fix(security): TLS ssl_verify hardcoding and credential encryption issues (#13203)

Author: AlinsRan

apisix/core/utils.lua

@@ -421,6 +421,9 @@ local function get_root_conf(str, conf, field)
     local num_of_matches = #matches
     for i = 1, num_of_matches - 1 , 1 do
         conf = conf[matches[i]]
+        if type(conf) ~= "table" then
+            return nil, nil
+        end
     end
 
     -- return the table and the last field
@@ -441,12 +444,12 @@ function _M.check_https(fields, conf, plugin_name)
 
         local new_conf, new_field = get_root_conf(field, conf)
         if not new_conf then
-            return
+            goto continue
         end
 
         local value = new_conf[new_field]
         if not value then
-            return
+            goto continue
         end
 
         if type(value) == "table" then
@@ -456,6 +459,8 @@ function _M.check_https(fields, conf, plugin_name)
         else
             find_and_log(field, plugin_name, value)
         end
+
+        ::continue::
     end
 end
 

apisix/plugins/ai-rag.lua

@@ -31,7 +31,10 @@ local HTTP_BAD_REQUEST = ngx.HTTP_BAD_REQUEST
 local schema = {
     type = "object",
     properties = {
-        type = "object",
+        ssl_verify = {
+            type = "boolean",
+            default = true,
+        },
         embeddings_provider = {
             type = "object",
             properties = {
@@ -83,12 +86,18 @@ local _M = {
 
 
 function _M.check_schema(conf)
+    core.utils.check_tls_bool({"ssl_verify"}, conf, _M.name)
+    core.utils.check_https({
+        "embeddings_provider.azure_openai.endpoint",
+        "vector_search_provider.azure_ai_search.endpoint",
+    }, conf, _M.name)
     return core.schema.check(schema, conf)
 end
 
 
 function _M.access(conf, ctx)
     local httpc = http.new()
+    local ssl_verify = conf.ssl_verify ~= false
     local body_tab, err = core.request.get_json_request_body_table()
     if not body_tab then
         return HTTP_BAD_REQUEST, err
@@ -120,7 +129,8 @@ function _M.access(conf, ctx)
     end
 
     local embeddings, status, err = embeddings_driver.get_embeddings(embeddings_provider_conf,
-                                                        body_tab["ai_rag"].embeddings, httpc)
+                                                        body_tab["ai_rag"].embeddings, httpc,
+                                                        ssl_verify)
     if not embeddings then
         core.log.error("could not get embeddings: ", err)
         return status, err
@@ -129,7 +139,7 @@ function _M.access(conf, ctx)
     local search_body = body_tab["ai_rag"].vector_search
     search_body.embeddings = embeddings
     local res, status, err = vector_search_driver.search(vector_search_provider_conf,
-                                                        search_body, httpc)
+                                                        search_body, httpc, ssl_verify)
     if not res then
         core.log.error("could not get vector_search result: ", err)
         return status, err

apisix/plugins/ai-rag/embeddings/azure_openai.lua

@@ -34,7 +34,7 @@ _M.schema = {
     required = { "endpoint", "api_key" }
 }
 
-function _M.get_embeddings(conf, body, httpc)
+function _M.get_embeddings(conf, body, httpc, ssl_verify)
     local body_tab, err = core.json.encode(body)
     if not body_tab then
         return nil, HTTP_INTERNAL_SERVER_ERROR, err
@@ -46,7 +46,8 @@ function _M.get_embeddings(conf, body, httpc)
             ["Content-Type"] = "application/json",
             ["api-key"] = conf.api_key,
         },
-        body = body_tab
+        body = body_tab,
+        ssl_verify = ssl_verify,
     })
 
     if not res or not res.body then

apisix/plugins/ai-rag/vector-search/azure_ai_search.lua

@@ -34,7 +34,7 @@ _M.schema = {
 }
 
 
-function _M.search(conf, search_body, httpc)
+function _M.search(conf, search_body, httpc, ssl_verify)
     local body = {
         vectorQueries = {
             {
@@ -55,7 +55,8 @@ function _M.search(conf, search_body, httpc)
             ["Content-Type"] = "application/json",
             ["api-key"] = conf.api_key,
         },
-        body = final_body
+        body = final_body,
+        ssl_verify = ssl_verify,
     })
 
     if not res or not res.body then

apisix/plugins/aws-lambda.lua

@@ -184,4 +184,14 @@ end
 
 local serverless_obj = require("apisix.plugins.serverless.generic-upstream")
 
