Scrub names from messages in logging/telemetry (#5053)

* Scrub names from messages in logging/telemetry

* removing commented code

* feedback

* detekt

Author: manodnyab

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/sso/DiskCache.kt

@@ -32,6 +32,7 @@ import software.aws.toolkits.core.utils.touch
 import software.aws.toolkits.core.utils.tryDirOp
 import software.aws.toolkits.core.utils.tryFileOp
 import software.aws.toolkits.core.utils.tryOrNull
+import software.aws.toolkits.jetbrains.services.telemetry.scrubNames
 import software.aws.toolkits.telemetry.AuthTelemetry
 import software.aws.toolkits.telemetry.Result
 import java.io.InputStream
@@ -111,7 +112,7 @@ class DiskCache(
                 source = "loadClientRegistration",
                 result = Result.Failed,
                 reason = "Failed to load Client Registration",
-                reasonDesc = "Load Step:$stage failed. Unable to load file"
+                reasonDesc = "Load Step:$stage failed. Cache file does not exist"
             )
             return null
         }
@@ -136,7 +137,7 @@ class DiskCache(
                 source = "invalidateClientRegistration",
                 result = Result.Failed,
                 reason = "Failed to invalidate Client Registration",
-                reasonDesc = e.message ?: e::class.java.name
+                reasonDesc = e.message?.let { scrubNames(it) } ?: e::class.java.name
             )
             throw e
         }
@@ -152,7 +153,7 @@ class DiskCache(
                 source = "invalidateAccessToken",
                 result = Result.Failed,
                 reason = "Failed to invalidate Access Token",
-                reasonDesc = e.message ?: e::class.java.name
+                reasonDesc = e.message?.let { scrubNames(it) } ?: e::class.java.name
             )
             throw e
         }
@@ -186,7 +187,7 @@ class DiskCache(
                 source = "invalidateAccessToken",
                 result = Result.Failed,
                 reason = "Failed to invalidate Access Token",
-                reasonDesc = e.message ?: e::class.java.name
+                reasonDesc = e.message?.let { scrubNames(it) } ?: e::class.java.name
             )
             throw e
         }
@@ -282,7 +283,7 @@ class DiskCache(
                 source = "writeKey",
                 result = Result.Failed,
                 reason = "Failed to write to cache",
-                reasonDesc = e.message ?: e::class.java.name
+                reasonDesc = e.message?.let { scrubNames(it) } ?: e::class.java.name
             )
             throw e
         }

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/core/credentials/sso/SsoAccessTokenProvider.kt

@@ -24,6 +24,7 @@ import software.aws.toolkits.jetbrains.core.credentials.sono.SONO_URL
 import software.aws.toolkits.jetbrains.core.credentials.sso.pkce.PKCE_CLIENT_NAME
 import software.aws.toolkits.jetbrains.core.credentials.sso.pkce.ToolkitOAuthService
 import software.aws.toolkits.jetbrains.core.webview.getAuthType
+import software.aws.toolkits.jetbrains.services.telemetry.scrubNames
 import software.aws.toolkits.jetbrains.utils.assertIsNonDispatchThread
 import software.aws.toolkits.jetbrains.utils.sleepWithCancellation
 import software.aws.toolkits.resources.AwsCoreBundle
@@ -183,7 +184,7 @@ class SsoAccessTokenProvider(
                 source = "accessToken",
                 result = Result.Failed,
                 reason = "Failed to write AccessToken to cache",
-                reasonDesc = e.message ?: e::class.java.name,
+                reasonDesc = e.message?.let { scrubNames(it) } ?: e::class.java.name,
             )
             throw e
         }
@@ -225,7 +226,7 @@ class SsoAccessTokenProvider(
                 source = "registerDAGClient",
                 result = Result.Failed,
                 reason = "Failed to write DeviceAuthorizationClientRegistration to cache",
-                reasonDesc = e.message ?: e::class.java.name
+                reasonDesc = e.message?.let { scrubNames(it) } ?: e::class.java.name
             )
             throw e
         }
@@ -277,7 +278,7 @@ class SsoAccessTokenProvider(
                 source = "registerPkceClient",
                 result = Result.Failed,
                 reason = "Failed to write PKCEClientRegistration to cache",
-                reasonDesc = e.message ?: e::class.java.name
+                reasonDesc = e.message?.let { scrubNames(it) } ?: e::class.java.name
             )
             throw e
         }

