Do not change the options in mongoose_config #3356
Conversation
This comment has been minimized.
This comment has been minimized.
Codecov Report
@@ Coverage Diff @@
## persistent-term-config #3356 +/- ##
==========================================================
- Coverage 80.80% 80.71% -0.10%
==========================================================
Files 397 397
Lines 32287 32234 -53
==========================================================
- Hits 26091 26017 -74
- Misses 6196 6217 +21
Continue to review full report at Codecov.
|
chrzaszcz
force-pushed
the
static-mongoose-config
branch
from
40e0887
to
966f6c6
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
chrzaszcz
force-pushed
the
static-mongoose-config
branch
from
d519c79
to
e93bf64
Compare
This comment has been minimized.
This comment has been minimized.
chrzaszcz
force-pushed
the
static-mongoose-config
branch
from
e93bf64
to
467fb12
Compare
Module options should be set only in module opts, stored by gen_mod in the 'ejabberd_modules' ETS table. The only exception was mod_mam_meta, which stored config for mod_mam. It is possible to avoid this completely and just use the module opts. There is no dynamic module reload now, so nothing will get out of sync.
This was used only by ejabberd_auth_jwt to store the secret. This secret can be stored in a persistent term as it remains constant for the whole runtime. Also: do not convert the algorithm from binary to list and back
This key needs to be the same for all nodes for successful server dialback. It was stored in global config before.
Listeners are configured only once at startup and their setup does not change.
There is no need to rewrite config options by system metrics.
Remove the tests relying on the overwritten config options, replacing them with actually checking all the tracking ids.
chrzaszcz
force-pushed
the
static-mongoose-config
branch
from
467fb12
to
e4d4d51
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
| @@ -75,7 +70,7 @@ authorize(Creds) -> | |||
| LServer :: jid:lserver(), | |||
| Password :: binary()) -> boolean(). | |||
| check_password(HostType, LUser, LServer, Password) -> | |||
| Key = case ejabberd_auth:get_opt(HostType, jwt_secret) of | |||
| Key = case persistent_term:get({?MODULE, HostType, jwt_secret}) of | |||
| Key1 when is_binary(Key1) -> Key1; | |||
| {env, Var} -> list_to_binary(os:getenv(Var)) | |||
There was a problem hiding this comment.
Considering that env-vars are private to a process and they're impossible to change externally, I'd also cache the value of the env-var in the persistent_term entry, instead of repeatedly reading such env-var. The reason why somebody would prefer deploying the secret as an env-var is that UNIX process memory has much stronger security semantics than filesystem permissions. Otherwise, the value might be kept cached in the process memory for much faster access.
There was a problem hiding this comment.
I mostly agree, but for me this modification would be out of scope of this PR.
There was a problem hiding this comment.
Could you please also fix this comment in the scope of current PR? https://github.com/esl/MongooseIM/pull/3343/files#r735601211
|
Hmmm technically speaking my comments on hashes and security are not the intent of this PR, so we might as well fix separately in other PRs reserved for that topic and then get this one approved and merged. Or in separated commits here. I have no preference, just want those fixes eventually 🙂 |
