Addressed feedback, modified config

Author: rads-1996

shared/AppInsightsCore/Tests/Unit/src/ai/AppInsightsCommon.tests.ts

@@ -3,7 +3,7 @@ import { Assert, AITestClass } from "@microsoft/ai-test-framework";
 import { DiagnosticLogger } from "../../../../src/diagnostics/DiagnosticLogger";
 import { IConfiguration } from "../../../../src/interfaces/ai/IConfiguration";
 import { dataSanitizeInput, dataSanitizeKey, dataSanitizeMessage, DataSanitizerValues, dataSanitizeString, dataSanitizeUrl } from "../../../../src/telemetry/ai/Common/DataSanitizer";
-
+import { UrlRedactionOptions } from "../../../../src/enums/ai/UrlRedactionOptions"
 
 export class ApplicationInsightsTests extends AITestClass {
     logger = new DiagnosticLogger();
@@ -395,7 +395,8 @@ export class ApplicationInsightsTests extends AITestClass {
             test: () => {
                 // URLs with sensitive query parameters
                 let config = {
-                    appendRedactQueryParams: ["authorize", "api_key", "password"]
+                    redactUrls: UrlRedactionOptions.append,
+                    redactQueryParams: ["authorize", "api_key", "password"]
                 } as IConfiguration;
                 const urlWithSensitiveParams = "https://example.com/api?Signature=secret&authorize=value";
                 const expectedRedactedUrl = "https://example.com/api?Signature=REDACTED&authorize=REDACTED";
@@ -407,11 +408,12 @@ export class ApplicationInsightsTests extends AITestClass {
         });
 
         this.testCase({
-            name: 'DataSanitizerTests: dataSanitizeUrl properly redacts sensitive query parameters ( only custom)',
+            name: 'DataSanitizerTests: dataSanitizeUrl properly redacts sensitive query parameters (only custom)',
             test: () => {
                 // URLs with sensitive query parameters
                 let config = {
-                    replaceRedactQueryParams: ["authorize", "api_key", "password"]
+                    redactUrls: UrlRedactionOptions.replace,
+                    redactQueryParams: ["authorize", "api_key", "password"]
                 } as IConfiguration;
                 const urlWithSensitiveParams = "https://example.com/api?Signature=secret&authorize=value";
                 const expectedRedactedUrl = "https://example.com/api?Signature=secret&authorize=REDACTED";

shared/AppInsightsCore/Tests/Unit/src/ai/ApplicationInsightsCore.Tests.ts

@@ -11,6 +11,7 @@ import { _InternalLogMessage, DiagnosticLogger } from "../../../../src/diagnosti
 import { ActiveStatus } from "../../../../src/enums/ai/InitActiveStatusEnum";
 import { createAsyncPromise, createAsyncRejectedPromise, createAsyncResolvedPromise, createTimeoutPromise, doAwaitResponse } from "@nevware21/ts-async";
 import { setBypassLazyCache } from "@nevware21/ts-utils";
+import { UrlRedactionOptions } from "../../../../src/enums/ai/UrlRedactionOptions"
 
 const AIInternalMessagePrefix = "AITR_";
 const MaxInt32 = 0xFFFFFFFF;
@@ -2073,7 +2074,6 @@ export class ApplicationInsightsCoreTests extends AITestClass {
             test: () => {
                 let config = {
                     redactUrls: false,
-                    redactQueryParams: false,
                 } as IConfiguration;
                 const url = "https://username:password@example.com:8443/path/to/resource?sig=secret&color=blue#section2";
                 const redactedLocation = fieldRedaction(url, config);
@@ -2215,7 +2215,8 @@ export class ApplicationInsightsCoreTests extends AITestClass {
             name: "FieldRedaction: should redact custom query parameters defined in redactQueryParams and replace custom queryParams",
             test: () => {
                 let config = {
-                    replaceRedactQueryParams: ["authorize", "api_key", "password"]
+                    redactUrls: UrlRedactionOptions.replace,
+                    redactQueryParams: ["authorize", "api_key", "password"]
                 } as IConfiguration;
 
