spacewander commented on code in PR #8487:
URL: https://github.com/apache/apisix/pull/8487#discussion_r1048077562


##########
apisix/plugin.lua:
##########
@@ -903,19 +926,57 @@ _M.decrypt_conf = decrypt_conf
 local function encrypt_conf(name, conf, schema_type)
     local schema = get_plugin_schema_for_gde(name, schema_type)
     if not schema then
+        core.log.warn("failed to get schema for plugin: ", name)
         return
     end
 
-    for key, props in pairs(schema.properties) do
-        if props.type == "string" and props.encrypted and conf[key] then
-            local encrypted = apisix_ssl.aes_encrypt_pkey(conf[key], 
"data_encrypt")
-            conf[key] = encrypted
+    if schema.encrypt_fields and not core.table.isempty(schema.encrypt_fields) 
then
+        for _, key in ipairs(schema.encrypt_fields) do
+            if conf[key] then
+                local encrypted, err = apisix_ssl.aes_encrypt_pkey(conf[key], 
"data_encrypt")
+                if not encrypted then
+                    core.log.warn("failed to encrypt the conf of plugin [", 
name,
+                                  "] key [", key, "], err: ", err)
+                else
+                    conf[key] = encrypted
+                end
+            elseif core.string.find(key, ".") then
+                -- encrypt fields has indents
+                local res, err = re_split(key, "\\.", "jo")
+                if not res then
+                    core.log.warn("failed to split key [", key, "], err: ", 
err)
+                    return
+                end
+
+                -- we only support two levels
+                if conf[res[1]] and conf[res[1]][res[2]] then
+                    local encrypted, err = apisix_ssl.aes_encrypt_pkey(
+                                           conf[res[1]][res[2]], 
"data_encrypt")
+                    if not encrypted then
+                        core.log.warn("failed to encrypt the conf of plugin 
[", name,
+                                      "] key [", key, "], err: ", err)
+                    else
+                        conf[res[1]][res[2]] = encrypted
+                    end
+                end
+            end
         end
     end
 end
 _M.encrypt_conf = encrypt_conf
 
 
+check_plugin_metadata = function(item)
+    local ok, err = check_single_plugin_schema(item.id, item,
+                                               core.schema.TYPE_METADATA, true)
+    if ok and enable_gde()then
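Review bot: The failure branches in encrypt_conf fail open: when `apisix_ssl.aes_encrypt_pkey` returns nil, both the flat branch and the two-level branch only log at warn level and leave `conf[key]` (or `conf[res[1]][res[2]]`) as plaintext, so the secret is presumably persisted unencrypted while the write still succeeds. The bare `return` after a failed `re_split` goes further, because it abandons every remaining entry in `schema.encrypt_fields`; skipping only that key, or returning the error so the caller can reject the write, would stop one bad field name from disabling encryption for the rest. The new code also drops the old `props.type == "string"` guard, so a non-string `conf[key]` or a non-table `conf[res[1]]` reaches the encrypt and index calls unchecked; a `type(conf[res[1]]) == "table"` test before indexing would cover the nested case. The callers of encrypt_conf are outside the hunk, so whether they can act on a returned error needs confirming.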

Review Comment:
   ```suggestion
       if ok and enable_gde() then
   ```



##########
docs/en/latest/plugins/key-auth.md:
##########
@@ -41,8 +41,6 @@ For Consumer:
 |------|--------|-------------|----------------------------|
 | key  | string | required    | Unique key for a Consumer. |
 
-NOTE: The schema for `key` also defines `encrypted = true`, which means that 
the field will be stored encrypted in etcd. See [encrypted storage 
fields](../plugin-develop.md#encrypted-storage-fields).

Review Comment:
   Why just remove it?



##########
docs/zh/latest/plugins/key-auth.md:
##########
@@ -41,8 +41,6 @@ Consumer 端:
 | ---- | ------ | ------ | 
-------------------------------------------------------------------------------------------------------------
 |
 | key  | string | 是     | 不同的 Consumer 应有不同的 `key`,它应当是唯一的。如果多个 Consumer 
使用了相同的 `key`,将会出现请求匹配异常。 |
 
-注意:`key` 的 schema 中还定义了 `encrypted = true`,这意味着该字段将会被加密存储在 etcd 中。具体参考 
[加密存储字段](../plugin-develop.md#加密存储字段)。

Review Comment:
   Ditto


