From e6c85dfb0406bd919c36741e0b5f12ccf1be56e7 Mon Sep 17 00:00:00 2001 From: k32 <10274441+k32@users.noreply.github.com> Date: Tue, 4 May 2021 20:52:00 +0200 Subject: [PATCH] fix(node_dump): Attempt to censor passwords --- bin/node_dump | 9 +++--- src/emqx_node_dump.erl | 70 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+), 4 deletions(-) create mode 100644 src/emqx_node_dump.erl diff --git a/bin/node_dump b/bin/node_dump index dad2ee07f..7b8af8cf5 100755 --- a/bin/node_dump +++ b/bin/node_dump @@ -12,14 +12,15 @@ DUMP="log/node_dump_$(date +"%y%m%d_%H%M%S").tar.gz" collect() { echo "========================================================" - echo " $@" + echo " $*" echo "========================================================" - eval $@ || echo "Unavailable" + eval "$*" || echo "Unavailable" echo -e '\n' } { collect bin/emqx_ctl broker + collect bin/emqx eval "'emqx_node_dump:sys_info()'" collect uname -a collect uptime @@ -33,9 +34,9 @@ collect() { collect bin/emqx_ctl listeners } > log/sysinfo.txt -bin/emqx eval 'ets:tab2list(ac_tab)' > log/conf.dump +bin/emqx eval 'emqx_node_dump:app_env_dump()' > log/conf.dump -tar czf $DUMP log/*.log.* log/run_erl.log* log/sysinfo.txt log/conf.dump +tar czf "${DUMP}" log/*.log.* log/run_erl.log* log/sysinfo.txt log/conf.dump ## Cleanup: rm log/sysinfo.txt diff --git a/src/emqx_node_dump.erl b/src/emqx_node_dump.erl new file mode 100644 index 000000000..06940a379 --- /dev/null +++ b/src/emqx_node_dump.erl 
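Review bot: `eval "$*"` in `collect` joins the arguments into one string and has the shell parse it a second time, which is why the new call needs the nested quoting `"'emqx_node_dump:sys_info()'"`. If no caller relies on shell syntax inside its arguments (not every caller is visible in this hunk), running the command directly with `"$@" || echo "Unavailable"` would avoid the re-parse. The call could then be written as `collect bin/emqx eval 'emqx_node_dump:sys_info()'`. At minimum, a comment on `collect` such as `# arguments are re-parsed by eval; pass only fixed strings` would record the constraint.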
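Review bot: `log/conf.dump` now holds the application environment with only best-effort censoring, and it is written and archived with whatever umask the script inherits. Unless a umask is already set above this hunk, adding `umask 077` before the collection block would keep `conf.dump` and `"${DUMP}"` readable by the owner only. The cleanup visible here removes `log/sysinfo.txt`; the script may continue past the hunk, so confirm that `log/conf.dump` is removed as well.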
@@ -0,0 +1,70 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2021 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%% http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+%% Collection of functions for creating node dumps
+-module(emqx_node_dump).
+
+-export([ sys_info/0
+ , app_env_dump/0
+ ]).
+
+sys_info() ->
+ #{ release => emqx_app:get_release()
+ , otp_version => emqx_vm:get_otp_version()
+ }.
+
+app_env_dump() ->
+ censor(ets:tab2list(ac_tab)).
+
+censor([]) ->
+ [];
+censor([{{env, App, Key}, Val} | Rest]) ->
+ [{{env, App, Key}, censor([Key, App], Val)} | censor(Rest)];
+censor([_ | Rest]) ->
+ censor(Rest).
+
+censor(Path, L) when is_list(L) ->
+ [censor(Path, I) || I <- L];
+censor(Path, M) when is_map(M) ->
+ Fun = fun(Key, Val) ->
+ censor([Key|Path], Val)
+ end,
+ maps:map(Fun, M);
+censor(Path, {Key, Val}) when is_atom(Key) ->
+ {Key, censor([Key|Path], Val)};
+censor(Path, Val) ->
+ case Path of
+ [password|_] when is_binary(Val) ->
+ <<"censored">>;
+ [password|_] when is_list(Val) ->
+ "censored";
+ _ ->
+ Val
+ end.
+
+-ifdef(TEST).
+
+-include_lib("eunit/include/eunit.hrl").
+
+censor_test() ->
+ ?assertMatch( [{{env, emqx, listeners}, #{password := <<"censored">>}}]
+ , censor([foo, {{env, emqx, listeners}, #{password => <<"secret">>}}, {app, bar}])
+ ),
+ ?assertMatch( [{{env, emqx, listeners}, [{foo, 1}, {password, <<"censored">>}]}]
+ , censor([{{env, emqx, listeners}, [{foo, 1}, {password, <<"secret">>}]}])
+ ).
+
+-endif. %% TEST
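Review bot: Passwords stored as strings are not censored by `censor/2`. The clause `censor(Path, L) when is_list(L)` precedes the final clause, so a list value under `password` is walked character by character and each integer falls through to `_ -> Val`, which leaves the `[password|_] when is_list(Val)` branch unreachable. Matching the password path in the function head, ahead of the generic list clause, closes the gap. `censor_test` should also gain a string case such as `censor([{{env, emqx, listeners}, [{password, "secret"}]}])` expecting `"censored"`. Separately, only the atom key `password` is recognised, so binary or string keys and other secret-bearing settings pass through unchanged and the dump should still be handled as sensitive.

```erlang
%% The password path is checked first so that string (list) values are
%% replaced before the generic list clause descends into them.
censor([password | _], Val) when is_binary(Val) ->
    <<"censored">>;
censor([password | _], Val) when is_list(Val) ->
    "censored";
censor(Path, L) when is_list(L) ->
    [censor(Path, I) || I <- L];
%% … unchanged: map clause and {Key, Val} clause …
censor(_Path, Val) ->
    Val.
```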