diff --git a/apisix/cli/file.lua b/apisix/cli/file.lua index 94e790db65e3..88d0522a7e77 100644 --- a/apisix/cli/file.lua +++ b/apisix/cli/file.lua @@ -175,7 +175,7 @@ local function path_is_multi_type(path, type_val) return true end - if path == "apisix->ssl->key_encrypt_salt" then + if path == "apisix->data_encryption->keyring" then return true end diff --git a/apisix/cli/schema.lua b/apisix/cli/schema.lua index 6f6450b46e0c..836b88f6965a 100644 --- a/apisix/cli/schema.lua +++ b/apisix/cli/schema.lua @@ -224,7 +224,12 @@ local config_schema = { } } }, - key_encrypt_salt = { + } + }, + data_encryption = { + type = "object", + properties = { + keyring = { anyOf = { { type = "array", diff --git a/apisix/plugin.lua b/apisix/plugin.lua index b5da3f2163d5..3d1256609390 100644 --- a/apisix/plugin.lua +++ b/apisix/plugin.lua @@ -906,7 +906,8 @@ local enable_data_encryption local function enable_gde() if enable_data_encryption == nil then enable_data_encryption = - core.table.try_read_attr(local_conf, "apisix", "data_encryption", "enable") + core.table.try_read_attr(local_conf, "apisix", "data_encryption", + "enable_encrypt_fields") _M.enable_data_encryption = enable_data_encryption end diff --git a/apisix/ssl.lua b/apisix/ssl.lua index e14c92fc3c41..60ea0078c5bb 100644 --- a/apisix/ssl.lua +++ b/apisix/ssl.lua @@ -90,17 +90,6 @@ local function init_iv_tbl(ivs) end -local _aes_128_cbc_with_iv_tbl_ssl -local function get_aes_128_cbc_with_iv_ssl(local_conf) - if _aes_128_cbc_with_iv_tbl_ssl == nil then - local ivs = core.table.try_read_attr(local_conf, "apisix", "ssl", "key_encrypt_salt") - _aes_128_cbc_with_iv_tbl_ssl = init_iv_tbl(ivs) - end - - return _aes_128_cbc_with_iv_tbl_ssl -end - - local _aes_128_cbc_with_iv_tbl_gde local function get_aes_128_cbc_with_iv_gde(local_conf) if _aes_128_cbc_with_iv_tbl_gde == nil then 
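Review bot: In the plugin.lua hunk, enable_gde now reads `data_encryption.enable_encrypt_fields`, so a deployed config.yaml that still says `data_encryption.enable: true` yields nil here and field encryption turns off silently — from then on new plugin secrets are written to etcd in plaintext while the operator believes the opposite. The same silent downgrade applies to a leftover `ssl.key_encrypt_salt`, which path_is_multi_type and the config schema no longer recognise; whether the CLI schema rejects unknown keys is not visible in this diff, so the retired keys should be refused explicitly rather than ignored. A minimal guard inside enable_gde would be `if core.table.try_read_attr(local_conf, "apisix", "data_encryption", "enable") ~= nil then` / `error("apisix.data_encryption.enable was renamed to enable_encrypt_fields; refusing to run with field encryption silently disabled")` / `end`, though a schema-level rejection in cli/schema.lua is the better home. The closing `end` of enable_gde lies past the hunk.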
@@ -125,43 +114,31 @@ end function _M.aes_encrypt_pkey(origin, field) local local_conf = core.config.local_conf() + local aes_128_cbc_with_iv_tbl_gde = get_aes_128_cbc_with_iv_gde(local_conf) + local aes_128_cbc_with_iv_gde = aes_128_cbc_with_iv_tbl_gde[1] if not field then - -- default used by ssl - local aes_128_cbc_with_iv_tbl_ssl = get_aes_128_cbc_with_iv_ssl(local_conf) - local aes_128_cbc_with_iv_ssl = aes_128_cbc_with_iv_tbl_ssl[1] - if aes_128_cbc_with_iv_ssl ~= nil and core.string.has_prefix(origin, "---") then - return encrypt(aes_128_cbc_with_iv_ssl, origin) + if aes_128_cbc_with_iv_gde ~= nil and core.string.has_prefix(origin, "---") then + return encrypt(aes_128_cbc_with_iv_gde, origin) end else if field == "data_encrypt" then - local aes_128_cbc_with_iv_tbl_gde = get_aes_128_cbc_with_iv_gde(local_conf) - local aes_128_cbc_with_iv_gde = aes_128_cbc_with_iv_tbl_gde[1] if aes_128_cbc_with_iv_gde ~= nil then return encrypt(aes_128_cbc_with_iv_gde, origin) end end end - return origin end local function aes_decrypt_pkey(origin, field) - local local_conf = core.config.local_conf() - local aes_128_cbc_with_iv_tbl - - if not field then - if core.string.has_prefix(origin, "---") then - return origin - end - aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_ssl(local_conf) - else - if field == "data_encrypt" then - aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_gde(local_conf) - end + if not field and core.string.has_prefix(origin, "---") then + return origin end + local local_conf = core.config.local_conf() + local aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_gde(local_conf) if #aes_128_cbc_with_iv_tbl == 0 then return origin end diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 6ab8db8aa608..94367a8687dd 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml 
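Review bot: After this hunk aes_decrypt_pkey no longer distinguishes `field` values: any non-nil field, not just `"data_encrypt"`, is run through the shared GDE keyring, while aes_encrypt_pkey above still encrypts only when `field == "data_encrypt"` and otherwise returns the plaintext unchanged. A caller passing any other field name will therefore store plaintext and then try to decrypt it on read; whether `decrypt` tolerates non-ciphertext input is not visible here, and the empty-keyring branch hands a stored ciphertext straight back as if it were the key, so the contract deserves to be written down. I would add above aes_decrypt_pkey: `-- field == nil: SSL private key; PEM input ("---" prefix) is returned as-is.` / `-- Any other field is decrypted with data_encryption.keyring; an empty keyring passes the stored value through untouched, so a removed keyring surfaces as a downstream TLS/plugin failure, not here.` The loop that walks the keyring lies past the end of the hunk.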
@@ -108,16 +108,6 @@ apisix: # Disabled by default because it renders Perfect Forward Secrecy (FPS) # useless. See https://github.com/mozilla/server-side-tls/issues/135. - key_encrypt_salt: # This field is only used to encrypt the private key of SSL. - - edd1c9f0985e76a2 # Set the encryption key for AES-128-CBC. It should be a - # hexadecimal string of length 16. - # If not set, APISIX saves the original data into etcd. - # CAUTION: If you would like to update the key, add the new key as the - # first item in the array and keep the older keys below the newly added - # key, so that data can be decrypted with the older keys and encrypted - # with the new key. Removing the old keys directly can render the data - # unrecoverable. - # fallback_sni: "my.default.domain" # Fallback SNI to be used if the client does not send SNI during # # the handshake. @@ -128,11 +118,13 @@ apisix: disable_sync_configuration_during_start: false # Safe exit. TO BE REMOVED. - data_encryption: # Encrypt fields specified in `encrypt_fields` in plugin schema. - enable: false - keyring: # Set the encryption key for AES-128-CBC. It should be a - - qeddd145sfvddff3 # hexadecimal string of length 16. - # If not set, APISIX saves the original data into etcd. + data_encryption: # Data encryption settings. + enable_encrypt_fields: false # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema. + keyring: # This field is used to encrypt the private key of SSL and the `encrypt_fields` + # in plugin schema. + - qeddd145sfvddff3 # Set the encryption key for AES-128-CBC. It should be a hexadecimal string + # of length 16. + - edd1c9f0985e76a2 # If not set, APISIX saves the original data into etcd. # CAUTION: If you would like to update the key, add the new key as the # first item in the array and keep the older keys below the newly added # key, so that data can be decrypted with the older keys and encrypted 
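Review bot: The keyring comment in the second hunk still says each key `should be a hexadecimal string of length 16`, yet the first shipped entry `qeddd145sfvddff3` contains q, s and v and is not hex; every test value is likewise a plain 16-character string, which suggests the entry is used directly as the 128-bit AES key rather than decoded from hex, so the comment misstates the constraint. More importantly, both entries are now public defaults that protect every SSL private key and every encrypt_fields secret written to etcd, so an operator who leaves them in place gets no confidentiality against anyone who can read etcd, and the comment should say so plainly. I would replace that line with `# Each entry must be exactly 16 characters (used as the AES-128-CBC key).` / `# The values shipped here are public examples and give NO confidentiality - replace them before deploying.` The ordering is sound: the old ssl default `edd1c9f0985e76a2` stays second, so keys encrypted before this change still decrypt, as the existing CAUTION note describes.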
diff --git a/t/admin/ssl2.t b/t/admin/ssl2.t index da286db1a44b..15abf37eb5f0 100644 --- a/t/admin/ssl2.t +++ b/t/admin/ssl2.t @@ -431,8 +431,8 @@ qr/"snis":\["update1.com","update2.com"\]/ --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: "edd1c9f0985e76a2" + data_encryption: + keyring: "qeddd145sfvddff3" --- config location /t { content_by_lua_block { @@ -468,8 +468,8 @@ false --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: "edd1c9f0985e76a2" + data_encryption: + keyring: "qeddd145sfvddff3" --- config location /t { content_by_lua_block { diff --git a/t/admin/ssl4.t b/t/admin/ssl4.t index fe3b8fcae449..4b69f85383c9 100644 --- a/t/admin/ssl4.t +++ b/t/admin/ssl4.t @@ -110,14 +110,14 @@ run_tests; __DATA__ -=== TEST 1: set ssl(sni: www.test.com), encrypt with the first key_encrypt_salt +=== TEST 1: set ssl(sni: www.test.com), encrypt with the first keyring --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: + data_encryption: + keyring: - edd1c9f0985e76a1 - - edd1c9f0985e76a2 + - qeddd145sfvddff3 --- config location /t { content_by_lua_block { @@ -152,8 +152,8 @@ passed --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: "edd1c9f0985e76a1" + data_encryption: + keyring: "edd1c9f0985e76a1" --- config location /t { content_by_lua_block { @@ -182,12 +182,12 @@ passed -=== TEST 3: client request with the old style key_encrypt_salt +=== TEST 3: client request with the old style keyring --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: "edd1c9f0985e76a1" + data_encryption: + keyring: "edd1c9f0985e76a1" --- response_body eval qr{connected: 1 ssl handshake: true @@ -207,12 +207,12 @@ server name: "www.test.com" -=== TEST 4: client request with the new style key_encrypt_salt +=== TEST 4: client request with the new style keyring --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: + data_encryption: + keyring: - edd1c9f0985e76a1 --- response_body eval qr{connected: 1 
@@ -233,26 +233,26 @@ server name: "www.test.com" -=== TEST 5: client request failed with the wrong key_encrypt_salt +=== TEST 5: client request failed with the wrong keyring --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: - - edd1c9f0985e76a2 + data_encryption: + keyring: + - qeddd145sfvddff3 --- error_log decrypt ssl key failed [alert] -=== TEST 6: client request successfully, use the two key_encrypt_salt to decrypt in turn +=== TEST 6: client request successfully, use the two keyring to decrypt in turn --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: - - edd1c9f0985e76a2 + data_encryption: + keyring: + - qeddd145sfvddff3 - edd1c9f0985e76a1 --- response_body eval qr{connected: 1 @@ -273,8 +273,8 @@ close: 1 nil} --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: + data_encryption: + keyring: - edd1c9f0985e76a1 --- config location /t { @@ -292,8 +292,8 @@ location /t { --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: null + data_encryption: + keyring: null --- config location /t { content_by_lua_block { @@ -324,12 +324,12 @@ passed -=== TEST 9: client request without key_encrypt_salt +=== TEST 9: client request without keyring --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: null + data_encryption: + keyring: null --- response_body eval qr{connected: 1 ssl handshake: true @@ -353,8 +353,8 @@ server name: "www.test.com" --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: null + data_encryption: + keyring: null --- config location /t { content_by_lua_block { @@ -371,8 +371,8 @@ location /t { --- yaml_config apisix: node_listen: 1984 - ssl: - key_encrypt_salt: null + data_encryption: + keyring: null --- config location /t { content_by_lua_block { diff --git a/t/node/data_encrypt.t b/t/node/data_encrypt.t index 8746c88d50b0..0dece7d467fc 100644 --- a/t/node/data_encrypt.t +++ b/t/node/data_encrypt.t 
@@ -39,7 +39,7 @@ __DATA__
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -129,7 +129,7 @@ passed
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- request
@@ -145,7 +145,7 @@ hello world
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -230,7 +230,7 @@ passed
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- request
@@ -247,7 +247,7 @@ hello world
 --- yaml_config
 apisix:
     data_encryption:
-        enable: false
+        enable_encrypt_fields: false
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -291,7 +291,7 @@ bar
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -344,7 +344,7 @@ failed to decrypt the conf of plugin [basic-auth] key [password], err: decrypt s
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -402,7 +402,7 @@ failed to decrypt the conf of plugin [basic-auth] key [password], err: decrypt s
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- request
@@ -419,7 +419,7 @@ hello world
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -478,7 +478,7 @@ passed
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - qeddd145sfvddff3
             - edd1c9f0985e76a2
@@ -495,7 +495,7 @@ hello world
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/node/data_encrypt2.t b/t/node/data_encrypt2.t
index 14296189842b..d9476228da6d 100644
--- a/t/node/data_encrypt2.t
+++ b/t/node/data_encrypt2.t
@@ -38,7 +38,7 @@ __DATA__
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -101,7 +101,7 @@ abc123
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- request
@@ -121,7 +121,7 @@ clickhouse headers: x-clickhouse-database:default
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -189,7 +189,7 @@ abc123
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -268,7 +268,7 @@ def456
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -345,7 +345,7 @@ abc123
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- request
@@ -365,7 +365,7 @@ clickhouse headers: x-clickhouse-database:default
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -443,7 +443,7 @@ abc123
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- request
@@ -463,7 +463,7 @@ clickhouse headers: x-clickhouse-database:default
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -567,7 +567,7 @@ passed
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -645,7 +645,7 @@ vU/ZHVJw7b0XscDJ1Fhtig==
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -704,7 +704,7 @@ apisix:
 --- yaml_config
 apisix:
     data_encryption:
-        enable: false
+        enable_encrypt_fields: false
 --- config
     location /t {
         content_by_lua_block {
diff --git a/t/node/upstream-mtls.t b/t/node/upstream-mtls.t
index e8eacc3bc45e..b7bff235aa6a 100644
--- a/t/node/upstream-mtls.t
+++ b/t/node/upstream-mtls.t
@@ -337,8 +337,8 @@ GET /t
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: null
+    data_encryption:
+        keyring: null
 --- config
     location /t {
         content_by_lua_block {
diff --git a/t/plugin/authz-casdoor.t b/t/plugin/authz-casdoor.t
index 25fab487a29d..aef07faccbd8 100644
--- a/t/plugin/authz-casdoor.t
+++ b/t/plugin/authz-casdoor.t
@@ -448,7 +448,7 @@ failed when accessing token: invalid access_token
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/authz-keycloak3.t b/t/plugin/authz-keycloak3.t
index 619417bc36d5..e467705fe66d 100644
--- a/t/plugin/authz-keycloak3.t
+++ b/t/plugin/authz-keycloak3.t
@@ -113,7 +113,7 @@ Location: http://127.0.0.1/test
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/csrf.t b/t/plugin/csrf.t
index 1edc30239c4c..6ed8b959256c 100644
--- a/t/plugin/csrf.t
+++ b/t/plugin/csrf.t
@@ -332,7 +332,7 @@ hello world
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/elasticsearch-logger.t b/t/plugin/elasticsearch-logger.t
index ba9b6bfd9c84..1706f5c289cd 100644
--- a/t/plugin/elasticsearch-logger.t
+++ b/t/plugin/elasticsearch-logger.t
@@ -454,7 +454,7 @@ check elasticsearch custom body success
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/error-log-logger-clickhouse.t b/t/plugin/error-log-logger-clickhouse.t
index 41dfe15d43fb..91ef60b187d5 100644
--- a/t/plugin/error-log-logger-clickhouse.t
+++ b/t/plugin/error-log-logger-clickhouse.t
@@ -218,7 +218,7 @@ passed
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -278,7 +278,7 @@ bar
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/google-cloud-logging2.t b/t/plugin/google-cloud-logging2.t
index def2ca0ca00a..11e86288e543 100644
--- a/t/plugin/google-cloud-logging2.t
+++ b/t/plugin/google-cloud-logging2.t
@@ -75,7 +75,7 @@ passed
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/hmac-auth3.t b/t/plugin/hmac-auth3.t
index df41efaa16a5..70c5048c89dd 100644
--- a/t/plugin/hmac-auth3.t
+++ b/t/plugin/hmac-auth3.t
@@ -704,7 +704,7 @@ passed
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t
index 3ab089a974c6..c28fad3075a7 100755
--- a/t/plugin/jwt-auth3.t
+++ b/t/plugin/jwt-auth3.t
@@ -326,7 +326,7 @@ passed
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
@@ -382,7 +382,7 @@ IRWpPjbDq5BCgHyIllnOMA==
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/kafka-proxy.t b/t/plugin/kafka-proxy.t
index 52ba9d8742b6..eedc6d986f0f 100644
--- a/t/plugin/kafka-proxy.t
+++ b/t/plugin/kafka-proxy.t
@@ -62,7 +62,7 @@ property "sasl" validation failed: property "password" validation failed: wrong
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/openid-connect2.t b/t/plugin/openid-connect2.t
index 29c49aedbeb8..bbb775beb8b9 100644
--- a/t/plugin/openid-connect2.t
+++ b/t/plugin/openid-connect2.t
@@ -85,7 +85,7 @@ __DATA__
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/rocketmq-logger2.t b/t/plugin/rocketmq-logger2.t
index af84ecf28d7f..7f3d054fa6ed 100644
--- a/t/plugin/rocketmq-logger2.t
+++ b/t/plugin/rocketmq-logger2.t
@@ -447,7 +447,7 @@ done
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/sls-logger.t b/t/plugin/sls-logger.t
index 9e668e1bf3b0..940ddf6a2be8 100644
--- a/t/plugin/sls-logger.t
+++ b/t/plugin/sls-logger.t
@@ -264,7 +264,7 @@ passed
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config
diff --git a/t/plugin/tencent-cloud-cls.t b/t/plugin/tencent-cloud-cls.t
index 6005504da12e..92b78f29d46e 100644
--- a/t/plugin/tencent-cloud-cls.t
+++ b/t/plugin/tencent-cloud-cls.t
@@ -346,7 +346,7 @@ passed
 --- yaml_config
 apisix:
     data_encryption:
-        enable: true
+        enable_encrypt_fields: true
         keyring:
             - edd1c9f0985e76a2
 --- config