|
small_tests_24 / small_tests / e85c4ea internal_mnesia_24 / internal_mnesia / e85c4ea small_tests_23 / small_tests / e85c4ea dynamic_domains_pgsql_mnesia_23 / pgsql_mnesia / e85c4ea dynamic_domains_mssql_mnesia_24 / odbc_mssql_mnesia / e85c4ea ldap_mnesia_23 / ldap_mnesia / e85c4ea dynamic_domains_pgsql_mnesia_24 / pgsql_mnesia / e85c4ea ldap_mnesia_24 / ldap_mnesia / e85c4ea dynamic_domains_mysql_redis_24 / mysql_redis / e85c4ea mam_SUITE:rdbms_async_pool_prefs_cases:messages_filtered_when_prefs_default_policy_is_roster{error,{test_case_failed,"ASSERT EQUAL\n\tExpected []\n\tValue [ok]\n"}}pgsql_mnesia_24 / pgsql_mnesia / e85c4ea service_domain_db_SUITE:db:db_keeps_syncing_after_cluster_join{error,{test_case_failed,{[<<"example1.com">>,<<"example2.com">>,
<<"example3.com">>],
[<<"example1.com">>,<<"example2.com">>,
<<"example3.com">>,<<"example4.com">>]}}}mysql_redis_24 / mysql_redis / e85c4ea mam_SUITE:rdbms_prefs_cases:messages_filtered_when_prefs_default_policy_is_never{error,{test_case_failed,"ASSERT EQUAL\n\tExpected []\n\tValue [ok]\n"}}mam_SUITE:rdbms_prefs_cases:messages_filtered_when_prefs_default_policy_is_roster{error,{test_case_failed,"ASSERT EQUAL\n\tExpected []\n\tValue [ok]\n"}}pgsql_mnesia_23 / pgsql_mnesia / e85c4ea elasticsearch_and_cassandra_24 / elasticsearch_and_cassandra_mnesia / e85c4ea mssql_mnesia_24 / odbc_mssql_mnesia / e85c4ea rest_client_SUITE:muc:messages_can_be_paginated_in_room{error,
{{assertion_failed,assert,is_chat_message,
[<<"15303add">>],
{xmlel,<<"message">>,
[{<<"to">>,<<"[email protected]">>},
{<<"type">>,<<"chat">>}],
[{xmlel,<<"body">>,[],[{xmlcdata,<<"93916f82">>}]}]},
"<message to='[email protected]' type='chat'><body>93916f82</body></message>"},
[{escalus_new_assert,assert_true,2,
[{file,
"/home/circleci/app/big_tests/_build/default/lib/escalus/src/escalus_new_assert.erl"},
{line,84}]},
{rest_client_SUITE,assert_room_messages,2,
[{file,"/home/circleci/app/big_tests/tests/rest_client_SUITE.erl"},
{line,772}]},
{escalus_story,story,4,
[{file,
"/home/circleci/app/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
{line,72}]},
{test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]},
{test_server,run_test_case_eval1,6,
[{file,"test_server.erl"},{line,1292}]},
{test_server,run_test_case_eval,9,
[{file,"test_server.erl"},{line,1224}]}]}}riak_mnesia_24 / riak_mnesia / e85c4ea mod_ping_SUITE:server_ping_kill:server_ping_pong{error,{{badmatch,[{[<<"localhost">>,mod_ping,ping_response],
{expected_diff,5},
{before_story,5},
{after_story,9}}]},
[{escalus_mongooseim,post_story_check_metrics,1,
[{file,"/home/circleci/app/big_tests/_build/default/lib/escalus/src/escalus_mongooseim.erl"},
{line,74}]},
{escalus_mongooseim,maybe_check_metrics_post_story,1,
[{file,"/home/circleci/app/big_tests/_build/default/lib/escalus/src/escalus_mongooseim.erl"},
{line,51}]},
{escalus_story,story,4,
[{file,"/home/circleci/app/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
{line,75}]},
{test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]},
{test_server,run_test_case_eval1,6,
[{file,"test_server.erl"},{line,1292}]},
{test_server,run_test_case_eval,9,
[{file,"test_server.erl"},{line,1224}]}]}} |
|
