From cca94f103cf2c3fba80ddb0795a9d1bb8c1bce08 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 28 Mar 2024 12:39:43 +0545 Subject: [PATCH] feat: enable sensitive fields encryption by default (#11076) --- apisix/plugin.lua | 2 +- conf/config-default.yaml | 2 +- t/admin/consumers.t | 2 +- t/node/chash-hashon.t | 4 ++-- t/plugin/error-log-logger-clickhouse.t | 4 ++-- t/plugin/key-auth.t | 13 +++++++++++++ 6 files changed, 20 insertions(+), 7 deletions(-) diff --git a/apisix/plugin.lua b/apisix/plugin.lua index 3d1256609390..c6d1232ff6fa 100644 --- a/apisix/plugin.lua +++ b/apisix/plugin.lua @@ -907,7 +907,7 @@ local function enable_gde() if enable_data_encryption == nil then enable_data_encryption = core.table.try_read_attr(local_conf, "apisix", "data_encryption", - "enable_encrypt_fields") + "enable_encrypt_fields") and (core.config.type == "etcd") _M.enable_data_encryption = enable_data_encryption end diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 8c1f941a3e63..d22dcdb24260 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -118,7 +118,7 @@ apisix: disable_sync_configuration_during_start: false # Safe exit. TO BE REMOVED. data_encryption: # Data encryption settings. - enable_encrypt_fields: false # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema. + enable_encrypt_fields: true # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema. keyring: # This field is used to encrypt the private key of SSL and the `encrypt_fields` # in plugin schema. - qeddd145sfvddff3 # Set the encryption key for AES-128-CBC. It should be a hexadecimal string diff --git a/t/admin/consumers.t b/t/admin/consumers.t index 916f2a960bb9..e544bd165d97 100644 --- a/t/admin/consumers.t +++ b/t/admin/consumers.t @@ -87,7 +87,7 @@ passed "desc": "new consumer", "plugins": { "key-auth": { - "key": "auth-one" + "key": "4y+JvURBE6ZwRbbgaryrhg==" } } }, 
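Review bot: In apisix/plugin.lua (`enable_gde`), the added `and (core.config.type == "etcd")` turns field encryption off for every non-etcd config provider without telling the operator. A deployment that sets `enable_encrypt_fields: true` can therefore still hold its plugin secrets in plaintext. A comment stating why non-etcd providers are excluded would help, together with a warning logged inside the existing `if enable_data_encryption == nil then` branch, e.g. `core.log.warn("data_encryption.enable_encrypt_fields is ignored: config provider is not etcd")`. The function body continues outside the hunk, so where the cached value is consumed is not visible here.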
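Review bot: In conf/config-default.yaml, flipping `enable_encrypt_fields` to `true` makes the sample `keyring` entry just below it (`qeddd145sfvddff3`) the effective key for every installation that keeps the defaults, and that value is published with the file. Encryption under a publicly known key gives stored secrets little protection, so the comment on this line should say so, e.g. `# Enabled by default; replace the keyring entry below before storing real credentials.` It would also help to document how values written in plaintext before an upgrade are treated once the default changes; that path is not visible in this hunk.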
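Review bot: The expected `key` in t/admin/consumers.t, and likewise the two in t/node/chash-hashon.t, is now an opaque base64 string that only holds for the default keyring, and nothing nearby records which plaintext it stands for. A comment above each affected test block naming the plaintext (`auth-one`, `auth-jack`, `auth-tom`) and the keyring it was produced with would keep these fixtures reviewable when the key or cipher changes. That a fixed ciphertext can be asserted at all suggests the encryption is deterministic for a given key, which would let anyone with read access to the store see when two consumers share a credential. That is worth confirming against the encryption helper, which is outside this diff.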
diff --git a/t/node/chash-hashon.t b/t/node/chash-hashon.t index b5f3ae18c27a..7329332e3ffa 100644 --- a/t/node/chash-hashon.t +++ b/t/node/chash-hashon.t @@ -55,7 +55,7 @@ __DATA__ "username": "jack", "plugins": { "key-auth": { - "key": "auth-jack" + "key": "re62sf0vRJqOBjvJJ6RUcA==" } } } @@ -83,7 +83,7 @@ __DATA__ "username": "tom", "plugins": { "key-auth": { - "key": "auth-tom" + "key": "RAL/niDfEUpx+ynsoqWDuA==" } } } diff --git a/t/plugin/error-log-logger-clickhouse.t b/t/plugin/error-log-logger-clickhouse.t index 91ef60b187d5..6846f6ef1d24 100644 --- a/t/plugin/error-log-logger-clickhouse.t +++ b/t/plugin/error-log-logger-clickhouse.t @@ -98,7 +98,7 @@ done --- error_log this is a warning message for test2 clickhouse body: INSERT INTO t FORMAT JSONEachRow -clickhouse headers: x-clickhouse-key:a +clickhouse headers: x-clickhouse-key:dpwomMlEsHH2L7wSUi6YiQ== clickhouse headers: x-clickhouse-user:default clickhouse headers: x-clickhouse-database:default --- wait: 3 @@ -133,7 +133,7 @@ clickhouse headers: x-clickhouse-database:default --- error_log this is a warning message for test3 clickhouse body: INSERT INTO t FORMAT JSONEachRow -clickhouse headers: x-clickhouse-key:a +clickhouse headers: x-clickhouse-key:dpwomMlEsHH2L7wSUi6YiQ== clickhouse headers: x-clickhouse-user:default clickhouse headers: x-clickhouse-database:default --- wait: 5 diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index 138f1d647124..f68fe3088f4d 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t @@ -23,6 +23,19 @@ use t::APISIX 'no_plan'; repeat_each(2); no_long_string(); no_root_location(); + +add_block_preprocessor(sub { + my ($block) = @_; + + my $user_yaml_config = <<_EOC_; +apisix: + data_encryption: + enable_encrypt_fields: false +_EOC_ + $block->set_value("yaml_config", $user_yaml_config); +}); + + run_tests; __DATA__
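Review bot: In t/plugin/error-log-logger-clickhouse.t both hunks change the expected log line from `x-clickhouse-key:a` to `x-clickhouse-key:dpwomMlEsHH2L7wSUi6YiQ==`, which reads as the plugin now sending the encrypted form of the password in the request header instead of the configured value. If that is what happens, authentication against a real ClickHouse would presumably fail under the new default, and these expectations pin a regression rather than the intended behaviour. The plugin code is not in this diff, so this needs confirming there. If it is confirmed, the value should be decrypted before the header is built and the expectation kept at `x-clickhouse-key:a`.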
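Review bot: The preprocessor added to t/plugin/key-auth.t sets `yaml_config` on every block unconditionally, so a block that defines its own `yaml_config` would be silently overridden. The key-auth suite also now runs only with encryption switched off, leaving the new default untested for a plugin whose `key` field is shown encrypted in the other updated tests. Guarding the assignment keeps per-block configuration working: `if (!defined $block->yaml_config) { $block->set_value("yaml_config", $user_yaml_config); }`. A short comment above the heredoc saying why encryption is disabled for this file would also help.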