├── .github ├── PULL_REQUEST_TEMPLATE.md └── workflows │ └── main.yml ├── .gitignore ├── CHANGELOG.md ├── HISTORY.md ├── LICENSE ├── LICENSE-APACHE2 ├── LICENSE-MPL-RabbitMQ ├── README.md ├── doc ├── .build ├── 404.html ├── api-reference.html ├── credentials_obfuscation.epub ├── credentials_obfuscation.html ├── credentials_obfuscation_app.html ├── credentials_obfuscation_pbe.html ├── credentials_obfuscation_sup.html ├── credentials_obfuscation_svc.html ├── dist │ ├── handlebars.runtime-NWIB6V2M.js │ ├── handlebars.templates-IV5W3OL2.js │ ├── html-XN2TSG4M.js │ ├── html-erlang-6FXMBT73.css │ ├── inconsolata-latin-400-normal-RGKDDNDD.woff2 │ ├── inconsolata-latin-700-normal-DTS2D7TO.woff2 │ ├── inconsolata-latin-ext-400-normal-K7HVGTP7.woff2 │ ├── inconsolata-latin-ext-700-normal-4MPBLFZC.woff2 │ ├── inconsolata-vietnamese-400-normal-IGQPHHJH.woff2 │ ├── inconsolata-vietnamese-700-normal-LHEGSN35.woff2 │ ├── lato-latin-300-normal-YUMVEFOL.woff2 │ ├── lato-latin-700-normal-2XVSBPG4.woff2 │ ├── lato-latin-ext-300-normal-VPGGJKJL.woff2 │ ├── lato-latin-ext-700-normal-Q2L5DVMW.woff2 │ ├── merriweather-cyrillic-300-italic-M6KMXZSZ.woff2 │ ├── merriweather-cyrillic-300-normal-7PAAHU3N.woff2 │ ├── merriweather-cyrillic-ext-300-italic-JP3ZEV2P.woff2 │ ├── merriweather-cyrillic-ext-300-normal-5LF5LCEK.woff2 │ ├── merriweather-latin-300-italic-353COS6Q.woff2 │ ├── merriweather-latin-300-normal-RWDJH4FN.woff2 │ ├── merriweather-latin-ext-300-italic-MWCA36KE.woff2 │ ├── merriweather-latin-ext-300-normal-K6L27CZ5.woff2 │ ├── merriweather-vietnamese-300-italic-EHHNZPUO.woff2 │ ├── merriweather-vietnamese-300-normal-U376L4Z4.woff2 │ ├── remixicon-NKANDIL5.woff2 │ ├── search_items-B61ACA4F.js │ └── sidebar_items-2C2E7F21.js ├── index.html └── search.html ├── include ├── credentials_obfuscation.hrl └── otp_crypto.hrl ├── priv └── schema │ └── credentials_obfuscation.schema ├── rebar.config ├── rebar.lock ├── src ├── credentials_obfuscation.app.src ├── credentials_obfuscation.erl ├── 
credentials_obfuscation_app.erl ├── credentials_obfuscation_pbe.erl ├── credentials_obfuscation_sup.erl └── credentials_obfuscation_svc.erl └── test ├── credentials_obfuscation_SUITE.erl └── credentials_obfuscation_pbe_SUITE.erl /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## Proposed Changes 2 | 3 | Please describe the big picture of your changes here to communicate to the 4 | RabbitMQ team why we should accept this pull request. If it fixes a bug or 5 | resolves a feature request, be sure to link to that issue. 6 | 7 | A pull request that doesn't explain **why** the change was made has a much 8 | lower chance of being accepted. 9 | 10 | If English isn't your first language, don't worry about it and try to 11 | communicate the problem you are trying to solve to the best of your abilities. 12 | As long as we can understand the intent, it's all good. 13 | 14 | ## Types of Changes 15 | 16 | What types of changes does your code introduce to this project? 17 | _Put an `x` in the boxes that apply_ 18 | 19 | - [ ] Bug fix (non-breaking change which fixes issue #NNNN) 20 | - [ ] New feature (non-breaking change which adds functionality) 21 | - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) 22 | - [ ] Documentation (correction or otherwise) 23 | - [ ] Cosmetics (whitespace, appearance) 24 | 25 | ## Checklist 26 | 27 | _Put an `x` in the boxes that apply. You can also fill these out after creating 28 | the PR. If you're unsure about any of them, don't hesitate to ask on the 29 | mailing list. We're here to help! 
This is simply a reminder of what we are 30 | going to look for before merging your code._ 31 | 32 | - [ ] I have read the `CONTRIBUTING.md` document 33 | - [ ] I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq) 34 | - [ ] All tests pass locally with my changes 35 | - [ ] I have added tests that prove my fix is effective or that my feature works 36 | - [ ] I have added necessary documentation (if appropriate) 37 | - [ ] Any dependent changes have been merged and published in related repositories 38 | 39 | ## Further Comments 40 | 41 | If this is a relatively large or complex change, kick off the discussion by 42 | explaining why you chose the solution you did and what alternatives you 43 | considered, etc. 44 | -------------------------------------------------------------------------------- /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: credentials-obfuscation 2 | on: push 3 | jobs: 4 | build: 5 | runs-on: ${{ matrix.os }} 6 | strategy: 7 | matrix: 8 | otp_version: [25, 26, 27] 9 | os: [ubuntu-latest, windows-latest] 10 | steps: 11 | - uses: actions/checkout@v4 12 | - uses: erlef/setup-beam@v1 13 | with: 14 | otp-version: ${{ matrix.otp_version }} 15 | rebar3-version: '3' 16 | - run: rebar3 compile 17 | - run: rebar3 dialyzer 18 | - run: rebar3 eunit 19 | - run: rebar3 ct --verbose --verbosity=3 --readable=true 20 | - uses: actions/upload-artifact@v4 21 | if: failure() 22 | with: 23 | name: ct-logs-${{matrix.os}}-${{matrix.otp_version}} 24 | path: _build/test/logs 25 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .rebar3 2 | rebar3.crashdump 3 | _* 4 | .eunit 5 | .tool-versions 6 | *.o 7 | *.beam 8 | *.plt 9 | *.swp 10 | *.swo 11 | .erlang.cookie 12 | erl_crash.dump 13 | .sw? 14 | .*.sw? 
15 | *.beam 16 | /.erlang.mk/ 17 | /cover/ 18 | /deps/ 19 | /ebin/ 20 | /log/ 21 | /logs/ 22 | /plugins/ 23 | /xrefr 24 | elvis 25 | callgrind* 26 | ct.coverdata 27 | test/ct.cover.spec 28 | _build 29 | 30 | credentials_obfuscation.d 31 | *.plt 32 | *.d 33 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | ## [v3.5.0](https://github.com/rabbitmq/credentials-obfuscation/tree/v3.5.0) (2025-03-24) 4 | 5 | [Full Changelog](https://github.com/rabbitmq/credentials-obfuscation/compare/v3.4.0...v3.5.0) 6 | 7 | **Implemented enhancements:** 8 | 9 | - Add cuttlefish schema [\#28](https://github.com/rabbitmq/credentials-obfuscation/issues/28) 10 | 11 | **Merged pull requests:** 12 | 13 | - Prepare for v3.5.0 [\#34](https://github.com/rabbitmq/credentials-obfuscation/pull/34) ([lukebakken](https://github.com/lukebakken)) 14 | - Remove defaults and unset if undefined [\#30](https://github.com/rabbitmq/credentials-obfuscation/pull/30) ([SimonUnge](https://github.com/SimonUnge)) 15 | - Add schema file [\#29](https://github.com/rabbitmq/credentials-obfuscation/pull/29) ([SimonUnge](https://github.com/SimonUnge)) 16 | 17 | ## [v3.4.0](https://github.com/rabbitmq/credentials-obfuscation/tree/v3.4.0) (2023-05-04) 18 | 19 | [Full Changelog](https://github.com/rabbitmq/credentials-obfuscation/compare/v3.3.0...v3.4.0) 20 | 21 | - Copy paste some crypto type definitions from OTP to make dialyzer happy 22 | - Exclude `shake128` and `shake256` (new hashing algorithms introduced in OTP26) from the tests as they don't support what we do 23 | - Add OTP26 to CI 24 | - Remove OTP23 from CI 25 | 26 | ## [v3.3.0](https://github.com/rabbitmq/credentials-obfuscation/tree/v3.3.0) (2023-03-04) 27 | 28 | [Full Changelog](https://github.com/rabbitmq/credentials-obfuscation/compare/v3.2.0...v3.3.0) 29 | 30 | **Closed issues:** 31 | 32 | - Remove 
rebar3\_hex plugin from rebar.config [\#22](https://github.com/rabbitmq/credentials-obfuscation/issues/22) 33 | 34 | **Merged pull requests:** 35 | 36 | - Update README.md [\#24](https://github.com/rabbitmq/credentials-obfuscation/pull/24) ([L1nY4n](https://github.com/L1nY4n)) 37 | - Include rebar3\_hex in project\_plugins, not plugins [\#23](https://github.com/rabbitmq/credentials-obfuscation/pull/23) ([newmanjeff](https://github.com/newmanjeff)) 38 | 39 | ## Changes between 3.1.0 and 3.2.0 (Nov 7, 2022) 40 | 41 | GitHub milestone: [link](https://github.com/rabbitmq/credentials-obfuscation/milestone/8closed=1) 42 | 43 | ## Changes Between 2.4.0 and 3.0.0 (May 2, 2022) 44 | 45 | ### Fallback Secret Support 46 | 47 | An alternative secret can now be provided to be used as a fallback. 48 | This is useful for key migrations (rotations, upgrades, and so on) 49 | when some stored pieces of state may still use the old key. 50 | 51 | Contributed by @luos. 52 | 53 | GitHub issue: [rabbitmq/credentials-obfuscation#15](https://github.com/rabbitmq/credentials-obfuscation/pull/15) 54 | 55 | ### Support for Erlang/OTP 25 56 | 57 | The library supports Erlang 25 and drops support for Erlang versions < 22.3. 58 | 59 | ## Changes Between 2.3.0 and 2.4.0 (February 18, 2021) 60 | 61 | ### Support for Erlang/OTP 24 and the new Crypto API 62 | 63 | The library now supports Erlang 24 and drops support for Erlang versions < 22.1. 64 | 65 | Contributed by Dominic @dmorneau Morneau. 66 | 67 | GitHub issue: [#10](https://github.com/rabbitmq/credentials-obfuscation/pull/10). 
68 | 69 | 70 | ## Changes Between 2.2.0 and 2.3.0 (December 18, 2020) 71 | 72 | ### Defaults for Better Efficiency 73 | 74 | The library now uses a weaker cipher suite by default for a significant 75 | gain in efficiency: 76 | 77 | * AES CBC with a 128-bit key 78 | * SHA-256 instead of SHA-512 for hashing 79 | * A single iteration instead of 1000 80 | 81 | AES CBC with a 128-bit key is a reasonable default 82 | for this library's use case, in-memory obfuscation of transient process state. 83 | 84 | Users who need to use a suite with stronger security 85 | guarantees, such as AES CBC with a 256-bit key, 86 | can override the default: 87 | 88 | ``` erl 89 | ok = application:set_env(credentials_obfuscation, cipher, aes_cbc256), 90 | ok = application:set_env(credentials_obfuscation, hash, sha512), 91 | ok = application:set_env(credentials_obfuscation, iterations, 300). 92 | ``` 93 | 94 | Contributed by CloudAMQP. 95 | 96 | GitHub issue: [#9](https://github.com/rabbitmq/credentials-obfuscation/pull/9) 97 | 98 | ## Changes Between 2.1.0 and 2.2.0 (August 18, 2020) 99 | 100 | ### List Values are Coerced to Binaries 101 | 102 | This library works with binary inputs and outputs. Input list values will now be 103 | converted to binaries automatically for convenience. Decrypted values will always 104 | be returned as binaries. 105 | 106 | For the purpose of credentials, the two types are usually semantically equivalent. 107 | When that's not the case, we highly recommend using binaries exclusively instead 108 | of a mix of binaries and lists (Erlang strings). 109 | 110 | 111 | ## Changes Between 2.1.0 and 2.1.1 (July 29th, 2020) 112 | 113 | ### More Graceful Handling of Encryption Timeouts 114 | 115 | Should an encryption operation time out (this can happen on nodes nearly maxing out their scheduler/CPU resources), 116 | the plain text (unencrypted) value is returned to the caller. This is similar to how other 117 | "encrypting was not possible" scenarios are handled. 
The caller must 118 | decide whether using unencrypted values is acceptable in such low-probability scenarios 119 | or whether they must be treated as an error. 120 | 121 | GitHub issue: [#7](https://github.com/rabbitmq/credentials-obfuscation/pull/7) 122 | 123 | 124 | ## Changes Between 2.0.0 and 2.1.0 (July 20th, 2020) 125 | 126 | ### License Change 127 | 128 | The library is now double-licensed under the Apache Software License 2.0 129 | and Mozilla Public License 2.0 (previously: under the ASL2 and Mozilla Public License 1.1). 130 | 131 | ### Minimum Supported Erlang Version Bump 132 | 133 | The library now requires OTP 21.3 or a later version. 134 | 135 | 136 | ## Changes Between 1.x and 2.0.0 137 | 138 | ### Secret Seeding 139 | 140 | The application now requires an explicitly provided secret for seeding 141 | of private key generation. This is done using the `credentials_obfuscation:set_secret/1` function 142 | after the application has been started and before it is used. 143 | 144 | 145 | \* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* 146 | -------------------------------------------------------------------------------- /HISTORY.md: -------------------------------------------------------------------------------- 1 | # Change Log 2 | 3 | ## Changes between 3.1.0 and 3.2.0 (Nov 7, 2022) 4 | 5 | GitHub milestone: [link](https://github.com/rabbitmq/credentials-obfuscation/milestone/8closed=1) 6 | 7 | ## Changes Between 2.4.0 and 3.0.0 (May 2, 2022) 8 | 9 | ### Fallback Secret Support 10 | 11 | An alternative secret can now be provided to be used as a fallback. 12 | This is useful for key migrations (rotations, upgrades, and so on) 13 | when some stored pieces of state may still use the old key. 14 | 15 | Contributed by @luos. 
16 | 17 | GitHub issue: [rabbitmq/credentials-obfuscation#15](https://github.com/rabbitmq/credentials-obfuscation/pull/15) 18 | 19 | ### Support for Erlang/OTP 25 20 | 21 | The library supports Erlang 25 and drops support for Erlang versions < 22.3. 22 | 23 | ## Changes Between 2.3.0 and 2.4.0 (February 18, 2021) 24 | 25 | ### Support for Erlang/OTP 24 and the new Crypto API 26 | 27 | The library now supports Erlang 24 and drops support for Erlang versions < 22.1. 28 | 29 | Contributed by Dominic @dmorneau Morneau. 30 | 31 | GitHub issue: [#10](https://github.com/rabbitmq/credentials-obfuscation/pull/10). 32 | 33 | 34 | ## Changes Between 2.2.0 and 2.3.0 (December 18, 2020) 35 | 36 | ### Defaults for Better Efficiency 37 | 38 | The library now uses a weaker cipher suite by default for a significant 39 | gain in efficiency: 40 | 41 | * AES CBC with a 128-bit key 42 | * SHA-256 instead of SHA-512 for hashing 43 | * A single iteration instead of 1000 44 | 45 | AES CBC with a 128-bit key is a reasonable default 46 | for this library's use case, in-memory obfuscation of transient process state. 47 | 48 | Users who need to use a suite with stronger security 49 | guarantees, such as AES CBC with a 256-bit key, 50 | can override the default: 51 | 52 | ``` erl 53 | ok = application:set_env(credentials_obfuscation, cipher, aes_cbc256), 54 | ok = application:set_env(credentials_obfuscation, hash, sha512), 55 | ok = application:set_env(credentials_obfuscation, iterations, 300). 56 | ``` 57 | 58 | Contributed by CloudAMQP. 59 | 60 | GitHub issue: [#9](https://github.com/rabbitmq/credentials-obfuscation/pull/9) 61 | 62 | ## Changes Between 2.1.0 and 2.2.0 (August 18, 2020) 63 | 64 | ### List Values are Coerced to Binaries 65 | 66 | This library works with binary inputs and outputs. Input list values will now be 67 | converted to binaries automatically for convenience. Decrypted values will always 68 | be returned as binaries. 
69 | 70 | For the purpose of credentials, the two types are usually semantically equivalent. 71 | When that's not the case, we highly recommend using binaries exclusively instead 72 | of a mix of binaries and lists (Erlang strings). 73 | 74 | 75 | ## Changes Between 2.1.0 and 2.1.1 (July 29th, 2020) 76 | 77 | ### More Graceful Handling of Encryption Timeouts 78 | 79 | Should an encryption operation time out (this can happen on nodes nearly maxing out their scheduler/CPU resources), 80 | the plain text (unencrypted) value is returned to the caller. This is similar to how other 81 | "encrypting was not possible" scenarios are handled. The caller must 82 | decide whether using unencrypted values is acceptable in such low-probability scenarios 83 | or whether they must be treated as an error. 84 | 85 | GitHub issue: [#7](https://github.com/rabbitmq/credentials-obfuscation/pull/7) 86 | 87 | 88 | ## Changes Between 2.0.0 and 2.1.0 (July 20th, 2020) 89 | 90 | ### License Change 91 | 92 | The library is now double-licensed under the Apache Software License 2.0 93 | and Mozilla Public License 2.0 (previously: under the ASL2 and Mozilla Public License 1.1). 94 | 95 | ### Minimum Supported Erlang Version Bump 96 | 97 | The library now requires OTP 21.3 or a later version. 98 | 99 | 100 | ## Changes Between 1.x and 2.0.0 101 | 102 | ### Secret Seeding 103 | 104 | The application now requires an explicitly provided secret for seeding 105 | of private key generation. This is done using the `credentials_obfuscation:set_secret/1` function 106 | after the application has been started and before it is used. 107 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | This package, the credential obfuscation library, is double-licensed under 2 | the Mozilla Public License 2.0 ("MPL") and the Apache License version 2 ("ASL"). For the MPL, 3 | please see LICENSE-MPL-RabbitMQ. 
For the ASL, please see LICENSE-APACHE2. 4 | 5 | If you have any questions regarding licensing, please contact us at 6 | info@rabbitmq.com. 7 | -------------------------------------------------------------------------------- /LICENSE-APACHE2: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | https://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 
35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | https://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /LICENSE-MPL-RabbitMQ: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. 
"Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. 
"You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 
115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. 
You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. 
Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. 
Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. 
Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. 
This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. 
Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 
374 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Credential Obfuscator 2 | 3 | This is a small library OTP application that acts as a helper. It encrypts and decrypts sensitive data 4 | typically stored in process state with a one-off key (key material must be provided on node start). 5 | One example of such sensitive data is credentials used to access remote services. 6 | 7 | This is necessary to avoid sensitive values being logged when process state is dumped by 8 | the Erlang runtime (`error_logger`). 9 | 10 | Note that this application **cannot protect against heap dumping attacks** and only helps 11 | avoid sensitive data appearing in log files. 12 | 13 | ## Supported Erlang/OTP Versions 14 | 15 | This library uses the modern `crypto` API and **requires Erlang 23.2 or a later version**. 16 | 17 | ## Usage 18 | 19 | First, make the `credentials_obfuscation` application a dependency of your project. 20 | 21 | Then, during the start-up of your application, and after the `credentials_obfuscation` application starts, 22 | provide the secret value: 23 | 24 | ``` erl 25 | CookieBin = atom_to_binary(erlang:get_cookie(), latin1), 26 | credentials_obfuscation:set_secret(CookieBin) 27 | ``` 28 | 29 | To use a random value, do the following: 30 | 31 | ``` erl 32 | Bytes = crypto:strong_rand_bytes(128), 33 | credentials_obfuscation:set_secret(Bytes) 34 | ``` 35 | 36 | To encrypt and decrypt a binary or list value: 37 | 38 | ``` erl 39 | Encrypted = credentials_obfuscation:encrypt(<<"abc">>). 40 | % => {encrypted,<<"KdH0bP4CYasbA3X79nKShEJhajQ7D7wz1G4yqJmDS4d7zRuuUhAPuQKxdDVgxQtO">>} 41 | 42 | credentials_obfuscation:decrypt(Encrypted). 43 | % => <<"abc">> 44 | ``` 45 | 46 | Lists (char lists in Elixir) will be converted to binaries before encryption. 47 | This means that decrypted values will always be returned as binaries. 
48 | 49 | Lists here mean "byte lists", that is Unicode characters are not 50 | supported. This should still be sufficient for encryption of 51 | URIs, generated credentials, and many kinds of sensitive identifiers. 52 | 53 | ## License and Copyright 54 | 55 | See [LICENSE](./LICENSE). 56 | 57 | (c) 2019-2023 VMware, Inc or its affiliates. 58 | 59 | (c) 2023-2024 Broadcom, Inc or its subsidiaries. 60 | -------------------------------------------------------------------------------- /doc/.build: -------------------------------------------------------------------------------- 1 | 404.html 2 | api-reference.html 3 | credentials_obfuscation.html 4 | credentials_obfuscation_app.html 5 | credentials_obfuscation_pbe.html 6 | credentials_obfuscation_sup.html 7 | credentials_obfuscation_svc.html 8 | dist/handlebars.runtime-NWIB6V2M.js 9 | dist/handlebars.templates-IV5W3OL2.js 10 | dist/html-XN2TSG4M.js 11 | dist/html-erlang-6FXMBT73.css 12 | dist/inconsolata-latin-400-normal-RGKDDNDD.woff2 13 | dist/inconsolata-latin-700-normal-DTS2D7TO.woff2 14 | dist/inconsolata-latin-ext-400-normal-K7HVGTP7.woff2 15 | dist/inconsolata-latin-ext-700-normal-4MPBLFZC.woff2 16 | dist/inconsolata-vietnamese-400-normal-IGQPHHJH.woff2 17 | dist/inconsolata-vietnamese-700-normal-LHEGSN35.woff2 18 | dist/lato-latin-300-normal-YUMVEFOL.woff2 19 | dist/lato-latin-700-normal-2XVSBPG4.woff2 20 | dist/lato-latin-ext-300-normal-VPGGJKJL.woff2 21 | dist/lato-latin-ext-700-normal-Q2L5DVMW.woff2 22 | dist/merriweather-cyrillic-300-italic-M6KMXZSZ.woff2 23 | dist/merriweather-cyrillic-300-normal-7PAAHU3N.woff2 24 | dist/merriweather-cyrillic-ext-300-italic-JP3ZEV2P.woff2 25 | dist/merriweather-cyrillic-ext-300-normal-5LF5LCEK.woff2 26 | dist/merriweather-latin-300-italic-353COS6Q.woff2 27 | dist/merriweather-latin-300-normal-RWDJH4FN.woff2 28 | dist/merriweather-latin-ext-300-italic-MWCA36KE.woff2 29 | dist/merriweather-latin-ext-300-normal-K6L27CZ5.woff2 30 | 
dist/merriweather-vietnamese-300-italic-EHHNZPUO.woff2 31 | dist/merriweather-vietnamese-300-normal-U376L4Z4.woff2 32 | dist/remixicon-NKANDIL5.woff2 33 | dist/search_items-B61ACA4F.js 34 | dist/sidebar_items-2C2E7F21.js 35 | index.html 36 | search.html 37 | -------------------------------------------------------------------------------- /doc/404.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 404 — credentials_obfuscation v3.4.0 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 38 | 39 |
40 | 41 | 44 | 45 | 86 | 87 |
88 | 89 |
90 |
91 | 92 |

93 | 97 | 98 | Page not found 99 |

100 | 101 |

Sorry, but the page you were trying to reach does not exist. You 102 | may want to try searching this site using the sidebar 103 | 104 | or using our API Reference page 105 | 106 | to find what you were looking for.

107 | 137 |
138 |
139 |
140 |
141 | 142 | 143 | 144 | 145 | -------------------------------------------------------------------------------- /doc/api-reference.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | API Reference — credentials_obfuscation v3.4.0 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 38 | 39 |
40 | 41 | 44 | 45 | 86 | 87 |
88 | 89 |
90 |
91 | 92 |

93 | 97 | 98 | 99 | 100 | API Reference credentials_obfuscation v3.4.0 101 |

102 | 103 | 104 |
105 |

106 | 107 |

modules

108 |
109 | Modules 110 |

111 | 112 |
113 |
114 |
115 | credentials_obfuscation 116 | 117 |
118 | 119 |
120 |
121 |
122 | credentials_obfuscation_app 123 | 124 |
125 | 126 |
127 |
128 |
129 | credentials_obfuscation_pbe 130 | 131 |
132 | 133 |
134 |
135 |
136 | credentials_obfuscation_sup 137 | 138 |
139 | 140 |
141 |
142 |
143 | credentials_obfuscation_svc 144 | 145 |
146 | 147 |
148 | 149 |
150 |
151 | 152 | 153 |
154 |
155 | 156 |
157 |
158 | 159 |
160 |
161 | 191 |
192 |
193 |
194 |
195 | 196 | 197 | 198 | 199 | -------------------------------------------------------------------------------- /doc/credentials_obfuscation.epub: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rabbitmq/credentials-obfuscation/d69196b4daec228b8093396f69730506dcf317d5/doc/credentials_obfuscation.epub -------------------------------------------------------------------------------- /doc/credentials_obfuscation.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | credentials_obfuscation — credentials_obfuscation v3.4.0 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 38 | 39 |
40 | 41 | 44 | 45 | 86 | 87 |
88 | 89 |
90 |
91 | 92 |

93 | 97 | 98 | 99 | credentials_obfuscation 100 | (credentials_obfuscation v3.4.0) 101 | 102 |

103 | 104 | 105 | 106 |
107 |

108 | 109 | 110 | Link to this section 111 | 112 | Summary 113 |

114 |
115 |

116 | Functions 117 |

118 | 119 |
120 |
121 | cipher() 122 | 123 |
124 | 125 |
126 | 127 |
128 |
129 | decrypt(Term) 130 | 131 |
132 | 133 |
134 | 135 |
136 |
137 | enabled() 138 | 139 |
140 | 141 |
142 | 143 |
144 |
145 | encrypt(Term) 146 | 147 |
148 | 149 |
150 | 151 |
152 |
153 | hash() 154 | 155 |
156 | 157 |
158 | 159 |
160 |
161 | iterations() 162 | 163 |
164 | 165 |
166 | 167 |
168 |
169 | refresh_config() 170 | 171 |
172 | 173 |
174 | 175 |
176 |
177 | secret() 178 | 179 |
180 | 181 |
182 | 183 |
184 |
185 | set_fallback_secret(Secret) 186 | 187 |
188 | 189 |
190 | 191 |
192 |
193 | set_secret(Secret) 194 | 195 |
196 | 197 |
198 | 199 |
200 | 201 |
202 | 203 | 204 |
205 |

206 | 207 | 208 | Link to this section 209 | 210 | Functions 211 |

212 |
213 |
214 | 215 |

cipher()

221 | 222 | 223 |
224 | 225 |
226 | 227 |
228 | 229 |
-spec cipher() -> atom().
230 | 231 |
232 | 233 | 234 |
235 |
236 |
237 | 238 |

decrypt(Term)

244 | 245 | 246 |
247 | 248 |
249 | 250 |
251 | 252 |
-spec decrypt(none | undefined) -> none | undefined;
253 |        ({plaintext, binary()} | {encrypted, binary()}) -> binary().
254 | 255 |
256 | 257 | 258 |
259 |
260 |
261 | 262 |

enabled()

268 | 269 | 270 |
271 | 272 |
273 | 274 |
275 | 276 |
-spec enabled() -> boolean().
277 | 278 |
279 | 280 | 281 |
282 |
283 |
284 | 285 |

encrypt(Term)

291 | 292 | 293 |
294 | 295 |
296 | 297 |
298 | 299 |
-spec encrypt(none | undefined) -> none | undefined;
300 |        (iodata()) -> {plaintext, binary()} | {encrypted, binary()}.
301 | 302 |
303 | 304 | 305 |
306 |
307 |
308 | 309 |

hash()

315 | 316 | 317 |
318 | 319 |
320 | 321 |
322 | 323 |
-spec hash() -> atom().
324 | 325 |
326 | 327 | 328 |
329 |
330 |
331 | 332 |

iterations()

338 | 339 | 340 |
341 | 342 |
343 | 344 |
345 | 346 |
-spec iterations() -> non_neg_integer().
347 | 348 |
349 | 350 | 351 |
352 |
353 |
354 | 355 |

refresh_config()

361 | 362 | 363 |
364 | 365 |
366 | 367 |
368 | 369 |
-spec refresh_config() -> ok | {error, invalid_config}.
370 | 371 |
372 | 373 | 374 |
375 |
376 |
377 | 378 |

secret()

384 | 385 | 386 |
387 | 388 |
389 | 390 |
391 | 392 |
-spec secret() -> binary() | '$pending-secret'.
393 | 394 |
395 | 396 | 397 |
398 |
399 |
400 | 401 |

set_fallback_secret(Secret)

407 | 408 | 409 |
410 | 411 |
412 | 413 |
414 | 415 |
-spec set_fallback_secret(binary()) -> ok.
416 | 417 |
418 | 419 | 420 |
421 |
422 |
423 | 424 |

set_secret(Secret)

430 | 431 | 432 |
433 | 434 |
435 | 436 |
437 | 438 |
-spec set_secret(binary()) -> ok.
439 | 440 |
441 | 442 | 443 |
444 |
445 | 446 |
447 |
448 | 449 | 481 |
482 |
483 |
484 |
485 | 486 | 487 | 488 | 489 | -------------------------------------------------------------------------------- /doc/credentials_obfuscation_app.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | credentials_obfuscation_app — credentials_obfuscation v3.4.0 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 38 | 39 |
40 | 41 | 44 | 45 | 86 | 87 |
88 | 89 |
90 |
91 | 92 |

93 | 97 | 98 | 99 | credentials_obfuscation_app 100 | (credentials_obfuscation v3.4.0) 101 | 102 |

103 | 104 | 105 | 106 |
107 |

108 | 109 | 110 | Link to this section 111 | 112 | Summary 113 |

114 |
115 |

116 | Functions 117 |

118 | 119 |
120 |
121 | start(StartType, StartArgs) 122 | 123 |
124 | 125 |
126 | 127 |
128 |
129 | stop(State) 130 | 131 |
132 | 133 |
134 | 135 |
136 | 137 |
138 | 139 | 140 |
141 |

142 | 143 | 144 | Link to this section 145 | 146 | Functions 147 |

148 |
149 |
150 | 151 |

start(StartType, StartArgs)

157 | 158 | 159 |
160 | 161 |
162 | 163 |
164 | 165 |
-spec start(_, _) -> {error, _} | {ok, pid()} | {ok, pid(), _}.
166 | 167 |
168 | 169 | 170 |
171 |
172 |
173 | 174 |

stop(State)

180 | 181 | 182 |
183 | 184 |
185 | 186 |
187 | 188 |
-spec stop(_) -> ok.
189 | 190 |
191 | 192 | 193 |
194 |
195 | 196 |
197 |
198 | 199 | 231 |
232 |
233 |
234 |
235 | 236 | 237 | 238 | 239 | -------------------------------------------------------------------------------- /doc/credentials_obfuscation_pbe.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | credentials_obfuscation_pbe — credentials_obfuscation v3.4.0 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 38 | 39 |
40 | 41 | 44 | 45 | 86 | 87 |
88 | 89 |
90 |
91 | 92 |

93 | 97 | 98 | 99 | credentials_obfuscation_pbe 100 | (credentials_obfuscation v3.4.0) 101 | 102 |

103 | 104 | 105 | 106 |
107 |

108 | 109 | 110 | Link to this section 111 | 112 | Summary 113 |

114 |
115 |

116 | Types 117 |

118 | 119 |
120 |
121 | blake2/0 122 | 123 |
124 | 125 |
126 | 127 |
128 |
129 | cipher_iv/0 130 | 131 |
132 | 133 |
134 | 135 |
136 |
137 | compatibility_only_hash/0 138 | 139 |
140 | 141 |
142 | 143 |
144 |
145 | hash_algorithm/0 146 | 147 |
148 | 149 |
150 | 151 |
152 |
153 | sha3/0 154 | 155 |
156 | 157 |
158 | 159 |
160 |
161 | sha3_xof/0 162 | 163 |
164 | 165 |
166 | 167 |
168 |
169 |

170 | Functions 171 |

172 | 173 |
174 | 178 | 179 |
180 | 181 | 188 | 189 |
190 |
191 | default_cipher() 192 | 193 |
194 | 195 |
196 | 197 |
198 |
199 | default_hash() 200 | 201 |
202 | 203 |
204 | 205 |
206 |
207 | default_iterations() 208 | 209 |
210 | 211 |
212 | 213 |
214 | 218 | 219 |
220 | 221 |
222 | 226 | 227 |
228 | 229 |
230 |
231 | supported_ciphers() 232 | 233 |
234 | 235 |
236 | 237 |
238 |
239 | supported_hashes() 240 | 241 |
242 | 243 |
244 | 245 |
246 | 247 |
248 | 249 | 250 |
251 |

252 | 253 | 254 | Link to this section 255 | 256 | Types 257 |

258 |
259 |
260 | 261 |

blake2/0

267 | 268 | 269 |
270 | 271 |
272 | 273 |
274 | 275 |
-type blake2() :: blake2b | blake2s.
276 | 277 |
278 | 279 | 280 |
281 |
282 |
283 | 284 |

cipher_iv/0

290 | 291 | 292 |
293 | 294 |
295 | 296 |
297 | 298 |
-type cipher_iv() ::
299 |     aes_128_cbc | aes_192_cbc | aes_256_cbc | aes_cbc | aes_128_ofb | aes_192_ofb | aes_256_ofb |
300 |     aes_128_cfb128 | aes_192_cfb128 | aes_256_cfb128 | aes_cfb128 | aes_128_cfb8 | aes_192_cfb8 |
301 |     aes_256_cfb8 | aes_cfb8 | aes_128_ctr | aes_192_ctr | aes_256_ctr | aes_ctr | blowfish_cbc |
302 |     blowfish_cfb64 | blowfish_ofb64 | chacha20 | des_ede3_cbc | des_ede3_cfb | des_cbc | des_cfb |
303 |     rc2_cbc.
304 | 305 |
306 | 307 | 308 |
309 |
310 |
311 | 312 |

compatibility_only_hash/0

318 | 319 | 320 |
321 | 322 |
323 | 324 |
325 | 326 |
-type compatibility_only_hash() :: md5 | md4.
327 | 328 |
329 | 330 | 331 |
332 |
333 |
334 | 335 |

hash_algorithm/0

341 | 342 | 343 |
344 | 345 |
346 | 347 |
348 | 349 |
-type hash_algorithm() ::
350 |     crypto:sha1() |
351 |     crypto:sha2() |
352 |     sha3() |
353 |     sha3_xof() |
354 |     blake2() |
355 |     ripemd160 |
356 |     compatibility_only_hash().
357 | 358 |
359 | 360 | 361 |
362 |
363 |
364 | 365 |

sha3/0

371 | 372 | 373 |
374 | 375 |
376 | 377 |
378 | 379 |
-type sha3() :: sha3_224 | sha3_256 | sha3_384 | sha3_512.
380 | 381 |
382 | 383 | 384 |
385 |
386 |
387 | 388 |

sha3_xof/0

394 | 395 | 396 |
397 | 398 |
399 | 400 |
401 | 402 |
-type sha3_xof() :: shake128 | shake256.
403 | 404 |
405 | 406 | 407 |
408 |
409 | 410 |
411 |
412 | 413 |
414 |

415 | 416 | 417 | Link to this section 418 | 419 | Functions 420 |

421 |
422 |
423 | 424 |

decrypt(Cipher, Hash, Iterations, Secret, _)

430 | 431 | 432 |
433 | 434 |
435 | 436 |
437 | 438 |
-spec decrypt(cipher_iv(),
439 |         hash_algorithm(),
440 |         pos_integer(),
441 |         iodata(),
442 |         {encrypted, binary() | [1..255]} | {plaintext, _}) ->
443 |            any().
444 | 445 |
446 | 447 | 448 |
449 |
450 |
451 | 452 |

decrypt_term(Cipher, Hash, Iterations, Secret, Base64Binary)

458 | 459 | 460 |
461 | 462 |
463 | 464 | 465 |
466 |
467 |
468 | 469 |

default_cipher()

475 | 476 | 477 |
478 | 479 |
480 | 481 | 482 |
483 |
484 |
485 | 486 |

default_hash()

492 | 493 | 494 |
495 | 496 |
497 | 498 | 499 |
500 |
501 |
502 | 503 |

default_iterations()

509 | 510 | 511 |
512 | 513 |
514 | 515 | 516 |
517 |
518 |
519 | 520 |

encrypt(Cipher, Hash, Iterations, Secret, ClearText)

526 | 527 | 528 |
529 | 530 |
531 | 532 |
533 | 534 |
-spec encrypt(cipher_iv(), hash_algorithm(), pos_integer(), iodata() | '$pending-secret', iodata()) ->
535 |            {plaintext, binary()} | {encrypted, binary()}.
536 | 537 |
538 | 539 | 540 |
541 |
542 |
543 | 544 |

encrypt_term(Cipher, Hash, Iterations, Secret, Term)

550 | 551 | 552 |
553 | 554 |
555 | 556 | 557 |
558 |
559 |
560 | 561 |

supported_ciphers()

567 | 568 | 569 |
570 | 571 |
572 | 573 | 574 |
575 |
576 |
577 | 578 |

supported_hashes()

584 | 585 | 586 |
587 | 588 |
589 | 590 | 591 |
592 |
593 | 594 |
595 |
596 | 597 | 629 |
630 |
631 |
632 |
633 | 634 | 635 | 636 | 637 | -------------------------------------------------------------------------------- /doc/credentials_obfuscation_sup.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | credentials_obfuscation_sup — credentials_obfuscation v3.4.0 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 38 | 39 |
40 | 41 | 44 | 45 | 86 | 87 |
88 | 89 |
90 |
91 | 92 |

93 | 97 | 98 | 99 | credentials_obfuscation_sup 100 | (credentials_obfuscation v3.4.0) 101 | 102 |

103 | 104 | 105 | 106 |
107 |

108 | 109 | 110 | Link to this section 111 | 112 | Summary 113 |

114 |
115 |

116 | Functions 117 |

118 | 119 |
120 |
121 | init(_) 122 | 123 |
124 | 125 |
126 | 127 |
128 |
129 | start_link() 130 | 131 |
132 | 133 |
134 | 135 |
136 | 137 |
138 | 139 | 140 |
141 |

142 | 143 | 144 | Link to this section 145 | 146 | Functions 147 |

148 |
149 |
150 | 151 |

init(_)

157 | 158 | 159 |
160 | 161 |
162 | 163 | 164 |
165 |
166 |
167 | 168 |

start_link()

174 | 175 | 176 |
177 | 178 |
179 | 180 |
181 | 182 |
-spec start_link() -> ignore | {error, _} | {ok, pid()}.
183 | 184 |
185 | 186 | 187 |
188 |
189 | 190 |
191 |
192 | 193 | 225 |
226 |
227 |
228 |
229 | 230 | 231 | 232 | 233 | -------------------------------------------------------------------------------- /doc/credentials_obfuscation_svc.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | credentials_obfuscation_svc — credentials_obfuscation v3.4.0 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 38 | 39 |
93 | 97 | 98 | 99 | credentials_obfuscation_svc 100 | (credentials_obfuscation v3.4.0) 101 | 102 |

116 | Functions 117 |

129 | decrypt(Term) 130 | 131 |
137 | encrypt(Term) 138 | 139 |
145 | get_config(Config) 146 | 147 |
153 | handle_call(_, From, State) 154 | 155 |
161 | handle_cast(Message, State) 162 | 163 |
169 | handle_info(Message, State) 170 | 171 |
177 | init(_) 178 | 179 |
185 | refresh_config() 186 | 187 |
193 | set_fallback_secret(Secret) 194 | 195 |
201 | set_secret(Secret) 202 | 203 |
209 | start_link() 210 | 211 |
217 | terminate(Reason, State) 218 | 219 |
code_change(OldVsn, State, Extra)

decrypt(Term)

-spec decrypt({plaintext, binary()} | {encrypted, binary()}) -> binary().
encrypt(Term)

-spec encrypt(iodata()) -> {plaintext, binary()} | {encrypted, binary()} | binary().
get_config(Config)

-spec get_config(atom()) -> term().
handle_call(_, From, State)

handle_cast(Message, State)

handle_info(Message, State)

init(_)

refresh_config()

-spec refresh_config() -> ok | {error, invalid_config}.
set_fallback_secret(Secret)

-spec set_fallback_secret(binary()) -> ok.
set_secret(Secret)

-spec set_secret(binary()) -> ok.
start_link()

terminate(Reason, State)

534 | 535 | 536 | 537 | 538 | -------------------------------------------------------------------------------- /doc/dist/handlebars.runtime-NWIB6V2M.js: -------------------------------------------------------------------------------- 1 | /**! 2 | 3 | @license 4 | handlebars v4.7.7 5 | 6 | Copyright (C) 2011-2019 by Yehuda Katz 7 | 8 | Permission is hereby granted, free of charge, to any person obtaining a copy 9 | of this software and associated documentation files (the "Software"), to deal 10 | in the Software without restriction, including without limitation the rights 11 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 12 | copies of the Software, and to permit persons to whom the Software is 13 | furnished to do so, subject to the following conditions: 14 | 15 | The above copyright notice and this permission notice shall be included in 16 | all copies or substantial portions of the Software. 17 | 18 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 19 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 20 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 21 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 22 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 23 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 24 | THE SOFTWARE. 
25 | 26 | */(function(r,e){typeof exports=="object"&&typeof module=="object"?module.exports=e():typeof define=="function"&&define.amd?define([],e):typeof exports=="object"?exports.Handlebars=e():r.Handlebars=e()})(this,function(){return function(u){var r={};function e(n){if(r[n])return r[n].exports;var t=r[n]={exports:{},id:n,loaded:!1};return u[n].call(t.exports,t,t.exports,e),t.loaded=!0,t.exports}return e.m=u,e.c=r,e.p="",e(0)}([function(u,r,e){"use strict";var n=e(1).default,t=e(2).default;r.__esModule=!0;var f=e(3),a=n(f),i=e(36),l=t(i),h=e(5),v=t(h),P=e(4),H=n(P),C=e(37),E=n(C),I=e(43),o=t(I);function g(){var y=new a.HandlebarsEnvironment;return H.extend(y,a),y.SafeString=l.default,y.Exception=v.default,y.Utils=H,y.escapeExpression=H.escapeExpression,y.VM=E,y.template=function(p){return E.template(p,y)},y}var w=g();w.create=g,o.default(w),w.default=w,r.default=w,u.exports=r.default},function(u,r){"use strict";r.default=function(e){if(e&&e.__esModule)return e;var n={};if(e!=null)for(var t in e)Object.prototype.hasOwnProperty.call(e,t)&&(n[t]=e[t]);return n.default=e,n},r.__esModule=!0},function(u,r){"use strict";r.default=function(e){return e&&e.__esModule?e:{default:e}},r.__esModule=!0},function(u,r,e){"use strict";var n=e(2).default;r.__esModule=!0,r.HandlebarsEnvironment=g;var t=e(4),f=e(5),a=n(f),i=e(9),l=e(29),h=e(31),v=n(h),P=e(32),H="4.7.7";r.VERSION=H;var C=8;r.COMPILER_REVISION=C;var E=7;r.LAST_COMPATIBLE_COMPILER_REVISION=E;var I={1:"<= 1.0.rc.2",2:"== 1.0.0-rc.3",3:"== 1.0.0-rc.4",4:"== 1.x.x",5:"== 2.0.0-alpha.x",6:">= 2.0.0-beta.1",7:">= 4.0.0 <4.3.0",8:">= 4.3.0"};r.REVISION_CHANGES=I;var o="[object Object]";function g(y,p,R){this.helpers=y||{},this.partials=p||{},this.decorators=R||{},i.registerDefaultHelpers(this),l.registerDefaultDecorators(this)}g.prototype={constructor:g,logger:v.default,log:v.default.log,registerHelper:function(p,R){if(t.toString.call(p)===o){if(R)throw new a.default("Arg not supported with multiple 
helpers");t.extend(this.helpers,p)}else this.helpers[p]=R},unregisterHelper:function(p){delete this.helpers[p]},registerPartial:function(p,R){if(t.toString.call(p)===o)t.extend(this.partials,p);else{if(typeof R>"u")throw new a.default('Attempting to register a partial called "'+p+'" as undefined');this.partials[p]=R}},unregisterPartial:function(p){delete this.partials[p]},registerDecorator:function(p,R){if(t.toString.call(p)===o){if(R)throw new a.default("Arg not supported with multiple decorators");t.extend(this.decorators,p)}else this.decorators[p]=R},unregisterDecorator:function(p){delete this.decorators[p]},resetLoggedPropertyAccesses:function(){P.resetLoggedProperties()}};var w=v.default.log;r.log=w,r.createFrame=t.createFrame,r.logger=v.default},function(u,r){"use strict";r.__esModule=!0,r.extend=a,r.indexOf=v,r.escapeExpression=P,r.isEmpty=H,r.createFrame=C,r.blockParams=E,r.appendContextPath=I;var e={"&":"&","<":"<",">":">",'"':""","'":"'","`":"`","=":"="},n=/[&<>"'`=]/g,t=/[&<>"'`=]/;function f(o){return e[o]}function a(o){for(var g=1;g0?(a.ids&&(a.ids=[a.name]),t.helpers.each(f,a)):i(this);if(a.data&&a.ids){var h=n.createFrame(a.data);h.contextPath=n.appendContextPath(a.data.contextPath,a.name),a={data:h}}return l(f,a)})},u.exports=r.default},function(u,r,e){(function(n){"use strict";var t=e(12).default,f=e(2).default;r.__esModule=!0;var a=e(4),i=e(5),l=f(i);r.default=function(h){h.registerHelper("each",function(v,P){if(!P)throw new l.default("Must pass iterator to #each");var H=P.fn,C=P.inverse,E=0,I="",o=void 0,g=void 0;P.data&&P.ids&&(g=a.appendContextPath(P.data.contextPath,P.ids[0])+"."),a.isFunction(v)&&(v=v.call(this)),P.data&&(o=a.createFrame(P.data));function w(b,F,c){o&&(o.key=b,o.index=F,o.first=F===0,o.last=!!c,g&&(o.contextPath=g+b)),I=I+H(v[b],{data:o,blockParams:a.blockParams([v[b],b],[g+b,null])})}if(v&&typeof v=="object")if(a.isArray(v))for(var y=v.length;E=0?a=i:a=parseInt(a,10)}return a},log:function(a){if(a=t.lookupLevel(a),typeof 
console<"u"&&t.lookupLevel(t.level)<=a){var i=t.methodMap[a];console[i]||(i="log");for(var l=arguments.length,h=Array(l>1?l-1:0),v=1;v=P.LAST_COMPATIBLE_COMPILER_REVISION&&O<=P.COMPILER_REVISION))if(O 2 | 3 | 4 | 5 | credentials_obfuscation v3.4.0 — Documentation 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /doc/search.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Search — credentials_obfuscation v3.4.0 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 38 | 39 |
--------------------------------------------------------------------------------
/include/credentials_obfuscation.hrl:
--------------------------------------------------------------------------------
%% Sentinel held in the credentials_obfuscation_svc state until set_secret/1
%% supplies a real secret. credentials_obfuscation_pbe:encrypt/5 and
%% encrypt_term/5 match on it and return {plaintext, _} instead of encrypting.
-define(PENDING_SECRET, '$pending-secret').

--------------------------------------------------------------------------------
/include/otp_crypto.hrl:
--------------------------------------------------------------------------------
%% Local spellings of the OTP crypto cipher and hash type names used in the
%% credentials_obfuscation_pbe specs. These are spec types only: the set
%% accepted at runtime comes from crypto:supports/1 as filtered by
%% credentials_obfuscation_pbe:supported_ciphers/0, so a name listed here may
%% still be rejected on a given OTP/OpenSSL build.
-type cipher_iv() :: aes_128_cbc
                   | aes_192_cbc
                   | aes_256_cbc
                   | aes_cbc

                   | aes_128_ofb
                   | aes_192_ofb
                   | aes_256_ofb

                   | aes_128_cfb128
                   | aes_192_cfb128
                   | aes_256_cfb128
                   | aes_cfb128

                   | aes_128_cfb8
                   | aes_192_cfb8
                   | aes_256_cfb8
                   | aes_cfb8

                   | aes_128_ctr
                   | aes_192_ctr
                   | aes_256_ctr
                   | aes_ctr

                   | blowfish_cbc
                   | blowfish_cfb64
                   | blowfish_ofb64
                   | chacha20
                   | des_ede3_cbc
                   | des_ede3_cfb

                   | des_cbc
                   | des_cfb
                   | rc2_cbc .


%% Hash families usable as the PBKDF2 PRF. md5/md4 are retained only for
%% compatibility; nothing on this page selects them (default_hash/0 is sha256).
-type sha3() :: sha3_224 | sha3_256 | sha3_384 | sha3_512 .
-type sha3_xof() :: shake128 | shake256 .
-type blake2() :: blake2b | blake2s .
-type compatibility_only_hash() :: md5 | md4 .
-type hash_algorithm() :: crypto:sha1() | crypto:sha2() | sha3() | sha3_xof() | blake2() | ripemd160 | compatibility_only_hash() .

--------------------------------------------------------------------------------
/priv/schema/credentials_obfuscation.schema:
--------------------------------------------------------------------------------
% ==============================
% Credentials Obfuscation schema
% ==============================

% Master switch. When false, credentials_obfuscation_svc hands values back
% unchanged from both encrypt/1 and decrypt/1.
{mapping, "credentials_obfuscation.enabled", "credentials_obfuscation.enabled",
 [{datatype, {enum, [true, false]}}]}.

% Cipher name. The raw atom is accepted here; the translation that follows
% this mapping rejects anything outside supported_ciphers/0.
{mapping, "credentials_obfuscation.cipher", "credentials_obfuscation.cipher",
 [{datatype, atom}]}.
% Allowlist check: only ciphers that the running crypto library reports and
% that credentials_obfuscation_pbe:supported_ciphers/0 keeps (IV-based,
% non-AEAD, non-ECB modes) pass; anything else fails configuration load
% rather than falling through to a weaker or unsupported algorithm.
{translation, "credentials_obfuscation.cipher",
 fun(Conf) ->
         case cuttlefish:conf_get("credentials_obfuscation.cipher", Conf, undefined) of
             undefined -> cuttlefish:unset();
             Setting ->
                 case
                     lists:member(Setting,
                                  credentials_obfuscation_pbe:supported_ciphers())
                 of
                     true ->
                         Setting;
                     false ->
                         cuttlefish:invalid("Unsupported cipher")
                 end
         end
 end}.


% Hash used as the PBKDF2 PRF when deriving the key from the secret.
{mapping, "credentials_obfuscation.hash", "credentials_obfuscation.hash",
 [{datatype, atom}]}.

% Same allowlist pattern as the cipher: validated against what the runtime
% crypto library supports (credentials_obfuscation_pbe:supported_hashes/0).
{translation, "credentials_obfuscation.hash",
 fun(Conf) ->
         case cuttlefish:conf_get("credentials_obfuscation.hash", Conf, undefined) of
             undefined -> cuttlefish:unset();
             Setting ->
                 case
                     lists:member(Setting,
                                  credentials_obfuscation_pbe:supported_hashes())
                 of
                     true ->
                         Setting;
                     false ->
                         cuttlefish:invalid("Unsupported hash")
                 end
         end
 end}.

% PBKDF2 iteration count. Must be >= 1; the library default is 1 (see
% credentials_obfuscation_pbe:default_iterations/0).
{mapping, "credentials_obfuscation.iterations", "credentials_obfuscation.iterations",
 [{datatype, integer}, {validators, ["non_zero_positive_integer"]}]}.

{validator, "non_zero_positive_integer", "number should be greater or equal to one",
 fun(Int) when is_integer(Int) ->
         Int >= 1
 end}.

--------------------------------------------------------------------------------
/rebar.config:
--------------------------------------------------------------------------------
{minimum_otp_vsn, "23.2"}.
{erl_opts, []}.
{deps, []}.

{shell, [
  % {config, "config/sys.config"},
  {apps, [credentials_obfuscation]}
]}.

{dialyzer, [
  {warnings, [error_handling, unmatched_returns]},
  % public_key is needed for pubkey_pbe:pbdkdf2/7 used by the pbe module.
  {plt_extra_apps, [public_key]}
]}.

{xref_extra_paths, ["test"]}.
{xref_checks, [
  undefined_function_calls,
  undefined_functions,
  locals_not_used,
  % exports_not_used,
  deprecated_function_calls,
  deprecated_functions
]}.

{project_plugins, [rebar3_hex, rebar3_ex_doc]}.

{hex, [{doc, ex_doc}]}.

--------------------------------------------------------------------------------
/rebar.lock:
--------------------------------------------------------------------------------
[].

--------------------------------------------------------------------------------
/src/credentials_obfuscation.app.src:
--------------------------------------------------------------------------------
%% NOTE(review): the generated doc pages earlier on this page are labelled
%% v3.4.0 while vsn here is 3.5.0; the docs appear to be a release behind.
%% NOTE(review): credentials_obfuscation_pbe:make_key/5 calls
%% pubkey_pbe:pbdkdf2/7, which lives in OTP's public_key application, but
%% public_key is not listed under applications below (only in the dialyzer
%% plt_extra_apps in rebar.config) - confirm it is present in releases.
{application,credentials_obfuscation,
 [{description,"Helper library that obfuscates sensitive values in process state"},
  {vsn,"3.5.0"},
  {licenses,["MPL2.0","ASL2"]},
  {links,[{"GitHub",
           "https://github.com/rabbitmq/credentials-obfuscation"}]},
  {registered,[]},
  {mod,{credentials_obfuscation_app,[]}},
  {applications,[kernel,stdlib,crypto]},
  %% Encryption is on by default; see the schema/env handling in
  %% credentials_obfuscation_svc:get_config_values/0.
  {env,[{enabled,true}]},
  {modules,[]}]}.

--------------------------------------------------------------------------------
/src/credentials_obfuscation.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2019-2022 VMware, Inc. or its affiliates. All rights reserved.
%%

%% Public facade. Every function here is a thin wrapper over the
%% credentials_obfuscation_svc gen_server; no crypto happens in this module.
-module(credentials_obfuscation).

%% Configuration API
-export([enabled/0, cipher/0, hash/0, iterations/0, secret/0]).

%% API
-export([set_secret/1, set_fallback_secret/1, encrypt/1, decrypt/1, refresh_config/0]).

%% Whether values are currently being encrypted (false means pass-through).
-spec enabled() -> boolean().
enabled() ->
    credentials_obfuscation_svc:get_config(enabled).
-spec cipher() -> atom().
cipher() ->
    credentials_obfuscation_svc:get_config(cipher).

-spec hash() -> atom().
hash() ->
    credentials_obfuscation_svc:get_config(hash).

-spec iterations() -> non_neg_integer().
iterations() ->
    credentials_obfuscation_svc:get_config(iterations).

%% Returns the raw secret (or '$pending-secret' before set_secret/1 was
%% called). This hands key material to any local caller, so call sites are
%% themselves sensitive; avoid logging the result.
-spec secret() -> binary() | '$pending-secret'.
secret() ->
    credentials_obfuscation_svc:get_config(secret).

%% Installs the secret used for all subsequent encrypt/decrypt calls.
%% Only binaries are accepted (function_clause otherwise).
-spec set_secret(binary()) -> ok.
set_secret(Secret) when is_binary(Secret) ->
    ok = credentials_obfuscation_svc:set_secret(Secret).


%% Secondary secret tried by decrypt/1 when the primary one fails, e.g.
%% during a secret rotation.
-spec set_fallback_secret(binary()) -> ok.
set_fallback_secret(Secret) when is_binary(Secret) ->
    ok = credentials_obfuscation_svc:set_fallback_secret(Secret).

%% none/undefined pass straight through so callers can wrap optional fields.
%% NOTE(review): when the service is disabled, credentials_obfuscation_svc
%% returns the bare binary (its own spec includes binary()), which this spec
%% does not list.
-spec encrypt(none | undefined) -> none | undefined;
             (iodata()) -> {plaintext, binary()} | {encrypted, binary()}.
encrypt(none) -> none;
encrypt(undefined) -> undefined;
encrypt(Term) ->
    credentials_obfuscation_svc:encrypt(Term).

-spec decrypt(none | undefined) -> none | undefined;
             ({plaintext, binary()} | {encrypted, binary()}) -> binary().
decrypt(none) -> none;
decrypt(undefined) -> undefined;
decrypt(Term) ->
    credentials_obfuscation_svc:decrypt(Term).

%% Re-reads the application environment; the installed secret is kept.
-spec refresh_config() -> ok | {error, invalid_config}.
refresh_config() ->
    credentials_obfuscation_svc:refresh_config().

--------------------------------------------------------------------------------
/src/credentials_obfuscation_app.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2019-2022 VMware, Inc. or its affiliates. All rights reserved.
%%

-module(credentials_obfuscation_app).

-behaviour(application).

-export([start/2, stop/1]).

%% Application callback: the application is just the supervisor tree rooted
%% at credentials_obfuscation_sup.
-spec start(_,_) -> {'error', _} | {'ok', pid()} | {'ok', pid(), _}.
start(_StartType, _StartArgs) ->
    credentials_obfuscation_sup:start_link().

-spec stop(_) -> 'ok'.
stop(_State) ->
    ok.

--------------------------------------------------------------------------------
/src/credentials_obfuscation_pbe.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2019-2022 VMware, Inc. or its affiliates. All rights reserved.
%%

%% Password-based encryption primitives. A key is derived from a caller
%% supplied secret with PBKDF2-HMAC (see make_key/5) and used with an
%% IV-based cipher. The module is stateless: cipher, hash, iteration count
%% and secret are passed in on every call by credentials_obfuscation_svc.
-module(credentials_obfuscation_pbe).

-include("credentials_obfuscation.hrl").
-include("otp_crypto.hrl").

-export([supported_ciphers/0, supported_hashes/0, default_cipher/0, default_hash/0, default_iterations/0]).
-export([encrypt_term/5, decrypt_term/5]).
-export([encrypt/5, decrypt/5]).


%% Supported ciphers and hashes

%% We only support block ciphers that use an initialization vector.

%% AEAD ciphers expect Associated Data (AD), which we don't have. It would be
%% convenient if there was a way to get this list rather than hardcode it:
%% https://bugs.erlang.org/browse/ERL-1479.
%% Consequence worth knowing: since no AEAD mode is used and no separate MAC
%% is added, ciphertext integrity is not verified by this module; the only
%% tamper/wrong-key signal is the value tag check in
%% credentials_obfuscation_svc:try_decrypt/5.
-define(AEAD_CIPHERS, [aes_gcm, aes_ccm, chacha20_poly1305]).

%% Ciphers the runtime crypto library supports, minus ECB (no IV, hence
%% deterministic) and the AEAD modes (ccm/gcm by mode, plus the explicit
%% list above for names whose mode lookup does not say so).
supported_ciphers() ->
    SupportedByCrypto = crypto:supports(ciphers),
    lists:filter(fun(Cipher) ->
                         Mode = maps:get(mode, crypto:cipher_info(Cipher)),
                         not lists:member(Mode, [ccm_mode, ecb_mode, gcm_mode])
                 end,
                 SupportedByCrypto) -- ?AEAD_CIPHERS.

%% Everything the runtime crypto library reports, unfiltered; this includes
%% legacy digests such as md5 if the build offers them. The hash is used only
%% as the PBKDF2 PRF.
supported_hashes() ->
    crypto:supports(hashs).
%% Default encryption parameters.
default_cipher() ->
    aes_128_cbc.

default_hash() ->
    sha256.

%% A single PBKDF2 iteration: this offers no key stretching, so the scheme's
%% strength rests on the secret itself being high-entropy. The callers
%% visible on this page (check/3 and the test suite) use
%% crypto:strong_rand_bytes(128); deployments passing a human-chosen secret
%% should raise credentials_obfuscation.iterations - TODO confirm policy.
default_iterations() ->
    1.

%% Encryption/decryption of arbitrary Erlang terms.

%% Before a secret is installed the term is returned untouched, tagged so
%% decrypt_term/5 can recognise it.
encrypt_term(_Cipher, _Hash, _Iterations, ?PENDING_SECRET, Term) ->
    {plaintext, Term};
encrypt_term(Cipher, Hash, Iterations, Secret, Term) ->
    encrypt(Cipher, Hash, Iterations, Secret, term_to_binary(Term)).

decrypt_term(_Cipher, _Hash, _Iterations, _Secret, {plaintext, Term}) ->
    Term;
%% Despite the name, the second argument passed in from the service is the
%% whole {encrypted, Base64} tuple that decrypt/5 matches on.
%% NOTE(review): binary_to_term/1 is used without the `safe' option, so a
%% decryption under a wrong secret can materialise whatever term the junk
%% bytes happen to encode (including new atoms). Acceptable while the only
%% inputs are values this library produced earlier; do not feed it
%% ciphertext from untrusted sources.
decrypt_term(Cipher, Hash, Iterations, Secret, Base64Binary) ->
    binary_to_term(decrypt(Cipher, Hash, Iterations, Secret, Base64Binary)).

%% The cipher for encryption is from the list of supported ciphers.
%% The hash for generating the key from the secret is from the list
%% of supported hashes. See crypto:supports/0 to obtain both lists.
%% The key is generated by applying the hash N times with N >= 1.
%%
%% The encrypt/5 function returns {encrypted, Base64Binary} (or
%% {plaintext, _} while the secret is pending) and the decrypt/5
%% function accepts that same tuple.

%% Each call draws a fresh 16-byte salt (for the KDF) and a fresh random IV
%% of the cipher's required length, so encrypting the same value twice gives
%% different outputs. Lists are converted with list_to_binary/1, so only
%% byte lists are accepted, not general iolists.
-spec encrypt(cipher_iv(), hash_algorithm(),
              pos_integer(), iodata() | '$pending-secret', iodata()) -> {plaintext, binary()} | {encrypted, binary()}.
encrypt(_Cipher, _Hash, _Iterations, ?PENDING_SECRET, ClearText) ->
    {plaintext, iolist_to_binary(ClearText)};
encrypt(Cipher, Hash, Iterations, Secret, ClearText) when is_list(ClearText) ->
    encrypt(Cipher, Hash, Iterations, Secret, list_to_binary(ClearText));
encrypt(Cipher, Hash, Iterations, Secret, ClearText) when is_binary(ClearText) ->
    Salt = crypto:strong_rand_bytes(16),
    Ivec = crypto:strong_rand_bytes(iv_length(Cipher)),
    Key = make_key(Cipher, Hash, Iterations, Secret, Salt),
    Binary = crypto:crypto_one_time(Cipher, Key, Ivec, pad(Cipher, ClearText), true),
    %% NOTE(review): the binary construction inside base64:encode/1 was lost
    %% when this page was extracted; decrypt/5 expects the layout
    %% Salt (16 bytes) ++ Ivec ++ ciphertext.
    Encrypted = base64:encode(<>),
    {encrypted, Encrypted}.
%% Inverse of encrypt/5. There is no integrity check: a wrong secret or a
%% modified ciphertext yields garbage (or a badmatch/badarg from the binary
%% pattern or unpad/1) rather than a clean error, which is why the service
%% wraps this in try_decrypt/5 and checks a value tag afterwards. Inputs
%% shorter than 16 + iv_length bytes fail the pattern match below.
-spec decrypt(cipher_iv(), hash_algorithm(),
              pos_integer(), iodata(), {'encrypted', binary() | [1..255]} | {'plaintext', _}) -> any().
decrypt(_Cipher, _Hash, _Iterations, _Secret, {plaintext, ClearText}) ->
    ClearText;
decrypt(Cipher, Hash, Iterations, Secret, {encrypted, Base64Binary}) ->
    IvLength = iv_length(Cipher),
    << Salt:16/binary, Ivec:IvLength/binary, Binary/bits >> = base64:decode(Base64Binary),
    Key = make_key(Cipher, Hash, Iterations, Secret, Salt),
    unpad(crypto:crypto_one_time(Cipher, Key, Ivec, Binary, false)).

%% Generate a key from a secret.

%% PBKDF2 with HMAC-<Hash> as the PRF, producing exactly the cipher's key
%% length. The 3DES variants want their 24-byte key as a list of three
%% 8-byte parts, which is what the if-branch produces.
make_key(Cipher, Hash, Iterations, Secret, Salt) ->
    Key = pubkey_pbe:pbdkdf2(Secret, Salt, Iterations, key_length(Cipher),
                             fun hmac/4, Hash, hash_length(Hash)),
    if
        Cipher =:= des3_cbc; Cipher =:= des3_cbf; Cipher =:= des3_cfb;
        Cipher =:= des_ede3; Cipher =:= des_ede3_cbc;
        Cipher =:= des_ede3_cbf; Cipher =:= des_ede3_cfb ->
            << A:8/binary, B:8/binary, C:8/binary >> = Key,
            [A, B, C];
        true ->
            Key
    end.

%% PRF adapter in the shape pubkey_pbe:pbdkdf2/7 expects.
hmac(SubType, Key, Data, MacLength) ->
    crypto:macN(hmac, SubType, Key, Data, MacLength).

%% Functions to pad/unpad input to a multiplier of block size.

%% PKCS#7-style: always appends N bytes each of value N, with
%% 1 =< N =< BlockSize, so an input that is already block aligned gets a full
%% block of padding.
pad(Cipher, Data) ->
    BlockSize = block_size(Cipher),
    N = BlockSize - (byte_size(Data) rem BlockSize),
    Pad = list_to_binary(lists:duplicate(N, N)),
    %% NOTE(review): the Data ++ Pad binary construction here was lost in
    %% page extraction.
    <>.

%% Strips N trailing bytes where N is the last byte. The padding bytes are
%% not verified (no check that they all equal N, that N >= 1, or that
%% N =< block size); N larger than the data raises badarg from binary:part/3
%% and N == 0 returns the data unchanged. Callers rely on try_decrypt/5 to
%% catch the failure cases.
unpad(Data) ->
    N = binary:last(Data),
    binary:part(Data, 0, byte_size(Data) - N).

hash_length(Type) ->
    maps:get(size, crypto:hash_info(Type)).

iv_length(Type) ->
    maps:get(iv_length, crypto:cipher_info(Type)).

key_length(Type) ->
    maps:get(key_length, crypto:cipher_info(Type)).

block_size(Type) ->
    maps:get(block_size, crypto:cipher_info(Type)).
--------------------------------------------------------------------------------
/src/credentials_obfuscation_sup.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2019-2022 VMware, Inc. or its affiliates. All rights reserved.
%%

%% Top-level supervisor; its only child is the credentials_obfuscation_svc
%% gen_server that holds the secret and configuration.
-module(credentials_obfuscation_sup).

-behaviour(supervisor).

%% API
-export([start_link/0]).

%% Supervisor callbacks
-export([init/1]).

%% ===================================================================
%% API functions
%% ===================================================================

-spec start_link() -> 'ignore' | {'error', _} | {'ok', pid()}.
start_link() ->
    supervisor:start_link({local, ?MODULE}, ?MODULE, []).

%% ===================================================================
%% Supervisor callbacks
%% ===================================================================

%% One restart within 5 seconds is tolerated before the supervisor itself
%% gives up. Note that a restarted credentials_obfuscation_svc comes back
%% with secret = '$pending-secret' (see its init_state/0): until set_secret/1
%% is called again, new values are returned as {plaintext, _} and previously
%% encrypted values cannot be decrypted.
init([]) ->
    SupFlags = #{
                 strategy => one_for_one,
                 intensity => 1,
                 period => 5
                },
    ChildSpec = #{
                  %% NOTE(review): child id is spelled "obfuscaton" (missing
                  %% an "i"); harmless, since the id is only used inside this
                  %% supervisor, but easy to mis-grep.
                  id => credentials_obfuscaton_svc,
                  start => {credentials_obfuscation_svc, start_link, []}
                 },
    {ok, {SupFlags, [ChildSpec]}}.

--------------------------------------------------------------------------------
/src/credentials_obfuscation_svc.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2019-2022 VMware, Inc. or its affiliates.
All rights reserved.
%%

%% Single gen_server that owns the secret, the fallback secret and the
%% cipher/hash/iterations policy, and performs every encrypt/decrypt on
%% behalf of callers. Keeping the key material in one process (rather than
%% in each caller's state) is the point of the library.
-module(credentials_obfuscation_svc).

-behaviour(gen_server).

-include("credentials_obfuscation.hrl").

%% API functions
-export([start_link/0,
         get_config/1,
         refresh_config/0,
         set_secret/1,
         set_fallback_secret/1,
         encrypt/1,
         decrypt/1]).

%% gen_server callbacks
-export([init/1,
         handle_call/3,
         handle_cast/2,
         handle_info/2,
         terminate/2,
         code_change/3]).

%% secret starts as '$pending-secret' (see init_state/0) and is only ever
%% replaced through set_secret/1; fallback_secret is tried on decrypt when
%% the primary secret fails.
-record(state, {enabled :: boolean(),
                cipher :: atom(),
                hash :: atom(),
                iterations :: non_neg_integer(),
                secret :: binary() | '$pending-secret',
                fallback_secret :: binary() | undefined}).

%% Call timeout (ms) for encrypt/1 and decrypt/1. get_config/1,
%% refresh_config/0 and the set_* calls use the gen_server:call/2 default.
-define(TIMEOUT, 30000).
%% Tag wrapped around every value before encryption so that decryption
%% under the wrong secret is detectable (see try_decrypt/5).
-define(VALUE_TAG, credentials_obfuscation).

%%%===================================================================
%%% API functions
%%%===================================================================

start_link() ->
    gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).

%% Reads one state field by name; get_config(secret) returns the raw secret.
-spec get_config(atom()) -> term().
get_config(Config) ->
    gen_server:call(?MODULE, {get_config, Config}).

-spec refresh_config() -> ok | {error, invalid_config}.
refresh_config() ->
    gen_server:call(?MODULE, refresh_config).

-spec set_secret(binary()) -> ok.
set_secret(Secret) when is_binary(Secret) ->
    gen_server:call(?MODULE, {set_secret, Secret}).

-spec set_fallback_secret(binary()) -> ok.
set_fallback_secret(Secret) when is_binary(Secret) ->
    gen_server:call(?MODULE, {set_fallback_secret, Secret}).


%% binary() in the return type is the disabled case: the value comes back
%% untagged.
-spec encrypt(iodata()) -> {plaintext, binary()} | {encrypted, binary()} | binary().
%% Converts the input to a binary first (to_binary/1 raises badarg without
%% exposing the value) and then asks the server to encrypt it. Any failure
%% of the call degrades to {plaintext, Bin}; see the comments inside.
encrypt(Term) ->
    Bin = to_binary(Term),
    try
        gen_server:call(?MODULE, {encrypt, Bin}, ?TIMEOUT)
    catch exit:{timeout, _} ->
            %% We treat timeouts the same way we do other "encryption is impossible"
            %% scenarios: return the original value. This won't be acceptable to every user
            %% but might be to some. There is no right or wrong answer to whether
            %% availability or security are more important, so the users have to decide
            %% whether using {plaintext, Term} results is appropriate in their specific case.
            {plaintext, Bin};
          _:_ ->
            %% see above. Note this clause also covers exit:{noproc, _}, i.e.
            %% the service not running at all, so a missing or crashed
            %% service silently turns encryption into plaintext storage;
            %% operators who need to notice that should monitor the
            %% supervisor rather than rely on encrypt/1 failing.
            {plaintext, Bin}
    end.

%% No catch here: a timeout or missing service surfaces to the caller as an
%% exit, unlike encrypt/1.
-spec decrypt({plaintext, binary()} | {encrypted, binary()}) -> binary().
decrypt(Term) ->
    gen_server:call(?MODULE, {decrypt, Term}, ?TIMEOUT).

%%%===================================================================
%%% gen_server callbacks
%%%===================================================================

%% Fails (and so fails application start) if the configured cipher/hash/
%% iterations cannot complete a round trip; see init_state/0 and check/3.
init([]) ->
    init_state().
%% get_config: plain field reads. The secret clause returns key material to
%% the caller.
handle_call({get_config, enabled}, _From, #state{enabled=Enabled}=State) ->
    {reply, Enabled, State};
handle_call({get_config, cipher}, _From, #state{cipher=Cipher}=State) ->
    {reply, Cipher, State};
handle_call({get_config, hash}, _From, #state{hash=Hash}=State) ->
    {reply, Hash, State};
handle_call({get_config, iterations}, _From, #state{iterations=Iterations}=State) ->
    {reply, Iterations, State};
handle_call({get_config, secret}, _From, #state{secret=Secret}=State) ->
    {reply, Secret, State};
%% A failed refresh (check/3 raising) leaves the previous state in place.
handle_call(refresh_config, _From, State0) ->
    try refresh_config(State0) of
        State1 ->
            {reply, ok, State1}
    catch _:_ ->
            {reply, {error, invalid_config}, State0}
    end;
%% Disabled: the value goes back exactly as received, untagged.
handle_call({encrypt, Term}, _From, #state{enabled=false}=State) ->
    {reply, Term, State};
handle_call({encrypt, Term}, _From, #state{cipher=Cipher,
                                           hash=Hash,
                                           iterations=Iterations,
                                           secret=Secret} = State) ->
    % We need to wrap the data in a tuple to be able to say if the decryption was
    % successful or not. We may just receive junk data if the secret is incorrect
    % upon decryption.
    ClearText = {?VALUE_TAG, Term},
    Encrypted = credentials_obfuscation_pbe:encrypt_term(Cipher, Hash, Iterations, Secret, ClearText),
    case Encrypted of
        %% Secret still pending: strip the tag again so callers see the
        %% documented {plaintext, Binary} shape.
        {plaintext, {?VALUE_TAG, Term}} ->
            {reply, {plaintext, Term}, State};
        _ -> {reply, Encrypted, State}
    end;
%% Disabled: even an {encrypted, _} tuple is handed back untouched.
handle_call({decrypt, Term}, _From, #state{enabled=false}=State) ->
    {reply, Term, State};
handle_call({decrypt, {plaintext, Term}}, _From, State) ->
    {reply, Term, State};
%% Primary secret first, then the fallback (undefined until set). If both
%% fail the original {encrypted, _} term is returned as-is; the caller gets
%% no error and the failure reason from try_decrypt/5 is dropped here.
handle_call({decrypt, Term}, _From, #state{cipher=Cipher,
                                           hash=Hash,
                                           iterations=Iterations,
                                           secret=Secret,
                                           fallback_secret=FallbackSecret}=State) ->
    case try_decrypt(Cipher, Hash, Iterations, Secret, Term) of
        {ok, Decrypted} ->
            {reply, Decrypted, State};
        {error, _E} ->
            case try_decrypt(Cipher, Hash, Iterations, FallbackSecret, Term) of
                {ok, Decrypted2} ->
                    {reply, Decrypted2, State};
                _E2 ->
                    {reply, Term, State}
            end
    end;
%% Replacing the secret does not re-encrypt anything; values encrypted under
%% the old secret only remain readable if it is installed as the fallback.
handle_call({set_secret, Secret}, _From, State0) ->
    State1 = State0#state{secret = Secret},
    {reply, ok, State1};
handle_call({set_fallback_secret, Secret}, _From, State0) ->
    State1 = State0#state{fallback_secret = Secret},
    {reply, ok, State1}.

handle_cast(_Message, State) ->
    {noreply, State}.

handle_info(_Message, State) ->
    {noreply, State}.

terminate(_Reason, _State) ->
    ok.

code_change(_OldVsn, State, _Extra) ->
    {ok, State}.


%% Builds the initial state from the application environment. check/3 is
%% run unconditionally here (unlike refresh_config/1), so an unusable
%% cipher/hash makes init fail. The secret always starts as pending; it is
%% never read from the environment by this module.
-spec init_state() -> {'ok', #state{enabled::boolean(), cipher::atom(), hash::atom(), iterations::pos_integer(), secret::'$pending-secret'}}.
init_state() ->
    {ok, Enabled, Cipher, Hash, Iterations} = get_config_values(),
    ok = check(Cipher, Hash, Iterations),
    State = #state{enabled = Enabled, cipher = Cipher, hash = Hash,
                   iterations = Iterations, secret = ?PENDING_SECRET},
    {ok, State}.
%% Re-reads cipher/hash/iterations/enabled from the environment, keeping the
%% installed secret (and, via the record update, the fallback secret). The
%% round-trip check is skipped while disabled, so an invalid cipher can be
%% stored then; it will be caught on the next refresh that enables it.
-spec refresh_config(#state{enabled::boolean(), cipher::atom(), hash::atom(), iterations::non_neg_integer(), secret::'$pending-secret' | binary()}) ->
          #state{enabled::boolean(), cipher::atom(), hash::atom(), iterations::non_neg_integer(), secret::'$pending-secret' | binary()}.
refresh_config(#state{secret=Secret}=State0) ->
    {ok, Enabled, Cipher, Hash, Iterations} = get_config_values(),
    ok = case Enabled of
             true -> check(Cipher, Hash, Iterations);
             false -> ok
         end,
    State0#state{enabled = Enabled, cipher = Cipher, hash = Hash,
                 iterations = Iterations, secret = Secret}.

%% Environment lookups with the library defaults. No `secret' key is read
%% here; the secret only ever arrives through set_secret/1.
get_config_values() ->
    Enabled = application:get_env(credentials_obfuscation, enabled, true),
    Cipher = application:get_env(credentials_obfuscation, cipher,
                                 credentials_obfuscation_pbe:default_cipher()),
    Hash = application:get_env(credentials_obfuscation, hash,
                               credentials_obfuscation_pbe:default_hash()),
    Iterations = application:get_env(credentials_obfuscation, iterations,
                                     credentials_obfuscation_pbe:default_iterations()),
    {ok, Enabled, Cipher, Hash, Iterations}.

%% Self-test: encrypt and decrypt a fixed value under a throwaway random
%% secret. Any mismatch or crash raises (badmatch or whatever pbe throws);
%% the callers decide whether that aborts init or just fails a refresh.
check(Cipher, Hash, Iterations) ->
    Value = <<"dummy">>,
    TempSecret = crypto:strong_rand_bytes(128),
    E = credentials_obfuscation_pbe:encrypt(Cipher, Hash, Iterations, TempSecret, Value),
    Value = credentials_obfuscation_pbe:decrypt(Cipher, Hash, Iterations, TempSecret, E),
    ok.

%% Decrypts and requires the ?VALUE_TAG wrapper to be present; that match is
%% the only integrity check in the scheme, so a wrong secret, corrupted
%% ciphertext or unpad failure all land in the catch-all below. The
%% stacktrace is deliberately not kept.
try_decrypt(Cipher, Hash, Iterations, Secret, Term) ->
    try
        {?VALUE_TAG, Decrypted} =
            credentials_obfuscation_pbe:decrypt_term(Cipher, Hash, Iterations, Secret, Term),
        {ok, Decrypted}
    catch
        ErrorType:Error:_Stacktrace ->
            {error, {ErrorType, Error}}
    end.
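%% Normalises a credential value to a binary. Callers currently rely on
%% this process converting char lists (and other iolists) to binaries.
%%
%% A value that is not a valid iolist (for example a char list holding a
%% code point above 255) is rejected with `badarg' via erlang:error/2,
%% passing `none' as the argument list so that the offending value — which
%% is presumably a credential — is not recorded in the stacktrace and thus
%% cannot end up in a crash report built from it.
to_binary(Term) ->
    case catch iolist_to_binary(Term) of
        {'EXIT', _} ->
            erlang:error(badarg, none);
        Bin ->
            Bin
    end.
--------------------------------------------------------------------------------
/test/credentials_obfuscation_SUITE.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2019-2022 VMware, Inc. or its affiliates. All rights reserved.
%%

-module(credentials_obfuscation_SUITE).
-include_lib("common_test/include/ct.hrl").
-include_lib("eunit/include/eunit.hrl").

-compile(export_all).

%% Common Test entry point: the list of test cases to run.
%%
%% The CI environment and host platform are probed so that cases can be
%% trimmed per platform. Windows-specific exclusions (use_cookie_as_secret,
%% encryption_happens_only_when_secret_available) used to be applied here
%% and are currently disabled: every branch returns the full list.
all() ->
    Cases = [encrypt_decrypt,
             encrypt_decrypt_char_list_value,
             encrypt_decrypt_invalid_char_list_value,
             use_predefined_secret,
             use_cookie_as_secret,
             change_of_secret_returns_passed_in_data,
             fallback_secret,
             encryption_happens_only_when_secret_available,
             change_default_cipher,
             disabled,
             refresh_configuration,
             refresh_configuration_invalid_cipher,
             application_failure_for_invalid_cipher],
    %% os:getenv/1 returns a string or `false', never the atom `true', so
    %% the CI case is matched on the string form; the final clause keeps the
    %% match total so an unexpected platform/CI combination cannot make
    %% all/0 itself fail with case_clause.
    case {os:getenv("GITHUB_ACTIONS"), os:type()} of
        {false, _}           -> Cases;
        {"true", {unix, _}}  -> Cases;
        {_, {win32, _}}      -> Cases;
        {_, _}               -> Cases
    end.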
%% Per-case setup. The default clause starts the application and installs
%% a fresh random 128-byte secret; the named clauses instead tune the
%% application environment first, and some deliberately leave the
%% application stopped so that the case itself controls start-up.
init_per_testcase(disabled, Config) ->
    set_app_env(enabled, false),
    start_app(),
    Config;
init_per_testcase(refresh_configuration, Config) ->
    set_app_env(enabled, true),
    start_app(),
    Config;
init_per_testcase(use_predefined_secret, Config) ->
    set_app_env(secret, <<"credentials-obfuscation#2">>),
    start_app(),
    Config;
init_per_testcase(use_cookie_as_secret, Config) ->
    %% not started here: the case brings up distribution first
    set_app_env(secret, cookie),
    Config;
init_per_testcase(encryption_happens_only_when_secret_available, Config) ->
    %% not started here: the case starts the application without a secret
    set_app_env(enabled, true),
    Config;
init_per_testcase(change_default_cipher, Config) ->
    set_app_env(cipher, aes_256_cbc),
    set_app_env(hash, sha512),
    set_app_env(iterations, 100),
    start_app(),
    Config;
init_per_testcase(application_failure_for_invalid_cipher, Config) ->
    %% not started here: the case asserts that start-up fails
    set_app_env(cipher, dummy_cipher),
    Config;
init_per_testcase(_TestCase, Config) ->
    start_app(),
    ok = credentials_obfuscation:set_secret(crypto:strong_rand_bytes(128)),
    Config.

%% application:set_env/3 for this application, asserting success.
set_app_env(Key, Value) ->
    ok = application:set_env(credentials_obfuscation, Key, Value).

%% Starts the application and its dependencies, asserting success.
start_app() ->
    {ok, _} = application:ensure_all_started(credentials_obfuscation).
%% Per-case teardown: stops the application (tolerating the cases that
%% never started it) and clears every key of its environment so settings
%% cannot leak from one case into the next.
end_per_testcase(_TestCase, Config) ->
    case application:stop(credentials_obfuscation) of
        ok ->
            ok;
        {error, {not_started, credentials_obfuscation}} ->
            ok
    end,
    lists:foreach(fun({Key, _Value}) ->
                          ok = application:unset_env(credentials_obfuscation, Key)
                  end,
                  application:get_all_env(credentials_obfuscation)),
    Config.

%% A binary credential round-trips and is not handed back in the clear.
encrypt_decrypt(_Config) ->
    Plain = <<"guest">>,
    Obfuscated = credentials_obfuscation:encrypt(Plain),
    ?assertNotEqual(Plain, Obfuscated),
    ?assertEqual(Plain, credentials_obfuscation:decrypt(Obfuscated)),
    ok.

%% A char-list credential is accepted and decrypts to the binary form.
encrypt_decrypt_char_list_value(_Config) ->
    Plain = "guest",
    PlainBin = <<"guest">>,
    Obfuscated = credentials_obfuscation:encrypt(Plain),
    ?assertNotEqual(PlainBin, Obfuscated),
    ?assertEqual(PlainBin, credentials_obfuscation:decrypt(Obfuscated)),
    ok.

%% A char list that is not a valid iolist (a code point above 255) is
%% rejected with badarg raised from credentials_obfuscation_svc:to_binary/1;
%% the offending value must not appear in the stacktrace, and the server
%% must survive the call with its secret intact.
encrypt_decrypt_invalid_char_list_value(_Config) ->
    Invalid = "guest " ++ [128557],
    SecretBefore = credentials_obfuscation:secret(),
    ?assert(is_binary(SecretBefore)),

    Outcome =
        try credentials_obfuscation:encrypt(Invalid) of
            _ -> ok
        catch
            Class:Reason:Stack -> {Class, Reason, Stack}
        end,
    %% the top frame is reported with an arity, not an argument list
    ?assertMatch({error, badarg, [{credentials_obfuscation_svc, to_binary, 1, _}|_]}, Outcome),
    %% the server did not crash and kept its original secret
    ?assertEqual(SecretBefore, credentials_obfuscation:secret()),
    ok.

%% Setup placed a predefined secret in the environment; a later
%% set_secret/1 call must still replace it.
use_predefined_secret(_Config) ->
    NewSecret = crypto:strong_rand_bytes(128),
    ok = credentials_obfuscation:set_secret(NewSecret),
    ?assertEqual(NewSecret, credentials_obfuscation:secret()),
    ok.
%% The distribution cookie can serve as the secret: bring up a distributed
%% node, read its cookie and install it through set_secret/1.
use_cookie_as_secret(_Config) ->
    _ = net_kernel:stop(),
    ?assertEqual(nocookie, erlang:get_cookie()),

    %% Start epmd by launching (and immediately halting) a short-lived node
    os:cmd("erl -boot no_dot_erlang -sname epmd-starter -noinput -s erlang halt"),

    {ok, _} = net_kernel:start(['use_cookie_as_secret@localhost']),
    Cookie = erlang:get_cookie(),
    ?assertNotEqual(nocookie, Cookie),
    {ok, _} = application:ensure_all_started(credentials_obfuscation),
    CookieAsSecret = atom_to_binary(Cookie, utf8),
    ok = credentials_obfuscation:set_secret(CookieAsSecret),
    ?assertEqual(CookieAsSecret, credentials_obfuscation:secret()),
    ok = net_kernel:stop().

%% Rotating the secret must not crash credentials_obfuscation_svc; a value
%% encrypted under the previous secret is handed back as-is (still
%% obfuscated) rather than decrypted.
change_of_secret_returns_passed_in_data(_Config) ->
    [OldSecret, NewSecret] = [crypto:strong_rand_bytes(128) || _ <- [1, 2]],
    Uri = <<"amqp://super:secret@localhost:5672">>,
    ok = credentials_obfuscation:set_secret(OldSecret),
    Obfuscated = credentials_obfuscation:encrypt(Uri),
    ok = credentials_obfuscation:set_secret(NewSecret),
    ?assertEqual(Obfuscated, credentials_obfuscation:decrypt(Obfuscated)),
    ok.

%% After a rotation, installing the previous secret as the fallback makes
%% values encrypted under either secret decryptable again.
fallback_secret(_Config) ->
    [OldSecret, NewSecret] = [crypto:strong_rand_bytes(128) || _ <- [1, 2]],
    Uri = <<"amqp://super:secret@localhost:5672">>,
    ok = credentials_obfuscation:set_secret(OldSecret),
    UnderOld = credentials_obfuscation:encrypt(Uri),

    ok = credentials_obfuscation:set_secret(NewSecret),
    UnderNew = credentials_obfuscation:encrypt(Uri),

    %% without a fallback, the old ciphertext comes back untouched
    ?assertEqual(UnderOld, credentials_obfuscation:decrypt(UnderOld)),

    ok = credentials_obfuscation:set_fallback_secret(OldSecret),

    ?assertEqual(Uri, credentials_obfuscation:decrypt(UnderOld)),
    ?assertEqual(Uri, credentials_obfuscation:decrypt(UnderNew)),
    ok.
%% With obfuscation enabled but no secret installed yet, encrypt/1 must not
%% pretend to encrypt: the value is tagged `{plaintext, _}' and decrypt/1
%% unwraps it. Once a secret is present, genuine `{encrypted, _}' values
%% are produced.
encryption_happens_only_when_secret_available(_Config) ->
    _ = net_kernel:stop(),
    Uri = <<"amqp://super:secret@localhost:5672">>,
    {ok, _} = application:ensure_all_started(credentials_obfuscation),

    ?assertEqual(nocookie, erlang:get_cookie()),

    ?assert(credentials_obfuscation:enabled()),
    ?assertEqual('$pending-secret', credentials_obfuscation:secret()),

    %% binary input: wrapped, not encrypted
    Tagged = credentials_obfuscation:encrypt(Uri),
    ?assertEqual({plaintext, Uri}, Tagged),
    ?assertEqual(Uri, credentials_obfuscation:decrypt(Tagged)),

    %% char-list input: converted to a binary, then wrapped the same way
    TaggedFromStr = credentials_obfuscation:encrypt("amqp://super:secret@localhost:5672"),
    ?assertEqual({plaintext, Uri}, TaggedFromStr),
    ?assertEqual(Uri, credentials_obfuscation:decrypt(TaggedFromStr)),

    %% Start epmd by launching (and immediately halting) a short-lived node
    os:cmd("erl -boot no_dot_erlang -sname epmd-starter -noinput -s erlang halt"),

    %% starting distribution creates a cookie, which then becomes the secret
    {ok, _} = net_kernel:start(['use_cookie_as_secret@localhost']),
    Cookie = erlang:get_cookie(),
    ?assertNotEqual(nocookie, Cookie),

    CookieAsSecret = atom_to_binary(Cookie, utf8),
    ok = credentials_obfuscation:set_secret(CookieAsSecret),
    ?assertEqual(CookieAsSecret, credentials_obfuscation:secret()),

    Obfuscated = credentials_obfuscation:encrypt(Uri),
    {encrypted, _} = Obfuscated,
    ?assertEqual(Uri, credentials_obfuscation:decrypt(Obfuscated)),

    ok = net_kernel:stop().
%% Setup overrode cipher, hash and iterations; the service must report the
%% overrides rather than the pbe defaults and still round-trip a value.
change_default_cipher(_Config) ->
    ?assertNotEqual(credentials_obfuscation_pbe:default_cipher(), credentials_obfuscation:cipher()),
    ?assertNotEqual(credentials_obfuscation_pbe:default_hash(), credentials_obfuscation:hash()),
    ?assertNotEqual(credentials_obfuscation_pbe:default_iterations(), credentials_obfuscation:iterations()),
    Plain = <<"guest">>,
    Obfuscated = credentials_obfuscation:encrypt(Plain),
    ?assertNotEqual(Plain, Obfuscated),
    ?assertEqual(Plain, credentials_obfuscation:decrypt(Obfuscated)),
    ok.

%% With obfuscation disabled both directions are pass-through, except that
%% a char list is still normalised to a binary on the way in.
disabled(_Config) ->
    ?assertNot(credentials_obfuscation:enabled()),
    Plain = <<"guest">>,
    ?assertEqual(Plain, credentials_obfuscation:encrypt(Plain)),
    ?assertEqual(Plain, credentials_obfuscation:decrypt(Plain)),

    %% Strings are converted to binaries even if no secret available
    ?assertEqual(Plain, credentials_obfuscation:encrypt("guest")),
    %% NOTE(review): this repeats the binary decrypt assertion above; the
    %% char-list form is never passed to decrypt/1 in this case.
    ?assertEqual(Plain, credentials_obfuscation:decrypt(Plain)),
    ok.

%% Setting `enabled' to false in the environment and calling
%% refresh_config/0 turns the running service into a pass-through.
refresh_configuration(_Config) ->
    ?assert(credentials_obfuscation:enabled()),
    ok = application:set_env(credentials_obfuscation, enabled, false),
    ok = credentials_obfuscation:refresh_config(),
    ?assertNot(credentials_obfuscation:enabled()),
    Value = <<"foobarbazbat">>,
    ?assertEqual(Value, credentials_obfuscation:encrypt(Value)),
    ?assertEqual(Value, credentials_obfuscation:decrypt(Value)),
    ok.
%% A refresh with an unsupported cipher is rejected with
%% `{error, invalid_config}' and leaves the previous, working
%% configuration in place.
refresh_configuration_invalid_cipher(_Config) ->
    ?assert(credentials_obfuscation:enabled()),

    CipherBefore = credentials_obfuscation:cipher(),

    Plain = <<"guest">>,
    Obfuscated = credentials_obfuscation:encrypt(Plain),
    ?assertNotEqual(Plain, Obfuscated),
    ?assertMatch({encrypted, _}, Obfuscated),
    ?assertEqual(Plain, credentials_obfuscation:decrypt(Obfuscated)),

    %% try to load invalid config
    ok = application:set_env(credentials_obfuscation, cipher, dummy_cipher),
    ?assertEqual({error, invalid_config}, credentials_obfuscation:refresh_config()),

    %% cipher is unchanged and encrypting still works
    ?assertEqual(CipherBefore, credentials_obfuscation:cipher()),
    ?assertMatch({encrypted, _}, credentials_obfuscation:encrypt(Plain)),
    ok.

%% Setup put an unsupported cipher in the environment; the application must
%% refuse to start rather than run with a configuration it cannot use.
application_failure_for_invalid_cipher(_Config) ->
    {error, _} = application:ensure_all_started(credentials_obfuscation),
    ok.

--------------------------------------------------------------------------------
/test/credentials_obfuscation_pbe_SUITE.erl:
--------------------------------------------------------------------------------
%% This Source Code Form is subject to the terms of the Mozilla Public
%% License, v. 2.0. If a copy of the MPL was not distributed with this
%% file, You can obtain one at https://mozilla.org/MPL/2.0/.
%%
%% Copyright (c) 2019-2022 VMware, Inc. or its affiliates. All rights reserved.
%%

-module(credentials_obfuscation_pbe_SUITE).
-include_lib("common_test/include/ct.hrl").
-compile(export_all).

%% This cipher is listed as supported on macOS, but doesn't actually work.
%% OTP bug: https://bugs.erlang.org/browse/ERL-1478
-define(SKIPPED_CIPHERS, [aes_ige256]).
%% Hashes excluded from the sweeps below.
-define(SKIPPED_HASHES, [shake128, shake256]).
all() -> [
    encrypt_decrypt,
    encrypt_decrypt_charlist_value,
    encrypt_decrypt_term
].

%% Hashes and ciphers to sweep: everything the pbe module reports as
%% supported, minus the ones excluded above.
hashes_under_test() ->
    credentials_obfuscation_pbe:supported_hashes() -- ?SKIPPED_HASHES.

ciphers_under_test() ->
    credentials_obfuscation_pbe:supported_ciphers() -- ?SKIPPED_CIPHERS.

%% For every hash/cipher pair, encrypt and decrypt binaries of every length
%% from 0 to 64 bytes under a fresh random 16-byte secret and a random
%% iteration count in 1..100.
encrypt_decrypt(_Config) ->
    Hashes = hashes_under_test(),
    Ciphers = ciphers_under_test(),
    lists:foreach(
      fun({H, C}) ->
              Secret = crypto:strong_rand_bytes(16),
              Iterations = rand:uniform(100),
              Data = crypto:strong_rand_bytes(64),
              lists:foreach(
                fun(Len) ->
                        Expected = binary:part(Data, 0, Len),
                        Enc = credentials_obfuscation_pbe:encrypt(C, H, Iterations, Secret, Expected),
                        Expected = iolist_to_binary(credentials_obfuscation_pbe:decrypt(C, H, Iterations, Secret, Enc))
                end,
                lists:seq(0, byte_size(Data)))
      end,
      [{H, C} || H <- Hashes, C <- Ciphers]),
    ok.


%% Same sweep as encrypt_decrypt/1, but the plaintext is handed to
%% encrypt/5 as a char list; decryption still yields the binary.
encrypt_decrypt_charlist_value(_Config) ->
    Hashes = hashes_under_test(),
    Ciphers = ciphers_under_test(),
    lists:foreach(
      fun({H, C}) ->
              Secret = crypto:strong_rand_bytes(16),
              Iterations = rand:uniform(100),
              Data = crypto:strong_rand_bytes(64),
              lists:foreach(
                fun(Len) ->
                        Expected = binary:part(Data, 0, Len),
                        Enc = credentials_obfuscation_pbe:encrypt(C, H, Iterations, Secret, binary_to_list(Expected)),
                        Expected = iolist_to_binary(credentials_obfuscation_pbe:decrypt(C, H, Iterations, Secret, Enc))
                end,
                lists:seq(0, byte_size(Data)))
      end,
      [{H, C} || H <- Hashes, C <- Ciphers]),
    ok.

%% Whole Erlang terms (integers, lists, proplists with strings and atoms,
%% binaries) round-trip through encrypt_term/5 and decrypt_term/5 for every
%% hash/cipher pair, each under a fresh random secret and iteration count.
encrypt_decrypt_term(_Config) ->
    Hashes = hashes_under_test(),
    Ciphers = ciphers_under_test(),
    DataSet = [
        10000,
        [5672],
        [{"127.0.0.1", 5672},
         {"::1", 5672}],
        [{connection, info}, {channel, info}],
        [{cacertfile, "/path/to/testca/cacert.pem"},
         {certfile, "/path/to/server/cert.pem"},
         {keyfile, "/path/to/server/key.pem"},
         {verify, verify_peer},
         {fail_if_no_peer_cert, false}],
        [<<".*">>, <<".*">>, <<".*">>]
    ],
    lists:foreach(
      fun({H, C, Term}) ->
              Secret = crypto:strong_rand_bytes(16),
              Iterations = rand:uniform(100),
              Enc = credentials_obfuscation_pbe:encrypt_term(C, H, Iterations, Secret, Term),
              Term = credentials_obfuscation_pbe:decrypt_term(C, H, Iterations, Secret, Enc)
      end,
      [{H, C, Term} || H <- Hashes, C <- Ciphers, Term <- DataSet]),
    ok.

--------------------------------------------------------------------------------