added sensitive data redaction for powershell host

Author: Afroz Mohammed

generator/AWSPSGeneratorLib/FormatConfig/ConfigModel.cs

@@ -71,7 +71,7 @@ internal HashSet<string> TypeInclusionSet
         }
 
         /// <summary>
-        /// Specific types to exlude from the emitted formats. This list will be
+        /// Specific types to exclude from the emitted formats. This list will be
         /// automatically extended to include any types found in custom format files.
         /// </summary>
         [XmlArray]
@@ -245,16 +245,21 @@ public class ColumnConfig
         public HeaderAlignment HeaderAlignment { get; set; }
         [XmlAttribute]
         public int HeaderOrder { get; set; }
+        [XmlIgnore]
+        public bool IsSensitive { get; set; }
 
         [XmlAttribute]
         public string ScriptBlock { get; set; }
         [XmlAttribute]
         public string PropertyName { get; set; }
 
+
+
         public ColumnConfig()
         {
             ScriptBlock = null;
             PropertyName = null;
+            IsSensitive = false;
 
             HeaderLabel = null;
             HeaderWidth = 0;
@@ -268,6 +273,7 @@ public void Merge(ColumnConfig other)
             HeaderWidth = other.HeaderWidth != 0 ? other.HeaderWidth : this.HeaderWidth;
             HeaderAlignment = other.HeaderAlignment != HeaderAlignment.None ? other.HeaderAlignment : this.HeaderAlignment;
             HeaderOrder = other.HeaderOrder != 0 ? other.HeaderOrder : this.HeaderOrder;
+            IsSensitive = other.IsSensitive || this.IsSensitive;
 
             ScriptBlock = other.ScriptBlock ?? this.ScriptBlock;
             PropertyName = other.PropertyName ?? this.PropertyName;

generator/AWSPSGeneratorLib/Generators/FormatGenerator.cs

@@ -32,6 +32,8 @@ public class FormatGenerator : Generator
         private ConfigModelCollection ConfigCollection { get; set; }
 
         private const string AwsToolsPrefix = "AWS.Tools.";
+
+        private const string SensitiveDataRedactionMessage = "*** sensitive data redacted from host ***";
         #endregion
 
 
@@ -175,7 +177,8 @@ private void GenerateView(ConfigModel config, XmlWriter writer, Type type)
                     existingColumn.Merge(new ColumnConfig
                     {
                         HeaderLabel = name,
-                        PropertyName = name
+                        PropertyName = name,
+                        IsSensitive = property.IsSensitive()
                     });
 
                     newConfig.Columns.Add(existingColumn);
@@ -322,7 +325,16 @@ private void GenerateView_NonReflective(ConfigModel config, XmlWriter writer, Ty
                                 {
                                     writer.WriteStartElement(isTableView ? "TableColumnItem" : "ListItem");
                                     {
-                                        if (!string.IsNullOrEmpty(column.PropertyName))
+                                        if (column.IsSensitive)
+                                        {
+                                            if (!isTableView)
+                                                writer.WriteElementString("Label", column.PropertyName);
+
+                                            string scriptBlockValue =
+                                                $"if((Test-Path variable:AWSPowerShell_Show_Sensitive_Data) -and $false.Equals((Get-Variable AWSPowerShell_Show_Sensitive_Data).Value)){{'{SensitiveDataRedactionMessage}'}} else{{$_.{column.PropertyName}}}";
+                                            writer.WriteElementString("ScriptBlock", scriptBlockValue);
+                                        }
+                                        else if (!string.IsNullOrEmpty(column.PropertyName))
                                             writer.WriteElementString("PropertyName", column.PropertyName);
                                         else if (!string.IsNullOrEmpty(column.ScriptBlock))
                                             writer.WriteElementString("ScriptBlock", column.ScriptBlock);

generator/AWSPSGeneratorLib/Utils/Extensions.cs

@@ -4,6 +4,7 @@
 using System.Text;
 using System.Xml.Serialization;
 using System.IO;
+using System.Reflection;
 
 namespace AWSPowerShellGenerator.Utils
 {
@@ -45,5 +46,27 @@ public static string GetTypeFullCodeName(this Type t)
 