-return serverless_obj(plugin_name, plugin_version, priority, request_processor, aws_authz_schema)
+local plugin = serverless_obj(plugin_name, plugin_version, priority, request_processor,
+                              aws_authz_schema)
+
+-- encrypt sensitive credential fields at rest
+plugin.schema.encrypt_fields = {
+    "authorization.apikey",
+    "authorization.iam.accesskey",
+    "authorization.iam.secretkey",
+}
+
+return plugin

apisix/plugins/wolf-rbac.lua

@@ -48,6 +48,9 @@ local schema = {
             type = "string",
             default = "X-"
         },
+        ssl_verify = {
+            type = "boolean",
+        },
     }
 }
 
@@ -108,7 +111,7 @@ local function new_headers()
 end
 
 -- timeout in ms
-local function http_req(method, uri, body, myheaders, timeout)
+local function http_req(method, uri, body, myheaders, timeout, ssl_verify)
     if not myheaders then
         myheaders = new_headers()
     end
@@ -122,7 +125,7 @@ local function http_req(method, uri, body, myheaders, timeout)
         method = method,
         headers = myheaders,
         body = body,
-        ssl_verify = false
+        ssl_verify = ssl_verify == true,
     })
 
     if not res then
@@ -134,21 +137,23 @@ local function http_req(method, uri, body, myheaders, timeout)
     return res
 end
 
-local function http_get(uri, myheaders, timeout)
-    return http_req("GET", uri, nil, myheaders, timeout)
+local function http_get(uri, myheaders, timeout, ssl_verify)
+    return http_req("GET", uri, nil, myheaders, timeout, ssl_verify)
 end
 
 
 function _M.check_schema(conf)
-    local check = {"server"}
-    core.utils.check_https(check, conf, plugin_name)
-    core.log.info("input conf server: ", conf.server)
-
     local ok, err = core.schema.check(schema, conf)
     if not ok then
         return false, err
     end
 
+    local check = {"server"}
+    core.utils.check_https(check, conf, plugin_name)
+    core.log.info("input conf server: ", conf.server)
+
+    core.utils.check_tls_bool({"ssl_verify"}, conf, plugin_name)
+
     return true
 end
 
@@ -170,7 +175,8 @@ local function fetch_rbac_token(ctx)
 end
 
 
-local function check_url_permission(server, appid, action, resName, client_ip, wolf_token)
+local function check_url_permission(server, appid, action, resName,
+                                    client_ip, wolf_token, ssl_verify)
     local retry_max = 3
     local errmsg
     local userInfo
@@ -186,7 +192,7 @@ local function check_url_permission(server, appid, action, resName, client_ip, w
 
     for i = 1, retry_max do
         -- TODO: read apisix info.
-        res, err = http_get(url, headers, timeout)
+        res, err = http_get(url, headers, timeout, ssl_verify)
         if err then
             break
         else
@@ -271,9 +277,10 @@ function _M.rewrite(conf, ctx)
     end
     core.log.info("consumer appid: ", appid)
     local server = cur_consumer.auth_conf.server
+    local ssl_verify = cur_consumer.auth_conf.ssl_verify
 
     local res = check_url_permission(server, appid, action, url,
-                    client_ip, wolf_token)
+                    client_ip, wolf_token, ssl_verify)
     core.log.info(" check_url_permission(appid: ", appid,
                   ", action: ", action, ", url: ", url,
                   ") res status: ", res.status, ", err: ", res.err)
@@ -341,43 +348,47 @@ local function get_consumer(appid)
     return consumer
 end
 
