Merge pull request #10546 from zhongwencool/04-27-ssl_options

feat: organize the ssl_options
zhongwencool 2023-05-05 20:51:19 +08:00 committed by GitHub
commit fb3c0c1fe9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 19 additions and 14 deletions


@ -2191,7 +2191,7 @@ common_ssl_opts_schema(Defaults) ->
D = fun(Field) -> maps:get(to_atom(Field), Defaults, undefined) end, D = fun(Field) -> maps:get(to_atom(Field), Defaults, undefined) end,
Df = fun(Field, Default) -> maps:get(to_atom(Field), Defaults, Default) end, Df = fun(Field, Default) -> maps:get(to_atom(Field), Defaults, Default) end,
Collection = maps:get(versions, Defaults, tls_all_available), Collection = maps:get(versions, Defaults, tls_all_available),
AvailableVersions = default_tls_vsns(Collection), DefaultVersions = default_tls_vsns(Collection),
[ [
{"cacertfile", {"cacertfile",
sc( sc(
@ -2253,6 +2253,7 @@ common_ssl_opts_schema(Defaults) ->
example => <<"">>, example => <<"">>,
format => <<"password">>, format => <<"password">>,
desc => ?DESC(common_ssl_opts_schema_password), desc => ?DESC(common_ssl_opts_schema_password),
importance => ?IMPORTANCE_LOW,
converter => fun password_converter/2 converter => fun password_converter/2
} }
)}, )},
@ -2260,10 +2261,10 @@ common_ssl_opts_schema(Defaults) ->
sc( sc(
hoconsc:array(typerefl:atom()), hoconsc:array(typerefl:atom()),
#{ #{
default => AvailableVersions, default => DefaultVersions,
desc => ?DESC(common_ssl_opts_schema_versions), desc => ?DESC(common_ssl_opts_schema_versions),
importance => ?IMPORTANCE_HIGH, importance => ?IMPORTANCE_HIGH,
validator => fun(Inputs) -> validate_tls_versions(AvailableVersions, Inputs) end validator => fun(Input) -> validate_tls_versions(Collection, Input) end
} }
)}, )},
{"ciphers", ciphers_schema(D("ciphers"))}, {"ciphers", ciphers_schema(D("ciphers"))},
@ -2449,10 +2450,14 @@ client_ssl_opts_schema(Defaults) ->
)} )}
]. ].
default_tls_vsns(dtls_all_available) -> available_tls_vsns(dtls_all_available) -> emqx_tls_lib:available_versions(dtls);
emqx_tls_lib:available_versions(dtls); available_tls_vsns(tls_all_available) -> emqx_tls_lib:available_versions(tls).
default_tls_vsns(tls_all_available) ->
emqx_tls_lib:available_versions(tls). outdated_tls_vsn(dtls_all_available) -> [dtlsv1];
outdated_tls_vsn(tls_all_available) -> ['tlsv1.1', tlsv1].
default_tls_vsns(Key) ->
available_tls_vsns(Key) -- outdated_tls_vsn(Key).
-spec ciphers_schema(quic | dtls_all_available | tls_all_available | undefined) -> -spec ciphers_schema(quic | dtls_all_available | tls_all_available | undefined) ->
hocon_schema:field_schema(). hocon_schema:field_schema().
@ -2761,7 +2766,8 @@ validate_ciphers(Ciphers) ->
Bad -> {error, {bad_ciphers, Bad}} Bad -> {error, {bad_ciphers, Bad}}
end. end.
validate_tls_versions(AvailableVersions, Versions) -> validate_tls_versions(Collection, Versions) ->
AvailableVersions = available_tls_vsns(Collection),
case lists:filter(fun(V) -> not lists:member(V, AvailableVersions) end, Versions) of case lists:filter(fun(V) -> not lists:member(V, AvailableVersions) end, Versions) of
[] -> ok; [] -> ok;
Vs -> {error, {unsupported_tls_versions, Vs}} Vs -> {error, {unsupported_tls_versions, Vs}}
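Review bot: `validate_tls_versions/2` now checks the configured list against `available_tls_vsns(Collection)`, so the versions that `outdated_tls_vsn/1` removes from the default (`tlsv1`, `'tlsv1.1'`, `dtlsv1`) are still accepted without any signal when an operator lists them explicitly. That reads as a deliberate opt-in for legacy peers, but nothing in the hunk says so, and a later reader could "fix" the validator to use `default_tls_vsns/1` and break existing configs; a comment on `outdated_tls_vsn/1` such as `%% Dropped from the default list only; validate_tls_versions/2 still accepts them when configured explicitly.` pins the intent, and logging a warning from the validator when one of them is present would make the downgrade visible to operators. The three new functions also lack `-spec`s, unlike the neighbouring `ciphers_schema/1`, e.g. `-spec default_tls_vsns(dtls_all_available | tls_all_available) -> [atom()].` for each. The `case` in `validate_tls_versions/2` closes outside the hunk.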


@ -229,7 +229,8 @@ ssl_files_handle_non_generated_file_test() ->
ok = emqx_tls_lib:delete_ssl_files(Dir, undefined, SSL2), ok = emqx_tls_lib:delete_ssl_files(Dir, undefined, SSL2),
%% verify the file is not delete and not changed, because it is not generated by %% verify the file is not delete and not changed, because it is not generated by
%% emqx_tls_lib %% emqx_tls_lib
?assertEqual({ok, KeyFileContent}, file:read_file(TmpKeyFile)). ?assertEqual({ok, KeyFileContent}, file:read_file(TmpKeyFile)),
ok = file:delete(TmpKeyFile).
ssl_file_replace_test() -> ssl_file_replace_test() ->
Key1 = bin(test_key()), Key1 = bin(test_key()),
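Review bot: The new `ok = file:delete(TmpKeyFile)` only runs when the preceding `?assertEqual` passes, so a failing run leaves the temporary key file behind in `Dir`, which can make later tests that use the same directory order-dependent. Reading before asserting keeps the cleanup unconditional: `Read = file:read_file(TmpKeyFile), ok = file:delete(TmpKeyFile), ?assertEqual({ok, KeyFileContent}, Read).`; a `{setup, Setup, Cleanup, Tests}` fixture is the more idiomatic alternative if more tests in this file create files under `Dir`. The test function begins before the hunk.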


@ -343,7 +343,7 @@ fields(cluster_etcd) ->
?R_REF(emqx_schema, "ssl_client_opts"), ?R_REF(emqx_schema, "ssl_client_opts"),
#{ #{
desc => ?DESC(cluster_etcd_ssl), desc => ?DESC(cluster_etcd_ssl),
alias => [ssl], aliases => [ssl],
'readOnly' => true 'readOnly' => true
} }
)} )}
@ -1286,7 +1286,7 @@ cluster_options(dns, Conf) ->
{type, conf_get("cluster.dns.record_type", Conf)} {type, conf_get("cluster.dns.record_type", Conf)}
]; ];
cluster_options(etcd, Conf) -> cluster_options(etcd, Conf) ->
Namespace = "cluster.etcd.ssl", Namespace = "cluster.etcd.ssl_options",
SslOpts = fun(C) -> SslOpts = fun(C) ->
Options = keys(Namespace, C), Options = keys(Namespace, C),
lists:map(fun(Key) -> {to_atom(Key), conf_get([Namespace, Key], Conf)} end, Options) lists:map(fun(Key) -> {to_atom(Key), conf_get([Namespace, Key], Conf)} end, Options)
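Review bot: `cluster_options(etcd, Conf)` now reads `cluster.etcd.ssl_options`, but what keeps an existing `cluster.etcd.ssl` config working is the `aliases => [ssl]` in the `fields(cluster_etcd)` hunk earlier in this section, and the two sites are not cross-referenced. Presumably the schema's alias handling rewrites `ssl` to `ssl_options` before `cluster_options/2` runs — worth confirming, since otherwise `keys(Namespace, C)` would yield an empty option list for an un-migrated config. A one-line comment on the `Namespace` binding documents the dependency: `%% "ssl" is accepted as an alias of "ssl_options" (see fields(cluster_etcd)).`. The etcd clause of `cluster_options/2` continues outside the hunk.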


@ -102,9 +102,7 @@ fields("https") ->
server_ssl_opts() -> server_ssl_opts() ->
Opts0 = emqx_schema:server_ssl_opts_schema(#{}, true), Opts0 = emqx_schema:server_ssl_opts_schema(#{}, true),
Opts1 = exclude_fields(["fail_if_no_peer_cert"], Opts0), exclude_fields(["fail_if_no_peer_cert"], Opts0).
{value, {_, Meta}, Opts2} = lists:keytake("password", 1, Opts1),
[{"password", Meta#{importance => ?IMPORTANCE_HIDDEN}} | Opts2].
exclude_fields([], Fields) -> exclude_fields([], Fields) ->
Fields; Fields;