25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-28 16:34:13 +01:00

Move certificates processing code to pkix application

==== WARNING: MUST BE ADDED TO RELEASE NOTES =====
The commit introduces the following incompatibility:
- Option 'ca_path' is deprecated and has no effect anymore:
  option 'ca_file' should be used instead if needed.
==================================================
This commit is contained in:
Evgeny Khramtsov 2018-09-27 20:37:27 +03:00
parent e3a03394c7
commit 39fa1a810d
10 changed files with 315 additions and 863 deletions

View File

@ -29,6 +29,7 @@
{fast_yaml, ".*", {git, "https://github.com/processone/fast_yaml", {tag, "1.0.17"}}}, {fast_yaml, ".*", {git, "https://github.com/processone/fast_yaml", {tag, "1.0.17"}}},
{jiffy, ".*", {git, "https://github.com/davisp/jiffy", {tag, "0.14.8"}}}, {jiffy, ".*", {git, "https://github.com/davisp/jiffy", {tag, "0.14.8"}}},
{p1_oauth2, ".*", {git, "https://github.com/processone/p1_oauth2", {tag, "0.6.3"}}}, {p1_oauth2, ".*", {git, "https://github.com/processone/p1_oauth2", {tag, "0.6.3"}}},
{pkix, ".*", {git, "https://github.com/processone/pkix"}},
{jose, ".*", {git, "https://github.com/potatosalad/erlang-jose", {tag, "1.8.4"}}}, {jose, ".*", {git, "https://github.com/potatosalad/erlang-jose", {tag, "1.8.4"}}},
{eimp, ".*", {git, "https://github.com/processone/eimp", {tag, "1.0.8"}}}, {eimp, ".*", {git, "https://github.com/processone/eimp", {tag, "1.0.8"}}},
{if_var_true, stun, {stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.0.25"}}}}, {if_var_true, stun, {stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.0.25"}}}},

View File

@ -38,7 +38,7 @@
-protocol({xep, 270, '1.0'}). -protocol({xep, 270, '1.0'}).
-export([start/0, stop/0, halt/0, start_app/1, start_app/2, -export([start/0, stop/0, halt/0, start_app/1, start_app/2,
get_pid_file/0, check_app/1, module_name/1]). get_pid_file/0, check_app/1, module_name/1, is_loaded/0]).
-include("logger.hrl"). -include("logger.hrl").

View File

@ -1112,7 +1112,7 @@ save_certificate({ok, DomainName, Cert}) ->
%% that there is no certificate saved if it cannot be added in %% that there is no certificate saved if it cannot be added in
%% certificate persistent storage %% certificate persistent storage
write_cert(CertificateFile, Cert, DomainName), write_cert(CertificateFile, Cert, DomainName),
ok = ejabberd_pkix:add_certfile(CertificateFile), {ok, _} = ejabberd_pkix:add_certfile(CertificateFile),
DataCert = #data_cert{ DataCert = #data_cert{
domain = DomainName, domain = DomainName,
pem = Cert, pem = Cert,

View File

@ -59,6 +59,7 @@ start(normal, _Args) ->
?INFO_MSG("ejabberd ~s is started in the node ~p in ~.2fs", ?INFO_MSG("ejabberd ~s is started in the node ~p in ~.2fs",
[ejabberd_config:get_version(), [ejabberd_config:get_version(),
node(), (T2-T1)/1000]), node(), (T2-T1)/1000]),
ejabberd_hooks:run(ejabberd_started, []),
lists:foreach(fun erlang:garbage_collect/1, processes()), lists:foreach(fun erlang:garbage_collect/1, processes()),
{ok, SupPid}; {ok, SupPid};
Err -> Err ->
@ -150,6 +151,7 @@ start_apps() ->
crypto:start(), crypto:start(),
ejabberd:start_app(sasl), ejabberd:start_app(sasl),
ejabberd:start_app(ssl), ejabberd:start_app(ssl),
ejabberd:start_app(pkix),
ejabberd:start_app(p1_utils), ejabberd:start_app(p1_utils),
ejabberd:start_app(fast_yaml), ejabberd:start_app(fast_yaml),
ejabberd:start_app(fast_tls), ejabberd:start_app(fast_tls),

View File

@ -982,8 +982,8 @@ listen_opt_type(certfile = Opt) ->
fun(S) -> fun(S) ->
?WARNING_MSG("Listening option '~s' for ~s is deprecated, use " ?WARNING_MSG("Listening option '~s' for ~s is deprecated, use "
"'certfiles' global option instead", [Opt, ?MODULE]), "'certfiles' global option instead", [Opt, ?MODULE]),
ok = ejabberd_pkix:add_certfile(S), {ok, File} = ejabberd_pkix:add_certfile(S),
iolist_to_binary(S) File
end; end;
listen_opt_type(starttls) -> fun(B) when is_boolean(B) -> B end; listen_opt_type(starttls) -> fun(B) when is_boolean(B) -> B end;
listen_opt_type(starttls_required) -> fun(B) when is_boolean(B) -> B end; listen_opt_type(starttls_required) -> fun(B) when is_boolean(B) -> B end;

