
fix: reveal file path secrets in logs

zmstone пре 1 година
родитељ
комит
3a10c1bd44

+ 2 - 2
apps/emqx/src/emqx_schema_secret.erl

@@ -71,8 +71,8 @@ convert_secret(Secret, #{}) ->
     end.
 
 -spec wrap(source()) -> emqx_secret:t(t()).
-wrap(<<"file://", Filename/binary>>) ->
-    emqx_secret:wrap_load({file, Filename});
+wrap(<<"file://", _Filename/binary>> = Secret) ->
+    emqx_secret:wrap_load({file, Secret});
 wrap(Secret) ->
     emqx_secret:wrap(Secret).
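Review bot: The rewritten `wrap/1` clause deliberately leaves the `file://` prefix inside the `{file, _}` source, which only works because `emqx_secret_loader:load/1` strips it again and `emqx_utils_redact` uses that prefix to tell a path from a secret; nothing in the hunk records this three-module contract, so the clause looks like it could be simplified back to the stripped `Filename`. A comment above the clause would pin it: `%% Keep the "file://" prefix in the source: the loader strips it, and the redactor relies on it to log a file path (not a secret) when the wrapped term appears in logs.` The `_Filename` binding is now only a shape check, which the comment should also make clear.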
 

+ 5 - 1
apps/emqx/src/emqx_secret_loader.erl

@@ -22,9 +22,13 @@
 
 -export_type([source/0]).
 
--type source() :: {file, file:filename_all()}.
+-type source() :: {file, string() | binary()}.
 
 -spec load(source()) -> binary() | no_return().
+load({file, <<"file://", Path/binary>>}) ->
+    file(Path);
+load({file, "file://" ++ Path}) ->
+    file(Path);
 load({file, Filename}) ->
     file(Filename).
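Review bot: The exported `source()` type is narrowed from `file:filename_all()` to `string() | binary()`, so a caller that passed deep chardata (admitted by the old type) is now flagged by Dialyzer even though the third `load/1` clause still accepts it at runtime; either keep `file:filename_all()` and add the two prefix-stripping clauses on top, or state in a comment that only flat strings and binaries are supported. The `"file://" ++ Path` clause matches a flat list only, so a prefixed deep list would fall through to `file(Filename)` and be opened with the prefix intact. A comment above the new clauses, `%% A source may carry the "file://" prefix that emqx_schema_secret keeps for log redaction; strip it before opening the file`, explains why two spellings are accepted. `file/1` is outside the hunk.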
 

+ 21 - 4
apps/emqx_utils/src/emqx_utils_redact.erl

@@ -163,10 +163,27 @@ redact_v([{str, Bin}]) when is_binary(Bin) ->
 redact_v(V) ->
     do_redact_v(V).
 
-do_redact_v(<<"file://", _/binary>> = V) -> V;
-do_redact_v("file://" ++ _ = V) -> V;
-do_redact_v(B) when is_binary(B) -> <<?REDACT_VAL>>;
-do_redact_v(_) -> ?REDACT_VAL.
+do_redact_v(<<"file://", _/binary>> = V) ->
+    V;
+do_redact_v("file://" ++ _ = V) ->
+    V;
+do_redact_v(B) when is_binary(B) ->
+    <<?REDACT_VAL>>;
+do_redact_v(F) when is_function(F, 0) ->
+    %% this can happen in logs
+    try
+        case emqx_secret:term(F) of
+            {file, File} ->
+                File;
+            V ->
+                do_redact_v(V)
+        end
+    catch
+        _:_ ->
+            ?REDACT_VAL
+    end;
+do_redact_v(_) ->
+    ?REDACT_VAL.
 
 deobfuscate(NewConf, OldConf) ->
     deobfuscate(NewConf, OldConf, fun(_) -> false end).

+ 18 - 4
apps/emqx_utils/test/emqx_utils_redact_tests.erl

@@ -50,14 +50,28 @@ no_redact_file_paths_test() ->
         #{
             password => <<"file:///abs/path/a">>,
             <<"secret">> => <<"file://relative/path/b">>,
-            account_key => "file://string/path/x",
-            private_key => "file://string/path/y"
+            account_key => "file://string/path/x"
         },
         redact(#{
             password => <<"file:///abs/path/a">>,
             <<"secret">> => <<"file://relative/path/b">>,
-            account_key => "file://string/path/x",
-            private_key => "file://string/path/y"
+            account_key => "file://string/path/x"
+        })
+    ).
+
+no_redact_wrapped_file_paths_test() ->
+    ?assertEqual(
+        #{password => <<"file:///abs/path/a">>},
+        redact(#{
+            password => emqx_secret:wrap_load({file, <<"file:///abs/path/a">>})
+        })
+    ).
+
+redact_wrapped_secret_test() ->
+    ?assertEqual(
+        #{password => <<"******">>},
+        redact(#{
+            password => emqx_secret:wrap(<<"aaa">>)
         })
     ).