From 26d2ed3d319aeda05b9c17feeb1fbca2ebe881b6 Mon Sep 17 00:00:00 2001
From: Thales Macedo Garitezi
Date: Mon, 7 Nov 2022 16:42:51 -0300
Subject: [PATCH] fix(crl): allow specifying CRL URLs per listener
---
 priv/emqx.schema | 27 ++++++++++++++++-----------
 src/emqx_crl_cache.erl | 11 ++++++++++-
 test/emqx_crl_cache_SUITE.erl | 33 ++++++++++++++++++++++-----------
 3 files changed, 48 insertions(+), 23 deletions(-)
diff --git a/priv/emqx.schema b/priv/emqx.schema
index 361374ee5..5c4ed24e2 100644
--- a/priv/emqx.schema
+++ b/priv/emqx.schema
@@ -1702,6 +1702,11 @@ end}.
 {datatype, {enum, [true, false]}}
 ]}.
+{mapping, "listener.ssl.$name.crl_cache_urls", "emqx.listeners", [
+ {default, ""},
+ {datatype, string}
+]}.
+
 {mapping, "listener.ssl.$name.crl_cache_http_timeout", "emqx.listeners", [
 {default, "15s"},
 {datatype, {duration, ms}}
@@ -1712,16 +1717,6 @@ end}.
 {datatype, {duration, ms}}
 ]}.
-{mapping, "crl_cache.urls", "emqx.crl_cache_urls", [
- {default, ""},
- {datatype, string}
-]}.
-
-{translation, "emqx.crl_cache_urls", fun(Conf) ->
- Val = cuttlefish:conf_get("crl_cache.urls", Conf),
- string:tokens(Val, ", ")
-end}.
-
 %%--------------------------------------------------------------------
 %% MQTT/WebSocket Listeners
@@ -2364,7 +2359,16 @@ end}.
 {hibernate_after, cuttlefish:conf_get(Prefix ++ ".hibernate_after", Conf, undefined)}
 ])
 end,
-
+ CRLOpts =
+ fun(Prefix) ->
+ CRLURLs = case cuttlefish:conf_get(Prefix ++ ".crl_cache_urls", Conf, undefined) of
+ undefined -> undefined;
+ URLs -> string:tokens(URLs, ", ")
+ end,
+ Filter([ {crl_cache_enabled, cuttlefish:conf_get(Prefix ++ ".enable_crl_cache", Conf, false)}
+ , {crl_cache_urls, CRLURLs}
+ ])
+ end,
 Listen_fix = fun({Ip, Port}) -> case inet:parse_address(Ip) of {ok, R} -> {R, Port}; _ -> {Ip, Port}
@@ -2400,6 +2404,7 @@ end}.
 , opts => [ {deflate_options, DeflateOpts(Prefix)}
 , {tcp_options, TcpOpts(Prefix)}
 , {ssl_options, SslOpts(Prefix)}
+ , {crl_options, CRLOpts(Prefix)}
 | LisOpts(Prefix)
 ]
 }
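Review bot: In the third hunk the `CRLOpts` fun hands every token of `string:tokens(URLs, ", ")` on unchecked, so a `listener.ssl.$name.crl_cache_urls` entry without a scheme or host passes schema validation and only fails later inside the CRL fetcher, after the listener is already accepting connections. This mapping is the configuration trust boundary, so reject malformed entries at load time: after tokenizing, check that `uri_string:parse(U)` returns a map carrying both `scheme` and `host` for each `U`, and call `cuttlefish:invalid/1` with the offending value otherwise. The second hunk also drops the global `crl_cache.urls` mapping and its translation with no deprecation mapping, so an existing emqx.conf that still sets it will no longer feed any URLs (whether cuttlefish rejects or silently ignores the unknown key I can't tell from here); that is a breaking change the commit message should state. `Filter` and the listener block that calls `CRLOpts(Prefix)` in the fourth hunk are defined outside these hunks, so I am assuming `Filter` removes the `undefined` value for `crl_cache_urls`.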
diff --git a/src/emqx_crl_cache.erl b/src/emqx_crl_cache.erl
index 49bdec126..d4e35ede4 100644
--- a/src/emqx_crl_cache.erl
+++ b/src/emqx_crl_cache.erl
@@ -54,7 +54,8 @@
 %%--------------------------------------------------------------------
 start_link() ->
- URLs = emqx:get_env(crl_cache_urls, []),
+ Listeners = emqx:get_env(listeners, []),
+ URLs = collect_urls(Listeners),
 RefreshIntervalMS0 = emqx:get_env(crl_cache_refresh_interval, timer:minutes(15)), MinimumRefreshInverval = timer:minutes(1),
@@ -177,3 +178,11 @@ ensure_timer(URL, State = #state{refresh_timers = RefreshTimers0}, Timeout) ->
 Timeout,
 {refresh, URL})},
 State#state{refresh_timers = RefreshTimers}.
+
+collect_urls(Listeners) ->
+ lists:usort([URL
+ || #{proto := ssl, opts := Opts} <- Listeners,
+ {crl_options, CRLOpts} <- Opts,
+ proplists:get_bool(crl_cache_enabled, CRLOpts),
+ {crl_cache_urls, URLs} <- CRLOpts,
+ URL <- URLs]).
diff --git a/test/emqx_crl_cache_SUITE.erl b/test/emqx_crl_cache_SUITE.erl
index 9fb9a03ea..685e76684 100644
--- a/test/emqx_crl_cache_SUITE.erl
+++ b/test/emqx_crl_cache_SUITE.erl
@@ -79,13 +79,21 @@ end_per_testcase(TestCase, Config)
 ServerPid = ?config(http_server, Config),
 emqx_crl_cache_http_server:stop(ServerPid),
 emqx_ct_helpers:stop_apps([]),
- application:set_env(emqx, crl_cache_urls, []),
+ emqx_ct_helpers:change_emqx_opts(
+ ssl_twoway, [ {crl_options, [ {crl_cache_enabled, false}
+ , {crl_cache_urls, []}
+ ]}
+ ]),
 application:stop(cowboy),
 clear_crl_cache(),
 ok;
 end_per_testcase(t_not_cached_and_unreachable, _Config) ->
 emqx_ct_helpers:stop_apps([]),
- application:set_env(emqx, crl_cache_urls, []),
+ emqx_ct_helpers:change_emqx_opts(
+ ssl_twoway, [ {crl_options, [ {crl_cache_enabled, false}
+ , {crl_cache_urls, []}
+ ]}
+ ]),
 clear_crl_cache(),
 ok;
 end_per_testcase(_TestCase, _Config) ->
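Review bot: `collect_urls/1` in the second hunk of emqx_crl_cache.erl has no `-spec` and no comment saying that it only considers listeners whose `proto` is `ssl` and whose `crl_cache_enabled` flag is set, which is exactly the property that decides whether a listener's CRLs are ever refreshed; a `wss` listener carrying `crl_options` would be silently skipped (whether the schema attaches `crl_options` to such listeners is not visible here). Add `-spec collect_urls([map()]) -> [string()].` above it and a line such as `%% Deduplicated CRL URLs of every SSL listener with crl_cache_enabled set; other listeners are ignored.` The `URL <- URLs` generator also assumes `crl_cache_urls` is always a list when the key is present; if the schema can leave it `undefined`, the comprehension raises `bad_generator` inside `start_link/0`, so either confirm the schema filters that value out or add `is_list(URLs)` as a filter after `{crl_cache_urls, URLs} <- CRLOpts`. `start_link/0` in the first hunk continues past the hunk's last line.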
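Review bot: The five-line `emqx_ct_helpers:change_emqx_opts(ssl_twoway, [{crl_options, …}])` reset in the test-suite hunk is now pasted verbatim into two `end_per_testcase` clauses, and a future clause that forgets it would leave `crl_cache_enabled` true for the test cases that follow, since this is listener state rather than the app-env entry the removed `application:set_env` line cleared (presumably `stop_apps` does not reset it either). Extract it into a helper, `reset_crl_options() -> emqx_ct_helpers:change_emqx_opts(ssl_twoway, [{crl_options, [{crl_cache_enabled, false}, {crl_cache_urls, []}]}]).`, and call it from both clauses. The catch-all `end_per_testcase(_TestCase, _Config)` clause continues outside the hunk.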
@@ -177,16 +185,19 @@ setup_crl_options(Config, #{is_cached := IsCached}) ->
 end,
 Handler = fun(emqx) ->
- application:set_env(emqx, crl_cache_urls, URLs),
 emqx_ct_helpers:change_emqx_opts(
- ssl_twoway, [{ssl_options, [ {certfile, Certfile}
- , {keyfile, Keyfile}
- , {verify, verify_peer}
- %% {crl_check, true} does not work; probably bug in OTP
- , {crl_check, peer}
- , {crl_cache,
- {ssl_crl_cache, {internal, [{http, timer:seconds(15)}]}}}
- ]}]),
+ ssl_twoway, [ {ssl_options, [ {certfile, Certfile}
+ , {keyfile, Keyfile}
+ , {verify, verify_peer}
+ %% {crl_check, true} does not work; probably bug in OTP
+ , {crl_check, peer}
+ , {crl_cache,
+ {ssl_crl_cache, {internal, [{http, timer:seconds(15)}]}}}
+ ]}
+ , {crl_options, [ {crl_cache_enabled, true}
+ , {crl_cache_urls, URLs}
+ ]}
+ ]),
 %% emqx_ct_helpers:change_emqx_opts has cacertfile hardcoded....
 ok = force_cacertfile(Cacertfile),
 ok;
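Review bot: The comment `%% {crl_check, true} does not work; probably bug in OTP` carried into the new `ssl_options` block does not say what the fallback gives up: per the OTP `ssl` documentation, `{crl_check, peer}` checks revocation of the peer certificate only, while `true` checks every certificate in the chain, so the test exercises a weaker revocation setting than a production listener would want. State that explicitly so the weakening is not copied into real listener configuration by example, e.g. `%% crl_check=peer checks only the leaf certificate; 'true' (whole chain) fails here, see <TODO: OTP issue ref>`. `setup_crl_options/2` begins before this hunk, and any further clauses of the `Handler` fun are outside it.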