                 const url = "https://example.com/path?auth_token=12345&name=test&authorize=secret";
@@ -2228,7 +2229,8 @@ export class ApplicationInsightsCoreTests extends AITestClass {
             name: "FieldRedaction: should redact both default and custom query parameters",
             test: () => {
                 let config = {
-                    appendRedactQueryParams: ["auth_token"]
+                    redactUrls: UrlRedactionOptions.append,
+                    redactQueryParams: ["auth_token"]
                 } as IConfiguration;
 
                 const url = "https://example.com/path?sig=abc123&auth_token=12345&name=test";
@@ -2238,16 +2240,16 @@ export class ApplicationInsightsCoreTests extends AITestClass {
             }
         });
         this.testCase({
-            name: "FieldRedaction:should redact custom parameters when redactUrls is disabled but redactQueryParams is not false",
+            name: "FieldRedaction:should replace custom parameters redactQueryParams when user specifies the replace config",
             test: () => {
                 let config = {
-                    redactUrls: false,
-                    replaceRedactQueryParams: ["authorize", "api_key"]
+                    redactUrls: UrlRedactionOptions.replace,
+                    redactQueryParams: ["authorize", "api_key"]
                 } as IConfiguration;
 
                 const url = "https://username:password@example.com/path?auth_token=12345&authorize=secret";
                 const redactedLocation = fieldRedaction(url, config);
-                Assert.equal(redactedLocation, "https://username:password@example.com/path?auth_token=12345&authorize=REDACTED",
+                Assert.equal(redactedLocation, "https://REDACTED:REDACTED@example.com/path?auth_token=12345&authorize=REDACTED",
                     "URL with custom sensitive parameters should be redacted when query redaction is not disabled");
             }
         });
@@ -2269,7 +2271,8 @@ export class ApplicationInsightsCoreTests extends AITestClass {
             name: "FieldRedaction:should handle complex URLs with both credentials and custom query parameters",
             test: () => {
                 let config = {
-                    appendRedactQueryParams: ["authorize", "session_id"]
+                    redactUrls: UrlRedactionOptions.append,
+                    redactQueryParams: ["authorize", "session_id"]
                 } as IConfiguration;
 
                 const url = "https://user:pass@example.com/path?sig=secret&authorize=abc123&visible=true&session_id=xyz789";
@@ -2601,7 +2604,7 @@ export class ApplicationInsightsCoreTests extends AITestClass {
                 name: "FieldRedaction: should redact credentials while preserving query strings when redactQueryParams is false",
             test: () => {
                     let config = {
-                        redactQueryParams: false
+                        redactUrls: 5
                     } as IConfiguration;
                     const url = "https://user:password@example.com/path?sig=secret&color=blue&token=abc123";
                 const redactedLocation = fieldRedaction(url, config);
@@ -2614,7 +2617,8 @@ export class ApplicationInsightsCoreTests extends AITestClass {
             name: "FieldRedaction: should handle custom parameters with multiple occurrences and empty values",
             test: () => {
                 let config = {
-                    replaceRedactQueryParams: ["auth_token", "session_id"]
+                    redactUrls: UrlRedactionOptions.replace,
+                    redactQueryParams: ["auth_token", "session_id"]
                 } as IConfiguration;
                 const url = "https://example.com/path?auth_token=first&name=test&auth_token=&session_id=abc&session_id=";
                 const redactedLocation = fieldRedaction(url, config);
@@ -2638,24 +2642,23 @@ export class ApplicationInsightsCoreTests extends AITestClass {
         });
 