plugins/core/jetbrains-community/src/software/aws/toolkits/jetbrains/services/telemetry/TelemetryUtils.kt

@@ -200,3 +200,69 @@ val ALLOWED_CODE_EXTENSIONS = setOf(
     "yml",
     "zig"
 )
+
+fun scrubNames(messageToBeScrubbed: String, username: String? = getSystemUserName()): String {
+    var scrubbedMessage = ""
+    var processedMessage = messageToBeScrubbed
+    if (!username.isNullOrEmpty() && username.length > 2) {
+        processedMessage = processedMessage.replace(username, "x")
+    }
+
+    // Replace contiguous whitespace with 1 space.
+    processedMessage = processedMessage.replace(Regex("""\s+"""), " ")
+
+    // 1. split on whitespace.
+    // 2. scrub words that match username or look like filepaths.
+    val words = processedMessage.split(Regex("""\s+"""))
+    for (word in words) {
+        val pathSegments = word.split(Regex("""[/\\]""")).filter { it != "" }
+        if (pathSegments.size < 2) {
+            // Not a filepath.
+            scrubbedMessage += " $word"
+            continue
+        }
+
+        // Replace all (non-allowlisted) ASCII filepath segments with "x".
+        // "/foo/bar/aws/sso/" => "/x/x/aws/sso/"
+        var scrubbed = ""
+        // Get the frontmatter ("/", "../", "~/", or "./").
+        val start = slashdot.find(word.trimStart())?.value.orEmpty()
+        val firstVal = pathSegments[0].trimStart().replace(slashdot, "")
+
+        val ps = pathSegments.filterIndexed { i, _ -> i != 0 }.toMutableList()
+        ps.add(0, firstVal)
+
+        for (seg in ps) {
+            when {
+                driveLetterRegex.matches(seg) -> scrubbed += seg
+                commonFilePathPatterns.contains(seg) -> scrubbed += "/$seg"
+                else -> {
+                    // Save the first non-ASCII (unicode) char, if any.
+                    val nonAscii = Regex("""[^\p{ASCII}]""").find(seg)?.value.orEmpty()
+                    // Replace all chars (except [^…]) with "x" .
+                    val ascii = seg.replace(Regex("""[^$\[\](){}:;'" ]+"""), "x")
+                    scrubbed += "/${ascii}$nonAscii"
+                }
+            }
+        }
+
+        // includes leading '.', eg: '.json'
+        val fileExt = fileExtRegex.find(pathSegments.last())?.value.orEmpty()
+        val newString = " ${start.replace(Regex("""\\"""), "/")}${scrubbed.removePrefix("//").removePrefix("/").removePrefix("\\")}$fileExt"
+        scrubbedMessage += newString
+    }
+
+    return scrubbedMessage.trim()
+}
+
+val fileExtRegex = Regex("""\.[^./]+$""")
+val slashdot = Regex("""^[~.]*[/\\]*""")
+
+/** Allowlisted filepath segments. */
+val commonFilePathPatterns = setOf(
+    "~", ".", "..", ".aws", "aws", "sso", "cache", "credentials", "config",
+    "Users", "users", "home", "tmp", "aws-toolkit-jetbrains"
+)
+val driveLetterRegex = Regex("""^[a-zA-Z]:""")
+
+fun getSystemUserName(): String? = System.getProperty("user.name") ?: null

plugins/core/jetbrains-community/tst/software/aws/toolkits/jetbrains/services/telemetry/TelemetryUtilsTest.kt

