feat: data encryption support more plugins (#8487)

Fixes #8407

Author: tzssangglass

apisix/admin/init.lua

@@ -204,6 +204,8 @@ local function run()
         if method == "get" and plugin.enable_data_encryption then
             if seg_res == "consumers" then
                 utils.decrypt_params(plugin.decrypt_conf, data, core.schema.TYPE_CONSUMER)
+            elseif seg_res == "plugin_metadata" then
+                utils.decrypt_params(plugin.decrypt_conf, data, core.schema.TYPE_METADATA)
             else
                 utils.decrypt_params(plugin.decrypt_conf, data)
             end

apisix/admin/plugin_metadata.lua

@@ -18,6 +18,7 @@ local pcall   = pcall
 local require = require
 local core    = require("apisix.core")
 local utils   = require("apisix.admin.utils")
+local encrypt_conf = require("apisix.plugin").encrypt_conf
 
 local injected_mark = "injected metadata_schema"
 local _M = {
@@ -73,6 +74,8 @@ local function check_conf(plugin_name, conf)
         ok, err = plugin_object.check_schema(conf, core.schema.TYPE_METADATA)
     end
 
+    encrypt_conf(plugin_name, conf, core.schema.TYPE_METADATA)
+
     if not ok then
         return nil, {error_msg = "invalid configuration: " .. err}
     end

apisix/admin/utils.lua

@@ -102,6 +102,12 @@ function _M.decrypt_params(decrypt_func, body, schema_type)
             decrypt_func(name, conf, schema_type)
         end
     end
+
+    -- metadata
+    if schema_type == core.schema.TYPE_METADATA then
+        local conf = body.node and body.node.value
+        decrypt_func(conf.name, conf, schema_type)
+    end
 end
 
 return _M

apisix/plugin.lua

@@ -21,6 +21,7 @@ local enable_debug  = require("apisix.debug").enable_debug
 local wasm          = require("apisix.wasm")
 local expr          = require("resty.expr.v1")
 local apisix_ssl    = require("apisix.ssl")
+local re_split      = require("ngx.re").split
 local ngx           = ngx
 local crc32         = ngx.crc32_short
 local ngx_exit      = ngx.exit
@@ -844,12 +845,6 @@ local function check_single_plugin_schema(name, plugin_conf, schema_type, skip_d
 end
 
 
-check_plugin_metadata = function(item)
-    return check_single_plugin_schema(item.id, item,
-        core.schema.TYPE_METADATA, true)
-end
-
-
 local enable_data_encryption
 local function enable_gde()
     if enable_data_encryption == nil then
@@ -868,9 +863,15 @@ local function get_plugin_schema_for_gde(name, schema_type)
     end
 
     local plugin_schema = local_plugins_hash and local_plugins_hash[name]
+    if not plugin_schema then
+        return nil
+    end
+
     local schema
     if schema_type == core.schema.TYPE_CONSUMER then
         schema = plugin_schema.consumer_schema
+    elseif schema_type == core.schema.TYPE_METADATA then
+        schema = plugin_schema.metadata_schema
     else
         schema = plugin_schema.schema
     end
@@ -882,17 +883,39 @@ end
 local function decrypt_conf(name, conf, schema_type)
     local schema = get_plugin_schema_for_gde(name, schema_type)
     if not schema then
+        core.log.warn("failed to get schema for plugin: ", name)
         return
     end
 
-    for key, props in pairs(schema.properties) do
-        if props.type == "string" and props.encrypted and conf[key] then
-            local encrypted, err = apisix_ssl.aes_decrypt_pkey(conf[key], "data_encrypt")
-            if not encrypted then
-                core.log.warn("failed to decrypt the conf of plugin [", name,
-                               "] key [", key, "], err: ", err)
-            else
-                conf[key] = encrypted
+    if schema.encrypt_fields and not core.table.isempty(schema.encrypt_fields) then
+        for _, key in ipairs(schema.encrypt_fields) do
+            if conf[key] then
+                local decrypted, err = apisix_ssl.aes_decrypt_pkey(conf[key], "data_encrypt")
+                if not decrypted then
+                    core.log.warn("failed to decrypt the conf of plugin [", name,
+                                  "] key [", key, "], err: ", err)
+                else
+                    conf[key] = decrypted
+                end
+            elseif core.string.find(key, ".") then
+                -- decrypt fields has indents
+                local res, err = re_split(key, "\\.", "jo")
+                if not res then
+                    core.log.warn("failed to split key [", key, "], err: ", err)
+                    return
+                end
+
+                -- we only support two levels
+                if conf[res[1]] and conf[res[1]][res[2]] then
+                    local decrypted, err = apisix_ssl.aes_decrypt_pkey(
+                                           conf[res[1]][res[2]], "data_encrypt")
+                    if not decrypted then
+                        core.log.warn("failed to decrypt the conf of plugin [", name,
+                                      "] key [", key, "], err: ", err)
+                    else
+                        conf[res[1]][res[2]] = decrypted
+                    end
+                end
             end
         end
     end
@@ -903,19 +926,57 @@ _M.decrypt_conf = decrypt_conf
 local function encrypt_conf(name, conf, schema_type)
     local schema = get_plugin_schema_for_gde(name, schema_type)
     if not schema then
+        core.log.warn("failed to get schema for plugin: ", name)
         return
     end
 
