check for sensitive data before generating a filter function

kuhe · kuhe · commit b837e38e3593 · 2023-03-17T21:01:42.000Z
diff --git a/config/checkstyle/checkstyle.xml b/config/checkstyle/checkstyle.xml
@@ -22,7 +22,7 @@
     <!-- Files must contain a copyright header, with or without a year. -->
     <module name="RegexpHeader">
         <property name="header"
-                  value="/\*\n \* Copyright( 20(19|20|21|22)|) Amazon\.com, Inc\. or its affiliates\. All Rights Reserved\.\n"/>
+                  value="/\*\n \* Copyright( 20(19|20|21|22|23)|) Amazon\.com, Inc\. or its affiliates\. All Rights Reserved\.\n"/>
         <property name="fileExtensions" value="java"/>
     </module>
 
diff --git a/smithy-typescript-codegen/src/main/java/software/amazon/smithy/typescript/codegen/CommandGenerator.java b/smithy-typescript-codegen/src/main/java/software/amazon/smithy/typescript/codegen/CommandGenerator.java
@@ -46,6 +46,7 @@
 import software.amazon.smithy.typescript.codegen.endpointsV2.RuleSetParameterFinder;
 import software.amazon.smithy.typescript.codegen.integration.ProtocolGenerator;
 import software.amazon.smithy.typescript.codegen.integration.RuntimeClientPlugin;
+import software.amazon.smithy.typescript.codegen.validation.SensitiveDataFinder;
 import software.amazon.smithy.utils.OptionalUtils;
 import software.amazon.smithy.utils.SmithyInternalApi;
 
@@ -73,6 +74,7 @@ final class CommandGenerator implements Runnable {
     private final Symbol outputType;
     private final ProtocolGenerator protocolGenerator;
     private final ApplicationProtocol applicationProtocol;
+    private final SensitiveDataFinder sensitiveDataFinder = new SensitiveDataFinder();
 
     CommandGenerator(
             TypeScriptSettings settings,
@@ -313,20 +315,25 @@ private void generateCommandMiddlewareResolver(String configType) {
                 writer.openBlock("inputFilterSensitiveLog: ", ",", () -> {
                     OptionalUtils.ifPresentOrElse(operationIndex.getInput(operation),
                         input -> {
-                            Symbol inputSymbol = symbolProvider.toSymbol(input);
-                            String filterFunctionName = inputSymbol.getName() + "FilterSensitiveLog";
-                            writer.addImport(
-                                filterFunctionName,
-                                filterFunctionName,
-                                inputSymbol.getNamespace()
-                            );
-                            writer.writeInline(filterFunctionName);
+                            if (sensitiveDataFinder.findsSensitiveData(input, model)) {
+                                Symbol inputSymbol = symbolProvider.toSymbol(input);
+                                String filterFunctionName = inputSymbol.getName() + "FilterSensitiveLog";
+                                writer.addImport(
+                                    filterFunctionName,
+                                    filterFunctionName,
+                                    inputSymbol.getNamespace()
+                                );
+                                writer.writeInline(filterFunctionName);
+                            } else {
+                                writer.writeInline("(_: any) => _");
+                            }
                         },
-                        () -> writer.writeInline("(input: any) => input"));
+                        () -> writer.writeInline("(_: any) => _"));
                 });
                 writer.openBlock("outputFilterSensitiveLog: ", ",", () -> {
                     OptionalUtils.ifPresentOrElse(operationIndex.getOutput(operation),
                         output -> {
+                            if (sensitiveDataFinder.findsSensitiveData(output, model)) {
                             Symbol outputSymbol = symbolProvider.toSymbol(output);
                             String filterFunctionName = outputSymbol.getName() + "FilterSensitiveLog";
                             writer.addImport(
@@ -335,8 +342,11 @@ private void generateCommandMiddlewareResolver(String configType) {
                                 outputSymbol.getNamespace()
                             );
                             writer.writeInline(filterFunctionName);
+                            } else {
+                                writer.writeInline("(_: any) => _");
+                            }
                         },
-                        () -> writer.writeInline("(output: any) => output"));
+                        () -> writer.writeInline("(_: any) => _"));
                 });
             });
             writer.write("const { requestHandler } = configuration;");
diff --git a/smithy-typescript-codegen/src/main/java/software/amazon/smithy/typescript/codegen/StructureGenerator.java b/smithy-typescript-codegen/src/main/java/software/amazon/smithy/typescript/codegen/StructureGenerator.java
@@ -29,19 +29,22 @@
 import software.amazon.smithy.model.traits.ErrorTrait;
 import software.amazon.smithy.typescript.codegen.TypeScriptSettings.RequiredMemberMode;
 import software.amazon.smithy.typescript.codegen.integration.HttpProtocolGeneratorUtils;
+import software.amazon.smithy.typescript.codegen.validation.SensitiveDataFinder;
 import software.amazon.smithy.utils.SmithyInternalApi;
 
