Merge branch 'master' of https://github.com/apache/apisix into logger…

…-encoding
apache · Jan 30, 2024 · ffee98e · ffee98e
2 parents 5d2bf5e + 2c19fb1
commit ffee98e
Show file tree

Hide file tree

Showing 33 changed files with 258 additions and 147 deletions.
diff --git a/apisix/cli/file.lua b/apisix/cli/file.lua
@@ -175,7 +175,7 @@ local function path_is_multi_type(path, type_val)
         return true
     end
 
-    if path == "apisix->ssl->key_encrypt_salt" then
+    if path == "apisix->data_encryption->keyring" then
         return true
     end
 

diff --git a/apisix/cli/schema.lua b/apisix/cli/schema.lua
@@ -224,7 +224,12 @@ local config_schema = {
                                 }
                             }
                         },
-                        key_encrypt_salt = {
+                    }
+                },
+                data_encryption = {
+                    type = "object",
+                    properties = {
+                        keyring = {
                             anyOf = {
                                 {
                                     type = "array",

diff --git a/apisix/plugin.lua b/apisix/plugin.lua
@@ -906,7 +906,8 @@ local enable_data_encryption
 local function enable_gde()
     if enable_data_encryption == nil then
         enable_data_encryption =
-            core.table.try_read_attr(local_conf, "apisix", "data_encryption", "enable")
+            core.table.try_read_attr(local_conf, "apisix", "data_encryption",
+                    "enable_encrypt_fields")
         _M.enable_data_encryption = enable_data_encryption
     end
 

diff --git a/apisix/plugins/body-transformer.lua b/apisix/plugins/body-transformer.lua
@@ -34,7 +34,7 @@ local next              = next
 local transform_schema = {
     type = "object",
     properties = {
-        input_format = { type = "string", enum = {"xml", "json", "encoded", "args"} },
+        input_format = { type = "string", enum = {"xml", "json", "encoded", "args", "plain"} },
         template = { type = "string" },
         template_is_base64 = { type = "boolean" },
     },
@@ -129,7 +129,7 @@ end
 local function transform(conf, body, typ, ctx, request_method)
     local out = {}
     local format = conf[typ].input_format
-    if body or request_method == "GET" then
+    if (body or request_method == "GET") and format ~= "plain" then
         local err
         if format then
             out, err = decoders[format](body)

diff --git a/apisix/plugins/grpc-web.lua b/apisix/plugins/grpc-web.lua
@@ -21,6 +21,8 @@ local req_set_uri       = ngx.req.set_uri
 local req_set_body_data = ngx.req.set_body_data
 local decode_base64     = ngx.decode_base64
 local encode_base64     = ngx.encode_base64
+local bit               = require("bit")
+local string            = string
 
 
 local ALLOW_METHOD_OPTIONS = "OPTIONS"
@@ -87,7 +89,7 @@ function _M.access(conf, ctx)
     -- set grpc path
     if not (ctx.curr_req_matched and ctx.curr_req_matched[":ext"]) then
         core.log.error("routing configuration error, grpc-web plugin only supports ",
-                       "`prefix matching` pattern routing")
+            "`prefix matching` pattern routing")
         return 400
     end
 
@@ -130,6 +132,7 @@ function _M.header_filter(conf, ctx)
         core.response.set_header("Access-Control-Allow-Origin", DEFAULT_CORS_ALLOW_ORIGIN)
     end
     core.response.set_header("Content-Type", ctx.grpc_web_mime)
+    core.response.set_header("Access-Control-Expose-Headers", "grpc-message,grpc-status")
 end
 
