Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support more sensitive fields for encryption #11095

Merged
merged 15 commits into from
Mar 29, 2024
Merged

feat: support more sensitive fields for encryption #11095

merged 15 commits into from
Mar 29, 2024

Conversation

shreemaan-abhishek
Copy link
Contributor

@shreemaan-abhishek shreemaan-abhishek commented Mar 27, 2024
edited
Loading

Description

Some sensitive plugin fields aren't under the protection of encrypt_fields feature. It has been addressed in this PR.

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@shreemaan-abhishek shreemaan-abhishek marked this pull request as ready for review March 27, 2024 08:02
starsz
starsz reviewed Mar 27, 2024
View reviewed changes
@shreemaan-abhishek shreemaan-abhishek mentioned this pull request Mar 28, 2024
Open
starsz
starsz reviewed Mar 28, 2024
View reviewed changes
apisix/plugins/jwe-decrypt.lua
end

local encrypted = core.table.try_read_attr(local_conf, "apisix", "data_encryption",
"enable_encrypt_fields") and (core.config.type == "etcd")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need to add this ?
I think the check_schema is run before the fields encrypted.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if data encryption is enabled then the secret length will be more than 32. So we should not check the length if data encryption is on.

I think the check_schema is run before the fields encrypted.

yes. This is why we cannot use the code in plugin.lua, so I just copied the logic 😅

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if data encryption is enabled then the secret length will be more than 32.

Why the secret length will be more than 32. Is the secret is encrypted?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, exactly.

@shreemaan-abhishek shreemaan-abhishek merged commit a7a5a2b into apache:master Mar 29, 2024
59 checks passed
@shreemaan-abhishek shreemaan-abhishek deleted the feat/add-more branch March 29, 2024 04:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@starsz starsz starsz approved these changes

@moonming moonming moonming approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@shreemaan-abhishek @starsz @moonming