 /**
  * Generates normal structures and error structures.
  *
  * Renders structures as interfaces.
  *
- * <p>A namespace is created with the same name as the structure to
+ * <p>
+ * A namespace is created with the same name as the structure to
  * provide helper functionality for checking if a given value is
  * known to be of the same type as the structure. This will be
  * even more useful if/when inheritance is added to Smithy.
  *
- * <p>Note that the {@code required} trait on structures is used to
+ * <p>
+ * Note that the {@code required} trait on structures is used to
  * determine whether or not a generated TypeScript interface uses
  * required members. This is typically not recommended in other languages
  * since it's documented as backward-compatible for a model to migrate a
@@ -55,7 +58,8 @@
  * deserializers will need to set previously required properties to
  * undefined too.
  *
- * <p>The generator will explicitly state that a required property can
+ * <p>
+ * The generator will explicitly state that a required property can
  * be set to {@code undefined}. This makes it clear that undefined checks
  * need to be made when using {@code --strictNullChecks}, but has no
  * effect otherwise.
@@ -69,22 +73,23 @@ final class StructureGenerator implements Runnable {
     private final StructureShape shape;
     private final boolean includeValidation;
     private final RequiredMemberMode requiredMemberMode;
+    private final SensitiveDataFinder sensitiveDataFinder = new SensitiveDataFinder();
 
     /**
      * sets 'includeValidation' to 'false' and requiredMemberMode
      * to {@link RequiredMemberMode#NULLABLE}.
      */
     StructureGenerator(Model model, SymbolProvider symbolProvider, TypeScriptWriter writer, StructureShape shape) {
         this(model, symbolProvider, writer, shape, false,
-            RequiredMemberMode.NULLABLE);
+                RequiredMemberMode.NULLABLE);
     }
 
     StructureGenerator(Model model,
-                       SymbolProvider symbolProvider,
-                       TypeScriptWriter writer,
-                       StructureShape shape,
-                       boolean includeValidation,
-                       RequiredMemberMode requiredMemberMode) {
+            SymbolProvider symbolProvider,
+            TypeScriptWriter writer,
+            StructureShape shape,
+            boolean includeValidation,
+            RequiredMemberMode requiredMemberMode) {
         this.model = model;
         this.symbolProvider = symbolProvider;
         this.writer = writer;
@@ -105,20 +110,24 @@ public void run() {
     /**
      * Renders a normal, non-error structure.
      *
-     * <p>For example, given the following Smithy model:
+     * <p>
+     * For example, given the following Smithy model:
      *
-     * <pre>{@code
+     * <pre>
+     * {@code
      * namespace smithy.example
      *
      * structure Person {
-     *     @required
+     *     &#64;required
      *     name: String,
-     *     @range(min: 1)
+     *     &#64;range(min: 1)
      *     age: Integer,
      * }
-     * }</pre>
+     * }
+     * </pre>
      *
-     * <p>The following TypeScript is rendered:
+     * <p>
+     * The following TypeScript is rendered:
      *
      * <pre>{@code
      * export interface Person {
@@ -129,7 +138,8 @@ public void run() {
      * export const PersonFilterSensitiveLog = (obj: Person): any => ({...obj});
      * }</pre>
      *
-     * <p>If validation is enabled, it generates the following:
+     * <p>
+     * If validation is enabled, it generates the following:
      *
      * <pre>{@code
      * export interface Person {
@@ -174,15 +184,17 @@ private void renderNonErrorStructure() {
     private void renderStructureNamespace(StructuredMemberWriter structuredMemberWriter, boolean includeValidation) {
         Symbol symbol = symbolProvider.toSymbol(shape);
         String objectParam = "obj";
-        writer.writeDocs("@internal");
-        writer.openBlock("export const $LFilterSensitiveLog = ($L: $L): any => ({", "})",
-            symbol.getName(),
-            objectParam,
-            symbol.getName(),
-            () -> {
-                structuredMemberWriter.writeFilterSensitiveLog(writer, objectParam);
-            }
-        );
+
+        if (sensitiveDataFinder.findsSensitiveData(shape, model)) {
+            writer.writeDocs("@internal");
+            writer.openBlock("export const $LFilterSensitiveLog = ($L: $L): any => ({", "})",
+                    symbol.getName(),
+                    objectParam,
+                    symbol.getName(),
+                    () -> {
+                        structuredMemberWriter.writeFilterSensitiveLog(writer, objectParam);
+                    });
+        }
 
