Fix double-wrapping of encrypted password in etcd client #15192
Merged
michaelklishin merged 2 commits into rabbitmq:main, Dec 31, 2025
The etcd peer discovery plugin crashes during startup when username and
password authentication is configured. The crash occurs with a
`function_clause` error in `rabbit_data_coercion:to_list/1` when it
receives a double-wrapped encrypted password structure like `{encrypted,
{plaintext, Binary}}`.
This change adds authentication to the etcd test suite to reproduce the
bug. The test suite now starts etcd with authentication enabled, creates
a `rabbitmq` user with password `s3kR37`, and passes these credentials
to the etcd client. The test also ensures the `credentials_obfuscation`
application starts before the etcd client to properly encrypt passwords.
The bug occurs in `deobfuscate/1` which wraps an already-encrypted
password with another `{encrypted, ...}` tuple, creating the
double-wrapped structure that causes `to_list/1` to fail.
Fixes rabbitmq#15191
The `deobfuscate/1` function wraps an already-encrypted password with
another `{encrypted, ...}` tuple, creating a double-wrapped structure
like `{encrypted, {encrypted, Binary}}`. This causes
`rabbit_data_coercion:to_list/1` to fail with a `function_clause` error
because it has no clause matching the double-wrapped structure.
This change removes the extra wrapping in `deobfuscate/1`. The password
parameter is already in the correct format `{encrypted, Binary}` or
`{plaintext, Binary}` from the `obfuscate/1` call, so it passes directly
to `credentials_obfuscation:decrypt/1` without modification.
This matches the pattern used in other modules like
`rabbit_federation_util` and `amqp_direct_connection` which call
`credentials_obfuscation:decrypt/1` directly on encrypted values.
Fixes rabbitmq#15191
dd05c92 to b27de42
michaelklishin approved these changes Dec 31, 2025
michaelklishin requested changes Dec 31, 2025
michaelklishin added a commit that referenced this pull request Dec 31, 2025
michaelklishin added a commit that referenced this pull request Dec 31, 2025
#15192 by @lukebakken with a CI fix
michaelklishin added a commit that referenced this pull request Dec 31, 2025
#15192 by @lukebakken with a CI fix (backport #15193)
michaelklishin added a commit that referenced this pull request Feb 24, 2026
Problem
The etcd peer discovery plugin crashes during startup when username and password authentication is configured. The crash occurs with a `function_clause` error in `rabbit_data_coercion:to_list/1` when it receives a double-wrapped encrypted password structure.
The bug is in `deobfuscate/1` which wraps an already-encrypted password with another `{encrypted, ...}` tuple, creating `{encrypted, {encrypted, Binary}}`. This double-wrapped structure causes `to_list/1` to fail because it has no clause matching this pattern.
Solution
This PR removes the extra wrapping in `deobfuscate/1`. The password parameter is already in the correct format `{encrypted, Binary}` or `{plaintext, Binary}` from the `obfuscate/1` call, so it passes directly to `credentials_obfuscation:decrypt/1` without modification.
This matches the pattern used in other modules like `rabbit_federation_util` and `amqp_direct_connection` which call `credentials_obfuscation:decrypt/1` directly on encrypted values.
Testing
Added authentication to the etcd test suite to reproduce and verify the fix. The test suite now starts etcd with authentication enabled, creates a `rabbitmq` user with password, and passes credentials to the etcd client. All tests pass with the fix applied.
Fixes #15191
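
The failure mode described in this PR, as an added Erlang example that is not code from the pull request or from RabbitMQ. `encrypt/1`, `decrypt/1` and `to_list/1` are simplified local stand-ins (assumptions) for the `credentials_obfuscation` and `rabbit_data_coercion` functions, and the pass-through clause in `decrypt/1` is assumed so that the error surfaces in the coercion step as the PR reports.

```erlang
-module(double_wrap_demo).
-export([run/0]).

%% Stand-ins (assumptions) so the module runs without RabbitMQ.
%% The XOR "cipher" is a placeholder and provides no security.
encrypt(Bin) when is_binary(Bin) -> {encrypted, xor_bin(Bin)}.

decrypt({plaintext, Bin}) when is_binary(Bin) -> Bin;
decrypt({encrypted, Bin}) when is_binary(Bin) -> xor_bin(Bin);
decrypt(Other) -> Other.  %% assumption: undecryptable input passes through

xor_bin(Bin) -> << <<(B bxor 16#5A)>> || <<B>> <= Bin >>.

%% Coercion with clauses for plain values only: a tagged tuple matches
%% none of them, which is what raises function_clause.
to_list(V) when is_list(V) -> V;
to_list(V) when is_binary(V) -> binary_to_list(V);
to_list(V) when is_atom(V) -> atom_to_list(V).

%% Buggy shape: re-tags a value that already carries its tag,
%% producing {encrypted, {encrypted, Binary}}.
deobfuscate_buggy(Password) -> to_list(decrypt({encrypted, Password})).

%% Fixed shape: hands the already-tagged value to decrypt unchanged.
deobfuscate_fixed(Password) -> to_list(decrypt(Password)).

run() ->
    Stored = encrypt(<<"s3kR37">>),   %% {encrypted, Binary}
    %% Both tagged forms round-trip through the fixed version.
    "s3kR37" = deobfuscate_fixed(Stored),
    "s3kR37" = deobfuscate_fixed({plaintext, <<"s3kR37">>}),
    %% The buggy version never reaches a usable password.
    Result = try deobfuscate_buggy(Stored)
             catch error:function_clause -> function_clause
             end,
    function_clause = Result,
    ok.
```

Compile with `erlc double_wrap_demo.erl` and call `double_wrap_demo:run().` in an Erlang shell; it returns `ok` only if the fixed version round-trips both tagged forms and the buggy version fails in `to_list/1`.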