Make header name checking case insensitive (#119)

jhzeba · web-flow · commit 009b014a87a7 · 2025-05-30T11:15:14.000-07:00
diff --git a/data_masks/redaction_test.go b/data_masks/redaction_test.go
@@ -73,6 +73,14 @@ func TestRedaction(t *testing.T) {
 			inputFile:    "003-witness.pb.txt",
 			expectedFile: "003-expected-redact-by-name-and-by-name-regexp.pb.txt",
 		},
+
+		"agent config: redact by name and by regexp": {
+			agentConfig: optionals.Some(&kgxapi.FieldRedactionConfig{
+				FieldNameRegexps: []*regexp.Regexp{regexp.MustCompile("^value for key[12]$")},
+			}),
+			inputFile:    "004-witness.pb.txt",
+			expectedFile: "004-expected-redact-by-value-regexp.pb.txt",
+		},
 	}
 
 	for testName, testCase := range testCases {
diff --git a/data_masks/redactor.go b/data_masks/redactor.go
@@ -220,7 +220,7 @@ func (s *redactSensitiveInfoVisitor) isSensitiveString(v string) bool {
 			return true
 		}
 	}
-	return false
+	return s.redactionOptions.userConfig.redactStringRegex(v)
 }
 
 // Determines whether the given Primitive has a sensitive value.
diff --git a/data_masks/testdata/004-expected-redact-by-value-regexp.pb.txt b/data_masks/testdata/004-expected-redact-by-value-regexp.pb.txt
@@ -0,0 +1,125 @@
+# api_spec.Witness proto
+
+method: {
+  id: {
+    api_type: HTTP_REST
+  }
+  args: {
+    key: "gwLpCbDEj9U="
+    value: {
+      primitive: {
+        string_value: {
+          value: "curl/8.11.1"
+        }
+      }
+      meta: {
+        http: {
+          header: {
+            key: "User-Agent"
+          }
+        }
+      }
+    }
+  }
+  args: {
+    key: "h9izWKXxdQE="
+    value: {
+      primitive: {
+        string_value: {
+          value: "*/*"
+        }
+      }
+      meta: {
+        http: {
+          header: {
+            key: "Accept"
+          }
+        }
+      }
+    }
+  }
+  responses: {
+    key: "bogus hash"
+    value: {
+      struct: {
+        fields: {
+          key: "api-key"
+          value: {
+            primitive: {
+              string_value: {
+                value: "*REDACTED*"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "by-value-regexp"
+          value: {
+            primitive: {
+              string_value: {
+                value: "*REDACTED*"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "by-name"
+          value: {
+            primitive: {
+              string_value: {
+                value: "redact by name"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "by-name-regexp"
+          value: {
+            primitive: {
+              string_value: {
+                value: "redact by name regexp"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "key1"
+          value: {
+            primitive: {
+              string_value: {
+                value: "*REDACTED*"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "key2"
+          value: {
+            primitive: {
+              string_value: {
+                value: "*REDACTED*"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "never"
+          value: {
+            primitive: {
+              string_value: {
+                value: "never redacted"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  meta: {
+    http: {
+      method: "GET"
+      path_template: "/"
+      host: "localhost:8080"
+    }
+  }
+}
diff --git a/data_masks/testdata/004-witness.pb.txt b/data_masks/testdata/004-witness.pb.txt
@@ -0,0 +1,125 @@
+# api_spec.Witness proto
+
+method: {
+  id: {
+    api_type: HTTP_REST
+  }
+  args: {
+    key: "gwLpCbDEj9U="
+    value: {
+      primitive: {
+        string_value: {
+          value: "curl/8.11.1"
+        }
+      }
+      meta: {
+        http: {
+          header: {
+            key: "User-Agent"
+          }
+        }
+      }
+    }
+  }
+  args: {
+    key: "h9izWKXxdQE="
+    value: {
+      primitive: {
+        string_value: {
+          value: "*/*"
+        }
+      }
+      meta: {
+        http: {
+          header: {
+            key: "Accept"
+          }
+        }
+      }
+    }
+  }
+  responses: {
+    key: "bogus hash"
+    value: {
+      struct: {
+        fields: {
+          key: "api-key"
+          value: {
+            primitive: {
+              string_value: {
+                value: "always redacted"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "by-value-regexp"
+          value: {
+            primitive: {
+              string_value: {
+                value: "PMAK-123456789012345678901234"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "by-name"
+          value: {
+            primitive: {
+              string_value: {
+                value: "redact by name"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "by-name-regexp"
+          value: {
+            primitive: {
+              string_value: {
+                value: "redact by name regexp"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "key1"
+          value: {
+            primitive: {
+              string_value: {
+                value: "value for key1"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "key2"
+          value: {
+            primitive: {
+              string_value: {
+                value: "value for key2"
+              }
+            }
+          }
+        }
+        fields: {
+          key: "never"
+          value: {
+            primitive: {
+              string_value: {
+                value: "never redacted"
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  meta: {
+    http: {
+      method: "GET"
+      path_template: "/"
+      host: "localhost:8080"
+    }
+  }
+}
diff --git a/data_masks/user_redaction_config.go b/data_masks/user_redaction_config.go
@@ -3,6 +3,7 @@ package data_masks
 import (
 	"regexp"
 	go_slices "slices"
+	"strings"
 	"sync"
 
