From 9a268678c0f473f581d9b9199f74bb0cdae1e1e2 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 21 Mar 2024 17:49:48 +0545 Subject: [PATCH 01/10] feat: enable sensitive fields encryption by default --- conf/config-default.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 8c1f941a3e63..d22dcdb24260 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -118,7 +118,7 @@ apisix: disable_sync_configuration_during_start: false # Safe exit. TO BE REMOVED. data_encryption: # Data encryption settings. - enable_encrypt_fields: false # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema. + enable_encrypt_fields: true # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema. keyring: # This field is used to encrypt the private key of SSL and the `encrypt_fields` # in plugin schema. - qeddd145sfvddff3 # Set the encryption key for AES-128-CBC. It should be a hexadecimal string From e1accceff37acf57c5a2ea99a61ad0fd7bb8a28b Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Fri, 22 Mar 2024 12:02:29 +0545 Subject: [PATCH 02/10] encrypt fields only when using etcd --- apisix/plugin.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apisix/plugin.lua b/apisix/plugin.lua index 3d1256609390..4e8eb63ed5f4 100644 --- a/apisix/plugin.lua +++ b/apisix/plugin.lua @@ -907,7 +907,7 @@ local function enable_gde() if enable_data_encryption == nil then enable_data_encryption = core.table.try_read_attr(local_conf, "apisix", "data_encryption", - "enable_encrypt_fields") + "enable_encrypt_fields") and (core.json.encode(core.config.type) == "etcd") _M.enable_data_encryption = enable_data_encryption end From 7c2994b844aef288030392d85bcc9bfbfb46ad0a Mon Sep 17 00:00:00 2001 
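Review bot: With `enable_encrypt_fields: true` as the shipped default, any deployment that keeps the sample `keyring` entry `qeddd145sfvddff3` (visible in this hunk's context) encrypts its sensitive fields with a key that is public in the repository, which protects nothing from someone who can read the stored configuration. The comment on the changed line should carry that warning, for example `# Enabled by default; replace the sample keyring key below before production use.` The keyring comment asks for a hexadecimal string while the sample value is not hexadecimal, so the two should be reconciled in the same change. How values stored in plaintext before an upgrade are handled once the default flips is not visible here and should be confirmed.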
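Review bot: The added `and (... == "etcd")` clause on the assignment in `enable_gde` switches field encryption off silently for every other config provider, so an operator who sets `enable_encrypt_fields: true` there gets no encryption and no indication of it. A comment on the assignment would document the restriction, e.g. `-- field encryption is only applied when the config provider is etcd`, and a single `core.log.warn` when the setting is true but the provider is not etcd would make it visible at runtime. The same applies to the [PATCH 05/10] hunk, which keeps the clause and only corrects the comparison. `enable_gde` begins and ends outside the hunk, so where the warning belongs relative to the cached value needs to be confirmed against the full function.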
From: Abhishek Choudhary Date: Fri, 22 Mar 2024 12:05:52 +0545 Subject: [PATCH 03/10] make test compatible --- t/plugin/key-auth.t | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index 138f1d647124..d962c3bd0832 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t @@ -23,6 +23,31 @@ use t::APISIX 'no_plan'; repeat_each(2); no_long_string(); no_root_location(); + +add_block_preprocessor(sub { + my ($block) = @_; + + my $user_yaml_config = <<_EOC_; +deployment: + role: traditional + role_traditional: + config_provider: etcd + admin: + admin_key: null +apisix: + node_listen: 1984 + proxy_mode: http&stream + stream_proxy: + tcp: + - 9100 + enable_resolv_search_opt: false + data_encryption: + enable_encrypt_fields: false +_EOC_ + $block->set_value("yaml_config", $user_yaml_config); +}); + + run_tests; __DATA__ From 3c96bbf3593cc8704ce9430284efb05926760cd4 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Fri, 22 Mar 2024 12:10:08 +0545 Subject: [PATCH 04/10] remove trailing space --- t/plugin/key-auth.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index d962c3bd0832..aff44fb0f49a 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t @@ -42,7 +42,7 @@ apisix: - 9100 enable_resolv_search_opt: false data_encryption: - enable_encrypt_fields: false + enable_encrypt_fields: false _EOC_ $block->set_value("yaml_config", $user_yaml_config); }); From b448dcef6418b3cfe3a858025abf868e732678a7 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Fri, 22 Mar 2024 14:35:24 +0545 Subject: [PATCH 05/10] fix condition check --- apisix/plugin.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apisix/plugin.lua b/apisix/plugin.lua index 4e8eb63ed5f4..c6d1232ff6fa 100644 --- a/apisix/plugin.lua +++ b/apisix/plugin.lua 
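Review bot: The new preprocessor in [PATCH 03/10] calls `$block->set_value("yaml_config", $user_yaml_config)` unconditionally, so a test block in this file that declares its own `--- yaml_config` section would have it replaced; guard the call with `if (!defined $block->yaml_config)`. Setting `enable_encrypt_fields: false` for the whole file also means key-auth is no longer exercised under the new default, so at least one block that runs with encryption enabled would be worth adding. A one-line comment above the heredoc stating why this file opts out of the default would save the next reader from guessing.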
@@ -907,7 +907,7 @@ local function enable_gde() if enable_data_encryption == nil then enable_data_encryption = core.table.try_read_attr(local_conf, "apisix", "data_encryption", - "enable_encrypt_fields") and (core.json.encode(core.config.type) == "etcd") + "enable_encrypt_fields") and (core.config.type == "etcd") _M.enable_data_encryption = enable_data_encryption end From f55bd79fff1159f1e7d62ef07bec14c7f1477adc Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Sat, 23 Mar 2024 18:57:59 +0545 Subject: [PATCH 06/10] fix test --- t/node/chash-hashon.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/node/chash-hashon.t b/t/node/chash-hashon.t index b5f3ae18c27a..7329332e3ffa 100644 --- a/t/node/chash-hashon.t +++ b/t/node/chash-hashon.t @@ -55,7 +55,7 @@ __DATA__ "username": "jack", "plugins": { "key-auth": { - "key": "auth-jack" + "key": "re62sf0vRJqOBjvJJ6RUcA==" } } } @@ -83,7 +83,7 @@ __DATA__ "username": "tom", "plugins": { "key-auth": { - "key": "auth-tom" + "key": "RAL/niDfEUpx+ynsoqWDuA==" } } } From 394ec19acbc7aa78dda2dbe4cb69f0bee2da840f Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Sun, 24 Mar 2024 11:25:23 +0545 Subject: [PATCH 07/10] fix test --- t/admin/consumers.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/admin/consumers.t b/t/admin/consumers.t index 916f2a960bb9..e406f6d5924b 100644 --- a/t/admin/consumers.t +++ b/t/admin/consumers.t @@ -87,7 +87,7 @@ passed "desc": "new consumer", "plugins": { "key-auth": { - "key": "auth-one" + "key": "4y+JvURBE6ZwRbbgaryrhg==" } } }, @@ -126,7 +126,7 @@ passed "desc": "new consumer", "plugins": { "key-auth": { - "key": "auth-one" + "key": "4y+JvURBE6ZwRbbgaryrhg==" } } }, From 14bcd0cc258f26ab1258665945b3e9727270a174 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Sun, 24 Mar 2024 12:05:29 +0545 Subject: [PATCH 08/10] fix test --- t/admin/consumers.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
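Review bot: The expected `key` in the first hunk of `t/node/chash-hashon.t` is now an opaque base64 string, so nothing in the test tells a reader that `re62sf0vRJqOBjvJJ6RUcA==` stands for `auth-jack` encrypted under the sample keyring key; the second hunk of that file (`auth-tom`) and both hunks of [PATCH 07/10] in `t/admin/consumers.t` have the same problem. These expectations will break whenever the sample key or the cipher parameters change, so the test description should name the plaintext and the key it depends on, or the block should compute the expected value instead of hard-coding it. In [PATCH 07/10] both `auth-one` expectations become the same ciphertext, which suggests the encryption is deterministic; if that is intended it deserves a sentence in the data_encryption documentation, because equal secrets are then recognisable in storage.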
diff --git a/t/admin/consumers.t b/t/admin/consumers.t index e406f6d5924b..e544bd165d97 100644 --- a/t/admin/consumers.t +++ b/t/admin/consumers.t @@ -126,7 +126,7 @@ passed "desc": "new consumer", "plugins": { "key-auth": { - "key": "4y+JvURBE6ZwRbbgaryrhg==" + "key": "auth-one" } } }, From f8e673743a65e5b30aff6d1073c779428c4ca98f Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Sun, 24 Mar 2024 12:53:46 +0545 Subject: [PATCH 09/10] fix test --- t/plugin/error-log-logger-clickhouse.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/plugin/error-log-logger-clickhouse.t b/t/plugin/error-log-logger-clickhouse.t index 91ef60b187d5..6846f6ef1d24 100644 --- a/t/plugin/error-log-logger-clickhouse.t +++ b/t/plugin/error-log-logger-clickhouse.t @@ -98,7 +98,7 @@ done --- error_log this is a warning message for test2 clickhouse body: INSERT INTO t FORMAT JSONEachRow -clickhouse headers: x-clickhouse-key:a +clickhouse headers: x-clickhouse-key:dpwomMlEsHH2L7wSUi6YiQ== clickhouse headers: x-clickhouse-user:default clickhouse headers: x-clickhouse-database:default --- wait: 3 @@ -133,7 +133,7 @@ clickhouse headers: x-clickhouse-database:default --- error_log this is a warning message for test3 clickhouse body: INSERT INTO t FORMAT JSONEachRow -clickhouse headers: x-clickhouse-key:a +clickhouse headers: x-clickhouse-key:dpwomMlEsHH2L7wSUi6YiQ== clickhouse headers: x-clickhouse-user:default clickhouse headers: x-clickhouse-database:default --- wait: 5 From c48dac57052d18ffadc8347b4bf9694ef270ac54 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Wed, 27 Mar 2024 21:09:15 +0545 Subject: [PATCH 10/10] review suggestion --- t/plugin/key-auth.t | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index aff44fb0f49a..f68fe3088f4d 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t 
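Review bot: Changing the expected log line in `t/plugin/error-log-logger-clickhouse.t` to `x-clickhouse-key:dpwomMlEsHH2L7wSUi6YiQ==` makes the test accept the encrypted value where it previously saw the configured password `a`. If that line reflects the header actually sent to ClickHouse, the plugin is forwarding ciphertext and authentication against a real server would fail. The expectation should stay `clickhouse headers: x-clickhouse-key:a`, with the fix made where the plugin reads its configuration so the field is decrypted before use. The second hunk of this file (test3) carries the same change.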
@@ -28,19 +28,7 @@ add_block_preprocessor(sub { my ($block) = @_; my $user_yaml_config = <<_EOC_; -deployment: - role: traditional - role_traditional: - config_provider: etcd - admin: - admin_key: null apisix: - node_listen: 1984 - proxy_mode: http&stream - stream_proxy: - tcp: - - 9100 - enable_resolv_search_opt: false data_encryption: enable_encrypt_fields: false _EOC_