nic-6443 opened a new pull request, #13192:
URL: https://github.com/apache/apisix/pull/13192

   ## Description
   
   Enhance the `encrypt_fields` mechanism in `plugin.lua` to support nested and complex field structures. The current implementation only handles flat keys and 2-level dotted paths (e.g., `sasl.password`).
   
   ### What's changed
   
   **Core: Rewrite encrypt/decrypt traversal logic** (`apisix/plugin.lua`)
   
   Replace the flat/2-level `if/elseif` logic with a recursive `process_encrypt_field()` helper that supports:
   
   1. **Arbitrary depth dotted paths** — e.g., `auth.gcp.service_account_json` traverses 3 levels deep
   2. **Array traversal at intermediate nodes** — when an intermediate value is an array (e.g., `instances`), iterate each element and continue recursion
   3. **Leaf type dispatch**:
      - `string` → encrypt/decrypt directly
      - `array of strings` → iterate and encrypt/decrypt each element
      - `map of strings` → iterate and encrypt/decrypt each value
   
   Uses `core.table.isarray()` for reliable array vs map detection.
   
   **Plugin schema updates:**
   
   | Plugin | encrypt_fields added |
   |---|---|
   | ai-proxy | `auth.header`, `auth.query`, `auth.gcp.service_account_json` |
   | ai-proxy-multi | `instances.auth.header`, `instances.auth.query`, `instances.auth.gcp.service_account_json` |
   | ai-rag | `embeddings_provider.azure_openai.api_key`, `vector_search_provider.azure_ai_search.api_key` |
   
   ### Backward compatibility
   
   - Flat keys (e.g., `password`) continue to work unchanged
   - Existing 2-level dotted paths (e.g., `sasl.password`, `auth.password`) continue to work
   - Regression tests included for both cases
   
   ### Tests
   
   Added `t/node/data_encrypt3.t` with 7 test cases covering:
   - Map of strings encryption (ai-proxy `auth.header`, `auth.query`)
   - 3-level nested string (ai-proxy `auth.gcp.service_account_json`, ai-rag API keys)
   - Array with nested encrypted fields (ai-proxy-multi `instances[].auth.header`)
   - Nil/missing field handling
   - Flat key regression (basic-auth `password`)
   - 2-level dotted path regression (kafka-proxy `sasl.password`)
   - Array of strings leaf encryption via `process_encrypt_field`
   


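The traversal described in this pull request, as a standalone Lua sketch added here for illustration (it is not the code from the pull request or from APISIX). `is_array`, `apply_leaf`, `walk`, `transform` and `mark` are hypothetical names, `mark` is a placeholder for the real encrypt/decrypt call, and leaving non-string leaves untouched is an assumption the description does not state.

```lua
-- Hypothetical stand-in for core.table.isarray(): true when keys are exactly 1..n.
local function is_array(t)
    local n = 0
    for _ in pairs(t) do n = n + 1 end
    for i = 1, n do
        if t[i] == nil then return false end
    end
    return true
end

-- Leaf dispatch: a string, an array of strings, or a map of strings.
local function apply_leaf(parent, key, fn)
    local v = parent[key]
    if type(v) == "string" then parent[key] = fn(v) return end
    if type(v) ~= "table" then return end  -- nil or other types: untouched (assumption)
    for k, item in pairs(v) do
        if type(item) == "string" then v[k] = fn(item) end
    end
end

-- Follow segs[i..] from node; an array met on the way fans out per element.
local function walk(node, segs, i, fn)
    if type(node) ~= "table" then return end  -- missing intermediate field
    if is_array(node) then
        for _, elem in ipairs(node) do walk(elem, segs, i, fn) end
    elseif i == #segs then
        apply_leaf(node, segs[i], fn)
    else
        walk(node[segs[i]], segs, i + 1, fn)
    end
end

-- Split a dotted path and apply fn to every string it reaches.
local function transform(conf, path, fn)
    local segs = {}
    for seg in path:gmatch("[^.]+") do segs[#segs + 1] = seg end
    walk(conf, segs, 1, fn)
end

-- Constructed sample shaped like an ai-proxy-multi configuration.
local conf = { instances = {
    { auth = { header = { Authorization = "Bearer k1" } } },
    { auth = { gcp = { service_account_json = "{}" } } },
} }
local mark = function(s) return "ENC(" .. s .. ")" end  -- placeholder, not encryption
for _, p in ipairs({ "instances.auth.header", "instances.auth.query",
                     "instances.auth.gcp.service_account_json" }) do
    transform(conf, p, mark)
end
assert(conf.instances[1].auth.header.Authorization == "ENC(Bearer k1)")
assert(conf.instances[2].auth.gcp.service_account_json == "ENC({})")
```

Running the same paths over a stored configuration and checking which values still come back unmarked is a quick way to spot secret fields that a plugin's `encrypt_fields` list does not cover.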