Merge pull request #994 from rabbitmq/rabbitmq-server-979

Add optional password based encryption of configuration values

Author: kjnilsson

include/rabbit_cli.hrl

@@ -31,6 +31,12 @@
 -define(ONLINE_OPT, "--online").
 -define(LOCAL_OPT, "--local").
 
+-define(DECODE_OPT, "--decode").
+-define(CIPHER_OPT, "--cipher").
+-define(HASH_OPT, "--hash").
+-define(ITERATIONS_OPT, "--iterations").
+-define(LIST_CIPHERS_OPT, "--list-ciphers").
+-define(LIST_HASHES_OPT, "--list-hashes").
 
 -define(NODE_DEF(Node), {?NODE_OPT, {option, Node}}).
 -define(QUIET_DEF, {?QUIET_OPT, flag}).
@@ -48,6 +54,13 @@
 -define(OFFLINE_DEF, {?OFFLINE_OPT, flag}).
 -define(ONLINE_DEF, {?ONLINE_OPT, flag}).
 -define(LOCAL_DEF, {?LOCAL_OPT, flag}).
+-define(DECODE_DEF, {?DECODE_OPT, flag}).
+-define(CIPHER_DEF, {?CIPHER_OPT, {option, atom_to_list(rabbit_pbe:default_cipher())}}).
+-define(HASH_DEF, {?HASH_OPT, {option, atom_to_list(rabbit_pbe:default_hash())}}).
+-define(ITERATIONS_DEF, {?ITERATIONS_OPT, {option, integer_to_list(rabbit_pbe:default_iterations())}}).
+-define(LIST_CIPHERS_DEF, {?LIST_CIPHERS_OPT, flag}).
+-define(LIST_HASHES_DEF, {?LIST_HASHES_OPT, flag}).
+
 
 %% Subset of standartized exit codes from sysexits.h, see
 %% https://github.com/rabbitmq/rabbitmq-server/issues/396 for discussion.

src/rabbit.app.src

@@ -100,6 +100,12 @@
          %% see rabbitmq-server#248
          %% and rabbitmq-server#667
          {channel_operation_timeout, 15000},
+         {decoder_config, [
+             {cipher, aes_cbc256},
+             {hash, sha512},
+             {iterations, 1000},
+             {passphrase, undefined}
+         ]},
          %% rabbitmq-server-973
          {lazy_queue_explicit_gc_run_operation_threshold, 250}
         ]}]}.

src/rabbit.erl

@@ -24,7 +24,7 @@
          start_fhc/0]).
 -export([start/2, stop/1, prep_stop/1]).
 -export([start_apps/1, stop_apps/1]).
--export([log_location/1, config_files/0]). %% for testing and mgmt-agent
+-export([log_location/1, config_files/0, decrypt_config/2]). %% for testing and mgmt-agent
 
 %%---------------------------------------------------------------------------
 %% Boot steps.
@@ -442,6 +442,38 @@ stop_and_halt() ->
 
 start_apps(Apps) ->
     app_utils:load_applications(Apps),
+
+    DecoderConfig = case application:get_env(rabbit, decoder_config) of
+        undefined ->
+            [];
+        {ok, Val} ->
+            Val
+    end,
+    PassPhrase = case proplists:get_value(passphrase, DecoderConfig) of
+        prompt ->
+            IoDevice = get_input_iodevice(),
+            io:setopts(IoDevice, [{echo, false}]),
+            PP = lists:droplast(io:get_line(IoDevice,
+                "\nPlease enter the passphrase to unlock encrypted "
+                "configuration entries.\n\nPassphrase: ")),
+            io:setopts(IoDevice, [{echo, true}]),
+            io:format(IoDevice, "~n", []),
+            PP;
+        {file, Filename} ->
+            {ok, File} = file:read_file(Filename),
+            [PP|_] = binary:split(File, [<<"\r\n">>, <<"\n">>]),
+            PP;
+        PP ->
+            PP
+    end,
+    Algo = {
+        proplists:get_value(cipher, DecoderConfig, rabbit_pbe:default_cipher()),
+        proplists:get_value(hash, DecoderConfig, rabbit_pbe:default_hash()),
+        proplists:get_value(iterations, DecoderConfig, rabbit_pbe:default_iterations()),
+        PassPhrase
+    },
+    decrypt_config(Apps, Algo),
+
     OrderedApps = app_utils:app_dependency_order(Apps, false),
     case lists:member(rabbit, Apps) of
         false -> rabbit_boot_steps:run_boot_steps(Apps); %% plugin activation
@@ -450,6 +482,78 @@ start_apps(Apps) ->
     ok = app_utils:start_applications(OrderedApps,
                                       handle_app_error(could_not_start)).
 
