From 8135e2758664555f54b6cb5f2e20745a936cea35 Mon Sep 17 00:00:00 2001 From: firest Date: Tue, 26 Sep 2023 11:06:47 +0800 Subject: [PATCH] fix: redact sensitive data in SSO and LDAP --- .../src/emqx_dashboard_sso_api.erl | 22 ++++++++++++++----- apps/emqx_ldap/src/emqx_ldap.erl | 9 +++++--- apps/emqx_ldap/src/emqx_ldap_authz.erl | 2 +- apps/emqx_ldap/src/emqx_ldap_bind_worker.erl | 8 ++++--- 4 files changed, 28 insertions(+), 13 deletions(-) diff --git a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl index 5ac24f1f4..c9c9a7fd9 100644 --- a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl +++ b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_api.erl @@ -159,17 +159,23 @@ login(post, #{bindings := #{backend := Backend}, body := Body} = Request) -> State -> case emqx_dashboard_sso:login(provider(Backend), Request, State) of {ok, Role, Token} -> - ?SLOG(info, #{msg => "dashboard_sso_login_successful", request => Request}), + ?SLOG(info, #{ + msg => "dashboard_sso_login_successful", + request => emqx_utils:redact(Request) + }), Username = maps:get(<<"username">>, Body), {200, login_meta(Username, Role, Token)}; {redirect, Redirect} -> - ?SLOG(info, #{msg => "dashboard_sso_login_redirect", request => Request}), + ?SLOG(info, #{ + msg => "dashboard_sso_login_redirect", + request => emqx_utils:redact(Request) + }), Redirect; {error, Reason} -> ?SLOG(info, #{ msg => "dashboard_sso_login_failed", - request => Request, - reason => Reason + request => emqx_utils:redact(Request), + reason => emqx_utils:redact(Reason) }), {401, #{code => ?BAD_USERNAME_OR_PWD, message => <<"Auth failed">>}} end @@ -193,10 +199,14 @@ backend(get, #{bindings := #{backend := Type}}) -> {200, to_json(Backend)} end; backend(put, #{bindings := #{backend := Backend}, body := Config}) -> - ?SLOG(info, #{msg => "Update SSO backend", backend => Backend, config => Config}), + ?SLOG(info, #{ + msg => "update_sso_backend", + backend => Backend, + config => emqx_utils:redact(Config) + }), on_backend_update(Backend, Config, fun emqx_dashboard_sso_manager:update/2); backend(delete, #{bindings := #{backend := Backend}}) -> - ?SLOG(info, #{msg => "Delete SSO backend", backend => Backend}), + ?SLOG(info, #{msg => "delete_sso_backend", backend => Backend}), handle_backend_update_result(emqx_dashboard_sso_manager:delete(Backend), undefined). sso_parameters(Params) -> diff --git a/apps/emqx_ldap/src/emqx_ldap.erl b/apps/emqx_ldap/src/emqx_ldap.erl index f16166793..7b856521c 100644 --- a/apps/emqx_ldap/src/emqx_ldap.erl +++ b/apps/emqx_ldap/src/emqx_ldap.erl @@ -158,7 +158,7 @@ on_start( {error, Reason} -> ?tp( ldap_connector_start_failed, - #{error => Reason} + #{error => emqx_utils:redact(Reason)} ), {error, Reason} end. @@ -248,7 +248,7 @@ do_ldap_query( SearchOptions, #{pool_name := PoolName} = State ) -> - LogMeta = #{connector => InstId, search => SearchOptions, state => State}, + LogMeta = #{connector => InstId, search => SearchOptions, state => emqx_utils:redact(State)}, ?TRACE("QUERY", "ldap_connector_received", LogMeta), case ecpool:pick_and_do( @@ -268,7 +268,10 @@ do_ldap_query( {error, Reason} -> ?SLOG( error, - LogMeta#{msg => "ldap_connector_do_query_failed", reason => Reason} + LogMeta#{ + msg => "ldap_connector_do_query_failed", + reason => emqx_utils:redact(Reason) + } ), {error, {unrecoverable_error, Reason}} end. diff --git a/apps/emqx_ldap/src/emqx_ldap_authz.erl b/apps/emqx_ldap/src/emqx_ldap_authz.erl index f5ef38c01..13110306c 100644 --- a/apps/emqx_ldap/src/emqx_ldap_authz.erl +++ b/apps/emqx_ldap/src/emqx_ldap_authz.erl @@ -116,7 +116,7 @@ authorize( {error, Reason} -> ?SLOG(error, #{ msg => "query_ldap_error", - reason => Reason, + reason => emqx_utils:redact(Reason), resource_id => ResourceID }), nomatch diff --git a/apps/emqx_ldap/src/emqx_ldap_bind_worker.erl b/apps/emqx_ldap/src/emqx_ldap_bind_worker.erl index e4e341002..5fb69f0fd 100644 --- a/apps/emqx_ldap/src/emqx_ldap_bind_worker.erl +++ b/apps/emqx_ldap/src/emqx_ldap_bind_worker.erl @@ -61,7 +61,7 @@ on_query( {bind, Data}, #{ base_tokens := DNTks, - bind_password_tokens := PWTks, + bind_password := PWTks, bind_pool_name := PoolName } = State ) -> @@ -86,7 +86,7 @@ on_query( {error, Reason} -> ?SLOG( error, - LogMeta#{msg => "ldap_bind_failed", reason => Reason} + LogMeta#{msg => "ldap_bind_failed", reason => emqx_utils:redact(Reason)} ), {error, {unrecoverable_error, Reason}} end. @@ -100,7 +100,9 @@ prepare_template(Config, State) -> do_prepare_template(maps:to_list(maps:with([bind_password], Config)), State). do_prepare_template([{bind_password, V} | T], State) -> - do_prepare_template(T, State#{bind_password_tokens => emqx_placeholder:preproc_tmpl(V)}); + %% This is sensitive data + %% to reduce match cases, here we reuse the existing sensitive filter key: bind_password + do_prepare_template(T, State#{bind_password => emqx_placeholder:preproc_tmpl(V)}); do_prepare_template([], State) -> State.