[AWS Payload Tagging] Fix the default redaction rules and the redaction rules extraction tool.

Author: ygree

dd-trace-api/src/main/java/datadog/trace/api/ConfigDefaults.java

@@ -253,60 +253,120 @@ public final class ConfigDefaults {
 
   public static final List<String> DEFAULT_CLOUD_COMMON_PAYLOAD_TAGGING =
       asList(
-          // Sns
-          "$.Attributes.KmsMasterKeyId",
-          "$.Attributes.Token",
-          // EventBridge (RedactionRulesExtractor.java for eventbridge-2015-10-07)
-          "$.AuthParameters.OAuthParameters.OAuthHttpParameters.HeaderParameters[*].Value",
-          "$.AuthParameters.OAuthParameters.OAuthHttpParameters.QueryStringParameters[*].Value",
-          "$.AuthParameters.OAuthParameters.OAuthHttpParameters.BodyParameters[*].Value",
-          "$.AuthParameters.InvocationHttpParameters.HeaderParameters[*].Value",
-          "$.AuthParameters.InvocationHttpParameters.QueryStringParameters[*].Value",
-          "$.AuthParameters.InvocationHttpParameters.BodyParameters[*].Value",
-          "$.Targets[*].RedshiftDataParameters.Sql",
-          "$.Targets[*].RedshiftDataParameters.Sqls",
-          "$.Targets[*].AppSyncParameters.GraphQLOperation",
           // S3 (RedactionRulesExtractor.java for s3-2006-03-01)
-          "$.SSEKMSKeyId",
-          "$.SSEKMSEncryptionContext",
-          "$.ServerSideEncryptionConfiguration.Rules[*].ApplyServerSideEncryptionByDefault.KMSMasterKeyID",
-          "$.InventoryConfiguration.Destination.S3BucketDestination.Encryption.SSEKMS.KeyId");
+          // ./services/s3/src/main/resources/codegen-resources/service-2.json
+          "$.CopyObject.SSEKMSKeyId",
+          "$.CopyObject.SSEKMSEncryptionContext",
+          "$.CreateMultipartUpload.SSEKMSKeyId",
+          "$.CreateMultipartUpload.SSEKMSEncryptionContext",
+          "$.PutObject.SSEKMSKeyId",
+          "$.PutObject.SSEKMSEncryptionContext",
+
+          // https://github.com/DataDog/dd-trace-js/blob/5658024a4a0c78476be6b04c13e821b6f9f86762/packages/dd-trace/src/payload-tagging/config/aws.json
+          "$.Attributes.KmsMasterKeyId",
+          "$.Attributes.Token");
 
