fix: fix obsolete SSL files aren't deleted after the bridge configuration update

apps/emqx_bridge/src/emqx_bridge_app.erl

@@ -58,7 +58,8 @@ pre_config_update(Path, Conf, _OldConfig) when is_map(Conf) ->
 
 post_config_update(Path, '$remove', _, OldConf, _AppEnvs) ->
     _ = emqx_connector_ssl:clear_certs(filename:join(Path), OldConf);
-post_config_update(_Path, _Req, _, _OldConf, _AppEnvs) ->
+post_config_update(Path, _Req, NewConf, OldConf, _AppEnvs) ->
+    _ = emqx_connector_ssl:try_clear_certs(filename:join(Path), NewConf, OldConf),
     ok.
 
 %% internal functions

apps/emqx_bridge/test/data/certs/cafile

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE5DCCAswCCQCF3o0gIdaNDjANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlF
+TVFYIFRlc3QxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMTEy
+MzAwODQxMTFaFw00OTA1MTcwODQxMTFaMDQxEjAQBgNVBAoMCUVNUVggVGVzdDEe
+MBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAqmqSrxyH16j63QhqGLT1UO8I+m6BM3HfnJQM8laQdtJ0
+WgHqCh0/OphH3S7v4SfF4fNJDEJWMWuuzJzU9cTqHPLzhvo3+ZHcMIENgtY2p2Cf
+7AQjEqFViEDyv2ZWNEe76BJeShntdY5NZr4gIPar99YGG/Ln8YekspleV+DU38rE
+EX9WzhgBr02NN9z4NzIxeB+jdvPnxcXs3WpUxzfnUjOQf/T1tManvSdRbFmKMbxl
+A8NLYK3oAYm8EbljWUINUNN6loqYhbigKv8bvo5S4xvRqmX86XB7sc0SApngtNcg
+O0EKn8z/KVPDskE+8lMfGMiU2e2Tzw6Rph57mQPOPtIp5hPiKRik7ST9n0p6piXW
+zRLplJEzSjf40I1u+VHmpXlWI/Fs8b1UkDSMiMVJf0LyWb4ziBSZOY2LtZzWHbWj
+LbNgxQcwSS29tKgUwfEFmFcm+iOM59cPfkl2IgqVLh5h4zmKJJbfQKSaYb5fcKRf
+50b1qsN40VbR3Pk/0lJ0/WqgF6kZCExmT1qzD5HJES/5grjjKA4zIxmHOVU86xOF
+ouWvtilVR4PGkzmkFvwK5yRhBUoGH/A9BurhqOc0QCGay1kqHQFA6se4JJS+9KOS
+x8Rn1Nm6Pi7sd6Le3cKmHTlyl5a/ofKqTCX2Qh+v/7y62V1V1wnoh3ipRjdPTnMC
+AwEAATANBgkqhkiG9w0BAQsFAAOCAgEARCqaocvlMFUQjtFtepO2vyG1krn11xJ0
+e7md26i+g8SxCCYqQ9IqGmQBg0Im8fyNDKRN/LZoj5+A4U4XkG1yya91ZIrPpWyF
+KUiRAItchNj3g1kHmI2ckl1N//6Kpx3DPaS7qXZaN3LTExf6Ph+StE1FnS0wVF+s
+tsNIf6EaQ+ZewW3pjdlLeAws3jvWKUkROc408Ngvx74zbbKo/zAC4tz8oH9ZcpsT
+WD8enVVEeUQKI6ItcpZ9HgTI9TFWgfZ1vYwvkoRwNIeabYI62JKmLEo2vGfGwWKr
+c+GjnJ/tlVI2DpPljfWOnQ037/7yyJI/zo65+HPRmGRD6MuW/BdPDYOvOZUTcQKh
+kANi5THSbJJgZcG3jb1NLebaUQ1H0zgVjn0g3KhUV+NJQYk8RQ7rHtB+MySqTKlM
+kRkRjfTfR0Ykxpks7Mjvsb6NcZENf08ZFPd45+e/ptsxpiKu4e4W4bV7NZDvNKf9
+0/aD3oGYNMiP7s+KJ1lRSAjnBuG21Yk8FpzG+yr8wvJhV8aFgNQ5wIH86SuUTmN0
+5bVzFEIcUejIwvGoQEctNHBlOwHrb7zmB6OwyZeMapdXBQ+9UDhYg8ehDqdDOdfn
+wsBcnjD2MwNhlE1hjL+tZWLNwSHiD6xx3LvNoXZu2HK8Cp3SOrkE69cFghYMIZZb
+T+fp6tNL6LE=
+-----END CERTIFICATE-----

