fix(node_dump): Attempt to censor passwords

2021-05-04 20:52:00 +02:00 · 2021-05-04 20:52:00 +02:00 · e6c85dfb04
parent d913a7d20d
commit e6c85dfb04
2 changed files with 75 additions and 4 deletions
--- a/bin/node_dump
+++ b/bin/node_dump
@ -12,14 +12,15 @@ DUMP="log/node_dump_$(date +"%y%m%d_%H%M%S").tar.gz"

 collect() {
    echo "========================================================"
-    echo "    $@"
+    echo "    $*"
    echo "========================================================"
-    eval $@ || echo "Unavailable"
+    eval "$*" || echo "Unavailable"
    echo -e '\n'
 }

 {
    collect bin/emqx_ctl broker
+    collect bin/emqx eval "'emqx_node_dump:sys_info()'"

    collect uname -a
    collect uptime
@ -33,9 +34,9 @@ collect() {
    collect bin/emqx_ctl listeners
 } > log/sysinfo.txt

-bin/emqx eval 'ets:tab2list(ac_tab)' > log/conf.dump
+bin/emqx eval 'emqx_node_dump:app_env_dump()' > log/conf.dump

-tar czf $DUMP log/*.log.* log/run_erl.log* log/sysinfo.txt log/conf.dump
+tar czf "${DUMP}" log/*.log.* log/run_erl.log* log/sysinfo.txt log/conf.dump

 ## Cleanup:
 rm log/sysinfo.txt
--- a/src/emqx_node_dump.erl
+++ b/src/emqx_node_dump.erl
@ -0,0 +1,70 @@
+%%--------------------------------------------------------------------
+%% Copyright (c) 2021 EMQ Technologies Co., Ltd. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%--------------------------------------------------------------------
+
+%% Collection of functions for creating node dumps
+-module(emqx_node_dump).
+
+-export([ sys_info/0
+        , app_env_dump/0
+        ]).
+
+sys_info() ->
+    #{ release     => emqx_app:get_release()
+     , otp_version => emqx_vm:get_otp_version()
+     }.
+
+app_env_dump() ->
+    censor(ets:tab2list(ac_tab)).
+
+censor([]) ->
+    [];
+censor([{{env, App, Key}, Val} | Rest]) ->
+    [{{env, App, Key}, censor([Key, App], Val)} | censor(Rest)];
+censor([_ | Rest]) ->
+    censor(Rest).
+
+censor(Path, L) when is_list(L) ->
+    [censor(Path, I) || I <- L];
+censor(Path, M) when is_map(M) ->
+    Fun = fun(Key, Val) ->
+                  censor([Key|Path], Val)
+          end,
+    maps:map(Fun, M);
+censor(Path, {Key, Val}) when is_atom(Key) ->
+    {Key, censor([Key|Path], Val)};
+censor(Path, Val) ->
+    case Path of
+        [password|_] when is_binary(Val) ->
+            <<"censored">>;
+        [password|_] when is_list(Val) ->
+            "censored";
+        _ ->
+            Val
+    end.
+
+-ifdef(TEST).
+
+-include_lib("eunit/include/eunit.hrl").
+
+censor_test() ->
+    ?assertMatch( [{{env, emqx, listeners}, #{password := <<"censored">>}}]
+                , censor([foo, {{env, emqx, listeners}, #{password => <<"secret">>}}, {app, bar}])
+                ),
+    ?assertMatch( [{{env, emqx, listeners}, [{foo, 1}, {password, <<"censored">>}]}]
+                , censor([{{env, emqx, listeners}, [{foo, 1}, {password, <<"secret">>}]}])
+                ).
+
+-endif. %% TEST