emqx / emqx / 14245011954

03 Apr 2025 02:04PM UTC coverage: 83.448%. First build
14245011954

Pull #14975

github

web-flow
Merge 593c6f69e into d579f787a
Pull Request #14975: fix(listener): use `esockd:reset_options/2` for online updates

68 of 69 new or added lines in 6 files covered. (98.55%)

62123 of 74445 relevant lines covered (83.45%)

16310.83 hits per line

/apps/emqx/src/emqx_tls_lib_auth_ext.erl
%%--------------------------------------------------------------------
%% Copyright (c) 2024-2025 EMQ Technologies Co., Ltd. All Rights Reserved.
%%--------------------------------------------------------------------

-module(emqx_tls_lib_auth_ext).
-elvis([{elvis_style, atom_naming_convention, #{regex => "^([a-z][a-z0-9A-Z]*_?)*$"}}]).

-export([
    opt_partial_chain/1,
    opt_verify_fun/1
]).

-include_lib("emqx/include/logger.hrl").

-define(CONST_MOD_V1, emqx_tls_lib_const_v1).
%% @doc Build the `partial_chain' SSL option for the configured mode.
%%
%% Modes seen in the config map:
%%   - `false': explicitly install the default root fun. Needed on config
%%     update, where an omitted option would keep the listener's 'existing'
%%     partial_chain instead of clearing it.
%%   - `true' / `cacert_from_cacertfile': trust the last certificate of the
%%     configured cacertfile as the chain root.
%%   - `two_cacerts_from_cacertfile': trust the last two certificates.
%%   - anything else (key absent or unknown): no option is emitted.
-spec opt_partial_chain(Conf :: map()) -> SslOpts :: [ssl:tls_option()].
opt_partial_chain(#{partial_chain := false}) ->
    [{partial_chain, fun ?CONST_MOD_V1:default_root_fun/1}];
opt_partial_chain(#{partial_chain := Mode} = SslOpts) when
    Mode =:= true; Mode =:= cacert_from_cacertfile
->
    [{partial_chain, rootfun_trusted_ca_from_cacertfile(1, SslOpts)}];
opt_partial_chain(#{partial_chain := two_cacerts_from_cacertfile} = SslOpts) ->
    [{partial_chain, rootfun_trusted_ca_from_cacertfile(2, SslOpts)}];
opt_partial_chain(_Conf) ->
    [].

%% @doc Build the `verify_fun' SSL option when `verify_peer_ext_key_usage'
%% is configured.
%%
%% A value of `undefined', or a missing key, yields no option; any other
%% value is handed to `make_tls_verify_fun/2' to produce an extKeyUsage
%% check for the peer certificate.
-spec opt_verify_fun(Conf :: map()) -> SslOpts :: [ssl:tls_option()].
opt_verify_fun(#{verify_peer_ext_key_usage := undefined}) ->
    [];
opt_verify_fun(#{verify_peer_ext_key_usage := ExtKeyUsage}) ->
    VerifyFun = ?CONST_MOD_V1:make_tls_verify_fun(verify_cert_extKeyUsage, ExtKeyUsage),
    [{verify_fun, VerifyFun}];
opt_verify_fun(_Conf) ->
    [].

%% @doc Helper, make a TLS root_fun from the trusted CA(s) in `cacertfile'.
%%
%% `NumOfCerts' is how many certificates, counted from the end of the PEM
%% bundle, are used as trust anchors. Throws:
%%   - `{error, cacertfile_unset}' when the SSL options carry no `cacertfile';
%%   - `{error, {read_cacertfile_error, File, Reason}}' when the file cannot
%%     be read (File is the configured, un-interpolated path);
%%   - `{error, rootfun_trusted_ca_from_cacertfile}' when the content cannot
%%     be turned into a root fun.
rootfun_trusted_ca_from_cacertfile(NumOfCerts, #{cacertfile := Cacertfile}) ->
    Path = emqx_schema:naive_env_interpolation(Cacertfile),
    case file:read_file(Path) of
        {error, ReadError} ->
            throw({error, {read_cacertfile_error, Cacertfile, ReadError}});
        {ok, PemBin} ->
            try
                do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, PemBin)
            catch
                %% Any failure while parsing the bundle is logged server-side
                %% (stacktrace included, for operators) but surfaced to the
                %% caller only as an opaque error: OTP SSL validates the
                %% cacertfile as well and chooses to stay silent on it, and
                %% this is security-relevant material, so don't leak extra
                %% details.
                _Class:_Err:Stacktrace ->
                    ?SLOG(error, #{
                        msg => "trusted_cacert_not_found_in_cacertfile",
                        stacktrace => Stacktrace
                    }),
                    throw({error, ?FUNCTION_NAME})
            end
    end;
rootfun_trusted_ca_from_cacertfile(_NumOfCerts, _SslOpts) ->
    throw({error, cacertfile_unset}).

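%% Build the root fun from the last `NumOfCerts' certificates of the PEM
%% bundle: the last one or two entries should be the top parent of the chain
%% when the file holds a chain.
%%
%% Only 'Certificate' PEM entries are counted. Previously the position was
%% computed over all PEM entries and the certificate filter applied after
%% slicing, so a non-certificate entry at the end of the bundle (a key, a
%% CRL, ...) would silently shift the window and could leave the root fun
%% with fewer trusted certificates than requested, or none at all.
do_rootfun_trusted_ca_from_cacertfile(NumOfCerts, PemBin) ->
    Trusted = last_n_cert_ders(NumOfCerts, PemBin),
    ?CONST_MOD_V1:make_tls_root_fun(cacert_from_cacertfile, Trusted).

%% Return the DER of the last `NumOfCerts' 'Certificate' entries of `PemBin',
%% in file order. Raises when the bundle holds fewer certificates than
%% requested, so the caller's catch reports it as a missing trusted CA
%% instead of handing the root fun a short (or empty) trust list.
-spec last_n_cert_ders(pos_integer(), binary()) -> [binary()].
last_n_cert_ders(NumOfCerts, PemBin) ->
    CertDers = [Der || {'Certificate', Der, _} <- public_key:pem_decode(PemBin)],
    case length(CertDers) of
        Count when Count >= NumOfCerts ->
            lists:nthtail(Count - NumOfCerts, CertDers);
        Count ->
            error({not_enough_cacerts, #{expected => NumOfCerts, found => Count}})
    end.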