Add exclusion predefined redaction keywords (#7457)

jpbempel · web-flow · commit 770734c87ce4 · 2024-08-29T17:14:10.000+02:00
In the list of predefined keywords some of them could be too generic
or wanted see the content of a session for example.
introduced the config parameter
DD_DYNAMIC_ISTRUMENTATION_REDACTION_EXCLUDED_IDENTIFIERS for a
comma list of identifiers you want to exclude from redacted keywords
diff --git a/dd-java-agent/agent-debugger/debugger-bootstrap/src/main/java/datadog/trace/bootstrap/debugger/util/Redaction.java b/dd-java-agent/agent-debugger/debugger-bootstrap/src/main/java/datadog/trace/bootstrap/debugger/util/Redaction.java
@@ -110,10 +110,15 @@ public class Redaction {
   private static List<String> redactedPackages;
 
   static {
+    initKeywords();
+  }
+
+  static void initKeywords() {
     /*
      * based on sentry list: https://github.com/getsentry/sentry-python/blob/fefb454287b771ac31db4e30fa459d9be2f977b8/sentry_sdk/scrubber.py#L17-L58
      */
     KEYWORDS.addAll(PREDEFINED_KEYWORDS);
+    KEYWORDS.removeAll(Config.get().getDebuggerRedactionExcludedIdentifiers());
   }
 
   public static void addUserDefinedKeywords(Config config) {
diff --git a/dd-java-agent/agent-debugger/debugger-bootstrap/src/test/java/datadog/trace/bootstrap/debugger/util/RedactionTest.java b/dd-java-agent/agent-debugger/debugger-bootstrap/src/test/java/datadog/trace/bootstrap/debugger/util/RedactionTest.java
@@ -4,6 +4,9 @@
 
 import datadog.trace.api.Config;
 import java.lang.reflect.Field;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
 import org.junit.jupiter.api.Test;
 
 class RedactionTest {
@@ -48,6 +51,20 @@ public void userDefinedTypes() {
     }
   }
 
+  @Test
+  public void exclusions() {
+    Config config = Config.get();
+    setFieldInConfig(
+        config, "debuggerRedactionExcludedIdentifiers", new HashSet<>(Arrays.asList("password")));
+    Redaction.initKeywords();
+    try {
+      assertFalse(Redaction.isRedactedKeyword("password"));
+    } finally {
+      setFieldInConfig(config, "debuggerRedactionExcludedIdentifiers", Collections.emptySet());
+      Redaction.initKeywords();
+    }
+  }
+
   private static void setFieldInConfig(Config config, String fieldName, Object value) {
     try {
       Field field = config.getClass().getDeclaredField(fieldName);
diff --git a/dd-trace-api/src/main/java/datadog/trace/api/config/DebuggerConfig.java b/dd-trace-api/src/main/java/datadog/trace/api/config/DebuggerConfig.java
@@ -24,6 +24,8 @@ public final class DebuggerConfig {
   public static final String DEBUGGER_CAPTURE_TIMEOUT = "dynamic.instrumentation.capture.timeout";
   public static final String DEBUGGER_REDACTED_IDENTIFIERS =
       "dynamic.instrumentation.redacted.identifiers";
+  public static final String DEBUGGER_REDACTION_EXCLUDED_IDENTIFIERS =
+      "dynamic.instrumentation.redaction.excluded.identifiers";
   public static final String DEBUGGER_REDACTED_TYPES = "dynamic.instrumentation.redacted.types";
   public static final String DEBUGGER_SYMBOL_ENABLED = "symbol.database.upload.enabled";
   public static final String DEBUGGER_SYMBOL_FORCE_UPLOAD = "internal.force.symbol.database.upload";
diff --git a/internal-api/src/main/java/datadog/trace/api/Config.java b/internal-api/src/main/java/datadog/trace/api/Config.java
@@ -235,6 +235,7 @@
 import static datadog.trace.api.config.DebuggerConfig.DEBUGGER_PROBE_FILE_LOCATION;
 import static datadog.trace.api.config.DebuggerConfig.DEBUGGER_REDACTED_IDENTIFIERS;
 import static datadog.trace.api.config.DebuggerConfig.DEBUGGER_REDACTED_TYPES;
+import static datadog.trace.api.config.DebuggerConfig.DEBUGGER_REDACTION_EXCLUDED_IDENTIFIERS;
 import static datadog.trace.api.config.DebuggerConfig.DEBUGGER_SPAN_DEBUG_ENABLED;
 import static datadog.trace.api.config.DebuggerConfig.DEBUGGER_SYMBOL_ENABLED;
 import static datadog.trace.api.config.DebuggerConfig.DEBUGGER_SYMBOL_FLUSH_THRESHOLD;
@@ -872,6 +873,7 @@ public static String getHostName() {
   private final String debuggerExcludeFiles;
   private final int debuggerCaptureTimeout;
   private final String debuggerRedactedIdentifiers;
+  private final Set<String> debuggerRedactionExcludedIdentifiers;
   private final String debuggerRedactedTypes;
   private final boolean debuggerSymbolEnabled;
   private final boolean debuggerSymbolForceUpload;
@@ -1970,6 +1972,8 @@ PROFILING_DATADOG_PROFILER_ENABLED, isDatadogProfilerSafeInCurrentEnvironment())
     debuggerCaptureTimeout =
         configProvider.getInteger(DEBUGGER_CAPTURE_TIMEOUT, DEFAULT_DEBUGGER_CAPTURE_TIMEOUT);
     debuggerRedactedIdentifiers = configProvider.getString(DEBUGGER_REDACTED_IDENTIFIERS, null);
+    debuggerRedactionExcludedIdentifiers =
+        tryMakeImmutableSet(configProvider.getList(DEBUGGER_REDACTION_EXCLUDED_IDENTIFIERS));
     debuggerRedactedTypes = configProvider.getString(DEBUGGER_REDACTED_TYPES, null);
     debuggerSymbolEnabled =
         configProvider.getBoolean(DEBUGGER_SYMBOL_ENABLED, DEFAULT_DEBUGGER_SYMBOL_ENABLED);
@@ -3424,6 +3428,10 @@ public String getDebuggerRedactedIdentifiers() {
     return debuggerRedactedIdentifiers;
   }
 
+  public Set<String> getDebuggerRedactionExcludedIdentifiers() {
+    return debuggerRedactionExcludedIdentifiers;
+  }
+
   public String getDebuggerRedactedTypes() {
     return debuggerRedactedTypes;
   }
