Merge pull request #15808 from rabbitmq/rabbitmq-server-15807

michaelklishin · web-flow · commit ac0783fc5ca8 · 2026-03-23T13:21:04.000-07:00
Allow tagged (e.g. `encrypted:...`) values for more `rabbitmq.conf` keys
diff --git a/deps/rabbit/priv/schema/rabbit.schema b/deps/rabbit/priv/schema/rabbit.schema
@@ -2012,7 +2012,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "log.syslog.ssl_options.password", "syslog.protocol",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "log.syslog.ssl_options.psk_identity", "syslog.protocol",
     [{datatype, string}]}.
@@ -3012,7 +3012,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "amqp10_client.ssl_options.password", "amqp10_client.ssl_options.password",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "amqp10_client.ssl_options.psk_identity", "amqp10_client.ssl_options.psk_identity",
     [{datatype, string}]}.
@@ -3120,7 +3120,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "amqp_client.ssl_options.password", "amqp_client.ssl_options.password",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "amqp_client.ssl_options.psk_identity", "amqp_client.ssl_options.psk_identity",
     [{datatype, string}]}.
diff --git a/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets b/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets
@@ -1376,7 +1376,7 @@ credential_validator.regexp = ^abc\\d+",
       [{cacertfile,"test/config_schema_SUITE_data/certs/ca_certificate.pem"},
        {certfile,"test/config_schema_SUITE_data/certs/server_certificate.pem"},
        {keyfile,"test/config_schema_SUITE_data/certs/server_key.pem"},
-       {password,"t0p$3kRe7"}]}]}],
+       {password,<<"t0p$3kRe7">>}]}]}],
   []},
  {amqp_client_ssl_options_tls_versions,
   "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/ca_certificate.pem
@@ -1481,7 +1481,7 @@ credential_validator.regexp = ^abc\\d+",
       [{cacertfile,"test/config_schema_SUITE_data/certs/ca_certificate.pem"},
        {certfile,"test/config_schema_SUITE_data/certs/server_certificate.pem"},
        {keyfile,"test/config_schema_SUITE_data/certs/server_key.pem"},
-       {password,"t0p$3kRe7"}]}]}],
+       {password,<<"t0p$3kRe7">>}]}]}],
   []},
  {amqp10_client_ssl_options_tls_versions,
   "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/ca_certificate.pem
diff --git a/deps/rabbit/test/unit_config_value_encryption_SUITE.erl b/deps/rabbit/test/unit_config_value_encryption_SUITE.erl
@@ -30,6 +30,7 @@ groups() ->
           decrypt_start_app_undefined,
           decrypt_start_app_wrong_passphrase,
           decrypt_config,
+          decrypt_config_map,
           rabbitmqctl_encode
         ]}
     ].
@@ -105,6 +106,33 @@ do_decrypt_config(Algo = {C, H, I, P}) ->
     ok = application:unload(rabbit),
     ok.
 
