Add encryption for AI Connector API keys#560
Conversation
…hat uses the Displace Secrets Manager (if it exists) to encrypt and decrypt AI Connector API Keys
…encryption was on
…en reactivate the plugin, we re-encrypt their keys
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## develop #560 +/- ##
=============================================
- Coverage 76.48% 75.37% -1.11%
- Complexity 1869 2078 +209
=============================================
Files 89 99 +10
Lines 7990 8602 +612
=============================================
+ Hits 6111 6484 +373
- Misses 1879 2118 +239
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Point for discussion: As mentioned in the PR description, this PR relies on the Displace Secrets Manager plugin to do the actual encryption and decryption. I have not yet included that plugin with this PR so you have to manually install that to test things. While I think that's fine for testing, ideally we find a better way if this is something we want to actually release. A couple options to consider:
There's pros and cons to all of those approaches. I'd lean towards option 2 for now even though that does mean bloating our repo a bit. I think option 3 is likely the best approach but does mean we end up installing and activating a plugin without the user fully understanding that's happening. |
|
@ericmann - I'd be curious for your thoughts on the above, as this could be a good testing ground for this approach as one that could make its way towards WP core with lessons learned from usage within the AI plugin |
|
As I wasn't on the call 2 weeks ago, and the AI-summaries leave much to be desired... Is there a specific reason not to ship and hook in our own Encryption class? What are the cons here? Putting aside any misgivings I have about bringing in reliance on a non-established 3pp (nothing stopping them from shipping their own integration with the AI plugin), the solution itself seems like overkill for what we need. |
The plugin used here was being floated as a solution that could make it into Core. So like many other things we have here, this was an attempt to try that out and prove it works to hopefully help move that conversation around. That said, see point 4 in my comment. I'm happy to build out a custom encryption class if we think that's a better approach. |
|
Also happy to build or use another approach, especially if there's something that's potentially a MUCH better connection for core. But lacking that, getting something out there as part of an Experiment will get us some real-world feedback to continue iterating towards something that perhaps in 7.1/7.2 makes it to core. |
|
I didn’t find any reference to https://core.trac.wordpress.org/ticket/64789 in this PR. For the record, I initiated a related discussion on WordPress Trac about how to store two-way encrypted values in WordPress, addressing the need for connectors. |
|
@dkotter for the purposes of getting this experiment into the plugin for further testing, let's go with option 2 (copy plugin into our repo) so we can get this merged/released and iterate later as we get feedback / discussion evolves |
…ew includes/Vendor directory. Add a namespace to all files to avoid conflicts with other sites that include the full plugin
…keep the code as close as possible to source
… our new vendor code
Okay, this was a bit more complicated (since it was set up as a normal plugin and can't just copy a plugin into another plugin and have things directly work) but this is done now. I didn't copy over everything (there's some admin and WP-CLI things we don't directly need yet) and I added a custom namespace to the files I did bring over to prevent conflicts with sites that may be using that plugin directly. But this should be working now without any need for extra dependencies. |
|
Could be an oddity of my testing, but trying to save API keys is now giving me an error using Playground to test this PR:
|
What?
See comment: #467 (comment)
Ensures any AI Connector API key is passed through encryption when saved and then decrypted when used.
Why?
WordPress 7.0 introduces a new Connectors API and a big part of that is supporting AI Connectors that authenticate via API keys. These keys are currently stored as plain-text in the database, meaning those can "easily" be leaked. Encrypting those keys increases the level of security here.
This is meant as a PoC to demonstrate how this could be done. Ultimately it would be great to get similar changes in WordPress Core.
How?
includes/Vendordirectory and a namespace was added to avoid collisions with sites that are directly using that plugin. Note we don't copy all the code over but just the pieces we need. File names have been changed slightly to work with our autoloading and a custom namespace added to each file but otherwise all code was directly copiedUse of AI Tools
AI assistance: Yes
Tool(s): Claude Code
Model(s): Opus 4.7, Opus 4.8
Used for: Iterated on an initial plan and then executed on that plan. Final iteration and testing done by me. Was also used to evaluate the Displace Secrets Manager plugin and figure out the best way to bring that into our repo.
Testing Instructions
npm i && npm run buildconnectors_ai_openai_api_key. This value of this option should be blank_secret_ai/openai_api_key. There should be an encrypted valueChangelog Entry