small_tests_24 / small_tests / 0d0f1fa internal_mnesia_24 / internal_mnesia / 0d0f1fa small_tests_23 / small_tests / 0d0f1fa dynamic_domains_pgsql_mnesia_24 / pgsql_mnesia / 0d0f1fa ldap_mnesia_24 / ldap_mnesia / 0d0f1fa dynamic_domains_mssql_mnesia_24 / odbc_mssql_mnesia / 0d0f1fa service_domain_db_SUITE:db:db_keeps_syncing_after_cluster_join{error,{test_case_failed,{[<<"example1.com">>,<<"example2.com">>,
<<"example3.com">>],
[<<"example1.com">>,<<"example2.com">>,
<<"example3.com">>,<<"example4.com">>]}}}sm_SUITE:parallel_manual_ack_freq_1:resume_session_state_stop_c2s{error,{thrown,{timeout,msg}}}dynamic_domains_pgsql_mnesia_23 / pgsql_mnesia / 0d0f1fa dynamic_domains_mysql_redis_24 / mysql_redis / 0d0f1fa mam_SUITE:rdbms_simple_prefs_cases:messages_filtered_when_prefs_default_policy_is_never{error,{test_case_failed,"ASSERT EQUAL\n\tExpected []\n\tValue [ok]\n"}}ldap_mnesia_23 / ldap_mnesia / 0d0f1fa elasticsearch_and_cassandra_24 / elasticsearch_and_cassandra_mnesia / 0d0f1fa sm_SUITE:parallel:messages_are_properly_flushed_during_resumption{error,
{{badmatch,
{error,
{connection_step_failed,
{#Fun<sm_SUITE.11.118723036>,
{client,
<<"alicE_messages_are_properly_flushed_during_resumption_18.117060@localhost">>,
escalus_tcp,<0.20181.1>,undefined,
[{username,
<<"alicE_messages_are_properly_flushed_during_resumption_18.117060">>},
{server,<<"localhost">>},
{password,<<"matygrysa">>},
{stream_management,true},
{host,<<"localhost">>},
{stream_id,<<"4f7d3039a35bf615">>}]},
[{compression,[<<"zlib">>]},
{starttls,true},
{stream_management,true},
{advanced_message_processing,true},
{client_state_indication,false},
{sasl_mechanisms,[<<"SCRAM-SHA-256">>,<<"PLAIN">>]},
{caps,undefined}]},
{timeout,get_resumed}}}},
[{sm_SUITE,'-messages_are_properly_flushed_during_resumption/1-fun-1-',
3,
[{file,"/home/circleci/app/big_tests/tests/sm_SUITE.erl"},
{line,1230}]},
{escalus_story,story,4,
[{file,
"/home/circleci/app/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
{line,72}]},
{test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]},
{test_server,run_test_case_eval1,6,
[{file,"test_server.erl"},{line,1292}]},
{test_server,run_test_case_eval,9,
[{file,"test_server.erl"},{line,1224}]}]}}sm_SUITE:parallel:messages_are_properly_flushed_during_resumption{error,
{{badmatch,
{error,
{connection_step_failed,
{#Fun<sm_SUITE.11.118723036>,
{client,
<<"alicE_messages_are_properly_flushed_during_resumption_24.87395@localhost">>,
escalus_tcp,<0.20653.1>,undefined,
[{username,
<<"alicE_messages_are_properly_flushed_during_resumption_24.87395">>},
{server,<<"localhost">>},
{password,<<"matygrysa">>},
{stream_management,true},
{host,<<"localhost">>},
{stream_id,<<"584fe25d409ad866">>}]},
[{compression,[<<"zlib">>]},
{starttls,true},
{stream_management,true},
{advanced_message_processing,true},
{client_state_indication,false},
{sasl_mechanisms,[<<"SCRAM-SHA-256">>,<<"PLAIN">>]},
{caps,undefined}]},
{timeout,get_resumed}}}},
[{sm_SUITE,'-messages_are_properly_flushed_during_resumption/1-fun-1-',
3,
[{file,"/home/circleci/app/big_tests/tests/sm_SUITE.erl"},
{line,1230}]},
{escalus_story,story,4,
[{file,
"/home/circleci/app/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
{line,72}]},
{test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]},
{test_server,run_test_case_eval1,6,
[{file,"test_server.erl"},{line,1292}]},
{test_server,run_test_case_eval,9,
[{file,"test_server.erl"},{line,1224}]}]}}sm_SUITE:parallel:messages_are_properly_flushed_during_resumption_p1_fsm_old{error,