             return typeName + "<" + args + ">";
         }
+
+        public static bool IsSensitive(this PropertyInfo propertyInfo)
+        {
+            dynamic awsPropertyAttribute = propertyInfo
+                .GetCustomAttributes().SingleOrDefault(attribute => attribute.GetType().FullName == "Amazon.Runtime.Internal.AWSPropertyAttribute");
+
+            return awsPropertyAttribute != null && awsPropertyAttribute.Sensitive;
+        }
+
+        /// <summary>
+        /// Checks if the type contains any sensitive data by going recursively over all the internal properties
+        /// </summary>
+        public static bool ContainsSensitiveData(this Type type, HashSet<Type> visitedTypes = null)
+        {
+            visitedTypes ??= [];
+
+            if (!visitedTypes.Add(type)) 
+                return false;
+
+            return type.GetProperties().Any(childProperty => IsSensitive(childProperty) || ContainsSensitiveData(childProperty.PropertyType, visitedTypes));
+        }
+
     }
 }

modules/AWSPowerShell/Common/CommonCmdlets.cs

@@ -526,4 +526,80 @@ protected override void ProcessRecord()
             }
         }
     }
+
+    /// <summary>
+    /// Controls the display of sensitive information in the PowerShell console output.
+    /// When set to false (default), sensitive data is masked in the console display.
+    /// When set to true, sensitive data is shown in plain text.
+    /// Note: This setting only affects console display - stored variables retain the original unmasked data regardless of this setting.
+    /// This cmdlet sets a shell variable AWSPowerShell_Show_Sensitive_Data using the scope.
+    /// </summary>
+    [Cmdlet("Set", "AWSSensitiveDataConfiguration")]
+    [AWSCmdlet("Controls the display of sensitive information in the PowerShell console output. When set to true, sensitive data is shown in plain text in the console output.")]
+    [OutputType("None")]
+    public class SetAWSSensitiveDataConfigurationCmdlet : PSCmdlet
+    {
+        #region Parameter ShowSensitiveData
+
+        /// <summary>
+        /// Controls whether sensitive data appears in PowerShell console output.
+        /// When set to true, displays un-redacted sensitive data in the console.
+        /// When set to false (default), automatically masks sensitive data in console output.
+        /// </summary>
+        [Parameter(ValueFromPipelineByPropertyName = true, Mandatory = true)]
+        public bool ShowSensitiveData { get; set; }
+
+        #endregion
+
+        #region Parameter Scope
+        /// <summary>
+        /// <para>
+        /// Sets the scope of the shell variable AWSPowerShell_Show_Sensitive_Data.
+        /// For details about variables scopes, see https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_scopes.
+        /// </para>
+        /// </summary>
+        [Parameter(ValueFromPipelineByPropertyName = true)]
+        public VariableScope Scope { get; set; }
+        #endregion
+
+        protected override void ProcessRecord()
+        {
+            base.ProcessRecord();
+            WriteVerbose($"Setting AWSShowSensitiveData to {ShowSensitiveData}");
+            string scope = MyInvocation.BoundParameters.ContainsKey("Scope") ? Scope.ToString() + ":" : "";
+
+            this.SessionState.PSVariable.Set(scope+ SessionKeys.AWSShowSensitiveData, ShowSensitiveData);
+        }
+    }
+
+    /// <summary>
+    /// Returns the current configuration value that controls how sensitive data is displayed in the PowerShell console.
+    /// This cmdlet returns a Boolean value indicating whether sensitive data is shown or redacted in console output.
+    /// </summary>
+    [Cmdlet("Get", "AWSSensitiveDataConfiguration")]
+    [AWSCmdlet("Gets the current configuration settings for sensitive data display in PowerShell output.")]
+    [OutputType("PSObject")]
+    public class GetAWSSensitiveDataConfigurationCmdlet : PSCmdlet
+    {
+        protected override void ProcessRecord()
+        {
+            base.ProcessRecord();
+            var showSensitiveData = this.SessionState.PSVariable.Get(SessionKeys.AWSShowSensitiveData);
+            var result = new PSObject();
+            
+            // in v4 default ShowSensitiveData is true
+            const bool defaultShowSensitiveData = true;
+
+            var noteProperty = new PSNoteProperty("ShowSensitiveData", defaultShowSensitiveData);
+            
+            if (showSensitiveData != null)
+            {
+                noteProperty.Value = (bool)showSensitiveData.Value;
+                
+            }
+
+            result.Properties.Add(noteProperty);
+            WriteObject(result);
+        }
+    }
 }

modules/AWSPowerShell/Common/CredentialsArguments.cs

@@ -799,6 +799,7 @@ internal static class SessionKeys
         public const string AWSCredentialsVariableName = "StoredAWSCredentials";
         public const string AWSRegionVariableName = "StoredAWSRegion";
         public const string AWSCallHistoryName = "AWSHistory";
+        public const string AWSShowSensitiveData = "AWSPowerShell_Show_Sensitive_Data";
         public const string AWSProxyVariableName = "AWSProxy";
     }
 