         if (!includeValidation) {
             return;
@@ -212,19 +224,23 @@ private void renderStructureNamespace(StructuredMemberWriter structuredMemberWri
      * (ServiceException in case of server SDK), and add the appropriate fault
      * property.
      *
-     * <p>Given the following Smithy structure:
+     * <p>
+     * Given the following Smithy structure:
      *
-     * <pre>{@code
+     * <pre>
+     * {@code
      * namespace smithy.example
      *
-     * @error("client")
+     * &#64;error("client")
      * structure NoSuchResource {
-     *     @required
+     *     &#64;required
      *     resourceType: String
      * }
-     * }</pre>
+     * }
+     * </pre>
      *
-     * <p>The following TypeScript is generated:
+     * <p>
+     * The following TypeScript is generated:
      *
      * <pre>{@code
      * import { ExceptionOptionType as __ExceptionOptionType } from "@aws-sdk/smithy-client";
@@ -262,7 +278,8 @@ private void renderErrorStructure() {
         }
         StructuredMemberWriter structuredMemberWriter = new StructuredMemberWriter(model, symbolProvider,
                 shape.getAllMembers().values(), this.requiredMemberMode);
-        // since any error interface must extend from JavaScript Error interface, message member is already
+        // since any error interface must extend from JavaScript Error interface,
+        // message member is already
         // required in the JavaScript Error interface
         structuredMemberWriter.skipMembers.add("message");
         structuredMemberWriter.writeMembers(writer, shape);
diff --git a/smithy-typescript-codegen/src/main/java/software/amazon/smithy/typescript/codegen/validation/SensitiveDataFinder.java b/smithy-typescript-codegen/src/main/java/software/amazon/smithy/typescript/codegen/validation/SensitiveDataFinder.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.smithy.typescript.codegen.validation;
+
+import java.util.HashMap;
+import java.util.Map;
+import software.amazon.smithy.model.Model;
+import software.amazon.smithy.model.shapes.CollectionShape;
+import software.amazon.smithy.model.shapes.MapShape;
+import software.amazon.smithy.model.shapes.MemberShape;
+import software.amazon.smithy.model.shapes.Shape;
+import software.amazon.smithy.model.shapes.SimpleShape;
+import software.amazon.smithy.model.traits.SensitiveTrait;
+
+public class SensitiveDataFinder {
+    private Map<Shape, Boolean> cache = new HashMap<>();
+
+    public boolean findsSensitiveData(Shape shape, Model model) {
+        boolean found = findRecursive(shape, model);
+        cache.put(shape, found);
+        return found;
+    }
+
+    private boolean findRecursive(Shape shape, Model model) {
+        if (cache.containsKey(shape)) {
+            return cache.get(shape);
+        }
+
+        if (shape.hasTrait(SensitiveTrait.class)) {
+            cache.put(shape, true);
+            return true;
+        }
+
+        if (shape instanceof MemberShape) {
+            MemberShape memberShape = (MemberShape) shape;
+            if (memberShape.getMemberTrait(model, SensitiveTrait.class).isPresent()) {
+                cache.put(shape, true);
+                return true;
+            }
+            Shape memberTarget = model.expectShape(memberShape.getTarget());
+            return findRecursive(memberTarget, model);
+        }
+
+        if (shape.getMemberTrait(model, SensitiveTrait.class).isPresent()) {
+            cache.put(shape, true);
+            return true;
+        } else if (shape instanceof SimpleShape) {
+            cache.put(shape, false);
+            return false;
+        } else if (shape.isStructureShape() || shape.isUnionShape()) {
+            boolean found = shape.getAllMembers()
+                    .values()
+                    .stream()
+                    .anyMatch(m -> findRecursive(m, model));
+
+            cache.put(shape, found);
+            return found;
+        } else if (shape instanceof CollectionShape) {
+            MemberShape collectionMember = ((CollectionShape) shape).getMember();
+            return findRecursive(collectionMember, model);
+        } else if (shape instanceof MapShape) {
+            MemberShape keyMember = ((MapShape) shape).getKey();
+            MemberShape valMember = ((MapShape) shape).getValue();
+            return findRecursive(keyMember, model) || findRecursive(valMember, model);
+        }
+
+        cache.put(shape, false);
+        return false;
+    }
+}
diff --git a/smithy-typescript-codegen/src/test/java/software/amazon/smithy/typescript/codegen/validation/SensitiveDataFinderTest.java b/smithy-typescript-codegen/src/test/java/software/amazon/smithy/typescript/codegen/validation/SensitiveDataFinderTest.java
