postmanlabs
diff --git a/‎data_masks/redaction_test.go
Lines changed: 71 additions & 0 deletions b/‎data_masks/redaction_test.go
Lines changed: 71 additions & 0 deletions
diff --git a/‎data_masks/redactor.go
Lines changed: 62 additions & 0 deletions b/‎data_masks/redactor.go
Lines changed: 62 additions & 0 deletions
diff --git a/‎data_masks/testdata/001-expected-zero-all-primitives.pb.txt
Lines changed: 118 additions & 0 deletions b/‎data_masks/testdata/001-expected-zero-all-primitives.pb.txt
Lines changed: 118 additions & 0 deletions
diff --git a/‎data_masks/testdata/005-expected-redacted-path.pb.txt
Lines changed: 118 additions & 0 deletions b/‎data_masks/testdata/005-expected-redacted-path.pb.txt
Lines changed: 118 additions & 0 deletions
@@ -115,6 +115,54 @@ func TestRedaction(t *testing.T) {
 	}
 }
 
+func TestZeroAllPrimitives(t *testing.T) {
+	testCases := map[string]struct {
+		agentConfig  optionals.Optional[*kgxapi.FieldRedactionConfig]
+		inputFile    string
+		expectedFile string
+	}{
+		"zero all primitives": {
+			inputFile:    "001-witness.pb.txt",
+			expectedFile: "001-expected-zero-all-primitives.pb.txt",
+		},
+		"redact secret in path": {
+			inputFile:    "005-witness.pb.txt",
+			expectedFile: "005-expected-redacted-path.pb.txt",
+		},
+	}
+
+	for testName, testCase := range testCases {
+		func() {
+			ctrl := gomock.NewController(t)
+			mockClient := mockrest.NewMockLearnClient(ctrl)
+			defer ctrl.Finish()
+
+			agentConfig := kgxapi.NewServiceAgentConfig()
+			if fieldsToRedact, exists := testCase.agentConfig.Get(); exists {
+				agentConfig.FieldsToRedact = fieldsToRedact
+			}
+
+			mockClient.
+				EXPECT().
+				GetDynamicAgentConfigForService(gomock.Any(), gomock.Any()).
+				AnyTimes().
+				Return(agentConfig, nil)
+
+			o, err := NewRedactor(akid.GenerateServiceID(), mockClient)
+			assert.NoError(t, err)
+
+			testWitness := test.LoadWitnessFromFileOrDie(filepath.Join("testdata", testCase.inputFile))
+			expectedWitness := test.LoadWitnessFromFileOrDie(filepath.Join("testdata", testCase.expectedFile))
+
+			o.ZeroAllPrimitives(testWitness.Method)
+
+			if diff := cmp.Diff(expectedWitness, testWitness, cmpOptions...); diff != "" {
+				t.Errorf("found unexpected diff in test case %q:\n%s", testName, diff)
+			}
+		}()
+	}
+}
+
 func BenchmarkRedaction(b *testing.B) {
 	ctrl := gomock.NewController(b)
 	mockClient := mockrest.NewMockLearnClient(ctrl)
@@ -137,3 +185,26 @@ func BenchmarkRedaction(b *testing.B) {
 		o.RedactSensitiveData(testWitness.Method)
 	}
 }
+
+func BenchmarkZeroAllPrimitives(b *testing.B) {
+	ctrl := gomock.NewController(b)
+	mockClient := mockrest.NewMockLearnClient(ctrl)
+	defer ctrl.Finish()
+
+	mockClient.
+		EXPECT().
+		GetDynamicAgentConfigForService(gomock.Any(), gomock.Any()).
+		AnyTimes().
+		Return(kgxapi.NewServiceAgentConfig(), nil)
+
+	o, err := NewRedactor(akid.GenerateServiceID(), mockClient)
+	assert.NoError(b, err)
+
+	testWitness := test.LoadWitnessFromFileOrDie(filepath.Join("testdata", "001-witness.pb.txt"))
+
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		o.ZeroAllPrimitives(testWitness.Method)
+	}
+}
@@ -131,6 +131,18 @@ func (o *Redactor) RedactSensitiveData(m *pb.Method) {
 	vis.Apply(&pov, m)
 }
 
+func (o *Redactor) ZeroAllPrimitives(m *pb.Method) {
+	o.userConfig.RLock()
+	defer o.userConfig.RUnlock()
+
+	zpv := zeroPrimitivesVisitor{
+		redactionOptions: o,
+	}
+	vis.Apply(&zpv, m)
+
+	m.GetMeta().GetHttp().Obfuscation = pb.HTTPMethodMeta_ZERO_VALUE
+}
+
 // Determines whether fields with the given name should be redacted. Caller must
 // hold at least a read lock on muUserConfig.
 func (o *Redactor) redactFieldsNamed(fieldName string) bool {
@@ -261,3 +273,53 @@ func (*redactPrimitivesVisitor) EnterData(self interface{}, _ vis.SpecVisitorCon
 func redactPrimitive(p *pb.Primitive) {
 	p.Value = spec_util.NewPrimitiveString(RedactionString).Value
 }
+
+// Replaces all primitive values with zero values.
+type zeroPrimitivesVisitor struct {
+	vis.DefaultSpecVisitorImpl
+	redactionOptions *Redactor
+}
+
+var _ vis.DefaultSpecVisitor = (*zeroPrimitivesVisitor)(nil)
+
+// EnterData processes the given data and replaces all the primitive values
+// with zero values, regardless of its metadata.
