chore(core/schema): use schema log filter when available

Author: kuhe

.changeset/lemon-wasps-itch.md

@@ -0,0 +1,5 @@
+---
+"@smithy/smithy-client": minor
+---
+
+default schema log filter

packages/smithy-client/src/command.ts

@@ -20,6 +20,8 @@ import type {
 } from "@smithy/types";
 import { SMITHY_CONTEXT_KEY } from "@smithy/types";
 
+import { schemaLogFilter } from "./schemaLogFilter";
+
 /**
  * @public
  */
@@ -130,8 +132,8 @@ class ClassBuilder<
   private _clientName = "";
   private _additionalContext = {} as HandlerExecutionContext;
   private _smithyContext = {} as Record<string, unknown>;
-  private _inputFilterSensitiveLog = (_: any) => _;
-  private _outputFilterSensitiveLog = (_: any) => _;
+  private _inputFilterSensitiveLog: any = undefined;
+  private _outputFilterSensitiveLog: any = undefined;
   private _serializer: (input: I, context: SerdeContext | any) => Promise<IHttpRequest> = null as any;
   private _deserializer: (output: IHttpResponse, context: SerdeContext | any) => Promise<O> = null as any;
   private _operationSchema?: OperationSchema;
@@ -268,8 +270,12 @@ class ClassBuilder<
           middlewareFn: closure._middlewareFn,
           clientName: closure._clientName,
           commandName: closure._commandName,
-          inputFilterSensitiveLog: closure._inputFilterSensitiveLog,
-          outputFilterSensitiveLog: closure._outputFilterSensitiveLog,
+          inputFilterSensitiveLog:
+            closure._inputFilterSensitiveLog ??
+            (closure._operationSchema ? schemaLogFilter.bind(null, closure._operationSchema!.input) : (_) => _),
+          outputFilterSensitiveLog:
+            closure._outputFilterSensitiveLog ??
+            (closure._operationSchema ? schemaLogFilter.bind(null, closure._operationSchema!.output) : (_) => _),
           smithyContext: closure._smithyContext,
           additionalContext: closure._additionalContext,
         });

packages/smithy-client/src/schemaLogFilter.spec.ts

@@ -0,0 +1,87 @@
+import { describe, test as it, expect } from "vitest";
+import { schemaLogFilter } from "./schemaLogFilter";
+import { list, map, SCHEMA, sim, struct } from "@smithy/core/schema";
+
+describe(schemaLogFilter.name, () => {
+  it("should filter sensitive trait-marked fields", () => {
+    const sensitiveString = sim("ns", "SensitiveString", 0, { sensitive: 1 });
+
+    const schema = struct(
+      "ns",
+      "Struct",
+      0,
+      ["a", "b", "sensitive", "nestedSensitive", "various"],
+      [
+        SCHEMA.STRING,
+        SCHEMA.STRING,
+        sensitiveString,
+        struct("ns", "NestedSensitiveStruct", 0, ["sensitive"], [sensitiveString]),
+        struct(
+          "ns",
+          "Various",
+          0,
+          ["boolean", "number", "struct", "list-s", "list", "map-s", "map"],
+          [
+            sim("ns", "Boolean", SCHEMA.BOOLEAN, { sensitive: 1 }),
+            sim("ns", "Numeric", SCHEMA.NUMERIC, { sensitive: 1 }),
+            struct("ns", "SensitiveStruct", { sensitive: 1 }, [], []),
+            list("ns", "List", 0, sensitiveString),
+            list("ns", "List", 0, SCHEMA.STRING),
+            map("ns", "Map", 0, sensitiveString, SCHEMA.STRING),
+            map("ns", "Map", 0, SCHEMA.STRING, SCHEMA.STRING),
+          ]
+        ),
+      ]
+    );
+
+    expect(
+      schemaLogFilter(schema, {
+        a: "a",
+        b: "b",
+        sensitive: "xyz",
+        nestedSensitive: {
+          sensitive: "xyz",
+        },
+        various: {
+          boolean: false,
+          number: 1,
+          struct: {
+            q: "rf",
+          },
+          "list-s": [1, 2, 3],
+          list: [4, 5, 6],
+          "map-s": {
+            a: "a",
+            b: "b",
+            c: "c",
+          },
+          map: {
+            a: "d",
+            b: "e",
+            c: "f",
+          },
+        },
+      })
+    ).toEqual({
+      a: "a",
+      b: "b",
+      sensitive: "***SensitiveInformation***",
+      nestedSensitive: {
+        sensitive: "***SensitiveInformation***",
+      },
+      various: {
+        boolean: "***SensitiveInformation***",
+        number: "***SensitiveInformation***",
+        struct: "***SensitiveInformation***",
+        "list-s": "***SensitiveInformation***",
+        list: [4, 5, 6],
+        "map-s": "***SensitiveInformation***",
+        map: {
+          a: "d",
+          b: "e",
+          c: "f",
+        },
+      },
+    });
+  });
+});

