nic-6443 opened a new pull request, #13525: URL: https://github.com/apache/apisix/pull/13525
### Description

When data encryption (`data_encryption.enable_encrypt_fields`, enabled by default since 3.10.0) is on, every Admin API PATCH request re-encrypts the plugin fields declared in `encrypt_fields`, even though the stored values are already ciphertext. The ciphertext grows with every PATCH, while the data plane decrypts exactly once, so plugins end up running with a corrupted secret. For example, after PATCHing an unrelated field on a route that uses `ai-proxy`, the gateway starts sending a garbled API key upstream and gets 401 responses.

Root cause: the PATCH handler in `apisix/admin/resource.lua` reads the raw resource from etcd (where `encrypt_fields` hold ciphertext), merges the patch into it, and then passes the merged value to `check_conf`, which unconditionally calls `encrypt_conf`. So the already-encrypted fields get wrapped in another encryption layer on every PATCH.

Fix: decrypt the stored plugin conf right after fetching it from etcd and before the merge, reusing the same decryption helpers the GET path uses (`utils.decrypt_params` + `plugin.decrypt_conf`). The merged value is then plaintext, and `check_conf` re-encrypts it exactly once on write. Both the whole-body PATCH and the sub-path PATCH variants are covered.

Affected resource types: all PATCH-able resources whose `check_conf` encrypts plugin fields — routes, services, plugin_configs, global_rules and consumer_groups. Consumers, credentials and plugin_metadata do not support PATCH. Upstream `tls.client_key` is not affected, since its encryption is guarded by a PEM-prefix check and is therefore already idempotent.
#### Which issue(s) this PR fixes:

Fixes #13351

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)
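
The read-merge-write failure described in this pull request, as an added Python model that is not part of the PR and not APISIX's Lua code. A toy XOR+base64 cipher stands in for the real encryption, and the `api_key` field name, the key, the route and the secret are constructed for illustration.

```python
import base64
import copy
from itertools import cycle

KEY = b"constructed-demo-key"               # constructed key, not a real keyring value
ENCRYPT_FIELDS = {"ai-proxy": ["api_key"]}  # hypothetical field name for this model

def encrypt(value: str) -> str:
    """Toy reversible cipher (XOR + base64); a stand-in, not the real algorithm."""
    raw = bytes(b ^ k for b, k in zip(value.encode(), cycle(KEY)))
    return base64.b64encode(raw).decode()

def decrypt(value: str) -> str:
    raw = base64.b64decode(value)
    return bytes(b ^ k for b, k in zip(raw, cycle(KEY))).decode()

def transform_plugins(conf, fn):
    """Return a copy of conf with fn applied to every declared encrypt field."""
    out = copy.deepcopy(conf)
    for name, fields in ENCRYPT_FIELDS.items():
        plugin = out.get("plugins", {}).get(name)
        for field in fields:
            if plugin and field in plugin:
                plugin[field] = fn(plugin[field])
    return out

def check_conf(conf):
    """Write path: encrypts unconditionally, as the description says of check_conf."""
    return transform_plugins(conf, encrypt)

def patch(store, key, changes, decrypt_first):
    stored = store[key]                     # raw value: encrypt fields hold ciphertext
    if decrypt_first:                       # the fix: make it plaintext before merging
        stored = transform_plugins(stored, decrypt)
    merged = {**stored, **changes}          # shallow merge is enough for this model
    store[key] = check_conf(merged)         # encrypts once more on write

def data_plane_secret(store, key):
    """The data plane decrypts exactly once."""
    return transform_plugins(store[key], decrypt)["plugins"]["ai-proxy"]["api_key"]

def run(decrypt_first, patches=3):
    store = {"route/1": check_conf({"desc": "v0",
             "plugins": {"ai-proxy": {"api_key": "sk-constructed-secret"}}})}
    sizes = []
    for i in range(patches):                # each PATCH touches only the unrelated "desc"
        patch(store, "route/1", {"desc": f"v{i + 1}"}, decrypt_first)
        sizes.append(len(store["route/1"]["plugins"]["ai-proxy"]["api_key"]))
    return data_plane_secret(store, "route/1"), sizes
```

`run(False)` models the handler before the fix and `run(True)` the handler after it; comparing the stored field length across PATCHes is also a quick way to spot resources that were already wrapped more than once.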
