NVSHAS-10213: [Scanner] Handling of passwords as command arguments (20)

Author: williamlin-suse

monitor/monitor.c

@@ -32,12 +32,8 @@
 #define ENV_SCANNER_REGISTRY           "SCANNER_REGISTRY"
 #define ENV_SCANNER_REPOSITORY         "SCANNER_REPOSITORY"
 #define ENV_SCANNER_TAG                "SCANNER_TAG"
-#define ENV_SCANNER_REG_USER           "SCANNER_REGISTRY_USERNAME"
-#define ENV_SCANNER_REG_PASS           "SCANNER_REGISTRY_PASSWORD"
 #define ENV_SCANNER_SCAN_LAYERS        "SCANNER_SCAN_LAYERS"
 #define ENV_SCANNER_BASE_IMAGE         "SCANNER_BASE_IMAGE"
-#define ENV_SCANNER_CTRL_USER          "SCANNER_CTRL_API_USERNAME"
-#define ENV_SCANNER_CTRL_PASS          "SCANNER_CTRL_API_PASSWORD"
 #define ENV_SCANNER_TLS_VERIFICATION   "SCANNER_STANDALONE_TLS_VERIFICATION"
 #define ENV_SCANNER_DEBUG_MODE         "SCANNER_DEBUG_MODE"
 #define ENV_SCANNER_PROXY_URL          "PROXY_URL"
@@ -135,7 +131,7 @@ static pid_t fork_exec(int i)
     pid_t pid;
     char *args[PROC_ARGS_MAX], *join, *adv, *url;
     char *join_port, *adv_port;
-    char *license, *registry, *repository, *tag, *user, *pass, *base, *api_user, *api_pass, *enable, *proxy_url;
+    char *license, *registry, *repository, *tag, *base, *enable, *proxy_url;
     char *on_demand, *cache_record_max;
     int a;
 
@@ -224,14 +220,6 @@ static pid_t fork_exec(int i)
         }
 
         // The following options apply to both standalone or non-standalone mode
-        if ((user = getenv(ENV_SCANNER_REG_USER)) != NULL) {
-            args[a ++] = "--registry_username";
-            args[a ++] = user;
-        }
-        if ((pass = getenv(ENV_SCANNER_REG_PASS)) != NULL) {
-            args[a ++] = "--registry_password";
-            args[a ++] = pass;
-        }
         if ((base = getenv(ENV_SCANNER_BASE_IMAGE)) != NULL) {
             args[a ++] = "--base_image";
             args[a ++] = base;
@@ -241,19 +229,11 @@ static pid_t fork_exec(int i)
                 args[a ++] = "--scan_layers";
             }
         }
-        if ((api_user = getenv(ENV_SCANNER_CTRL_USER)) != NULL) {
-            args[a ++] = "--ctrl_username";
-            args[a ++] = api_user;
-        }
-        if ((api_pass = getenv(ENV_SCANNER_CTRL_PASS)) != NULL) {
-            args[a ++] = "--ctrl_password";
-            args[a ++] = api_pass;
-        }
         if ((cache_record_max = getenv(ENV_SCANNER_CACHE_MAX)) != NULL) {
                args[a ++] = "-maxrec";
                args[a ++] = cache_record_max;
         }
-        if ((api_pass = getenv(ENV_SCANNER_TLS_VERIFICATION)) != NULL) {
+        if ((enable = getenv(ENV_SCANNER_TLS_VERIFICATION)) != NULL) {
             args[a ++] = "--enable-tls-verification";
         }
         if ((proxy_url = getenv(ENV_SCANNER_PROXY_URL)) != NULL) {

scanner.go

@@ -205,12 +205,8 @@ func main() {
 	registry := flag.String("registry", "", "Scan image registry")
 	repository := flag.String("repository", "", "Scan image repository")
 	tag := flag.String("tag", "latest", "Scan image tag (or digest like sha256:...)")
-	regUser := flag.String("registry_username", "", "Registry username")
-	regPass := flag.String("registry_password", "", "Registry password")
 	scanLayers := flag.Bool("scan_layers", false, "Scan image layers")
 	baseImage := flag.String("base_image", "", "Base image")
-	ctrlUser := flag.String("ctrl_username", "", "Controller REST API username")
-	ctrlPass := flag.String("ctrl_password", "", "Controller REST API password")
 	noWait := flag.Bool("no_wait", false, "No initial wait")
 	noTask := flag.Bool("no_task", false, "Not using scanner task")
 	verbose := flag.Bool("x", false, "more debug")
@@ -257,6 +253,11 @@ func main() {
 		showTaskDebug = true
 	}
 
+	regUser := os.Getenv("SCANNER_REGISTRY_USERNAME")
+	regPass := os.Getenv("SCANNER_REGISTRY_PASSWORD")
+	ctrlUser := os.Getenv("SCANNER_CTRL_API_USERNAME")
+	ctrlPass := os.Getenv("SCANNER_CTRL_API_PASSWORD")
+
 	var grpcServer *cluster.GRPCServer
 	var ctx context.Context
 	var internalCertControllerCancel context.CancelFunc
@@ -404,8 +405,8 @@ func main() {
 				Registry:    reg,
 				Repository:  repo,
 				Tag:         tag,
-				Username:    *regUser,
-				Password:    *regPass,
+				Username:    regUser,
+				Password:    regPass,
 				ScanLayers:  *scanLayers,
 				ScanSecrets: false,
 				BaseImage:   *baseImage,
@@ -415,8 +416,8 @@ func main() {
 				Registry:    *registry,
 				Repository:  *repository,
 				Tag:         *tag,
-				Username:    *regUser,
-				Password:    *regPass,
+				Username:    regUser,
+				Password:    regPass,
 				ScanLayers:  *scanLayers,
 				ScanSecrets: true,
 				BaseImage:   *baseImage,
@@ -429,7 +430,7 @@ func main() {
 
 		// submit scan result if join address is given
 		if result != nil && result.Error == share.ScanErrorCode_ScanErrNone &&
-			*join != "" && *ctrlUser != "" && *ctrlPass != "" {
+			*join != "" && ctrlUser != "" && ctrlPass != "" {
 			if *adv == "" {
 				_, addr, err := cluster.ResolveJoinAndBindAddr(*join, sys)
 				if err != nil {
@@ -444,7 +445,7 @@ func main() {
 				joinPort = &port
 			}
 
-			err := scanSubmitResult(*join, (uint16)(*joinPort), *adv, *ctrlUser, *ctrlPass, result)
+			err := scanSubmitResult(*join, (uint16)(*joinPort), *adv, ctrlUser, ctrlPass, result)
 			if err != nil {
 				log.WithFields(log.Fields{"error": err}).Error("Failed to sumit scan result")
 			} else {