nic-6443 opened a new pull request, #13564:
URL: https://github.com/apache/apisix/pull/13564

   fix: remove redundant "base64 decode ssl key failed" error log
   
   ### Description
   
   `aes_decrypt_pkey()` in `apisix/ssl.lua` is used for two things: decrypting 
SSL private keys, and decrypting any plugin field listed in a plugin's 
`encrypt_fields` (through `plugin.process_encrypt_field()`).
   
   When base64 decode fails it both logs `base64 decode ssl key failed` at 
**error** level and returns that same string to the caller. But every caller 
already logs the returned error with proper context — `validate()` / 
`parse_pem_priv_key()` on the SSL path, and `process_encrypt_field()` (which 
includes the plugin name and key path) on the encrypt_fields path. So the 
internal log is redundant.
   
   It is also misleading on the encrypt_fields path: the value being decoded is 
a plugin field, not an SSL key, yet the log says "ssl key". This is easy to 
trigger — add a field to a plugin's `encrypt_fields`, and any existing config 
that still stores that field as plaintext will fail to base64-decode on load, 
flooding `error.log` with confusing `base64 decode ssl key failed` lines that 
point at the wrong subsystem.
   
   This removes the redundant internal log and lets the callers report the 
error (they already do, with context). The returned error string is unchanged, 
so caller behavior is the same.
   
   ### Test
   
   Added a case in `t/node/data_encrypt3.t` that decrypts a non-base64 value 
and asserts the error is still returned to the caller but no longer written to 
`error.log`. It fails before this change and passes after.
   
   ### Checklist
   
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [ ] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
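
An added example, not part of the pull request or of APISIX's code: a pre-change audit that finds stored plugin values which would fail to base64-decode once their field is listed in `encrypt_fields`, reported with the plugin name and key path. The plugin name, field paths and route records are constructed for illustration, and Python's strict base64 check is an assumed stand-in for the gateway's decoder.

```python
import base64
import binascii

# Hypothetical mapping: plugin name -> key paths newly listed in encrypt_fields.
ENCRYPT_FIELDS = {"example-auth": ["secret", "upstream.token"]}

# Constructed sample of stored route configs (not real APISIX data).
ROUTES = [
    {"id": "r1", "plugins": {"example-auth": {"secret": "p@ss word!"}}},
    {"id": "r2", "plugins": {"example-auth": {
        "secret": "3q2+7w==",                      # already base64
        "upstream": {"token": "plain text token"}  # still plaintext
    }}},
    {"id": "r3", "plugins": {"other-plugin": {"secret": "not checked"}}},
]


def is_strict_base64(value):
    """True if value decodes as padded, standard-alphabet base64.

    Assumption: this is stricter than or equal to the gateway's decoder,
    so it may over-report. A plaintext that happens to be valid base64
    (e.g. "password") passes here; passing is not proof of ciphertext.
    """
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def lookup(conf, path):
    """Follow a dotted key path; return None if any part is missing."""
    node = conf
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def find_undecodable(routes, encrypt_fields):
    """Return (route id, plugin, key path) for values that are not base64."""
    findings = []
    for route in routes:
        for plugin, conf in route.get("plugins", {}).items():
            for path in encrypt_fields.get(plugin, []):
                value = lookup(conf, path)
                if isinstance(value, str) and not is_strict_base64(value):
                    findings.append((route["id"], plugin, path))
    return findings
```
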
