Merge branch 'shovel-obfuscatepassword'

author: Michael Klishin <michael@clojurewerkz.org> 2021-09-21 20:39:48 +0300
committer: Michael Klishin <michael@clojurewerkz.org> 2021-09-21 20:39:48 +0300
commit: 879e49ca7a3ac34687effcd56f783b11c06162e1 (patch)
tree: 369d03f5c8938db02293208193776b113d5936fd
parent: 0d54e71e8e1ef1f5fcac577fc49f5aaad0c5edb1 (diff)
parent: 1cabd3ccd4c8ec9bad4cdf4dbb56e4d4a10afca5 (diff)
download: rabbitmq-server-git-879e49ca7a3ac34687effcd56f783b11c06162e1.tar.gz
3 files changed, 49 insertions, 13 deletions
diff --git a/deps/rabbitmq_shovel/src/rabbit_shovel_dyn_worker_sup_sup.erl b/deps/rabbitmq_shovel/src/rabbit_shovel_dyn_worker_sup_sup.erl
index a77413cfbe..a448ab9856 100644
--- a/deps/rabbitmq_shovel/src/rabbit_shovel_dyn_worker_sup_sup.erl
+++ b/deps/rabbitmq_shovel/src/rabbit_shovel_dyn_worker_sup_sup.erl
@@ -11,6 +11,7 @@
 -export([start_link/0, init/1, adjust/2, stop_child/1, cleanup_specs/0]).
 
 -import(rabbit_misc, [pget/2]).
+-import(rabbit_data_coercion, [to_map/1, to_list/1]).
 
 -include("rabbit_shovel.hrl").
 -include_lib("rabbit_common/include/rabbit.hrl").
@@ -42,7 +43,7 @@ start_child({VHost, ShovelName} = Name, Def) ->
     rabbit_log_shovel:debug("Starting a mirrored supervisor named '~s' in virtual host '~s'", [ShovelName, VHost]),
     Result = case mirrored_supervisor:start_child(
            ?SUPERVISOR,
-           {Name, {rabbit_shovel_dyn_worker_sup, start_link, [Name, Def]},
+           {Name, {rabbit_shovel_dyn_worker_sup, start_link, [Name, obfuscated_uris_parameters(Def)]},
             transient, ?WORKER_WAIT, worker, [rabbit_shovel_dyn_worker_sup]}) of
         {ok,                      _Pid}  -> ok;
         {error, {already_started, _Pid}} -> ok
@@ -51,6 +52,11 @@ start_child({VHost, ShovelName} = Name, Def) ->
     rabbit_shovel_locks:unlock(LockId),
     Result.
 
+obfuscated_uris_parameters(Def) when is_map(Def) ->
+    to_map(rabbit_shovel_parameters:obfuscate_uris_in_definition(to_list(Def)));
+obfuscated_uris_parameters(Def) when is_list(Def) ->
+    rabbit_shovel_parameters:obfuscate_uris_in_definition(Def).
+
 child_exists(Name) ->
     lists:any(fun ({N, _, _, _}) -> N =:= Name end,
               mirrored_supervisor:which_children(?SUPERVISOR)).
diff --git a/deps/rabbitmq_shovel/src/rabbit_shovel_parameters.erl b/deps/rabbitmq_shovel/src/rabbit_shovel_parameters.erl
index a276990226..40316fb657 100644
--- a/deps/rabbitmq_shovel/src/rabbit_shovel_parameters.erl
+++ b/deps/rabbitmq_shovel/src/rabbit_shovel_parameters.erl
@@ -13,8 +13,9 @@
 
 -export([validate/5, notify/5, notify_clear/4]).
 -export([register/0, unregister/0, parse/3]).
+-export([obfuscate_uris_in_definition/1]).
 
--import(rabbit_misc, [pget/2, pget/3]).
+-import(rabbit_misc, [pget/2, pget/3, pset/3]).
 
 -rabbit_boot_step({?MODULE,
                    [{description, "shovel parameters"},
@@ -82,6 +83,16 @@ validate_amqp091_src(Def) ->
              ok
      end].
 
