From b45ad4529aef7273164356e47e1b0b071c2c62be Mon Sep 17 00:00:00 2001
From: Joongi Kim
Date: Tue, 24 Oct 2023 15:59:15 +0900
Subject: [PATCH] fix: Mask sensitive fields when reading container registry via the manager GQL API (#1627)
---
 changes/1627.fix.md | 1 +
 src/ai/backend/manager/defs.py | 2 ++
 src/ai/backend/manager/models/etcd.py | 4 +++-
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 changes/1627.fix.md
diff --git a/changes/1627.fix.md b/changes/1627.fix.md
new file mode 100644
index 0000000000..477936cf4d
--- /dev/null
+++ b/changes/1627.fix.md
@@ -0,0 +1 @@
+Mask sensitive fields when reading the container registry information via the manager GraphQL API
diff --git a/src/ai/backend/manager/defs.py b/src/ai/backend/manager/defs.py
index a335b2db39..f1de1723e3 100644
--- a/src/ai/backend/manager/defs.py
+++ b/src/ai/backend/manager/defs.py
@@ -26,6 +26,8 @@
 # The default container role name for multi-container sessions
 DEFAULT_ROLE: Final = "main"
+PASSWORD_PLACEHOLDER: Final = "*****"
 _RESERVED_VFOLDER_PATTERNS = [r"^\.[a-z0-9]+rc$", r"^\.[a-z0-9]+_profile$"]
 RESERVED_DOTFILES = [".terminfo", ".jupyter", ".ssh", ".ssh/authorized_keys", ".local", ".config"]
 RESERVED_VFOLDERS = [
diff --git a/src/ai/backend/manager/models/etcd.py b/src/ai/backend/manager/models/etcd.py
index 6a94193cb1..0199e930b4 100644
--- a/src/ai/backend/manager/models/etcd.py
+++ b/src/ai/backend/manager/models/etcd.py
@@ -7,6 +7,7 @@
 from ai.backend.common.logging import BraceStyleAdapter
+from ..defs import PASSWORD_PLACEHOLDER
 from . import UserRole
 from .base import privileged_mutation, set_if_set
@@ -67,6 +68,7 @@ class Meta:
 @classmethod
 def from_row(cls, hostname: str, config: Mapping[str, str | list | None]) -> ContainerRegistry:
+password = config.get("password", None)
 return cls(
 id=hostname,
 hostname=hostname,
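Review bot: `PASSWORD_PLACEHOLDER` in `src/ai/backend/manager/defs.py` is added without a comment, unlike `DEFAULT_ROLE` directly above it, so nothing records that it is an output-only mask. I would add `# Returned in place of stored secrets by read APIs; not a credential, and must never be written back to storage.` above the constant. Because the mask is an ordinary string, any code that later compares an incoming value against it cannot tell the mask from a real password that happens to be `*****`, which is worth stating in the same comment.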
@@ -75,7 +77,7 @@ def from_row(cls, hostname: str, config: Mapping[str, str | list | None]) -> Con
 type=config.get("type"),
 project=config.get("project", None),
 username=config.get("username", None),
-password=config.get("password", None),
+password=PASSWORD_PLACEHOLDER if password is not None else None,
 ssl_verify=config.get("ssl_verify", None),
 ),
 )
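Review bot: The new `password=PASSWORD_PLACEHOLDER if password is not None else None` masks only the read side, and nothing in this patch stops a client from sending the mask back on an update. The module imports `privileged_mutation` and `set_if_set`, so it presumably also defines registry mutations; if one of them stores the submitted password as-is, a read-then-save round trip from a UI would replace the real credential with `*****`. The write path should treat `PASSWORD_PLACEHOLDER` as "leave unchanged", and since the diffstat shows no test file, a regression test asserting that `from_row` never returns the stored value would pin the fix. `from_row` begins in the preceding hunk, where the local `password` is assigned, and its callers are outside this patch, so it is worth confirming that none of them rely on the returned object to obtain the real password.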