Excluding PII identifiers should work for DI tracers (#4564)

tylfin · watson · web-flow · commit 3b56d9f7a341 · 2025-05-14T19:02:20.000Z
Co-authored-by: Thomas Watson &lt;w@tson.dk&gt;
diff --git a/manifests/cpp_nginx.yml b/manifests/cpp_nginx.yml
@@ -53,6 +53,7 @@ tests/:
       Test_Debugger_InProduct_Enablement_Exception_Replay: irrelevant
     test_debugger_pii.py:
       Test_Debugger_PII_Redaction: irrelevant
+      Test_Debugger_PII_Redaction_Excluded_Identifiers: irrelevant
     test_debugger_probe_budgets.py:
       Test_Debugger_Probe_Budgets: irrelevant
     test_debugger_probe_snapshot.py:
diff --git a/manifests/dotnet.yml b/manifests/dotnet.yml
@@ -430,6 +430,7 @@ tests/:
       Test_Debugger_InProduct_Enablement_Exception_Replay: missing_feature
     test_debugger_pii.py:
       Test_Debugger_PII_Redaction: v2.50.0
+      Test_Debugger_PII_Redaction_Excluded_Identifiers: v2.50.0
     test_debugger_probe_budgets.py:
       Test_Debugger_Probe_Budgets: v2.53.0
     test_debugger_probe_snapshot.py:
diff --git a/manifests/golang.yml b/manifests/golang.yml
@@ -513,6 +513,7 @@ tests/:
       Test_Debugger_InProduct_Enablement_Exception_Replay: missing_feature
     test_debugger_pii.py:
       Test_Debugger_PII_Redaction: missing_feature (feature not implented)
+      Test_Debugger_PII_Redaction_Excluded_Identifiers: missing_feature (feature not implented)
     test_debugger_probe_budgets.py:
       Test_Debugger_Probe_Budgets: missing_feature (feature not implented)
     test_debugger_probe_snapshot.py:
diff --git a/manifests/java.yml b/manifests/java.yml
@@ -1747,6 +1747,15 @@ tests/:
         spring-boot-undertow: v1.38.0
         spring-boot-wildfly: v1.38.0
         uds-spring-boot: v1.33.0
+      Test_Debugger_PII_Redaction_Excluded_Identifiers:
+        '*': missing_feature
+        spring-boot: v1.49.0
+        spring-boot-jetty: v1.49.0
+        spring-boot-openliberty: v1.49.0
+        spring-boot-payara: v1.49.0
+        spring-boot-undertow: v1.49.0
+        spring-boot-wildfly: v1.49.0
+        uds-spring-boot: v1.49.0
     test_debugger_probe_budgets.py:
       Test_Debugger_Probe_Budgets:
         '*': missing_feature
diff --git a/manifests/nodejs.yml b/manifests/nodejs.yml
@@ -829,6 +829,11 @@ tests/:
         express4: v5.39.0
         express4-typescript: v5.39.0
         uds-express4: v5.39.0
+      Test_Debugger_PII_Redaction_Excluded_Identifiers:
+        '*': irrelevant
+        express4: v5.39.0
+        express4-typescript: v5.39.0
+        uds-express4: v5.39.0
     test_debugger_probe_budgets.py:
       Test_Debugger_Probe_Budgets: missing_feature
     test_debugger_probe_snapshot.py:
diff --git a/manifests/php.yml b/manifests/php.yml
@@ -417,6 +417,7 @@ tests/:
       Test_Debugger_InProduct_Enablement_Exception_Replay: missing_feature
     test_debugger_pii.py:
       Test_Debugger_PII_Redaction: missing_feature
+      Test_Debugger_PII_Redaction_Excluded_Identifiers: missing_feature
     test_debugger_probe_budgets.py:
       Test_Debugger_Probe_Budgets: missing_feature
     test_debugger_probe_snapshot.py:
diff --git a/manifests/python.yml b/manifests/python.yml
@@ -761,6 +761,11 @@ tests/:
         flask-poc: v2.11.0
         uds-flask: v2.11.0
         uwsgi-poc: v2.11.0
+      Test_Debugger_PII_Redaction_Excluded_Identifiers:
+        '*': missing_feature
+        flask-poc: v3.7.0
+        uds-flask: v3.7.0
+        uwsgi-poc: v3.7.0
     test_debugger_probe_budgets.py:
       Test_Debugger_Probe_Budgets:
         '*': missing_feature
diff --git a/manifests/ruby.yml b/manifests/ruby.yml
@@ -585,6 +585,7 @@ tests/:
         rails70: v2.8.0
         rails80: v2.8.0
         uds-rails: v2.12.0
+      Test_Debugger_PII_Redaction_Excluded_Identifiers: missing_feature
     test_debugger_probe_budgets.py:
       Test_Debugger_Probe_Budgets:
         "*": irrelevant
diff --git a/tests/debugger/test_debugger_pii.py b/tests/debugger/test_debugger_pii.py
@@ -111,8 +111,7 @@
 
