Merge pull request #13225 from lafirest/fix/mysql_redact
fix(auth): redact sensitive data for the authn/authz APIs
commit
afd4b46f72
|
@ -897,7 +897,7 @@ list_authenticators(ConfKeyPath) ->
|
|||
maps:put(
|
||||
id,
|
||||
emqx_authn_chains:authenticator_id(AuthenticatorConfig),
|
||||
convert_certs(AuthenticatorConfig)
|
||||
convert_certs(emqx_utils:redact(AuthenticatorConfig))
|
||||
)
|
||||
|| AuthenticatorConfig <- AuthenticatorsConfig
|
||||
],
|
||||
|
@ -907,7 +907,8 @@ list_authenticator(_, ConfKeyPath, AuthenticatorID) ->
|
|||
with_authenticator(
|
||||
AuthenticatorID,
|
||||
ConfKeyPath,
|
||||
fun(AuthenticatorConfig) ->
|
||||
fun(AuthenticatorConfig0) ->
|
||||
AuthenticatorConfig = emqx_utils:redact(AuthenticatorConfig0),
|
||||
{200, maps:put(id, AuthenticatorID, convert_certs(AuthenticatorConfig))}
|
||||
end
|
||||
).
|
||||
|
@ -1050,9 +1051,16 @@ is_ok(ResL) ->
|
|||
|
||||
update_authenticator(ConfKeyPath, ChainName, AuthenticatorID, Config) ->
|
||||
case
|
||||
update_config(
|
||||
with_deobfuscate_update(
|
||||
ConfKeyPath,
|
||||
{update_authenticator, ChainName, AuthenticatorID, Config}
|
||||
AuthenticatorID,
|
||||
Config,
|
||||
fun(AuthenticatorConfig) ->
|
||||
update_config(
|
||||
ConfKeyPath,
|
||||
{update_authenticator, ChainName, AuthenticatorID, AuthenticatorConfig}
|
||||
)
|
||||
end
|
||||
)
|
||||
of
|
||||
{ok, _} ->
|
||||
|
@ -1160,6 +1168,15 @@ list_users(ChainName, AuthenticatorID, QueryString) ->
|
|||
{200, Result}
|
||||
end.
|
||||
|
||||
with_deobfuscate_update(ConfKeyPath, AuthenticatorID, NewConf, Fun) ->
|
||||
case find_authenticator_config(AuthenticatorID, ConfKeyPath) of
|
||||
{ok, RawConf} ->
|
||||
Conf = emqx_utils:deobfuscate(NewConf, RawConf),
|
||||
Fun(Conf);
|
||||
{error, _} = Error ->
|
||||
Error
|
||||
end.
|
||||
|
||||
update_config(Path, ConfigRequest) ->
|
||||
emqx_conf:update(Path, ConfigRequest, #{
|
||||
rawconf_with_defaults => true,
|
||||
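Review bot: `with_deobfuscate_update/4` has no comment, and its purpose is not obvious from the name: the list handlers above now return redacted configs, so an update body may carry redacted placeholders, which `emqx_utils:deobfuscate(NewConf, RawConf)` presumably replaces with the stored values before the update runs. Suggest `%% Restore secrets that the client sent back in redacted form, taking them from the stored raw config.` above the function. Assuming that is how deobfuscation works, the stored secret is reused even when other fields of `NewConf` (for example the backend address) differ from `RawConf`, so a secret could end up being used against a different backend than the one it was configured for; consider requiring the secret to be re-entered when the connection target changes. The `{error, _}` returned here also flows into the `case ... of` in `update_authenticator/4`, whose clauses other than `{ok, _} ->` are outside the hunk, so confirm that shape is handled.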
|
|
|
@ -244,7 +244,8 @@ sources(get, _) ->
|
|||
fun(Source0, AccIn) ->
|
||||
try emqx_authz:maybe_read_source_files(Source0) of
|
||||
Source1 ->
|
||||
lists:append(AccIn, [Source1])
|
||||
Source2 = emqx_utils:redact(Source1),
|
||||
lists:append(AccIn, [Source2])
|
||||
catch
|
||||
_Error:_Reason ->
|
||||
lists:append(AccIn, [Source0])
|
||||
|
@ -267,7 +268,8 @@ source(get, #{bindings := #{type := Type}}) ->
|
|||
fun(Source0) ->
|
||||
try emqx_authz:maybe_read_source_files(Source0) of
|
||||
Source1 ->
|
||||
{200, Source1}
|
||||
Source2 = emqx_utils:redact(Source1),
|
||||
{200, Source2}
|
||||
catch
|
||||
_Error:Reason ->
|
||||
{500, #{
|
||||
|
@ -280,8 +282,9 @@ source(get, #{bindings := #{type := Type}}) ->
|
|||
source(put, #{bindings := #{type := Type}, body := #{<<"type">> := Type} = Body}) ->
|
||||
with_source(
|
||||
Type,
|
||||
fun(_) ->
|
||||
update_config({?CMD_REPLACE, Type}, Body)
|
||||
fun(RawConf) ->
|
||||
Conf = emqx_utils:deobfuscate(Body, RawConf),
|
||||
update_config({?CMD_REPLACE, Type}, Conf)
|
||||
end
|
||||
);
|
||||
source(put, #{bindings := #{type := Type}, body := #{<<"type">> := _OtherType}}) ->
|
||||
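Review bot: In `sources(get, _)` the `catch` branch still appends the raw `Source0` (`lists:append(AccIn, [Source0])`), so when `emqx_authz:maybe_read_source_files/1` raises, that source is returned without passing through `emqx_utils:redact/1`. Redact on the failure path as well, e.g. `lists:append(AccIn, [emqx_utils:redact(Source0)])`. The `catch` branch of `source(get, ...)` builds a 500 body from `Reason` that continues outside the hunk; it is worth checking that nothing from the unredacted source ends up in it. A test that forces `maybe_read_source_files/1` to fail and asserts that the listing carries no secret would pin this.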
|
|
|
@ -0,0 +1 @@
|
|||
Redacted sensitive data from authentication and authorization APIs.
|