yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(node_dump): Hide `secret' configuration keys 

Co-authored-by: Zaiming (Stone) Shi <zmstone@gmail.com>
This commit is contained in:
k32 2021-05-05 09:39:09 +02:00 committed by Zaiming (Stone) Shi
parent e6c85dfb04
commit 1db8483bb3
2 changed files with 21 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
bin/node_dump
View File

@ -8,7 +8,7 @@ echo "Running node dump in ${ROOT_DIR}"
cd "${ROOT_DIR}" cd "${ROOT_DIR}"
DUMP="log/node_dump_$(date +"%y%m%d_%H%M%S").tar.gz" DUMP="log/node_dump_$(date +"%Y%m%d_%H%M%S").tar.gz"
collect() { collect() {
echo "========================================================" echo "========================================================"
@ -40,6 +40,9 @@ tar czf "${DUMP}" log/*.log.* log/run_erl.log* log/sysinfo.txt log/conf.dump
## Cleanup: ## Cleanup:
rm log/sysinfo.txt rm log/sysinfo.txt
rm log/conf.dump #rm log/conf.dump
echo "Created a node dump ${DUMP}" echo "Created a node dump ${DUMP}"
echo -e "\nWarning: this script tries to obfuscate secrets, but make sure to
inspect log/conf.dump file manually before uploading the node dump
to a public location."

27
src/emqx_node_dump.erl
View File

@ -36,35 +36,40 @@ censor([{{env, App, Key}, Val} | Rest]) ->
censor([_ | Rest]) -> censor([_ | Rest]) ->
censor(Rest). censor(Rest).
censor(Path, L) when is_list(L) -> censor(Path, {Key, Val}) when is_atom(Key) ->
[censor(Path, I) || I <- L]; {Key, censor([Key|Path], Val)};
censor(Path, M) when is_map(M) -> censor(Path, M) when is_map(M) ->
Fun = fun(Key, Val) -> Fun = fun(Key, Val) ->
censor([Key|Path], Val) censor([Key|Path], Val)
end, end,
maps:map(Fun, M); maps:map(Fun, M);
censor(Path, {Key, Val}) when is_atom(Key) -> censor(Path, L = [Fst|_]) when is_tuple(Fst) ->
{Key, censor([Key|Path], Val)}; [censor(Path, I) || I <- L];
censor(Path, Val) -> censor(Path, Val) ->
case Path of case Path of
[password|_] when is_binary(Val) -> [password|_] ->
<<"censored">>; obfuscate_value(Val);
[password|_] when is_list(Val) -> [secret|_] ->
"censored"; obfuscate_value(Val);
_ -> _ ->
Val Val
end. end.
obfuscate_value(Val) when is_binary(Val) ->
<<"********">>;
obfuscate_value(_Val) ->
"********".
-ifdef(TEST). -ifdef(TEST).
-include_lib("eunit/include/eunit.hrl"). -include_lib("eunit/include/eunit.hrl").
censor_test() -> censor_test() ->
?assertMatch( [{{env, emqx, listeners}, #{password := <<"censored">>}}] ?assertMatch( [{{env, emqx, listeners}, #{password := <<"********">>}}]
, censor([foo, {{env, emqx, listeners}, #{password => <<"secret">>}}, {app, bar}]) , censor([foo, {{env, emqx, listeners}, #{password => <<"secret">>}}, {app, bar}])
), ),
?assertMatch( [{{env, emqx, listeners}, [{foo, 1}, {password, <<"censored">>}]}] ?assertMatch( [{{env, emqx, listeners}, [{foo, 1}, {password, "********"}]}]
, censor([{{env, emqx, listeners}, [{foo, 1}, {password, <<"secret">>}]}]) , censor([{{env, emqx, listeners}, [{foo, 1}, {password, "secret"}]}])
). ).
-endif. %% TEST -endif. %% TEST