Merge pull request #4850 from rabbitmq/mergify/bp/v3.9.x/pr-4847

Implement fallback secret for credentials obfuscation (by @luos) (backport #4841) (backport #4847)
rabbitmq · May 19, 2022 · 21eb98e · 21eb98e
2 parents 7b3d155 + f5f1627
commit 21eb98e
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 17 deletions.
diff --git a/deps/rabbit/BUILD.bazel b/deps/rabbit/BUILD.bazel
@@ -147,7 +147,8 @@ _APP_ENV = """[
 	    %% interval at which connection/channel tracking executes post operations
 	    {tracking_execution_timeout, 15000},
 	    {stream_messages_soft_limit, 256},
-        {track_auth_attempt_source, false}
+        {track_auth_attempt_source, false},
+        {credentials_obfuscation_fallback_secret, <<"nocookie">>}
 	  ]
 """
 

diff --git a/deps/rabbit/Makefile b/deps/rabbit/Makefile
@@ -122,7 +122,8 @@ define PROJECT_ENV
 	    %% interval at which connection/channel tracking executes post operations
 	    {tracking_execution_timeout, 15000},
 	    {stream_messages_soft_limit, 256},
-        {track_auth_attempt_source, false}
+      {track_auth_attempt_source, false},
+			{credentials_obfuscation_fallback_secret, <<"nocookie">>}
 	  ]
 endef
 

diff --git a/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl b/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
@@ -71,7 +71,6 @@ setup(Context) ->
                     #{config_files => [],
                       config_advanced_file => undefined}
             end,
-    ok = set_credentials_obfuscation_secret(),
     ?LOG_DEBUG(
       "Saving config state to application env: ~p", [State],
       #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
@@ -395,24 +394,35 @@ apply_erlang_term_based_config([]) ->
     ok.
 
 apply_app_env_vars(App, [{Var, Value} | Rest]) ->
-    ?LOG_DEBUG("    - ~s = ~p", [Var, Value],
-               #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
+    log_app_env_var(Var, Value),
     ok = application:set_env(App, Var, Value, [{persistent, true}]),
     apply_app_env_vars(App, Rest);
 apply_app_env_vars(_, []) ->
     ok.
 
-set_credentials_obfuscation_secret() ->
-    ?LOG_DEBUG(
-      "Refreshing credentials obfuscation configuration from env: ~p",
-      [application:get_all_env(credentials_obfuscation)],
-      #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
-    ok = credentials_obfuscation:refresh_config(),
-    CookieBin = rabbit_data_coercion:to_binary(erlang:get_cookie()),
-    ?LOG_DEBUG(
-      "Setting credentials obfuscation secret to '~s'", [CookieBin],
-      #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
-    ok = credentials_obfuscation:set_secret(CookieBin).
+log_app_env_var(password = Var, _) ->
+    ?LOG_DEBUG("    - ~s = ~p", [Var, "********"],
+               #{domain => ?RMQLOG_DOMAIN_PRELAUNCH});
+log_app_env_var(Var, Value) when is_list(Value) ->
+    % to redact sensitive entries, e.g. {password,"********"} for stream replication over TLS
+    Redacted = redact_env_var(Value),
+    ?LOG_DEBUG("    - ~s = ~p", [Var, Redacted],
+               #{domain => ?RMQLOG_DOMAIN_PRELAUNCH});
+log_app_env_var(Var, Value) ->
+    ?LOG_DEBUG("    - ~s = ~p", [Var, Value],
+               #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}).
+
+redact_env_var(Value) when is_list(Value) ->
+    redact_env_var(Value, []);
+redact_env_var(Value) ->
+    Value.
+
+redact_env_var([], Acc) ->
+    Acc;
+redact_env_var([{password, _V} | T], Acc) ->
+    redact_env_var(T, Acc ++ [{password, "********"}]);
+redact_env_var([H | T], Acc) ->
+    redact_env_var(T, Acc ++ [H]).
 