apps/emqx_bridge/test/data/certs/certfile

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID/jCCAeagAwIBAgIJAKTICmq1Lg6dMA0GCSqGSIb3DQEBCwUAMDQxEjAQBgNV
+BAoMCUVNUVggVGVzdDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
+DTIxMTIzMDA4NDExMloXDTQ5MDUxNzA4NDExMlowJTESMBAGA1UECgwJRU1RWCBU
+ZXN0MQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDzrujfx6XZTH0MWqLO6kNAeHndUZ+OGaURXvxKMPMF5dA40lxNG6cEzzlq
+0Rm61adlv8tF4kRJrs6EnRjEVoMImrdh07vGFdOTYqP01LjiBhErAzyRtSn2X8FT
+Te8ExoCRs3x61SPebGY2hOvFxuO6YDPVOSDvbbxvRgqIlM1ZXC8dOvPSSGZ+P8hV
+56EPayRthfu1FVptnkW9CyZCRI0gg95Hv8RC7bGG+tuWpkN9ZrRvohhgGR1+bDUi
+BNBpncEsSh+UgWaj8KRN8D16H6m/Im6ty467j0at49FvPx5nACL48/ghtYvzgKLc
+uKHtokKUuuzebDK/hQxN3mUSAJStAgMBAAGjIjAgMAsGA1UdDwQEAwIFoDARBglg
+hkgBhvhCAQEEBAMCB4AwDQYJKoZIhvcNAQELBQADggIBAIlVyPhOpkz3MNzQmjX7
+xgJ3vGPK5uK11n/wfjRwe2qXwZbrI2sYLVtTpUgvLDuP0gB73Vwfu7xAMdue6TRm
+CKr9z0lkQsVBtgoqzZCjd4PYLfHm4EhsOMi98OGKU5uOGD4g3yLwQWXHhbYtiZMO
+Jsj0hebYveYJt/BYTd1syGQcIcYCyVExWvSWjidfpAqjT6EF7whdubaFtuF2kaGF
+IO9yn9rWtXB5yK99uCguEmKhx3fAQxomzqweTu3WRvy9axsUH3WAUW9a4DIBSz2+
+ZSJNheFn5GktgggygJUGYqpSZHooUJW0UBs/8vX6AP+8MtINmqOGZUawmNwLWLOq
+wHyVt2YGD5TXjzzsWNSQ4mqXxM6AXniZVZK0yYNjA4ATikX1AtwunyWBR4IjyE/D
+FxYPORdZCOtywRFE1R5KLTUq/C8BNGCkYnoO78DJBO+pT0oagkQGQb0CnmC6C1db
+4lWzA9K0i4B0PyooZA+gp+5FFgaLuX1DkyeaY1J204QhHR1z/Vcyl5dpqR9hqnYP
+t8raLk9ogMDKqKA9iG0wc3CBNckD4sjVWAEeovXhElG55fD21wwhF+AnDCvX8iVK
+cBfKV6z6uxfKjGIxc2I643I5DiIn+V3DnPxYyY74Ln1lWFYmt5JREhAxPu42zq74
+e6+eIMYFszB+5gKgt6pa6ZNI
+-----END CERTIFICATE-----

