Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek merged PR #11076: URL: https://github.com/apache/apisix/pull/11076 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek commented on code in PR #11076: URL: https://github.com/apache/apisix/pull/11076#discussion_r1541332469 ## t/plugin/key-auth.t: ## @@ -23,6 +23,31 @@ use t::APISIX 'no_plan'; repeat_each(2); no_long_string(); no_root_location(); + +add_block_preprocessor(sub { +my ($block) = @_; + +my $user_yaml_config = <<_EOC_; +deployment: + role: traditional + role_traditional: +config_provider: etcd + admin: +admin_key: null +apisix: + node_listen: 1984 + proxy_mode: http + stream_proxy: +tcp: + - 9100 + enable_resolv_search_opt: false + data_encryption: +enable_encrypt_fields: false Review Comment: I think this should work. let me try -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
starsz commented on code in PR #11076: URL: https://github.com/apache/apisix/pull/11076#discussion_r1540720522 ## t/plugin/key-auth.t: ## @@ -23,6 +23,31 @@ use t::APISIX 'no_plan'; repeat_each(2); no_long_string(); no_root_location(); + +add_block_preprocessor(sub { +my ($block) = @_; + +my $user_yaml_config = <<_EOC_; +deployment: + role: traditional + role_traditional: +config_provider: etcd + admin: +admin_key: null +apisix: + node_listen: 1984 + proxy_mode: http + stream_proxy: +tcp: + - 9100 + enable_resolv_search_opt: false + data_encryption: +enable_encrypt_fields: false Review Comment: Could we only keep ``` apisix: data_encryption: enable_encrypt_fields: false ``` this ? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek commented on code in PR #11076: URL: https://github.com/apache/apisix/pull/11076#discussion_r1536768360 ## t/plugin/key-auth.t: ## @@ -23,6 +23,31 @@ use t::APISIX 'no_plan'; repeat_each(2); no_long_string(); no_root_location(); + +add_block_preprocessor(sub { +my ($block) = @_; + +my $user_yaml_config = <<_EOC_; +deployment: + role: traditional + role_traditional: +config_provider: etcd + admin: +admin_key: null +apisix: + node_listen: 1984 + proxy_mode: http + stream_proxy: +tcp: + - 9100 + enable_resolv_search_opt: false + data_encryption: +enable_encrypt_fields: false Review Comment: disable encrypt fields for this test file because this line in the tests: https://github.com/shreemaan-abhishek/apisix/blob/7c2994b844aef288030392d85bcc9bfbfb46ad0a/t/plugin/key-auth.t#L206-L207 expects response with sensitive fields in plain text... modifying the test to expect encrypted fields would make the tests too complex. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek commented on code in PR #11076: URL: https://github.com/apache/apisix/pull/11076#discussion_r1535104890 ## t/plugin/key-auth.t: ## @@ -23,6 +23,31 @@ use t::APISIX 'no_plan'; repeat_each(2); no_long_string(); no_root_location(); + +add_block_preprocessor(sub { +my ($block) = @_; + +my $user_yaml_config = <<_EOC_; +deployment: + role: traditional + role_traditional: +config_provider: etcd + admin: +admin_key: null +apisix: + node_listen: 1984 + proxy_mode: http + stream_proxy: +tcp: + - 9100 + enable_resolv_search_opt: false + data_encryption: +enable_encrypt_fields: false Review Comment: disable encrypt fields for test because this line in the tests: https://github.com/shreemaan-abhishek/apisix/blob/7c2994b844aef288030392d85bcc9bfbfb46ad0a/t/plugin/key-auth.t#L206-L207 expects response with sensitive fields in plain text... modifying the test to expect encrypted fields would make the tests too complex. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek commented on code in PR #11076: URL: https://github.com/apache/apisix/pull/11076#discussion_r1535103969 ## apisix/plugin.lua: ## @@ -907,7 +907,7 @@ local function enable_gde() if enable_data_encryption == nil then enable_data_encryption = core.table.try_read_attr(local_conf, "apisix", "data_encryption", -"enable_encrypt_fields") +"enable_encrypt_fields") and (core.json.encode(core.config.type) == "etcd") Review Comment: encrypt fields only when config type is etcd. