From 4fc56a6e5b70acf4466d1cfe329cd617232bb4a5 Mon Sep 17 00:00:00 2001 From: firest Date: Thu, 27 Oct 2022 16:36:55 +0800 Subject: [PATCH] fix(log): Use LOG_SENSITIVE to replace the risky LOG in ACL We should ensure that neither client nor backend database passwords should be printed out when users use ACLs --- apps/emqx_auth_http/src/emqx_auth_http.erl | 4 ++-- apps/emqx_auth_jwt/src/emqx_auth_jwt_svr.erl | 13 ++++++++----- apps/emqx_auth_ldap/src/emqx_auth_ldap.erl | 2 +- apps/emqx_auth_ldap/src/emqx_auth_ldap_cli.erl | 9 ++++----- apps/emqx_auth_mongo/src/emqx_auth_mongo.erl | 6 +++--- apps/emqx_auth_mysql/src/emqx_auth_mysql.erl | 4 ++-- apps/emqx_auth_mysql/src/emqx_auth_mysql_cli.erl | 4 ++-- apps/emqx_auth_pgsql/src/emqx_auth_pgsql.erl | 4 ++-- apps/emqx_auth_pgsql/src/emqx_auth_pgsql_cli.erl | 2 +- apps/emqx_auth_redis/src/emqx_auth_redis.erl | 4 ++-- apps/emqx_auth_redis/src/emqx_auth_redis_cli.erl | 3 +-- 11 files changed, 28 insertions(+), 27 deletions(-) diff --git a/apps/emqx_auth_http/src/emqx_auth_http.erl b/apps/emqx_auth_http/src/emqx_auth_http.erl index 3e63ea597..34f1a5e5b 100644 --- a/apps/emqx_auth_http/src/emqx_auth_http.erl +++ b/apps/emqx_auth_http/src/emqx_auth_http.erl @@ -53,7 +53,7 @@ check(ClientInfo, AuthResult, #{auth := AuthParms = #{path := Path}, {stop, AuthResult#{auth_result => http_to_connack_error(Code), anonymous => false}}; {error, Error} -> - ?LOG(error, "Deny connection from path: ~s, username: ~ts, due to " + ?LOG_SENSITIVE(error, "Deny connection from path: ~s, username: ~ts, due to " "request http-server failed: ~0p", [Path, Username, Error]), %%FIXME later: server_unavailable is not right. 
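Review bot: Nothing at the rewritten `?LOG_SENSITIVE(error, "Deny connection from path: ~s, username: ~ts, due to request http-server failed: ~0p", [Path, Username, Error])` records why this site is sensitive, so the next edit can revert it to `?LOG` without anyone noticing; the `~0p`-formatted `Error` is the argument that can plausibly embed the failed outbound request and with it the client credentials, which is presumably what motivates the change. I would add `%% Error may embed the failed request incl. client credentials; keep on LOG_SENSITIVE` directly above the macro, and the same one-line why-comment at the other `?LOG_SENSITIVE` sites this patch introduces in emqx_auth_http @@ -91 and the ldap, mongo, mysql, pgsql and redis hunks. check/3 starts before the hunk and ends after it.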
@@ -91,7 +91,7 @@ is_superuser(SuperParams = case request(PoolName, Method, Path, Headers, feedvar(Params, ClientInfo), Timeout, Retry) of {ok, 200, _Body} -> true; {ok, _Code, _Body} -> false; - {error, Error} -> ?LOG(error, "Request superuser path ~s, error: ~p", [Path, Error]), + {error, Error} -> ?LOG_SENSITIVE(error, "Request superuser path ~s, error: ~p", [Path, Error]), false end. diff --git a/apps/emqx_auth_jwt/src/emqx_auth_jwt_svr.erl b/apps/emqx_auth_jwt/src/emqx_auth_jwt_svr.erl index 049f07533..02d7b223c 100644 --- a/apps/emqx_auth_jwt/src/emqx_auth_jwt_svr.erl +++ b/apps/emqx_auth_jwt/src/emqx_auth_jwt_svr.erl @@ -27,7 +27,7 @@ %% APIs -export([start_link/1]). --export([verify/1]). +-export([verify/1, trace/2]). %% gen_server callbacks -export([ init/1 @@ -143,7 +143,8 @@ request_jwks(Addr) -> ?tp(debug, emqx_auth_jwt_svr_jwks_updated, #{jwks => Jwks, pid => self()}), Jwks catch _:_ -> - ?LOG(error, "Invalid jwks server response: ~p~n", [Body]), + ?MODULE:trace(jwks_server_reesponse, Body), + ?LOG(error, "Invalid jwks server response, body is not logged for security reasons, trace it if inspection is required", []), error(badarg) end end. @@ -174,7 +175,7 @@ do_verify(JwsCompacted) -> end catch Class : Reason : Stk -> - ?LOG(error, "verify JWK crashed: ~p, ~p, stacktrace: ~p~n", + ?LOG_SENSITIVE(error, "verify JWK crashed: ~p, ~p, stacktrace: ~p~n", [Class, Reason, Stk]), {error, invalid_signature} end. @@ -249,13 +250,15 @@ key2jwt_value(Key, Func, Options) -> V -> try Func(V) of {error, Reason} -> - ?LOG(warning, "Build ~p JWK ~p failed: {error, ~p}~n", + ?LOG_SENSITIVE(warning, "Build ~p JWK ~p failed: {error, ~p}~n", [Key, V, Reason]), undefined; J -> J catch T:R -> - ?LOG(warning, "Build ~p JWK ~p failed: {~p, ~p}~n", + ?LOG_SENSITIVE(warning, "Build ~p JWK ~p failed: {~p, ~p}~n", [Key, V, T, R]), undefined end end. + +trace(_Tag, _Data) -> ok. 
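Review bot: The tag passed to the new `?MODULE:trace(jwks_server_reesponse, Body)` call is misspelled, so an operator following the log line's advice to "trace it" and matching on the obvious tag will see nothing; it should read `?MODULE:trace(jwks_server_response, Body)`. The `trace/2` added at the bottom of the file (@@ -249) is a bare `trace(_Tag, _Data) -> ok.` with no spec or comment, and being an exported no-op invoked through `?MODULE:` it will look like dead code to the next reader; I would put `-spec trace(atom(), term()) -> ok.` and `%% Deliberate no-op called via ?MODULE so the untrusted JWKS body can be captured with a tracer instead of being written to the log.` above it. request_jwks/1 starts outside the hunk.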
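Review bot: Both rewritten warnings in key2jwt_value still interpolate `V` — the raw option value being converted into a JWK, which for a shared-secret key is presumably the secret itself — as a positional `~p` argument, so whether it stays out of the log now rests entirely on what `?LOG_SENSITIVE` does with its argument list, which this patch does not show. Logging the key name and the failure only, `?LOG_SENSITIVE(warning, "Build ~p JWK failed: {error, ~p}~n", [Key, Reason])` and `?LOG_SENSITIVE(warning, "Build ~p JWK failed: {~p, ~p}~n", [Key, T, R])`, removes that dependency without losing the diagnostic. key2jwt_value/3 starts outside the hunk.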
diff --git a/apps/emqx_auth_ldap/src/emqx_auth_ldap.erl b/apps/emqx_auth_ldap/src/emqx_auth_ldap.erl index da932c2fe..0b26f6125 100644 --- a/apps/emqx_auth_ldap/src/emqx_auth_ldap.erl +++ b/apps/emqx_auth_ldap/src/emqx_auth_ldap.erl @@ -62,7 +62,7 @@ check(ClientInfo = #{username := Username, password := Password}, AuthResult, {error, not_found} -> ok; {error, ResultCode} -> - ?LOG(error, "[LDAP] Auth from ldap failed: ~p", [ResultCode]), + ?LOG_SENSITIVE(error, "[LDAP] Auth from ldap failed: ~p", [ResultCode]), {stop, AuthResult#{auth_result => ResultCode, anonymous => false}} end. diff --git a/apps/emqx_auth_ldap/src/emqx_auth_ldap_cli.erl b/apps/emqx_auth_ldap/src/emqx_auth_ldap_cli.erl index d33f8d859..afd996459 100644 --- a/apps/emqx_auth_ldap/src/emqx_auth_ldap_cli.erl +++ b/apps/emqx_auth_ldap/src/emqx_auth_ldap_cli.erl @@ -54,22 +54,22 @@ connect(Opts) -> false -> [{port, Port}, {timeout, Timeout}] end, - ?LOG(debug, "[LDAP] Connecting to OpenLDAP server: ~p, Opts:~p ...", [Servers, LdapOpts]), + ?LOG_SENSITIVE(debug, "[LDAP] Connecting to OpenLDAP server: ~p, Opts:~p ...", [Servers, LdapOpts]), case eldap2:open(Servers, LdapOpts) of {ok, LDAP} -> try eldap2:simple_bind(LDAP, BindDn, BindPassword) of ok -> {ok, LDAP}; {error, Error} -> - ?LOG(error, "[LDAP] Can't authenticated to OpenLDAP server: ~p", [Error]), + ?LOG_SENSITIVE(error, "[LDAP] Can't authenticated to OpenLDAP server: ~p", [Error]), {error, Error} catch error:Reason -> - ?LOG(error, "[LDAP] Can't authenticated to OpenLDAP server: ~p", [Reason]), + ?LOG_SENSITIVE(error, "[LDAP] Can't authenticated to OpenLDAP server: ~p", [Reason]), {error, Reason} end; {error, Reason} -> - ?LOG(error, "[LDAP] Can't connect to OpenLDAP server: ~p", [Reason]), + ?LOG_SENSITIVE(error, "[LDAP] Can't connect to OpenLDAP server: ~p", [Reason]), {error, Reason} end. @@ -147,4 +147,3 @@ init_args(ENVS) -> match_objectclass => ObjectClass, username_attr => UidAttr, password_attr => PasswdAttr}}. - 
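Review bot: The two rewritten bind-failure lines keep the text `[LDAP] Can't authenticated to OpenLDAP server: ~p`, which is ungrammatical and identical for the `{error, Error}` return and the `catch error:Reason` path, so an operator cannot tell a rejected bind from a crashed one; I would use `"[LDAP] Can't authenticate (bind) to OpenLDAP server: ~p"` for the first and `"[LDAP] Bind to OpenLDAP server crashed: ~p"` for the second. The `try ... of ... catch error:Reason` also converts only `error`-class exceptions, so a non-`error` exception raised inside `simple_bind` still propagates out of connect/1 — fine if intended, but worth stating with `%% only error-class exceptions are converted to {error, _}; others propagate`. connect/1 starts outside the hunk.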
diff --git a/apps/emqx_auth_mongo/src/emqx_auth_mongo.erl b/apps/emqx_auth_mongo/src/emqx_auth_mongo.erl index b3259ab52..ac4fde86a 100644 --- a/apps/emqx_auth_mongo/src/emqx_auth_mongo.erl +++ b/apps/emqx_auth_mongo/src/emqx_auth_mongo.erl @@ -55,7 +55,7 @@ check(ClientInfo = #{password := Password}, AuthResult, undefined -> ok; {error, Reason} -> ?tp(emqx_auth_mongo_check_authn_error, #{error => Reason}), - ?LOG(error, "[MongoDB] Can't connect to MongoDB server: ~0p", [Reason]), + ?LOG_SENSITIVE(error, "[MongoDB] Can't connect to MongoDB server: ~0p", [Reason]), {stop, AuthResult#{auth_result => not_authorized, anonymous => false}}; UserMap -> Result = case [maps:get(Field, UserMap, undefined) || Field <- Fields] of @@ -72,7 +72,7 @@ check(ClientInfo = #{password := Password}, AuthResult, anonymous => false, auth_result => success}}; {error, Error} -> - ?LOG(error, "[MongoDB] check auth fail: ~p", [Error]), + ?LOG_SENSITIVE(error, "[MongoDB] check auth fail: ~p", [Error]), {stop, AuthResult#{auth_result => Error, anonymous => false}} end end. @@ -99,7 +99,7 @@ is_superuser(Pool, #superquery{collection = Coll, field = Field, selector = Sele false; {error, Reason} -> ?tp(emqx_auth_mongo_superuser_query_error, #{error => Reason}), - ?LOG(error, "[MongoDB] Can't connect to MongoDB server: ~0p", [Reason]), + ?LOG_SENSITIVE(error, "[MongoDB] Can't connect to MongoDB server: ~0p", [Reason]), false; Row -> case maps:get(Field, Row, false) of diff --git a/apps/emqx_auth_mysql/src/emqx_auth_mysql.erl b/apps/emqx_auth_mysql/src/emqx_auth_mysql.erl index 31d9a007f..268e09d8c 100644 --- a/apps/emqx_auth_mysql/src/emqx_auth_mysql.erl +++ b/apps/emqx_auth_mysql/src/emqx_auth_mysql.erl 
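Review bot: Both `Can't connect to MongoDB server: ~0p` sites, in check/3 (@@ -55) and is_superuser (@@ -99), now go exclusively through `?LOG_SENSITIVE`, with no ordinary log line left; if that macro withholds the whole event rather than redacting its arguments — I cannot confirm from this patch which it does — a backend outage becomes invisible to operators who have not enabled sensitive logging. The mysql, pgsql and redis client hunks in this patch keep a static `?LOG(error, ...)` for their specific failures and only route the free-form `Reason` through the sensitive macro; I would mirror that here with a constant line in front of each sensitive one, e.g. `?LOG(error, "[MongoDB] Can't connect to MongoDB server; details in the sensitive log")`. Both enclosing functions start outside their hunks.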
@@ -41,7 +41,7 @@ check(ClientInfo = #{password := Password}, AuthResult, {ok, _Columns, []} -> {error, not_found}; {error, Reason} -> - ?LOG(error, "[MySQL] query '~p' failed: ~p", [AuthSql, Reason]), + ?LOG_SENSITIVE(error, "[MySQL] query '~p' failed: ~p", [AuthSql, Reason]), {error, Reason} end, case CheckPass of @@ -52,7 +52,7 @@ check(ClientInfo = #{password := Password}, AuthResult, {error, not_found} -> ok; {error, ResultCode} -> - ?LOG(error, "[MySQL] Auth from mysql failed: ~p", [ResultCode]), + ?LOG_SENSITIVE(error, "[MySQL] Auth from mysql failed: ~p", [ResultCode]), {stop, AuthResult#{auth_result => ResultCode, anonymous => false}} end. diff --git a/apps/emqx_auth_mysql/src/emqx_auth_mysql_cli.erl b/apps/emqx_auth_mysql/src/emqx_auth_mysql_cli.erl index 5968a47b6..3e6d2b3ce 100644 --- a/apps/emqx_auth_mysql/src/emqx_auth_mysql_cli.erl +++ b/apps/emqx_auth_mysql/src/emqx_auth_mysql_cli.erl @@ -54,10 +54,10 @@ connect(Options) -> ?LOG(error, "[MySQL] Can't connect to MySQL server: Connection refused."), {error, Reason}; {error, Reason = {ErrorCode, _, Error}} -> - ?LOG(error, "[MySQL] Can't connect to MySQL server: ~p - ~p", [ErrorCode, Error]), + ?LOG_SENSITIVE(error, "[MySQL] Can't connect to MySQL server: ~p - ~p", [ErrorCode, Error]), {error, Reason}; {error, Reason} -> - ?LOG(error, "[MySQL] Can't connect to MySQL server: ~p", [Reason]), + ?LOG_SENSITIVE(error, "[MySQL] Can't connect to MySQL server: ~p", [Reason]), {error, Reason} end. diff --git a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.erl b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.erl index f673e07e4..c636e28f7 100644 --- a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.erl +++ b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql.erl 
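Review bot: The query-failure branch of check/3 (@@ -41) hands the raw driver `Reason` on as `CheckPass`, and the second hunk (@@ -52) then stops the connection with that term as `auth_result`, whereas the pgsql (@@ -40) and redis (@@ -42) counterparts touched by this patch rewrite the same failure to `{error, not_found}`, which their `case CheckPass of` turns into `ok` — a backend outage there appears to be handled like an unknown user and the decision falls through. Only the log macro changed on these lines, but since the patch is specifically about this error path I would make the outcome explicit and consistent across the three: keep the failure distinct from `not_found` so the connection is refused, and say so with `%% backend failure must not degrade to not_found (fail closed)`. Whether something outside these hunks already normalises `auth_result` to a connack reason I cannot see from here. check/3 starts outside the hunk in all three files.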
@@ -40,7 +40,7 @@ check(ClientInfo = #{password := Password}, AuthResult, {ok, _, []} -> {error, not_found}; {error, Reason} -> - ?LOG(error, "[Postgres] query '~p' failed: ~p", [AuthSql, Reason]), + ?LOG_SENSITIVE(error, "[Postgres] query '~p' failed: ~p", [AuthSql, Reason]), {error, not_found} end, case CheckPass of @@ -51,7 +51,7 @@ check(ClientInfo = #{password := Password}, AuthResult, {error, not_found} -> ok; {error, ResultCode} -> - ?LOG(error, "[Postgres] Auth from pgsql failed: ~p", [ResultCode]), + ?LOG_SENSITIVE(error, "[Postgres] Auth from pgsql failed: ~p", [ResultCode]), {stop, AuthResult#{auth_result => ResultCode, anonymous => false}} end. diff --git a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql_cli.erl b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql_cli.erl index 4905b32bf..5a2ab3a69 100644 --- a/apps/emqx_auth_pgsql/src/emqx_auth_pgsql_cli.erl +++ b/apps/emqx_auth_pgsql/src/emqx_auth_pgsql_cli.erl @@ -82,7 +82,7 @@ connect(Opts) -> ?LOG(error, "[Postgres] Can't connect to Postgres server: Invalid password."), {error, Reason}; {error, Reason} -> - ?LOG(error, "[Postgres] Can't connect to Postgres server: ~p", [Reason]), + ?LOG_SENSITIVE(error, "[Postgres] Can't connect to Postgres server: ~p", [Reason]), {error, Reason} end. diff --git a/apps/emqx_auth_redis/src/emqx_auth_redis.erl b/apps/emqx_auth_redis/src/emqx_auth_redis.erl index d432e012b..cd3260b4a 100644 --- a/apps/emqx_auth_redis/src/emqx_auth_redis.erl +++ b/apps/emqx_auth_redis/src/emqx_auth_redis.erl @@ -42,7 +42,7 @@ check(ClientInfo = #{password := Password}, AuthResult, {ok, [PassHash, Salt|_]} -> check_pass({PassHash, Salt, Password}, HashType); {error, Reason} -> - ?LOG(error, "[Redis] Command: ~p failed: ~p", [AuthCmd, Reason]), + ?LOG_SENSITIVE(error, "[Redis] Command: ~p failed: ~p", [AuthCmd, Reason]), {error, not_found} end, case CheckPass of 
@@ -54,7 +54,7 @@ check(ClientInfo = #{password := Password}, AuthResult, {error, not_found} -> ok; {error, ResultCode} -> - ?LOG(error, "[Redis] Auth from redis failed: ~p", [ResultCode]), + ?LOG_SENSITIVE(error, "[Redis] Auth from redis failed: ~p", [ResultCode]), {stop, AuthResult#{auth_result => ResultCode, anonymous => false}} end. diff --git a/apps/emqx_auth_redis/src/emqx_auth_redis_cli.erl b/apps/emqx_auth_redis/src/emqx_auth_redis_cli.erl index 57d641bd3..84dfa5381 100644 --- a/apps/emqx_auth_redis/src/emqx_auth_redis_cli.erl +++ b/apps/emqx_auth_redis/src/emqx_auth_redis_cli.erl @@ -56,7 +56,7 @@ connect(Opts) -> ?LOG(error, "[Redis] Can't connect to Redis server: Authentication failed."), {error, Reason}; {error, Reason} -> - ?LOG(error, "[Redis] Can't connect to Redis server: ~p", [Reason]), + ?LOG_SENSITIVE(error, "[Redis] Can't connect to Redis server: ~p", [Reason]), {error, Reason} end. @@ -86,4 +86,3 @@ repl(S, _Var, undefined) -> repl(S, Var, Val) -> NVal = re:replace(Val, "&", "\\\\&", [global, {return, list}]), re:replace(S, Var, NVal, [{return, list}]). -