yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #10962 from fix/no-random-certnames 

fix(tlslib): bring back deterministic filenames for managed certs
This commit is contained in:
Andrew Mayorov 2023-06-07 14:44:47 +03:00 committed by GitHub
parent c1be86c5ec c05f462d0a
commit 9fccae8a7a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
apps/emqx/src/emqx_tls_lib.erl
View File

@ -389,7 +389,7 @@ is_pem(MaybePem) ->
%% Also a potentially half-written PEM file (e.g. due to power outage) %% Also a potentially half-written PEM file (e.g. due to power outage)
%% can be corrected with an overwrite. %% can be corrected with an overwrite.
save_pem_file(Dir, KeyPath, Pem, DryRun) -> save_pem_file(Dir, KeyPath, Pem, DryRun) ->
Path = pem_file_name(Dir, KeyPath), Path = pem_file_name(Dir, KeyPath, Pem),
case filelib:ensure_dir(Path) of case filelib:ensure_dir(Path) of
ok when DryRun -> ok when DryRun ->
{ok, Path}; {ok, Path};
@ -412,11 +412,14 @@ is_managed_ssl_file(Filename) ->
_ -> false _ -> false
end. end.
pem_file_name(Dir, KeyPath) -> pem_file_name(Dir, KeyPath, Pem) ->
Suffix = binary:encode_hex(crypto:strong_rand_bytes(8)), % NOTE
% Wee need to have the same filename on every cluster node.
Segments = lists:map(fun ensure_bin/1, KeyPath), Segments = lists:map(fun ensure_bin/1, KeyPath),
Filename0 = iolist_to_binary(lists:join(<<"_">>, Segments)), Filename0 = iolist_to_binary(lists:join(<<"_">>, Segments)),
Filename1 = binary:replace(Filename0, <<"file">>, <<>>), Filename1 = binary:replace(Filename0, <<"file">>, <<>>),
Fingerprint = crypto:hash(md5, [Dir, Filename1, Pem]),
Suffix = binary:encode_hex(binary:part(Fingerprint, 0, 8)),
Filename = <<Filename1/binary, "-", Suffix/binary>>, Filename = <<Filename1/binary, "-", Suffix/binary>>,
filename:join([pem_dir(Dir), Filename]). filename:join([pem_dir(Dir), Filename]).

18
apps/emqx/test/emqx_tls_lib_tests.erl
View File

@ -206,6 +206,24 @@ ssl_file_replace_test() ->
?assert(filelib:is_regular(IssuerPem2)), ?assert(filelib:is_regular(IssuerPem2)),
ok. ok.
ssl_file_deterministic_names_test() ->
SSL0 = #{
<<"keyfile">> => test_key(),
<<"certfile">> => test_key()
},
Dir0 = filename:join(["/tmp", ?FUNCTION_NAME, "ssl0"]),
Dir1 = filename:join(["/tmp", ?FUNCTION_NAME, "ssl1"]),
{ok, SSLFiles0} = emqx_tls_lib:ensure_ssl_files(Dir0, SSL0),
?assertEqual(
{ok, SSLFiles0},
emqx_tls_lib:ensure_ssl_files(Dir0, SSL0)
),
?assertNotEqual(
{ok, SSLFiles0},
emqx_tls_lib:ensure_ssl_files(Dir1, SSL0)
),
_ = file:del_dir_r(filename:join(["/tmp", ?FUNCTION_NAME])).
bin(X) -> iolist_to_binary(X). bin(X) -> iolist_to_binary(X).
test_key() -> test_key() ->