Allow tagged (e.g. encrypted:...) values for more rabbitmq.conf` keys

When the support for tagged values in `rabbitmq.conf` was introduced,
not all candidate keys were updated to include it.

This PR updates a few more sensitive `rabbitmq.conf` keys
to support `encrypted:...` values.

References #11989.

(cherry picked from commit e07cdf9)
(cherry picked from commit 81fc0a8)

Author: michaelklishin

deps/rabbit/test/unit_config_value_encryption_SUITE.erl

@@ -30,6 +30,7 @@ groups() ->
           decrypt_start_app_undefined,
           decrypt_start_app_wrong_passphrase,
           decrypt_config,
+          decrypt_config_map,
           rabbitmqctl_encode
         ]}
     ].
@@ -105,6 +106,33 @@ do_decrypt_config(Algo = {C, H, I, P}) ->
     ok = application:unload(rabbit),
     ok.
 
+decrypt_config_map(_Config) ->
+    Hashes = rabbit_pbe:supported_hashes() -- ?SKIPPED_HASHES,
+    Ciphers = rabbit_pbe:supported_ciphers() -- ?SKIPPED_CIPHERS,
+    Iterations = [1, 100, 1000],
+    _ = [begin
+        PassPhrase = crypto:strong_rand_bytes(16),
+        do_decrypt_config_map({C, H, I, PassPhrase})
+    end || H <- Hashes, C <- Ciphers, I <- Iterations],
+    ok.
+
+%% Verifies that encrypted values nested inside maps are decrypted,
+%% as required by e.g. rabbitmq_management.oauth_resource_servers.
+do_decrypt_config_map({C, H, I, P} = Algo) ->
+    case application:load(rabbit) of
+        ok -> ok;
+        {error, {already_loaded, rabbit}} -> ok
+    end,
+    Secret = <<"test_oauth_secret">>,
+    {encrypted, EncSecret} = rabbit_pbe:encrypt_term(C, H, I, P, Secret),
+    application:set_env(rabbit, test_map_decrypt,
+        #{<<"server">> => [{oauth_client_secret, {encrypted, EncSecret}}]}),
+    rabbit_prelaunch_conf:decrypt_config([rabbit], Algo),
+    {ok, Decrypted} = application:get_env(rabbit, test_map_decrypt),
+    Secret = proplists:get_value(oauth_client_secret, maps:get(<<"server">>, Decrypted)),
+    application:unset_env(rabbit, test_map_decrypt),
+    ok.
+
 encrypt_value(Key, {C, H, I, P}) ->
     {ok, Value} = application:get_env(rabbit, Key),
     {encrypted, EncValue} = rabbit_pbe:encrypt_term(C, H, I, P, Value),

deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema

@@ -290,7 +290,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "auth_ldap.ssl_options.password", "rabbitmq_auth_backend_ldap.ssl_options.password",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "auth_ldap.ssl_options.psk_identity", "rabbitmq_auth_backend_ldap.ssl_options.psk_identity",
     [{datatype, string}]}.

deps/rabbitmq_management/priv/schema/rabbitmq_management.schema

@@ -466,7 +466,7 @@ end}.
 {mapping, "management.oauth_client_id", "rabbitmq_management.oauth_client_id",
       [{datatype, string}]}.
 {mapping, "management.oauth_client_secret", "rabbitmq_management.oauth_client_secret",
-      [{datatype, string}]}.
+      [{datatype, [tagged_binary, binary]}]}.
 
 %% Configure OAuth2 authorization flow (defaults to code)
 {mapping, "management.oauth_response_type", "rabbitmq_management.oauth_response_type",
@@ -544,7 +544,7 @@ end}.
 {mapping,
   "management.oauth_resource_servers.$name.oauth_client_secret",
   "rabbitmq_management.oauth_resource_servers",
-  [{datatype, string}]
+  [{datatype, [tagged_binary, binary]}]
 }.
 
 {mapping,

deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets

@@ -674,7 +674,7 @@
                           {oauth_enabled, true},
                           {oauth_provider_url, "http://localhost:8080"},
                           {oauth_client_id, "rabbitmq_client_code"},
-                          {oauth_client_secret, "rabbitmq_client_secret"},
+                          {oauth_client_secret, <<"rabbitmq_client_secret">>},
                           {oauth_scopes, "openid profile rabbitmq.*"},
                           {oauth_initiated_logon_type, idp_initiated},
                           {oauth_token_endpoint_params, [

deps/rabbitmq_peer_discovery_aws/priv/schema/rabbitmq_peer_discovery_aws.schema

@@ -50,7 +50,7 @@ end}.
 %% secret_key
 
 {mapping, "cluster_formation.aws.secret_key", "rabbit.cluster_formation.peer_discovery_aws.aws_secret_key", [
-    {datatype, string}
+    {datatype, [tagged_string, string]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_aws.aws_secret_key",

deps/rabbitmq_peer_discovery_consul/priv/schema/rabbitmq_peer_discovery_consul.schema

@@ -53,7 +53,7 @@ end}.
 %% ACL token
 
 {mapping, "cluster_formation.consul.acl_token", "rabbit.cluster_formation.peer_discovery_consul.consul_acl_token", [
-    {datatype, string}
+    {datatype, [tagged_string, string]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_consul.consul_acl_token",
@@ -416,7 +416,7 @@ end}.
 [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "cluster_formation.consul.ssl_options.password", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.password",
-[{datatype, string}]}.
+[{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "cluster_formation.consul.ssl_options.psk_identity", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.psk_identity",
 [{datatype, string}]}.

deps/rabbitmq_peer_discovery_etcd/priv/schema/rabbitmq_peer_discovery_etcd.schema

@@ -152,7 +152,7 @@ fun(Conf) ->
 end}.
 
 {mapping, "cluster_formation.etcd.password", "rabbit.cluster_formation.peer_discovery_etcd.etcd_password", [
-    {datatype, string}
+    {datatype, [tagged_binary, binary]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_etcd.etcd_password",
@@ -226,7 +226,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "cluster_formation.etcd.ssl_options.password", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.password",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "cluster_formation.etcd.ssl_options.psk_identity", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.psk_identity",
     [{datatype, string}]}.

deps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl

@@ -528,6 +528,11 @@ decrypt({encrypted, _} = EncValue,
     decrypt(EncValue, Algo);
 decrypt(List, Algo) when is_list(List) ->
     decrypt_list(List, Algo, []);
+decrypt(Map, Algo) when is_map(Map) ->
+    maps:fold(fun(Key, Value, {AccMap, AccAlgo}) ->
+        {NewValue, NewAlgo} = decrypt(Value, AccAlgo),
+        {maps:put(Key, NewValue, AccMap), NewAlgo}
+    end, {#{}, Algo}, Map);
 decrypt(Value, Algo) ->
     {Value, Algo}.
 

deps/rabbitmq_stomp/priv/schema/rabbitmq_stomp.schema

@@ -189,7 +189,7 @@ end}.
 ]}.
 
 {mapping, "stomp.default_pass", "rabbitmq_stomp.default_user.passcode", [
-    {datatype, string}
+    {datatype, [tagged_binary, binary]}
 ]}.
 
 {mapping, "stomp.default_topic_exchange", "rabbitmq_stomp.default_topic_exchange", [

deps/rabbitmq_tracing/priv/schema/rabbitmq_tracing.schema

@@ -14,5 +14,5 @@
 ]}.
 
 {mapping, "tracing.password", "rabbitmq_tracing.password", [
-    {datatype, string}
+    {datatype, [tagged_binary, binary]}
 ]}.