change: unify the keyring and key_encrypt_salt fields (#10771)

Author: RitterHou

apisix/cli/file.lua

@@ -175,7 +175,7 @@ local function path_is_multi_type(path, type_val)
         return true
     end
 
-    if path == "apisix->ssl->key_encrypt_salt" then
+    if path == "apisix->data_encryption->keyring" then
         return true
     end
 

apisix/cli/schema.lua

@@ -224,7 +224,12 @@ local config_schema = {
                                 }
                             }
                         },
-                        key_encrypt_salt = {
+                    }
+                },
+                data_encryption = {
+                    type = "object",
+                    properties = {
+                        keyring = {
                             anyOf = {
                                 {
                                     type = "array",

apisix/plugin.lua

@@ -906,7 +906,8 @@ local enable_data_encryption
 local function enable_gde()
     if enable_data_encryption == nil then
         enable_data_encryption =
-            core.table.try_read_attr(local_conf, "apisix", "data_encryption", "enable")
+            core.table.try_read_attr(local_conf, "apisix", "data_encryption",
+                    "enable_encrypt_fields")
         _M.enable_data_encryption = enable_data_encryption
     end
 

apisix/ssl.lua

@@ -92,17 +92,6 @@ local function init_iv_tbl(ivs)
 end
 
 
-local _aes_128_cbc_with_iv_tbl_ssl
-local function get_aes_128_cbc_with_iv_ssl(local_conf)
-    if _aes_128_cbc_with_iv_tbl_ssl == nil then
-        local ivs = core.table.try_read_attr(local_conf, "apisix", "ssl", "key_encrypt_salt")
-        _aes_128_cbc_with_iv_tbl_ssl = init_iv_tbl(ivs)
-    end
-
-    return _aes_128_cbc_with_iv_tbl_ssl
-end
-
-
 local _aes_128_cbc_with_iv_tbl_gde
 local function get_aes_128_cbc_with_iv_gde(local_conf)
     if _aes_128_cbc_with_iv_tbl_gde == nil then
@@ -127,43 +116,31 @@ end
 
 function _M.aes_encrypt_pkey(origin, field)
     local local_conf = core.config.local_conf()
+    local aes_128_cbc_with_iv_tbl_gde = get_aes_128_cbc_with_iv_gde(local_conf)
+    local aes_128_cbc_with_iv_gde = aes_128_cbc_with_iv_tbl_gde[1]
 
     if not field then
-        -- default used by ssl
-        local aes_128_cbc_with_iv_tbl_ssl = get_aes_128_cbc_with_iv_ssl(local_conf)
-        local aes_128_cbc_with_iv_ssl = aes_128_cbc_with_iv_tbl_ssl[1]
-        if aes_128_cbc_with_iv_ssl ~= nil and core.string.has_prefix(origin, "---") then
-            return encrypt(aes_128_cbc_with_iv_ssl, origin)
+        if aes_128_cbc_with_iv_gde ~= nil and core.string.has_prefix(origin, "---") then
+            return encrypt(aes_128_cbc_with_iv_gde, origin)
         end
     else
         if field == "data_encrypt" then
-            local aes_128_cbc_with_iv_tbl_gde = get_aes_128_cbc_with_iv_gde(local_conf)
-            local aes_128_cbc_with_iv_gde = aes_128_cbc_with_iv_tbl_gde[1]
             if aes_128_cbc_with_iv_gde ~= nil then
                 return encrypt(aes_128_cbc_with_iv_gde, origin)
             end
         end
     end
-
     return origin
 end
 
 
 local function aes_decrypt_pkey(origin, field)
-    local local_conf = core.config.local_conf()
-    local aes_128_cbc_with_iv_tbl
-
-    if not field then
-        if core.string.has_prefix(origin, "---") then
-            return origin
-        end
-        aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_ssl(local_conf)
-    else
-        if field == "data_encrypt" then
-            aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_gde(local_conf)
-        end
+    if not field and core.string.has_prefix(origin, "---") then
+        return origin
     end
 
+    local local_conf = core.config.local_conf()
+    local aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_gde(local_conf)
     if #aes_128_cbc_with_iv_tbl == 0 then
         return origin
     end

conf/config-default.yaml

@@ -108,16 +108,6 @@ apisix:
                                 # Disabled by default because it renders Perfect Forward Secrecy (FPS)
                                 # useless. See https://github.com/mozilla/server-side-tls/issues/135.
 
-    key_encrypt_salt:           # This field is only used to encrypt the private key of SSL.
-      - edd1c9f0985e76a2        # Set the encryption key for AES-128-CBC. It should be a
-                                # hexadecimal string of length 16.
-                                # If not set, APISIX saves the original data into etcd.
-                                # CAUTION: If you would like to update the key, add the new key as the
-                                # first item in the array and keep the older keys below the newly added
-                                # key, so that data can be decrypted with the older keys and encrypted
-                                # with the new key. Removing the old keys directly can render the data
-                                # unrecoverable.
-
     # fallback_sni: "my.default.domain"      # Fallback SNI to be used if the client does not send SNI during
     #                                        # the handshake.
 
