tzssangglass commented on code in PR #8487:
URL: https://github.com/apache/apisix/pull/8487#discussion_r1048421040


##########
apisix/plugin.lua:
##########
@@ -903,19 +926,57 @@ _M.decrypt_conf = decrypt_conf
 local function encrypt_conf(name, conf, schema_type)
     local schema = get_plugin_schema_for_gde(name, schema_type)
     if not schema then
+        core.log.warn("failed to get schema for plugin: ", name)
         return
     end
 
-    for key, props in pairs(schema.properties) do
-        if props.type == "string" and props.encrypted and conf[key] then
-            local encrypted = apisix_ssl.aes_encrypt_pkey(conf[key], 
"data_encrypt")
-            conf[key] = encrypted
+    if schema.encrypt_fields and not core.table.isempty(schema.encrypt_fields) 
then
+        for _, key in ipairs(schema.encrypt_fields) do
+            if conf[key] then
+                local encrypted, err = apisix_ssl.aes_encrypt_pkey(conf[key], 
"data_encrypt")
+                if not encrypted then
+                    core.log.warn("failed to encrypt the conf of plugin [", 
name,
+                                  "] key [", key, "], err: ", err)
+                else
+                    conf[key] = encrypted
+                end
+            elseif core.string.find(key, ".") then
+                -- encrypt fields has indents
+                local res, err = re_split(key, "\\.", "jo")
+                if not res then
+                    core.log.warn("failed to split key [", key, "], err: ", 
err)
+                    return
+                end
+
+                -- we only support two levels
+                if conf[res[1]] and conf[res[1]][res[2]] then
+                    local encrypted, err = apisix_ssl.aes_encrypt_pkey(
+                                           conf[res[1]][res[2]], 
"data_encrypt")
+                    if not encrypted then
+                        core.log.warn("failed to encrypt the conf of plugin 
[", name,
+                                      "] key [", key, "], err: ", err)
+                    else
+                        conf[res[1]][res[2]] = encrypted
+                    end
+                end
+            end
         end
     end
 end
 _M.encrypt_conf = encrypt_conf
 
 
+check_plugin_metadata = function(item)
+    local ok, err = check_single_plugin_schema(item.id, item,
+                                               core.schema.TYPE_METADATA, true)
+    if ok and enable_gde()then
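Review bot: In both encryption branches of `encrypt_conf`, a failed `aes_encrypt_pkey` call is only logged at warn level and the plaintext value stays in `conf`, so a field listed in `encrypt_fields` can presumably end up stored unencrypted with no signal to the caller. The function returns nothing on either path, so consider failing closed with `return nil, err` and having the callers reject the write; the callers are not visible in this hunk. The bare `return` after a failed `re_split` also exits the whole function, so every later entry in `encrypt_fields` is skipped and left in plaintext. The dotted branch should additionally check `#res == 2` and `type(conf[res[1]]) == "table"` before indexing, because a key with three segments currently has its second-level value encrypted silently and a non-table parent can raise at `conf[res[1]][res[2]]`. `check_plugin_metadata` continues past the end of the quoted hunk.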

Review Comment:
   done



##########
docs/en/latest/plugins/key-auth.md:
##########
@@ -41,8 +41,6 @@ For Consumer:
 |------|--------|-------------|----------------------------|
 | key  | string | required    | Unique key for a Consumer. |
 
-NOTE: The schema for `key` also defines `encrypted = true`, which means that 
the field will be stored encrypted in etcd. See [encrypted storage 
fields](../plugin-develop.md#encrypted-storage-fields).

Review Comment:
   type, fix it


