From 8fbde78512fd2b7aa0ec0f0ad224cdc511963702 Mon Sep 17 00:00:00 2001
From: Drew Erny <drew.erny@docker.com>
Date: Mon, 5 Feb 2018 11:47:17 -0800
Subject: [PATCH] Redact registry auth token from swarm-rafttool

When I added the --redact flag for swarm-rafttool, I forgot to include
the registry auth token as sensitive data to be redacted, so it was
present in redacted raft dumps. This replaces it with a redaction.

Signed-off-by: Drew Erny <drew.erny@docker.com>
---
 cmd/swarm-rafttool/dump.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cmd/swarm-rafttool/dump.go b/cmd/swarm-rafttool/dump.go
index 86920d3695..97d90d5f1c 100644
--- a/cmd/swarm-rafttool/dump.go
+++ b/cmd/swarm-rafttool/dump.go
@@ -118,10 +118,16 @@ func dumpWAL(swarmdir, unlockKey string, start, end uint64, redact bool) error {
 						case *api.StoreAction_Task:
 							if container := actype.Task.Spec.GetContainer(); container != nil {
 								container.Env = []string{"ENVVARS REDACTED"}
+								if container.PullOptions != nil {
+									container.PullOptions.RegistryAuth = "REDACTED"
+								}
 							}
 						case *api.StoreAction_Service:
 							if container := actype.Service.Spec.Task.GetContainer(); container != nil {
 								container.Env = []string{"ENVVARS REDACTED"}
+								if container.PullOptions != nil {
+									container.PullOptions.RegistryAuth = "REDACTED"
+								}
 							}
 						}
 					}
@@ -192,6 +198,7 @@ func dumpSnapshot(swarmdir, unlockKey string, redact bool) error {
 			if task != nil {
 				if container := task.Spec.GetContainer(); container != nil {
 					container.Env = []string{"ENVVARS REDACTED"}
+					container.PullOptions.RegistryAuth = "REDACTED"
 				}
 			}
 		}
@@ -199,6 +206,7 @@ func dumpSnapshot(swarmdir, unlockKey string, redact bool) error {
 			if service != nil {
 				if container := service.Spec.Task.GetContainer(); container != nil {
 					container.Env = []string{"ENVVARS REDACTED"}
+					container.PullOptions.RegistryAuth = "REDACTED"
 				}
 			}
 		}