+decrypt_config_map(_Config) ->
+    Hashes = rabbit_pbe:supported_hashes() -- ?SKIPPED_HASHES,
+    Ciphers = rabbit_pbe:supported_ciphers() -- ?SKIPPED_CIPHERS,
+    Iterations = [1, 100, 1000],
+    _ = [begin
+        PassPhrase = crypto:strong_rand_bytes(16),
+        do_decrypt_config_map({C, H, I, PassPhrase})
+    end || H <- Hashes, C <- Ciphers, I <- Iterations],
+    ok.
+
+%% Verifies that encrypted values nested inside maps are decrypted,
+%% as required by e.g. rabbitmq_management.oauth_resource_servers.
+do_decrypt_config_map({C, H, I, P} = Algo) ->
+    case application:load(rabbit) of
+        ok -> ok;
+        {error, {already_loaded, rabbit}} -> ok
+    end,
+    Secret = <<"test_oauth_secret">>,
+    {encrypted, EncSecret} = rabbit_pbe:encrypt_term(C, H, I, P, Secret),
+    application:set_env(rabbit, test_map_decrypt,
+        #{<<"server">> => [{oauth_client_secret, {encrypted, EncSecret}}]}),
+    rabbit_prelaunch_conf:decrypt_config([rabbit], Algo),
+    {ok, Decrypted} = application:get_env(rabbit, test_map_decrypt),
+    Secret = proplists:get_value(oauth_client_secret, maps:get(<<"server">>, Decrypted)),
+    application:unset_env(rabbit, test_map_decrypt),
+    ok.
+
 encrypt_value(Key, {C, H, I, P}) ->
     {ok, Value} = application:get_env(rabbit, Key),
     {encrypted, EncValue} = rabbit_pbe:encrypt_term(C, H, I, P, Value),
diff --git a/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema b/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema
@@ -290,7 +290,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "auth_ldap.ssl_options.password", "rabbitmq_auth_backend_ldap.ssl_options.password",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "auth_ldap.ssl_options.psk_identity", "rabbitmq_auth_backend_ldap.ssl_options.psk_identity",
     [{datatype, string}]}.
diff --git a/deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets b/deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets
@@ -199,7 +199,7 @@
             [{cacertfile,"test/config_schema_SUITE_data/certs/ca_certificate.pem"},
              {certfile,"test/config_schema_SUITE_data/certs/server_certificate.pem"},
              {keyfile,"test/config_schema_SUITE_data/certs/server_key.pem"},
-             {password,"t0p$3kRe7"}]}]}],
+             {password,<<"t0p$3kRe7">>}]}]}],
   []},
  {ssl_options_tls_versions,
   "auth_ldap.use_ssl = true
diff --git a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
@@ -466,7 +466,7 @@ end}.
 {mapping, "management.oauth_client_id", "rabbitmq_management.oauth_client_id",
       [{datatype, string}]}.
 {mapping, "management.oauth_client_secret", "rabbitmq_management.oauth_client_secret",
-      [{datatype, string}]}.
+      [{datatype, [tagged_binary, binary]}]}.
 
 %% Configure OAuth2 authorization flow (defaults to code)
 {mapping, "management.oauth_response_type", "rabbitmq_management.oauth_response_type",
@@ -544,7 +544,7 @@ end}.
 {mapping,
   "management.oauth_resource_servers.$name.oauth_client_secret",
   "rabbitmq_management.oauth_resource_servers",
-  [{datatype, string}]
+  [{datatype, [tagged_binary, binary]}]
 }.
 
 {mapping,
diff --git a/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets b/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets
@@ -674,7 +674,7 @@
                           {oauth_enabled, true},
                           {oauth_provider_url, "http://localhost:8080"},
                           {oauth_client_id, "rabbitmq_client_code"},
-                          {oauth_client_secret, "rabbitmq_client_secret"},
+                          {oauth_client_secret, <<"rabbitmq_client_secret">>},
                           {oauth_scopes, "openid profile rabbitmq.*"},
                           {oauth_initiated_logon_type, idp_initiated},
                           {oauth_token_endpoint_params, [
diff --git a/deps/rabbitmq_peer_discovery_aws/priv/schema/rabbitmq_peer_discovery_aws.schema b/deps/rabbitmq_peer_discovery_aws/priv/schema/rabbitmq_peer_discovery_aws.schema
@@ -50,7 +50,7 @@ end}.
 %% secret_key
 
 {mapping, "cluster_formation.aws.secret_key", "rabbit.cluster_formation.peer_discovery_aws.aws_secret_key", [
-    {datatype, string}
+    {datatype, [tagged_string, string]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_aws.aws_secret_key",
diff --git a/deps/rabbitmq_peer_discovery_consul/priv/schema/rabbitmq_peer_discovery_consul.schema b/deps/rabbitmq_peer_discovery_consul/priv/schema/rabbitmq_peer_discovery_consul.schema
@@ -53,7 +53,7 @@ end}.
 %% ACL token
 
 {mapping, "cluster_formation.consul.acl_token", "rabbit.cluster_formation.peer_discovery_consul.consul_acl_token", [
-    {datatype, string}
+    {datatype, [tagged_string, string]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_consul.consul_acl_token",
@@ -416,7 +416,7 @@ end}.
 [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "cluster_formation.consul.ssl_options.password", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.password",
-[{datatype, string}]}.
+[{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "cluster_formation.consul.ssl_options.psk_identity", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.psk_identity",
 [{datatype, string}]}.
diff --git a/deps/rabbitmq_peer_discovery_etcd/priv/schema/rabbitmq_peer_discovery_etcd.schema b/deps/rabbitmq_peer_discovery_etcd/priv/schema/rabbitmq_peer_discovery_etcd.schema
@@ -152,7 +152,7 @@ fun(Conf) ->
 end}.
 
