Merge pull request #13225 from lafirest/fix/mysql_redact

fix(auth): redact sensitive data for the authn/authz APIs

apps/emqx_auth/src/emqx_authn/emqx_authn_api.erl

@@ -897,7 +897,7 @@ list_authenticators(ConfKeyPath) ->
         maps:put(
             id,
             emqx_authn_chains:authenticator_id(AuthenticatorConfig),
-            convert_certs(AuthenticatorConfig)
+            convert_certs(emqx_utils:redact(AuthenticatorConfig))
         )
      || AuthenticatorConfig <- AuthenticatorsConfig
     ],
@@ -907,7 +907,8 @@ list_authenticator(_, ConfKeyPath, AuthenticatorID) ->
     with_authenticator(
         AuthenticatorID,
         ConfKeyPath,
-        fun(AuthenticatorConfig) ->
+        fun(AuthenticatorConfig0) ->
+            AuthenticatorConfig = emqx_utils:redact(AuthenticatorConfig0),
             {200, maps:put(id, AuthenticatorID, convert_certs(AuthenticatorConfig))}
         end
     ).
@@ -1050,9 +1051,16 @@ is_ok(ResL) ->
 
 update_authenticator(ConfKeyPath, ChainName, AuthenticatorID, Config) ->
     case
+        with_deobfuscate_update(
+            ConfKeyPath,
+            AuthenticatorID,
+            Config,
+            fun(AuthenticatorConfig) ->
                 update_config(
                     ConfKeyPath,
-            {update_authenticator, ChainName, AuthenticatorID, Config}
+                    {update_authenticator, ChainName, AuthenticatorID, AuthenticatorConfig}
+                )
+            end
         )
     of
         {ok, _} ->
@@ -1160,6 +1168,15 @@ list_users(ChainName, AuthenticatorID, QueryString) ->
             {200, Result}
     end.
 
+with_deobfuscate_update(ConfKeyPath, AuthenticatorID, NewConf, Fun) ->
+    case find_authenticator_config(AuthenticatorID, ConfKeyPath) of
+        {ok, RawConf} ->
+            Conf = emqx_utils:deobfuscate(NewConf, RawConf),
+            Fun(Conf);
+        {error, _} = Error ->
+            Error
+    end.
+
 update_config(Path, ConfigRequest) ->
     emqx_conf:update(Path, ConfigRequest, #{
         rawconf_with_defaults => true,

apps/emqx_auth/src/emqx_authz/emqx_authz_api_sources.erl

@@ -244,7 +244,8 @@ sources(get, _) ->
         fun(Source0, AccIn) ->
             try emqx_authz:maybe_read_source_files(Source0) of
                 Source1 ->
-                    lists:append(AccIn, [Source1])
+                    Source2 = emqx_utils:redact(Source1),
+                    lists:append(AccIn, [Source2])
             catch
                 _Error:_Reason ->
                     lists:append(AccIn, [Source0])
@@ -267,7 +268,8 @@ source(get, #{bindings := #{type := Type}}) ->
         fun(Source0) ->
             try emqx_authz:maybe_read_source_files(Source0) of
                 Source1 ->
-                    {200, Source1}
+                    Source2 = emqx_utils:redact(Source1),
+                    {200, Source2}
             catch
                 _Error:Reason ->
                     {500, #{
@@ -280,8 +282,9 @@ source(get, #{bindings := #{type := Type}}) ->
 source(put, #{bindings := #{type := Type}, body := #{<<"type">> := Type} = Body}) ->
     with_source(
         Type,
-        fun(_) ->
+        fun(RawConf) ->
-            update_config({?CMD_REPLACE, Type}, Body)
+            Conf = emqx_utils:deobfuscate(Body, RawConf),
+            update_config({?CMD_REPLACE, Type}, Conf)
         end
     );
 source(put, #{bindings := #{type := Type}, body := #{<<"type">> := _OtherType}}) ->

changes/ce/fix-13225.en.md

@@ -0,0 +1 @@
+Redacted sensitive data from authentication and authorization APIs.