Merge pull request #11690 from lafirest/fix/ldap_parse_cfg

fix(ldap): improve the LDAP `parse_config` function

apps/emqx_dashboard_sso/src/emqx_dashboard_sso_ldap.erl

@@ -87,19 +87,7 @@ destroy(#{resource_id := ResourceId}) ->
 
 parse_config(Config0) ->
     Config = ensure_bind_password(Config0),
-    State = lists:foldl(
+    {Config, maps:with([query_timeout], Config0)}.
-        fun(Key, Acc) ->
-            case maps:find(Key, Config) of
-                {ok, Value} when is_binary(Value) ->
-                    Acc#{Key := erlang:binary_to_list(Value)};
-                _ ->
-                    Acc
-            end
-        end,
-        Config,
-        [query_timeout]
-    ),
-    {Config, State}.
 
 %% In this feature, the `bind_password` is fixed, so it should conceal from the swagger,
 %% but the connector still needs it, hence we should add it back here

apps/emqx_ldap/src/emqx_ldap_authn.erl

@@ -91,14 +91,14 @@ refs() ->
 create(_AuthenticatorID, Config) ->
     do_create(?MODULE, Config).
 
-do_create(Module, Config0) ->
+do_create(Module, Config) ->
     ResourceId = emqx_authn_utils:make_resource_id(Module),
-    {Config, State} = parse_config(Config0),
+    State = parse_config(Config),
     {ok, _Data} = emqx_authn_utils:create_resource(ResourceId, emqx_ldap, Config),
     {ok, State#{resource_id => ResourceId}}.
 
-update(Config0, #{resource_id := ResourceId} = _State) ->
+update(Config, #{resource_id := ResourceId} = _State) ->
-    {Config, NState} = parse_config(Config0),
+    NState = parse_config(Config),
     case emqx_authn_utils:update_resource(emqx_ldap, Config, ResourceId) of
         {error, Reason} ->
             error({load_config_error, Reason});
@@ -143,19 +143,7 @@ authenticate(
     end.
 
 parse_config(Config) ->
-    State = lists:foldl(
+    maps:with([query_timeout, password_attribute, is_superuser_attribute], Config).
-        fun(Key, Acc) ->
-            case maps:find(Key, Config) of
-                {ok, Value} when is_binary(Value) ->
-                    Acc#{Key := erlang:binary_to_list(Value)};
-                _ ->
-                    Acc
-            end
-        end,
-        Config,
-        [password_attribute, is_superuser_attribute, query_timeout]
-    ),
-    {Config, State}.
 
 %% To compatible v4.x
 is_enabled(Password, #eldap_entry{attributes = Attributes} = Entry, State) ->

apps/emqx_ldap/src/emqx_ldap_authz.erl

@@ -134,21 +134,10 @@ do_authorize(_Action, _Topic, [], _Entry) ->
     nomatch.
 
 new_annotations(Init, Source) ->
-    lists:foldl(
+    State = maps:with(
-        fun(Attr, Acc) ->
+        [query_timeout, publish_attribute, subscribe_attribute, all_attribute], Source
-            Acc#{
+    ),
-                Attr =>
+    maps:merge(Init, State).
-                    case maps:get(Attr, Source) of
-                        Value when is_binary(Value) ->
-                            erlang:binary_to_list(Value);
-                        Value ->
-                            Value
-                    end
-            }
-        end,
-        Init,
-        [publish_attribute, subscribe_attribute, all_attribute]
-    ).
 
 select_attrs(#{action_type := publish}, #{publish_attribute := Pub, all_attribute := All}) ->
     [Pub, All];

changes/ce/fix-11667.en.md

@@ -0,0 +1 @@
+Disable access to the `logout` endpoint by the API key, this endpoint is for the Dashboard only.