fix(crl): allow specifying CRL URLs per listener

Thales Macedo Garitezi 2022-11-07 16:42:51 -03:00
parent 86278c99a6
commit 26d2ed3d31
3 changed files with 48 additions and 23 deletions


@ -1702,6 +1702,11 @@ end}.
{datatype, {enum, [true, false]}} {datatype, {enum, [true, false]}}
]}. ]}.
{mapping, "listener.ssl.$name.crl_cache_urls", "emqx.listeners", [
{default, ""},
{datatype, string}
]}.
{mapping, "listener.ssl.$name.crl_cache_http_timeout", "emqx.listeners", [ {mapping, "listener.ssl.$name.crl_cache_http_timeout", "emqx.listeners", [
{default, "15s"}, {default, "15s"},
{datatype, {duration, ms}} {datatype, {duration, ms}}
@ -1712,16 +1717,6 @@ end}.
{datatype, {duration, ms}} {datatype, {duration, ms}}
]}. ]}.
{mapping, "crl_cache.urls", "emqx.crl_cache_urls", [
{default, ""},
{datatype, string}
]}.
{translation, "emqx.crl_cache_urls", fun(Conf) ->
Val = cuttlefish:conf_get("crl_cache.urls", Conf),
string:tokens(Val, ", ")
end}.
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% MQTT/WebSocket Listeners %% MQTT/WebSocket Listeners
@ -2364,7 +2359,16 @@ end}.
{hibernate_after, cuttlefish:conf_get(Prefix ++ ".hibernate_after", Conf, undefined)} {hibernate_after, cuttlefish:conf_get(Prefix ++ ".hibernate_after", Conf, undefined)}
]) ])
end, end,
CRLOpts =
fun(Prefix) ->
CRLURLs = case cuttlefish:conf_get(Prefix ++ ".crl_cache_urls", Conf, undefined) of
undefined -> undefined;
URLs -> string:tokens(URLs, ", ")
end,
Filter([ {crl_cache_enabled, cuttlefish:conf_get(Prefix ++ ".enable_crl_cache", Conf, false)}
, {crl_cache_urls, CRLURLs}
])
end,
Listen_fix = fun({Ip, Port}) -> case inet:parse_address(Ip) of Listen_fix = fun({Ip, Port}) -> case inet:parse_address(Ip) of
{ok, R} -> {R, Port}; {ok, R} -> {R, Port};
_ -> {Ip, Port} _ -> {Ip, Port}
@ -2400,6 +2404,7 @@ end}.
, opts => [ {deflate_options, DeflateOpts(Prefix)} , opts => [ {deflate_options, DeflateOpts(Prefix)}
, {tcp_options, TcpOpts(Prefix)} , {tcp_options, TcpOpts(Prefix)}
, {ssl_options, SslOpts(Prefix)} , {ssl_options, SslOpts(Prefix)}
, {crl_options, CRLOpts(Prefix)}
| LisOpts(Prefix) | LisOpts(Prefix)
] ]
} }
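Review bot: The translation for the new `crl_cache_urls` key (the `CRLOpts` fun in the third hunk) accepts any string and splits it with `string:tokens(URLs, ", ")`, so every comma- or space-separated token is later handed to the CRL cache as a URL with no syntactic check at schema level, and a URL containing a comma cannot be expressed; the mapping at the top of the file carries no comment describing this format. Suggest documenting it above the mapping: `%% Space- and/or comma-separated list of CRL distribution point URLs; only used when enable_crl_cache is true` — and, if malformed entries should be rejected, doing so in the translation rather than relying on the cache's fetch failing at runtime. The `undefined` branch in `CRLOpts` looks unreachable for listener instances that receive the mapping default `""` (since `string:tokens("", ", ")` is `[]`); if it is kept for `$name` instances that get no default, a one-line comment saying so would help, and presumably `Filter` drops the resulting `undefined` entry — confirm. The enclosing translation fun starts and ends outside these hunks.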


@ -54,7 +54,8 @@
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
start_link() -> start_link() ->
URLs = emqx:get_env(crl_cache_urls, []), Listeners = emqx:get_env(listeners, []),
URLs = collect_urls(Listeners),
RefreshIntervalMS0 = emqx:get_env(crl_cache_refresh_interval, RefreshIntervalMS0 = emqx:get_env(crl_cache_refresh_interval,
timer:minutes(15)), timer:minutes(15)),
MinimumRefreshInverval = timer:minutes(1), MinimumRefreshInverval = timer:minutes(1),
@ -177,3 +178,11 @@ ensure_timer(URL, State = #state{refresh_timers = RefreshTimers0}, Timeout) ->
Timeout, Timeout,
{refresh, URL})}, {refresh, URL})},
State#state{refresh_timers = RefreshTimers}. State#state{refresh_timers = RefreshTimers}.
collect_urls(Listeners) ->
lists:usort([URL
|| #{proto := ssl, opts := Opts} <- Listeners,
{crl_options, CRLOpts} <- Opts,
proplists:get_bool(crl_cache_enabled, CRLOpts),
{crl_cache_urls, URLs} <- CRLOpts,
URL <- URLs]).
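Review bot: `collect_urls/1` only inspects listeners with `proto := ssl`, while the schema change in this commit attaches `{crl_options, ...}` to a listener entry built next to `deflate_options` (which reads like a WebSocket listener), so CRL URLs configured there would be silently ignored; confirm whether TLS WebSocket listeners are meant to participate and, if so, widen the match (e.g. `#{proto := Proto, opts := Opts} <- Listeners, Proto =:= ssl orelse Proto =:= wss`, if `wss` is the proto atom used for them). The helper is also undocumented: add `-spec collect_urls([map()]) -> [string()].` (the URLs are produced by `string:tokens/2` in the schema, so strings) and a short comment such as `%% CRL URLs of every SSL listener with crl_cache_enabled set, deduplicated`. A listener whose `crl_options` carry `{crl_cache_urls, undefined}` would crash the comprehension with a bad generator; this is presumably prevented by the schema filtering out `undefined` values — verify. `start_link/0` continues outside the first hunk.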


@ -79,13 +79,21 @@ end_per_testcase(TestCase, Config)
ServerPid = ?config(http_server, Config), ServerPid = ?config(http_server, Config),
emqx_crl_cache_http_server:stop(ServerPid), emqx_crl_cache_http_server:stop(ServerPid),
emqx_ct_helpers:stop_apps([]), emqx_ct_helpers:stop_apps([]),
application:set_env(emqx, crl_cache_urls, []), emqx_ct_helpers:change_emqx_opts(
ssl_twoway, [ {crl_options, [ {crl_cache_enabled, false}
, {crl_cache_urls, []}
]}
]),
application:stop(cowboy), application:stop(cowboy),
clear_crl_cache(), clear_crl_cache(),
ok; ok;
end_per_testcase(t_not_cached_and_unreachable, _Config) -> end_per_testcase(t_not_cached_and_unreachable, _Config) ->
emqx_ct_helpers:stop_apps([]), emqx_ct_helpers:stop_apps([]),
application:set_env(emqx, crl_cache_urls, []), emqx_ct_helpers:change_emqx_opts(
ssl_twoway, [ {crl_options, [ {crl_cache_enabled, false}
, {crl_cache_urls, []}
]}
]),
clear_crl_cache(), clear_crl_cache(),
ok; ok;
end_per_testcase(_TestCase, _Config) -> end_per_testcase(_TestCase, _Config) ->
@ -177,16 +185,19 @@ setup_crl_options(Config, #{is_cached := IsCached}) ->
end, end,
Handler = Handler =
fun(emqx) -> fun(emqx) ->
application:set_env(emqx, crl_cache_urls, URLs),
emqx_ct_helpers:change_emqx_opts( emqx_ct_helpers:change_emqx_opts(
ssl_twoway, [{ssl_options, [ {certfile, Certfile} ssl_twoway, [ {ssl_options, [ {certfile, Certfile}
, {keyfile, Keyfile} , {keyfile, Keyfile}
, {verify, verify_peer} , {verify, verify_peer}
%% {crl_check, true} does not work; probably bug in OTP %% {crl_check, true} does not work; probably bug in OTP
, {crl_check, peer} , {crl_check, peer}
, {crl_cache, , {crl_cache,
{ssl_crl_cache, {internal, [{http, timer:seconds(15)}]}}} {ssl_crl_cache, {internal, [{http, timer:seconds(15)}]}}}
]}]), ]}
, {crl_options, [ {crl_cache_enabled, true}
, {crl_cache_urls, URLs}
]}
]),
%% emqx_ct_helpers:change_emqx_opts has cacertfile hardcoded.... %% emqx_ct_helpers:change_emqx_opts has cacertfile hardcoded....
ok = force_cacertfile(Cacertfile), ok = force_cacertfile(Cacertfile),
ok; ok;
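Review bot: The two `end_per_testcase` clauses in the first hunk now repeat the same `change_emqx_opts(ssl_twoway, [{crl_options, [{crl_cache_enabled, false}, {crl_cache_urls, []}]}])` reset verbatim; pulling it into a helper such as `disable_crl_cache_opts()` and calling it from both clauses keeps the teardown in one place, which matters here because a listener left enabled would make the cache keep refreshing from a server the test has already stopped. The reset also only covers the `ssl_twoway` listener, while `emqx_crl_cache` now collects URLs from every SSL listener, so a test that enables CRL options on another listener would leak into later cases — a one-line comment stating that only `ssl_twoway` is ever configured would make that assumption explicit. The first `end_per_testcase` clause and `setup_crl_options/2` both start before their hunks.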