packages/smithy-client/src/schemaLogFilter.ts

@@ -0,0 +1,46 @@
+import { NormalizedSchema } from "@smithy/core/schema";
+import type { SchemaRef } from "@smithy/types";
+
+const SENSITIVE_STRING = "***SensitiveInformation***";
+
+/**
+ * Redacts sensitive parts of any data object using its schema, for logging.
+ *
+ * @internal
+ * @param schema - with filtering traits.
+ * @param data - to be logged.
+ */
+export function schemaLogFilter(schema: SchemaRef, data: unknown): any {
+  if (data == null) {
+    return data;
+  }
+  const ns = NormalizedSchema.of(schema);
+  if (ns.getMergedTraits().sensitive) {
+    return SENSITIVE_STRING;
+  }
+
+  if (ns.isListSchema()) {
+    const isSensitive = !!ns.getValueSchema().getMergedTraits().sensitive;
+    if (isSensitive) {
+      return SENSITIVE_STRING;
+    }
+  } else if (ns.isMapSchema()) {
+    const isSensitive =
+      !!ns.getKeySchema().getMergedTraits().sensitive || !!ns.getValueSchema().getMergedTraits().sensitive;
+    if (isSensitive) {
+      return SENSITIVE_STRING;
+    }
+  } else if (ns.isStructSchema() && typeof data === "object") {
+    const object = data as Record<string, unknown>;
+
+    const newObject = {} as any;
+    for (const [member, memberNs] of ns.structIterator()) {
+      if (object[member] != null) {
+        newObject[member] = schemaLogFilter(memberNs, object[member]);
+      }
+    }
+    return newObject;
+  }
+
+  return data;
+}

private/smithy-rpcv2-cbor-schema/src/commands/EmptyInputOutputCommand.ts

@@ -66,7 +66,6 @@ export class EmptyInputOutputCommand extends $Command
   })
   .s("RpcV2Protocol", "EmptyInputOutput", {})
   .n("RpcV2ProtocolClient", "EmptyInputOutputCommand")
-  .f(void 0, void 0)
   .sc(EmptyInputOutput)
   .build() {
   /** @internal type navigation helper, not in runtime. */

private/smithy-rpcv2-cbor-schema/src/commands/Float16Command.ts

@@ -68,7 +68,6 @@ export class Float16Command extends $Command
   })
   .s("RpcV2Protocol", "Float16", {})
   .n("RpcV2ProtocolClient", "Float16Command")
-  .f(void 0, void 0)
   .sc(Float16)
   .build() {
   /** @internal type navigation helper, not in runtime. */

private/smithy-rpcv2-cbor-schema/src/commands/FractionalSecondsCommand.ts

@@ -68,7 +68,6 @@ export class FractionalSecondsCommand extends $Command
   })
   .s("RpcV2Protocol", "FractionalSeconds", {})
   .n("RpcV2ProtocolClient", "FractionalSecondsCommand")
-  .f(void 0, void 0)
   .sc(FractionalSeconds)
   .build() {
   /** @internal type navigation helper, not in runtime. */

private/smithy-rpcv2-cbor-schema/src/commands/GreetingWithErrorsCommand.ts

@@ -81,7 +81,6 @@ export class GreetingWithErrorsCommand extends $Command
   })
   .s("RpcV2Protocol", "GreetingWithErrors", {})
   .n("RpcV2ProtocolClient", "GreetingWithErrorsCommand")
-  .f(void 0, void 0)
   .sc(GreetingWithErrors)
   .build() {
   /** @internal type navigation helper, not in runtime. */

private/smithy-rpcv2-cbor-schema/src/commands/NoInputOutputCommand.ts

@@ -65,7 +65,6 @@ export class NoInputOutputCommand extends $Command
   })
   .s("RpcV2Protocol", "NoInputOutput", {})
   .n("RpcV2ProtocolClient", "NoInputOutputCommand")
-  .f(void 0, void 0)
   .sc(NoInputOutput)
   .build() {
   /** @internal type navigation helper, not in runtime. */

private/smithy-rpcv2-cbor-schema/src/commands/OperationWithDefaultsCommand.ts

@@ -134,7 +134,6 @@ export class OperationWithDefaultsCommand extends $Command
   })
   .s("RpcV2Protocol", "OperationWithDefaults", {})
   .n("RpcV2ProtocolClient", "OperationWithDefaultsCommand")
-  .f(void 0, void 0)
   .sc(OperationWithDefaults)
   .build() {
   /** @internal type navigation helper, not in runtime. */