From 445e176898379f15807346f696e13348c606bad0 Mon Sep 17 00:00:00 2001 From: Thales Macedo Garitezi Date: Thu, 10 Nov 2022 16:26:06 -0300 Subject: [PATCH 01/28] refactor(crl): rename `s/enable_crl_cache/enable_crl_check/g` --- etc/emqx.conf | 2 +- priv/emqx.schema | 6 +++--- src/emqx_crl_cache.erl | 2 +- src/emqx_listeners.erl | 2 +- test/emqx_crl_cache_SUITE.erl | 6 +++--- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/etc/emqx.conf b/etc/emqx.conf index c9bcb7b59..6f6ab764f 100644 --- a/etc/emqx.conf +++ b/etc/emqx.conf @@ -1554,7 +1554,7 @@ listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem ## ## Value: boolean ## Default: false -## listener.ssl.external.enable_crl_cache = true +## listener.ssl.external.enable_crl_check = true ## Comma-separated URL list for CRL servers to fetch and cache CRLs ## from. Must include the path to the CRL file(s). diff --git a/priv/emqx.schema b/priv/emqx.schema index e2daf197f..40c89f05c 100644 --- a/priv/emqx.schema +++ b/priv/emqx.schema @@ -1702,7 +1702,7 @@ end}. {datatype, {duration, ms}} ]}. -{mapping, "listener.ssl.$name.enable_crl_cache", "emqx.listeners", [ +{mapping, "listener.ssl.$name.enable_crl_check", "emqx.listeners", [ {default, false}, {datatype, {enum, [true, false]}} ]}. @@ -2337,7 +2337,7 @@ end}. undefined -> undefined; _ -> {fun emqx_psk:lookup/3, <<>>} end, - CRLCheck = case cuttlefish:conf_get(Prefix ++ ".enable_crl_cache", Conf, false) of + CRLCheck = case cuttlefish:conf_get(Prefix ++ ".enable_crl_check", Conf, false) of true -> HTTPTimeout = cuttlefish:conf_get(Prefix ++ ".crl_cache_http_timeout", Conf, timer:seconds(15)), %% {crl_check, true} doesn't work 
@@ -2374,7 +2374,7 @@ end}. undefined -> undefined; URLs -> string:tokens(URLs, ", ") end, - Filter([ {crl_cache_enabled, cuttlefish:conf_get(Prefix ++ ".enable_crl_cache", Conf, false)} + Filter([ {crl_check_enabled, cuttlefish:conf_get(Prefix ++ ".enable_crl_check", Conf, false)} , {crl_cache_urls, CRLURLs} ]) end, diff --git a/src/emqx_crl_cache.erl b/src/emqx_crl_cache.erl index bca18e7a4..a8f1531f8 100644 --- a/src/emqx_crl_cache.erl +++ b/src/emqx_crl_cache.erl @@ -187,7 +187,7 @@ collect_urls(Listeners) -> CRLOpts1 = lists:filter( fun(CRLOpts) -> - proplists:get_bool(crl_cache_enabled, CRLOpts) + proplists:get_bool(crl_check_enabled, CRLOpts) end, CRLOpts0), CRLURLs = diff --git a/src/emqx_listeners.erl b/src/emqx_listeners.erl index 68a57142a..c6e70862d 100644 --- a/src/emqx_listeners.erl +++ b/src/emqx_listeners.erl @@ -306,7 +306,7 @@ find_by_id(Id, [L | Rest]) -> -spec maybe_register_crl_urls([esockd:option()]) -> ok. maybe_register_crl_urls(Options) -> CRLOptions = proplists:get_value(crl_options, Options, []), - case proplists:get_bool(crl_cache_enabled, CRLOptions) of + case proplists:get_bool(crl_check_enabled, CRLOptions) of false -> ok; true -> diff --git a/test/emqx_crl_cache_SUITE.erl b/test/emqx_crl_cache_SUITE.erl index f9090d85f..d736c5a87 100644 --- a/test/emqx_crl_cache_SUITE.erl +++ b/test/emqx_crl_cache_SUITE.erl @@ -80,7 +80,7 @@ end_per_testcase(TestCase, Config) emqx_crl_cache_http_server:stop(ServerPid), emqx_ct_helpers:stop_apps([]), emqx_ct_helpers:change_emqx_opts( - ssl_twoway, [ {crl_options, [ {crl_cache_enabled, false} + ssl_twoway, [ {crl_options, [ {crl_check_enabled, false} , {crl_cache_urls, []} ]} ]), @@ -90,7 +90,7 @@ end_per_testcase(TestCase, Config) end_per_testcase(t_not_cached_and_unreachable, _Config) -> emqx_ct_helpers:stop_apps([]), emqx_ct_helpers:change_emqx_opts( - ssl_twoway, [ {crl_options, [ {crl_cache_enabled, false} + ssl_twoway, [ {crl_options, [ {crl_check_enabled, false} , {crl_cache_urls, []} ]} ]), 
@@ -194,7 +194,7 @@ setup_crl_options(Config, #{is_cached := IsCached}) -> , {crl_cache, {ssl_crl_cache, {internal, [{http, timer:seconds(15)}]}}} ]} - , {crl_options, [ {crl_cache_enabled, true} + , {crl_options, [ {crl_check_enabled, true} , {crl_cache_urls, URLs} ]} ]), From f9c1f8cf32f0c6c882c3b5df7c90a14e59fb2826 Mon Sep 17 00:00:00 2001 From: "Zaiming (Stone) Shi" Date: Thu, 10 Nov 2022 22:00:25 +0100 Subject: [PATCH 02/28] docs: add a comment to schema default value --- priv/emqx.schema | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/priv/emqx.schema b/priv/emqx.schema index 0399cb27d..e2eaa7b10 100644 --- a/priv/emqx.schema +++ b/priv/emqx.schema @@ -807,13 +807,13 @@ end}. %% @doc Define a determined authentication plugin/module check order. %% see detailed doc in emqx.conf {mapping, "auth_order", "emqx.auth_order", [ - {default, "none"}, + {default, "none"}, % keep default value in sync with emqx_conf.erl {datatype, string} ]}. %% @doc Same as auth_order, but for ACL. {mapping, "acl_order", "emqx.acl_order", [ - {default, "none"}, + {default, "none"}, % keep default value in sync with emqx_conf.erl {datatype, string} ]}. From d5de5ac05cf1f95f1abf47fc18f9c193b911b17b Mon Sep 17 00:00:00 2001 From: "Zaiming (Stone) Shi" Date: Fri, 11 Nov 2022 07:04:28 +0100 Subject: [PATCH 03/28] Revert "fix: remove outdated cert store from packages" --- .github/workflows/build_packages.yaml | 5 ----- build | 15 ++------------- 2 files changed, 2 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build_packages.yaml b/.github/workflows/build_packages.yaml index 195e3c23c..38c1ea472 100644 --- a/.github/workflows/build_packages.yaml +++ b/.github/workflows/build_packages.yaml 
@@ -94,11 +94,6 @@ jobs: } make ensure-rebar3 make ${{ matrix.profile }} - ## Delete certifi cert store - $Cert = Get-ChildItem "_build/${{ matrix.profile }}/rel/emqx/lib/certifi*/priv/cacerts.pem" - if (Test-Path $Cert) { - Remove-Item $Cert - } mkdir -p _packages/${{ matrix.profile }} Compress-Archive -Path _build/${{ matrix.profile }}/rel/emqx -DestinationPath _build/${{ matrix.profile }}/rel/$pkg_name mv _build/${{ matrix.profile }}/rel/$pkg_name _packages/${{ matrix.profile }} diff --git a/build b/build index 1cb6bd713..0ffb810eb 100755 --- a/build +++ b/build @@ -61,20 +61,9 @@ log() { echo "===< $msg" } -delete_unwanted_file() { - if [ -e "${1}" ]; then - log "Deleting file: ${1}" - rm -f "${1}" - else - log "Cannot delete file: ${1} -- file not found" - fi -} - make_rel() { - ./rebar3 as "$PROFILE" release - # delete outdated cert store - delete_unwanted_file _build/"${PROFILE}"/rel/emqx/lib/certifi*/priv/cacerts.pem - ./rebar3 as "$PROFILE" tar + # shellcheck disable=SC1010 + ./rebar3 as "$PROFILE" do release,tar } ## unzip previous version .zip files to _build/$PROFILE/rel/emqx/releases before making relup From 0748ca1238d039afd38e3b4cced09d0081c42c1e Mon Sep 17 00:00:00 2001 From: JimMoen Date: Fri, 11 Nov 2022 14:00:38 +0800 Subject: [PATCH 04/28] chore: fix comment in schema and config file --- changes/v4.3.22-en.md | 4 ++-- changes/v4.3.22-zh.md | 2 +- etc/emqx.conf | 4 ++-- priv/emqx.schema | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/changes/v4.3.22-en.md b/changes/v4.3.22-en.md index d4116990a..48177dc19 100644 --- a/changes/v4.3.22-en.md +++ b/changes/v4.3.22-en.md 
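Review bot: The reason for shipping certifi's bundled `cacerts.pem` again is not recorded in `make_rel` or in the commit message, although the reverted commit's title describes that store as outdated. The same removal is dropped from the Windows packaging step in `build_packages.yaml`. Whether anything in the release reads that bundle is not visible here, so a comment above the rebar3 call would at least keep the decision traceable, e.g. `# certifi's priv/cacerts.pem is shipped as-is; see the revert of "remove outdated cert store from packages"`. If the bundle is meant to stay, it also needs an owner for keeping the pinned certifi version current.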
@@ -39,8 +39,8 @@ - Added configurations to enable more `client.disconnected` events (and counter bumps) [#9267](https://github.com/emqx/emqx/pull/9267). Prior to this change, the `client.disconnected` event (and counter bump) is triggered when a client performs a 'normal' disconnect, or is 'kicked' by system admin, but NOT triggered when a - stale connection had to be 'discarded' (for clean session) or 'takenover' (for non-clean session). - Now it is possible to set configs `broker.client_disconnect_discarded` and `broker.client_disconnect_takenover` to `on` to enable the event in these scenarios. + stale connection had to be 'discarded' (for clean session) or 'takeovered' (for non-clean session) by new connection. + Now it is possible to set configs `broker.client_disconnect_discarded` and `broker.client_disconnect_takeovered` to `on` to enable the event in these scenarios. - For Rule-Engine resource creation failure, delay before the first retry [#9313](https://github.com/emqx/emqx/pull/9313). Prior to this change, the retry delay was added *after* the retry failure. diff --git a/changes/v4.3.22-zh.md b/changes/v4.3.22-zh.md index 2e02538ca..e5ee67942 100644 --- a/changes/v4.3.22-zh.md +++ b/changes/v4.3.22-zh.md @@ -34,7 +34,7 @@ - 为更多类型的 `client.disconnected` 事件(计数器触发)提供可配置项 [#9267](https://github.com/emqx/emqx/pull/9267)。 此前,`client.disconnected` 事件及计数器仅会在客户端正常断开连接或客户端被系统管理员踢出时触发, - 但不会在旧 session 被废弃 (clean_session = true) 或旧 session 被接管 (clean_session = false) 时被触发。 + 但不会在旧 session 被新连接废弃时 (clean_session = true) ,或旧 session 被新连接接管时 (clean_session = false) 被触发。 可将 `broker.client_disconnect_discarded` 和 `broker.client_disconnect_takovered` 选项设置为 `on` 来启用此场景下的客户端断连事件。 - 规则引擎资源创建失败后,第一次重试前增加一个延迟 [#9313](https://github.com/emqx/emqx/pull/9313)。 diff --git a/etc/emqx.conf b/etc/emqx.conf index f23b6f841..1eabe1cad 100644 --- a/etc/emqx.conf +++ b/etc/emqx.conf 
@@ -2457,9 +2457,9 @@ broker.route_batch_clean = off ## Enable client disconnect event will be triggered by which reasons. ## Value: on | off -## `takeover`: session was takenover by another client with same client ID. (clean_session = false) +## `discarded`: session was discarded by another client with same client ID when new connection use `clean_session = true`. ## Default: off -## `discard`: session was takeover by another client with same client ID. (clean_session = true) +## `takeover`: session was takeovered by another client with same client ID when new connection use `clean_session = false`. ## Default: off ## # broker.client_disconnect_discarded = off diff --git a/priv/emqx.schema b/priv/emqx.schema index 0399cb27d..61808dfa4 100644 --- a/priv/emqx.schema +++ b/priv/emqx.schema @@ -2508,13 +2508,13 @@ end}. ]}. %% @doc Configuration of disconnected event reason. -%% `takeover`: session was takenover by another client with same client ID. (clean_session = false) -%% `discard`: session was takeover by another client with same client ID. (clean_session = true) +%% `discarded`: session was discarded by another client with same client ID when new connection use `clean_session = true`. {mapping, "broker.client_disconnect_discarded", "emqx.client_disconnect_discarded", [ {default, off}, {datatype, flag} ]}. +%% `takeovered`: session was takeovered by another client with same client ID when new connection use `clean_session = false`. {mapping, "broker.client_disconnect_takeovered", "emqx.client_disconnect_takeovered", [ {default, off}, {datatype, flag} From 2b6be02485dbb0764779bc643ecc3ac8a2da84dd Mon Sep 17 00:00:00 2001 From: zhongwencool Date: Fri, 11 Nov 2022 18:05:31 +0800 Subject: [PATCH 05/28] feat: validate tls_versions value --- changes/v4.3.22-en.md | 2 ++ changes/v4.3.22-zh.md | 2 ++ priv/emqx.schema | 11 ++++++++++- 3 files changed, 14 insertions(+), 1 deletion(-) 
diff --git a/changes/v4.3.22-en.md b/changes/v4.3.22-en.md index 48177dc19..c11ea3718 100644 --- a/changes/v4.3.22-en.md +++ b/changes/v4.3.22-en.md @@ -3,6 +3,8 @@ ## Enhancements +- Make sure listener's tls_versions is `[tlsv1,tlsv1.1,tlsv1.2,tlsv1.3]` [#9260](https://github.com/emqx/emqx/pull/9260). + - Remove useless information from the dashboard listener failure log [#9260](https://github.com/emqx/emqx/pull/9260). - We now trigger the `'message.acked'` hook after the CoAP gateway sends a message to the device and receives the ACK from the device [#9264](https://github.com/emqx/emqx/pull/9264). diff --git a/changes/v4.3.22-zh.md b/changes/v4.3.22-zh.md index e5ee67942..fc78c6985 100644 --- a/changes/v4.3.22-zh.md +++ b/changes/v4.3.22-zh.md @@ -2,6 +2,8 @@ ## 增强 +- 确证监听器的 tls_versions 为 `[tlsv1,tlsv1.1,tlsv1.2,tlsv1.3]` [#9260](https://github.com/emqx/emqx/pull/9260). + - 删除 Dashboard 监听器失败时日志中的无用信息 [#9260](https://github.com/emqx/emqx/pull/9260). - 当 CoAP 网关给设备投递消息并收到设备发来的确认之后,回调 `'message.acked'` 钩子 [#9264](https://github.com/emqx/emqx/pull/9264)。 diff --git a/priv/emqx.schema b/priv/emqx.schema index 61808dfa4..60cb85ae2 100644 --- a/priv/emqx.schema +++ b/priv/emqx.schema @@ -2203,7 +2203,16 @@ end}. SslOpts = fun(Prefix) -> Versions = case SplitFun(cuttlefish:conf_get(Prefix ++ ".tls_versions", Conf, undefined)) of undefined -> undefined; - L -> [list_to_atom(V) || V <- L] + L -> + Versions0 = [list_to_atom(V) || V <- L], + SupportVersions = ['tlsv1', 'tlsv1.1', 'tlsv1.2', 'tlsv1.3'], + case lists:all(fun(V) -> lists:member(V, SupportVersions) end, Versions0) of + false -> + cuttlefish:invalid( + lists:flatten(io_lib:format("tls_versions: only support ~p", [SupportVersions]))); + true -> + Versions0 + end end, TLSCiphers = cuttlefish:conf_get(Prefix++".ciphers", Conf, undefined), PSKCiphers = cuttlefish:conf_get(Prefix++".psk_ciphers", Conf, undefined), From c9e05acb4cc5aa81b0da038861cb84769f9084b0 Mon Sep 17 00:00:00 2001 
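Review bot: In the `tls_versions` branch of `SslOpts`, every configured value goes through `list_to_atom/1` before it is compared with `SupportVersions`, so a misspelt entry still creates an atom and the error text never names the offending value. Validating the strings first avoids both: `case [V || V <- L, not lists:member(V, ["tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"])] of [] -> [list_to_atom(V) || V <- L]; Bad -> cuttlefish:invalid(io_lib:format("tls_versions: unsupported ~p", [Bad])) end`. `lists:all/2` is true for an empty list, so an empty setting would yield `[]`, if `SplitFun` can return one (it is defined outside the hunk). The allow-list also accepts `tlsv1` and `tlsv1.1`; a comment saying they are kept only for legacy clients would help operators reading the schema. The `SslOpts` fun starts and ends outside this hunk.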
From: Thales Macedo Garitezi Date: Fri, 11 Nov 2022 09:48:59 -0300 Subject: [PATCH 06/28] fix(crl): make http timeout global for all listeners We make the CRL HTTP timeout the same for all listeners for simplicity of understanding and implementation. --- etc/emqx.conf | 5 +++-- priv/emqx.schema | 4 ++-- src/emqx_crl_cache.erl | 34 +++++++++++++++++++++++----------- test/emqx_crl_cache_SUITE.erl | 1 + 4 files changed, 29 insertions(+), 15 deletions(-) diff --git a/etc/emqx.conf b/etc/emqx.conf index 6f6ab764f..ccfaa4bb7 100644 --- a/etc/emqx.conf +++ b/etc/emqx.conf @@ -1562,11 +1562,12 @@ listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem ## Value: String ## listener.ssl.external.crl_cache_urls = http://my.crl.server/intermediate.crl.pem, http://my.other.crl.server/another.crl.pem -## The timeout for the HTTP request when fetching CRLs. +## The timeout for the HTTP request when fetching CRLs. This is +## global for all listeners. ## ## Value: Duration ## Default: 15 s -## listener.ssl.external.crl_cache_http_timeout = 15s +## crl_cache.http_timeout = 15s ## The period to refresh the CRLs from the servers. This is global ## for all URLs and listeners. diff --git a/priv/emqx.schema b/priv/emqx.schema index 40c89f05c..3fa61d490 100644 --- a/priv/emqx.schema +++ b/priv/emqx.schema @@ -1712,7 +1712,7 @@ end}. {datatype, string} ]}. -{mapping, "listener.ssl.$name.crl_cache_http_timeout", "emqx.listeners", [ +{mapping, "crl_cache.http_timeout", "emqx.crl_cache_http_timeout", [ {default, "15s"}, {datatype, {duration, ms}} ]}. @@ -2339,7 +2339,7 @@ end}. end, CRLCheck = case cuttlefish:conf_get(Prefix ++ ".enable_crl_check", Conf, false) of true -> - HTTPTimeout = cuttlefish:conf_get(Prefix ++ ".crl_cache_http_timeout", Conf, timer:seconds(15)), + HTTPTimeout = cuttlefish:conf_get("crl_cache.http_timeout", Conf, timer:seconds(15)), %% {crl_check, true} doesn't work [ {crl_check, peer} , {crl_cache, {ssl_crl_cache, {internal, [{http, HTTPTimeout}]}}} 
diff --git a/src/emqx_crl_cache.erl b/src/emqx_crl_cache.erl index a8f1531f8..79906701c 100644 --- a/src/emqx_crl_cache.erl +++ b/src/emqx_crl_cache.erl @@ -41,12 +41,13 @@ -define(LOG(Level, Format, Args), logger:log(Level, "[~p] " ++ Format, [?MODULE | Args])). --define(HTTP_TIMEOUT, timer:seconds(10)). +-define(HTTP_TIMEOUT, timer:seconds(15)). -define(RETRY_TIMEOUT, 5_000). -record(state, { refresh_timers = #{} :: #{binary() => timer:tref()} , refresh_interval = timer:minutes(15) :: timer:time() + , http_timeout = ?HTTP_TIMEOUT :: timer:time() }). %%-------------------------------------------------------------------- @@ -60,9 +61,13 @@ start_link() -> timer:minutes(15)), MinimumRefreshInverval = timer:minutes(1), RefreshIntervalMS = max(RefreshIntervalMS0, MinimumRefreshInverval), - start_link(#{urls => URLs, refresh_interval => RefreshIntervalMS}). + HTTPTimeoutMS = emqx:get_env(crl_cache_http_timeout, ?HTTP_TIMEOUT), + start_link(#{ urls => URLs + , refresh_interval => RefreshIntervalMS + , http_timeout => HTTPTimeoutMS + }). -start_link(Opts = #{urls := _, refresh_interval := _}) -> +start_link(Opts = #{urls := _, refresh_interval := _, http_timeout := _}) -> gen_server:start_link({local, ?MODULE}, ?MODULE, Opts, []). refresh(URL) -> @@ -75,9 +80,15 @@ evict(URL) -> %% gen_server behaviour %%-------------------------------------------------------------------- -init(#{urls := URLs, refresh_interval := RefreshIntervalMS}) -> +init(Config) -> + #{ urls := URLs + , refresh_interval := RefreshIntervalMS + , http_timeout := HTTPTimeoutMS + } = Config, State = lists:foldl(fun(URL, Acc) -> ensure_timer(URL, Acc, 0) end, - #state{refresh_interval = RefreshIntervalMS}, + #state{ refresh_interval = RefreshIntervalMS + , http_timeout = HTTPTimeoutMS + }, URLs), {ok, State}. 
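Review bot: `crl_cache_http_timeout` is read in `start_link/0` and used unchanged, while the refresh interval just above it is clamped with `max/2`; a value of 0 or a very large one goes straight into `http_get/2`. The later hunks of this file show the fetch running inside `handle_cast` and `handle_info`, so this value is also how long the cache process can be occupied per URL. The suite's own comment says a client is denied when the CRL is not cached and cannot be fetched, so a bad timeout has a visible effect. Bounding it next to `MinimumRefreshInverval` would cover this, e.g. `HTTPTimeoutMS = min(max(HTTPTimeoutMS0, timer:seconds(1)), RefreshIntervalMS)`, with the exact limits left to the maintainers. The `?HTTP_TIMEOUT` default also changes from 10 to 15 seconds in this commit without a changelog entry.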
@@ -95,7 +106,7 @@ handle_cast({evict, URL}, State0 = #state{refresh_timers = RefreshTimers0}) -> }), {noreply, State}; handle_cast({refresh, URL}, State0) -> - case do_http_fetch_and_cache(URL) of + case do_http_fetch_and_cache(URL, State0#state.http_timeout) of {error, Error} -> ?tp(crl_refresh_failure, #{error => Error, url => URL}), ?LOG(error, "failed to fetch crl response for ~p; error: ~p", @@ -109,12 +120,14 @@ handle_cast(_Cast, State) -> {noreply, State}. handle_info({timeout, TRef, {refresh, URL}}, - State = #state{refresh_timers = RefreshTimers}) -> + State = #state{ refresh_timers = RefreshTimers + , http_timeout = HTTPTimeoutMS + }) -> case maps:get(URL, RefreshTimers, undefined) of TRef -> ?tp(crl_refresh_timer, #{url => URL}), ?LOG(debug, "refreshing crl response for ~p", [URL]), - case do_http_fetch_and_cache(URL) of + case do_http_fetch_and_cache(URL, HTTPTimeoutMS) of {error, Error} -> ?LOG(error, "failed to fetch crl response for ~p; error: ~p", [URL, Error]), @@ -142,10 +155,9 @@ http_get(URL, HTTPTimeout) -> [{body_format, binary}] ). -do_http_fetch_and_cache(URL) -> +do_http_fetch_and_cache(URL, HTTPTimeoutMS) -> ?tp(crl_http_fetch, #{crl_url => URL}), - %% FIXME: read from config - Resp = ?MODULE:http_get(URL, ?HTTP_TIMEOUT), + Resp = ?MODULE:http_get(URL, HTTPTimeoutMS), case Resp of {ok, {{_, 200, _}, _, Body}} -> case parse_crls(Body) of diff --git a/test/emqx_crl_cache_SUITE.erl b/test/emqx_crl_cache_SUITE.erl index d736c5a87..4c282a376 100644 --- a/test/emqx_crl_cache_SUITE.erl +++ b/test/emqx_crl_cache_SUITE.erl @@ -257,6 +257,7 @@ t_init_refresh(Config) -> URL2 = "http://localhost/crl2.pem", Opts = #{ urls => [URL1, URL2] , refresh_interval => timer:minutes(15) + , http_timeout => timer:seconds(15) }, ok = snabbkaffe:start_trace(), {ok, SubRef} = snabbkaffe:subscribe( From b08d1651ad917f69ed92b4b026fb058c1b0bd785 Mon Sep 17 00:00:00 2001 
From: Thales Macedo Garitezi Date: Fri, 11 Nov 2022 10:47:38 -0300 Subject: [PATCH 07/28] docs: remove comment The server will still fetch CRLs on the fly. --- etc/emqx.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/emqx.conf b/etc/emqx.conf index ccfaa4bb7..2303402d3 100644 --- a/etc/emqx.conf +++ b/etc/emqx.conf @@ -1550,7 +1550,6 @@ listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem ## listener.ssl.external.ocsp_refresh_http_timeout = 15s ## Whether to enable CRL verification and caching for this listener. -## If set to true, requires specifying the CRL server URLs. ## ## Value: boolean ## Default: false From 0ca74925150933a9f3d892f0cc443e580631a5fd Mon Sep 17 00:00:00 2001 From: Thales Macedo Garitezi Date: Fri, 11 Nov 2022 12:21:03 -0300 Subject: [PATCH 08/28] feat(crl): add refresh config API --- src/emqx_crl_cache.erl | 57 +++++++++++++++++------ test/emqx_crl_cache_SUITE.erl | 86 +++++++++++++++++++++++++++++++++++ 2 files changed, 130 insertions(+), 13 deletions(-) diff --git a/src/emqx_crl_cache.erl b/src/emqx_crl_cache.erl index 79906701c..957890f46 100644 --- a/src/emqx_crl_cache.erl +++ b/src/emqx_crl_cache.erl @@ -23,6 +23,7 @@ , start_link/1 , refresh/1 , evict/1 + , refresh_config/0 ]). %% gen_server callbacks @@ -48,6 +49,7 @@ { refresh_timers = #{} :: #{binary() => timer:tref()} , refresh_interval = timer:minutes(15) :: timer:time() , http_timeout = ?HTTP_TIMEOUT :: timer:time() + , extra = #{} :: map() %% for future use }). %%-------------------------------------------------------------------- 
@@ -55,20 +57,11 @@ %%-------------------------------------------------------------------- start_link() -> - Listeners = emqx:get_env(listeners, []), - URLs = collect_urls(Listeners), - RefreshIntervalMS0 = emqx:get_env(crl_cache_refresh_interval, - timer:minutes(15)), - MinimumRefreshInverval = timer:minutes(1), - RefreshIntervalMS = max(RefreshIntervalMS0, MinimumRefreshInverval), - HTTPTimeoutMS = emqx:get_env(crl_cache_http_timeout, ?HTTP_TIMEOUT), - start_link(#{ urls => URLs - , refresh_interval => RefreshIntervalMS - , http_timeout => HTTPTimeoutMS - }). + Config = gather_config(), + start_link(Config). -start_link(Opts = #{urls := _, refresh_interval := _, http_timeout := _}) -> - gen_server:start_link({local, ?MODULE}, ?MODULE, Opts, []). +start_link(Config = #{urls := _, refresh_interval := _, http_timeout := _}) -> + gen_server:start_link({local, ?MODULE}, ?MODULE, Config, []). refresh(URL) -> gen_server:cast(?MODULE, {refresh, URL}). @@ -76,6 +69,11 @@ refresh(URL) -> evict(URL) -> gen_server:cast(?MODULE, {evict, URL}). +%% to pick up changes from the config +-spec refresh_config() -> ok. +refresh_config() -> + gen_server:cast(?MODULE, refresh_config). + %%-------------------------------------------------------------------- %% gen_server behaviour %%-------------------------------------------------------------------- 
@@ -116,6 +114,21 @@ handle_cast({refresh, URL}, State0) -> ?LOG(debug, "fetched crl response for ~p", [URL]), {noreply, ensure_timer(URL, State0)} end; +handle_cast(refresh_config, State0) -> + #{ urls := URLs + , http_timeout := HTTPTimeoutMS + , refresh_interval := RefreshIntervalMS + } = gather_config(), + State = lists:foldl(fun(URL, Acc) -> ensure_timer(URL, Acc, 0) end, + State0#state{ refresh_interval = RefreshIntervalMS + , http_timeout = HTTPTimeoutMS + }, + URLs), + ?tp(crl_cache_refresh_config, #{ refresh_interval => RefreshIntervalMS + , http_timeout => HTTPTimeoutMS + , urls => URLs + }), + State; handle_cast(_Cast, State) -> {noreply, State}. @@ -186,6 +199,7 @@ ensure_timer(URL, State = #state{refresh_interval = Timeout}) -> ensure_timer(URL, State, Timeout). ensure_timer(URL, State = #state{refresh_timers = RefreshTimers0}, Timeout) -> + ?tp(crl_cache_ensure_timer, #{url => URL, timeout => Timeout}), MTimer = maps:get(URL, RefreshTimers0, undefined), emqx_misc:cancel_timer(MTimer), RefreshTimers = RefreshTimers0#{URL => emqx_misc:start_timer( @@ -209,3 +223,20 @@ collect_urls(Listeners) -> end, CRLOpts1), lists:usort(CRLURLs). + +-spec gather_config() -> #{ urls := [string()] + , refresh_interval := timer:time() + , http_timeout := timer:time() + }. +gather_config() -> + Listeners = emqx:get_env(listeners, []), + URLs = collect_urls(Listeners), + RefreshIntervalMS0 = emqx:get_env(crl_cache_refresh_interval, + timer:minutes(15)), + MinimumRefreshInverval = timer:minutes(1), + RefreshIntervalMS = max(RefreshIntervalMS0, MinimumRefreshInverval), + HTTPTimeoutMS = emqx:get_env(crl_cache_http_timeout, ?HTTP_TIMEOUT), + #{ urls => URLs + , refresh_interval => RefreshIntervalMS + , http_timeout => HTTPTimeoutMS + }. diff --git a/test/emqx_crl_cache_SUITE.erl b/test/emqx_crl_cache_SUITE.erl index 4c282a376..da5b0a17f 100644 --- a/test/emqx_crl_cache_SUITE.erl +++ b/test/emqx_crl_cache_SUITE.erl 
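Review bot: `handle_cast(refresh_config, State0)` only starts or restarts timers for the URLs that `gather_config()` returns. Entries already in `refresh_timers` for URLs that were removed from the listener config are left in place and appear to keep being fetched on every interval. The clause should cancel and drop those timers before the fold, as sketched below. Whether the cached CRL for a removed URL should also be evicted is a separate decision worth a comment. This assumes timers are only ever keyed by configured URLs and that the key type matches; the record spec says `binary()` while `gather_config/0` is specced as `[string()]`, which needs confirming. `MinimumRefreshInverval` in `gather_config/0` is a typo for "Interval".

```erlang
handle_cast(refresh_config, State0 = #state{refresh_timers = RefreshTimers0}) ->
    %% … unchanged: #{urls := URLs, …} = gather_config() …
    %% stop refreshing URLs that are no longer configured
    Stale = maps:without(URLs, RefreshTimers0),
    lists:foreach(fun emqx_misc:cancel_timer/1, maps:values(Stale)),
    State1 = State0#state{ refresh_timers = maps:with(URLs, RefreshTimers0)
                         , refresh_interval = RefreshIntervalMS
                         , http_timeout = HTTPTimeoutMS
                         },
    State = lists:foldl(fun(URL, Acc) -> ensure_timer(URL, Acc, 0) end,
                        State1,
                        URLs),
    %% … unchanged: ?tp(crl_cache_refresh_config, …) and the return value …
```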
@@ -56,6 +56,29 @@ init_per_testcase(t_not_cached_and_unreachable, Config) -> [ {crl_pem, CRLPem} , {crl_der, CRLDer} | Config]; +init_per_testcase(t_refresh_config, Config) -> + DataDir = ?config(data_dir, Config), + CRLFile = filename:join([DataDir, "crl.pem"]), + {ok, CRLPem} = file:read_file(CRLFile), + [{'CertificateList', CRLDer, not_encrypted}] = public_key:pem_decode(CRLPem), + TestPid = self(), + ok = meck:new(emqx_crl_cache, [non_strict, passthrough, no_history, no_link]), + meck:expect(emqx_crl_cache, http_get, + fun(URL, _HTTPTimeout) -> + TestPid ! {http_get, URL}, + {ok, {{"HTTP/1.0", 200, 'OK'}, [], CRLPem}} + end), + OldListeners = emqx:get_env(listeners), + OldRefreshInterval = emqx:get_env(crl_cache_refresh_interval), + OldHTTPTimeout = emqx:get_env(crl_cache_http_timeout), + ok = setup_crl_options(Config, #{is_cached => false}), + [ {crl_pem, CRLPem} + , {crl_der, CRLDer} + , {old_configs, [ {listeners, OldListeners} + , {crl_cache_refresh_interval, OldRefreshInterval} + , {crl_cache_http_timeout, OldHTTPTimeout} + ]} + | Config]; init_per_testcase(_TestCase, Config) -> DataDir = ?config(data_dir, Config), CRLFile = filename:join([DataDir, "crl.pem"]), @@ -86,6 +109,7 @@ end_per_testcase(TestCase, Config) ]), application:stop(cowboy), clear_crl_cache(), + ok = snabbkaffe:stop(), ok; end_per_testcase(t_not_cached_and_unreachable, _Config) -> emqx_ct_helpers:stop_apps([]), 
@@ -95,10 +119,34 @@ end_per_testcase(t_not_cached_and_unreachable, _Config) -> ]} ]), clear_crl_cache(), + ok = snabbkaffe:stop(), + ok; +end_per_testcase(t_refresh_config, Config) -> + OldConfigs = ?config(old_configs, Config), + meck:unload([emqx_crl_cache]), + emqx_ct_helpers:stop_apps([]), + emqx_ct_helpers:change_emqx_opts( + ssl_twoway, [ {crl_options, [ {crl_check_enabled, false} + , {crl_cache_urls, []} + ]} + ]), + clear_crl_cache(), + lists:foreach( + fun({Key, MValue}) -> + case MValue of + undefined -> ok; + Value -> application:set_env(emqx, Key, Value) + end + end, + OldConfigs), + application:stop(cowboy), + clear_crl_cache(), + ok = snabbkaffe:stop(), ok; end_per_testcase(_TestCase, _Config) -> meck:unload([emqx_crl_cache]), clear_crl_cache(), + ok = snabbkaffe:stop(), ok. %%-------------------------------------------------------------------- 
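Review bot: The restore loop in `end_per_testcase(t_refresh_config, Config)` skips keys whose saved value was `undefined`. If `crl_cache_refresh_interval` or `crl_cache_http_timeout` was unset before the test, the values the test writes with `application:set_env/3` stay in the environment for later cases. Replacing the no-op branch with `undefined -> application:unset_env(emqx, Key);` restores the original state in both situations.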
@@ -422,6 +470,44 @@ t_filled_cache(Config) -> emqtt:disconnect(C), ok. +t_refresh_config(_Config) -> + URLs = [ "http://localhost:9878/some.crl.pem" + , "http://localhost:9878/another.crl.pem" + ], + SortedURLs = lists:sort(URLs), + emqx_ct_helpers:change_emqx_opts( + ssl_twoway, [ {crl_options, [ {crl_check_enabled, true} + , {crl_cache_urls, URLs} + ]} + ]), + %% has to be more than 1 minute + NewRefreshInterval = timer:seconds(64), + NewHTTPTimeout = timer:seconds(7), + application:set_env(emqx, crl_cache_refresh_interval, NewRefreshInterval), + application:set_env(emqx, crl_cache_http_timeout, NewHTTPTimeout), + ?check_trace( + ?wait_async_action( + emqx_crl_cache:refresh_config(), + #{?snk_kind := crl_cache_refresh_config}, + _Timeout = 10_000), + fun(Res, Trace) -> + ?assertMatch({ok, {ok, _}}, Res), + ?assertMatch( + [#{ urls := SortedURLs + , refresh_interval := NewRefreshInterval + , http_timeout := NewHTTPTimeout + }], + ?of_kind(crl_cache_refresh_config, Trace), + #{ expected => #{ urls => SortedURLs + , refresh_interval => NewRefreshInterval + , http_timeout => NewHTTPTimeout + } + }), + ?assertEqual(SortedURLs, ?projection(url, ?of_kind(crl_cache_ensure_timer, Trace))), + ok + end), + ok. + %% If the CRL is not cached when the client tries to connect and the %% CRL server is unreachable, the client will be denied connection. t_not_cached_and_unreachable(Config) -> From dfa3f4b5f775b72a7ef60de90e787959ffc55b69 Mon Sep 17 00:00:00 2001 From: zhongwencool Date: Mon, 14 Nov 2022 09:26:48 +0800 Subject: [PATCH 09/28] chore: apply suggestions from code review Co-authored-by: Zaiming (Stone) Shi --- changes/v4.3.22-en.md | 2 +- changes/v4.3.22-zh.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/changes/v4.3.22-en.md b/changes/v4.3.22-en.md index c11ea3718..a625bf323 100644 --- a/changes/v4.3.22-en.md +++ b/changes/v4.3.22-en.md 
@@ -3,7 +3,7 @@ ## Enhancements -- Make sure listener's tls_versions is `[tlsv1,tlsv1.1,tlsv1.2,tlsv1.3]` [#9260](https://github.com/emqx/emqx/pull/9260). +- Make sure listener's `tls_versions` config value is one or more of `tlsv1`, `tlsv1.1`, `tlsv1.2`, `tlsv1.3` [#9260](https://github.com/emqx/emqx/pull/9260). - Remove useless information from the dashboard listener failure log [#9260](https://github.com/emqx/emqx/pull/9260). diff --git a/changes/v4.3.22-zh.md b/changes/v4.3.22-zh.md index fc78c6985..758b31547 100644 --- a/changes/v4.3.22-zh.md +++ b/changes/v4.3.22-zh.md @@ -2,7 +2,7 @@ ## 增强 -- 确证监听器的 tls_versions 为 `[tlsv1,tlsv1.1,tlsv1.2,tlsv1.3]` [#9260](https://github.com/emqx/emqx/pull/9260). +- 检查监听器的 `tls_versions` 配置值是 `tlsv1`,`tlsv1.1`,`tlsv1.2`,`tlsv1.3` 中的一个或多个组合 [#9260](https://github.com/emqx/emqx/pull/9260)。 - 删除 Dashboard 监听器失败时日志中的无用信息 [#9260](https://github.com/emqx/emqx/pull/9260). From a48c75594e5427b8c0717188be1fd2a3962a4906 Mon Sep 17 00:00:00 2001 From: "Zaiming (Stone) Shi" Date: Mon, 14 Nov 2022 08:49:03 +0100 Subject: [PATCH 10/28] ci: ensure github checkout@v1 and checkout@v2 fetch full history for release builds, alwasy fetch full history otherwise the old tags will not be found resulting in no relup generated --- .github/workflows/build_packages.yaml | 1 + .github/workflows/build_slim_packages.yaml | 4 ++++ .github/workflows/release.yaml | 4 ++++ 3 files changed, 9 insertions(+) diff --git a/.github/workflows/build_packages.yaml b/.github/workflows/build_packages.yaml index 38c1ea472..4d82c4f0e 100644 --- a/.github/workflows/build_packages.yaml +++ b/.github/workflows/build_packages.yaml @@ -29,6 +29,7 @@ jobs: - uses: actions/checkout@v3 with: path: source + fetch-depth: 0 # clone full git history - name: detect-profiles id: detect-profiles uses: ./source/.github/actions/detect-profiles diff --git a/.github/workflows/build_slim_packages.yaml b/.github/workflows/build_slim_packages.yaml index c542e0197..65f3c760d 100644 
--- a/.github/workflows/build_slim_packages.yaml +++ b/.github/workflows/build_slim_packages.yaml @@ -34,6 +34,8 @@ jobs: # keep using v1 for now as the otp-23 image has an old version git # TODO: change to v3 after OTP is upgraded to 23.3.4.18-1 - uses: actions/checkout@v1 + with: + fetch-depth: 0 # clone full git history - name: fix-git-unsafe-repository run: git config --global --add safe.directory /__w/emqx/emqx - uses: ./.github/actions/detect-profiles @@ -79,6 +81,8 @@ jobs: runs-on: ${{ matrix.os }} steps: - uses: actions/checkout@v3 + with: + fetch-depth: 0 # clone full git history - name: ensure access to github if: endsWith(github.repository, 'enterprise') run: | diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c7446eaa1..c8065cd0c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -14,6 +14,8 @@ jobs: steps: - uses: actions/checkout@v3 + with: + fetch-depth: 0 # clone full git history - id: detect-profiles uses: ./.github/actions/detect-profiles @@ -55,6 +57,8 @@ jobs: -d "{\"repo\":\"emqx/emqx\", \"tag\": \"${{ github.ref_name }}\" }" \ ${{ secrets.EMQX_IO_RELEASE_API }} - uses: actions/checkout@v3 + with: + fetch-depth: 0 # clone full git history - name: get version id: version run: echo "version=$(./pkg-vsn.sh)" >> $GITHUB_OUTPUT From e667b564d83129710d951e1165fb48d442a320d0 Mon Sep 17 00:00:00 2001 From: "Zaiming (Stone) Shi" Date: Mon, 14 Nov 2022 10:10:34 +0100 Subject: [PATCH 11/28] docs: add a comment to .ci/build_packages/Dockerfile --- .ci/build_packages/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/.ci/build_packages/Dockerfile b/.ci/build_packages/Dockerfile index b56cb5220..e979adfb3 100644 --- a/.ci/build_packages/Dockerfile +++ b/.ci/build_packages/Dockerfile @@ -1,4 +1,5 @@ ARG BUILD_FROM=emqx/build-env:erl23.3.4.9-3-ubuntu20.04 +# This Dockerfile is only used for EMQX 4.3, no need to update for 4.4 or later FROM ${BUILD_FROM} ARG EMQX_NAME=emqx 
From 7b5340ce094d08981b8170f20a1474d7634d75f2 Mon Sep 17 00:00:00 2001 From: JimMoen Date: Mon, 14 Nov 2022 17:55:17 +0800 Subject: [PATCH 12/28] fix(api): uppercase api request method --- apps/emqx_management/src/emqx_mgmt_http.erl | 5 ++++- lib-ce/emqx_dashboard/src/emqx_dashboard.erl | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/apps/emqx_management/src/emqx_mgmt_http.erl b/apps/emqx_management/src/emqx_mgmt_http.erl index 57c54ed3f..99263fbfd 100644 --- a/apps/emqx_management/src/emqx_mgmt_http.erl +++ b/apps/emqx_management/src/emqx_mgmt_http.erl @@ -124,7 +124,10 @@ handle_request(_Method, _Path, Req) -> cowboy_req:reply(400, #{<<"content-type">> => <<"text/plain">>}, <<"Not found.">>, Req). authorize_appid(Req) -> - authorize_appid(cowboy_req:method(Req), cowboy_req:path(Req), Req). + authorize_appid( + iolist_to_binary(string:uppercase(cowboy_req:method(Req))), + iolist_to_binary(cowboy_req:path(Req)), + Req). authorize_appid(<<"GET">>, <<"/api/v4/emqx_prometheus">>, _Req) -> true; diff --git a/lib-ce/emqx_dashboard/src/emqx_dashboard.erl b/lib-ce/emqx_dashboard/src/emqx_dashboard.erl index 3ad0694c4..fa3f0e7df 100644 --- a/lib-ce/emqx_dashboard/src/emqx_dashboard.erl +++ b/lib-ce/emqx_dashboard/src/emqx_dashboard.erl @@ -107,7 +107,10 @@ http_handlers() -> %%-------------------------------------------------------------------- is_authorized(Req) -> - is_authorized(cowboy_req:method(Req), cowboy_req:path(Req), Req). + is_authorized( + iolist_to_binary(string:uppercase(cowboy_req:method(Req))), + iolist_to_binary(cowboy_req:path(Req)), + Req). is_authorized(<<"GET">>, <<"/api/v4/emqx_prometheus">>, _Req) -> true; From 5df513f277961c4af4223dc7b9f2e2c296e2e4f7 Mon Sep 17 00:00:00 2001 
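Review bot: The upper-cased method is used only for the authorization match in `authorize_appid/1`, and `is_authorized/1` in `emqx_dashboard.erl` has the same change. The code that routes the request lies outside both hunks; if it matches on the raw `cowboy_req:method(Req)`, the check and the dispatch can disagree about which operation was authorized. Normalising once where the request enters and passing that same binary to both would keep them aligned. `cowboy_req:path/1` already returns a binary, so the `iolist_to_binary/1` around it normalises nothing and the `<<"/api/v4/emqx_prometheus">>` exemption stays a byte-exact comparison. A comment such as `%% method is upper-cased so the unauthenticated GET exemption matches case-insensitively; the path is compared verbatim` would record that, and the commit adds no test for a lower-case method.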
From: Thales Macedo Garitezi Date: Mon, 14 Nov 2022 09:57:04 -0300 Subject: [PATCH 13/28] refactor: flatten crl_cache config namespace into root --- etc/emqx.conf | 4 ++-- priv/emqx.schema | 6 +++--- test/emqx_crl_cache_SUITE.erl | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/emqx.conf b/etc/emqx.conf index 2303402d3..fc7ffa3cf 100644 --- a/etc/emqx.conf +++ b/etc/emqx.conf @@ -1566,14 +1566,14 @@ listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem ## ## Value: Duration ## Default: 15 s -## crl_cache.http_timeout = 15s +## crl_cache_http_timeout = 15s ## The period to refresh the CRLs from the servers. This is global ## for all URLs and listeners. ## ## Value: Duration ## Default: 15 m -## crl_cache.refresh_interval = 15m +## crl_cache_refresh_interval = 15m ## The Ephemeral Diffie-Helman key exchange is a very effective way of ## ensuring Forward Secrecy by exchanging a set of keys that never hit diff --git a/priv/emqx.schema b/priv/emqx.schema index 3fa61d490..0462b0898 100644 --- a/priv/emqx.schema +++ b/priv/emqx.schema @@ -1712,12 +1712,12 @@ end}. {datatype, string} ]}. -{mapping, "crl_cache.http_timeout", "emqx.crl_cache_http_timeout", [ +{mapping, "crl_cache_http_timeout", "emqx.crl_cache_http_timeout", [ {default, "15s"}, {datatype, {duration, ms}} ]}. -{mapping, "crl_cache.refresh_interval", "emqx.crl_cache_refresh_interval", [ +{mapping, "crl_cache_refresh_interval", "emqx.crl_cache_refresh_interval", [ {default, "15m"}, {datatype, {duration, ms}} ]}. @@ -2339,7 +2339,7 @@ end}. end, CRLCheck = case cuttlefish:conf_get(Prefix ++ ".enable_crl_check", Conf, false) of true -> - HTTPTimeout = cuttlefish:conf_get("crl_cache.http_timeout", Conf, timer:seconds(15)), + HTTPTimeout = cuttlefish:conf_get("crl_cache_http_timeout", Conf, timer:seconds(15)), %% {crl_check, true} doesn't work [ {crl_check, peer} , {crl_cache, {ssl_crl_cache, {internal, [{http, HTTPTimeout}]}}} 
diff --git a/test/emqx_crl_cache_SUITE.erl b/test/emqx_crl_cache_SUITE.erl index da5b0a17f..db1fc2ff2 100644 --- a/test/emqx_crl_cache_SUITE.erl +++ b/test/emqx_crl_cache_SUITE.erl @@ -124,6 +124,7 @@ end_per_testcase(t_not_cached_and_unreachable, _Config) -> end_per_testcase(t_refresh_config, Config) -> OldConfigs = ?config(old_configs, Config), meck:unload([emqx_crl_cache]), + clear_crl_cache(), emqx_ct_helpers:stop_apps([]), emqx_ct_helpers:change_emqx_opts( ssl_twoway, [ {crl_options, [ {crl_check_enabled, false} @@ -140,7 +141,6 @@ end_per_testcase(t_refresh_config, Config) -> end, OldConfigs), application:stop(cowboy), - clear_crl_cache(), ok = snabbkaffe:stop(), ok; end_per_testcase(_TestCase, _Config) -> From 92d80b5e55b23b1cf3d7d4d5836ccfb83f1d5f21 Mon Sep 17 00:00:00 2001 From: Thales Macedo Garitezi Date: Mon, 14 Nov 2022 15:08:30 -0300 Subject: [PATCH 14/28] fix(crl): correct return for `handle_cast(refresh_config)` --- src/emqx_crl_cache.erl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/emqx_crl_cache.erl b/src/emqx_crl_cache.erl index 957890f46..4fabd3c1b 100644 --- a/src/emqx_crl_cache.erl +++ b/src/emqx_crl_cache.erl @@ -128,7 +128,7 @@ handle_cast(refresh_config, State0) -> , http_timeout => HTTPTimeoutMS , urls => URLs }), - State; + {noreply, State}; handle_cast(_Cast, State) -> {noreply, State}. From 949916fc1c1f5b413bcfaf718ef45f9ccf943c12 Mon Sep 17 00:00:00 2001 From: "Zaiming (Stone) Shi" Date: Mon, 14 Nov 2022 19:51:52 +0100 Subject: [PATCH 15/28] ci: use self-hosted for all Erlang tests prepare, proper, eunit, ct and cover --- .github/workflows/run_test_cases.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/run_test_cases.yaml b/.github/workflows/run_test_cases.yaml index 04045ac42..b68742b29 100644 --- a/.github/workflows/run_test_cases.yaml +++ b/.github/workflows/run_test_cases.yaml 
@@ -11,7 +11,7 @@ on: jobs: prepare: - runs-on: ubuntu-20.04 + runs-on: aws-amd64 container: emqx/build-env:erl23.3.4.9-3-ubuntu20.04 outputs: fast_ct_apps: ${{ steps.run_find_apps.outputs.fast_ct_apps }} @@ -40,6 +40,7 @@ jobs: - name: get_all_deps working-directory: source run: | + git config --global --add safe.directory $(pwd) # build the default profile for two purposes # 1. download all dependencies (so the individual app runs do not depend on github credentials) # 2. some of the files such as segmented config files are not created when compiling only the test profile @@ -55,7 +56,7 @@ jobs: eunit_and_proper: needs: prepare - runs-on: ubuntu-20.04 + runs-on: aws-amd64 container: emqx/build-env:erl23.3.4.9-3-ubuntu20.04 strategy: fail-fast: false @@ -83,7 +84,7 @@ jobs: fast_ct: needs: prepare - runs-on: ubuntu-20.04 + runs-on: ${{ matrix.runs-on }} container: emqx/build-env:erl23.3.4.9-3-ubuntu20.04 strategy: fail-fast: false @@ -246,7 +247,7 @@ jobs: - eunit_and_proper - fast_ct - docker_ct - runs-on: ubuntu-20.04 + runs-on: aws-amd64 container: emqx/build-env:erl23.3.4.9-3-ubuntu20.04 steps: - uses: AutoModality/action-clean@v1 @@ -276,7 +277,7 @@ jobs: finish: needs: make_cover - runs-on: ubuntu-20.04 + runs-on: aws-amd64 steps: - name: Coveralls Finished env: From 2b22ff0710c1fbbc4f17af839676d3fff885ca57 Mon Sep 17 00:00:00 2001 From: "Zaiming (Stone) Shi" Date: Mon, 14 Nov 2022 20:11:50 +0100 Subject: [PATCH 16/28] ci: ensure github action workspace is clear --- .github/workflows/run_test_cases.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/run_test_cases.yaml b/.github/workflows/run_test_cases.yaml index b68742b29..ea30902bc 100644 --- a/.github/workflows/run_test_cases.yaml +++ b/.github/workflows/run_test_cases.yaml 
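Review bot: The switch from `runs-on: ubuntu-20.04` to `runs-on: aws-amd64` in `prepare` (and in `eunit_and_proper`, the cover job and `finish` further down) moves jobs that build and run repository code onto self-hosted machines, while the workflow's triggers sit outside the hunk. If this workflow runs for pull requests from forks, untrusted code executes on infrastructure that may persist between jobs, so confirm the runners are ephemeral or that fork PRs need approval before running. `finish` shows no `container:` in the visible lines, so it appears to run directly on the host. In `fast_ct`, `runs-on: ${{ matrix.runs-on }}` depends on a matrix key that this hunk does not show. The added `git config` line should quote the substitution: `git config --global --add safe.directory "$(pwd)"`.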
@@ -17,6 +17,7 @@ jobs: fast_ct_apps: ${{ steps.run_find_apps.outputs.fast_ct_apps }} docker_ct_apps: ${{ steps.run_find_apps.outputs.docker_ct_apps }} steps: + - uses: AutoModality/action-clean@v1 - uses: actions/checkout@v3 with: path: source From 4f029472221c2ac5bb94f1acca315afe9fabd3ca Mon Sep 17 00:00:00 2001 From: "Zaiming (Stone) Shi" Date: Tue, 15 Nov 2022 13:16:20 +0100 Subject: [PATCH 17/28] fix(conf): add crl related config default values in conf --- etc/emqx.conf | 4 ++-- priv/emqx.schema | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/emqx.conf b/etc/emqx.conf index 0a7e67bba..bcd2a67c5 100644 --- a/etc/emqx.conf +++ b/etc/emqx.conf @@ -1566,14 +1566,14 @@ listener.ssl.external.cacertfile = {{ platform_etc_dir }}/certs/cacert.pem ## ## Value: Duration ## Default: 15 s -## crl_cache_http_timeout = 15s +crl_cache_http_timeout = 15s ## The period to refresh the CRLs from the servers. This is global ## for all URLs and listeners. ## ## Value: Duration ## Default: 15 m -## crl_cache_refresh_interval = 15m +crl_cache_refresh_interval = 15m ## The Ephemeral Diffie-Helman key exchange is a very effective way of ## ensuring Forward Secrecy by exchanging a set of keys that never hit diff --git a/priv/emqx.schema b/priv/emqx.schema index 9e42362b2..432f56093 100644 --- a/priv/emqx.schema +++ b/priv/emqx.schema @@ -1698,7 +1698,7 @@ end}. ]}. {mapping, "listener.ssl.$name.ocsp_refresh_http_timeout", "emqx.listeners", [ - {default, "15000ms"}, + {default, "15s"}, {datatype, {duration, ms}} ]}. From e4a3dd9ee8e53c325da59c8c3b02b067305256b4 Mon Sep 17 00:00:00 2001 From: Shawn <506895667@qq.com> Date: Tue, 15 Nov 2022 21:07:01 +0800 Subject: [PATCH 18/28] fix: enlarge the timeout when check alive of resources --- apps/emqx_rule_engine/src/emqx_rule_engine.erl | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
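Review bot: The added step `- uses: AutoModality/action-clean@v1` in `prepare` references a third-party action by a mutable tag, and since the preceding commit this job runs on the self-hosted `aws-amd64` runner. Whoever can move that tag changes what executes on the runner, so pin it to a reviewed commit: `- uses: AutoModality/action-clean@<full-commit-sha> # v1` (placeholder; the SHA is not on this page). The same tag reference is visible as context in the cover job of the preceding commit and would need the same pin.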
diff --git a/apps/emqx_rule_engine/src/emqx_rule_engine.erl b/apps/emqx_rule_engine/src/emqx_rule_engine.erl index 0f62a2ac7..69f39335c 100644 --- a/apps/emqx_rule_engine/src/emqx_rule_engine.erl +++ b/apps/emqx_rule_engine/src/emqx_rule_engine.erl @@ -95,6 +95,8 @@ end end()). +-define(GET_RES_ALIVE_TIMEOUT, 60000). + %%------------------------------------------------------------------------------ %% Load resource/action providers from all available applications %%------------------------------------------------------------------------------ @@ -405,7 +407,7 @@ is_resource_alive(Nodes, ResId, _Opts = #{fetch := true}) -> {ok, #resource_type{on_status = {Mod, OnStatus}}} = emqx_rule_registry:find_resource_type(ResType), case rpc:multicall(Nodes, - ?MODULE, fetch_resource_status, [Mod, OnStatus, ResId], 5000) of + ?MODULE, fetch_resource_status, [Mod, OnStatus, ResId], ?GET_RES_ALIVE_TIMEOUT) of {ResL, []} -> is_resource_alive_(ResL); {_, _Error} -> @@ -420,7 +422,7 @@ is_resource_alive(Nodes, ResId, _Opts = #{fetch := true}) -> end; is_resource_alive(Nodes, ResId, _Opts = #{fetch := false}) -> try - case rpc:multicall(Nodes, ?MODULE, get_resource_status, [ResId], 5000) of + case rpc:multicall(Nodes, ?MODULE, get_resource_status, [ResId], ?GET_RES_ALIVE_TIMEOUT) of {ResL, []} -> is_resource_alive_(ResL); {_, _Errors} -> From c0674001fbbf4e157da06e6b524f3eba1d66158e Mon Sep 17 00:00:00 2001 From: Ivan Dyachkov Date: Mon, 14 Nov 2022 12:42:57 +0100 Subject: [PATCH 19/28] chore(sync from ee): sign extra binaries on macos when packaging --- scripts/macos-sign-binaries.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/macos-sign-binaries.sh b/scripts/macos-sign-binaries.sh index 7be40f621..384744b2a 100755 --- a/scripts/macos-sign-binaries.sh +++ b/scripts/macos-sign-binaries.sh 
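Review bot: `-define(GET_RES_ALIVE_TIMEOUT, 60000).` is a bare literal with no unit or rationale, and both `rpc:multicall` calls in `is_resource_alive/3` can now hold their caller for up to a minute when a node does not answer. If these calls are reachable from an HTTP handler, an unresponsive node ties up request processes twelve times longer than before, so consider reading the value from configuration. At minimum spell out the unit and intent: `-define(GET_RES_ALIVE_TIMEOUT, timer:seconds(60)). %% upper bound for the resource status multicall`. The first clause of `is_resource_alive/3` starts before its hunk and both clauses continue past theirs.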
@@ -42,11 +42,11 @@ for keychain in ${keychains}; do done security -v list-keychains -s "${keychain_names[@]}" "${KEYCHAIN}" -# sign +# known runtime executables and binaries codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/erts-*/bin/{beam.smp,dyn_erl,epmd,erl,erl_call,erl_child_setup,erlexec,escript,heart,inet_gethost,run_erl,to_erl} -codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/asn1-*/priv/lib/asn1rt_nif.so -codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/bcrypt-*/priv/bcrypt_nif.so -codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/crypto-*/priv/lib/{crypto.so,otp_test_engine.so} -codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/jiffy-*/priv/jiffy.so -codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/os_mon-*/priv/bin/{cpu_sup,memsup} codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/runtime_tools-*/priv/lib/{dyntrace.so,trace_ip_drv.so,trace_file_drv.so} +codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime "${REL_DIR}"/lib/os_mon-*/priv/bin/{cpu_sup,memsup} +# other files from runtime and dependencies +for f in asn1rt_nif.so bcrypt_nif.so crypto.so otp_test_engine.so crypto_callback.so jiffy.so crc32cer_nif.so sasl_auth.so snappyer.so odbcserver; do + find "${REL_DIR}"/lib/ -name "$f" -exec codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime {} \; +done From f8439383641b750dd883e98962df637b1c4d89bd Mon Sep 17 00:00:00 2001 
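Review bot: In the new `for f in ...` loop, `find ... -exec codesign ... {} \;` discards codesign's exit status, so a failed signature no longer stops the script the way the removed direct `codesign` calls would under `set -e` (whether the script sets it is outside the hunk). A name that matches no file is also skipped silently, where the old explicit paths would likely have made codesign fail on a missing file. Use the `+` terminator so find propagates a failure: `find "${REL_DIR}"/lib/ -type f -name "$f" -exec codesign -s "${APPLE_DEVELOPER_IDENTITY}" -f --verbose=4 --timestamp --options=runtime {} +`. A `codesign --verify` pass over the release directory afterwards would also catch a native library that is missing from the hard-coded list.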
From: Shawn <506895667@qq.com> Date: Tue, 15 Nov 2022 21:12:02 +0800 Subject: [PATCH 20/28] fix: don't check resource alive for the temporary resources --- .../emqx_rule_engine/src/emqx_rule_engine.erl | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/apps/emqx_rule_engine/src/emqx_rule_engine.erl b/apps/emqx_rule_engine/src/emqx_rule_engine.erl index 69f39335c..72514a320 100644 --- a/apps/emqx_rule_engine/src/emqx_rule_engine.erl +++ b/apps/emqx_rule_engine/src/emqx_rule_engine.erl @@ -96,6 +96,7 @@ end()). -define(GET_RES_ALIVE_TIMEOUT, 60000). +-define(PROBE_RES_PREFIX, "__probe__:"). %%------------------------------------------------------------------------------ %% Load resource/action providers from all available applications @@ -365,7 +366,7 @@ test_resource(#{type := Type} = Params) -> {ok, #resource_type{}} -> %% Resource will be deleted after test. %% Use random resource id, ensure test func will not delete the resource in used. - ResId = resource_id(), + ResId = probe_resource_id(), try case create_resource(maps:put(id, ResId, Params), no_retry) of {ok, _} -> @@ -534,10 +535,15 @@ refresh_rule(#rule{id = RuleId, for = Topics, actions = Actions}) -> refresh_resource_status() -> lists:foreach( fun(#resource{id = ResId, type = ResType}) -> - case emqx_rule_registry:find_resource_type(ResType) of - {ok, #resource_type{on_status = {Mod, OnStatus}}} -> - fetch_resource_status(Mod, OnStatus, ResId); - _ -> ok + case is_prober(ResId) of + false -> + case emqx_rule_registry:find_resource_type(ResType) of + {ok, #resource_type{on_status = {Mod, OnStatus}}} -> + fetch_resource_status(Mod, OnStatus, ResId); + _ -> ok + end; + true -> + ok end end, emqx_rule_registry:get_resources()). 
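Review bot: `refresh_resource_status/0` now skips every resource whose id `is_prober/1` accepts, but nothing in these hunks stops an ordinary resource from being created with an id that starts with `__probe__:`. `create_resource` takes the id from its params (see `maps:put(id, ResId, Params)` in `test_resource/1`), so such a resource would silently never have its status refreshed. Reject the reserved prefix wherever caller-supplied ids are accepted, or track probes by a flag rather than by name. A comment on the macro would help: `%% Reserved id prefix for temporary resources created by test_resource/1; these are never status-refreshed.` The `is_prober/1` pattern in the later hunk is shown as `<>` on this page, so its exact match could not be checked.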
@@ -664,6 +670,9 @@ ignore_lib_apps(Apps) -> resource_id() -> gen_id("resource:", fun emqx_rule_registry:find_resource/1). +probe_resource_id() -> + gen_id(?PROBE_RES_PREFIX, fun emqx_rule_registry:find_resource/1). + rule_id() -> gen_id("rule:", fun emqx_rule_registry:get_rule/1). @@ -814,3 +823,8 @@ find_type(ResId) -> alarm_name_of_resource_down(Type, ResId) -> list_to_binary(io_lib:format("resource/~s/~s/down", [Type, ResId])). + +is_prober(<>) -> + true; +is_prober(_ResId) -> + false. From 039135368efd068a759929d6ce33865dd5c09007 Mon Sep 17 00:00:00 2001 From: Shawn <506895667@qq.com> Date: Wed, 16 Nov 2022 10:22:21 +0800 Subject: [PATCH 21/28] chore: update mongodb-erlang to v3.0.15 --- rebar.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rebar.config b/rebar.config index 26fbf7f8e..e109fe242 100644 --- a/rebar.config +++ b/rebar.config @@ -61,7 +61,7 @@ , {getopt, "1.0.1"} , {snabbkaffe, {git, "https://github.com/kafka4beam/snabbkaffe.git", {tag, "1.0.1"}}} , {lc, {git, "https://github.com/emqx/lc.git", {tag, "0.3.2"}}} - , {mongodb, {git,"https://github.com/emqx/mongodb-erlang", {tag, "v3.0.14"}}} + , {mongodb, {git,"https://github.com/emqx/mongodb-erlang", {tag, "v3.0.15"}}} , {epgsql, {git, "https://github.com/emqx/epgsql.git", {tag, "4.6.0"}}} , {grpc, {git, "https://github.com/emqx/grpc-erl", {tag, "0.6.7"}}} ]}. From 5aa6b6dbb644e54baff4486522652d276a0132de Mon Sep 17 00:00:00 2001 From: Thales Macedo Garitezi Date: Wed, 16 Nov 2022 10:00:47 -0300 Subject: [PATCH 22/28] refactor(alias_enrichment): rename `enrich_clientid_alias` -> `enrich_with_aliases` and `clientid_enrichment_module` ->`alias_enrichment_module` Addresses https://github.com/emqx/emqx-enterprise/pull/1535#discussion_r1022132136 Since it enriches client information with more than just clientid alias. --- priv/emqx.schema | 4 ++-- src/emqx_app.erl | 12 ++++++------ src/emqx_channel.erl | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) 
diff --git a/priv/emqx.schema b/priv/emqx.schema index 432f56093..3b9d13c9b 100644 --- a/priv/emqx.schema +++ b/priv/emqx.schema @@ -852,11 +852,11 @@ end}. {datatype, string} ]}. -%% @doc Specify a module that defines the `enrich_clientid_alias/2' +%% @doc Specify a module that defines the `enrich_with_aliases/2' %% function. This function will be used to enrich the client/channel %% information with clientid and/or common name aliases (or other %% enrichments the module may implement). -{mapping, "clientid_enrichment_module", "emqx.clientid_enrichment_module", [ +{mapping, "alias_enrichment_module", "emqx.alias_enrichment_module", [ {datatype, atom} ]}. diff --git a/src/emqx_app.erl b/src/emqx_app.erl index 5a55a1abd..012386144 100644 --- a/src/emqx_app.erl +++ b/src/emqx_app.erl @@ -26,7 +26,7 @@ ]). %% internal exports for ad-hoc debugging. --export([ set_clientid_enrichment_module/0 +-export([ set_alias_enrichment_module/0 , set_special_auth_module/0 ]). @@ -54,7 +54,7 @@ start(_Type, _Args) -> ok = emqx_plugins:init(), _ = emqx_plugins:load(), _ = start_ce_modules(), - set_clientid_enrichment_module(), + set_alias_enrichment_module(), _ = set_special_auth_module(), register(emqx, self()), print_vsn(), @@ -85,14 +85,14 @@ start_ce_modules() -> ok. -endif. -set_clientid_enrichment_module() -> - case emqx:get_env(clientid_enrichment_module) of +set_alias_enrichment_module() -> + case emqx:get_env(alias_enrichment_module) of undefined -> ok; Mod -> - case erlang:function_exported(Mod, enrich_clientid_alias, 2) of + case erlang:function_exported(Mod, enrich_with_aliases, 2) of true -> - persistent_term:put(clientid_enrichment_module, Mod); + persistent_term:put(alias_enrichment_module, Mod); false -> ok end diff --git a/src/emqx_channel.erl b/src/emqx_channel.erl index 1d726fa89..4cc30c1ad 100644 --- a/src/emqx_channel.erl +++ b/src/emqx_channel.erl 
@@ -313,7 +313,7 @@ handle_in(?CONNECT_PACKET(ConnPkt) = Packet, Channel) -> fun set_log_meta/2, fun check_banned/2, fun count_flapping_event/2, - fun enrich_clientid_alias/2, + fun enrich_with_aliases/2, fun auth_connect/2 ], ConnPkt, Channel#channel{conn_state = connecting}) of {ok, NConnPkt, NChannel = #channel{clientinfo = ClientInfo}} -> @@ -1363,12 +1363,12 @@ check_banned(_ConnPkt, #channel{clientinfo = ClientInfo = #{zone := Zone}}) -> %%-------------------------------------------------------------------- %% Enrich ClientID Alias -enrich_clientid_alias(Packet, Channel) -> - case persistent_term:get(clientid_enrichment_module, undefined) of +enrich_with_aliases(Packet, Channel) -> + case persistent_term:get(alias_enrichment_module, undefined) of undefined -> {ok, Channel}; Mod -> - Mod:enrich_clientid_alias(Packet, Channel) + Mod:enrich_with_aliases(Packet, Channel) end. %%-------------------------------------------------------------------- From 61ac8f6bae9e21455a13cd3c434c10b0a13099b2 Mon Sep 17 00:00:00 2001 
From: Thales Macedo Garitezi Date: Wed, 16 Nov 2022 10:36:49 -0300 Subject: [PATCH 23/28] test: fix broken mod delayed test https://github.com/emqx/emqx/actions/runs/3479575153/jobs/5818370291#step:8:309 ``` %%% emqx_mod_delayed_SUITE ==> init_per_suite: FAILED %%% emqx_mod_delayed_SUITE ==> {{failed_to_start_app,emqx_modules, {emqx_modules, {bad_return, {{emqx_modules_app,start,[normal,[]]}, {'EXIT', {function_clause, [{proplists,get_value, [acl_file,undefined,undefined], [{file,"proplists.erl"},{line,216}]}, {emqx_mod_acl_internal,load,1, [{file, "/__w/emqx/emqx/source/lib-ce/emqx_modules/src/emqx_mod_acl_internal.erl"}, {line,46}]}, {emqx_modules,load_module,2, [{file, "/__w/emqx/emqx/source/lib-ce/emqx_modules/src/emqx_modules.erl"}, {line,157}]}, {lists,foreach,2,[{file,"lists.erl"},{line,1342}]}, {emqx_modules_app,start,2, [{file, "/__w/emqx/emqx/source/lib-ce/emqx_modules/src/emqx_modules_app.erl"}, {line,30}]}, {application_master,start_it_old,4, [{file,"application_master.erl"}, {line,293}]}]}}}}}}, [{emqx_ct_helpers,start_app,4, [{file, "/__w/emqx/emqx/source/_build/test/lib/emqx_ct_helpers/src/emqx_ct_helpers.erl"}, {line,99}]}, {lists,foreach,2,[{file,"lists.erl"},{line,1342}]}, {emqx_mod_delayed_SUITE,init_per_suite,1, [{file, "/__w/emqx/emqx/source/lib-ce/emqx_modules/test/emqx_mod_delayed_SUITE.erl"}, {line,38}]}, {test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]}, {test_server,run_test_case_eval1,6,[{file,"test_server.erl"},{line,1380}]}, {test_server,run_test_case_eval,9,[{file,"test_server.erl"},{line,1224}]}]} ``` --- lib-ce/emqx_modules/test/emqx_mod_delayed_SUITE.erl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib-ce/emqx_modules/test/emqx_mod_delayed_SUITE.erl b/lib-ce/emqx_modules/test/emqx_mod_delayed_SUITE.erl index cf0399210..e2341dddc 100644 --- a/lib-ce/emqx_modules/test/emqx_mod_delayed_SUITE.erl +++ b/lib-ce/emqx_modules/test/emqx_mod_delayed_SUITE.erl 
@@ -42,7 +42,9 @@ end_per_suite(_) -> emqx_ct_helpers:stop_apps([emqx_modules]). set_special_configs(emqx) -> - application:set_env(emqx, modules, [{emqx_mod_delayed, []}]), + AclFilePath = filename:join(["test", "emqx_SUITE_data", "acl.conf"]), + application:set_env(emqx, modules, [{emqx_mod_delayed, []}, + {emqx_mod_acl_internal, [{acl_file, AclFilePath}]}]), application:set_env(emqx, allow_anonymous, false), application:set_env(emqx, enable_acl_cache, false); set_special_configs(_App) -> From 252b03abd86996a9236390f91bf09edcfe483dc1 Mon Sep 17 00:00:00 2001 From: Shawn <506895667@qq.com> Date: Thu, 17 Nov 2022 10:23:33 +0800 Subject: [PATCH 24/28] fix: generating alarm name for utf8 resource id failed --- .../emqx_rule_engine/src/emqx_rule_engine.erl | 2 +- .../test/emqx_rule_engine_SUITE.erl | 25 +++++++++++++------ 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/apps/emqx_rule_engine/src/emqx_rule_engine.erl b/apps/emqx_rule_engine/src/emqx_rule_engine.erl index 72514a320..c9f32b962 100644 --- a/apps/emqx_rule_engine/src/emqx_rule_engine.erl +++ b/apps/emqx_rule_engine/src/emqx_rule_engine.erl @@ -822,7 +822,7 @@ find_type(ResId) -> {ok, Type}. alarm_name_of_resource_down(Type, ResId) -> - list_to_binary(io_lib:format("resource/~s/~s/down", [Type, ResId])). + unicode:characters_to_binary(io_lib:format("resource/~ts/~ts/down", [Type, ResId])). is_prober(<>) -> true; diff --git a/apps/emqx_rule_engine/test/emqx_rule_engine_SUITE.erl b/apps/emqx_rule_engine/test/emqx_rule_engine_SUITE.erl index b8ee6b981..ed327a987 100644 --- a/apps/emqx_rule_engine/test/emqx_rule_engine_SUITE.erl +++ b/apps/emqx_rule_engine/test/emqx_rule_engine_SUITE.erl @@ -62,7 +62,8 @@ groups() -> t_create_rule, t_reset_metrics, t_reset_metrics_fallbacks, - t_create_resource + t_create_resource, + t_clean_resource_alarms ]}, {actions, [], [t_inspect_action 
@@ -307,21 +308,29 @@ t_create_resource(_Config) -> ok. t_clean_resource_alarms(_Config) -> + lists:foreach(fun(ResId) -> + clean_resource_alarms(ResId) + end, [<<"abc">>, <<"哈喽"/utf8>>]). + +clean_resource_alarms(ResId) -> + emqx_rule_registry:register_resource_types( + [make_simple_debug_resource_type()]), ok = emqx_rule_engine:load_providers(), {ok, #resource{id = ResId}} = emqx_rule_engine:create_resource( - #{type => built_in, + #{id => ResId, + type => built_in, config => #{}, description => <<"debug resource">>}), - ?assert(true, is_binary(ResId)), Name = emqx_rule_engine:alarm_name_of_resource_down(ResId, built_in), _ = emqx_alarm:activate(Name, #{id => ResId, type => built_in}), AlarmExist = fun(#{name := AName}) -> AName == Name end, - Len = length(lists:filter(AlarmExist, emqx_alarm:get_alarms())), - ?assert(Len == 1), + Len = length(lists:filter(AlarmExist, emqx_alarm:get_alarms(activated))), + ?assertEqual(1, Len), + emqx_rule_engine:ensure_resource_deleted(ResId), + emqx_alarm:deactivate(Name), + LenAfterRemove = length(lists:filter(AlarmExist, emqx_alarm:get_alarms(activated))), + ?assertEqual(0, LenAfterRemove), ok = emqx_rule_engine:unload_providers(), - emqx_rule_registry:remove_resource(ResId), - LenAfterRemove = length(lists:filter(AlarmExist, emqx_alarm:get_alarms())), - ?assert(LenAfterRemove == 0), ok. %%------------------------------------------------------------------------------ From 854836a4c150fc622b402937cb74b024c2f9506c Mon Sep 17 00:00:00 2001 From: "Zaiming (Stone) Shi" Date: Wed, 23 Nov 2022 22:46:37 +0100 Subject: [PATCH 25/28] chore: bump version to v4.3.22-rc.1 --- include/emqx_release.hrl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/emqx_release.hrl b/include/emqx_release.hrl index e7d50d7fc..72d791eb3 100644 --- a/include/emqx_release.hrl +++ b/include/emqx_release.hrl 
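Review bot: `clean_resource_alarms/1` does not show that deleting a resource clears its alarm, because it calls `emqx_alarm:deactivate(Name)` itself right after `emqx_rule_engine:ensure_resource_deleted(ResId)`, so the final `?assertEqual(0, LenAfterRemove)` passes whatever the engine does. The name is also built with swapped arguments, `alarm_name_of_resource_down(ResId, built_in)`, while the function in the same commit is defined as `alarm_name_of_resource_down(Type, ResId)`, so the alarm activated here is not the one the engine would raise for this resource. Suggested: `Name = emqx_rule_engine:alarm_name_of_resource_down(built_in, ResId),` and drop the explicit `emqx_alarm:deactivate(Name),` if deletion is meant to clear the alarm.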
@@ -29,7 +29,7 @@ -ifndef(EMQX_ENTERPRISE). --define(EMQX_RELEASE, {opensource, "4.3.22-alpha.1"}). +-define(EMQX_RELEASE, {opensource, "4.3.22-rc.1"}). -else. From f55e7612ea1e66be1f3eb6d4d90d7aecb3d53d4c Mon Sep 17 00:00:00 2001 From: firest Date: Thu, 24 Nov 2022 18:34:41 +0800 Subject: [PATCH 26/28] chore: update changes --- changes/v4.3.22-en.md | 2 +- changes/v4.3.22-zh.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/changes/v4.3.22-en.md b/changes/v4.3.22-en.md index a625bf323..cb9b242e2 100644 --- a/changes/v4.3.22-en.md +++ b/changes/v4.3.22-en.md @@ -72,7 +72,7 @@ - Make sure Rule-Engine API supports Percent-encoding `rule_id` and `resource_id` in HTTP request path [#9190](https://github.com/emqx/emqx/pull/9190). Note that the `id` in `POST /api/v4/rules` should be literals (not encoded) when creating a `rule` or `resource`. - See docs [Create Rule](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-rules) [Create Resource](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-resources). + See docs [Create Rule](https://docs.emqx.com/en/enterprise/v4.4/advanced/http-api.html#post-api-v4-rules) [Create Resource](https://docs.emqx.com/en/enterprise/v4.4/advanced/http-api.html#post-api-v4-resources). - Calling 'DELETE /alarms/deactivated' now deletes deactived alarms on all nodes, including remote nodes, not just the local node [#9280](https://github.com/emqx/emqx/pull/9280). diff --git a/changes/v4.3.22-zh.md b/changes/v4.3.22-zh.md index 758b31547..83783d53b 100644 --- a/changes/v4.3.22-zh.md +++ b/changes/v4.3.22-zh.md 
@@ -67,7 +67,7 @@ - 使规则引擎 API 在 HTTP 请求路径中支持百分号编码的 `rule_id` 及 `resource_id` [#9190](https://github.com/emqx/emqx/pull/9190)。 注意在创建规则或资源时,HTTP body 中的 `id` 字段仍为字面值,而不是编码之后的值。 - 详情请参考 [创建规则](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-rules) 和 [创建资源](https://www.emqx.io/docs/zh/v4.3/advanced/http-api.html#post-api-v4-resources)。 + 详情请参考 [创建规则](https://docs.emqx.com/zh/enterprise/v4.4/advanced/http-api.html#post-api-v4-rules) 和 [创建资源](https://docs.emqx.com/zh/enterprise/v4.4/advanced/http-api.html#post-api-v4-resources)。 - 修复调用 'DELETE /alarms/deactivated' 只在单个节点上生效的问题,现在将会删除所有节点上的非活跃警告 [#9280](https://github.com/emqx/emqx/pull/9280)。 From 0d7d9e40224582a2ece7984cb0784c4376f59344 Mon Sep 17 00:00:00 2001 From: "Zaiming (Stone) Shi" Date: Fri, 25 Nov 2022 23:35:33 +0100 Subject: [PATCH 27/28] chore: bump to version v4.3.22 --- include/emqx_release.hrl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/emqx_release.hrl b/include/emqx_release.hrl index 72d791eb3..6c5de4a24 100644 --- a/include/emqx_release.hrl +++ b/include/emqx_release.hrl @@ -29,7 +29,7 @@ -ifndef(EMQX_ENTERPRISE). --define(EMQX_RELEASE, {opensource, "4.3.22-rc.1"}). +-define(EMQX_RELEASE, {opensource, "4.3.22"}). -else. From f2dd44982b4e28bad1f76160854187c7df15358d Mon Sep 17 00:00:00 2001 From: "Zaiming (Stone) Shi" Date: Fri, 25 Nov 2022 23:38:15 +0100 Subject: [PATCH 28/28] docs: update v4.3.22 change logs --- changes/v4.3.22-en.md | 3 ++- changes/v4.3.22-zh.md | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/changes/v4.3.22-en.md b/changes/v4.3.22-en.md index a625bf323..ea3ffcb88 100644 --- a/changes/v4.3.22-en.md +++ b/changes/v4.3.22-en.md @@ -1,7 +1,8 @@ # v4.3.22 -## Enhancements +This marks the last release of EMQX v4.3 Opensource Edition. +## Enhancements - Make sure listener's `tls_versions` config value is one or more of `tlsv1`, `tlsv1.1`, `tlsv1.2`, `tlsv1.3` [#9260](https://github.com/emqx/emqx/pull/9260). 
diff --git a/changes/v4.3.22-zh.md b/changes/v4.3.22-zh.md index 758b31547..8b7500c4e 100644 --- a/changes/v4.3.22-zh.md +++ b/changes/v4.3.22-zh.md @@ -1,5 +1,7 @@ # v4.3.22 +这是 EMQX 开原版 v4.3 系列的最后一个版本。 + ## 增强 - 检查监听器的 `tls_versions` 配置值是 `tlsv1`,`tlsv1.1`,`tlsv1.2`,`tlsv1.3` 中的一个或多个组合 [#9260](https://github.com/emqx/emqx/pull/9260)。