Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/12/12 06:35:40 UTC

[GitHub] [apisix] spacewander commented on a diff in pull request #8487: feat: data encryption support more plugins

spacewander commented on code in PR #8487:
URL: https://github.com/apache/apisix/pull/8487#discussion_r1045444109


##########
apisix/plugin.lua:
##########
@@ -903,19 +926,57 @@ _M.decrypt_conf = decrypt_conf
 local function encrypt_conf(name, conf, schema_type)
     local schema = get_plugin_schema_for_gde(name, schema_type)
     if not schema then
+        core.log.warn("failed to get schema for plugin: ", name)
         return
     end
 
-    for key, props in pairs(schema.properties) do
-        if props.type == "string" and props.encrypted and conf[key] then
-            local encrypted = apisix_ssl.aes_encrypt_pkey(conf[key], "data_encrypt")
-            conf[key] = encrypted
+    if schema.encrypt_fields and core.table.nkeys(schema.encrypt_fields) > 0 then
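Review bot: the removed loop only encrypted a field when `props.type == "string"` and `conf[key]` was set; the new `encrypt_fields` branch that starts at the last line of this hunk should keep an equivalent guard before calling `apisix_ssl.aes_encrypt_pkey`, otherwise a missing or non-string value (the nested `clickhouse.password` case from the docs hunk, for example) will be passed straight to the encryption routine. The added `core.log.warn("failed to get schema for plugin: ", name)` is a good addition, since silently returning here leaves the configuration stored unencrypted; consider stating that consequence in the message so operators reading the log know a secret may have been written in plaintext.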

Review Comment:
   Better to use `core.table.isempty`?



##########
docs/zh/latest/plugins/openid-connect.md:
##########
@@ -61,6 +61,8 @@ description: OpenID Connect(OIDC)是基于 OAuth 2.0 的身份认证协议
 | session                              | object  | 否     |                       |               | 当设置 bearer_only 为 false 时,openid-connect 插件将使用 Authorization Code 在 IDP 上进行认证,因此你必须设置 session 相关设置。 |
 | session.secret                       | string  | 是     | 自动生成               | 16 个以上字符  | 用于 session 加密和 HMAC 计算的密钥。 |
 
+NOTE: `encrypt_fields = {"client_secret"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields).
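Review bot: besides the language, the link target in this added line is wrong for the Chinese docs: `../plugin-develop.md#encrypted-storage-fields` is the anchor of the English heading, while the corresponding line added to the English doc in this PR uses `#加密存储字段`, so the two anchors appear to have been swapped along with the text. When the note is rewritten in Chinese, point it at the anchor generated by the Chinese `plugin-develop.md` heading, and verify both links resolve in the rendered docs.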

Review Comment:
   Let's use Chinese



##########
docs/en/latest/plugin-develop.md:
##########
@@ -300,13 +300,21 @@ Specify the parameters to be stored encrypted. (Requires APISIX version >= 3.1.0
 Some plugins require parameters to be stored encrypted, such as the `password` parameter of the `basic-auth` plugin. This plugin needs to specify in the `schema` which parameters need to be stored encrypted.
 
 ```lua
-password = { type = "string", encrypted = true },
+encrypt_fields = {"password"}
 ```
 
-Parameters can be stored encrypted by specifying `encrypted = true` in the `schema`. APISIX will provide the following functionality.
+If it is a nested parameter, such as the `clickhouse.password` parameter of the `error-log-logger` plugin, it needs to be separated by `.`:
 
-- When adding and updating resources via the `Admin API`, APISIX automatically encrypts parameters with `encrypted = true` and stores them in etcd
-- When fetching resources via the `Admin API` and when running the plugin, APISIX automatically decrypts the `encrypted = true` parameter
+```lua
+encrypt_fields = {"clickhouse.password"}
+```
+
+Currently only two levels of nesting are supported.
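Review bot: the two bullets removed at the top of this hunk ("When adding and updating resources via the `Admin API`, APISIX automatically encrypts ..." and "When fetching resources via the `Admin API` and when running the plugin, APISIX automatically decrypts ...") are not replaced by anything, so the section no longer says when encryption and decryption actually happen. Please restore them with `encrypt_fields` in place of `encrypted = true`; plugin authors need to know that the value is encrypted only on the Admin API write path and is transparently decrypted on read and at runtime. The sentence "Currently only two levels of nesting are supported." should also spell out that a field inside an array element cannot be listed in `encrypt_fields`.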

Review Comment:
   Let's make it clear that we don't support fields in array



##########
docs/en/latest/plugins/openid-connect.md:
##########
@@ -61,6 +61,8 @@ description: OpenID Connect allows the client to obtain user information from th
 | session                              | object  | False    |                       |              | When bearer_only is set to false, openid-connect will use Authorization Code flow to authenticate on the IDP, so you need to set the session-related configuration. |
 | session.secret                       | string  | True     | Automatic generation  | 16 or more characters | The key used for session encrypt and HMAC operation. |
 
+注意:schema 中还定义了 `encrypt_fields = {"client_secret"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。
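Review bot: in addition to being in Chinese, this added line links to `../plugin-develop.md#加密存储字段`, which is the anchor of the Chinese heading; the English `plugin-develop.md` in this same PR carries the "encrypted storage fields" section, so once the note is rewritten in English the link should use `#encrypted-storage-fields` (the anchor that, conversely, was placed in the Chinese doc). It would also help users to state here that `client_secret` is encrypted only at rest in etcd and is still returned in plaintext by the Admin API, as the plugin-develop section describes.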

Review Comment:
   Let's use English



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org