Properly redact oauth tokens with toString()

Author: rli

plugins/core/core/src/software/aws/toolkits/core/utils/SensitiveField.kt

@@ -5,6 +5,7 @@ package software.aws.toolkits.core.utils
 
 import kotlin.reflect.full.hasAnnotation
 import kotlin.reflect.full.memberProperties
+import kotlin.reflect.full.superclasses
 
 @Target(AnnotationTarget.PROPERTY)
 annotation class SensitiveField
@@ -23,7 +24,13 @@ fun redactedString(o: Any): String {
         properties.forEachIndexed { i, prop ->
             append(prop.name)
             append("=")
-            if (prop.hasAnnotation<SensitiveField>()) {
+
+            // @Inherited does not work in Kotlin
+            // https://youtrack.jetbrains.com/issue/KT-22265/Support-for-inherited-annotations
+            if (
+                prop.hasAnnotation<SensitiveField>() ||
+                clazz.superclasses.flatMap { superClazz -> superClazz.members.filter { it.name == prop.name }}.any { it.hasAnnotation<SensitiveField>() }
+            ) {
                 if (prop.getter.call(o) == null) {
                     append("null")
                 } else {

plugins/core/jetbrains-community/tst/software/aws/toolkits/jetbrains/core/credentials/sso/AccessTokenTest.kt

@@ -0,0 +1,38 @@
+// Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.jetbrains.core.credentials.sso
+
+import org.assertj.core.api.Assertions.assertThat
+import org.junit.jupiter.api.Test
+import java.time.Instant
+
+class AccessTokenTest {
+    @Test
+    fun `DeviceAuthorizationGrantToken#toString has redacted values`() {
+        val sut = DeviceAuthorizationGrantToken(
+            startUrl = "clearText",
+            region = "clearText",
+            accessToken = "hiddenText",
+            refreshToken = "hiddenText",
+            expiresAt = Instant.EPOCH,
+            createdAt = Instant.EPOCH,
+        )
+
+        assertThat(sut.toString()).doesNotContain("hiddenText")
+    }
+
+    @Test
+    fun `PKCEAuthorizationGrantToken#toString has redacted values`() {
+        val sut = PKCEAuthorizationGrantToken(
+            issuerUrl = "clearText",
+            region = "clearText",
+            accessToken = "hiddenText",
+            refreshToken = "hiddenText",
+            expiresAt = Instant.EPOCH,
+            createdAt = Instant.EPOCH,
+        )
+
+        assertThat(sut.toString()).doesNotContain("hiddenText")
+    }
+}

plugins/core/jetbrains-community/tst/software/aws/toolkits/jetbrains/core/credentials/sso/ClientRegistrationTest.kt

@@ -0,0 +1,39 @@
+// Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.jetbrains.core.credentials.sso
+
+import org.assertj.core.api.Assertions.assertThat
+import org.junit.jupiter.api.Test
+import java.time.Instant
+
+class ClientRegistrationTest {
+    @Test
+    fun `DeviceAuthorizationClientRegistration#toString has redacted values`() {
+        val sut = DeviceAuthorizationClientRegistration(
+            clientId = "clearText",
+            clientSecret = "hiddenText",
+            expiresAt = Instant.EPOCH,
+            scopes = listOf("clearText"),
+        )
+
+        assertThat(sut.toString()).doesNotContain("hiddenText")
+    }
+
+    @Test
+    fun `PKCEClientRegistration#toString has redacted values`() {
+        val sut = PKCEClientRegistration(
+            clientId = "clearText",
+            clientSecret = "hiddenText",
+            expiresAt =  Instant.EPOCH,
+            scopes = listOf("clearText"),
+            issuerUrl = "clearText",
+            region = "clearText",
+            clientType = "clearText",
+            grantTypes = listOf("clearText"),
+            redirectUris = listOf("clearText")
+        )
+
+        assertThat(sut.toString()).doesNotContain("hiddenText")
+    }
+}