 
 @features.debugger_pii_redaction
-@scenarios.debugger_pii_redaction
-class Test_Debugger_PII_Redaction(debugger.BaseDebuggerTest):
+class BaseDebuggerPIIRedactionTest(debugger.BaseDebuggerTest):
     ############ setup ############
     def _setup(self, *, line_probe=False):
         self.initialize_weblog_remote_config()
@@ -129,31 +128,34 @@ def _setup(self, *, line_probe=False):
         self.wait_for_all_probes(statuses=["EMITTING"])
 
     ############ assert ############
-    def _assert(self, redacted_keys, redacted_types, *, line_probe=False):
+    def _assert(self, excluded_identifiers=None, *, line_probe=False):
         self.collect()
         self.assert_setup_ok()
         self.assert_rc_state_not_error()
         self.assert_all_probes_are_emitting()
         self.assert_all_weblog_responses_ok()
 
-        self._validate_pii_keyword_redaction(redacted_keys, line_probe)
+        self._validate_pii_keyword_redaction(excluded_identifiers, line_probe)
         if context.library != "nodejs":  # Node.js does not support type redacting
-            self._validate_pii_type_redaction(redacted_types, line_probe)
+            self._validate_pii_type_redaction(line_probe)
 
-    def _validate_pii_keyword_redaction(self, should_redact_field_names, line_probe):
+    def _validate_pii_keyword_redaction(self, excluded_identifiers, line_probe):
         not_redacted = []
-        not_found = list(set(should_redact_field_names))
+        not_found = list(set(REDACTED_KEYS))
+        improperly_redacted = []
+        excluded_identifiers = excluded_identifiers if excluded_identifiers else []
 
         for probe_id in self.probe_ids:
             base = self.probe_snapshots[probe_id][0]
             snapshot = base.get("debugger", {}).get("snapshot") or base["debugger.snapshot"]
 
-            for field_name in should_redact_field_names:
-                if line_probe:
-                    fields = snapshot["captures"]["lines"]["64"]["locals"]["pii"]["fields"]
-                else:
-                    fields = snapshot["captures"]["return"]["locals"]["pii"]["fields"]
+            if line_probe:
+                fields = snapshot["captures"]["lines"]["64"]["locals"]["pii"]["fields"]
+            else:
+                fields = snapshot["captures"]["return"]["locals"]["pii"]["fields"]
 
+            # Check if fields that should be redacted are properly redacted
+            for field_name in set(REDACTED_KEYS):
                 if context.library == "ruby":
                     check_field_name = "@" + field_name
                 else:
@@ -162,29 +164,40 @@ def _validate_pii_keyword_redaction(self, should_redact_field_names, line_probe)
                 if check_field_name in fields:
                     not_found.remove(field_name)
 
-                    if "value" in fields[check_field_name]:
+                    # Fields not included in excluded_identifiers should not have values
+                    if "value" in fields[check_field_name] and field_name not in excluded_identifiers:
                         not_redacted.append(field_name)
 
-        error_message = ""
+                    # Fields included in excluded_identifiers should have values
+                    if "value" not in fields[check_field_name] and field_name in excluded_identifiers:
+                        improperly_redacted.append(field_name)
+
+        error_message = []
         if not_redacted:
             not_redacted.sort()
-            error_message = "Fields not properly redacted: " + "".join([f"{item}, " for item in not_redacted])
+            error_message.append("Fields not properly redacted: " + "".join([f"{item}, " for item in not_redacted]))
 
         if not_found:
             not_found.sort()
-            error_message += ". Fields not found: " + "".join([f"{item}, " for item in not_found])
+            error_message.append("Fields not found: " + "".join([f"{item}, " for item in not_found]))
 