+func (*zeroPrimitivesVisitor) EnterData(self interface{}, _ vis.SpecVisitorContext, d *pb.Data) Cont {
+	dp := d.GetPrimitive()
+	if dp == nil {
+		return Continue
+	}
+
+	pv, err := spec_util.PrimitiveValueFromProto(dp)
+	if err != nil {
+		printer.Warningf("failed to zero out raw value, dropping\n")
+		d.Value = nil
+		return Continue
+	}
+
+	dp.Value = pv.Obfuscate().ToProto().Value
+	return Continue
+}
+
+func (s *zeroPrimitivesVisitor) EnterHTTPMethodMeta(self interface{}, ctx vis.SpecVisitorContext, meta *pb.HTTPMethodMeta) Cont {
+	pathSegments := strings.Split(meta.PathTemplate, "/")
+
+	for i, segment := range pathSegments {
+		// Check if the path segment contains sensitive information.
+		if s.isSensitiveString(segment) {
+			pathSegments[i] = RedactionString
+		}
+	}
+
+	meta.PathTemplate = strings.Join(pathSegments, "/")
+	return SkipChildren
+}
+
+func (s *zeroPrimitivesVisitor) isSensitiveString(v string) bool {
+	for _, pattern := range s.redactionOptions.SensitiveDataValuePatterns {
+		if pattern.MatchString(v) {
+			return true
+		}
+	}
+	return s.redactionOptions.userConfig.redactStringRegex(v)
+}
@@ -0,0 +1,118 @@
+# api_spec.Witness proto
+
+method: {
+    meta: {
+        http: {
+            method: "POST"
+            path_template: "/v1/doggos" 
+            host: "example.com"
+        }
+    }
+    args: {
+        key: "KC2RO-pCNJA=" 
+        value: {
+            primitive: {
+                string_value: {}
+            }
+            meta: {
+                http: {
+                    header: {
+                        key: "Normal-Header"
+                    }
+                }
+            }
+        }
+    }
+    args: {
+        key: "4F1vWo8G_-Q="
+        value: {
+            primitive: {
+                string_value: {}
+            }
+            meta: {
+                http: {
+                    header: {
+                        key: "x-access-token"
+                    }
+                }
+            }
+        }
+    }
+    args: {
+        key: "MWeG2T99uHI="
+        value: {
+            struct: {
+                fields: {
+                    key: "name" 
+                    value: {
+                        primitive: {
+                            string_value: {}
+                        }
+                    }
+                }
+                fields: {
+                    key: "number" 
+                    value: {
+                        primitive: {
+                            int64_value: {}
+                        }
+                    }
+                }
+                fields: {
+                    key: "secret-value" 
+                    value: {
+                        primitive: {
+                            string_value: {}
+                        }
+                    }
+                }
+            }
+            meta: {
+                http: {
+                    body: {
+                        content_type: JSON 
+                        other_type: "application/json"
+                    }
+                }
+            }
+        }
+    }
+    responses: {
+        key: "T7Jfr4mf1Zs=" 
+        value: {
+            struct: {
+                fields: {
+                    key: "homes" 
+                    value: {
+                        list: {
+                            elems: {
+                                primitive: {
+                                    string_value: {}
+                                }
+                            }
+                            elems: {
+                                primitive: {
+                                    string_value: {}
+                                }
+                            }
+                            elems: {
+                                primitive: {
+                                    string_value: {}
+                                }
+                            }
+                        }
+                    }
+                }
+            } 
+            meta: {
+                http: {
+                    body: {
+                        content_type: JSON 
+                        other_type: "application/json"
+                    }
+                    response_code: 404
+                }
+            }
+        }
+    }
+}
@@ -0,0 +1,118 @@
+# api_spec.Witness proto
+
+method: {
+    meta: {
+        http: {
+            method: "POST"
+            path_template: "/v1/doggos/*REDACTED*" 
+            host: "example.com"
+        }
+    }
+    args: {
+        key: "KC2RO-pCNJA=" 
+        value: {
+            primitive: {
+                string_value: {}
+            }
+            meta: {
+                http: {
+                    header: {
+                        key: "Normal-Header"
+                    }
+                }
+            }
+        }
+    }
+    args: {
+        key: "4F1vWo8G_-Q="
+        value: {
+            primitive: {
+                string_value: {}
+            }
+            meta: {
+                http: {
+                    header: {
+                        key: "x-access-token"
+                    }
+                }
+            }
+        }
+    }
+    args: {
+        key: "MWeG2T99uHI="
+        value: {
+            struct: {
+                fields: {
+                    key: "name" 
+                    value: {
+                        primitive: {
+                            string_value: {}
+                        }
+                    }
+                }
+                fields: {
+                    key: "number" 
+                    value: {
+                        primitive: {
+                            int64_value: {}
+                        }
+                    }
+                }
+                fields: {
+                    key: "secret-value" 
+                    value: {
+                        primitive: {
+                            string_value: {}
+                        }
+                    }
+                }
+            }
+            meta: {
+                http: {
+                    body: {
+                        content_type: JSON 
+                        other_type: "application/json"
+                    }
+                }
+            }
+        }
+    }
+    responses: {
+        key: "T7Jfr4mf1Zs=" 
+        value: {
+            struct: {
+                fields: {
+                    key: "homes" 
+                    value: {
+                        list: {
+                            elems: {
+                                primitive: {
+                                    string_value: {}
+                                }
+                            }
+                            elems: {
+                                primitive: {
+                                    string_value: {}
+                                }
+                            }
+                            elems: {
+                                primitive: {
+                                    string_value: {}
+                                }
+                            }
+                        }
+                    }
+                }
+            } 
+            meta: {
+                http: {
+                    body: {
+                        content_type: JSON 
+                        other_type: "application/json"
+                    }
+                    response_code: 404
+                }
+            }
+        }
+    }
+}