apps/emqx_bridge/test/data/certs/keyfile

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA867o38el2Ux9DFqizupDQHh53VGfjhmlEV78SjDzBeXQONJc
+TRunBM85atEZutWnZb/LReJESa7OhJ0YxFaDCJq3YdO7xhXTk2Kj9NS44gYRKwM8
+kbUp9l/BU03vBMaAkbN8etUj3mxmNoTrxcbjumAz1Tkg7228b0YKiJTNWVwvHTrz
+0khmfj/IVeehD2skbYX7tRVabZ5FvQsmQkSNIIPeR7/EQu2xhvrblqZDfWa0b6IY
+YBkdfmw1IgTQaZ3BLEoflIFmo/CkTfA9eh+pvyJurcuOu49GrePRbz8eZwAi+PP4
+IbWL84Ci3Lih7aJClLrs3mwyv4UMTd5lEgCUrQIDAQABAoIBAQDwEbBgznrIwn8r
+jZt5x/brbAV7Ea/kOcWSgIaCvQifFdJ2OGAwov5/UXwajNgRZe2d4z7qoUhvYuUY
+ZwCAZU6ASpRBr2v9cYFYYURvrqZaHmoJew3P6q/lhl6aqFvC06DUagRHqvXEafyk
+13zEAvZVpfNKrBaTawPKiDFWb2qDDc9D6hC07EuJ/DNeehiHvzHrSZSDVV5Ut7Bw
+YDm33XygheUPAlHfeCnaixzcs3osiVyFEmVjxcIaM0ZS1NgcSaohSpJHMzvEaohX
+e+v9vccraSVlw01AlvFwI2vHYUV8jT6HwglTPKKGOCzK/ace3wPdYSU9qLcqfuHn
+EFhNc3tNAoGBAPugLMgbReJg2gpbIPUkYyoMMAAU7llFU1WvPWwXzo1a9EBjBACw
+WfCZISNtANXR38zIYXzoH547uXi4YPks1Nne3sYuCDpvuX+iz7fIo4zHf1nFmxH7
+eE6GtQr2ubmuuipTc28S0wBMGT1/KybH0e2NKL6GaOkNDmAI0IbEMBrvAoGBAPfr
+Y1QYLhPhan6m5g/5s+bQpKtHfNH9TNkk13HuYu72zNuY3qL2GC7oSadR8vTbRXZg
+KQqfaO0IGRcdkSFTq/AEhSSqr2Ld5nPadMbKvSGrSCc1s8rFH97jRVQY56yhM7ti
+IW4+6cE8ylCMbdYB6wuduK/GIgNpqoF4xs1i2XojAoGACacBUMPLEH4Kny8TupOk
+wi4pgTdMVVxVcAoC3yyincWJbRbfRm99Y79cCBHcYFdmsGJXawU0gUtlN/5KqgRQ
+PfNQtGV7p1I12XGTakdmDrZwai8sXao52TlNpJgGU9siBRGicfZU5cQFi9he/WPY
+57XshDJ/v8DidkigRysrdT0CgYEA5iuO22tblC+KvK1dGOXeZWO+DhrfwuGlcFBp
+CaimB2/w/8vsn2VVTG9yujo2E6hj1CQw1mDrfG0xRim4LTXOgpbfugwRqvuTUmo2
+Ur21XEX2RhjwpEfhcACWxB4fMUG0krrniMA2K6axupi1/KNpQi6bYe3UdFCs8Wld
+QSAOAvsCgYBk/X5PmD44DvndE5FShM2w70YOoMr3Cgl5sdwAFUFE9yDuC14UhVxk
+oxnYxwtVI9uVVirET+LczP9JEvcvxnN/Xg3tH/qm0WlIxmTxyYrFFIK9j0rqeu9z
+blPu56OzNI2VMrR1GbOBLxQINLTIpaacjNJAlr8XOlegdUJsW/Jwqw==
+-----END RSA PRIVATE KEY-----

