nic-6443 opened a new pull request, #13564: URL: https://github.com/apache/apisix/pull/13564
fix: remove redundant "base64 decode ssl key failed" error log

### Description

`aes_decrypt_pkey()` in `apisix/ssl.lua` is used for two things: decrypting SSL private keys, and decrypting any plugin field listed in a plugin's `encrypt_fields` (through `plugin.process_encrypt_field()`). When base64 decode fails it both logs `base64 decode ssl key failed` at **error** level and returns that same string to the caller. But every caller already logs the returned error with proper context — `validate()` / `parse_pem_priv_key()` on the SSL path, and `process_encrypt_field()` (which includes the plugin name and key path) on the encrypt_fields path. So the internal log is redundant.

It is also misleading on the encrypt_fields path: the value being decoded is a plugin field, not an SSL key, yet the log says "ssl key". This is easy to trigger — add a field to a plugin's `encrypt_fields`, and any existing config that still stores that field as plaintext will fail to base64-decode on load, flooding `error.log` with confusing `base64 decode ssl key failed` lines that point at the wrong subsystem.

This removes the redundant internal log and lets the callers report the error (they already do, with context). The returned error string is unchanged, so caller behavior is the same.

### Test

Added a case in `t/node/data_encrypt3.t` that decrypts a non-base64 value and asserts the error is still returned to the caller but no longer written to `error.log`. It fails before this change and passes after.

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible

--
This is an automated message from the Apache Git Service.
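An added example, not part of the pull request or of APISIX: an offline check for the situation the description mentions, where a field newly listed in `encrypt_fields` is still stored as plaintext and will fail to base64-decode on load. The plugin name, the dotted field paths, the helper names and the sample values are constructed assumptions, and Python's strict decoder stands in for the runtime's decode step.

```python
import base64
import binascii


def get_path(conf, dotted):
    """Follow a dotted key path (assumed form, e.g. "upstream.token") into a dict."""
    node = conf
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def is_base64(value):
    """Strict base64 check; approximates the decode that fails on load."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def find_plaintext_fields(plugins, encrypt_fields):
    """Return (plugin, path) pairs whose stored value will not base64-decode."""
    findings = []
    for name, conf in plugins.items():
        for path in encrypt_fields.get(name, []):
            value = get_path(conf, path)
            if isinstance(value, str) and value and not is_base64(value):
                findings.append((name, path))
    return findings


# Constructed sample data: a hypothetical plugin with two encrypted fields.
SAMPLE_ENCRYPT_FIELDS = {"example-auth": ["password", "upstream.token"]}
SAMPLE_PLUGINS = {
    "example-auth": {
        "username": "svc",
        "password": "s3cret!value",  # still plaintext: '!' is not base64
        # Stand-in for a stored ciphertext: 16 zero bytes, base64-encoded.
        "upstream": {"token": base64.b64encode(b"\x00" * 16).decode()},
    },
}

if __name__ == "__main__":
    for plugin, path in find_plaintext_fields(SAMPLE_PLUGINS, SAMPLE_ENCRYPT_FIELDS):
        print(f"{plugin}: field '{path}' is not base64 and would fail to decode")
```

A plaintext value that happens to use only base64 characters, such as `password`, passes this check, so a clean result does not prove every field is encrypted.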
