feat: enable sensitive fields encryption by default (#11076)

apisix/plugin.lua

@@ -907,7 +907,7 @@ local function enable_gde()
     if enable_data_encryption == nil then
         enable_data_encryption =
             core.table.try_read_attr(local_conf, "apisix", "data_encryption",
-                    "enable_encrypt_fields")
+                    "enable_encrypt_fields") and (core.config.type == "etcd")
         _M.enable_data_encryption = enable_data_encryption
     end
 

conf/config-default.yaml

@@ -118,7 +118,7 @@ apisix:
   disable_sync_configuration_during_start: false  # Safe exit. TO BE REMOVED.
 
   data_encryption:                # Data encryption settings.
-    enable_encrypt_fields: false  # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema.
+    enable_encrypt_fields: true   # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema.
     keyring:                      # This field is used to encrypt the private key of SSL and the `encrypt_fields`
                                   # in plugin schema.
       - qeddd145sfvddff3          # Set the encryption key for AES-128-CBC. It should be a hexadecimal string

t/admin/consumers.t

@@ -87,7 +87,7 @@ passed
                         "desc": "new consumer",
                         "plugins": {
                             "key-auth": {
-                                "key": "auth-one"
+                                "key": "4y+JvURBE6ZwRbbgaryrhg=="
                             }
                         }
                     },

t/node/chash-hashon.t

@@ -55,7 +55,7 @@ __DATA__
                         "username": "jack",
                         "plugins": {
                             "key-auth": {
-                                "key": "auth-jack"
+                                "key": "re62sf0vRJqOBjvJJ6RUcA=="
                             }
                         }
                     }
@@ -83,7 +83,7 @@ __DATA__
                         "username": "tom",
                         "plugins": {
                             "key-auth": {
-                                "key": "auth-tom"
+                                "key": "RAL/niDfEUpx+ynsoqWDuA=="
                             }
                         }
                     }

t/plugin/error-log-logger-clickhouse.t

@@ -98,7 +98,7 @@ done
 --- error_log
 this is a warning message for test2
 clickhouse body: INSERT INTO t FORMAT JSONEachRow
-clickhouse headers: x-clickhouse-key:a
+clickhouse headers: x-clickhouse-key:dpwomMlEsHH2L7wSUi6YiQ==
 clickhouse headers: x-clickhouse-user:default
 clickhouse headers: x-clickhouse-database:default
 --- wait: 3
@@ -133,7 +133,7 @@ clickhouse headers: x-clickhouse-database:default
 --- error_log
 this is a warning message for test3
 clickhouse body: INSERT INTO t FORMAT JSONEachRow
-clickhouse headers: x-clickhouse-key:a
+clickhouse headers: x-clickhouse-key:dpwomMlEsHH2L7wSUi6YiQ==
 clickhouse headers: x-clickhouse-user:default
 clickhouse headers: x-clickhouse-database:default
 --- wait: 5

t/plugin/key-auth.t

@@ -23,6 +23,19 @@ use t::APISIX 'no_plan';
 repeat_each(2);
 no_long_string();
 no_root_location();
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    my $user_yaml_config = <<_EOC_;
+apisix:
+  data_encryption:
+    enable_encrypt_fields: false
+_EOC_
+    $block->set_value("yaml_config", $user_yaml_config);
+});
+
+
 run_tests;
 
 __DATA__