apps/emqx_bridge/test/emqx_bridge_SUITE.erl

@@ -156,3 +156,98 @@ setup_fake_telemetry_data() ->
     {ok, _} = snabbkaffe_collector:receive_events(Sub),
     ok = snabbkaffe:stop(),
     ok.
+
+t_update_ssl_conf(_) ->
+    Path = [bridges, <<"mqtt">>, <<"ssl_update_test">>],
+    EnableSSLConf = #{
+        <<"connector">> =>
+            #{
+                <<"bridge_mode">> => false,
+                <<"clean_start">> => true,
+                <<"keepalive">> => <<"60s">>,
+                <<"mode">> => <<"cluster_shareload">>,
+                <<"proto_ver">> => <<"v4">>,
+                <<"server">> => <<"127.0.0.1:1883">>,
+                <<"ssl">> =>
+                    #{
+                        <<"cacertfile">> => cert_file("cafile"),
+                        <<"certfile">> => cert_file("certfile"),
+                        <<"enable">> => true,
+                        <<"keyfile">> => cert_file("keyfile"),
+                        <<"verify">> => <<"verify_peer">>
+                    }
+            },
+        <<"direction">> => <<"ingress">>,
+        <<"local_qos">> => 1,
+        <<"payload">> => <<"${payload}">>,
+        <<"remote_qos">> => 1,
+        <<"remote_topic">> => <<"t/#">>,
+        <<"retain">> => false
+    },
+
+    emqx:update_config(Path, EnableSSLConf),
+    ?assertMatch({ok, [_, _, _]}, list_pem_dir(Path)),
+    NoSSLConf = #{
+        <<"connector">> =>
+            #{
+                <<"bridge_mode">> => false,
+                <<"clean_start">> => true,
+                <<"keepalive">> => <<"60s">>,
+                <<"max_inflight">> => 32,
+                <<"mode">> => <<"cluster_shareload">>,
+                <<"password">> => <<>>,
+                <<"proto_ver">> => <<"v4">>,
+                <<"reconnect_interval">> => <<"15s">>,
+                <<"replayq">> =>
+                    #{<<"offload">> => false, <<"seg_bytes">> => <<"100MB">>},
+                <<"retry_interval">> => <<"15s">>,
+                <<"server">> => <<"127.0.0.1:1883">>,
+                <<"ssl">> =>
+                    #{
+                        <<"ciphers">> => <<>>,
+                        <<"depth">> => 10,
+                        <<"enable">> => false,
+                        <<"reuse_sessions">> => true,
+                        <<"secure_renegotiate">> => true,
+                        <<"user_lookup_fun">> => <<"emqx_tls_psk:lookup">>,
+                        <<"verify">> => <<"verify_peer">>,
+                        <<"versions">> =>
+                            [
+                                <<"tlsv1.3">>,
+                                <<"tlsv1.2">>,
+                                <<"tlsv1.1">>,
+                                <<"tlsv1">>
+                            ]
+                    },
+                <<"username">> => <<>>
+            },
+        <<"direction">> => <<"ingress">>,
+        <<"enable">> => true,
+        <<"local_qos">> => 1,
+        <<"payload">> => <<"${payload}">>,
+        <<"remote_qos">> => 1,
+        <<"remote_topic">> => <<"t/#">>,
+        <<"retain">> => false
+    },
+
+    emqx:update_config(Path, NoSSLConf),
+    ?assertMatch({error, not_dir}, list_pem_dir(Path)),
+    emqx:remove_config(Path),
+    ok.
+
+list_pem_dir(Path) ->
+    Dir = filename:join([emqx:mutable_certs_dir() | Path]),
+    case filelib:is_dir(Dir) of
+        true ->
+            file:list_dir(Dir);
+        _ ->
+            {error, not_dir}
+    end.
+
+data_file(Name) ->
+    Dir = code:lib_dir(emqx_bridge, test),
+    {ok, Bin} = file:read_file(filename:join([Dir, "data", Name])),
+    Bin.
+
+cert_file(Name) ->
+    data_file(filename:join(["certs", Name])).

apps/emqx_connector/src/emqx_connector_ssl.erl

@@ -16,9 +16,12 @@
 
 -module(emqx_connector_ssl).
 
