diff --git a/deps/rabbit/priv/schema/rabbit.schema b/deps/rabbit/priv/schema/rabbit.schema index 2f7ae1f89c5f..7b708dcdc9ca 100644 --- a/deps/rabbit/priv/schema/rabbit.schema +++ b/deps/rabbit/priv/schema/rabbit.schema @@ -2012,7 +2012,7 @@ end}. [{datatype, {enum, [true, false]}}]}. {mapping, "log.syslog.ssl_options.password", "syslog.protocol", - [{datatype, string}]}. + [{datatype, [tagged_binary, binary]}]}. {mapping, "log.syslog.ssl_options.psk_identity", "syslog.protocol", [{datatype, string}]}. @@ -3012,7 +3012,7 @@ end}. [{datatype, {enum, [true, false]}}]}. {mapping, "amqp10_client.ssl_options.password", "amqp10_client.ssl_options.password", - [{datatype, string}]}. + [{datatype, [tagged_binary, binary]}]}. {mapping, "amqp10_client.ssl_options.psk_identity", "amqp10_client.ssl_options.psk_identity", [{datatype, string}]}. @@ -3120,7 +3120,7 @@ end}. [{datatype, {enum, [true, false]}}]}. {mapping, "amqp_client.ssl_options.password", "amqp_client.ssl_options.password", - [{datatype, string}]}. + [{datatype, [tagged_binary, binary]}]}. {mapping, "amqp_client.ssl_options.psk_identity", "amqp_client.ssl_options.psk_identity", [{datatype, string}]}. diff --git a/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets b/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets index 355b3d3dd73a..649d097f30a4 100644 --- a/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets +++ b/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets @@ -1376,7 +1376,7 @@ credential_validator.regexp = ^abc\\d+", [{cacertfile,"test/config_schema_SUITE_data/certs/ca_certificate.pem"}, {certfile,"test/config_schema_SUITE_data/certs/server_certificate.pem"}, {keyfile,"test/config_schema_SUITE_data/certs/server_key.pem"}, - {password,"t0p$3kRe7"}]}]}], + {password,<<"t0p$3kRe7">>}]}]}], []}, {amqp_client_ssl_options_tls_versions, "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/ca_certificate.pem 
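Review bot: Nothing in this diff shows that the `syslog`, `amqp10_client` and `amqp_client` application environments, which the three password mappings in rabbit.schema write into, are covered by the boot-time call to `rabbit_prelaunch_conf:decrypt_config/2`; the new test passes `[rabbit]` explicitly. If one of them is not covered, the TLS code would presumably receive the undecrypted tagged term instead of the password, so this is worth confirming and pinning with a test. These mappings, and the `[tagged_binary, binary]` changes in the LDAP, management, Consul, etcd, STOMP and tracing schemas, also change a plain value from an Erlang string to a binary, so readers of those keys that still expect a list should be checked. A short comment on each mapping, e.g. `%% Plain or tagged (encrypted) value; stored as a binary.`, would record the new contract.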
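Review bot: The expected term for the `amqp_client.ssl_options.password` snippet only changes from a string to a binary, so the tagged form that the schema now accepts is never exercised. The same holds for the other snippet hunks in this commit (the second rabbit.snippets hunk, LDAP, management, etcd, STOMP and tracing), and no snippet is touched for `cluster_formation.aws.secret_key` or `cluster_formation.consul.acl_token`. One snippet per schema with a tagged value and its expected parsed term would pin the new datatype. The snippet entry starts and ends outside the hunk.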
@@ -1481,7 +1481,7 @@ credential_validator.regexp = ^abc\\d+", [{cacertfile,"test/config_schema_SUITE_data/certs/ca_certificate.pem"}, {certfile,"test/config_schema_SUITE_data/certs/server_certificate.pem"}, {keyfile,"test/config_schema_SUITE_data/certs/server_key.pem"}, - {password,"t0p$3kRe7"}]}]}], + {password,<<"t0p$3kRe7">>}]}]}], []}, {amqp10_client_ssl_options_tls_versions, "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/ca_certificate.pem diff --git a/deps/rabbit/test/unit_config_value_encryption_SUITE.erl b/deps/rabbit/test/unit_config_value_encryption_SUITE.erl index fbd8b0f4b51c..914d5c120261 100644 --- a/deps/rabbit/test/unit_config_value_encryption_SUITE.erl +++ b/deps/rabbit/test/unit_config_value_encryption_SUITE.erl @@ -30,6 +30,7 @@ groups() -> decrypt_start_app_undefined, decrypt_start_app_wrong_passphrase, decrypt_config, + decrypt_config_map, rabbitmqctl_encode ]} ]. 
@@ -105,6 +106,33 @@ do_decrypt_config(Algo = {C, H, I, P}) -> ok = application:unload(rabbit), ok. +decrypt_config_map(_Config) -> + Hashes = rabbit_pbe:supported_hashes() -- ?SKIPPED_HASHES, + Ciphers = rabbit_pbe:supported_ciphers() -- ?SKIPPED_CIPHERS, + Iterations = [1, 100, 1000], + _ = [begin + PassPhrase = crypto:strong_rand_bytes(16), + do_decrypt_config_map({C, H, I, PassPhrase}) + end || H <- Hashes, C <- Ciphers, I <- Iterations], + ok. + +%% Verifies that encrypted values nested inside maps are decrypted, +%% as required by e.g. rabbitmq_management.oauth_resource_servers. +do_decrypt_config_map({C, H, I, P} = Algo) -> + case application:load(rabbit) of + ok -> ok; + {error, {already_loaded, rabbit}} -> ok + end, + Secret = <<"test_oauth_secret">>, + {encrypted, EncSecret} = rabbit_pbe:encrypt_term(C, H, I, P, Secret), + application:set_env(rabbit, test_map_decrypt, + #{<<"server">> => [{oauth_client_secret, {encrypted, EncSecret}}]}), + rabbit_prelaunch_conf:decrypt_config([rabbit], Algo), + {ok, Decrypted} = application:get_env(rabbit, test_map_decrypt), + Secret = proplists:get_value(oauth_client_secret, maps:get(<<"server">>, Decrypted)), + application:unset_env(rabbit, test_map_decrypt), + ok. + encrypt_value(Key, {C, H, I, P}) -> {ok, Value} = application:get_env(rabbit, Key), {encrypted, EncValue} = rabbit_pbe:encrypt_term(C, H, I, P, Value), diff --git a/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema b/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema index 5c8f27c5922b..73eeab84aeb1 100644 --- a/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema +++ b/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema 
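Review bot: The map built in `do_decrypt_config_map` only holds an encrypted value inside a proplist, so a map whose value is itself `{encrypted, _}`, or a map nested in a map, never reaches the new clause under test. Adding an entry such as `<<"direct">> => {encrypted, EncSecret}` and asserting `Secret = maps:get(<<"direct">>, Decrypted)` would cover the first case. Separately, `application:unset_env(rabbit, test_map_decrypt)` is skipped when either match above it fails, and unlike the tail of `do_decrypt_config` visible as context (`ok = application:unload(rabbit)`), this helper loads `rabbit` but never unloads it. Moving the cleanup into a `try ... after` would keep one failing combination from leaking state into the next.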
@@ -290,7 +290,7 @@ end}. [{datatype, {enum, [true, false]}}]}. {mapping, "auth_ldap.ssl_options.password", "rabbitmq_auth_backend_ldap.ssl_options.password", - [{datatype, string}]}. + [{datatype, [tagged_binary, binary]}]}. {mapping, "auth_ldap.ssl_options.psk_identity", "rabbitmq_auth_backend_ldap.ssl_options.psk_identity", [{datatype, string}]}. diff --git a/deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets b/deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets index adc25d8b8a0e..e10ec7ffe955 100644 --- a/deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets +++ b/deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets @@ -199,7 +199,7 @@ [{cacertfile,"test/config_schema_SUITE_data/certs/ca_certificate.pem"}, {certfile,"test/config_schema_SUITE_data/certs/server_certificate.pem"}, {keyfile,"test/config_schema_SUITE_data/certs/server_key.pem"}, - {password,"t0p$3kRe7"}]}]}], + {password,<<"t0p$3kRe7">>}]}]}], []}, {ssl_options_tls_versions, "auth_ldap.use_ssl = true diff --git a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema index b061b3b64644..1db17952870c 100644 --- a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema +++ b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema @@ -466,7 +466,7 @@ end}. {mapping, "management.oauth_client_id", "rabbitmq_management.oauth_client_id", [{datatype, string}]}. {mapping, "management.oauth_client_secret", "rabbitmq_management.oauth_client_secret", - [{datatype, string}]}. + [{datatype, [tagged_binary, binary]}]}. %% Configure OAuth2 authorization flow (defaults to code) {mapping, "management.oauth_response_type", "rabbitmq_management.oauth_response_type", 
@@ -544,7 +544,7 @@ end}. {mapping, "management.oauth_resource_servers.$name.oauth_client_secret", "rabbitmq_management.oauth_resource_servers", - [{datatype, string}] + [{datatype, [tagged_binary, binary]}] }. {mapping, diff --git a/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets b/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets index a3f0ee8fd5a7..e6d750f76018 100644 --- a/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets +++ b/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets @@ -674,7 +674,7 @@ {oauth_enabled, true}, {oauth_provider_url, "http://localhost:8080"}, {oauth_client_id, "rabbitmq_client_code"}, - {oauth_client_secret, "rabbitmq_client_secret"}, + {oauth_client_secret, <<"rabbitmq_client_secret">>}, {oauth_scopes, "openid profile rabbitmq.*"}, {oauth_initiated_logon_type, idp_initiated}, {oauth_token_endpoint_params, [ diff --git a/deps/rabbitmq_peer_discovery_aws/priv/schema/rabbitmq_peer_discovery_aws.schema b/deps/rabbitmq_peer_discovery_aws/priv/schema/rabbitmq_peer_discovery_aws.schema index 5a9249cb2810..cc84c4714aba 100644 --- a/deps/rabbitmq_peer_discovery_aws/priv/schema/rabbitmq_peer_discovery_aws.schema +++ b/deps/rabbitmq_peer_discovery_aws/priv/schema/rabbitmq_peer_discovery_aws.schema @@ -50,7 +50,7 @@ end}. %% secret_key {mapping, "cluster_formation.aws.secret_key", "rabbit.cluster_formation.peer_discovery_aws.aws_secret_key", [ - {datatype, string} + {datatype, [tagged_string, string]} ]}. {translation, "rabbit.cluster_formation.peer_discovery_aws.aws_secret_key", diff --git a/deps/rabbitmq_peer_discovery_consul/priv/schema/rabbitmq_peer_discovery_consul.schema b/deps/rabbitmq_peer_discovery_consul/priv/schema/rabbitmq_peer_discovery_consul.schema index 96ebba4f4668..21e6f5c4f7b7 100644 --- a/deps/rabbitmq_peer_discovery_consul/priv/schema/rabbitmq_peer_discovery_consul.schema 
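Review bot: `cluster_formation.aws.secret_key` is given `[tagged_string, string]` while the other secrets in this commit get `[tagged_binary, binary]`, and the reason is not recorded; the Consul `acl_token` hunk does the same. Both mappings are followed by a `{translation, ...}` whose body is outside the hunk, so it cannot be seen here whether the translation passes a tagged term through unchanged. Suggest a comment such as `%% Kept as a string because <reason>; a tagged value is decrypted at boot.` on both mappings, and a check of the two translation funs against a tagged input.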
+++ b/deps/rabbitmq_peer_discovery_consul/priv/schema/rabbitmq_peer_discovery_consul.schema @@ -53,7 +53,7 @@ end}. %% ACL token {mapping, "cluster_formation.consul.acl_token", "rabbit.cluster_formation.peer_discovery_consul.consul_acl_token", [ - {datatype, string} + {datatype, [tagged_string, string]} ]}. {translation, "rabbit.cluster_formation.peer_discovery_consul.consul_acl_token", @@ -416,7 +416,7 @@ end}. [{datatype, {enum, [true, false]}}]}. {mapping, "cluster_formation.consul.ssl_options.password", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.password", -[{datatype, string}]}. +[{datatype, [tagged_binary, binary]}]}. {mapping, "cluster_formation.consul.ssl_options.psk_identity", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.psk_identity", [{datatype, string}]}. diff --git a/deps/rabbitmq_peer_discovery_etcd/priv/schema/rabbitmq_peer_discovery_etcd.schema b/deps/rabbitmq_peer_discovery_etcd/priv/schema/rabbitmq_peer_discovery_etcd.schema index 060116334e16..0f783acc3ad6 100644 --- a/deps/rabbitmq_peer_discovery_etcd/priv/schema/rabbitmq_peer_discovery_etcd.schema +++ b/deps/rabbitmq_peer_discovery_etcd/priv/schema/rabbitmq_peer_discovery_etcd.schema @@ -152,7 +152,7 @@ fun(Conf) -> end}. {mapping, "cluster_formation.etcd.password", "rabbit.cluster_formation.peer_discovery_etcd.etcd_password", [ - {datatype, string} + {datatype, [tagged_binary, binary]} ]}. {translation, "rabbit.cluster_formation.peer_discovery_etcd.etcd_password", @@ -226,7 +226,7 @@ end}. [{datatype, {enum, [true, false]}}]}. {mapping, "cluster_formation.etcd.ssl_options.password", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.password", - [{datatype, string}]}. + [{datatype, [tagged_binary, binary]}]}. {mapping, "cluster_formation.etcd.ssl_options.psk_identity", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.psk_identity", [{datatype, string}]}. 
diff --git a/deps/rabbitmq_peer_discovery_etcd/test/config_schema_SUITE_data/rabbitmq_peer_discovery_etcd.snippets b/deps/rabbitmq_peer_discovery_etcd/test/config_schema_SUITE_data/rabbitmq_peer_discovery_etcd.snippets index 01bcf6ef1784..d2d4135f4053 100644 --- a/deps/rabbitmq_peer_discovery_etcd/test/config_schema_SUITE_data/rabbitmq_peer_discovery_etcd.snippets +++ b/deps/rabbitmq_peer_discovery_etcd/test/config_schema_SUITE_data/rabbitmq_peer_discovery_etcd.snippets @@ -72,7 +72,7 @@ {rabbit, [ {cluster_formation, [ {peer_discovery_etcd, [ - {etcd_password, "rabbitmq"} + {etcd_password, <<"rabbitmq">>} ]} ]} ]} diff --git a/deps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl b/deps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl index c477737bbda5..77d6eb651844 100644 --- a/deps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl +++ b/deps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl @@ -528,6 +528,11 @@ decrypt({encrypted, _} = EncValue, decrypt(EncValue, Algo); decrypt(List, Algo) when is_list(List) -> decrypt_list(List, Algo, []); +decrypt(Map, Algo) when is_map(Map) -> + maps:fold(fun(Key, Value, {AccMap, AccAlgo}) -> + {NewValue, NewAlgo} = decrypt(Value, AccAlgo), + {maps:put(Key, NewValue, AccMap), NewAlgo} + end, {#{}, Algo}, Map); decrypt(Value, Algo) -> {Value, Algo}. diff --git a/deps/rabbitmq_stomp/priv/schema/rabbitmq_stomp.schema b/deps/rabbitmq_stomp/priv/schema/rabbitmq_stomp.schema index 15b97336ec75..c65a44343058 100644 --- a/deps/rabbitmq_stomp/priv/schema/rabbitmq_stomp.schema +++ b/deps/rabbitmq_stomp/priv/schema/rabbitmq_stomp.schema @@ -189,7 +189,7 @@ end}. ]}. {mapping, "stomp.default_pass", "rabbitmq_stomp.default_user.passcode", [ - {datatype, string} + {datatype, [tagged_binary, binary]} ]}. {mapping, "stomp.default_topic_exchange", "rabbitmq_stomp.default_topic_exchange", [ 
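Review bot: The new `decrypt(Map, Algo)` clause in rabbit_prelaunch_conf.erl has no comment saying that only map values are decrypted, that keys are copied as they are, and that `Algo` is threaded through the fold because each nested `decrypt/2` call returns a possibly updated one. Suggest `%% Maps: decrypt values only, keys are kept; Algo is threaded as decrypt/2 may return an updated one.` above the clause. As a matter of style, `maps:put(Key, NewValue, AccMap)` could be written `AccMap#{Key => NewValue}`. `decrypt/2` begins above the hunk, so whether a tuple other than `{encrypted, _}` nested in a map value is walked depends on clauses not shown here.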
diff --git a/deps/rabbitmq_stomp/test/config_schema_SUITE_data/rabbitmq_stomp.snippets b/deps/rabbitmq_stomp/test/config_schema_SUITE_data/rabbitmq_stomp.snippets index 08433d4d5d66..3b9a9a145929 100644 --- a/deps/rabbitmq_stomp/test/config_schema_SUITE_data/rabbitmq_stomp.snippets +++ b/deps/rabbitmq_stomp/test/config_schema_SUITE_data/rabbitmq_stomp.snippets @@ -66,7 +66,7 @@ stomp.default_pass = guest stomp.proxy_protocol = false stomp.hide_server_info = false", - [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,"guest"}]}, + [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,<<"guest">>}]}, {proxy_protocol,false},{hide_server_info,false}]}], [rabbitmq_stomp]}, {ssl_cert_login, @@ -78,7 +78,7 @@ stomp.default_pass = guest stomp.implicit_connect = true stomp.proxy_protocol = true", - [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,"guest"}]}, + [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,<<"guest">>}]}, {implicit_connect,true}, {proxy_protocol,true}]}], [rabbitmq_stomp]}, diff --git a/deps/rabbitmq_tracing/priv/schema/rabbitmq_tracing.schema b/deps/rabbitmq_tracing/priv/schema/rabbitmq_tracing.schema index 74219721fa3d..2c7f728c20d9 100644 --- a/deps/rabbitmq_tracing/priv/schema/rabbitmq_tracing.schema +++ b/deps/rabbitmq_tracing/priv/schema/rabbitmq_tracing.schema @@ -14,5 +14,5 @@ ]}. {mapping, "tracing.password", "rabbitmq_tracing.password", [ - {datatype, string} + {datatype, [tagged_binary, binary]} ]}. diff --git a/deps/rabbitmq_tracing/test/config_schema_SUITE_data/rabbitmq_tracing.snippets b/deps/rabbitmq_tracing/test/config_schema_SUITE_data/rabbitmq_tracing.snippets index 543d367c283f..2294f3715c8c 100644 --- a/deps/rabbitmq_tracing/test/config_schema_SUITE_data/rabbitmq_tracing.snippets +++ b/deps/rabbitmq_tracing/test/config_schema_SUITE_data/rabbitmq_tracing.snippets 
@@ -9,7 +9,7 @@ {tracing_password, "tracing.password = 6bc258e9eac005659a84afcc41be61d93da9f621", [{rabbitmq_tracing, [ - {password, "6bc258e9eac005659a84afcc41be61d93da9f621"} + {password, <<"6bc258e9eac005659a84afcc41be61d93da9f621">>} ]}], [rabbitmq_tracing]} ].