         this.testCase({
-            name: "FieldRedaction: should preserve credentials while redacting query strings when redactUrls is false",
+            name: "FieldRedaction: should redact all parts of the URL (username, password, default query params) when redactUrls is set to True",
             test: () => {
                 let config = {
-                    redactUrls: false
+                    redactUrls: true
                 } as IConfiguration;
                 const url = "https://user:password@example.com/path?sig=secret&color=blue&token=abc123";
                 const redactedLocation = fieldRedaction(url, config);
-                Assert.equal(redactedLocation, "https://user:password@example.com/path?sig=REDACTED&color=blue&token=abc123",
-                    "Query string values should be redacted while credentials remain unchanged when redactUrls is false");
+                Assert.equal(redactedLocation, "https://REDACTED:REDACTED@example.com/path?sig=REDACTED&color=blue&token=abc123",
+                "All parts of the URL should be redacted when redactUrls is true");
             }
         });
 
         this.testCase({
             name: "FieldRedaction: should not redact credentials or query strings when redactUrls and redactQueryParams are false",
             test: () => {
                 let config = {
-                    redactUrls: false,
-                    redactQueryParams: false
+                    redactUrls: UrlRedactionOptions.false
                 } as IConfiguration;
                 const url = "https://user:password@example.com/path?sig=secret&color=blue&token=abc123";
                 const redactedLocation = fieldRedaction(url, config);

shared/AppInsightsCore/src/enums/ai/UrlRedactionOptions.ts

@@ -0,0 +1,41 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+/**
+ * Controls how the user can configure which parts of the URL should be redacted. Example, certain query parameters, username and password, etc.
+ * @since <next_release_version>
+ */
+export const enum UrlRedactionOptions {
+    /**
+     * The default value, will redact the username and password as well as the default set of query parameters
+     */
+    true = 1,
+
+    /**
+     * Does not redact username and password or any query parameters, the URL will be left as is. Note: this is not recommended as it may lead 
+     * to sensitive data being sent in clear text.
+     */
+    false = 2,
+
+    /**
+     * This will append any additional queryParams that the user has provided through redactQueryParams config to the default set i.e to
+     * @defaultValue ["sig", "Signature", "AWSAccessKeyId", "X-Goog-Signature"]. 
+     */
+    append = 3,
+
+    /**
+     * This will replace the default set of query parameters to redact with the query parameters defined in redactQueryParams config, if provided by the user.
+     */
+    replace = 4,
+
+    /**
+     * This will redact username and password in the URL but will not redact any query parameters, even those in the default set.
+     */
+    usernamePasswordOnly = 5,
+
+    /**
+     * This will only redact the query parameter in the default set of query parameters to redact. It will not redact username and password.
+     */
+    queryParamsOnly = 6,
+
+}

shared/AppInsightsCore/src/interfaces/ai/IConfiguration.ts

@@ -2,6 +2,7 @@
 // Licensed under the MIT License.
 import { IPromise } from "@nevware21/ts-async";
 import { eTraceHeadersMode } from "../../enums/ai/TraceHeadersMode";
+import { UrlRedactionOptions } from "../../enums/ai/UrlRedactionOptions";
 import { IOTelConfig } from "../otel/config/IOTelConfig";
 import { IAppInsightsCore } from "./IAppInsightsCore";
 import { IChannelControls } from "./IChannelControls";
@@ -231,17 +232,11 @@ export interface IConfiguration extends IOTelConfig {
      */
     expCfg?: IExceptionConfig;
 
-    /**
-     * [Optional] A flag to enable or disable redaction for username and password in URLs.
-     * @defaultValue true
-     */
-    redactUrls?: boolean;
-
     /**
      * [Optional] A flag to enable or disable redaction for query parameters.
      * @defaultValue true
      */
-    redactQueryParams?: boolean;
+    redactUrls?: boolean | UrlRedactionOptions;
 
