2 files changed, 66 insertions, 2 deletions

diff --git a/src/rabbit.erl b/src/rabbit.erl
index a0fcf8216c..48b9ba6458 100644
--- a/src/rabbit.erl
+++ b/src/rabbit.erl
@@ -24,7 +24,7 @@
          start_fhc/0]).
 -export([start/2, stop/1, prep_stop/1]).
 -export([start_apps/1, stop_apps/1]).
--export([log_location/1, config_files/0]). %% for testing and mgmt-agent
+-export([log_location/1, config_files/0, decrypt_config/2]). %% for testing and mgmt-agent
 
 %%---------------------------------------------------------------------------
 %% Boot steps.
@@ -442,6 +442,7 @@ stop_and_halt() ->
 
 start_apps(Apps) ->
     app_utils:load_applications(Apps),
+
     DecoderConfig = case application:get_env(rabbit, decoder_config) of
         undefined -> [];
         {ok, Val} -> Val
@@ -538,7 +539,7 @@ decrypt(Value, _) ->
 %% and ultimately return the string unmodified, as intended.
 decrypt_list([], _, Acc) ->
     lists:reverse(Acc);
-decrypt_list([{Key, Value}|Tail], Algo, Acc) ->
+decrypt_list([{Key, Value}|Tail], Algo, Acc) when Key =/= encrypted ->
     decrypt_list(Tail, Algo, [{Key, decrypt(Value, Algo)}|Acc]);
 decrypt_list([Value|Tail], Algo, Acc) ->
     decrypt_list(Tail, Algo, [decrypt(Value, Algo)|Acc]).
diff --git a/test/unit_SUITE.erl b/test/unit_SUITE.erl
index d9822e7eff..c10fa75ff4 100644
--- a/test/unit_SUITE.erl
+++ b/test/unit_SUITE.erl
@@ -43,6 +43,7 @@ groups() ->
           content_transcoding,
           encrypt_decrypt,
           encrypt_decrypt_term,
+          decrypt_config,
           pg_local,
           pmerge,
           plmerge,
@@ -71,6 +72,14 @@ groups() ->
 init_per_group(_, Config) -> Config.
 end_per_group(_, Config) -> Config.
 
+init_per_testcase(_, Config) ->
+    Config.
+
+end_per_testcase(decrypt_config, _Config) ->
+    application:unload(rabbit);
+end_per_testcase(_TC, _Config) ->
+    ok.
+
 %% -------------------------------------------------------------------
 %% Argument parsing.
 %% -------------------------------------------------------------------
@@ -283,6 +292,60 @@ encrypt_decrypt_term(_Config) ->
     end || H <- Hashes, C <- Ciphers, Data <- DataSet],
     ok.
 
+decrypt_config(_Config) ->
+    %% Take all available block ciphers.
+    Hashes = proplists:get_value(hashs, crypto:supports())
+        -- [md4, ripemd160],
+    Ciphers = proplists:get_value(ciphers, crypto:supports())
+        -- [aes_ctr, aes_ecb, des_ecb, blowfish_ecb, rc4, aes_gcm],
+    Iterations = [1, 10, 100, 1000],
+    %% Loop through all hashes, ciphers and iterations.
+    _ = [begin
+        PassPhrase = crypto:strong_rand_bytes(16),
+        do_decrypt_config({C, H, I, PassPhrase})
+    end || H <- Hashes, C <- Ciphers, I <- Iterations],
+    ok.
+
+do_decrypt_config(Algo = {C, H, I, P}) ->
+    application:load(rabbit),
+    RabbitConfig = application:get_all_env(rabbit),
+    %% Encrypt a few values in configuration.
+    %% Common cases.
+    _ = [encrypt_value(Key, Algo) || Key <- [
+        tcp_listeners,
+        num_tcp_acceptors,
+        ssl_options,
+        vm_memory_high_watermark,
+        default_pass,
+        default_permissions,
+        cluster_nodes,
+        auth_mechanisms,
+        msg_store_credit_disc_bound]],
+    %% Special case: encrypt a value in a list.
+    {ok, [LoopbackUser]} = application:get_env(rabbit, loopback_users),
+    EncLoopbackUser = rabbit_pbe:encrypt_term(C, H, I, P, LoopbackUser),
+    application:set_env(rabbit, loopback_users, [{encrypted, EncLoopbackUser}]),
+    %% Special case: encrypt a value in a key/value list.
+    {ok, TCPOpts} = application:get_env(rabbit, tcp_listen_options),
+    {_, Backlog} = lists:keyfind(backlog, 1, TCPOpts),
+    {_, Linger} = lists:keyfind(linger, 1, TCPOpts),
+    EncBacklog = rabbit_pbe:encrypt_term(C, H, I, P, Backlog),
+    EncLinger = rabbit_pbe:encrypt_term(C, H, I, P, Linger),
+    TCPOpts1 = lists:keyreplace(backlog, 1, TCPOpts, {backlog, {encrypted, EncBacklog}}),
+    TCPOpts2 = lists:keyreplace(linger, 1, TCPOpts1, {linger, {encrypted, EncLinger}}),
+    application:set_env(rabbit, tcp_listen_options, TCPOpts2),
+    %% Decrypt configuration.
+    rabbit:decrypt_config([rabbit], Algo),
+    %% Check that configuration was decrypted properly.
+    RabbitConfig = application:get_all_env(rabbit),
+    application:unload(rabbit),
+    ok.
+
+encrypt_value(Key, {C, H, I, P}) ->
+    {ok, Value} = application:get_env(rabbit, Key),
+    EncValue = rabbit_pbe:encrypt_term(C, H, I, P, Value),
+    application:set_env(rabbit, Key, {encrypted, EncValue}).
+
 %% -------------------------------------------------------------------
 %% pg_local.
 %% -------------------------------------------------------------------