 function _M.body_filter(conf, ctx)
@@ -147,6 +150,50 @@ function _M.body_filter(conf, ctx)
         chunk = encode_base64(chunk)
         ngx_arg[1] = chunk
     end
+
+    --[[
+    upstream_trailer_* available since NGINX version 1.13.10 :
+    https://nginx.org/en/docs/http/ngx_http_upstream_module.html#var_upstream_trailer_
+
+    grpc-web trailer format reference:
+    envoyproxy/envoy/source/extensions/filters/http/grpc_web/grpc_web_filter.cc
+
+    Format for grpc-web trailer
+        1 byte: 0x80
+        4 bytes: length of the trailer
+        n bytes: trailer
+
+    --]]
+    local status = ctx.var.upstream_trailer_grpc_status
+    local message = ctx.var.upstream_trailer_grpc_message
+    if status ~= "" and status ~= nil then
+        local status_str = "grpc-status:" .. status
+        local status_msg = "grpc-message:" .. ( message or "")
+        local grpc_web_trailer = status_str .. "\r\n" .. status_msg .. "\r\n"
+        local len = #grpc_web_trailer
+
+        -- 1 byte: 0x80
+        local trailer_buf = string.char(0x80)
+        -- 4 bytes: length of the trailer
+        trailer_buf = trailer_buf .. string.char(
+            bit.band(bit.rshift(len, 24), 0xff),
+            bit.band(bit.rshift(len, 16), 0xff),
+            bit.band(bit.rshift(len, 8), 0xff),
+            bit.band(len, 0xff)
+        )
+        -- n bytes: trailer
+        trailer_buf = trailer_buf .. grpc_web_trailer
+
+        if ctx.grpc_web_encoding == CONTENT_ENCODING_BINARY then
+            ngx_arg[1] = ngx_arg[1] .. trailer_buf
+        else
+            ngx_arg[1] = ngx_arg[1] .. encode_base64(trailer_buf)
+        end
+
+        -- clear trailer
+        ctx.var.upstream_trailer_grpc_status = nil
+        ctx.var.upstream_trailer_grpc_message = nil
+    end
 end
 
 return _M
diff --git a/apisix/ssl.lua b/apisix/ssl.lua
@@ -92,17 +92,6 @@ local function init_iv_tbl(ivs)
 end
 
 
-local _aes_128_cbc_with_iv_tbl_ssl
-local function get_aes_128_cbc_with_iv_ssl(local_conf)
-    if _aes_128_cbc_with_iv_tbl_ssl == nil then
-        local ivs = core.table.try_read_attr(local_conf, "apisix", "ssl", "key_encrypt_salt")
-        _aes_128_cbc_with_iv_tbl_ssl = init_iv_tbl(ivs)
-    end
-
-    return _aes_128_cbc_with_iv_tbl_ssl
-end
-
-
 local _aes_128_cbc_with_iv_tbl_gde
 local function get_aes_128_cbc_with_iv_gde(local_conf)
     if _aes_128_cbc_with_iv_tbl_gde == nil then
@@ -127,43 +116,31 @@ end
 
 function _M.aes_encrypt_pkey(origin, field)
     local local_conf = core.config.local_conf()
+    local aes_128_cbc_with_iv_tbl_gde = get_aes_128_cbc_with_iv_gde(local_conf)
+    local aes_128_cbc_with_iv_gde = aes_128_cbc_with_iv_tbl_gde[1]
 
     if not field then
-        -- default used by ssl
-        local aes_128_cbc_with_iv_tbl_ssl = get_aes_128_cbc_with_iv_ssl(local_conf)
-        local aes_128_cbc_with_iv_ssl = aes_128_cbc_with_iv_tbl_ssl[1]
-        if aes_128_cbc_with_iv_ssl ~= nil and core.string.has_prefix(origin, "---") then
-            return encrypt(aes_128_cbc_with_iv_ssl, origin)
+        if aes_128_cbc_with_iv_gde ~= nil and core.string.has_prefix(origin, "---") then
+            return encrypt(aes_128_cbc_with_iv_gde, origin)
         end
     else
         if field == "data_encrypt" then
-            local aes_128_cbc_with_iv_tbl_gde = get_aes_128_cbc_with_iv_gde(local_conf)
-            local aes_128_cbc_with_iv_gde = aes_128_cbc_with_iv_tbl_gde[1]
             if aes_128_cbc_with_iv_gde ~= nil then
                 return encrypt(aes_128_cbc_with_iv_gde, origin)
             end
         end
     end
-
     return origin
 end
 
 
 local function aes_decrypt_pkey(origin, field)
-    local local_conf = core.config.local_conf()
-    local aes_128_cbc_with_iv_tbl
-
-    if not field then
-        if core.string.has_prefix(origin, "---") then
-            return origin
-        end
-        aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_ssl(local_conf)
-    else
-        if field == "data_encrypt" then
-            aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_gde(local_conf)
-        end
+    if not field and core.string.has_prefix(origin, "---") then
+        return origin
     end
 
