fix(schema): add password converter to ensure its binary() type

2023-01-15 11:09:33 +01:00 · 2023-01-15 11:09:33 +01:00 · 4a7e74f5d6
parent 74ae7c4264
commit 4a7e74f5d6
8 changed files with 44 additions and 7 deletions
--- a/apps/emqx/src/emqx_schema.erl
+++ b/apps/emqx/src/emqx_schema.erl
@ -114,6 +114,7 @@
 -export([namespace/0, roots/0, roots/1, fields/1, desc/1, tags/0]).
 -export([conf_get/2, conf_get/3, keys/2, filter/1]).
 -export([server_ssl_opts_schema/2, client_ssl_opts_schema/1, ciphers_schema/1]).
+-export([password_converter/2]).
 -export([authz_fields/0]).
 -export([sc/2, map/2]).

@ -1510,7 +1511,9 @@ fields("sysmon_top") ->
                #{
                    mapping => "system_monitor.db_password",
                    default => "system_monitor_password",
-                    desc => ?DESC(sysmon_top_db_password)
+                    desc => ?DESC(sysmon_top_db_password),
+                    converter => fun password_converter/2,
+                    sensitive => true
                }
            )},
        {"db_name",
@ -1900,7 +1903,8 @@ common_ssl_opts_schema(Defaults) ->
                    required => false,
                    example => <<"">>,
                    format => <<"password">>,
-                    desc => ?DESC(common_ssl_opts_schema_password)
+                    desc => ?DESC(common_ssl_opts_schema_password),
+                    converter => fun password_converter/2
                }
            )},
        {"versions",
@ -2068,6 +2072,18 @@ do_default_ciphers(_) ->
    %% otherwise resolve default ciphers list at runtime
    [].

+password_converter(undefined, _) ->
+    undefined;
+password_converter(I, _) when is_integer(I) ->
+    integer_to_binary(I);
+password_converter(X, _) ->
+    try
+        iolist_to_binary(X)
+    catch
+        _:_ ->
+            throw("must_quote")
+    end.
+
 authz_fields() ->
    [
        {"no_match",
--- a/apps/emqx_conf/src/emqx_conf_schema.erl
+++ b/apps/emqx_conf/src/emqx_conf_schema.erl
@ -408,7 +408,8 @@ fields("node") ->
                    required => true,
                    'readOnly' => true,
                    sensitive => true,
-                    desc => ?DESC(node_cookie)
+                    desc => ?DESC(node_cookie),
+                    converter => fun emqx_schema:password_converter/2
                }
            )},
        {"process_limit",
--- a/apps/emqx_connector/src/emqx_connector_schema_lib.erl
+++ b/apps/emqx_connector/src/emqx_connector_schema_lib.erl
@ -101,6 +101,7 @@ password(desc) -> ?DESC("password");
 password(required) -> false;
 password(format) -> <<"password">>;
 password(sensitive) -> true;
+password(converter) -> fun emqx_schema:password_converter/2;
 password(_) -> undefined.

 auto_reconnect(type) -> boolean();
--- a/apps/emqx_connector/src/mqtt/emqx_connector_mqtt_schema.erl
+++ b/apps/emqx_connector/src/mqtt/emqx_connector_mqtt_schema.erl
@ -107,7 +107,8 @@ fields("server_configs") ->
                #{
                    format => <<"password">>,
                    sensitive => true,
-                    desc => ?DESC("password")
+                    desc => ?DESC("password"),
+                    converter => fun emqx_schema:password_converter/2
                }
            )},
        {clean_start,
--- a/apps/emqx_dashboard/src/emqx_dashboard_schema.erl
+++ b/apps/emqx_dashboard/src/emqx_dashboard_schema.erl
@ -209,6 +209,7 @@ default_password(default) -> "public";
 default_password(required) -> true;
 default_password('readOnly') -> true;
 default_password(sensitive) -> true;
+default_password(converter) -> fun emqx_schema:password_converter/2;
 default_password(desc) -> ?DESC(default_password);
 default_password(_) -> undefined.

--- a/apps/emqx_gateway/src/emqx_gateway_schema.erl
+++ b/apps/emqx_gateway/src/emqx_gateway_schema.erl
@ -380,7 +380,13 @@ fields(ssl_server_opts) ->
 fields(clientinfo_override) ->
    [
        {username, sc(binary(), #{desc => ?DESC(gateway_common_clientinfo_override_username)})},
-        {password, sc(binary(), #{desc => ?DESC(gateway_common_clientinfo_override_password)})},
+        {password,
+            sc(binary(), #{
+                desc => ?DESC(gateway_common_clientinfo_override_password),
+                sensitive => true,
+                format => <<"password">>,
+                converter => fun emqx_schema:password_converter/2
+            })},
        {clientid, sc(binary(), #{desc => ?DESC(gateway_common_clientinfo_override_clientid)})}
    ];
 fields(lwm2m_translators) ->
--- a/lib-ee/emqx_ee_bridge/src/emqx_ee_bridge_kafka.erl
+++ b/lib-ee/emqx_ee_bridge/src/emqx_ee_bridge_kafka.erl
@ -116,7 +116,12 @@ fields(auth_username_password) ->
            })},
        {username, mk(binary(), #{required => true, desc => ?DESC(auth_sasl_username)})},
        {password,
-            mk(binary(), #{required => true, sensitive => true, desc => ?DESC(auth_sasl_password)})}
+            mk(binary(), #{
+                required => true,
+                sensitive => true,
+                desc => ?DESC(auth_sasl_password),
+                converter => fun emqx_schema:password_converter/2
+            })}
    ];
 fields(auth_gssapi_kerberos) ->
    [
--- a/lib-ee/emqx_ee_connector/src/emqx_ee_connector_influxdb.erl
+++ b/lib-ee/emqx_ee_connector/src/emqx_ee_connector_influxdb.erl
@ -157,7 +157,13 @@ fields(influxdb_api_v1) ->
        [
            {database, mk(binary(), #{required => true, desc => ?DESC("database")})},
            {username, mk(binary(), #{desc => ?DESC("username")})},
-            {password, mk(binary(), #{desc => ?DESC("password"), format => <<"password">>})}
+            {password,
+                mk(binary(), #{
+                    desc => ?DESC("password"),
+                    format => <<"password">>,
+                    sensitive => true,
+                    converter => fun emqx_schema:password_converter/2
+                })}
        ] ++ emqx_connector_schema_lib:ssl_fields();
 fields(influxdb_api_v2) ->
    fields(common) ++