Sensitive map/list members (#3065)

aws · Jul 17, 2024 · 0c33950 · 0c33950
1 parent 730798d
commit 0c33950
Show file tree

Hide file tree

Showing 6 changed files with 290 additions and 3 deletions.
diff --git a/build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/views/types_module.rb b/build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/views/types_module.rb
@@ -85,8 +85,20 @@ def eventstreams
       def struct_members(shape)
         return if shape['members'].nil?
         members = shape['members'].map do |member_name, member_ref|
+          member_target = @api['shapes'][member_ref['shape']]
           sensitive = !!(member_ref['sensitive'] ||
-            @api['shapes'][member_ref['shape']]['sensitive'])
+            member_target['sensitive'])
+
+          case member_target["type"]
+          when 'map'
+            key_shape = @api['shapes'][member_target['key']['shape']]
+            value_shape = @api['shapes'][member_target['value']['shape']]
+            sensitive ||= !!(key_shape['sensitive'] || value_shape['sensitive'])
+          when 'list'
+            list_member = @api['shapes'][member_target['member']['shape']]
+            sensitive ||= !!(list_member['sensitive'])
+          end
+
           StructMember.new(
             member_name: underscore(member_name),
             sensitive: sensitive

diff --git a/build_tools/aws-sdk-code-generator/spec/fixtures/interfaces/sensitive/api.json b/build_tools/aws-sdk-code-generator/spec/fixtures/interfaces/sensitive/api.json
@@ -0,0 +1,211 @@
+{
+  "metadata": {
+    "endpointPrefix": "svc",
+    "serviceId": "sample_svc",
+    "protocol": "rest-json"
+  },
+  "operations":{
+    "KitchenSinkOperation": {
+      "name":"KitchenSinkOperation",
+      "http":{
+        "method":"POST",
+        "requestUri":"/KitchenSinkOperation"
+      },
+      "input":{"shape":"KitchenSink"},
+      "output":{"shape":"KitchenSink"}
+    }
+  },
+  "shapes": {
+    "KitchenSink": {
+      "type": "structure",
+      "members": {
+        "Blob": {
+          "shape": "Blob"
+        },
+        "Boolean": {
+          "shape": "Boolean"
+        },
+        "Double": {
+          "shape": "Double"
+        },
+        "EmptyStruct": {
+          "shape": "EmptyStruct"
+        },
+        "Float": {
+          "shape": "Float"
+        },
+        "Integer": {
+          "shape": "Integer"
+        },
+        "JsonValue": {
+          "shape": "JsonValue",
+          "jsonvalue": true
+        },
+        "ListOfStrings": {
+          "shape": "ListOfStrings"
+        },
+        "ListOfStructs": {
+          "shape": "ListOfStructs"
+        },
+        "Long": {
+          "shape": "Long"
+        },
+        "MapOfListsOfStrings": {
+          "shape": "MapOfListsOfStrings"
+        },
+        "MapOfMaps": {
+          "shape": "MapOfMapOfStrings"
+        },
+        "MapOfStrings": {
+          "shape": "MapOfStrings"
+        },
+        "MapOfStructs": {
+          "shape": "MapOfStructs"
+        },
+        "SimpleStruct": {
+          "shape": "SimpleStruct"
+        },
+        "String": {
+          "shape": "String"
+        },
+        "StructWithJsonName": {
+          "shape": "StructWithJsonName"
+        },
+        "Timestamp": {
+          "shape": "Timestamp"
+        }
+      }
+    },
+    "Blob": {
+      "type": "blob",
+      "sensitive": true
+    },
+    "Boolean": {
+      "type": "boolean",
+      "box": true,
+      "sensitive": true
+    },
+    "Double": {
+      "type": "double",
+      "box": true,
+      "sensitive": true
+    },
+    "EmptyStruct": {
+      "type": "structure",
+      "members": {}
+    },
+    "Float": {
+      "type": "float",
+      "box": true,
+      "sensitive": true
+    },
+    "Integer": {
+      "type": "integer",
+      "box": true,
+      "sensitive": true
+    },
+    "JsonValue": {
+      "type": "string",
+      "sensitive": true
+    },
+    "ListOfListOfStrings": {
+      "type": "list",
+      "member": {
+        "shape": "ListOfStrings"
+      }
+    },
+    "ListOfStrings": {
+      "type": "list",
+      "member": {
+        "shape": "String"
+      }
+    },
+    "ListOfStructs": {
+      "type": "list",
+      "member": {
+        "shape": "SimpleStruct"
+      }
+    },
+    "Long": {
+      "type": "long",
+      "box": true,
+      "sensitive": true
+    },
+    "MapOfListsOfStrings": {
+      "type": "map",
+      "key": {
+        "shape": "String"
+      },
+      "value": {
+        "shape": "ListOfStrings"
+      }
+    },
+    "MapOfMapOfStrings": {
+      "type": "map",
+      "key": {
+        "shape": "String"
+      },
+      "value": {
+        "shape": "MapOfStrings"
+      }
+    },
+    "MapOfStrings": {
+      "type": "map",
+      "key": {
+        "shape": "String"
+      },
+      "value": {
+        "shape": "String"
+      }
+    },
+    "MapOfStructs": {
+      "type": "map",
+      "key": {
+        "shape": "String"
+      },
+      "value": {
+        "shape": "SimpleStruct"
+      }
+    },
+    "ListOfKitchenSinks": {
+      "type": "list",
+      "member": {
+        "shape": "KitchenSink"
+      }
+    },
+    "MapOfKitchenSinks": {
+      "type": "map",
+      "key": {
+        "shape": "String"
+      },
+      "value": {
+        "shape": "KitchenSink"
+      }
+    },
+    "SimpleStruct": {
+      "type": "structure",
+      "members": {
+        "Value": {
+          "shape": "String"
+        }
+      },
+      "sensitive": true
+    },
+    "String": {
+      "type": "string",
+      "sensitive": true
+    },
+    "StructWithJsonName": {
+      "type": "structure",
+      "members": {
+        "Value": {
+          "shape": "String"
+        }
+      }
+    },
+    "Timestamp": {
+      "type": "timestamp",
+      "sensitive": true
+    }
+  }
+}
diff --git a/build_tools/aws-sdk-code-generator/spec/interfaces/sensitive_spec.rb b/build_tools/aws-sdk-code-generator/spec/interfaces/sensitive_spec.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require_relative '../spec_helper'
+
+describe 'Types Interface:' do
+  describe 'Sensitive members' do
+    before(:all) do
+      SpecHelper.generate_service(['Sensitive'], multiple_files: false)
+    end
+
+    let(:client) do
+      Sensitive::Client.new(
+        stub_responses: true,
+      )
+    end
+
+    describe '#kitchen_sink' do
+      it 'filters all sensitive members' do
+        resp = client.kitchen_sink_operation
+        expected = {
+          blob: '[FILTERED]',
+          boolean: '[FILTERED]',
+          double: '[FILTERED]',
+          empty_struct: {},
+          float: '[FILTERED]',
+          integer: '[FILTERED]',
+          json_value: '[FILTERED]',
+          list_of_strings: '[FILTERED]',
+          list_of_structs: '[FILTERED]',
+          long: '[FILTERED]',
+          map_of_lists_of_strings: '[FILTERED]',
+          map_of_maps: '[FILTERED]',
+          map_of_strings: '[FILTERED]',
+          map_of_structs: '[FILTERED]',
+          simple_struct: '[FILTERED]',
+          string: '[FILTERED]',
+          struct_with_json_name: { value: '[FILTERED]' },
+          timestamp: '[FILTERED]'
+        }
+
+        expect(resp.to_s).to eq(expected.to_s)
+      end
+    end
+  end
+end
diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Issue - Ensure that nested sensitive members and sensitive members of lists and maps are filtered.
+
 3.201.1 (2024-07-05)
 ------------------
 

diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/log/param_filter.rb b/gems/aws-sdk-core/lib/aws-sdk-core/log/param_filter.rb
@@ -55,14 +55,14 @@ def filter_hash(values, type)
           filtered[key] = if @enabled && filters.include?(key)
             '[FILTERED]'
           else
-            filter(value, type)
+            filter(value, value.class)
           end
         end
         filtered
       end
 
       def filter_array(values, type)
-        values.map { |value| filter(value, type) }
+        values.map { |value| filter(value, value.class) }
       end
 
     end

diff --git a/gems/aws-sdk-core/spec/aws/log/param_filter_spec.rb b/gems/aws-sdk-core/spec/aws/log/param_filter_spec.rb
@@ -26,6 +26,13 @@ class OldServiceType < Struct.new(
         include Aws::Structure
       end
 
+      class ComplexSensitiveType < Struct.new(
+        :nested
+      )
+        SENSITIVE = []
+        include Aws::Structure
+      end
+
       describe '#filter' do
         it 'filters sensitive hash params' do
           filtered = subject.filter(
@@ -55,6 +62,16 @@ class OldServiceType < Struct.new(
           expect(filtered).to eq(sensitive_member: '[FILTERED]')
         end
 
+        it 'filters nested sensitive params' do
+          filtered = subject.filter(
+            {nested: { password: 'peccy', peccy_id: 'peccy-id' }},
+            ComplexSensitiveType
+          )
+          expect(filtered).to eq(nested: {
+            password: '[FILTERED]', peccy_id: 'peccy-id'
+          })
+        end
+
         context 'with additional filters' do
           subject { Aws::Log::ParamFilter.new(filter: [:peccy_id]) }