+    local local_conf = core.config.local_conf()
+    local aes_128_cbc_with_iv_tbl = get_aes_128_cbc_with_iv_gde(local_conf)
     if #aes_128_cbc_with_iv_tbl == 0 then
         return origin
     end

diff --git a/conf/config-default.yaml b/conf/config-default.yaml
@@ -108,16 +108,6 @@ apisix:
                                 # Disabled by default because it renders Perfect Forward Secrecy (FPS)
                                 # useless. See https://github.com/mozilla/server-side-tls/issues/135.
 
-    key_encrypt_salt:           # This field is only used to encrypt the private key of SSL.
-      - edd1c9f0985e76a2        # Set the encryption key for AES-128-CBC. It should be a
-                                # hexadecimal string of length 16.
-                                # If not set, APISIX saves the original data into etcd.
-                                # CAUTION: If you would like to update the key, add the new key as the
-                                # first item in the array and keep the older keys below the newly added
-                                # key, so that data can be decrypted with the older keys and encrypted
-                                # with the new key. Removing the old keys directly can render the data
-                                # unrecoverable.
-
     # fallback_sni: "my.default.domain"      # Fallback SNI to be used if the client does not send SNI during
     #                                        # the handshake.
 
@@ -128,11 +118,13 @@ apisix:
 
   disable_sync_configuration_during_start: false  # Safe exit. TO BE REMOVED.
 
-  data_encryption:                # Encrypt fields specified in `encrypt_fields` in plugin schema.
-    enable: false
-    keyring:                      # Set the encryption key for AES-128-CBC. It should be a
-      - qeddd145sfvddff3          # hexadecimal string of length 16.
-                                  # If not set, APISIX saves the original data into etcd.
+  data_encryption:                # Data encryption settings.
+    enable_encrypt_fields: false  # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema.
+    keyring:                      # This field is used to encrypt the private key of SSL and the `encrypt_fields`
+                                  # in plugin schema.
+      - qeddd145sfvddff3          # Set the encryption key for AES-128-CBC. It should be a hexadecimal string
+                                  # of length 16.
+      - edd1c9f0985e76a2          # If not set, APISIX saves the original data into etcd.
                                   # CAUTION: If you would like to update the key, add the new key as the
                                   # first item in the array and keep the older keys below the newly added
                                   # key, so that data can be decrypted with the older keys and encrypted

diff --git a/docs/en/latest/plugins/multi-auth.md b/docs/en/latest/plugins/multi-auth.md
@@ -75,8 +75,6 @@ curl http://127.0.0.1:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1
 }'
 ```
 
-You can also use the [APISIX Dashboard](/docs/dashboard/USER_GUIDE) to complete the operation through a web UI.
-
 Once you have created Consumer objects, you can then configure a Route or a Service to authenticate requests:
 
 ```shell
@@ -113,16 +111,16 @@ curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13
 
 After you have configured the Plugin as mentioned above, you can make a request to the Route as shown below:
 
-request with basic-auth
+Send a request with `basic-auth` credentials:
 
 ```shell
 curl -i -ufoo1:bar1 http://127.0.0.1:9080/hello
 ```
 
-request with key-auth
+Send a request with `key-auth` credentials:
 
 ```shell
-curl http://127.0.0.2:9080/hello -H 'apikey: auth-one' -i
+curl http://127.0.0.1:9080/hello -H 'apikey: auth-one' -i
 ```
 
 ```
@@ -131,11 +129,9 @@ HTTP/1.1 200 OK
 hello, world
 ```
 