-local function request_to_wolf_server(method, uri, headers, body)
+local function request_to_wolf_server(method, uri, headers, body, ssl_verify)
     headers["Content-Type"] = "application/json; charset=utf-8"
     local timeout = 1000 * 5
-    core.log.info("request to wolf-server [method: ", method,
-                  ", uri: ", uri, ", timeout: ", timeout, "] ....")
-    local res, err = http_req(method, uri, core.json.encode(body), headers, timeout)
-    if not res then
-        core.log.error("request to wolf-server [method: ", method,
-                       ", uri: ", uri, "] failed! err: ", err)
+    local request_debug = core.json.delay_encode(
+        {method = method, uri = uri, timeout = timeout}
+    )
+
+    core.log.info("request [", request_debug, "] ....")
+    local encoded_body, err = core.json.encode(body)
+    if not encoded_body then
+        core.log.error("request [", request_debug, "] failed! err: ", err)
         return core.response.exit(500,
             fail_response("request to wolf-server failed!")
         )
     end
-    core.log.info("request to wolf-server [method: ", method,
-                  ", uri: ", uri, "] status: ", res.status)
 
-    if res.status ~= 200 then
-        core.log.error("request to wolf-server [method: ", method,
-                        ", uri: ", uri, "] failed! status: ", res.status)
+    local res, err = http_req(method, uri, encoded_body, headers, timeout, ssl_verify)
+    if not res then
+        core.log.error("request [", request_debug, "] failed! err: ", err)
         return core.response.exit(500,
-        fail_response("request to wolf-server failed!")
+            fail_response("request to wolf-server failed!")
         )
     end
+    core.log.info("request [", request_debug, "] status: ", res.status)
+
+    if res.status ~= 200 then
+        core.log.error("request [", request_debug, "] failed! status: ",
+                       res.status)
+        return core.response.exit(500, fail_response("request to wolf-server failed!"))
+    end
     local body, err = json.decode(res.body)
     if not body then
-        core.log.error("request to wolf-server [method: ", method,
-                       ", uri: ", uri, "] failed! err:", err)
+        core.log.error("request [", request_debug, "] failed! err:", err)
         return core.response.exit(500, fail_response("request to wolf-server failed!"))
     end
     if not body.ok then
-        core.log.error("request to wolf-server [method: ", method,
-                       ", uri: ", uri, "] failed! reason: ", body.reason)
+        core.log.error("request [", request_debug, "] failed! reason: ", body.reason)
         return core.response.exit(200, fail_response("request to wolf-server failed!"))
     end
 
-    core.log.info("request to wolf-server [method: ", method,
-                  ", uri: ", uri, "] success")
+    core.log.info("request [", request_debug, "] success!")
     return body
 end
 
@@ -396,7 +407,7 @@ local function wolf_rbac_login()
 
     local uri = consumer.auth_conf.server .. '/wolf/rbac/login.rest'
     local headers = new_headers()
-    local body = request_to_wolf_server('POST', uri, headers, args)
+    local body = request_to_wolf_server('POST', uri, headers, args, consumer.auth_conf.ssl_verify)
 
     local userInfo = body.data.userInfo
     local wolf_token = body.data.token
@@ -440,7 +451,7 @@ local function wolf_rbac_change_pwd()
     local uri = consumer.auth_conf.server .. '/wolf/rbac/change_pwd'
     local headers = new_headers()
     headers['x-rbac-token'] = wolf_token
-    request_to_wolf_server('POST', uri, headers, args)
+    request_to_wolf_server('POST', uri, headers, args, consumer.auth_conf.ssl_verify)
     core.response.exit(200, success_response('success to change password', { }))
 end
 
@@ -455,7 +466,7 @@ local function wolf_rbac_user_info()
     local uri = consumer.auth_conf.server .. '/wolf/rbac/user_info'
     local headers = new_headers()
     headers['x-rbac-token'] = wolf_token
-    local body = request_to_wolf_server('GET', uri, headers, {})
+    local body = request_to_wolf_server('GET', uri, headers, {}, consumer.auth_conf.ssl_verify)
     local userInfo = body.data.userInfo
     core.response.exit(200, success_response(nil, {user_info = userInfo}))
 end