authorArnaud Cogoluègnes <acogoluegnes@gmail.com>2016-10-12 15:37:27 +0200
committerArnaud Cogoluègnes <acogoluegnes@gmail.com>2016-10-12 15:37:27 +0200
commitc5991c696f7a5751af1899729ff5a15b1f58950e (patch)
tree871fffe343cf1e9c9a2eebc70f6acc38ef610de4
parent172c158b94b3f4bf4a9b1f7ed622f7b83164d5c1 (diff)
Add better message when decryption fails in config
-rw-r--r--src/rabbit.erl29
-rw-r--r--src/rabbit_control_main.erl4
-rw-r--r--src/rabbit_control_pbe.erl8
-rw-r--r--test/unit_SUITE.erl23
4 files changed, 50 insertions, 14 deletions
diff --git a/src/rabbit.erl b/src/rabbit.erl
index 75425e1a95..9624aca184 100644
--- a/src/rabbit.erl
+++ b/src/rabbit.erl
@@ -444,8 +444,10 @@ start_apps(Apps) ->
app_utils:load_applications(Apps),
DecoderConfig = case application:get_env(rabbit, decoder_config) of
- undefined -> [];
- {ok, Val} -> Val
+ undefined ->
+ [];
+ {ok, Val} ->
+ Val
end,
PassPhrase = case proplists:get_value(passphrase, DecoderConfig) of
prompt ->
@@ -465,9 +467,9 @@ start_apps(Apps) ->
PP
end,
Algo = {
- proplists:get_value(cipher, DecoderConfig, aes_cbc256),
- proplists:get_value(hash, DecoderConfig, sha512),
- proplists:get_value(iterations, DecoderConfig, 1000),
+ proplists:get_value(cipher, DecoderConfig, rabbit_pbe:default_cipher()),
+ proplists:get_value(hash, DecoderConfig, rabbit_pbe:default_hash()),
+ proplists:get_value(iterations, DecoderConfig, rabbit_pbe:default_iterations()),
PassPhrase
},
decrypt_config(Apps, Algo),
@@ -516,9 +518,20 @@ decrypt_config([App|Apps], Algo) ->
decrypt_app(_, [], _) ->
ok;
decrypt_app(App, [{Key, Value}|Tail], Algo) ->
- case decrypt(Value, Algo) of
- Value -> ok;
- NewValue -> application:set_env(App, Key, NewValue)
+ try begin
+ case decrypt(Value, Algo) of
+ Value ->
+ ok;
+ NewValue ->
+ application:set_env(App, Key, NewValue)
+ end
+ end
+ catch
+ exit:{bad_configuration, decoder_config} ->
+ exit({bad_configuration, decoder_config});
+ _:Msg ->
+ rabbit_log:info("Error while decrypting key '~p'. Please check encrypted value, passphrase, and encryption configuration~n", [Key]),
+ exit({decryption_error, {key, Key}, Msg})
end,
decrypt_app(App, Tail, Algo).
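Review bot: The catch-all `_:Msg` clause in decrypt_app logs the failure with `rabbit_log:info` even though the next line aborts startup with an exit, so anyone filtering logs at warning level or above never sees the hint; `rabbit_log:error(` would match the severity. The `try begin ... end` also wraps `application:set_env/3`, so a failure there would be reported as a decryption error; `try decrypt(Value, Algo) of` with the two existing clauses under `of` protects only the decrypt call and makes the `begin`/`end` unnecessary. `Msg` is forwarded verbatim into the exit reason, which presumably ends up in crash reports, so it is worth confirming that it cannot carry decrypted bytes or passphrase-derived data.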
diff --git a/src/rabbit_control_main.erl b/src/rabbit_control_main.erl
index ce242c9f91..8c245892b7 100644
--- a/src/rabbit_control_main.erl
+++ b/src/rabbit_control_main.erl
@@ -20,8 +20,8 @@
-include("rabbit_misc.hrl").
-export([start/0, stop/0, parse_arguments/2, action/5, action/6,
- sync_queue/1, cancel_sync_queue/1, become/1,
- purge_queue/1]).
+ sync_queue/1, cancel_sync_queue/1, become/1,
+ purge_queue/1]).
-import(rabbit_misc, [rpc_call/4, rpc_call/5, rpc_call/7]).
diff --git a/src/rabbit_control_pbe.erl b/src/rabbit_control_pbe.erl
index dd4f9efa28..2fa2c90a6e 100644
--- a/src/rabbit_control_pbe.erl
+++ b/src/rabbit_control_pbe.erl
@@ -57,9 +57,11 @@ encode_encrypt_decrypt(_CipherExists, _HashExists, Decode, Cipher, Hash, Iterati
try begin
TermValue = evaluate_input_as_term(Value),
TermToDecrypt = case TermValue of
- {encrypted, EncryptedTerm} -> EncryptedTerm;
- _ -> TermValue
- end,
+ {encrypted, EncryptedTerm} ->
+ EncryptedTerm;
+ _ ->
+ TermValue
+ end,
Result = rabbit_pbe:decrypt_term(Cipher, Hash, Iterations, list_to_binary(PassPhrase), TermToDecrypt),
{ok, io_lib:format("~p", [Result])}
end
diff --git a/test/unit_SUITE.erl b/test/unit_SUITE.erl
index e363fe6cb6..e79dfc46ad 100644
--- a/test/unit_SUITE.erl
+++ b/test/unit_SUITE.erl
@@ -72,7 +72,8 @@ groups() ->
{sequential_tests, [], [
decrypt_start_app,
decrypt_start_app_file,
- decrypt_start_app_undefined
+ decrypt_start_app_undefined,
+ decrypt_start_app_wrong_passphrase
]}
].
@@ -410,6 +411,26 @@ decrypt_start_app_undefined(Config) ->
_:_ -> exit(unexpected_exception)
end.
+decrypt_start_app_wrong_passphrase(Config) ->
+ %% Configure rabbit for decrypting configuration.
+ application:set_env(rabbit, decoder_config, [
+ {cipher, aes_cbc256},
+ {hash, sha512},
+ {iterations, 1000},
+ {passphrase, "wrong passphrase"}
+ ]),
+ %% Add the path to our test application.
+ code:add_path(?config(data_dir, Config) ++ "/lib/rabbit_shovel_test/ebin"),
+ %% Attempt to start our test application.
+ %%
+ %% We expect a failure during decryption because the passphrase is wrong.
+ try
+ rabbit:start_apps([rabbit_shovel_test])
+ catch
+ exit:{decryption_error,_,_} -> ok;
+ _:_ -> exit(unexpected_exception)
+ end.
+
rabbitmqctl_encode(_Config) ->
% list ciphers and hashes
{ok, _} = rabbit_control_pbe:encode(true, false, undefined, undefined, undefined, undefined, undefined),
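Review bot: decrypt_start_app_wrong_passphrase passes when `rabbit:start_apps/1` returns normally, because the `try` has no `of` clause and a successful return simply becomes the test's result; a regression that silently accepts a wrong passphrase would go unnoticed. Adding `of _ -> exit(unexpected_success)` after the call makes the no-exception path fail, and the `of` body is not covered by the `_:_` handler. The test also leaves `decoder_config` with the wrong passphrase in the rabbit application environment; unless cleanup happens outside this hunk, a final `application:unset_env(rabbit, decoder_config)` would keep it from leaking into later cases. The context lines at the top of the hunk suggest decrypt_start_app_undefined has the same shape.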