@@ -60,7 +60,7 @@ __DATA__
6060 ngx.HTTP_GET
6161 )
6262
63- local_conf, err = core.config.local_conf(true)
63+ local local_conf, err = core.config.local_conf(true)
6464 local enable_data_encryption =
6565 core.table.try_read_attr(local_conf, "apisix", "data_encryption",
6666 "enable_encrypt_fields") and (core.config.type == "etcd")
@@ -228,3 +228,53 @@ GET /t
228228--- response_body_like
229229nil
230230\{"message":"Key not found"\}
231+
232+
233+
234+ === TEST 8: first successful GET decrypts even when enable_data_encryption is not yet initialized
235+ --- config
236+ location /t {
237+ content_by_lua_block {
238+ local core = require("apisix.core")
239+ local plugin = require("apisix.plugin")
240+ local t = require("lib.test_admin").test
241+
242+ local code, body = t('/apisix/admin/plugin_metadata/azure-functions',
243+ ngx.HTTP_PUT,
244+ [[{
245+ "master_apikey": "foo"
246+ }]]
247+ )
248+ if code >= 300 then
249+ ngx.status = code
250+ ngx.say(body)
251+ return
252+ end
253+ ngx.sleep(0.1)
254+
255+ -- etcd keeps the field encrypted
256+ local etcd = require("apisix.core.etcd")
257+ local res = assert(etcd.get('/plugin_metadata/azure-functions'))
258+ local encrypted = res.body.node.value.master_apikey
259+ ngx.say("etcd encrypted: ",
260+ tostring(type(encrypted) == "string" and #encrypted > 0
261+ and encrypted ~= "foo"))
262+
263+ -- simulate a fresh worker: the flag has not been initialized yet
264+ plugin.enable_data_encryption = nil
265+
266+ -- first GET must still decrypt because enable_gde() forces init
267+ local code, message, res = t('/apisix/admin/plugin_metadata/azure-functions',
268+ ngx.HTTP_GET
269+ )
270+ res = core.json.decode(res)
271+ ngx.say("admin decrypted: ", res.value.master_apikey)
272+
273+ t('/apisix/admin/plugin_metadata/azure-functions', ngx.HTTP_DELETE)
274+ }
275+ }
276+ --- request
277+ GET /t
278+ --- response_body
279+ etcd encrypted: true
280+ admin decrypted: foo
0 commit comments