feat(node_dump): Hide `secret' configuration keys

Co-authored-by: Zaiming (Stone) Shi <zmstone@gmail.com>
2021-05-05 09:39:09 +02:00 · 2021-05-05 09:39:09 +02:00 · 1db8483bb3
parent e6c85dfb04
commit 1db8483bb3
2 changed files with 21 additions and 13 deletions
--- a/bin/node_dump
+++ b/bin/node_dump
@ -8,7 +8,7 @@ echo "Running node dump in ${ROOT_DIR}"

 cd "${ROOT_DIR}"

-DUMP="log/node_dump_$(date +"%y%m%d_%H%M%S").tar.gz"
+DUMP="log/node_dump_$(date +"%Y%m%d_%H%M%S").tar.gz"

 collect() {
    echo "========================================================"
@ -40,6 +40,9 @@ tar czf "${DUMP}" log/*.log.* log/run_erl.log* log/sysinfo.txt log/conf.dump

 ## Cleanup:
 rm log/sysinfo.txt
-rm log/conf.dump
+#rm log/conf.dump

 echo "Created a node dump ${DUMP}"
+echo -e "\nWarning: this script tries to obfuscate secrets, but make sure to
+inspect log/conf.dump file manually before uploading the node dump
+to a public location."
--- a/src/emqx_node_dump.erl
+++ b/src/emqx_node_dump.erl
@ -36,35 +36,40 @@ censor([{{env, App, Key}, Val} | Rest]) ->
 censor([_ | Rest]) ->
    censor(Rest).

-censor(Path, L) when is_list(L) ->
-    [censor(Path, I) || I <- L];
+censor(Path, {Key, Val}) when is_atom(Key) ->
+    {Key, censor([Key|Path], Val)};
 censor(Path, M) when is_map(M) ->
    Fun = fun(Key, Val) ->
                  censor([Key|Path], Val)
          end,
    maps:map(Fun, M);
-censor(Path, {Key, Val}) when is_atom(Key) ->
-    {Key, censor([Key|Path], Val)};
+censor(Path, L = [Fst|_]) when is_tuple(Fst) ->
+    [censor(Path, I) || I <- L];
 censor(Path, Val) ->
    case Path of
-        [password|_] when is_binary(Val) ->
-            <<"censored">>;
-        [password|_] when is_list(Val) ->
-            "censored";
+        [password|_] ->
+            obfuscate_value(Val);
+        [secret|_]  ->
+            obfuscate_value(Val);
        _ ->
            Val
    end.

+obfuscate_value(Val) when is_binary(Val) ->
+    <<"********">>;
+obfuscate_value(_Val) ->
+    "********".
+
 -ifdef(TEST).

 -include_lib("eunit/include/eunit.hrl").

 censor_test() ->
-    ?assertMatch( [{{env, emqx, listeners}, #{password := <<"censored">>}}]
+    ?assertMatch( [{{env, emqx, listeners}, #{password := <<"********">>}}]
                , censor([foo, {{env, emqx, listeners}, #{password => <<"secret">>}}, {app, bar}])
                ),
-    ?assertMatch( [{{env, emqx, listeners}, [{foo, 1}, {password, <<"censored">>}]}]
-                , censor([{{env, emqx, listeners}, [{foo, 1}, {password, <<"secret">>}]}])
+    ?assertMatch( [{{env, emqx, listeners}, [{foo, 1}, {password, "********"}]}]
+                , censor([{{env, emqx, listeners}, [{foo, 1}, {password, "secret"}]}])
                ).

 -endif. %% TEST