Copilot commented on code in PR #12484:
URL: https://github.com/apache/apisix/pull/12484#discussion_r2264028968
##########
.github/workflows/source-install.yml:
##########
@@ -89,10 +89,24 @@ jobs:
run: |
wget
https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64 -O
/usr/bin/yq && sudo chmod +x /usr/bin/yq
get_admin_key() {
+ # First try to get the key from config.yaml
local admin_key=$(yq '.deployment.admin.admin_key[0].key'
conf/config.yaml)
+ # If the key is empty (auto-generated), extract it from logs
+ if [ -z "$admin_key" ] || [ "$admin_key" = "''" ] || [
"$admin_key" = "null" ]; then
+ admin_key=$(grep -A 10 "Generated admin keys for this
session:" logs/error.log | grep -E "^ [A-Za-z0-9]{32}$" | head -1 | sed 's/^
//')
Review Comment:
Same regex pattern issue as in common.sh - the pattern `[A-Za-z0-9]{32}`
doesn't match the actual character generation logic which can include symbols
and other ASCII characters.
```suggestion
admin_key=$(grep -A 10 "Generated admin keys for this
session:" logs/error.log | grep -E "^ [^\s]{32}$" | head -1 | sed 's/^ //')
```
##########
t/cli/common.sh:
##########
@@ -39,5 +39,33 @@ exit_if_not_customed_nginx() {
openresty -V 2>&1 | grep apisix-nginx-module || exit 0
}
+get_admin_key() {
+ # First try to get the key from config.yaml
+ local admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml
| sed 's/"//g')
+ echo "DEBUG: config.yaml admin_key: '$admin_key'" >&2
+ # If the key is empty (auto-generated), extract it from logs
+ if [ -z "$admin_key" ] || [ "$admin_key" = "''" ] || [ "$admin_key" =
"null" ]; then
+ for log_file in "logs/error.log" "/usr/local/apisix/logs/error.log"; do
+ if [ -f "$log_file" ]; then
+ echo "DEBUG: Checking log file: $log_file" >&2
+ admin_key=$(grep -A 10 "Generated admin keys for this
session:" "$log_file" 2>/dev/null | grep -E "^ [A-Za-z0-9]{32}$" | tail -1 |
sed 's/^ //' || true)
Review Comment:
The regex pattern assumes exactly 32 alphanumeric characters, but the key
generation in `apisix/core/admin_key.lua` uses `math.random(65, 90) +
math.random(0, 1) * 32` which can produce non-alphanumeric characters (ASCII
65-122 range includes symbols). The pattern should match the actual character
set used.
```suggestion
admin_key=$(grep -A 10 "Generated admin keys for this
session:" "$log_file" 2>/dev/null | grep -E "^ [A-Za-z\[\]\\\^_\`]{32}$" |
tail -1 | sed 's/^ //' || true)
```
##########
apisix/core/admin_key.lua:
##########
@@ -0,0 +1,167 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+--- Load or generate admin keys.
+--
+-- @module core.admin_key
+
+local fetch_local_conf = require("apisix.core.config_local").local_conf
+local try_read_attr = require("apisix.core.table").try_read_attr
+local log = require("apisix.core.log")
+local string = string
+local math = math
+local ipairs = ipairs
+local type = type
+local ngx = ngx
+
+local admin_key_shm_name = "admin-keys"
+local _M = {version = 0.1}
+local admin_keys_cache = {}
+
+function _M.admin_key_required()
+ local local_conf = fetch_local_conf()
+ return local_conf.deployment.admin.admin_key_required
+end
+
+function _M.get_admin_keys()
+ -- First check if admin key is required at all
+ if not _M.admin_key_required() then
+ -- When admin keys are not required, return empty table
+ return {}
+ end
+
+ -- First, try to load from cache
+ if #admin_keys_cache > 0 then
+ return admin_keys_cache
+ end
+
+ -- Try loading from shared memory
+ local admin_keys_shm = ngx.shared[admin_key_shm_name]
+ if admin_keys_shm and admin_keys_shm:get("completed") then
+ local total_keys = admin_keys_shm:get("total_keys") or 0
+ local keys = {}
+
+ for i = 1, total_keys do
+ local key_id = "admin_key_" .. i
+ local key_value = admin_keys_shm:get(key_id)
+ local role = admin_keys_shm:get(key_id .. "_role")
+ local name = admin_keys_shm:get(key_id .. "_name")
+ local autogenerated = admin_keys_shm:get(key_id ..
"_autogenerated") or false
+
+ if key_value and role then
+ keys[#keys + 1] = {
+ name = name ~= "" and name or nil,
+ role = role,
+ key = key_value,
+ autogenerated = autogenerated
+ }
+ end
+ end
+ if #keys > 0 then
+ admin_keys_cache = keys
+ end
+ end
+
+ return admin_keys_cache
+end
+
+function _M.init_worker()
+ local local_conf = fetch_local_conf()
+ if not local_conf or not local_conf.deployment then
+ return
+ end
+ local deployment_role = local_conf.deployment.role
+
+ if local_conf.deployment.admin and
local_conf.deployment.admin.admin_key_required == false then
+ return
+ end
+
+ if not deployment_role or
+ (deployment_role ~= "traditional" and deployment_role ~= "control_plane")
then
+ return
+ end
+
+ local config_admin_keys = try_read_attr(local_conf, "deployment", "admin",
"admin_key")
+ if not config_admin_keys or type(config_admin_keys) ~= "table" then
+ return
+ end
+
+ local admin_keys_shm = ngx.shared[admin_key_shm_name]
+ if not admin_keys_shm then
+ log.error("admin-keys shared memory zone not configured")
+ return
+ end
+
+ -- Only one worker can claim initialization, this flag will only be
cleared on full restart
+ local claimed_init = admin_keys_shm:safe_add("init_claimed",
ngx.worker.id() or 0)
+ if not claimed_init then
+ -- Another worker is handling initialization, no waiting needed
+ -- Keys will be loaded lazily when first accessed via get_admin_keys()
+ return
+ end
+
+ -- This worker won the initialization race
+ local generated_keys = {}
+ local has_autogenerated = false
+
+ for i, admin_key in ipairs(config_admin_keys) do
+ local key_id = "admin_key_" .. i
+ local key_value = admin_key.key
+
+ if admin_key.role == "admin" and admin_key.key == "" then
+ has_autogenerated = true
+ local key = ""
+ for _ = 1, 32 do
+ key = key .. string.char(math.random(65, 90) + math.random(0,
1) * 32)
+ end
Review Comment:
The key generation algorithm is predictable and may not provide sufficient
entropy. Consider using a cryptographically secure random generator like
`require('resty.random').bytes()` or OpenSSL's random functions for generating
admin keys.
```suggestion
local random_bytes = resty_random.bytes(32, true)
local key = ngx.encode_base64(random_bytes, true)
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
