apache · shreemaan-abhishek · Mar 29, 2024 · Mar 27, 2024 · Mar 27, 2024 · Mar 27, 2024
diff --git a/apisix/plugins/jwe-decrypt.lua b/apisix/plugins/jwe-decrypt.lua
@@ -51,6 +51,7 @@ local consumer_schema = {
         is_base64_encoded = { type = "boolean" },
     },
     required = { "key", "secret" },
+    encrypt_fields = { "key", "secret" },
 }
 
 
@@ -71,15 +72,26 @@ function _M.check_schema(conf, schema_type)
             return false, err
         end
 
-        -- restrict the length of secret, we use A256GCM for encryption,
-        -- so the length should be 32 chars only
-        if conf.is_base64_encoded then
-            if #base64.decode_base64url(conf.secret) ~= 32 then
-                 return false, "the secret length after base64 decode should be 32 chars"
-            end
-        else
-            if #conf.secret ~= 32 then
-                return false, "the secret length should be 32 chars"
+        local local_conf, err = core.config.local_conf(true)
+        if not local_conf then
+            return false, "failed to load the configuration file: " .. err
+        end
+
+        local encrypted = core.table.try_read_attr(local_conf, "apisix", "data_encryption",
+        "enable_encrypt_fields") and (core.config.type == "etcd")
+
+        -- if encrypted, the secret length will exceed 32 so don't check
+        if not encrypted then
+            -- restrict the length of secret, we use A256GCM for encryption,
+            -- so the length should be 32 chars only
+            if conf.is_base64_encoded then
+                if #base64.decode_base64url(conf.secret) ~= 32 then
+                    return false, "the secret length after base64 decode should be 32 chars"
+                end
+            else
+                if #conf.secret ~= 32 then
+                    return false, "the secret length should be 32 chars"
+                end
             end
         end
 

diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua
@@ -268,7 +268,7 @@ local schema = {
             }
         }
     },
-    encrypt_fields = {"client_secret"},
+    encrypt_fields = {"client_secret", "client_rsa_private_key"},
     required = {"client_id", "client_secret", "discovery"}
 }
 

diff --git a/apisix/plugins/openwhisk.lua b/apisix/plugins/openwhisk.lua
@@ -49,7 +49,8 @@ local schema = {
         keepalive_timeout = {type = "integer", minimum = 1000, default = 60000},
         keepalive_pool = {type = "integer", minimum = 1, default = 5}
     },
-    required = {"api_host", "service_token", "namespace", "action"}
+    required = {"api_host", "service_token", "namespace", "action"},
+    encrypt_fields = {"service_token"}
 }
 
 

diff --git a/apisix/utils/redis-schema.lua b/apisix/utils/redis-schema.lua
@@ -44,6 +44,7 @@ local policy_to_additional_properties = {
             },
         },
         required = {"redis_host"},
+        encrypt_fields = {"redis_password"}
     },
     ["redis-cluster"] = {
         properties = {

diff --git a/t/plugin/jwe-decrypt.t b/t/plugin/jwe-decrypt.t
@@ -95,6 +95,10 @@ done
 
 
 === TEST 4: secret length too long
+--- yaml_config
+apisix:
+  data_encryption:
+    enable_encrypt_fields: false
 --- config
     location /t {
         content_by_lua_block {
@@ -115,6 +119,10 @@ done
 
 
 === TEST 5: secret length too long(base64 encode)
+--- yaml_config
+apisix:
+  data_encryption:
+    enable_encrypt_fields: false
 --- config
     location /t {
         content_by_lua_block {