internal/awsutil: Add suppressing logging sensitive API parameters (#398

)

Adds suppressing logging sensitive API parameters marked with the
`sensitive` trait. This prevents the API type's `String` method
returning a string representation of the API type with sensitive fields
printed such as keys and passwords.

Related to aws/aws-sdk-go#2310
Fixes #251

CHANGELOG_PENDING.md

@@ -10,14 +10,17 @@ Deprecations
 * Removes support for deprecated Go versions ([#393](https://github.com/aws/aws-sdk-go-v2/pull/393))
   * Removes support for Go version specific files from the SDK. Also removes irrelevant build tags, and updates the README.md file. 
   * Raises the minimum supported version to Go 1.11 for the SDK. Older versions may work, but are not actively supported
-  
+
 SDK Features
 ---
 
 SDK Enhancements
 ---
+* `internal/awsutil`: Add suppressing logging sensitive API parameters ([#398](https://github.com/aws/aws-sdk-go-v2/pull/398))
+  * Adds suppressing logging sensitive API parameters marked with the `sensitive` trait. This prevents the API type's `String` method returning a string representation of the API type with sensitive fields printed such as keys and passwords.
+  * Related to [aws/aws-sdk-go#2310](https://github.com/aws/aws-sdk-go/pull/2310)
+  * Fixes [#251](https://github.com/aws/aws-sdk-go-v2/issues/251)
 * `aws/request` : Retryer is now a named field on Request. ([#393](https://github.com/aws/aws-sdk-go-v2/pull/393))
 
 SDK Bugs
 ---
-* `private/model/api`: Fixes broken test for code generation. ([#393](https://github.com/aws/aws-sdk-go-v2/pull/393))

Makefile

@@ -19,7 +19,6 @@ SDK_EXAMPLES_PKGS=./example/...
 SDK_MODELS_PKGS=./models/...
 SDK_ALL_PKGS=${SDK_COMPA_PKGS} ${SDK_EXAMPLES_PKGS} ${SDK_MODELS_PKGS}
 
-SDK_V1_USAGE=$(shell go list -f '''{{ if not .Standard }}{{ range $$_, $$name := .Imports }} * {{ $$.ImportPath }} -> {{ $$name }}{{ print "\n" }}{{ end }}{{ end }}''' ./... | sort -u | grep '''/aws-sdk-go/''')
 
 all: generate unit
 
@@ -144,7 +143,9 @@ vet:
 
 sdkv1check:
 	@echo "Checking for usage of AWS SDK for Go v1"
-	@if [ ! -z "${SDK_V1_USAGE}" ]; then echo "Using of V1 SDK packages"; echo "${SDK_V1_USAGE}"; exit 1; fi
+	@sdkv1usage=`go list -test -f '''{{ if not .Standard }}{{ range $$_, $$name := .Imports }} * {{ $$.ImportPath }} -> {{ $$name }}{{ print "\n" }}{{ end }}{{ range $$_, $$name := .TestImports }} *: {{ $$.ImportPath }} -> {{ $$name }}{{ print "\n" }}{{ end }}{{ end}}''' ./... | sort -u | grep '''/aws-sdk-go/'''`; \
+	echo "$$sdkv1usage"; \
+	if [ "$$sdkv1usage" != "" ]; then exit 1; fi
 
 ################
 # Dependencies #

go.mod

@@ -4,9 +4,10 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-sql-driver/mysql v1.4.0
 	github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af
-	github.com/pkg/errors v0.8.0
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/stretchr/testify v1.2.2 // indirect
 	golang.org/x/net v0.0.0-20181201002055-351d144fa1fc
 	google.golang.org/appengine v1.2.0 // indirect
 )
+
+go 1.11

go.sum

@@ -5,8 +5,6 @@ github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=

internal/awsutil/string_value.go

@@ -23,28 +23,27 @@ func stringValue(v reflect.Value, indent int, buf *bytes.Buffer) {
 	case reflect.Struct:
 		buf.WriteString("{\n")
 
-		names := []string{}
 		for i := 0; i < v.Type().NumField(); i++ {
-			name := v.Type().Field(i).Name
-			f := v.Field(i)
-			if name[0:1] == strings.ToLower(name[0:1]) {
+			ft := v.Type().Field(i)
+			fv := v.Field(i)
+
+			if ft.Name[0:1] == strings.ToLower(ft.Name[0:1]) {
 				continue // ignore unexported fields
 			}
-			if (f.Kind() == reflect.Ptr || f.Kind() == reflect.Slice) && f.IsNil() {
+			if (fv.Kind() == reflect.Ptr || fv.Kind() == reflect.Slice) && fv.IsNil() {
 				continue // ignore unset fields
 			}
-			names = append(names, name)
-		}
 
-		for i, n := range names {
-			val := v.FieldByName(n)
 			buf.WriteString(strings.Repeat(" ", indent+2))
-			buf.WriteString(n + ": ")
-			stringValue(val, indent+2, buf)
+			buf.WriteString(ft.Name + ": ")
 
-			if i < len(names)-1 {
-				buf.WriteString(",\n")
+			if tag := ft.Tag.Get("sensitive"); tag == "true" {
+				buf.WriteString("<sensitive>")
+			} else {
+				stringValue(fv, indent+2, buf)
 			}
+
+			buf.WriteString(",\n")
 		}
 
 		buf.WriteString("\n" + strings.Repeat(" ", indent) + "}")

internal/awsutil/string_value_test.go

@@ -0,0 +1,50 @@
+package awsutil_test
+
+import (
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/internal/awsutil"
+)
+
+type testStruct struct {
+	Field1 string
+	Field2 *string
+	Field3 []byte `sensitive:"true"`
+	Value  []string
+}
+
+func TestStringValue(t *testing.T) {
+	cases := map[string]struct {
+		Value  interface{}
+		Expect string
+	}{
+		"general": {
+			Value: testStruct{
+				Field1: "abc123",
+				Field2: aws.String("abc123"),
+				Field3: []byte("don't show me"),
+				Value: []string{
+					"first",
+					"second",
+				},
+			},
+			Expect: `{
+  Field1: "abc123",
+  Field2: "abc123",
+  Field3: <sensitive>,
+  Value: ["first","second"],
+
+}`,
+		},
+	}
+
+	for d, c := range cases {
+		t.Run(d, func(t *testing.T) {
+			actual := awsutil.StringValue(c.Value)
+			if e, a := c.Expect, actual; e != a {
+				t.Errorf("expect:\n%v\nactual:\n%v\n", e, a)
+			}
+		})
+	}
+}

private/model/api/shape.go

@@ -116,6 +116,9 @@ type Shape struct {
 	// Flags that the shape cannot be rename. Prevents the shape from being
 	// renamed further by the Input/Output.
 	AliasedShapeName bool
+
+	// Sensitive types should not be logged by SDK type loggers.
+	Sensitive bool `json:"sensitive"`
 }
 
 // ErrorCodeName will return the error shape's name formated for
@@ -509,6 +512,10 @@ func (ref *ShapeRef) GoTags(toplevel bool, isRequired bool) string {
 		tags = append(tags, ShapeTag{"idempotencyToken", "true"})
 	}
 
+	if ref.Shape.Sensitive {
+		tags = append(tags, ShapeTag{"sensitive", "true"})
+	}
+
 	if ref.Ignore {
 		tags = append(tags, ShapeTag{"ignore", "true"})
 	}