Merge pull request #13412 from JimMoen/fix-cert-notafter-badmatch

fix: obtain cert expiry epoch failed due to formated `generalTime`
2024-07-05 10:13:22 +08:00 · 2024-07-05 10:13:22 +08:00 · 9d0b5a9bc6
parent aa84ca5a88 d84d31cbc5
commit 9d0b5a9bc6
6 changed files with 52 additions and 19 deletions
--- a/apps/emqx_prometheus/.gitignore
+++ b/apps/emqx_prometheus/.gitignore
@ -13,7 +13,6 @@ rel/example_project
 emqx_prometheus.d
 ct.coverdata
 logs/
-data/
 test/ct.cover.spec
 cover/
 erlang.mk
--- a/apps/emqx_prometheus/src/emqx_prometheus.app.src
+++ b/apps/emqx_prometheus/src/emqx_prometheus.app.src
@ -2,7 +2,7 @@
 {application, emqx_prometheus, [
    {description, "Prometheus for EMQX"},
    % strict semver, bump manually!
-    {vsn, "5.2.2"},
+    {vsn, "5.2.3"},
    {modules, []},
    {registered, [emqx_prometheus_sup]},
    {applications, [kernel, stdlib, prometheus, emqx, emqx_auth, emqx_resource, emqx_management]},
--- a/apps/emqx_prometheus/src/emqx_prometheus.erl
+++ b/apps/emqx_prometheus/src/emqx_prometheus.erl
@ -78,6 +78,10 @@
    do_stop/0
 ]).

+-ifdef(TEST).
+-export([cert_expiry_at_from_path/1]).
+-endif.
+
 %%--------------------------------------------------------------------
 %% Macros
 %%--------------------------------------------------------------------
@ -943,10 +947,8 @@ cert_expiry_at_from_path(Path0) ->
            {ok, PemBin} ->
                [CertEntry | _] = public_key:pem_decode(PemBin),
                Cert = public_key:pem_entry_decode(CertEntry),
-                %% TODO: Not fully tested for all certs type
-                {'utcTime', NotAfterUtc} =
-                    Cert#'Certificate'.'tbsCertificate'#'TBSCertificate'.validity#'Validity'.'notAfter',
-                utc_time_to_epoch(NotAfterUtc);
+                %% XXX: Only pem cert supported by listeners
+                not_after_epoch(Cert);
            {error, Reason} ->
                ?SLOG(error, #{
                    msg => "read_cert_file_failed",
@ -969,21 +971,17 @@ cert_expiry_at_from_path(Path0) ->
            0
    end.

-utc_time_to_epoch(UtcTime) ->
-    date_to_expiry_epoch(utc_time_to_datetime(UtcTime)).
-
-utc_time_to_datetime(Str) ->
-    {ok, [Year, Month, Day, Hour, Minute, Second], _} = io_lib:fread(
-        "~2d~2d~2d~2d~2d~2dZ", Str
-    ),
-    %% Always Assuming YY is in 2000
-    {{2000 + Year, Month, Day}, {Hour, Minute, Second}}.
-
 %% 62167219200 =:= calendar:datetime_to_gregorian_seconds({{1970, 1, 1}, {0, 0, 0}}).
 -define(EPOCH_START, 62167219200).
-spec date_to_expiry_epoch(calendar:datetime()) -> Seconds :: non_neg_integer().
-date_to_expiry_epoch(DateTime) ->
-    calendar:datetime_to_gregorian_seconds(DateTime) - ?EPOCH_START.
+not_after_epoch(#'Certificate'{
+    'tbsCertificate' = #'TBSCertificate'{
+        validity =
+            #'Validity'{'notAfter' = NotAfter}
+    }
+}) ->
+    pubkey_cert:'time_str_2_gregorian_sec'(NotAfter) - ?EPOCH_START;
+not_after_epoch(_) ->
+    0.