+%% This function retrieves the correct IoDevice for requesting
+%% input. The problem with using the default IoDevice is that
+%% the Erlang shell prevents us from getting the input.
+%%
+%% Instead we therefore look for the io process used by the
+%% shell and if it can't be found (because the shell is not
+%% started e.g with -noshell) we use the 'user' process.
+%%
+%% This function will not work when either -oldshell or -noinput
+%% options are passed to erl.
+get_input_iodevice() ->
+    case whereis(user) of
+        undefined -> user;
+        User ->
+            case group:interfaces(User) of
+                [] ->
+                    user;
+                [{user_drv, Drv}] ->
+                    case user_drv:interfaces(Drv) of
+                        [] ->
+                            user;
+                        [{current_group, IoDevice}] ->
+                            IoDevice
+                    end
+            end
+    end.
+
+decrypt_config([], _) ->
+    ok;
+decrypt_config([App|Apps], Algo) ->
+    decrypt_app(App, application:get_all_env(App), Algo),
+    decrypt_config(Apps, Algo).
+
+decrypt_app(_, [], _) ->
+    ok;
+decrypt_app(App, [{Key, Value}|Tail], Algo) ->
+    try begin
+            case decrypt(Value, Algo) of
+                Value ->
+                    ok;
+                NewValue ->
+                    application:set_env(App, Key, NewValue)
+            end
+        end
+    catch
+        exit:{bad_configuration, decoder_config} ->
+            exit({bad_configuration, decoder_config});
+        _:Msg ->
+            rabbit_log:info("Error while decrypting key '~p'. Please check encrypted value, passphrase, and encryption configuration~n", [Key]),
+            exit({decryption_error, {key, Key}, Msg})
+    end,
+    decrypt_app(App, Tail, Algo).
+
+decrypt({encrypted, _}, {_, _, _, undefined}) ->
+    exit({bad_configuration, decoder_config});
+decrypt({encrypted, EncValue}, {Cipher, Hash, Iterations, Password}) ->
+    rabbit_pbe:decrypt_term(Cipher, Hash, Iterations, Password, EncValue);
+decrypt(List, Algo) when is_list(List) ->
+    decrypt_list(List, Algo, []);
+decrypt(Value, _) ->
+    Value.
+
+%% We make no distinction between strings and other lists.
+%% When we receive a string, we loop through each element
+%% and ultimately return the string unmodified, as intended.
+decrypt_list([], _, Acc) ->
+    lists:reverse(Acc);
+decrypt_list([{Key, Value}|Tail], Algo, Acc) when Key =/= encrypted ->
+    decrypt_list(Tail, Algo, [{Key, decrypt(Value, Algo)}|Acc]);
+decrypt_list([Value|Tail], Algo, Acc) ->
+    decrypt_list(Tail, Algo, [decrypt(Value, Algo)|Acc]).
+
 stop_apps(Apps) ->
     ok = app_utils:stop_applications(
            Apps, handle_app_error(error_during_shutdown)),

src/rabbit_control_main.erl

@@ -92,7 +92,8 @@
          {trace_off, [?VHOST_DEF]},
          set_vm_memory_high_watermark,
          set_disk_free_limit,
-         help
+         help,
+         {encode, [?DECODE_DEF, ?CIPHER_DEF, ?HASH_DEF, ?ITERATIONS_DEF, ?LIST_CIPHERS_DEF, ?LIST_HASHES_DEF]}
         ]).
 
 -define(GLOBAL_QUERIES,
@@ -114,7 +115,7 @@
         [stop, stop_app, start_app, wait, reset, force_reset, rotate_logs,
          join_cluster, change_cluster_node_type, update_cluster_nodes,
          forget_cluster_node, rename_cluster_node, cluster_status, status,
-         environment, eval, force_boot, help, hipe_compile]).
+         environment, eval, force_boot, help, hipe_compile, encode]).
 
 %% [Command | {Command, DefaultTimeoutInMilliSeconds}]
 -define(COMMANDS_WITH_TIMEOUT,
@@ -579,6 +580,17 @@ action(eval, Node, [Expr], _Opts, _Inform) ->
 action(help, _Node, _Args, _Opts, _Inform) ->
     io:format("~s", [rabbit_ctl_usage:usage()]);
 
+action(encode, _Node, Args, Opts, _Inform) ->
+    ListCiphers = lists:member({?LIST_CIPHERS_OPT, true}, Opts),
+    ListHashes = lists:member({?LIST_HASHES_OPT, true}, Opts),
+    Decode = lists:member({?DECODE_OPT, true}, Opts),
+    Cipher = list_to_atom(proplists:get_value(?CIPHER_OPT, Opts)),
+    Hash = list_to_atom(proplists:get_value(?HASH_OPT, Opts)),
+    Iterations = list_to_integer(proplists:get_value(?ITERATIONS_OPT, Opts)),
+
+    {_, Msg} = rabbit_control_pbe:encode(ListCiphers, ListHashes, Decode, Cipher, Hash, Iterations, Args),
+    io:format(Msg ++ "~n");
+
 action(Command, Node, Args, Opts, Inform) ->
     %% For backward compatibility, run commands accepting a timeout with
     %% the default timeout.