+obfuscate_uris_in_definition(Def) ->
+  SrcURIs  = get_uris(<<"src-uri">>, Def),
+  ObfuscatedSrcURIsDef = pset(<<"src-uri">>, obfuscate_uris(SrcURIs), Def),
+  DestURIs  = get_uris(<<"dest-uri">>, Def),
+  ObfuscatedDef = pset(<<"dest-uri">>, obfuscate_uris(DestURIs), ObfuscatedSrcURIsDef),
+  ObfuscatedDef.
+
+obfuscate_uris(URIs) ->
+  [credentials_obfuscation:encrypt(URI) || URI <- URIs].
+
 validate_amqp091_dest(Def) ->
     [case pget2(<<"dest-exchange">>, <<"dest-queue">>, Def) of
          zero -> ok;
@@ -279,7 +290,7 @@ parse_dest(VHostName, ClusterName, Def, SourceHeaders) ->
     end.
 
 parse_amqp10_dest({_VHost, _Name}, _ClusterName, Def, SourceHeaders) ->
-    Uris = get_uris(<<"dest-uri">>, Def),
+    Uris = deobfuscated_uris(<<"dest-uri">>, Def),
     Address = pget(<<"dest-address">>, Def),
     Properties =
         rabbit_data_coercion:to_proplist(
@@ -305,7 +316,7 @@ parse_amqp10_dest({_VHost, _Name}, _ClusterName, Def, SourceHeaders) ->
      }.
 
 parse_amqp091_dest({VHost, Name}, ClusterName, Def, SourceHeaders) ->
-    DestURIs  = get_uris(<<"dest-uri">>,      Def),
+    DestURIs  = deobfuscated_uris(<<"dest-uri">>,      Def),
     DestX     = pget(<<"dest-exchange">>,     Def, none),
     DestXKey  = pget(<<"dest-exchange-key">>, Def, none),
     DestQ     = pget(<<"dest-queue">>,        Def, none),
@@ -373,7 +384,7 @@ parse_amqp091_dest({VHost, Name}, ClusterName, Def, SourceHeaders) ->
                 }, Details).
 
 parse_amqp10_source(Def) ->
-    Uris = get_uris(<<"src-uri">>, Def),
+    Uris = deobfuscated_uris(<<"src-uri">>, Def),
     Address = pget(<<"src-address">>, Def),
     DeleteAfter = pget(<<"src-delete-after">>, Def, <<"never">>),
     PrefetchCount = pget(<<"src-prefetch-count">>, Def, 1000),
@@ -386,7 +397,7 @@ parse_amqp10_source(Def) ->
        consumer_args => []}, Headers}.
 
 parse_amqp091_source(Def) ->
-    SrcURIs  = get_uris(<<"src-uri">>, Def),
+    SrcURIs  = deobfuscated_uris(<<"src-uri">>, Def),
     SrcX     = pget(<<"src-exchange">>,Def, none),
     SrcXKey  = pget(<<"src-exchange-key">>, Def, <<>>), %% [1]
     SrcQ     = pget(<<"src-queue">>, Def, none),
@@ -430,6 +441,11 @@ get_uris(Key, Def) ->
            end,
     [binary_to_list(URI) || URI <- URIs].
 
+deobfuscated_uris(Key, Def) ->
+    ObfuscatedURIs = pget(Key, Def),
+    URIs = [credentials_obfuscation:decrypt(ObfuscatedURI) || ObfuscatedURI <- ObfuscatedURIs],
+    [binary_to_list(URI) || URI <- URIs].
+
 translate_ack_mode(<<"on-confirm">>) -> on_confirm;
 translate_ack_mode(<<"on-publish">>) -> on_publish;
 translate_ack_mode(<<"no-ack">>)     -> no_ack.
diff --git a/deps/rabbitmq_shovel/test/parameters_SUITE.erl b/deps/rabbitmq_shovel/test/parameters_SUITE.erl
index 004a1e65c3..ee40614983 100644
--- a/deps/rabbitmq_shovel/test/parameters_SUITE.erl
+++ b/deps/rabbitmq_shovel/test/parameters_SUITE.erl
@@ -43,9 +43,18 @@ groups() ->
 %% -------------------------------------------------------------------
 
 init_per_suite(Config) ->
+    {ok, _} = application:ensure_all_started(credentials_obfuscation),
+    Secret = crypto:strong_rand_bytes(128),
+    ok = credentials_obfuscation:set_secret(Secret),
     Config.
 
 end_per_suite(Config) ->
+    case application:stop(credentials_obfuscation) of
+      ok ->
+        ok;
+      {error, {not_started, credentials_obfuscation}} ->
+        ok
+    end,
     Config.
 
 init_per_group(_, Config) ->
@@ -54,9 +63,11 @@ init_per_group(_, Config) ->
 end_per_group(_, Config) ->
     Config.
 