-If the request is not authorized, an error will be thrown:
+If the request is not authorized, an `401 Unauthorized` error will be thrown:
 
-```shell
-HTTP/1.1 401 Unauthorized
-...
+```json
 {"message":"Authorization Failed"}
 ```
 

diff --git a/docs/en/latest/plugins/openid-connect.md b/docs/en/latest/plugins/openid-connect.md
@@ -245,7 +245,7 @@ You should also ensure that the `redirect_uri` include the scheme, such as `http
 
 #### 2. Missing Session Secret
 
-If you deploy APISIX in the [standalone mode](/apisix/production/deployment-modes#standalone-mode), make sure that `session.secret` is configured.
+If you deploy APISIX in the [standalone mode](../deployment-modes.md#standalone), make sure that `session.secret` is configured.
 
 User sessions are stored in browser as cookies and encrypted with session secret. The secret is automatically generated and saved to etcd if no secret is configured through the `session.secret` attribute. However, in standalone mode, etcd is no longer the configuration center. Therefore, you should explicitly configure `session.secret` for this plugin in the YAML configuration center `apisix.yaml`.
 

diff --git a/docs/zh/latest/plugins/multi-auth.md b/docs/zh/latest/plugins/multi-auth.md
@@ -75,8 +75,6 @@ curl http://127.0.0.1:9180/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f1
 }'
 ```
 
-您也可以使用 [APISIX Dashboard](/docs/dashboard/USER_GUIDE) 通过 web UI 来完成操作。
-
 创建 Consumer 之后，您可以配置一个路由或服务来验证请求：
 
 ```shell
@@ -122,7 +120,7 @@ curl -i -ufoo1:bar1 http://127.0.0.1:9080/hello
 请求开启 key-auth 插件的 API
 
 ```shell
-curl http://127.0.0.2:9080/hello -H 'apikey: auth-one' -i
+curl http://127.0.0.1:9080/hello -H 'apikey: auth-one' -i
 ```
 
 ```
@@ -131,11 +129,9 @@ HTTP/1.1 200 OK
 hello, world
 ```
 
-如果请求未授权，将会返回如下错误：
+如果请求未授权，将会返回 `401 Unauthorized` 错误：
 
-```shell
-HTTP/1.1 401 Unauthorized
-...
+```json
 {"message":"Authorization Failed"}
 ```
 

diff --git a/docs/zh/latest/plugins/openid-connect.md b/docs/zh/latest/plugins/openid-connect.md
@@ -244,7 +244,7 @@ the error request to the redirect_uri path, but there's no session state found
 
 #### 2. 缺少 Session Secret
 
-如果您在[standalone 模式](/apisix/product/deployment-modes#standalone-mode)下部署 APISIX，请确保配置了 `session.secret`。
+如果您在[standalone 模式](../../../en/latest/deployment-modes.md#standalone)下部署 APISIX，请确保配置了 `session.secret`。
 
 用户 session 作为 cookie 存储在浏览器中，并使用 session 密钥进行加密。如果没有通过 `session.secret` 属性配置机密，则会自动生成机密并将其保存到 etcd。然而，在独立模式下，etcd 不再是配置中心。因此，您应该在 YAML 配置中心 `apisix.yaml` 中为此插件显式配置 `session.secret`。
 

diff --git a/t/admin/ssl2.t b/t/admin/ssl2.t
@@ -431,8 +431,8 @@ qr/"snis":\["update1.com","update2.com"\]/
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: "edd1c9f0985e76a2"
+    data_encryption:
+        keyring: "qeddd145sfvddff3"
 --- config
     location /t {
         content_by_lua_block {
@@ -468,8 +468,8 @@ false
 --- yaml_config
 apisix:
     node_listen: 1984
-    ssl:
-        key_encrypt_salt: "edd1c9f0985e76a2"
+    data_encryption:
+        keyring: "qeddd145sfvddff3"
 --- config
     location /t {
         content_by_lua_block {