From 41afcde964bb4263d708cc64866f67284a5fe838 Mon Sep 17 00:00:00 2001 From: zhanghongtong Date: Mon, 28 Dec 2020 10:55:39 +0800 Subject: [PATCH] chore(ssl conf): update the ssl configuration format for mongo, pgsql, and redis plug-ins --- .ci/compatibility_tests/.env | 5 +++++ .github/workflows/run_cts_tests.yaml | 21 ++++++++++++------- .github/workflows/run_test_cases.yaml | 16 +++++++------- apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf | 10 ++++----- .../priv/emqx_auth_mongo.schema | 12 +++++------ apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf | 10 ++++----- .../priv/emqx_auth_pgsql.schema | 12 +++++------ apps/emqx_auth_redis/etc/emqx_auth_redis.conf | 6 +++--- .../priv/emqx_auth_redis.schema | 12 +++++------ 9 files changed, 58 insertions(+), 46 deletions(-) create mode 100644 .ci/compatibility_tests/.env diff --git a/.ci/compatibility_tests/.env b/.ci/compatibility_tests/.env new file mode 100644 index 000000000..2ac286e98 --- /dev/null +++ b/.ci/compatibility_tests/.env @@ -0,0 +1,5 @@ +MYSQL_TAG=5.7 +REDIS_TAG=6 +MONGO_TAG=4.1 +PGSQL_TAG=11 +LDAP_TAG=2.4.50 diff --git a/.github/workflows/run_cts_tests.yaml b/.github/workflows/run_cts_tests.yaml index 3119be765..60a841525 100644 --- a/.github/workflows/run_cts_tests.yaml +++ b/.github/workflows/run_cts_tests.yaml @@ -2,6 +2,8 @@ name: Compatibility Test Suite on: push: + tags: + - v* release: types: - published 
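Review bot: With only `tags: - v*` under `push:` in run_cts_tests.yaml, this workflow no longer runs on branch pushes. The TLS compatibility jobs that this same commit edits for the renamed `auth.*.ssl.*` keys are therefore first exercised when a release tag is pushed. If the aim is to save CI time, consider also adding a `workflow_dispatch:` trigger, or a `pull_request:` trigger filtered with `paths:` on the auth plug-in directories, so key renames are checked before tagging. The `on:` block beyond `release:` is outside the hunk, so another trigger may already exist.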
@@ -77,10 +79,15 @@ jobs: if: matrix.connect_type == 'tls' run: | docker-compose -f .ci/compatibility_tests/docker-compose-mongo-tls.yaml up -d - echo 'auth.mongo.ssl = true' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf - echo 'auth.mongo.ssl_opts.cacertfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf - echo 'auth.mongo.ssl_opts.certfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf - echo 'auth.mongo.ssl_opts.keyfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + echo 'auth.mongo.ssl = on' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + echo 'auth.mongo.ssl.cacertfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + echo 'auth.mongo.ssl.certfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + echo 'auth.mongo.ssl.keyfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + + # echo 'auth.mongo.ssl = true' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + # echo 'auth.mongo.ssl_opts.cacertfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + # echo 'auth.mongo.ssl_opts.certfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + # echo 'auth.mongo.ssl_opts.keyfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf - name: setup env: MONGO_TAG: ${{ matrix.mongo_tag }} 
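Review bot: The four commented-out `# echo ...` lines added at the end of this `run: |` block repeat the pre-change settings (`auth.mongo.ssl = true`, `auth.mongo.ssl_opts.*`), which the emqx_auth_mongo.schema in this commit no longer maps. Git history already records them, so I would delete them rather than carry dead configuration in the TLS setup step. If they are kept on purpose, a one-line comment such as `# old key format, not accepted by the schema after this change` would stop someone from re-enabling them.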
@@ -247,9 +254,9 @@ jobs: docker-compose -f .ci/compatibility_tests/docker-compose-redis-${{ matrix.node_type }}-tls.yaml up -d echo '\n' >> apps/emqx_auth_mongo/etc/emqx_auth_redis.conf echo 'auth.redis.ssl = on' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf - echo 'auth.redis.cafile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/ca.crt' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf - echo 'auth.redis.certfile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.crt' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf - echo 'auth.redis.keyfile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.key' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf + echo 'auth.redis.ssl.cafile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/ca.crt' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf + echo 'auth.redis.ssl.certfile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.crt' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf + echo 'auth.redis.ssl.keyfile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.key' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf - name: setup env: REDIS_TAG: ${{ matrix.redis_tag }} diff --git a/.github/workflows/run_test_cases.yaml b/.github/workflows/run_test_cases.yaml index c1c119d26..eb15302be 100644 --- a/.github/workflows/run_test_cases.yaml +++ b/.github/workflows/run_test_cases.yaml @@ -20,7 +20,7 @@ jobs: matrix: mysql_tag: [5.7] redis_tag: [6] - mongo_tag: [3, 4] + mongo_tag: [4] pgsql_tag: [13] ldap_tag: [2.4.50] 
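Review bot: In the Redis TLS step of run_cts_tests.yaml (hunk `@@ -247,9 +254,9 @@`), the unchanged line just above the renamed keys appends its separator to `apps/emqx_auth_mongo/etc/emqx_auth_redis.conf`. That looks like a typo for `apps/emqx_auth_redis/etc/emqx_auth_redis.conf`. As written, the separator never reaches the file the following `echo` lines append to; if that file lacks a trailing newline, `auth.redis.ssl = on` would be glued onto the last line (a comment in the sample conf) and the test would run without TLS enabled. Since the block is being edited anyway, point it at the redis path, e.g. `echo >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf`; a bare `echo` also avoids bash writing a literal `\n`.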
@@ -49,15 +49,15 @@ jobs: sed -i "/auth.redis.server/c auth.redis.server = redis_server:6379" apps/emqx_auth_redis/etc/emqx_auth_redis.conf echo 'auth.redis.ssl = on' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf - echo 'auth.redis.cafile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/ca.crt' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf - echo 'auth.redis.certfile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.crt' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf - echo 'auth.redis.keyfile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.key' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf + echo 'auth.redis.ssl.cafile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/ca.crt' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf + echo 'auth.redis.ssl.certfile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.crt' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf + echo 'auth.redis.ssl.keyfile = /emqx/apps/emqx_auth_redis/test/emqx_auth_redis_SUITE_data/certs/redis.key' >> apps/emqx_auth_redis/etc/emqx_auth_redis.conf sed -i "/auth.mongo.server/c auth.mongo.server = mongo_server:27017" apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf - echo 'auth.mongo.ssl = true' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf - echo 'auth.mongo.ssl_opts.cacertfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf - echo 'auth.mongo.ssl_opts.certfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf - echo 'auth.mongo.ssl_opts.keyfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + echo 'auth.mongo.ssl = on' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + echo 'auth.mongo.ssl.cacertfile = 
/emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/ca.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + echo 'auth.mongo.ssl.certfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-cert.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf + echo 'auth.mongo.ssl.keyfile = /emqx/apps/emqx_auth_mongo/test/emqx_auth_mongo_SUITE_data/client-key.pem' >> apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf sed -i "/auth.pgsql.server/c auth.pgsql.server = pgsql_server:5432" apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf sed -i "/auth.ldap.servers/c auth.ldap.servers = ldap_server" apps/emqx_auth_ldap/etc/emqx_auth_ldap.conf diff --git a/apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf b/apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf index cf1614efa..d2645c4e1 100644 --- a/apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf +++ b/apps/emqx_auth_mongo/etc/emqx_auth_mongo.conf @@ -52,23 +52,23 @@ auth.mongo.database = mqtt ## Whether to enable SSL connection. ## -## Value: true | false -## auth.mongo.ssl = false +## Value: on | off +## auth.mongo.ssl = off ## SSL keyfile. ## ## Value: File -## auth.mongo.ssl_opts.keyfile = +## auth.mongo.ssl.keyfile = ## SSL certfile. ## ## Value: File -## auth.mongo.ssl_opts.certfile = +## auth.mongo.ssl.certfile = ## SSL cacertfile. ## ## Value: File -## auth.mongo.ssl_opts.cacertfile = +## auth.mongo.ssl.cacertfile = ## MongoDB write mode. ## diff --git a/apps/emqx_auth_mongo/priv/emqx_auth_mongo.schema b/apps/emqx_auth_mongo/priv/emqx_auth_mongo.schema index 9b331e6c4..ebc5480ae 100644 --- a/apps/emqx_auth_mongo/priv/emqx_auth_mongo.schema +++ b/apps/emqx_auth_mongo/priv/emqx_auth_mongo.schema 
@@ -42,19 +42,19 @@ ]}. {mapping, "auth.mongo.ssl", "emqx_auth_mongo.server", [ - {default, false}, - {datatype, {enum, [true, false]}} + {default, off}, + {datatype, flag} ]}. -{mapping, "auth.mongo.ssl_opts.keyfile", "emqx_auth_mongo.server", [ +{mapping, "auth.mongo.ssl.keyfile", "emqx_auth_mongo.server", [ {datatype, string} ]}. -{mapping, "auth.mongo.ssl_opts.certfile", "emqx_auth_mongo.server", [ +{mapping, "auth.mongo.ssl.certfile", "emqx_auth_mongo.server", [ {datatype, string} ]}. -{mapping, "auth.mongo.ssl_opts.cacertfile", "emqx_auth_mongo.server", [ +{mapping, "auth.mongo.ssl.cacertfile", "emqx_auth_mongo.server", [ {datatype, string} ]}. @@ -107,7 +107,7 @@ {certfile, cuttlefish:conf_get(Prefix ++ ".certfile", Conf, undefined)}, {cacertfile, cuttlefish:conf_get(Prefix ++ ".cacertfile", Conf, undefined)}]) end, - [{ssl, true}, {ssl_opts, SslOpts("auth.mongo.ssl_opts")}]; + [{ssl, true}, {ssl_opts, SslOpts("auth.mongo.ssl")}]; false -> [] end, diff --git a/apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf b/apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf index 3e79d96d8..c3c6e2800 100644 --- a/apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf +++ b/apps/emqx_auth_pgsql/etc/emqx_auth_pgsql.conf @@ -36,23 +36,23 @@ auth.pgsql.encoding = utf8 ## Whether to enable SSL connection. ## -## Value: true | false -auth.pgsql.ssl = false +## Value: on | off +auth.pgsql.ssl = off ## SSL keyfile. ## ## Value: File -## auth.pgsql.ssl_opts.keyfile = +## auth.pgsql.ssl.keyfile = ## SSL certfile. ## ## Value: File -## auth.pgsql.ssl_opts.certfile = +## auth.pgsql.ssl.certfile = ## SSL cacertfile. ## ## Value: File -## auth.pgsql.ssl_opts.cacertfile = +## auth.pgsql.ssl.cacertfile = ## Authentication query. ## diff --git a/apps/emqx_auth_pgsql/priv/emqx_auth_pgsql.schema b/apps/emqx_auth_pgsql/priv/emqx_auth_pgsql.schema index 4a475ee0e..078158c0a 100644 --- a/apps/emqx_auth_pgsql/priv/emqx_auth_pgsql.schema +++ b/apps/emqx_auth_pgsql/priv/emqx_auth_pgsql.schema 
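Review bot: The renamed mappings in emqx_auth_mongo.schema (hunk `@@ -42,19 +42,19 @@`) drop `auth.mongo.ssl_opts.*` and the `true | false` values without an alias or translation for the old spelling. A deployed emqx_auth_mongo.conf written for the previous release will therefore need manual edits. Cuttlefish presumably rejects the stale keys at startup rather than ignoring them, which is the safe outcome, but this is worth confirming with a test so an upgrade can never silently fall back to a non-TLS connection. Please add an upgrade note listing the old and new key names; the pgsql and redis schema hunks in this patch make the same kind of rename.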
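Review bot: In hunk `@@ -107,7 +107,7 @@`, `SslOpts("auth.mongo.ssl")` appears, from its visible tail, to build the option list from `keyfile`, `certfile` and `cacertfile` only, with no `verify` or `server_name_indication` entry (the fun starts above the hunk, so confirm there). On the Erlang/OTP releases current at the time of this commit the ssl client defaults to `verify_none`, so setting `auth.mongo.ssl.cacertfile` loads the CA but does not make the client reject an untrusted or mismatched server certificate. While the key layout is changing, consider adding a mapping such as `auth.mongo.ssl.verify` (proposed name) that puts `{verify, verify_peer}` into `ssl_opts`, and state the default in emqx_auth_mongo.conf. The same applies to `SslOpts("auth.pgsql.ssl")` in the pgsql schema hunk `@@ -85,7 +85,7 @@` and to the `ssl_options` list in the redis schema translation.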
@@ -31,19 +31,19 @@ ]}. {mapping, "auth.pgsql.ssl", "emqx_auth_pgsql.server", [ - {default, false}, - {datatype, {enum, [true, false]}} + {default, off}, + {datatype, flag} ]}. -{mapping, "auth.pgsql.ssl_opts.keyfile", "emqx_auth_pgsql.server", [ +{mapping, "auth.pgsql.ssl.keyfile", "emqx_auth_pgsql.server", [ {datatype, string} ]}. -{mapping, "auth.pgsql.ssl_opts.certfile", "emqx_auth_pgsql.server", [ +{mapping, "auth.pgsql.ssl.certfile", "emqx_auth_pgsql.server", [ {datatype, string} ]}. -{mapping, "auth.pgsql.ssl_opts.cacertfile", "emqx_auth_pgsql.server", [ +{mapping, "auth.pgsql.ssl.cacertfile", "emqx_auth_pgsql.server", [ {datatype, string} ]}. @@ -85,7 +85,7 @@ {database, DB}, {encoding, Encoding}, {ssl, Ssl}, - {ssl_opts, SslOpts("auth.pgsql.ssl_opts")}] + {ssl_opts, SslOpts("auth.pgsql.ssl")}] end}. {mapping, "auth.pgsql.auth_query", "emqx_auth_pgsql.auth_query", [ diff --git a/apps/emqx_auth_redis/etc/emqx_auth_redis.conf b/apps/emqx_auth_redis/etc/emqx_auth_redis.conf index f61399242..644b90e4e 100644 --- a/apps/emqx_auth_redis/etc/emqx_auth_redis.conf +++ b/apps/emqx_auth_redis/etc/emqx_auth_redis.conf @@ -103,15 +103,15 @@ auth.redis.acl_cmd = HGETALL mqtt_acl:%u ## CA certificate. ## ## Value: File -#auth.redis.cafile = path/to/your/cafile +#auth.redis.ssl.cafile = path/to/your/cafile ## Client ssl certificate. ## ## Value: File -#auth.redis.certfile = path/to/your/certfile +#auth.redis.ssl.certfile = path/to/your/certfile ## Client ssl keyfile. ## ## Value: File -#auth.redis.keyfile = path/to/your/keyfile +#auth.redis.ssl.keyfile = path/to/your/keyfile diff --git a/apps/emqx_auth_redis/priv/emqx_auth_redis.schema b/apps/emqx_auth_redis/priv/emqx_auth_redis.schema index d51b9c1b2..a70be6a8d 100644 --- a/apps/emqx_auth_redis/priv/emqx_auth_redis.schema +++ b/apps/emqx_auth_redis/priv/emqx_auth_redis.schema 
@@ -38,17 +38,17 @@ {datatype, flag} ]}. -{mapping, "auth.redis.cafile", "emqx_auth_redis.options", [ +{mapping, "auth.redis.ssl.cafile", "emqx_auth_redis.options", [ {default, ""}, {datatype, string} ]}. -{mapping, "auth.redis.certfile", "emqx_auth_redis.options", [ +{mapping, "auth.redis.ssl.certfile", "emqx_auth_redis.options", [ {default, ""}, {datatype, string} ]}. -{mapping, "auth.redis.keyfile", "emqx_auth_redis.options", [ +{mapping, "auth.redis.ssl.keyfile", "emqx_auth_redis.options", [ {default, ""}, {datatype, string} ]}. @@ -57,9 +57,9 @@ Ssl = cuttlefish:conf_get("auth.redis.ssl", Conf, false), case Ssl of true -> - CA = cuttlefish:conf_get("auth.redis.cafile", Conf), - Cert = cuttlefish:conf_get("auth.redis.certfile", Conf), - Key = cuttlefish:conf_get("auth.redis.keyfile", Conf), + CA = cuttlefish:conf_get("auth.redis.ssl.cafile", Conf), + Cert = cuttlefish:conf_get("auth.redis.ssl.certfile", Conf), + Key = cuttlefish:conf_get("auth.redis.ssl.keyfile", Conf), [{options, [{ssl_options, [{cacertfile, CA}, {certfile, Cert}, {keyfile, Key}]}]}];
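Review bot: In hunk `@@ -38,17 +38,17 @@` the CA key is still spelled `auth.redis.ssl.cafile`, while the mongo and pgsql schemas in this same patch use `...ssl.cacertfile`, and the redis translation below maps it to the `cacertfile` ssl option anyway. Since the commit's purpose is a uniform SSL key format, I would rename it to `auth.redis.ssl.cacertfile` now rather than in a second breaking change. Also note the `{default, ""}` on all three mappings, which the mongo and pgsql mappings do not have. With `auth.redis.ssl = on` and no files configured, the translation appears to pass empty paths into `ssl_options`; its end is outside the visible hunk, so confirm how empty values are handled.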