This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 92b9bde fix: PATCH ssl should encrypt key (#3986)
92b9bde is described below
commit 92b9bde8ee047c4507be80452e4b907821455619
Author: 罗泽轩 <[email protected]>
AuthorDate: Wed Apr 7 01:10:18 2021 +0800
fix: PATCH ssl should encrypt key (#3986)
---
apisix/admin/ssl.lua | 18 +++++++++++++
t/admin/ssl2.t | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 90 insertions(+)
diff --git a/apisix/admin/ssl.lua b/apisix/admin/ssl.lua
index 3a6136e..943c4bd 100644
--- a/apisix/admin/ssl.lua
+++ b/apisix/admin/ssl.lua
@@ -207,12 +207,30 @@ function _M.patch(id, conf, sub_path)
local modified_index = res_old.body.node.modifiedIndex
if sub_path and sub_path ~= "" then
+ if sub_path == "key" then
+ conf = apisix_ssl.aes_encrypt_pkey(conf)
+ elseif sub_path == "keys" then
+ for i = 1, #conf do
+ conf[i] = apisix_ssl.aes_encrypt_pkey(conf[i])
+ end
+ end
+
local code, err, node_val = core.table.patch(node_value, sub_path,
conf)
node_value = node_val
if code then
return code, err
end
else
+ if conf.key then
+ conf.key = apisix_ssl.aes_encrypt_pkey(conf.key)
+ end
+
+ if conf.keys then
+ for i = 1, #conf.keys do
+ conf.keys[i] = apisix_ssl.aes_encrypt_pkey(conf.keys[i])
+ end
+ end
+
node_value = core.table.merge(node_value, conf);
end
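Review bot: In the `sub_path` branch the private key is encrypted only when `sub_path` is exactly `"key"` or `"keys"`, so any other path that reaches a key value would be stored as plaintext. How `core.table.patch` resolves paths is not visible here, but if it accepts a nested path addressing one array element, that case needs its own branch, for example `elseif sub_path:find("^keys/%d+$") then conf = apisix_ssl.aes_encrypt_pkey(conf)`. The `"keys"` branch also assumes `conf` is an array of strings; a guard such as `if type(conf) ~= "table" then return 400, {error_msg = "keys must be an array"} end` before the loop would turn a malformed body into a client error rather than a runtime error on `conf[i] = ...`. `_M.patch` starts and ends outside this hunk, so whether schema validation already runs before this point cannot be confirmed from here. A short comment above both branches, e.g. `-- private keys must be encrypted before they are merged into the stored node`, would make it clear to future editors that every new key-bearing path needs the same treatment.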
diff --git a/t/admin/ssl2.t b/t/admin/ssl2.t
index 671bd2f..db9c631 100644
--- a/t/admin/ssl2.t
+++ b/t/admin/ssl2.t
@@ -408,3 +408,75 @@ wzarryret/7GFW1/3cz+hTj9/d45i25zArr3Pocfpur5mfz3fJO8jg==
}
--- response_body_like eval
qr/"snis":\["update1.com","update2.com"\]/
+
+
+
+=== TEST 12: PATCH encrypt ssl key
+--- yaml_config
+apisix:
+ node_listen: 1984
+ admin_key: null
+ ssl:
+ key_encrypt_salt: "edd1c9f0985e76a2"
+--- config
+ location /t {
+ content_by_lua_block {
+ local json = require("toolkit.json")
+ local t = require("lib.test_admin")
+
+ local ssl_cert = t.read_file("t/certs/apisix.crt")
+ local ssl_key = t.read_file("t/certs/apisix.key")
+ local data = {cert = ssl_cert, key = ssl_key, certs = {ssl_cert},
keys = {ssl_key}}
+ local code, message, res = t.test('/apisix/admin/ssl/1',
+ ngx.HTTP_PATCH,
+ json.encode(data)
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ ngx.say(message)
+ return
+ end
+
+ res = json.decode(res)
+ ngx.say(res.node.value.key == ssl_key)
+ ngx.say(res.node.value.keys[1] == ssl_key)
+ }
+ }
+--- response_body
+false
+false
+
+
+
+=== TEST 13: PATCH encrypt ssl key, sub_path
+--- yaml_config
+apisix:
+ node_listen: 1984
+ admin_key: null
+ ssl:
+ key_encrypt_salt: "edd1c9f0985e76a2"
+--- config
+ location /t {
+ content_by_lua_block {
+ local json = require("toolkit.json")
+ local t = require("lib.test_admin")
+
+ local ssl_key = t.read_file("t/certs/apisix.key")
+ local code, message, res = t.test('/apisix/admin/ssl/1/keys',
+ ngx.HTTP_PATCH,
+ json.encode({ssl_key})
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ ngx.say(message)
+ return
+ end
+
+ res = json.decode(res)
+ ngx.say(res.node.value.keys[1] == ssl_key)
+ }
+ }
+--- response_body
+false
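Review bot: TEST 12 and TEST 13 only assert that the returned value is not equal to the plaintext key, so a `nil` or otherwise corrupted `key` field would also print `false` and pass. Adding a positive check such as `ngx.say(type(res.node.value.key) == "string" and #res.node.value.key > 0)` would pin that something usable was stored. The `sub_path == "key"` branch added in `apisix/admin/ssl.lua` has no test here; a third case that PATCHes `'/apisix/admin/ssl/1/key'` with `json.encode(ssl_key)` and expects `false` would cover it.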