 	"github.com/akitasoftware/akita-libs/api_schema"
@@ -12,8 +13,8 @@ import (
 )
 
 type userRedactionConfig struct {
-	fieldNames       sets.Set[string]
-	fieldNameRegexps []*regexp.Regexp
+	fieldNames    sets.Set[string]
+	stringRegexps []*regexp.Regexp
 
 	// Protects this instance.
 	mu sync.RWMutex
@@ -23,22 +24,31 @@ type userRedactionConfig struct {
 func newUserRedactionConfig(
 	agentConfig *api_schema.ServiceAgentConfig,
 ) *userRedactionConfig {
+	fieldNames := make([]string, 0, len(agentConfig.FieldsToRedact.FieldNames))
+	for _, fieldName := range agentConfig.FieldsToRedact.FieldNames {
+		fieldNames = append(fieldNames, strings.ToLower(fieldName))
+	}
+
 	return &userRedactionConfig{
-		fieldNames:       sets.NewSet(agentConfig.FieldsToRedact.FieldNames...),
-		fieldNameRegexps: agentConfig.FieldsToRedact.FieldNameRegexps,
+		fieldNames:    sets.NewSet(fieldNames...),
+		stringRegexps: agentConfig.FieldsToRedact.FieldNameRegexps,
 	}
 }
 
 // Determines whether fields with the given name should be redacted according to
 // this configuration.
 func (c *userRedactionConfig) redactFieldsNamed(fieldName string) bool {
-	if c.fieldNames.Contains(fieldName) {
+	if c.fieldNames.Contains(strings.ToLower(fieldName)) {
 		return true
 	}
 
+	return c.redactStringRegex(fieldName)
+}
+
+func (c *userRedactionConfig) redactStringRegex(v string) bool {
 	// Determine whether to redact based on user-specified regular expressions.
-	for _, re := range c.fieldNameRegexps {
-		if re.MatchString(fieldName) {
+	for _, re := range c.stringRegexps {
+		if re.MatchString(v) {
 			return true
 		}
 	}
@@ -50,13 +60,18 @@ func (c *userRedactionConfig) redactFieldsNamed(fieldName string) bool {
 func (c *userRedactionConfig) update(
 	agentConfig *api_schema.ServiceAgentConfig,
 ) {
-	newFieldNames := sets.NewSet(agentConfig.FieldsToRedact.FieldNames...)
+	fieldNames := make([]string, 0, len(agentConfig.FieldsToRedact.FieldNames))
+	for _, fieldName := range agentConfig.FieldsToRedact.FieldNames {
+		fieldNames = append(fieldNames, strings.ToLower(fieldName))
+	}
+
+	newFieldNames := sets.NewSet(fieldNames...)
 
 	// Filter out empty regular expressions from the incoming configuration. These
 	// match everything, which is almost certainly not what is intended. If the
 	// user wants to match everything, they can use a different regular
 	// expression, such as `$`.
-	newFieldNameRegexps := slices.Filter(
+	newStringRegexps := slices.Filter(
 		agentConfig.FieldsToRedact.FieldNameRegexps,
 		func(re *regexp.Regexp) bool {
 			return len(re.String()) > 0
@@ -73,8 +88,8 @@ func (c *userRedactionConfig) update(
 		}
 
 		if !go_slices.EqualFunc(
-			c.fieldNameRegexps,
-			newFieldNameRegexps,
+			c.stringRegexps,
+			newStringRegexps,
 			func(r1, r2 *regexp.Regexp) bool {
 				return r1.String() == r2.String()
 			},
@@ -96,10 +111,10 @@ func (c *userRedactionConfig) update(
 		c.mu.Unlock()
 		printer.Debugln("Updated user redaction config")
 		printer.Debugf("field names: %v\n", newFieldNames.AsSlice())
-		printer.Debugf("field name regexps: %v\n", newFieldNameRegexps)
+		printer.Debugf("string regexps: %v\n", newStringRegexps)
 	}()
 	c.fieldNames = newFieldNames
-	c.fieldNameRegexps = newFieldNameRegexps
+	c.stringRegexps = newStringRegexps
 }
 
 func (c *userRedactionConfig) RLock() {

Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ func (s *redactSensitiveInfoVisitor) isSensitiveString(v string) bool {`
`220`	`220`	`return true`
`221`	`221`	`}`
`222`	`222`	`}`
`223`		`- return false`
	`223`	`+ return s.redactionOptions.userConfig.redactStringRegex(v)`
`224`	`224`	`}`
`225`	`225`
`226`	`226`	`// Determines whether the given Primitive has a sensitive value.`