   public static final List<String> DEFAULT_CLOUD_REQUEST_PAYLOAD_TAGGING =
       asList(
-          // Sns
+          // EventBridge (RedactionRulesExtractor.java for eventbridge-2015-10-07)
+          // ./services/eventbridge/src/main/resources/codegen-resources/service-2.json
+          "$.CreateConnection.AuthParameters.BasicAuthParameters.Password",
+          "$.CreateConnection.AuthParameters.OAuthParameters.ClientParameters.ClientSecret",
+          "$.CreateConnection.AuthParameters.OAuthParameters.OAuthHttpParameters.HeaderParameters[*].Value",
+          "$.CreateConnection.AuthParameters.OAuthParameters.OAuthHttpParameters.QueryStringParameters[*].Value",
+          "$.CreateConnection.AuthParameters.OAuthParameters.OAuthHttpParameters.BodyParameters[*].Value",
+          "$.CreateConnection.AuthParameters.ApiKeyAuthParameters.ApiKeyValue",
+          "$.CreateConnection.AuthParameters.InvocationHttpParameters.HeaderParameters[*].Value",
+          "$.CreateConnection.AuthParameters.InvocationHttpParameters.QueryStringParameters[*].Value",
+          "$.CreateConnection.AuthParameters.InvocationHttpParameters.BodyParameters[*].Value",
+          "$.PutTargets.Targets[*].RedshiftDataParameters.Sql",
+          "$.PutTargets.Targets[*].RedshiftDataParameters.Sqls",
+          "$.PutTargets.Targets[*].AppSyncParameters.GraphQLOperation",
+          "$.UpdateConnection.AuthParameters.BasicAuthParameters.Password",
+          "$.UpdateConnection.AuthParameters.OAuthParameters.ClientParameters.ClientSecret",
+          "$.UpdateConnection.AuthParameters.OAuthParameters.OAuthHttpParameters.HeaderParameters[*].Value",
+          "$.UpdateConnection.AuthParameters.OAuthParameters.OAuthHttpParameters.QueryStringParameters[*].Value",
+          "$.UpdateConnection.AuthParameters.OAuthParameters.OAuthHttpParameters.BodyParameters[*].Value",
+          "$.UpdateConnection.AuthParameters.ApiKeyAuthParameters.ApiKeyValue",
+          "$.UpdateConnection.AuthParameters.InvocationHttpParameters.HeaderParameters[*].Value",
+          "$.UpdateConnection.AuthParameters.InvocationHttpParameters.QueryStringParameters[*].Value",
+          "$.UpdateConnection.AuthParameters.InvocationHttpParameters.BodyParameters[*].Value",
+
+          // Sns (RedactionRulesExtractor.java for sns-2010-03-31)
+          // ./services/sns/src/main/resources/codegen-resources/service-2.json
+          "$.CheckIfPhoneNumberIsOptedOut.phoneNumber",
+          "$.CreateSMSSandboxPhoneNumber.PhoneNumber",
+          "$.DeleteSMSSandboxPhoneNumber.PhoneNumber",
+          "$.OptInPhoneNumber.phoneNumber",
+          "$.Publish.PhoneNumber",
+          "$.VerifySMSSandboxPhoneNumber.PhoneNumber",
+
+          // S3 (RedactionRulesExtractor.java for s3-2006-03-01)
+          // ./services/s3/src/main/resources/codegen-resources/service-2.json
+          "$.CompleteMultipartUpload.SSECustomerKey",
+          "$.CopyObject.SSECustomerKey",
+          "$.CopyObject.CopySourceSSECustomerKey",
+          "$.CreateMultipartUpload.SSECustomerKey",
+          "$.GetObject.SSECustomerKey",
+          "$.GetObjectAttributes.SSECustomerKey",
+          "$.HeadObject.SSECustomerKey",
+          "$.ListParts.SSECustomerKey",
+          "$.PutBucketEncryption.ServerSideEncryptionConfiguration.Rules[*].ApplyServerSideEncryptionByDefault.KMSMasterKeyID",
+          "$.PutBucketInventoryConfiguration.InventoryConfiguration.Destination.S3BucketDestination.Encryption.SSEKMS.KeyId",
+          "$.PutObject.SSECustomerKey",
+          "$.RestoreObject.RestoreRequest.OutputLocation.S3.Encryption.KMSKeyId",
+          "$.SelectObjectContent.SSECustomerKey",
+          "$.UploadPart.SSECustomerKey",
+          "$.UploadPartCopy.SSECustomerKey",
+          "$.UploadPartCopy.CopySourceSSECustomerKey",
+          "$.WriteGetObjectResponse.SSEKMSKeyId",
+
+          // https://github.com/DataDog/dd-trace-js/blob/5658024a4a0c78476be6b04c13e821b6f9f86762/packages/dd-trace/src/payload-tagging/config/aws.json
           "$.Attributes.PlatformCredential",
           "$.Attributes.PlatformPrincipal",
           "$.AWSAccountId",
           "$.Endpoint",
           "$.Token",
-          "$.OneTimePassword",
-          // Sns (RedactionRulesExtractor.java for sns-2010-03-31)
-          "$.phoneNumber",
-          "$.PhoneNumber",
-          // EventBridge (RedactionRulesExtractor.java for eventbridge-2015-10-07)
-          "$.AuthParameters.BasicAuthParameters.Password",
-          "$.AuthParameters.OAuthParameters.ClientParameters.ClientSecret",
-          "$.AuthParameters.ApiKeyAuthParameters.ApiKeyValue",
-          // S3 (RedactionRulesExtractor.java for s3-2006-03-01)
-          "$.SSECustomerKey",
-          "$.CopySourceSSECustomerKey",
-          "$.RestoreRequest.OutputLocation.S3.Encryption.KMSKeyId");
+          "$.OneTimePassword");
 