-init_per_testcase(_Testcase, Config) -> Config.
+init_per_testcase(_Testcase, Config) ->
+  Config.
 
-end_per_testcase(_Testcase, Config) -> Config.
+end_per_testcase(_Testcase, Config) ->
+  Config.
 
 
 %% -------------------------------------------------------------------
@@ -140,8 +151,9 @@ parse_amqp091_empty_proplists(_Config) ->
 
 
 test_parse_amqp091(Params) ->
+    ObfuscatedParams = rabbit_shovel_parameters:obfuscate_uris_in_definition(Params),
     {ok, Result} = rabbit_shovel_parameters:parse({"vhost", "name"},
-                                                  "my-cluster", Params),
+                                                  "my-cluster", ObfuscatedParams),
     #{ack_mode := on_publish,
       name := "name",
       reconnect_delay := 1001,
@@ -165,8 +177,9 @@ test_parse_amqp091(Params) ->
     ok.
 
 test_parse_amqp091_with_blank_proprties(Params) ->
+    ObfuscatedParams = rabbit_shovel_parameters:obfuscate_uris_in_definition(Params),
     {ok, Result} = rabbit_shovel_parameters:parse({"vhost", "name"},
-                                                  "my-cluster", Params),
+                                                  "my-cluster", ObfuscatedParams),
     #{ack_mode := on_publish,
       name := "name",
       reconnect_delay := 1001,
@@ -229,7 +242,7 @@ parse_amqp10(_Config) ->
                                             <<"message-ann-value">>}]},
          {<<"dest-properties">>, [{<<"user_id">>, <<"some-user">>}]}
         ],
-
+    ObfuscatedParams = rabbit_shovel_parameters:obfuscate_uris_in_definition(Params),
     ?assertMatch(
        {ok, #{name := "my_shovel",
               ack_mode := on_publish,
@@ -252,7 +265,7 @@ parse_amqp10(_Config) ->
                        }
              }},
         rabbit_shovel_parameters:parse({"vhost", "my_shovel"}, "my-cluster",
-                                       Params)),
+                                       ObfuscatedParams)),
     ok.
 
 parse_amqp10_minimal(_Config) ->
@@ -266,6 +279,7 @@ parse_amqp10_minimal(_Config) ->
          {<<"dest-uri">>, <<"amqp://remotehost:5672">>},
          {<<"dest-address">>, <<"a-dest-queue">>}
         ],
+    ObfuscatedParams = rabbit_shovel_parameters:obfuscate_uris_in_definition(Params),
     ?assertMatch(
        {ok, #{name := "my_shovel",
               ack_mode := on_confirm,
@@ -281,7 +295,7 @@ parse_amqp10_minimal(_Config) ->
                        }
              }},
         rabbit_shovel_parameters:parse({"vhost", "my_shovel"}, "my-cluster",
-                                       Params)),
+                                       ObfuscatedParams)),
     ok.
 
 validate_amqp10(_Config) ->
author	Michael Klishin <michael@clojurewerkz.org>	2021-09-21 20:39:48 +0300
committer	Michael Klishin <michael@clojurewerkz.org>	2021-09-21 20:39:48 +0300
commit	879e49ca7a3ac34687effcd56f783b11c06162e1 (patch)
tree	369d03f5c8938db02293208193776b113d5936fd
parent	0d54e71e8e1ef1f5fcac577fc49f5aaad0c5edb1 (diff)
parent	1cabd3ccd4c8ec9bad4cdf4dbb56e4d4a10afca5 (diff)
download	rabbitmq-server-git-879e49ca7a3ac34687effcd56f783b11c06162e1.tar.gz