src/rabbit_control_pbe.erl

@@ -0,0 +1,79 @@
+% The contents of this file are subject to the Mozilla Public License
+%% Version 1.1 (the "License"); you may not use this file except in
+%% compliance with the License. You may obtain a copy of the License
+%% at http://www.mozilla.org/MPL/
+%%
+%% Software distributed under the License is distributed on an "AS IS"
+%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
+%% the License for the specific language governing rights and
+%% limitations under the License.
+%%
+%% The Original Code is RabbitMQ.
+%%
+%% The Initial Developer of the Original Code is GoPivotal, Inc.
+%% Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+-module(rabbit_control_pbe).
+
+-export([encode/7]).
+
+% for testing purposes
+-export([evaluate_input_as_term/1]).
+
+encode(ListCiphers, _ListHashes, _Decode, _Cipher, _Hash, _Iterations, _Args) when ListCiphers ->
+    {ok, io_lib:format("~p", [rabbit_pbe:supported_ciphers()])};
+
+encode(_ListCiphers, ListHashes, _Decode, _Cipher, _Hash, _Iterations, _Args) when ListHashes ->
+    {ok, io_lib:format("~p", [rabbit_pbe:supported_hashes()])};
+
+encode(_ListCiphers, _ListHashes, Decode, Cipher, Hash, Iterations, Args) ->
+    CipherExists = lists:member(Cipher, rabbit_pbe:supported_ciphers()),
+    HashExists = lists:member(Hash, rabbit_pbe:supported_hashes()),
+    encode_encrypt_decrypt(CipherExists, HashExists, Decode, Cipher, Hash, Iterations, Args).
+
+encode_encrypt_decrypt(CipherExists, _HashExists, _Decode, _Cipher, _Hash, _Iterations, _Args) when CipherExists =:= false ->
+    {error, io_lib:format("The requested cipher is not supported", [])};
+
+encode_encrypt_decrypt(_CipherExists, HashExists, _Decode, _Cipher, _Hash, _Iterations, _Args) when HashExists =:= false ->
+    {error, io_lib:format("The requested hash is not supported", [])};
+
+encode_encrypt_decrypt(_CipherExists, _HashExists, _Decode, _Cipher, _Hash, Iterations, _Args) when Iterations =< 0 ->
+    {error, io_lib:format("The requested number of iterations is incorrect", [])};
+
+encode_encrypt_decrypt(_CipherExists, _HashExists, Decode, Cipher, Hash, Iterations, Args) when length(Args) == 2, Decode =:= false ->
+    [Value, PassPhrase] = Args,
+    try begin
+            TermValue = evaluate_input_as_term(Value),
+            Result = rabbit_pbe:encrypt_term(Cipher, Hash, Iterations, list_to_binary(PassPhrase), TermValue),
+            {ok, io_lib:format("~p", [{encrypted, Result}])}
+        end
+    catch
+        _:Msg -> {error, io_lib:format("Error during cipher operation: ~p", [Msg])}
+    end;
+
+encode_encrypt_decrypt(_CipherExists, _HashExists, Decode, Cipher, Hash, Iterations, Args) when length(Args) == 2, Decode ->
+    [Value, PassPhrase] = Args,
+    try begin
+            TermValue = evaluate_input_as_term(Value),
+            TermToDecrypt = case TermValue of
+                {encrypted, EncryptedTerm} ->
+                    EncryptedTerm;
+                _ ->
+                    TermValue
+            end,
+            Result = rabbit_pbe:decrypt_term(Cipher, Hash, Iterations, list_to_binary(PassPhrase), TermToDecrypt),
+            {ok, io_lib:format("~p", [Result])}
+        end
+    catch
+        _:Msg -> {error, io_lib:format("Error during cipher operation: ~p", [Msg])}
+    end;
+
+encode_encrypt_decrypt(_CipherExists, _HashExists, _Decode, _Cipher, _Hash, _Iterations, _Args) ->
+    {error, io_lib:format("Please provide a value to encode/decode and a passphrase", [])}.
+
+evaluate_input_as_term(Input) ->
+    {ok,Tokens,_EndLine} = erl_scan:string(Input ++ "."),
+    {ok,AbsForm} = erl_parse:parse_exprs(Tokens),
+    {value,TermValue,_Bs} = erl_eval:exprs(AbsForm, erl_eval:new_bindings()),
+    TermValue.