[GitHub] [apisix] tzssangglass commented on a diff in pull request #8403: feat: support global data encryption of secret information

Tue, 29 Nov 2022 02:15:47 -0800 


tzssangglass commented on code in PR #8403:
URL: https://github.com/apache/apisix/pull/8403#discussion_r1034556937


##########
apisix/plugin.lua:
##########
@@ -849,6 +850,65 @@ check_plugin_metadata = function(item)
 end
 
 
+local function check_enable_and_get_plugin_schema(name, schema_type)
+    local plugin_schema = local_plugins_hash and local_plugins_hash[name]
+    local schema
+    if schema_type == core.schema.TYPE_CONSUMER then
+        schema = plugin_schema.consumer_schema
+    else
+        schema = plugin_schema.schema
+    end
+
+    return schema
+end
+
+
+local function decrypt_conf(name, conf, schema_type)
+    local enable = core.table.try_read_attr(local_conf, "apisix", 
"data_encryption", "enable")
+    if not enable then
+        return conf
+    end
+
+    local schema = check_enable_and_get_plugin_schema(name, schema_type)
+    if not schema then
+        return
+    end
+
+    for key, props in pairs(schema.properties) do
+        if props.type == "string" and props.encrypted and conf[key] then
+            local encrypted, err = apisix_ssl.aes_decrypt_pkey(conf[key], 
"data_encrypt")
+            if not encrypted then
+                core.log.warn("failed to decrypt the conf of plugin [", name,
+                               "] key [", key, "], err: ", err)
+            else
+                conf[key] = encrypted
+            end
+        end
+    end
+end
+_M.decrypt_conf = decrypt_conf
+
+
+local function encrypt_conf(name, conf, schema_type)
+    local enable = core.table.try_read_attr(local_conf, "apisix", 
"data_encryption", "enable")
+    if not enable then
+        return conf
+    end
+
+    local schema = check_enable_and_get_plugin_schema(name, schema_type)
+    if not schema then
+        return
+    end
+
+    for key, props in pairs(schema.properties) do

Review Comment:
   I know that since this PR does not include this case, we can optimize this 
point in the next PR.



##########
apisix/plugins/basic-auth.lua:
##########
@@ -39,7 +38,7 @@ local consumer_schema = {
     title = "work with consumer object",
     properties = {
         username = { type = "string" },
-        password = { type = "string" },
+        password = { type = "string", encrypted = true },

Review Comment:
   added



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to