 {mapping, "cluster_formation.etcd.password", "rabbit.cluster_formation.peer_discovery_etcd.etcd_password", [
-    {datatype, string}
+    {datatype, [tagged_binary, binary]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_etcd.etcd_password",
@@ -226,7 +226,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "cluster_formation.etcd.ssl_options.password", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.password",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "cluster_formation.etcd.ssl_options.psk_identity", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.psk_identity",
     [{datatype, string}]}.
diff --git a/deps/rabbitmq_peer_discovery_etcd/test/config_schema_SUITE_data/rabbitmq_peer_discovery_etcd.snippets b/deps/rabbitmq_peer_discovery_etcd/test/config_schema_SUITE_data/rabbitmq_peer_discovery_etcd.snippets
@@ -72,7 +72,7 @@
             {rabbit, [
                 {cluster_formation, [
                     {peer_discovery_etcd, [
-                        {etcd_password, "rabbitmq"}
+                        {etcd_password, <<"rabbitmq">>}
                     ]}
                 ]}
             ]}
diff --git a/deps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl b/deps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
@@ -528,6 +528,11 @@ decrypt({encrypted, _} = EncValue,
     decrypt(EncValue, Algo);
 decrypt(List, Algo) when is_list(List) ->
     decrypt_list(List, Algo, []);
+decrypt(Map, Algo) when is_map(Map) ->
+    maps:fold(fun(Key, Value, {AccMap, AccAlgo}) ->
+        {NewValue, NewAlgo} = decrypt(Value, AccAlgo),
+        {maps:put(Key, NewValue, AccMap), NewAlgo}
+    end, {#{}, Algo}, Map);
 decrypt(Value, Algo) ->
     {Value, Algo}.
 
diff --git a/deps/rabbitmq_stomp/priv/schema/rabbitmq_stomp.schema b/deps/rabbitmq_stomp/priv/schema/rabbitmq_stomp.schema
@@ -189,7 +189,7 @@ end}.
 ]}.
 
 {mapping, "stomp.default_pass", "rabbitmq_stomp.default_user.passcode", [
-    {datatype, string}
+    {datatype, [tagged_binary, binary]}
 ]}.
 
 {mapping, "stomp.default_topic_exchange", "rabbitmq_stomp.default_topic_exchange", [
diff --git a/deps/rabbitmq_stomp/test/config_schema_SUITE_data/rabbitmq_stomp.snippets b/deps/rabbitmq_stomp/test/config_schema_SUITE_data/rabbitmq_stomp.snippets
@@ -66,7 +66,7 @@
    stomp.default_pass = guest
    stomp.proxy_protocol = false
    stomp.hide_server_info = false",
-  [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,"guest"}]},
+  [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,<<"guest">>}]},
                     {proxy_protocol,false},{hide_server_info,false}]}],
   [rabbitmq_stomp]},
  {ssl_cert_login,
@@ -78,7 +78,7 @@
    stomp.default_pass = guest
    stomp.implicit_connect = true
    stomp.proxy_protocol = true",
-  [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,"guest"}]},
+  [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,<<"guest">>}]},
                     {implicit_connect,true},
                     {proxy_protocol,true}]}],
   [rabbitmq_stomp]},
diff --git a/deps/rabbitmq_tracing/priv/schema/rabbitmq_tracing.schema b/deps/rabbitmq_tracing/priv/schema/rabbitmq_tracing.schema
@@ -14,5 +14,5 @@
 ]}.
 
 {mapping, "tracing.password", "rabbitmq_tracing.password", [
-    {datatype, string}
+    {datatype, [tagged_binary, binary]}
 ]}.
diff --git a/deps/rabbitmq_tracing/test/config_schema_SUITE_data/rabbitmq_tracing.snippets b/deps/rabbitmq_tracing/test/config_schema_SUITE_data/rabbitmq_tracing.snippets
@@ -9,7 +9,7 @@
     {tracing_password,
         "tracing.password = 6bc258e9eac005659a84afcc41be61d93da9f621",
         [{rabbitmq_tracing, [
-            {password, "6bc258e9eac005659a84afcc41be61d93da9f621"}
+            {password, <<"6bc258e9eac005659a84afcc41be61d93da9f621">>}
         ]}],
         [rabbitmq_tracing]}
 ].