   public static final List<String> DEFAULT_CLOUD_RESPONSE_PAYLOAD_TAGGING =
       asList(
-          // Sns
+          // EventBridge (RedactionRulesExtractor.java for eventbridge-2015-10-07)
+          // ./services/eventbridge/src/main/resources/codegen-resources/service-2.json
+          "$.DescribeConnection.AuthParameters.OAuthParameters.OAuthHttpParameters.HeaderParameters[*].Value",
+          "$.DescribeConnection.AuthParameters.OAuthParameters.OAuthHttpParameters.QueryStringParameters[*].Value",
+          "$.DescribeConnection.AuthParameters.OAuthParameters.OAuthHttpParameters.BodyParameters[*].Value",
+          "$.DescribeConnection.AuthParameters.InvocationHttpParameters.HeaderParameters[*].Value",
+          "$.DescribeConnection.AuthParameters.InvocationHttpParameters.QueryStringParameters[*].Value",
+          "$.DescribeConnection.AuthParameters.InvocationHttpParameters.BodyParameters[*].Value",
+          "$.ListTargetsByRule.Targets[*].RedshiftDataParameters.Sql",
+          "$.ListTargetsByRule.Targets[*].RedshiftDataParameters.Sqls",
+          "$.ListTargetsByRule.Targets[*].AppSyncParameters.GraphQLOperation",
+
+          // Sns (Generated by RedactionRulesExtractor.java for sns-2010-03-31)
+          // ./services/sns/src/main/resources/codegen-resources/service-2.json
+          "$.ListOriginationNumbers.PhoneNumbers[*].PhoneNumber",
+          "$.ListPhoneNumbersOptedOut.phoneNumbers[*]",
+          "$.ListSMSSandboxPhoneNumbers.PhoneNumbers[*].PhoneNumber",
+
+          // S3 (RedactionRulesExtractor.java for s3-2006-03-01)
+          // ./services/s3/src/main/resources/codegen-resources/service-2.json
+          "$.CompleteMultipartUpload.SSEKMSKeyId",
+          "$.CreateSession.Credentials.SecretAccessKey",
+          "$.CreateSession.Credentials.SessionToken",
+          "$.GetBucketEncryption.ServerSideEncryptionConfiguration.Rules[*].ApplyServerSideEncryptionByDefault.KMSMasterKeyID",
+          "$.GetBucketInventoryConfiguration.InventoryConfiguration.Destination.S3BucketDestination.Encryption.SSEKMS.KeyId",
+          "$.GetObject.SSEKMSKeyId",
+          "$.HeadObject.SSEKMSKeyId",
+          "$.ListBucketInventoryConfigurations.InventoryConfigurationList[*].Destination.S3BucketDestination.Encryption.SSEKMS.KeyId",
+          "$.UploadPart.SSEKMSKeyId",
+          "$.UploadPartCopy.SSEKMSKeyId",
+
+          // https://github.com/DataDog/dd-trace-js/blob/5658024a4a0c78476be6b04c13e821b6f9f86762/packages/dd-trace/src/payload-tagging/config/aws.json
           "$.Endpoints.*.Token",
           "$.PlatformApplication.*.PlatformCredential",
           "$.PlatformApplication.*.PlatformPrincipal",
-          "$.Subscriptions.*.Endpoint",
-          // Sns (Generated by RedactionRulesExtractor.java for sns-2010-03-31)
-          "$.PhoneNumbers[*].PhoneNumber",
-          "$.phoneNumbers[*]",
-          // S3 (RedactionRulesExtractor.java for s3-2006-03-01)
-          "$.Credentials.SecretAccessKey",
-          "$.Credentials.SessionToken",
-          "$.InventoryConfigurationList[*].Destination.S3BucketDestination.Encryption.SSEKMS.KeyId");
+          "$.Subscriptions.*.Endpoint");
 
   private ConfigDefaults() {}
 }

dd-trace-core/src/test/java/datadog/trace/payloadtags/RedactionRulesExtractor.java

@@ -64,10 +64,9 @@ public static void main(String[] args) throws IOException {
       if (inputObject != null) {
         String inputShape = (String) inputObject.get("shape");
         collectSensitivePaths(
-            operationName,
             (Map<String, Object>) allShapes.get(inputShape),
             allShapes,
-            "$",
+            operationName,
             requestSensitivePaths);
       }
 
