Integration with secrecy crate for sensitive data

[byronwasti]

When handling sensitive data that we don't want to have accidentally logged it is helpful to have them wrapped in some sort of Secret<T> type (such as the Secret<T> type from the secrecy crate) which will print something like [REDACTED] instead of the data. As of right now we have to manually do the mapping from the Smithy-rs input types to the wrapped Secret<T> types, which means we have a layer with the sensitive data not wrapped in a redacting type.

If the Smithy-rs input and output generated types provided the sensitive data pre-wrapped in Secret<T> it would remove this layer where we could accidentally log the raw data and make it easier to audit for the .expose_secret() call.

[byronwasti]

It sounds like this might already be the case if using the @sensitive smithy trait with publicConstrainedShapes enabled

[david-perez]

publicConstrainedShapes is unrelated to handling of the @sensitive trait. @sensitive should be honored regardless. The way it's handled is that we adjust Debug implementations to redact sensitive contents.

So, for example, the following model:

@http(uri: "/operation", method: "POST")
operation Operation {
    input: OperationInputOutput
    output: OperationInputOutput
}

structure OperationInputOutput {
    secretStructure: SecretStructure

    secretString: SecretString

    regularString: String
}

@sensitive
structure SecretStructure {
    password: String
}

@sensitive
string SecretString

Generates:

impl std::fmt::Debug for SecretStructure {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let mut formatter = f.debug_struct("SecretStructure");
        formatter.field("password", &"*** Sensitive Data Redacted ***");
        formatter.finish()
    }
}

impl std::fmt::Debug for OperationInput {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let mut formatter = f.debug_struct("OperationInput");
        formatter.field("secret_structure", &"*** Sensitive Data Redacted ***");
        formatter.field("secret_string", &"*** Sensitive Data Redacted ***");
        formatter.field("regular_string", &self.regular_string);
        formatter.finish()
    }
}

An important thing to note here is that the SecretString string shape is generated in Rust as a regular std::string::String. We can't override Debug/Display on a standard library type, so if you log it, you're unprotected. If you think we should newtype @sensitive simple shapes, feel free to weigh in on #1833.

[david-perez]

(I added the server tag because if we were to do this, we would only be able to do it in the server: adding and removing @sensitive is a backwards-compatible change in the Smithy model, so we can't newtype a shape in Secret<T> because that would be a Rust breaking change.)

[byronwasti]

Ah ok, I see, thanks for the clarification! It looks like #1833 is what we're looking for. Happy to have this ticket closed as a duplicate of that one

[david-perez]

Sure! Closing in favor of #1833 then.

If anyone stumbles across this issue and would like smithy-rs server SDKs to integrate with secrecy or another crate with a use case that is not covered by the current implementation of @sensitive and #1833, feel free to open a new issue.