yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #10653 from SergeTupchiy/convert-gateway-authn-certs 

fix(emqx_gateway): convert and clear authentication certificates
This commit is contained in:
SergeTupchiy 2023-05-11 11:35:55 +03:00 committed by GitHub
parent a736b633b0 b98a7168c4
commit 0617a9b11c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 62 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
apps/emqx/src/emqx_authentication_config.erl
View File

@ -29,9 +29,13 @@
authn_type/1 authn_type/1
]). ]).
-ifdef(TEST). %% Used in emqx_gateway
-export([convert_certs/2, convert_certs/3, clear_certs/2]). -export([
-endif. certs_dir/2,
convert_certs/2,
convert_certs/3,
clear_certs/2
]).
-export_type([config/0]). -export_type([config/0]).

60
apps/emqx_gateway/src/emqx_gateway_conf.erl
View File

@ -448,10 +448,12 @@ pre_config_update(_, {add_authn, GwName, Conf}, RawConf) ->
) )
of of
undefined -> undefined ->
CertsDir = authn_certs_dir(GwName, Conf),
Conf1 = emqx_authentication_config:convert_certs(CertsDir, Conf),
{ok, {ok,
emqx_utils_maps:deep_merge( emqx_utils_maps:deep_merge(
RawConf, RawConf,
#{GwName => #{?AUTHN_BIN => Conf}} #{GwName => #{?AUTHN_BIN => Conf1}}
)}; )};
_ -> _ ->
badres_authn(already_exist, GwName) badres_authn(already_exist, GwName)
@ -469,7 +471,9 @@ pre_config_update(_, {add_authn, GwName, {LType, LName}, Conf}, RawConf) ->
Listener -> Listener ->
case maps:get(?AUTHN_BIN, Listener, undefined) of case maps:get(?AUTHN_BIN, Listener, undefined) of
undefined -> undefined ->
NListener = maps:put(?AUTHN_BIN, Conf, Listener), CertsDir = authn_certs_dir(GwName, LType, LName, Conf),
Conf1 = emqx_authentication_config:convert_certs(CertsDir, Conf),
NListener = maps:put(?AUTHN_BIN, Conf1, Listener),
NGateway = #{ NGateway = #{
GwName => GwName =>
#{ #{
@ -490,8 +494,10 @@ pre_config_update(_, {update_authn, GwName, Conf}, RawConf) ->
of of
undefined -> undefined ->
badres_authn(not_found, GwName); badres_authn(not_found, GwName);
_Authn -> OldAuthnConf ->
{ok, emqx_utils_maps:deep_put([GwName, ?AUTHN_BIN], RawConf, Conf)} CertsDir = authn_certs_dir(GwName, Conf),
Conf1 = emqx_authentication_config:convert_certs(CertsDir, Conf, OldAuthnConf),
{ok, emqx_utils_maps:deep_put([GwName, ?AUTHN_BIN], RawConf, Conf1)}
end; end;
pre_config_update(_, {update_authn, GwName, {LType, LName}, Conf}, RawConf) -> pre_config_update(_, {update_authn, GwName, {LType, LName}, Conf}, RawConf) ->
case case
@ -507,10 +513,16 @@ pre_config_update(_, {update_authn, GwName, {LType, LName}, Conf}, RawConf) ->
case maps:get(?AUTHN_BIN, Listener, undefined) of case maps:get(?AUTHN_BIN, Listener, undefined) of
undefined -> undefined ->
badres_listener_authn(not_found, GwName, LType, LName); badres_listener_authn(not_found, GwName, LType, LName);
_Auth -> OldAuthnConf ->
CertsDir = authn_certs_dir(GwName, LType, LName, OldAuthnConf),
Conf1 = emqx_authentication_config:convert_certs(
CertsDir,
Conf,
OldAuthnConf
),
NListener = maps:put( NListener = maps:put(
?AUTHN_BIN, ?AUTHN_BIN,
Conf, Conf1,
Listener Listener
), ),
{ok, {ok,
@ -522,12 +534,36 @@ pre_config_update(_, {update_authn, GwName, {LType, LName}, Conf}, RawConf) ->
end end
end; end;
pre_config_update(_, {remove_authn, GwName}, RawConf) -> pre_config_update(_, {remove_authn, GwName}, RawConf) ->
case
emqx_utils_maps:deep_get(
[GwName, ?AUTHN_BIN], RawConf, undefined
)
of
undefined ->
ok;
OldAuthnConf ->
CertsDir = authn_certs_dir(GwName, OldAuthnConf),
emqx_authentication_config:clear_certs(CertsDir, OldAuthnConf)
end,
{ok, {ok,
emqx_utils_maps:deep_remove( emqx_utils_maps:deep_remove(
[GwName, ?AUTHN_BIN], RawConf [GwName, ?AUTHN_BIN], RawConf
)}; )};
pre_config_update(_, {remove_authn, GwName, {LType, LName}}, RawConf) -> pre_config_update(_, {remove_authn, GwName, {LType, LName}}, RawConf) ->
Path = [GwName, <<"listeners">>, LType, LName, ?AUTHN_BIN], Path = [GwName, <<"listeners">>, LType, LName, ?AUTHN_BIN],
case
emqx_utils_maps:deep_get(
Path,
RawConf,
undefined
)
of
undefined ->
ok;
OldAuthnConf ->
CertsDir = authn_certs_dir(GwName, LType, LName, OldAuthnConf),
emqx_authentication_config:clear_certs(CertsDir, OldAuthnConf)
end,
{ok, emqx_utils_maps:deep_remove(Path, RawConf)}; {ok, emqx_utils_maps:deep_remove(Path, RawConf)};
pre_config_update(_, UnknownReq, _RawConf) -> pre_config_update(_, UnknownReq, _RawConf) ->
logger:error("Unknown configuration update request: ~0p", [UnknownReq]), logger:error("Unknown configuration update request: ~0p", [UnknownReq]),
@ -678,6 +714,18 @@ apply_to_gateway_basic_confs(_Fun, _GwName, Conf) ->
certs_dir(GwName) when is_binary(GwName) -> certs_dir(GwName) when is_binary(GwName) ->
GwName. GwName.
authn_certs_dir(GwName, ListenerType, ListenerName, AuthnConf) ->
ChainName = emqx_gateway_utils:listener_chain(GwName, ListenerType, ListenerName),
emqx_authentication_config:certs_dir(ChainName, AuthnConf).
authn_certs_dir(GwName, AuthnConf) when is_binary(GwName) ->
authn_certs_dir(binary_to_existing_atom(GwName), AuthnConf);
authn_certs_dir(GwName, AuthnConf) ->
emqx_authentication_config:certs_dir(
emqx_gateway_utils:global_chain(GwName),
AuthnConf
).
convert_certs(SubDir, Conf) -> convert_certs(SubDir, Conf) ->
convert_certs(<<"dtls_options">>, SubDir, convert_certs(<<"ssl_options">>, SubDir, Conf)). convert_certs(<<"dtls_options">>, SubDir, convert_certs(<<"ssl_options">>, SubDir, Conf)).

1
changes/ce/fix-10653.en.md Normal file
View File

@ -0,0 +1 @@
Store gateway authentication TLS certificates and keys in the data directory.