security(mediaserver): stop leaking credentials to Docker events log

2025-04-01 17:48:34 +02:00 · 2025-04-01 17:48:34 +02:00 · 5bf19f92b0
commit 5bf19f92b0
parent e4438baa65
1 changed files with 14 additions and 1 deletions
--- a/internal/mediaserver/actor.go
+++ b/internal/mediaserver/actor.go
@ -170,7 +170,8 @@ func StartActor(ctx context.Context, params StartActorParams) (_ *Actor, err err
 						"--fail",
 						"--silent",
 						"--cacert", "/etc/tls.crt",
-						actor.pathsURL(),
+						"--config", "/etc/healthcheckopts.txt",
+						actor.healthCheckURL(),
 					},
 					Interval:      time.Second * 10,
 					StartPeriod:   time.Second * 2,
@ -200,6 +201,11 @@ func StartActor(ctx context.Context, params StartActorParams) (_ *Actor, err err
 					Payload: bytes.NewReader(tlsKey),
 					Mode:    0600,
 				},
+				{
+					Path:    "/etc/healthcheckopts.txt",
+					Payload: bytes.NewReader([]byte(fmt.Sprintf("--user api:%s", actor.pass))),
+					Mode:    0600,
+				},
 			},
 		},
 	)
@ -368,6 +374,13 @@ func (s *Actor) pathsURL() string {
 	return fmt.Sprintf("https://api:%s@localhost:%d/v3/paths/list", s.pass, s.apiPort)
 }

+// healthCheckURL returns the URL for the health check, accessible from the
+// container. It is logged to Docker's events log so must not include
+// credentials.
+func (s *Actor) healthCheckURL() string {
+	return fmt.Sprintf("https://localhost:%d/v3/paths/list", s.apiPort)
+}
+
 // shortID returns the first 12 characters of the given container ID.
 func shortID(id string) string {
 	if len(id) < 12 {