-    for key, props in pairs(schema.properties) do
-        if props.type == "string" and props.encrypted and conf[key] then
-            local encrypted = apisix_ssl.aes_encrypt_pkey(conf[key], "data_encrypt")
-            conf[key] = encrypted
+    if schema.encrypt_fields and not core.table.isempty(schema.encrypt_fields) then
+        for _, key in ipairs(schema.encrypt_fields) do
+            if conf[key] then
+                local encrypted, err = apisix_ssl.aes_encrypt_pkey(conf[key], "data_encrypt")
+                if not encrypted then
+                    core.log.warn("failed to encrypt the conf of plugin [", name,
+                                  "] key [", key, "], err: ", err)
+                else
+                    conf[key] = encrypted
+                end
+            elseif core.string.find(key, ".") then
+                -- encrypt fields has indents
+                local res, err = re_split(key, "\\.", "jo")
+                if not res then
+                    core.log.warn("failed to split key [", key, "], err: ", err)
+                    return
+                end
+
+                -- we only support two levels
+                if conf[res[1]] and conf[res[1]][res[2]] then
+                    local encrypted, err = apisix_ssl.aes_encrypt_pkey(
+                                           conf[res[1]][res[2]], "data_encrypt")
+                    if not encrypted then
+                        core.log.warn("failed to encrypt the conf of plugin [", name,
+                                      "] key [", key, "], err: ", err)
+                    else
+                        conf[res[1]][res[2]] = encrypted
+                    end
+                end
+            end
         end
     end
 end
 _M.encrypt_conf = encrypt_conf
 
 
+check_plugin_metadata = function(item)
+    local ok, err = check_single_plugin_schema(item.id, item,
+                                               core.schema.TYPE_METADATA, true)
+    if ok and enable_gde() then
+        decrypt_conf(item.name, item, core.schema.TYPE_METADATA)
+    end
+
+    return ok, err
+end
+
+
 local function check_schema(plugins_conf, schema_type, skip_disabled_plugin)
     for name, plugin_conf in pairs(plugins_conf) do
         local ok, err = check_single_plugin_schema(name, plugin_conf,

apisix/plugins/authz-casdoor.lua

@@ -32,6 +32,7 @@ local schema = {
         client_secret = {type = "string"},
         callback_url = {type = "string", pattern = "^[^%?]+[^/]$"}
     },
+    encrypt_fields = {"client_secret"},
     required = {
         "callback_url", "endpoint_addr", "client_id", "client_secret"
     }

apisix/plugins/authz-keycloak.lua

@@ -71,6 +71,7 @@ local schema = {
             maxLength = 4096
         },
     },
+    encrypt_fields = {"client_secret"},
     required = {"client_id"},
     allOf = {
         -- Require discovery or token endpoint.

apisix/plugins/basic-auth.lua

@@ -38,8 +38,9 @@ local consumer_schema = {
     title = "work with consumer object",
     properties = {
         username = { type = "string" },
-        password = { type = "string", encrypted = true },
+        password = { type = "string" },
     },
+    encrypt_fields = {"password"},
     required = {"username", "password"},
 }
 

apisix/plugins/clickhouse-logger.lua

@@ -36,7 +36,7 @@ local schema = {
         endpoint_addr = core.schema.uri_def,
         endpoint_addrs = {items = core.schema.uri_def, type = "array", minItems = 1},
         user = {type = "string", default = ""},
-        password = {type = "string", default = "", encrypted = true},
+        password = {type = "string", default = ""},
         database = {type = "string", default = ""},
         logtable = {type = "string", default = ""},
         timeout = {type = "integer", minimum = 1, default = 3},
@@ -47,6 +47,7 @@ local schema = {
         {required = {"endpoint_addr", "user", "password", "database", "logtable"}},
         {required = {"endpoint_addrs", "user", "password", "database", "logtable"}}
     },
+    encrypt_fields = {"password"},
 }
 
 

apisix/plugins/csrf.lua

@@ -44,6 +44,7 @@ local schema = {
             default = "apisix-csrf-token"
         }
     },
+    encrypt_fields = {"key"},
     required = {"key"}
 }
 

apisix/plugins/elasticsearch-logger.lua

@@ -67,6 +67,7 @@ local schema = {
             default = true
         }
     },
+    encrypt_fields = {"auth.password"},
     required = { "endpoint_addr", "field" },
 }