 %% -------------------------------------------------------------------
 %% Config decryption.

diff --git a/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_dist.erl b/deps/rabbit/apps/rabbitmq_prelaunch/src/rabbit_prelaunch_dist.erl
@@ -32,6 +32,8 @@ setup(#{nodename := Node, nodename_type := NameType} = Context) ->
             throw({error, {erlang_dist_running_with_unexpected_nodename,
                            Unexpected, Node}})
     end,
+    ok = set_credentials_obfuscation_secret(),
+
     ok.
 
 do_setup(#{nodename := Node,
@@ -131,3 +133,21 @@ dist_port_use_check_fail(Port, Host) ->
         [Name] ->
             throw({error, {dist_port_already_used, Port, Name, Host}})
     end.
+
+set_credentials_obfuscation_secret() ->
+    ?LOG_DEBUG(
+        "Refreshing credentials obfuscation configuration from env: ~p",
+        [application:get_all_env(credentials_obfuscation)],
+        #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
+    ok = credentials_obfuscation:refresh_config(),
+    CookieBin = rabbit_data_coercion:to_binary(erlang:get_cookie()),
+    ?LOG_DEBUG(
+        "Setting credentials obfuscation secret to '~s'", [CookieBin],
+        #{domain => ?RMQLOG_DOMAIN_PRELAUNCH}),
+    ok = credentials_obfuscation:set_secret(CookieBin),
+    Fallback = application:get_env(rabbit, 
+                                   credentials_obfuscation_fallback_secret, 
+                                   <<"nocookie">>),
+    ok = credentials_obfuscation:set_fallback_secret(Fallback).
+
+
diff --git a/deps/rabbit/test/cluster_SUITE.erl b/deps/rabbit/test/cluster_SUITE.erl
@@ -8,6 +8,8 @@
 -module(cluster_SUITE).
 
 -include_lib("common_test/include/ct.hrl").
+-include_lib("eunit/include/eunit.hrl").
+-include_lib("eunit/include/eunit.hrl").
 -include_lib("amqp_client/include/amqp_client.hrl").
 -include("amqqueue.hrl").
 
@@ -26,14 +28,18 @@
 
 all() ->
     [
-      {group, cluster_tests}
+      {group, cluster_tests},
+      {group, stop_app_tests}
     ].
 
 groups() ->
     [
       {cluster_tests, [], [
           {from_cluster_node1, [], ?CLUSTER_TESTCASES},
           {from_cluster_node2, [], ?CLUSTER_TESTCASES}
+        ]},
+        {stop_app_tests, [], [
+            credentials_obfuscation
         ]}
     ].
 
@@ -305,3 +311,41 @@ queue_name(Config, Name) ->
 
 queue_name(Name) ->
     rabbit_misc:r(<<"/">>, queue, Name).
+
+credentials_obfuscation(Config) ->
+    case rabbit_ct_helpers:is_mixed_versions() of
+        false ->
+          case rabbit_ct_broker_helpers:enable_feature_flag(Config, virtual_host_metadata) of
+              ok ->
+                    Value = <<"amqp://something">>,
+                    Obfuscated0 = obfuscate_secret(Config, 0, Value),
+                    Obfuscated1 = obfuscate_secret(Config, 1, Value),
+
+                    ok = rabbit_ct_broker_helpers:restart_broker(Config, 1),
+
+                    ?assertEqual(Value, deobfuscate_secret(Config, 0, Obfuscated0)),
+                    ?assertEqual(Value, deobfuscate_secret(Config, 1, Obfuscated1)),
+                    ?assertEqual(Value, deobfuscate_secret(Config, 0, Obfuscated1)),
+                    ?assertEqual(Value, deobfuscate_secret(Config, 1, Obfuscated1)),
+
+                    Obfuscated2 = obfuscate_secret(Config, 1, Value),
+
+                    ok = rabbit_ct_broker_helpers:restart_broker(Config, 0),
+
+                    ?assertEqual(Value, deobfuscate_secret(Config, 0, Obfuscated2)),
+                    ok;
+              Skip ->
+                  Skip
+          end;
+        _ ->
+          %% skip the test in mixed version mode
+          {skip, "Should not run in mixed version environments"}
+      end.
+obfuscate_secret(Config, Node, Value) -> 
+    {encrypted, _} = Result = rabbit_ct_broker_helpers:rpc(Config, Node, 
+        credentials_obfuscation, encrypt, [Value]),
+    Result.
+
+deobfuscate_secret(Config, Node, Encrypted) ->
+    rabbit_ct_broker_helpers:rpc(Config, Node, 
+        credentials_obfuscation, decrypt, [Encrypted]).