View File

@ -965,8 +965,8 @@ listen_opt_type(certfile = Opt) ->
fun(S) -> fun(S) ->
?WARNING_MSG("Listening option '~s' for ~s is deprecated, use " ?WARNING_MSG("Listening option '~s' for ~s is deprecated, use "
"'certfiles' global option instead", [Opt, ?MODULE]), "'certfiles' global option instead", [Opt, ?MODULE]),
ok = ejabberd_pkix:add_certfile(S), {ok, File} = ejabberd_pkix:add_certfile(S),
iolist_to_binary(S) File
end; end;
listen_opt_type(captcha) -> listen_opt_type(captcha) ->
fun(B) when is_boolean(B) -> B end; fun(B) when is_boolean(B) -> B end;

View File

@ -63,12 +63,7 @@ init(_) ->
ets:new(?MODULE, [named_table, public]), ets:new(?MODULE, [named_table, public]),
ejabberd_hooks:add(config_reloaded, ?MODULE, config_reloaded, 50), ejabberd_hooks:add(config_reloaded, ?MODULE, config_reloaded, 50),
Listeners = ejabberd_config:get_option(listen, []), Listeners = ejabberd_config:get_option(listen, []),
case add_certfiles(Listeners) of {ok, {{one_for_one, 10, 1}, listeners_childspec(Listeners)}}.
ok ->
{ok, {{one_for_one, 10, 1}, listeners_childspec(Listeners)}};
{error, _} = Err ->
Err
end.
-spec listeners_childspec([listener()]) -> [supervisor:child_spec()]. -spec listeners_childspec([listener()]) -> [supervisor:child_spec()].
listeners_childspec(Listeners) -> listeners_childspec(Listeners) ->
@ -432,20 +427,6 @@ check_rate_limit(Interval) ->
end, end,
NewInterval. NewInterval.
-spec add_certfiles([listener()]) -> ok | {error, any()}.
add_certfiles([{_, _, Opts}|Listeners]) ->
case lists:keyfind(certfile, 1, Opts) of
{_, Path} ->
case ejabberd_pkix:add_certfile(Path) of
ok -> add_certfiles(Listeners);
{error, _} = Err -> Err
end;
false ->
add_certfiles(Listeners)
end;
add_certfiles([]) ->
ok.
transform_option({{Port, IP, Transport}, Mod, Opts}) -> transform_option({{Port, IP, Transport}, Mod, Opts}) ->
IPStr = if is_tuple(IP) -> IPStr = if is_tuple(IP) ->
list_to_binary(inet_parse:ntoa(IP)); list_to_binary(inet_parse:ntoa(IP));
@ -652,12 +633,12 @@ listen_opt_type(supervisor) ->
fun(B) when is_boolean(B) -> B end; fun(B) when is_boolean(B) -> B end;
listen_opt_type(certfile) -> listen_opt_type(certfile) ->
fun(S) -> fun(S) ->
ok = ejabberd_pkix:add_certfile(S), {ok, File} = ejabberd_pkix:add_certfile(S),
iolist_to_binary(S) File
end; end;
listen_opt_type(ciphers) -> fun iolist_to_binary/1; listen_opt_type(ciphers) -> fun iolist_to_binary/1;
listen_opt_type(dhfile) -> fun misc:try_read_file/1; listen_opt_type(dhfile) -> fun misc:try_read_file/1;
listen_opt_type(cafile) -> fun misc:try_read_file/1; listen_opt_type(cafile) -> fun ejabberd_pkix:try_certfile/1;
listen_opt_type(protocol_options) -> listen_opt_type(protocol_options) ->
fun (Options) -> str:join(Options, <<"|">>) end; fun (Options) -> str:join(Options, <<"|">>) end;
listen_opt_type(tls_compression) -> listen_opt_type(tls_compression) ->

File diff suppressed because it is too large Load Diff

View File

@ -344,8 +344,8 @@ listen_opt_type(certfile = Opt) ->
fun(S) -> fun(S) ->
?WARNING_MSG("Listening option '~s' for ~s is deprecated, use " ?WARNING_MSG("Listening option '~s' for ~s is deprecated, use "
"'certfiles' global option instead", [Opt, ?MODULE]), "'certfiles' global option instead", [Opt, ?MODULE]),
ok = ejabberd_pkix:add_certfile(S), {ok, File} = ejabberd_pkix:add_certfile(S),
iolist_to_binary(S) File
end. end.
listen_options() -> listen_options() ->

View File

@ -1162,7 +1162,7 @@ opt_type(sql_username) -> fun iolist_to_binary/1;
opt_type(sql_ssl) -> fun(B) when is_boolean(B) -> B end; opt_type(sql_ssl) -> fun(B) when is_boolean(B) -> B end;
opt_type(sql_ssl_verify) -> fun(B) when is_boolean(B) -> B end; opt_type(sql_ssl_verify) -> fun(B) when is_boolean(B) -> B end;
opt_type(sql_ssl_certfile) -> fun ejabberd_pkix:try_certfile/1; opt_type(sql_ssl_certfile) -> fun ejabberd_pkix:try_certfile/1;
opt_type(sql_ssl_cafile) -> fun misc:try_read_file/1; opt_type(sql_ssl_cafile) -> fun ejabberd_pkix:try_certfile/1;
opt_type(sql_query_timeout) -> opt_type(sql_query_timeout) ->
fun (I) when is_integer(I), I > 0 -> I end; fun (I) when is_integer(I), I > 0 -> I end;
opt_type(sql_connect_timeout) -> opt_type(sql_connect_timeout) ->