     /**
      * [Optional] Additional query parameters to redact beyond the default set.
@@ -250,16 +245,7 @@ export interface IConfiguration extends IOTelConfig {
      * @defaultValue ["sig", "Signature", "AWSAccessKeyId", "X-Goog-Signature"]
      * @example ["sig", "Signature", "AWSAccessKeyId", "X-Goog-Signature","auth_token", "api_key", "private_data"]
      */
-    appendRedactQueryParams?: string[];
-
-    /**
-     * [Optional] Replaces the default set with a custom set of query parameters to redact.
-     * Use this to specify custom parameters that contain sensitive information.
-     * These will replace the default parameters that are redacted.
-     * @defaultValue ["sig", "Signature", "AWSAccessKeyId", "X-Goog-Signature"]
-     * @example ["auth_token", "api_key", "private_data"]
-     */
-    replaceRedactQueryParams?: string[];
+    redactQueryParams?: string[];
 
     ///**
     // * [Optional] Internal SDK configuration for developers

shared/AppInsightsCore/src/utils/EnvUtils.ts

@@ -8,6 +8,7 @@ import {
     isFunction, isNullOrUndefined, isString, isUndefined, mathMax, strIndexOf, strSubstring
 } from "@nevware21/ts-utils";
 import { DEFAULT_SENSITIVE_PARAMS, STR_EMPTY, STR_REDACTED } from "../constants/InternalConstants";
+import { UrlRedactionOptions } from "../enums/ai/UrlRedactionOptions";
 import { IConfiguration } from "../interfaces/ai/IConfiguration";
 import { strContains } from "./HelperFuncs";
 
@@ -455,10 +456,10 @@ function redactQueryParameters(url: string, config?: IConfiguration): string {
         return url;
     }
 
-    if (config && config.appendRedactQueryParams) {
-        sensitiveParams = DEFAULT_SENSITIVE_PARAMS.concat(config.appendRedactQueryParams);
-    } else if (config && config.replaceRedactQueryParams) {
-        sensitiveParams = config.replaceRedactQueryParams;
+    if (config && config.redactUrls === UrlRedactionOptions.append) {
+        sensitiveParams = DEFAULT_SENSITIVE_PARAMS.concat(config.redactQueryParams);
+    } else if (config && config.redactUrls === UrlRedactionOptions.replace) {
+        sensitiveParams = config.redactQueryParams;
     } else {
         sensitiveParams = DEFAULT_SENSITIVE_PARAMS;
     }
@@ -545,25 +546,33 @@ export function fieldRedaction(input: string, config: IConfiguration): string {
     if (!input || !isString(input) || strIndexOf(input, " ") !== -1) {
         return input;
     }
-    const isRedactionDisabled = config && config.redactUrls === false;
-    const isQueryParamRedactionDisabled = config && config.redactQueryParams === false;
-    if (isRedactionDisabled && isQueryParamRedactionDisabled) {
+    const isRedactionDisabled = config && (config.redactUrls === false || config.redactUrls === UrlRedactionOptions.false);
+    if (isRedactionDisabled) {
         return input;
     }
 
-    const hasCredentials = strIndexOf(input, "@") !== -1;
-    const hasQueryParams = strIndexOf(input, "?") !== -1;
+    let hasCredentials = strIndexOf(input, "@") !== -1;
+    let hasQueryParams = strIndexOf(input, "?") !== -1;
 
     // If no credentials and no query params, return original
     if (!hasCredentials && !hasQueryParams) {
         return input;
     }
+
+    if (config.redactUrls === UrlRedactionOptions.usernamePasswordOnly) {
+        hasQueryParams = false;
+    }
+
+    if (config.redactUrls === UrlRedactionOptions.queryParamsOnly) {
+        hasCredentials = false;
+    }
+
     try {
         let result = input;
-        if (hasCredentials && !isRedactionDisabled) {
+        if (hasCredentials) {
             result = redactUserInfo(input);
         }
-        if (hasQueryParams && !isQueryParamRedactionDisabled) {
+        if (hasQueryParams) {
             result = redactQueryParameters(result, config);
         }
         return result;