@@ -76,10 +75,9 @@ public static void main(String[] args) throws IOException {
       if (outputObject != null) {
         String outputShape = (String) outputObject.get("shape");
         collectSensitivePaths(
-            operationName,
             (Map<String, Object>) allShapes.get(outputShape),
             allShapes,
-            "$",
+            operationName,
             responseSensitivePaths);
       }
 
@@ -88,12 +86,9 @@ public static void main(String[] args) throws IOException {
               operationObject.getOrDefault("errors", Collections.emptyList());
       for (Map<String, Object> error : errors) {
         String errorShape = (String) error.get("shape");
-        collectSensitivePaths(
-            operationName,
-            (Map<String, Object>) allShapes.get(errorShape),
-            allShapes,
-            "$",
-            errorsSensitivePaths);
+        Map<String, Object> shape = (Map<String, Object>) allShapes.get(errorShape);
+        Set<String> collectedSensitivePath = errorsSensitivePaths;
+        collectSensitivePaths(shape, allShapes, operationName, collectedSensitivePath);
       }
     }
 
@@ -103,23 +98,36 @@ public static void main(String[] args) throws IOException {
     requestSensitivePaths.removeAll(commonSensitivePaths);
     responseSensitivePaths.removeAll(commonSensitivePaths);
 
-    System.out.println("\nCommon sensitive paths:\n" + String.join("\n", commonSensitivePaths));
-    System.out.println("\nRequest sensitive paths:\n" + String.join("\n", requestSensitivePaths));
-    System.out.println("\nResponse sensitive paths:\n" + String.join("\n", responseSensitivePaths));
-    System.out.println("\nErrors sensitive paths:\n" + String.join("\n", errorsSensitivePaths));
+    System.out.println(
+        "\nCommon sensitive paths:\n\"" + String.join("\",\n\"", commonSensitivePaths) + "\"");
+    System.out.println(
+        "\nRequest sensitive paths:\n\"" + String.join("\",\n\"", requestSensitivePaths) + "\"");
+    System.out.println(
+        "\nResponse sensitive paths:\n\"" + String.join("\",\n\"", responseSensitivePaths) + "\"");
+    System.out.println(
+        "\nErrors sensitive paths:\n\"" + String.join("\",\n\"", errorsSensitivePaths) + "\"");
     Map<String, Object> metadata = (Map<String, Object>) map.get("metadata");
     System.out.println("serviceId: " + metadata.get("serviceId"));
     System.out.println("uid: " + metadata.get("uid"));
   }
 
   private static void collectSensitivePaths(
+      Map<String, Object> shape,
+      Map<String, Object> allShapes,
       String operationName,
+      Set<String> collectedSensitivePath) {
+    collectSensitivePathsRecursively(
+        shape, allShapes, "$." + operationName, "", collectedSensitivePath);
+  }
+
+  private static void collectSensitivePathsRecursively(
       Map<String, Object> shape,
       Map<String, Object> allShapes,
+      String prefix,
       String path,
       Set<String> sensitivePathsOut) {
     if ((boolean) shape.getOrDefault("sensitive", false)) {
-      sensitivePathsOut.add(path);
+      sensitivePathsOut.add(prefix + path);
       return;
     }
 
@@ -132,20 +140,20 @@ private static void collectSensitivePaths(
         String memberName = member.getKey();
         Map<String, Object> memberObject = (Map<String, Object>) member.getValue();
         String memberShape = (String) memberObject.get("shape");
-        collectSensitivePaths(
-            operationName,
+        collectSensitivePathsRecursively(
             (Map<String, Object>) allShapes.get(memberShape),
             allShapes,
+            prefix,
             path + "." + memberName,
             sensitivePathsOut);
       }
     } else if ("list".equals(shapeType)) {
       Map<String, Object> member = (Map<String, Object>) shape.get("member");
       String memberShape = (String) member.get("shape");
-      collectSensitivePaths(
-          operationName,
+      collectSensitivePathsRecursively(
           (Map<String, Object>) allShapes.get(memberShape),
           allShapes,
+          prefix,
           path + "[*]",
           sensitivePathsOut);
     }