@@ -128,11 +118,13 @@ apisix:
 
   disable_sync_configuration_during_start: false  # Safe exit. TO BE REMOVED.
 
-  data_encryption:                # Encrypt fields specified in `encrypt_fields` in plugin schema.
-    enable: false
-    keyring:                      # Set the encryption key for AES-128-CBC. It should be a
-      - qeddd145sfvddff3          # hexadecimal string of length 16.
-                                  # If not set, APISIX saves the original data into etcd.
+  data_encryption:                # Data encryption settings.
+    enable_encrypt_fields: false  # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema.
+    keyring:                      # This field is used to encrypt the private key of SSL and the `encrypt_fields`
+                                  # in plugin schema.
+      - qeddd145sfvddff3          # Set the encryption key for AES-128-CBC. It should be a hexadecimal string
+                                  # of length 16.
+      - edd1c9f0985e76a2          # If not set, APISIX saves the original data into etcd.
                                   # CAUTION: If you would like to update the key, add the new key as the
                                   # first item in the array and keep the older keys below the newly added
                                   # key, so that data can be decrypted with the older keys and encrypted

t/admin/ssl2.t

@@ -431,8 +431,8 @@ qr/"snis":\["update1.com","update2.com"\]/
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: "edd1c9f0985e76a2"
+    data_encryption:
+        keyring: "qeddd145sfvddff3"
 --- config
     location /t {
         content_by_lua_block {
@@ -468,8 +468,8 @@ false
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: "edd1c9f0985e76a2"
+    data_encryption:
+        keyring: "qeddd145sfvddff3"
 --- config
     location /t {
         content_by_lua_block {

t/admin/ssl4.t

@@ -110,14 +110,14 @@ run_tests;
 
 __DATA__
 
-=== TEST 1: set ssl(sni: www.test.com), encrypt with the first key_encrypt_salt
+=== TEST 1: set ssl(sni: www.test.com), encrypt with the first keyring
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt:
+    data_encryption:
+        keyring:
             - edd1c9f0985e76a1
-            - edd1c9f0985e76a2
+            - qeddd145sfvddff3
 --- config
 location /t {
     content_by_lua_block {
@@ -152,8 +152,8 @@ passed
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: "edd1c9f0985e76a1"
+    data_encryption:
+        keyring: "edd1c9f0985e76a1"
 --- config
     location /t {
         content_by_lua_block {
@@ -182,12 +182,12 @@ passed
 
 
 
-=== TEST 3: client request with the old style key_encrypt_salt
+=== TEST 3: client request with the old style keyring
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: "edd1c9f0985e76a1"
+    data_encryption:
+        keyring: "edd1c9f0985e76a1"
 --- response_body eval
 qr{connected: 1
 ssl handshake: true
@@ -207,12 +207,12 @@ server name: "www.test.com"
 
 
 
-=== TEST 4: client request with the new style key_encrypt_salt
+=== TEST 4: client request with the new style keyring
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt:
+    data_encryption:
+        keyring:
             - edd1c9f0985e76a1
 --- response_body eval
 qr{connected: 1
@@ -233,26 +233,26 @@ server name: "www.test.com"
 
 
 
-=== TEST 5: client request failed with the wrong key_encrypt_salt
+=== TEST 5: client request failed with the wrong keyring
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt:
-            - edd1c9f0985e76a2
+    data_encryption:
+        keyring:
+            - qeddd145sfvddff3
 --- error_log
 decrypt ssl key failed
 [alert]
 
 
 
-=== TEST 6: client request successfully, use the two key_encrypt_salt to decrypt in turn
+=== TEST 6: client request successfully, use the two keyring to decrypt in turn
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt:
-            - edd1c9f0985e76a2
+    data_encryption:
+        keyring:
+            - qeddd145sfvddff3
             - edd1c9f0985e76a1
 --- response_body eval
 qr{connected: 1
@@ -273,8 +273,8 @@ close: 1 nil}
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt:
+    data_encryption:
+        keyring:
             - edd1c9f0985e76a1
 --- config
 location /t {
@@ -292,8 +292,8 @@ location /t {
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: null
+    data_encryption:
+        keyring: null
 --- config
 location /t {
     content_by_lua_block {
@@ -324,12 +324,12 @@ passed
 
 
 
-=== TEST 9: client request without key_encrypt_salt
+=== TEST 9: client request without keyring
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: null
+    data_encryption:
+        keyring: null
 --- response_body eval
 qr{connected: 1
 ssl handshake: true
@@ -353,8 +353,8 @@ server name: "www.test.com"
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: null
+    data_encryption:
+        keyring: null
 --- config
 location /t {
     content_by_lua_block {
@@ -371,8 +371,8 @@ location /t {
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: null
+    data_encryption:
+        keyring: null
 --- config
 location /t {
     content_by_lua_block {