@@ -0,0 +1,66 @@
+// Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.jetbrains.services.telemetry
+
+import org.assertj.core.api.Assertions.assertThat
+import org.junit.jupiter.params.ParameterizedTest
+import org.junit.jupiter.params.provider.Arguments
+import org.junit.jupiter.params.provider.MethodSource
+import java.util.stream.Stream
+
+class TelemetryUtilsTest {
+
+    @ParameterizedTest
+    @MethodSource("scrubNamesTestCases")
+    fun testScrubNames(input: String, expected: String) {
+        val fakeUser = "jdoe123"
+        assertThat(expected).isEqualTo(scrubNames(input, fakeUser))
+    }
+
+    companion object {
+        @JvmStatic
+        fun scrubNamesTestCases(): Stream<Arguments> = Stream.of(
+            Arguments.of("", ""),
+            Arguments.of("a ./ b", "a ./ b"),
+            Arguments.of("a ../ b", "a ../ b"),
+            Arguments.of("a /.. b", "a /.. b"),
+            Arguments.of("a //..// b", "a //..// b"),
+            Arguments.of("a / b", "a / b"),
+            Arguments.of("a ~/ b", "a ~/ b"),
+            Arguments.of("a //// b", "a //// b"),
+            Arguments.of("a .. b", "a .. b"),
+            Arguments.of("a . b", "a . b"),
+            Arguments.of("      lots      of         space       ", "lots of space"),
+            Arguments.of(
+                "Failed to save c:/fooß/aïböcß/aób∑c/∑ö/ππ¨p/ö/a/bar123öabc/baz.txt no permissions (error!)",
+                "Failed to save c:/xß/xï/xó/x∑/xπ/xö/x/xö/x.txt no permissions (error!)"
+            ),
+            Arguments.of(
+                "user: jdoe123 file: C:/Users/user1/.aws/sso/cache/abc123.json (regex: /foo/)",
+                "user: x file: C:/Users/x/.aws/sso/cache/x.json (regex: /x/)"
+            ),
+            Arguments.of("/Users/user1/foo.jso", "/Users/x/x.jso"),
+            Arguments.of("/Users/user1/foo.js", "/Users/x/x.js"),
+            Arguments.of("/Users/user1/noFileExtension", "/Users/x/x"),
+            Arguments.of("/Users/user1/minExtLength.a", "/Users/x/x.a"),
+            Arguments.of("/Users/user1/extIsNum.123456", "/Users/x/x.123456"),
+            Arguments.of("/Users/user1/foo.looooooooongextension", "/Users/x/x.looooooooongextension"),
+            Arguments.of("/Users/user1/multipleExts.ext1.ext2.ext3", "/Users/x/x.ext3"),
+            Arguments.of("c:\\fooß\\bar\\baz.txt", "c:/xß/x/x.txt"),
+            Arguments.of("unc path: \\\\server$\\pipename\\etc END", "unc path: //x$/x/x END"),
+            Arguments.of(
+                "c:\\Users\\user1\\.aws\\sso\\cache\\abc123.json jdoe123 abc",
+                "c:/Users/x/.aws/sso/cache/x.json x abc"
+            ),
+            Arguments.of("unix /home/jdoe123/.aws/config failed", "unix /home/x/.aws/config failed"),
+            Arguments.of("unix ~jdoe123/.aws/config failed", "unix ~x/.aws/config failed"),
+            Arguments.of("unix ../../.aws/config failed", "unix ../../.aws/config failed"),
+            Arguments.of("unix ~/.aws/config failed", "unix ~/.aws/config failed"),
+            Arguments.of(
+                "/Users/user1/.aws/sso/cache/abc123.json no space",
+                "/Users/x/.aws/sso/cache/x.json no space"
+            )
+        )
+    }
+}