 %%========================================
 %% Mria
--- a/apps/emqx_prometheus/test/data/cert.crt
+++ b/apps/emqx_prometheus/test/data/cert.crt
@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIUJ3pE/Dwffa5gKNHY2L8HmazicmowDQYJKoZIhvcNAQEL
+BQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DVNhbiBGcmFuY2lzY28xFTATBgNVBAoMDEV4YW1wbGUgSW5jLjEUMBIGA1UEAwwL
+ZXhhbXBsZS5jb20wIBcNMjQwNzAzMTAyOTMzWhgPMjA1NDA2MjYxMDI5MzNaMGcx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4g
+RnJhbmNpc2NvMRUwEwYDVQQKDAxFeGFtcGxlIEluYy4xFDASBgNVBAMMC2V4YW1w
+bGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArFZKxzsxCaGP
+rVhilTd4PKk9jVrBLQ4xaFG6tmmlzjBCp+E35EulND4gpWZSUs9bYO/C+qykKmrL
+J7TddGBVXe6lbl6mMHqZzHUp9mJdvPBSHcqOHc2E/UiBwOpN4tatx6UdK+VEQySr
+z+dtc0Az5Itkoy/SvAu1Zzdq3d3MfxaTUvCmWfeR2huTalNQkG1jQ0C2CjCU9Z1f
+Ex+y1MzxNhVrrdExC8Vwrb4TDlue8/XwJ4A4gBJYNbVAwALcSKnF56nRib3evE3J
+Irvy2Rt4aC694JawWLPzJ1e2Rz8WBzCRPJAmaV4iD66sU8BMkmbCV+mMmF673s3R
+sS4kGqklvQIDAQABoyEwHzAdBgNVHQ4EFgQU0tDKnCDey6fKrzs7caDfS41Dii4w
+DQYJKoZIhvcNAQELBQADggEBAEIKvrSuUgpkIEUDV+UMr/5xUKkDyjNi4rwkBA6X
+Ej0HskXg6u9wOIkBKwpQbleDFICdyqXMhGMjN4050PQCizaInBJBz77ah47UwGGQ
+P+wavbcdHR9cbhewhCo6EtbCclPY1LXq4OFkgHMToLFzXC4S/kLX/KrhVApGHskO
+Ad4U4gmMtIalruz5Mzc4YuSaAjbRI9v0IxhvS8JU0uoOwhIstkrMlFc26SU6EcZ9
+k88gVmmqEnsvmJi4gn4XPgvJB8hPs0/OMDBCVjAM8VaxZZ6sqlTT9FTGaKbIJdDc
+KjT7VdbhVcuZo4s1u9gQzJNU2WHlHLwZi1wCjTC1vTE/HrQ=
+-----END CERTIFICATE-----
--- a/apps/emqx_prometheus/test/emqx_prometheus_SUITE.erl
+++ b/apps/emqx_prometheus/test/emqx_prometheus_SUITE.erl
@ -211,6 +211,16 @@ t_push_gateway(_) ->

    ok.

+t_cert_expiry_epoch(_) ->
+    Path = some_pem_path(),
+    ?assertEqual(
+        2666082573,
+        emqx_prometheus:cert_expiry_at_from_path(Path)
+    ).
+
+%%--------------------------------------------------------------------
+%% Helper functions
+
 start_mock_pushgateway(Port) ->
    ensure_loaded(cowboy),
    ensure_loaded(ranch),
@ -249,3 +259,7 @@ init(Req0, Opts) ->
    RespHeader = #{<<"content-type">> => <<"text/plain; charset=utf-8">>},
    Req = cowboy_req:reply(200, RespHeader, <<"OK">>, Req0),
    {ok, Req, Opts}.
+
+some_pem_path() ->
+    Dir = code:lib_dir(emqx_prometheus, test),
+    _Path = filename:join([Dir, "data", "cert.crt"]).
--- a/changes/fix-13412.en.md
+++ b/changes/fix-13412.en.md
@ -0,0 +1 @@
+Fixed an issue in the Prometheus API where the certificate expiration time format incorrectly returned `0` due to the use of `generalTime`.
				`@ -0,0 +1 @@`
				Fixed an issue in the Prometheus API where the certificate expiration time format incorrectly returned `0` due to the use of `generalTime`.