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek commented on code in PR #11076: URL: https://github.com/apache/apisix/pull/11076#discussion_r1536768092 ## t/admin/consumers.t: ## @@ -87,7 +87,7 @@ passed "desc": "new consumer", "plugins": { "key-auth": { -"key": "auth-one" +"key": "4y+JvURBE6ZwRbbgaryrhg==" Review Comment: since data encryption is `true` now, the body returned after a `PUT` operation would consist of encrypted information. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek commented on code in PR #11076: URL: https://github.com/apache/apisix/pull/11076#discussion_r1536767842 ## apisix/plugin.lua: ## @@ -907,7 +907,7 @@ local function enable_gde() if enable_data_encryption == nil then enable_data_encryption = core.table.try_read_attr(local_conf, "apisix", "data_encryption", -"enable_encrypt_fields") +"enable_encrypt_fields") and (core.config.type == "etcd") Review Comment: encrypt fields only when config type is etcd. Without this addition, enabling `encrypt_fields` on standalone mode would cause unexpected failures. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek commented on code in PR #11076: URL: https://github.com/apache/apisix/pull/11076#discussion_r1535104890 ## t/plugin/key-auth.t: ## @@ -23,6 +23,31 @@ use t::APISIX 'no_plan'; repeat_each(2); no_long_string(); no_root_location(); + +add_block_preprocessor(sub { +my ($block) = @_; + +my $user_yaml_config = <<_EOC_; +deployment: + role: traditional + role_traditional: +config_provider: etcd + admin: +admin_key: null +apisix: + node_listen: 1984 + proxy_mode: http + stream_proxy: +tcp: + - 9100 + enable_resolv_search_opt: false + data_encryption: +enable_encrypt_fields: false Review Comment: disable encrypt fields for test because this line in the tests: https://github.com/shreemaan-abhishek/apisix/blob/7c2994b844aef288030392d85bcc9bfbfb46ad0a/t/plugin/key-auth.t#L206-L207 expects response with sensitive fields in plain text... modifying the test to expect encrypted fields would make the tests too complex. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek commented on code in PR #11076: URL: https://github.com/apache/apisix/pull/11076#discussion_r1535103969 ## apisix/plugin.lua: ## @@ -907,7 +907,7 @@ local function enable_gde() if enable_data_encryption == nil then enable_data_encryption = core.table.try_read_attr(local_conf, "apisix", "data_encryption", -"enable_encrypt_fields") +"enable_encrypt_fields") and (core.json.encode(core.config.type) == "etcd") Review Comment: encrypt fields only when config type is etcd. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
moonming commented on PR #11076: URL: https://github.com/apache/apisix/pull/11076#issuecomment-2014406380 > > Expected behavior is to not update > > > > By default `encrypt_fields` will be updated to true (only in the `config-default.yaml`, the users still have the freedom to set it to `false`. Got it, so it's a break change -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek commented on PR #11076: URL: https://github.com/apache/apisix/pull/11076#issuecomment-2014324909 > Expected behavior is to not update By default `encrypt_fields` will be updated to true, the users still have the freedom to set it to `false`. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
moonming commented on PR #11076: URL: https://github.com/apache/apisix/pull/11076#issuecomment-2014285960 If a user upgrades APISIX from an old version to a new version, will this configuration be updated? Expected behavior is to not update -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek commented on PR #11076: URL: https://github.com/apache/apisix/pull/11076#issuecomment-2012205949 I suppose test cases are not needed. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[PR] feat: enable sensitive fields encryption by default [apisix]
shreemaan-abhishek opened a new pull request, #11076: URL: https://github.com/apache/apisix/pull/11076 ### Description Fixes https://lists.apache.org/thread/30wf080qvrzokronrx283sy8x8kondqf ### Checklist - [x] I have explained the need for this PR and the problem it solves - [x] I have explained the changes or the new features added to this PR - [ ] I have added tests corresponding to this change - [ ] I have updated the documentation to reflect this change - [ ] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org