{{badmatch,
{error,
{connection_step_failed,
{#Fun<sm_SUITE.11.118723036>,
{client,
<<"alicE_messages_are_properly_flushed_during_resumption_p1_fsm_old_24.66127@localhost">>,
escalus_tcp,<0.20678.1>,undefined,
[{username,
<<"alicE_messages_are_properly_flushed_during_resumption_p1_fsm_old_24.66127">>},
{server,<<"localhost">>},
{password,<<"matygrysa">>},
{stream_management,true},
{host,<<"localhost">>},
{stream_id,<<"7899516f30e3b3ca">>}]},
[{compression,[<<"zlib">>]},
{starttls,true},
{stream_management,true},
{advanced_message_processing,true},
{client_state_indication,false},
{sasl_mechanisms,[<<"SCRAM-SHA-256">>,<<"PLAIN">>]},
{caps,undefined}]},
{timeout,get_resumed}}}},
[{sm_SUITE,
'-messages_are_properly_flushed_during_resumption_p1_fsm_old/1-fun-1-',
3,
[{file,"/home/circleci/app/big_tests/tests/sm_SUITE.erl"},
{line,1274}]},
{escalus_story,story,4,
[{file,
"/home/circleci/app/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
{line,72}]},
{test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]},
{test_server,run_test_case_eval1,6,
[{file,"test_server.erl"},{line,1292}]},
{test_server,run_test_case_eval,9,
[{file,"test_server.erl"},{line,...pgsql_mnesia_24 / pgsql_mnesia / 0d0f1fa mysql_redis_24 / mysql_redis / 0d0f1fa pgsql_mnesia_23 / pgsql_mnesia / 0d0f1fa mssql_mnesia_24 / odbc_mssql_mnesia / 0d0f1fa service_domain_db_SUITE:db:db_keeps_syncing_after_cluster_join{error,{test_case_failed,{[<<"example1.com">>,<<"example2.com">>,
<<"example3.com">>],
[<<"example1.com">>,<<"example2.com">>,
<<"example3.com">>,<<"example4.com">>]}}}riak_mnesia_24 / riak_mnesia / 0d0f1fa rest_client_SUITE:muc:messages_can_be_paginated_in_room{error,
{{assertion_failed,assert,is_chat_message,
[<<"7a7aa227">>],
{xmlel,<<"message">>,
[{<<"to">>,<<"[email protected]">>},
{<<"type">>,<<"chat">>}],
[{xmlel,<<"body">>,[],[{xmlcdata,<<"1e0b62c9">>}]}]},
"<message to='[email protected]' type='chat'><body>1e0b62c9</body></message>"},
[{escalus_new_assert,assert_true,2,
[{file,
"/home/circleci/app/big_tests/_build/default/lib/escalus/src/escalus_new_assert.erl"},
{line,84}]},
{rest_client_SUITE,assert_room_messages,2,
[{file,"/home/circleci/app/big_tests/tests/rest_client_SUITE.erl"},
{line,772}]},
{rest_client_SUITE,'-messages_can_be_paginated_in_room/1-fun-0-',3,
[{file,"/home/circleci/app/big_tests/tests/rest_client_SUITE.erl"},
{line,538}]},
{escalus_story,story,4,
[{file,
"/home/circleci/app/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
{line,72}]},
{test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]},
{test_server,run_test_case_eval1,6,
[{file,"test_server.erl"},{line,1292}]},
{test_server,run_test_case_eval,9,
[{file,"test_server.erl"},{line,1224}]}]}}dynamic_domains_mssql_mnesia_24 / odbc_mssql_mnesia / 0d0f1fa elasticsearch_and_cassandra_24 / elasticsearch_and_cassandra_mnesia / 0d0f1fa mssql_mnesia_24 / odbc_mssql_mnesia / 0d0f1fa |
done |
Remove the usage of
set_optandunset_optfrom the code, making the config in persistent terms constant for the whole lifetime of the MongooseIM app.Highlights:
gen_modis no longer modifying the config - it only sets the opts inejabberd_modulesnow. The only module using the config directly wasmod_mam_metaand this is now fixed.ejabberd_authis not setting any options when it starts. JWT secret is just stored in a separate persistent term.See the commit messages for more details.