+-include_lib("emqx/include/logger.hrl").
+
 -export([
     convert_certs/2,
-    clear_certs/2
+    clear_certs/2,
+    try_clear_certs/3
 ]).
 
 %% TODO: rm `connector` case after `dev/ee5.0` merged into `master`.
@@ -43,21 +46,37 @@ convert_certs(RltvDir, #{ssl := SSL} = Config) ->
 convert_certs(_RltvDir, Config) ->
     {ok, Config}.
 
-clear_certs(RltvDir, #{<<"connector">> := Connector} = _Config) when
+clear_certs(RltvDir, Config) ->
+    clear_certs2(RltvDir, normalize_key_to_bin(Config)).
+
+clear_certs2(RltvDir, #{<<"connector">> := Connector} = _Config) when
     is_map(Connector)
 ->
     OldSSL = map_get_oneof([<<"ssl">>, ssl], Connector, undefined),
     ok = emqx_tls_lib:delete_ssl_files(RltvDir, undefined, OldSSL);
-clear_certs(RltvDir, #{connector := Connector} = _Config) when
+clear_certs2(RltvDir, #{<<"ssl">> := OldSSL} = _Config) ->
-    is_map(Connector)
+    ok = emqx_tls_lib:delete_ssl_files(RltvDir, undefined, OldSSL);
+clear_certs2(_RltvDir, _) ->
+    ok.
+
+try_clear_certs(RltvDir, NewConf, OldConf) ->
+    try_clear_certs2(
+        RltvDir,
+        normalize_key_to_bin(NewConf),
+        normalize_key_to_bin(OldConf)
+    ).
+
+try_clear_certs2(RltvDir, #{<<"connector">> := NewConnector}, #{<<"connector">> := OldConnector}) when
+    is_map(NewConnector),
+    is_map(OldConnector)
 ->
-    OldSSL = map_get_oneof([<<"ssl">>, ssl], Connector, undefined),
+    NewSSL = map_get_oneof([<<"ssl">>, ssl], NewConnector, undefined),
-    ok = emqx_tls_lib:delete_ssl_files(RltvDir, undefined, OldSSL);
+    OldSSL = map_get_oneof([<<"ssl">>, ssl], OldConnector, undefined),
-clear_certs(RltvDir, #{<<"ssl">> := OldSSL} = _Config) ->
+    ok = emqx_tls_lib:delete_ssl_files(RltvDir, NewSSL, OldSSL);
-    ok = emqx_tls_lib:delete_ssl_files(RltvDir, undefined, OldSSL);
+try_clear_certs2(RltvDir, #{<<"ssl">> := NewSSL}, #{<<"ssl">> := OldSSL}) ->
-clear_certs(RltvDir, #{ssl := OldSSL} = _Config) ->
+    ok = emqx_tls_lib:delete_ssl_files(RltvDir, NewSSL, OldSSL);
-    ok = emqx_tls_lib:delete_ssl_files(RltvDir, undefined, OldSSL);
+try_clear_certs2(RltvDir, NewConf, OldConf) ->
-clear_certs(_RltvDir, _) ->
+    ?SLOG(debug, #{msg => "unexpected_conf", path => RltvDir, new => NewConf, OldConf => OldConf}),
     ok.
 
 new_ssl_config(RltvDir, Config, SSL) ->
@@ -88,3 +107,18 @@ map_get_oneof([Key | Keys], Map, Default) ->
         {ok, Value} ->
             Value
     end.
+
+normalize_key_to_bin(Map) when is_map(Map) ->
+    maps:fold(
+        fun
+            (K, V, Acc) when is_atom(K) ->
+                Bin = erlang:atom_to_binary(K, utf8),
+                Acc#{Bin => V};
+            (K, V, Acc) ->
+                Acc#{K => V}
+        end,
+        #{},
+        Map
+    );
+normalize_key_to_bin(Any) ->
+    Any.