From 68844cefd9a119420a0dc5f73fc8d76109ebc082 Mon Sep 17 00:00:00 2001 From: William Yang Date: Fri, 11 Jun 2021 11:12:07 +0200 Subject: [PATCH] feat(quic): update emqx_schema for quic --- apps/emqx/etc/emqx.conf | 220 +++++++++++++++++----------------- apps/emqx/src/emqx_schema.erl | 34 +++++- 2 files changed, 143 insertions(+), 111 deletions(-) diff --git a/apps/emqx/etc/emqx.conf b/apps/emqx/etc/emqx.conf index fd6de554e..b115964cf 100644 --- a/apps/emqx/etc/emqx.conf +++ b/apps/emqx/etc/emqx.conf 
@@ -2184,43 +2184,43 @@ listener.quic.external.max_connections = 16 ## Value: Number listener.quic.external.max_conn_rate = 1000 -## Simulate the {active, N} option for the MQTT/QUIC connections. -## -## Value: Number -listener.quic.external.active_n = 100 +# ## Simulate the {active, N} option for the MQTT/QUIC connections. +# ## +# ## Value: Number +# listener.quic.external.active_n = 100 ## Zone of the external MQTT/QUIC listener belonged to. ## ## Value: String listener.quic.external.zone = external -## The access control rules for the MQTT/QUIC listener. -## -## See: listener.tcp.$name.access. -## -## Value: ACL Rule -listener.quic.external.access.1 = "allow all" +# ## The access control rules for the MQTT/QUIC listener. +# ## +# ## See: listener.tcp.$name.access. +# ## +# ## Value: ACL Rule +# listener.quic.external.access.1 = "allow all" -## Sets the timeout for proxy protocol. -## -## See: listener.tcp.$name.proxy_protocol_timeout -## -## Value: Duration -## listener.quic.external.proxy_protocol_timeout = 3s +# ## Sets the timeout for proxy protocol. +# ## +# ## See: listener.tcp.$name.proxy_protocol_timeout +# ## +# ## Value: Duration +# ## listener.quic.external.proxy_protocol_timeout = 3s -## TLS versions only to protect from POODLE attack. -## -## See: listener.ssl.$name.tls_versions -## -## Value: String, seperated by ',' -## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier -## listener.quic.external.tls_versions = tlsv1.3,tlsv1.2,tlsv1.1,tlsv1 +# ## TLS versions only to protect from POODLE attack. +# ## +# ## See: listener.ssl.$name.tls_versions +# ## +# ## Value: String, seperated by ',' +# ## NOTE: Do not use tlsv1.3 if emqx is running on OTP-22 or earlier +# ## listener.quic.external.tls_versions = tlsv1.3,tlsv1.2,tlsv1.1,tlsv1 -## Path to the file containing the user's private PEM-encoded key. -## -## See: listener.ssl.$name.keyfile -## -## Value: File +# ## Path to the file containing the user's private PEM-encoded key. 
+# ## +# ## See: listener.ssl.$name.keyfile +# ## +# ## Value: File listener.quic.external.keyfile = "{{ platform_etc_dir }}/certs/key.pem" ## Path to a file containing the user certificate. 
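Review bot: The description block for `keyfile` is now prefixed `# ##`, which reads as a disabled block, yet the `listener.quic.external.keyfile = "{{ platform_etc_dir }}/certs/key.pem"` line directly under it stays active; the four lines from `# ## Path to the file containing the user's private PEM-encoded key.` to `# ## Value: File` should stay plain `##` so the live setting keeps its documentation. The next hunk has the same problem for `ciphers` (`# ## See: listener.ssl.$name.ciphers` / `# ## Value: Ciphers` sit above an active `listener.quic.external.ciphers =`). Blocks such as `tls_versions` and `proxy_protocol_timeout` were already `## `-commented in the old file and now carry two comment levels; if these keys are unsupported for QUIC rather than merely switched off, deleting them or stating `# Not supported by the QUIC listener` once at the top of the group would be clearer than stacked prefixes.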
@@ -2230,100 +2230,100 @@ listener.quic.external.keyfile = "{{ platform_etc_dir }}/certs/key.pem" ## Value: File listener.quic.external.certfile = "{{ platform_etc_dir }}/certs/cert.pem" -## Path to the file containing PEM-encoded CA certificates. -## -## See: listener.ssl.$name.cacert -## -## Value: File -## listener.quic.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem +# ## Path to the file containing PEM-encoded CA certificates. +# ## +# ## See: listener.ssl.$name.cacert +# ## +# ## Value: File +# ## listener.quic.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem -## Maximum number of non-self-issued intermediate certificates that -## can follow the peer certificate in a valid certification path. -## -## See: listener.ssl.external.depth -## -## Value: Number -## listener.quic.external.depth = 10 +# ## Maximum number of non-self-issued intermediate certificates that +# ## can follow the peer certificate in a valid certification path. +# ## +# ## See: listener.ssl.external.depth +# ## +# ## Value: Number +# ## listener.quic.external.depth = 10 -## String containing the user's password. Only used if the private keyfile -## is password-protected. -## -## See: listener.ssl.$name.key_password -## -## Value: String -## listener.quic.external.key_password = yourpass +# ## String containing the user's password. Only used if the private keyfile +# ## is password-protected. 
+# ## +# ## See: listener.ssl.$name.key_password +# ## +# ## Value: String +# ## listener.quic.external.key_password = yourpass -## See: listener.ssl.$name.dhfile -## -## Value: File -## listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem +# ## See: listener.ssl.$name.dhfile +# ## +# ## Value: File +# ## listener.ssl.external.dhfile = {{ platform_etc_dir }}/certs/dh-params.pem -## See: listener.ssl.$name.verify -## -## Value: verify_peer | verify_none -## listener.quic.external.verify = verify_peer +# ## See: listener.ssl.$name.verify +# ## +# ## Value: verify_peer | verify_none +# ## listener.quic.external.verify = verify_peer -## See: listener.ssl.$name.fail_if_no_peer_cert -## -## Value: false | true -## listener.quic.external.fail_if_no_peer_cert = true +# ## See: listener.ssl.$name.fail_if_no_peer_cert +# ## +# ## Value: false | true +# ## listener.quic.external.fail_if_no_peer_cert = true -## See: listener.ssl.$name.ciphers -## -## Value: Ciphers +# ## See: listener.ssl.$name.ciphers +# ## +# ## Value: Ciphers listener.quic.external.ciphers = 
"TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_CCM_SHA256,TLS_AES_128_CCM_8_SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-DES-CBC3-SHA,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-SHA384,ECDH-RSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-DSS-AES256-SHA256,AES256-GCM-SHA384,AES256-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-SHA256,ECDH-RSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-DSS-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-RSA-AES256-SHA,DHE-DSS-AES256-SHA,ECDH-ECDSA-AES256-SHA,ECDH-RSA-AES256-SHA,AES256-SHA,ECDHE-ECDSA-AES128-SHA,ECDHE-RSA-AES128-SHA,DHE-DSS-AES128-SHA,ECDH-ECDSA-AES128-SHA,ECDH-RSA-AES128-SHA,AES128-SHA" -## Ciphers for TLS PSK. -## Note that 'listener.quic.external.ciphers' and 'listener.quic.external.psk_ciphers' cannot -## be configured at the same time. -## See 'https://tools.ietf.org/html/rfc4279#section-2'. -## listener.quic.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA +# ## Ciphers for TLS PSK. +# ## Note that 'listener.quic.external.ciphers' and 'listener.quic.external.psk_ciphers' cannot +# ## be configured at the same time. +# ## See 'https://tools.ietf.org/html/rfc4279#section-2'. 
+# ## listener.quic.external.psk_ciphers = PSK-AES128-CBC-SHA,PSK-AES256-CBC-SHA,PSK-3DES-EDE-CBC-SHA,PSK-RC4-SHA -## See: listener.ssl.$name.secure_renegotiate -## -## Value: on | off -## listener.quic.external.secure_renegotiate = off +# ## See: listener.ssl.$name.secure_renegotiate +# ## +# ## Value: on | off +# ## listener.quic.external.secure_renegotiate = off -## See: listener.ssl.$name.reuse_sessions -## -## Value: on | off -## listener.quic.external.reuse_sessions = on +# ## See: listener.ssl.$name.reuse_sessions +# ## +# ## Value: on | off +# ## listener.quic.external.reuse_sessions = on -## See: listener.ssl.$name.honor_cipher_order -## -## Value: on | off -## listener.quic.external.honor_cipher_order = on +# ## See: listener.ssl.$name.honor_cipher_order +# ## +# ## Value: on | off +# ## listener.quic.external.honor_cipher_order = on -## See: listener.ssl.$name.peer_cert_as_username -## -## Value: cn | dn | crt | pem | md5 -## listener.quic.external.peer_cert_as_username = cn +# ## See: listener.ssl.$name.peer_cert_as_username +# ## +# ## Value: cn | dn | crt | pem | md5 +# ## listener.quic.external.peer_cert_as_username = cn -## See: listener.ssl.$name.peer_cert_as_clientid -## -## Value: cn | dn | crt | pem | md5 -## listener.quic.external.peer_cert_as_clientid = cn +# ## See: listener.ssl.$name.peer_cert_as_clientid +# ## +# ## Value: cn | dn | crt | pem | md5 +# ## listener.quic.external.peer_cert_as_clientid = cn -## TCP backlog for the QUIC connection. -## -## See: listener.tcp.$name.backlog -## -## Value: Number >= 0 -listener.quic.external.backlog = 1024 +# ## TCP backlog for the QUIC connection. +# ## +# ## See: listener.tcp.$name.backlog +# ## +# ## Value: Number >= 0 +# listener.quic.external.backlog = 1024 -## The TCP send timeout for the QUIC connection. -## -## See: listener.tcp.$name.send_timeout -## -## Value: Duration -listener.quic.external.send_timeout = 15s +# ## The TCP send timeout for the QUIC connection. 
+# ## +# ## See: listener.tcp.$name.send_timeout +# ## +# ## Value: Duration +# listener.quic.external.send_timeout = 15s -## Close the QUIC connection if send timeout. -## -## See: listener.tcp.$name.send_timeout_close -## -## Value: on | off -listener.quic.external.send_timeout_close = on +# ## Close the QUIC connection if send timeout. +# ## +# ## See: listener.tcp.$name.send_timeout_close +# ## +# ## Value: on | off +# listener.quic.external.send_timeout_close = on ## The TCP receive buffer(os kernel) for the QUIC connections. ## @@ -2424,19 +2424,19 @@ listener.quic.external.send_timeout_close = on ## Whether a WebSocket message is allowed to contain multiple MQTT packets ## ## Value: single | multiple -listener.quic.external.mqtt_piggyback = multiple +#listener.quic.external.mqtt_piggyback = multiple ## Enable origin check in header for secure websocket connection ## ## Value: true | false (default false) -listener.quic.external.check_origin_enable = false +#listener.quic.external.check_origin_enable = false ## Allow origin to be absent in header in secure websocket connection when check_origin_enable is true ## ## Value: true | false (default true) -listener.quic.external.allow_origin_absence = true +#listener.quic.external.allow_origin_absence = true ## Comma separated list of allowed origin in header for secure websocket connection ## ## Value: http://url eg. https://localhost:8084, https://127.0.0.1:8084 -listener.quic.external.check_origins = "https://localhost:8084, https://127.0.0.1:8084" +#listener.quic.external.check_origins = "https://localhost:8084, https://127.0.0.1:8084" ## CONFIG_SECTION_END=listeners ================================================ diff --git a/apps/emqx/src/emqx_schema.erl b/apps/emqx/src/emqx_schema.erl index 316f4b77c..d1c163e58 100644 --- a/apps/emqx/src/emqx_schema.erl +++ b/apps/emqx/src/emqx_schema.erl 
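Review bot: The active `listener.quic.external.ciphers` line (context, unchanged by this patch) carries a long TLS 1.2 suite list including `ECDHE-ECDSA-DES-CBC3-SHA` and several CBC/SHA-1 entries, but QUIC negotiates TLS 1.3 only, so at most the leading `TLS_*` names can take effect. Since this hunk is already pruning QUIC-irrelevant options, trimming the value to the `TLS_*` suites, or adding `## Only the TLS 1.3 (TLS_*) suites apply to QUIC` above it, would stop an operator from assuming the legacy suites are negotiable on this listener. Whether the new `quic_listener_settings` schema in the second file even declares a `ciphers` key is not visible in that hunk; if it does not, this line should be commented out like its neighbours.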
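Review bot: The four WebSocket keys disabled here use the `#listener.quic.external.…` form with no space after `#`, while every other line disabled by this patch uses `# listener.quic.external.…` or `# ## …`; picking one prefix keeps the file greppable. The `## Whether a WebSocket message is allowed to contain multiple MQTT packets` and `## Enable origin check in header for secure websocket connection` descriptions are left as live comments inside the QUIC section, so either prefix them the same way or drop the block, since these are copy-pasted ws options rather than QUIC settings.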
@@ -282,6 +282,7 @@ fields("listener") ->
     , {"ssl", ref("ssl_listener")}
     , {"ws", ref("ws_listener")}
     , {"wss", ref("wss_listener")}
+    , {"quic", ref("quic_listener")}
     ];
 
 fields("tcp_listener") ->
@@ -296,6 +297,9 @@ fields("ws_listener") ->
 fields("wss_listener") ->
     [ {"$name", ref("wss_listener_settings")}];
 
+fields("quic_listener") ->
+    [ {"$name", ref("quic_listener_settings")}];
+
 fields("listener_settings") ->
     [ {"endpoint", t(union(ip_port(), integer()))}
     , {"acceptors", t(integer(), undefined, 8)}
@@ -356,6 +360,32 @@ fields("wss_listener_settings") ->
     Settings = lists:ukeymerge(1, Ssl, fields("ws_listener_settings")),
     lists:keydelete("high_watermark", 1, Settings);
 
+fields("quic_listener_settings") ->
+    Unsupported = [ "max_connections"
+                  , "max_conn_rate"
+                  , "active_n"
+                  , "access"
+                  , "proxy_protocol"
+                  , "proxy_protocol_timeout"
+                  , "backlog"
+                  , "send_timeout"
+                  , "send_timeout_close"
+                  , "recvbuf"
+                  , "sndbuf"
+                  , "buffer"
+                  , "high_watermark"
+                  , "tune_buffer"
+                  , "nodelay"
+                  , "reuseaddr"
+                  ],
+    lists:foldl(fun(K, Acc) ->
+                        lists:keydelete(K, 1, Acc)
+                end,
+                [ {"certfile", t(string(), "emqx.certfile", undefined)}
+                , {"keyfile", t(string(), "emqx.keyfile", undefined)}
+                | fields("listener_settings")],
+                Unsupported);
+
 fields("access") ->
     [ {"$id", t(string(), undefined, undefined)}];
 
@@ -772,7 +802,9 @@ tr_listeners(Conf) ->
     lists:flatten([TcpListeners("tcp", Name) || Name <- keys("listener.tcp", Conf)]
                   ++ [TcpListeners("ws", Name) || Name <- keys("listener.ws", Conf)]
                   ++ [SslListeners("ssl", Name) || Name <- keys("listener.ssl", Conf)]
-                  ++ [SslListeners("wss", Name) || Name <- keys("listener.wss", Conf)]).
+                  ++ [SslListeners("wss", Name) || Name <- keys("listener.wss", Conf)]
+                  ++ [SslListeners("quic", Name) || Name <- keys("listener.quic", Conf)]
+                 ).
 
 tr_modules(Conf) ->
     Subscriptions = fun() ->
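Review bot: `"max_connections"` and `"max_conn_rate"` head the `Unsupported` list in the new `fields("quic_listener_settings")` clause, yet the first emqx.conf hunk of this same patch keeps `listener.quic.external.max_connections = 16` and `listener.quic.external.max_conn_rate = 1000` as active lines while commenting out every other key on that list. Whether those two lines are then rejected at load time or silently dropped depends on how unknown keys are handled, which is not visible here; either way the config and schema should agree, and if the QUIC listener really has no connection-count or connection-rate limit, a comment on the clause saying so would help, because an operator will expect those limits on an externally exposed listener. As a point of style, the `lists:foldl`/`lists:keydelete` pass re-scans the field list once per key and can be a single comprehension over the same input: `[F || {K, _} = F <- Fields, not lists:member(K, Unsupported)]`.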
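Review bot: The new `++ [SslListeners("quic", Name) || …]` line reuses the `SslListeners` closure, which is defined above this hunk and not visible here, and which was written for `ssl`/`wss` listeners whose schema includes the SSL settings; `quic_listener_settings` only adds `certfile` and `keyfile` on top of `listener_settings`. If `SslListeners` also reads keys such as `verify`, `cacertfile` or `ciphers` from the `listener.quic.$name` namespace, those values are presumably neither declared nor validated under the new schema, so it is worth confirming what it does with them and adding a one-line comment at the new line stating which keys the QUIC listener actually consumes. `tr_listeners` begins outside the hunk.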