fix: redact sensitive attributes

Author: scbjans

instrumentation/net_ldap/lib/opentelemetry/instrumentation/net/ldap/attribute_mapper.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+# Copyright The OpenTelemetry Authors
+#
+# SPDX-License-Identifier: Apache-2.0
+
+module OpenTelemetry
+  module Instrumentation
+    module Net
+      module LDAP
+        # attribute mapper to redact sensitive keys
+        class AttributeMapper
+          SENSITIVE_KEYS = %w[userPassword unicodePwd lmPassword ntPassword authPassword krbPrincipalKey sambaNTPassword sambaLMPassword].freeze
+
+          def self.redact(_value)
+            '[REDACTED]'
+          end
+
+          def self.map_json(json_string)
+            begin
+              parsed = JSON.parse(json_string)
+              redacted = deep_map(parsed)
+              JSON.generate(redacted)
+            rescue JSON::ParserError
+              json_string
+            end
+          end
+
+          def self.map(attributes)
+            deep_map(attributes)
+          end
+
+          def self.deep_map(obj)
+            case obj
+            when Hash
+              obj.each_with_object({}) do |(k, v), result|
+                key_str = k.to_s
+                result[k] = SENSITIVE_KEYS.include?(key_str) ? redact(v) : deep_map(v)
+              end
+            when Array
+              # Special case: LDAP operation tuple like ["replace", "unicodePwd", ["value"]]
+              if obj.size == 3 && obj[1].is_a?(String) && SENSITIVE_KEYS.include?(obj[1])
+                [obj[0], obj[1], ['[REDACTED]']]
+              else
+                obj.map { |item| deep_map(item) }
+              end
+            when String
+              map_json(obj)
+            else
+              obj
+            end
+          end
+        end
+      end
+    end
+  end
+end

instrumentation/net_ldap/lib/opentelemetry/instrumentation/net/ldap/instrumentation_service.rb

@@ -4,6 +4,8 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
+require_relative 'attribute_mapper'
+
 module OpenTelemetry
   module Instrumentation
     module Net
@@ -33,7 +35,7 @@ def instrument(event, payload)
 
             tracer.in_span(
               event,
-              attributes: attributes,
+              attributes: AttributeMapper.map(attributes),
               kind: :client
             ) do |span|
               yield(payload).tap do |response|

instrumentation/net_ldap/test/opentelemetry/instrumentation/net/ldap/instrumentation_test.rb

@@ -29,6 +29,7 @@ class FakeConnection
 
     def initialize
       @bind_success = Result.new(true, Net::LDAP::ResultCodeSuccess)
+      @modify_success = Result.new(true, Net::LDAP::ResultCodeSuccess)
       @search_success = Result.new(true, Net::LDAP::ResultCodeSizeLimitExceeded)
     end
 
@@ -45,6 +46,11 @@ def search(*args)
     def add(args)
       raise Net::LDAP::Error, 'Connection timed out - user specified timeout'
     end
+
+    # for testing redaction
+    def modify(args)
+      @modify_success
+    end
   end
 
   before do
@@ -115,5 +121,25 @@ def add(args)
         _(span.attributes['net.peer.port']).must_equal 636
       end
     end
+
+    describe 'when modify happens' do
+      it 'tracks the attributes with correct name & redacts sensitive information' do
+        ldap.connection = FakeConnection.new
+        ops = [
+          [:replace, :unicodePwd, ['P@ssw0rd']],
+        ]
+        assert ldap.modify(dn: 'CN=test,OU=test,DC=com', operations: ops)
+
+        _(exporter.finished_spans.size).must_equal 1
+        _(span.name).must_equal 'modify.net_ldap'
+        _(span.attributes['ldap.auth']).must_equal '{"method":"anonymous"}'
+        _(span.attributes['ldap.base']).must_equal 'dc=com'
+        _(span.attributes['ldap.encryption']).must_equal '{"method":"simple_tls","tls_options":{"foo":"bar"}}'
+        _(span.attributes['ldap.payload']).must_equal '{"dn":"CN=test,OU=test,DC=com","operations":[["replace","unicodePwd",["[REDACTED]"]]]}'
+        _(span.attributes['ldap.status_code']).must_equal 0
+        _(span.attributes['net.peer.name']).must_equal 'test.mocked.com'
+        _(span.attributes['net.peer.port']).must_equal 636
+      end
+    end
   end
 end