Merge pull request #13225 from lafirest/fix/mysql_redact

fix(auth): redact sensitive data for the authn/authz APIs
lafirest 2024-06-14 09:19:21 +08:00 committed by GitHub
commit afd4b46f72
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 29 additions and 8 deletions


@ -897,7 +897,7 @@ list_authenticators(ConfKeyPath) ->
maps:put(
id,
emqx_authn_chains:authenticator_id(AuthenticatorConfig),
convert_certs(AuthenticatorConfig)
convert_certs(emqx_utils:redact(AuthenticatorConfig))
)
|| AuthenticatorConfig <- AuthenticatorsConfig
],
@ -907,7 +907,8 @@ list_authenticator(_, ConfKeyPath, AuthenticatorID) ->
with_authenticator(
AuthenticatorID,
ConfKeyPath,
fun(AuthenticatorConfig) ->
fun(AuthenticatorConfig0) ->
AuthenticatorConfig = emqx_utils:redact(AuthenticatorConfig0),
{200, maps:put(id, AuthenticatorID, convert_certs(AuthenticatorConfig))}
end
).
@ -1050,9 +1051,16 @@ is_ok(ResL) ->
update_authenticator(ConfKeyPath, ChainName, AuthenticatorID, Config) ->
case
update_config(
with_deobfuscate_update(
ConfKeyPath,
{update_authenticator, ChainName, AuthenticatorID, Config}
AuthenticatorID,
Config,
fun(AuthenticatorConfig) ->
update_config(
ConfKeyPath,
{update_authenticator, ChainName, AuthenticatorID, AuthenticatorConfig}
)
end
)
of
{ok, _} ->
@ -1160,6 +1168,15 @@ list_users(ChainName, AuthenticatorID, QueryString) ->
{200, Result}
end.
with_deobfuscate_update(ConfKeyPath, AuthenticatorID, NewConf, Fun) ->
case find_authenticator_config(AuthenticatorID, ConfKeyPath) of
{ok, RawConf} ->
Conf = emqx_utils:deobfuscate(NewConf, RawConf),
Fun(Conf);
{error, _} = Error ->
Error
end.
update_config(Path, ConfigRequest) ->
emqx_conf:update(Path, ConfigRequest, #{
rawconf_with_defaults => true,
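Review bot: The `{error, _} = Error` that `with_deobfuscate_update/4` returns when `find_authenticator_config/2` misses now flows into the `case ... of` in `update_authenticator/4`, whose clauses after `{ok, _} ->` lie outside the hunk; unless one of them matches that error shape, a PUT for an unknown authenticator ID ends in a `case_clause` crash instead of a clean error response, where previously only `update_config/2` results reached that `case`. The new helper also has no spec and no comment saying why it consults the stored config; I would add above it `%% Re-fill the fields emqx_utils:redact/1 masked in NewConf (as a client gets them from GET) from the config currently stored under AuthenticatorID, then hand the merged config to Fun. NOTE(review): assumes emqx_utils:deobfuscate/2 only substitutes redacted placeholders - confirm.` together with a `-spec`. `update_authenticator/4` continues past the hunk; if its success branch echoes the stored config back to the caller, that response needs the same `emqx_utils:redact/1` treatment the list/get paths now get.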


@ -244,7 +244,8 @@ sources(get, _) ->
fun(Source0, AccIn) ->
try emqx_authz:maybe_read_source_files(Source0) of
Source1 ->
lists:append(AccIn, [Source1])
Source2 = emqx_utils:redact(Source1),
lists:append(AccIn, [Source2])
catch
_Error:_Reason ->
lists:append(AccIn, [Source0])
@ -267,7 +268,8 @@ source(get, #{bindings := #{type := Type}}) ->
fun(Source0) ->
try emqx_authz:maybe_read_source_files(Source0) of
Source1 ->
{200, Source1}
Source2 = emqx_utils:redact(Source1),
{200, Source2}
catch
_Error:Reason ->
{500, #{
@ -280,8 +282,9 @@ source(get, #{bindings := #{type := Type}}) ->
source(put, #{bindings := #{type := Type}, body := #{<<"type">> := Type} = Body}) ->
with_source(
Type,
fun(_) ->
update_config({?CMD_REPLACE, Type}, Body)
fun(RawConf) ->
Conf = emqx_utils:deobfuscate(Body, RawConf),
update_config({?CMD_REPLACE, Type}, Conf)
end
);
source(put, #{bindings := #{type := Type}, body := #{<<"type">> := _OtherType}}) ->
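Review bot: In `sources(get, _)` the redaction is applied only on the `of` branch (`Source2 = emqx_utils:redact(Source1)`), while the `catch _Error:_Reason` branch directly below still appends the raw `Source0`, so whenever `emqx_authz:maybe_read_source_files/1` throws (presumably when a referenced file cannot be read) that source is listed with its secrets unredacted. Change the catch branch to `lists:append(AccIn, [emqx_utils:redact(Source0)])`, or redact `Source0` before the `try` if `redact/1` leaves untouched the file-reference fields that `maybe_read_source_files/1` consumes. The 500 body built in the catch branch of `source(get, ...)` runs past the hunk; check it does not embed `Source0` either. Separately, `lists:append(AccIn, [X])` inside the fold is quadratic; `[X | AccIn]` with a final `lists:reverse/1` is the usual shape, though that pattern predates this change.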


@ -0,0 +1 @@
Redacted sensitive data from authentication and authorization APIs.