-        if error_message != "":
-            raise ValueError(error_message)
+        if improperly_redacted:
+            improperly_redacted.sort()
+            error_message.append(
+                "Excluded fields improperly redacted: " + "".join([f"{item}, " for item in improperly_redacted])
+            )
 
-    def _validate_pii_type_redaction(self, should_redact_types, line_probe):
+        if error_message:
+            raise ValueError(". ".join(error_message))
+
+    def _validate_pii_type_redaction(self, line_probe):
         not_redacted = []
 
         for probe_id in self.probe_ids:
             base = self.probe_snapshots[probe_id][0]
             snapshot = base.get("debugger", {}).get("snapshot") or base["debugger.snapshot"]
 
-            for type_name in should_redact_types:
+            for type_name in REDACTED_TYPES:
                 if line_probe:
                     type_info = snapshot["captures"]["lines"]["64"]["locals"][type_name]
                 else:
@@ -196,11 +209,14 @@ def _validate_pii_type_redaction(self, should_redact_types, line_probe):
         error_message = ""
         if not_redacted:
             not_redacted.sort()
-            error_message = "Types not properly redacted: " + "".join([f"{item}, " for item in not_redacted])
+            error_message += "Types not properly redacted: " + "".join([f"{item}, " for item in not_redacted])
 
         if error_message != "":
             raise ValueError(error_message)
 
+
+@scenarios.debugger_pii_redaction
+class Test_Debugger_PII_Redaction(BaseDebuggerPIIRedactionTest):
     ############ test ############
     ### method ###
     def setup_pii_redaction_method_full(self):
@@ -215,11 +231,25 @@ def setup_pii_redaction_method_full(self):
     )
     @missing_feature(context.library == "nodejs", reason="Not yet implemented", force_skip=True)
     def test_pii_redaction_method_full(self):
-        self._assert(REDACTED_KEYS, REDACTED_TYPES)
+        self._assert()
 
     ### line ###
     def setup_pii_redaction_line_full(self):
         self._setup(line_probe=True)
 
     def test_pii_redaction_line_full(self):
-        self._assert(REDACTED_KEYS, REDACTED_TYPES, line_probe=True)
+        self._assert(line_probe=True)
+
+
+@scenarios.tracing_config_nondefault_4
+class Test_Debugger_PII_Redaction_Excluded_Identifiers(BaseDebuggerPIIRedactionTest):
+    ### excluded identifiers ###
+    def setup_pii_redaction_excluded_identifiers(self):
+        self._setup(line_probe=True)
+
+    @bug(context.library == "java", reason="DEBUG-3745")
+    @bug(context.library == "ruby", reason="DEBUG-3747")
+    @bug(context.library == "python", reason="DEBUG-3746")
+    def test_pii_redaction_excluded_identifiers(self):
+        excluded_identifiers = ["_2fa", "cookie", "sessionid"]
+        self._assert(excluded_identifiers, line_probe=True)
diff --git a/utils/_context/_scenarios/__init__.py b/utils/_context/_scenarios/__init__.py
@@ -644,10 +644,15 @@ class _Scenarios:
     tracing_config_nondefault_4 = EndToEndScenario(
         "TRACING_CONFIG_NONDEFAULT_4",
         weblog_env={
+            "DD_DYNAMIC_INSTRUMENTATION_ENABLED": "true",
+            "DD_DYNAMIC_INSTRUMENTATION_REDACTED_IDENTIFIERS": "customidentifier1,customidentifier2",
+            "DD_DYNAMIC_INSTRUMENTATION_REDACTED_TYPES": "weblog.Models.Debugger.CustomPii,com.datadoghq.system_tests.springboot.CustomPii,CustomPii",  # noqa: E501
+            "DD_DYNAMIC_INSTRUMENTATION_REDACTION_EXCLUDED_IDENTIFIERS": "_2fa,cookie,sessionid",
             "DD_LOGS_INJECTION": "true",
             "DD_TRACE_128_BIT_TRACEID_LOGGING_ENABLED": "false",
         },
         doc="",
+        rc_api_enabled=True,
     )
 
     parametric = ParametricScenario("PARAMETRIC", doc="WIP")