tests/Common/Common.AWSSensitiveDataConfiguration.Tests.ps1

@@ -0,0 +1,90 @@
+BeforeAll {
+  . (Join-Path (Join-Path (Get-Location) "Include") "TestIncludes.ps1")
+  . (Join-Path (Join-Path (Get-Location) "Include") "TestHelper.ps1")
+  . (Join-Path (Join-Path (Get-Location) "Include") "ServiceTestHelper.ps1")
+  $helper = New-Object ServiceTestHelper
+  $helper.BeforeAll()
+  $script:region = 'us-west-2'
+  $script:secretName = 'integrationtests-sensitive-data-redaction-' + [DateTime]::Now.ToFileTime()
+  $script:secretValue = 'testvalue'
+  $script:redactedValue = [Regex]::Escape('*** sensitive data redacted from host ***')
+  $null = New-SECSecret -Name $script:secretName -SecretString $script:secretValue -Region $script:region }
+
+AfterAll {
+  $helper.AfterAll()
+  $deletedSecret = Remove-SECSecret -SecretId $script:secretName -DeleteWithNoRecovery $true -Region $script:region -Force
+}
+
+Describe -Tag "Smoke" "AWSSensitiveDataConfiguration Default" {
+
+  Context "Sensitive data redaction defaults" {
+    BeforeAll {
+      $secret = Get-SECSecretValue -SecretId $script:secretName -Region $script:region
+    }
+    It "Sensitive data not redacted when dereferenced" {
+      $secret.SecretString | Should -BeExactly $script:secretValue
+    }
+
+    It "Sensitive data not redacted in the host by default" {
+      $secretInHost = ($secret | Out-String -Stream).Where({ $_ -like "SecretString*" })[0]
+      $secretInHost | Should -MatchExactly $script:secretValue
+    }
+
+    It "Null Sensitive data not redacted in the host" {
+      $secretInHost = ($secret | Out-String -Stream).Where({ $_ -like "SecretBinary*" })[0]
+      $secretInHost | Should -Not -MatchExactly $script:redactedValue
+    }
+
+    It 'Get-AWSSensitiveDataConfiguration ShowSensitiveData default should be $true' {
+      (Get-AWSSensitiveDataConfiguration).ShowSensitiveData | Should -BeExactly $true
+    }
+  }
+  Context "Sensitive data redaction ShowSensitiveData" {
+    BeforeAll {
+      Set-AWSSensitiveDataConfiguration -ShowSensitiveData $true
+      $secret = Get-SECSecretValue -SecretId $script:secretName -Region $script:region
+    }
+    
+    It "Sensitive data not redacted when dereferenced" {
+      $secret.SecretString | Should -BeExactly $script:secretValue
+    }
+
+    It "Sensitive data not redacted in the host" {
+      $secretInHost = ($secret | Out-String -Stream).Where({ $_ -like "SecretString*" })[0]
+      $secretInHost | Should -MatchExactly $script:secretValue
+    }
+
+    It "Null Sensitive data not redacted in the host" {
+      $secretInHost = ($secret | Out-String -Stream).Where({ $_ -like "SecretBinary*" })[0]
+      $secretInHost | Should -Not -MatchExactly $script:redactedValue
+    }
+
+    It 'Get-AWSSensitiveDataConfiguration ShowSensitiveData should be $true' {
+      (Get-AWSSensitiveDataConfiguration).ShowSensitiveData | Should -BeExactly $true
+    }
+  }
+  Context 'Sensitive data redaction ShowSensitiveData to $false' {
+    BeforeAll {
+      Set-AWSSensitiveDataConfiguration -ShowSensitiveData $false
+      $secret = Get-SECSecretValue -SecretId $script:secretName -Region $script:region
+    }
+
+    It "Sensitive data not redacted when dereferenced" {
+      $secret.SecretString | Should -BeExactly $script:secretValue
+    }
+
+    It "Sensitive data redacted in the host" {
+      $secretInHost = ($secret | Out-String -Stream).Where({ $_ -like "SecretString*" })[0]
+      $secretInHost | Should -MatchExactly $script:redactedValue
+    }
+
+    It "Null Sensitive data redacted in the host" {
+      $secretInHost = ($secret | Out-String -Stream).Where({ $_ -like "SecretBinary*" })[0]
+      $secretInHost | Should -MatchExactly $script:redactedValue
+    }
+
+    It 'Get-AWSSensitiveDataConfiguration ShowSensitiveData should be $false' {
+      (Get-AWSSensitiveDataConfiguration).ShowSensitiveData | Should -BeExactly $false
+    }
+  }
+}