diff --git a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_ldap.erl b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_ldap.erl
index 83a57cf7b..ebe9ae913 100644
--- a/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_ldap.erl
+++ b/apps/emqx_dashboard_sso/src/emqx_dashboard_sso_ldap.erl
@@ -87,19 +87,7 @@ destroy(#{resource_id := ResourceId}) ->
 parse_config(Config0) ->
 Config = ensure_bind_password(Config0),
- State = lists:foldl(
- fun(Key, Acc) ->
- case maps:find(Key, Config) of
- {ok, Value} when is_binary(Value) ->
- Acc#{Key := erlang:binary_to_list(Value)};
- _ ->
- Acc
- end
- end,
- Config,
- [query_timeout]
- ),
- {Config, State}.
+ {Config, maps:with([query_timeout], Config0)}.
 %% In this feature, the `bind_password` is fixed, so it should conceal from the swagger,
 %% but the connector still needs it, hence we should add it back here
diff --git a/apps/emqx_ldap/src/emqx_ldap_authn.erl b/apps/emqx_ldap/src/emqx_ldap_authn.erl
index d5f2658bb..cbe62dfb2 100644
--- a/apps/emqx_ldap/src/emqx_ldap_authn.erl
+++ b/apps/emqx_ldap/src/emqx_ldap_authn.erl
@@ -91,14 +91,14 @@ refs() ->
 create(_AuthenticatorID, Config) ->
 do_create(?MODULE, Config).
-do_create(Module, Config0) ->
+do_create(Module, Config) ->
 ResourceId = emqx_authn_utils:make_resource_id(Module),
- {Config, State} = parse_config(Config0),
+ State = parse_config(Config),
 {ok, _Data} = emqx_authn_utils:create_resource(ResourceId, emqx_ldap, Config),
 {ok, State#{resource_id => ResourceId}}.
-update(Config0, #{resource_id := ResourceId} = _State) ->
- {Config, NState} = parse_config(Config0),
+update(Config, #{resource_id := ResourceId} = _State) ->
+ NState = parse_config(Config),
 case emqx_authn_utils:update_resource(emqx_ldap, Config, ResourceId) of
 {error, Reason} ->
 error({load_config_error, Reason});
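Review bot: The `binary_to_list/1` conversion of `query_timeout` is dropped from `parse_config/1`, and nothing in the hunk shows that the value can no longer arrive as a binary; the same removal happens in `emqx_ldap_authn:parse_config/1` and `emqx_ldap_authz:new_annotations/2` for the attribute-name keys. If the schema already delivers the type the query code expects, a comment such as `%% query_timeout is used as delivered by the schema; no binary-to-list conversion needed` would record that. The state map is also now taken from `Config0` and holds only `query_timeout`, so the `bind_password` added by `ensure_bind_password/1` no longer travels in it; saying so in the same comment would keep the state from being widened again later.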
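Review bot: `parse_config/1` in this module now returns a bare state map, while the function of the same name in `emqx_dashboard_sso_ldap` (first file of this commit) still returns `{Config, State}`; two return shapes under one name are easy to mix up when code is copied between the modules. A spec on each, for example `-spec parse_config(map()) -> map().` here, would let Dialyzer catch a caller that destructures the wrong shape. The body of `update/2` continues outside the hunk.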
@@ -143,19 +143,7 @@ authenticate(
 end.
 parse_config(Config) ->
- State = lists:foldl(
- fun(Key, Acc) ->
- case maps:find(Key, Config) of
- {ok, Value} when is_binary(Value) ->
- Acc#{Key := erlang:binary_to_list(Value)};
- _ ->
- Acc
- end
- end,
- Config,
- [password_attribute, is_superuser_attribute, query_timeout]
- ),
- {Config, State}.
+ maps:with([query_timeout, password_attribute, is_superuser_attribute], Config).
 %% To compatible v4.x
 is_enabled(Password, #eldap_entry{attributes = Attributes} = Entry, State) ->
diff --git a/apps/emqx_ldap/src/emqx_ldap_authz.erl b/apps/emqx_ldap/src/emqx_ldap_authz.erl
index 13110306c..b48b3a48b 100644
--- a/apps/emqx_ldap/src/emqx_ldap_authz.erl
+++ b/apps/emqx_ldap/src/emqx_ldap_authz.erl
@@ -134,21 +134,10 @@ do_authorize(_Action, _Topic, [], _Entry) ->
 nomatch.
 new_annotations(Init, Source) ->
- lists:foldl(
- fun(Attr, Acc) ->
- Acc#{
- Attr =>
- case maps:get(Attr, Source) of
- Value when is_binary(Value) ->
- erlang:binary_to_list(Value);
- Value ->
- Value
- end
- }
- end,
- Init,
- [publish_attribute, subscribe_attribute, all_attribute]
- ).
+ State = maps:with(
+ [query_timeout, publish_attribute, subscribe_attribute, all_attribute], Source
+ ),
+ maps:merge(Init, State).
 select_attrs(#{action_type := publish}, #{publish_attribute := Pub, all_attribute := All}) ->
 [Pub, All];
diff --git a/changes/ce/fix-11667.en.md b/changes/ce/fix-11667.en.md
new file mode 100644
index 000000000..5aab26e13
--- /dev/null
+++ b/changes/ce/fix-11667.en.md
@@ -0,0 +1 @@
+Disable access to the `logout` endpoint by the API key, this endpoint is for the Dashboard only.
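Review bot: `parse_config/1` used to return the whole `Config` as state and now returns only three keys, and nothing in the hunk shows that every function receiving `State` (for example `is_enabled/3` just below) reads only those keys plus `resource_id`. The narrowing is a sound change if, as seems likely, `Config` carries the LDAP bind credentials, because they then no longer travel in authenticator state. A comment above the function, e.g. `%% State holds only what authentication needs; connection settings and credentials stay in the resource config.`, would document that intent. `is_enabled/3` starts on the last line of the hunk and its body is outside it.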
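Review bot: `maps:with/2` silently skips keys missing from `Source`, whereas the removed `maps:get(Attr, Source)` failed right away inside `new_annotations/2`; a missing attribute now surfaces only later, for instance as a `function_clause` in `select_attrs/2`, whose head matches `#{publish_attribute := Pub, all_attribute := All}`. If the schema always supplies the three attribute keys, the early failure can be kept with an assertive match before the `maps:with/2` call: `#{publish_attribute := _, subscribe_attribute := _, all_attribute := _} = Source,`. `query_timeout` is new in this key list and may be optional, so it is left out of that match. `select_attrs/2` continues outside the hunk.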