fix: Exclude some stream fields to avoid leaking sensitive data (#17)

* fix: Exclude `pipelines` field `properties` to avoid leaking sensitive data in the stream

Signed-off-by: Edgar Ramírez Mondragón <edgarrm358@gmail.com>

* fix: Exclude additional fields

Signed-off-by: Edgar Ramírez Mondragón <edgarrm358@gmail.com>

---------

Signed-off-by: Edgar Ramírez Mondragón <edgarrm358@gmail.com>

Author: edgarrmondragon

pyproject.toml

@@ -2,7 +2,7 @@
 build-backend = "hatchling.build"
 requires = [
   "hatch-vcs>=0.5",
-  "hatchling>=1.29.0,<2",
+  "hatchling>=1.29,<2",
 ]
 
 [project]
@@ -52,7 +52,7 @@ test = [
   "pytest>=9",
   "pytest-github-actions-annotate-failures>=0.3",
   "singer-sdk[testing]",
-  "syrupy>=5.1.0",
+  "syrupy>=5.1",
 ]
 typing = [
   "mypy>=1.19.1",
@@ -78,7 +78,7 @@ select = [ "ALL" ]
 allow-star-arg-any = true
 [tool.ruff.lint.per-file-ignores]
 "tests/**/*.py" = [
-  "S101",  # assert is used by pytest
+  "S101", # assert is used by pytest
 ]
 [tool.ruff.lint.pydocstyle]
 convention = "google"

tap_meltano_cloud/streams/base.py

@@ -76,3 +76,65 @@ def get_stream_schema(self, *args: Any, **kwargs: Any) -> dict:
             "type": ["string", "null"],
         }
         return schema
+
+
+class _WorkspaceSchema(StreamSchema[str]):
+    """Schema for workspace streams — excludes sensitive fields.
+
+    ``deploymentSecret`` and ``sshPrivateKey`` can contain sensitive credentials,
+    so they are omitted until a reliable obfuscation mechanism exists.
+    See https://github.com/MeltanoLabs/tap-meltano-cloud/issues/15
+    """
+
+    @override
+    def get_stream_schema(self, *args: Any, **kwargs: Any) -> dict:
+        schema = super().get_stream_schema(*args, **kwargs)
+        schema["properties"].pop("deploymentSecret", None)
+        schema["properties"].pop("sshPrivateKey", None)
+        return schema
+
+
+class _PipelineSchema(_WorkspaceChildSchema):
+    """Schema for pipeline streams — excludes the ``properties`` field.
+
+    Pipeline properties can contain sensitive data and there is currently no
+    reliable way to obfuscate them, so the field is omitted until that
+    capability exists.  See https://github.com/MeltanoLabs/tap-meltano-cloud/issues/15
+    """
+
+    @override
+    def get_stream_schema(self, *args: Any, **kwargs: Any) -> dict:
+        schema = super().get_stream_schema(*args, **kwargs)
+        schema["properties"].pop("properties", None)
+        return schema
+
+
+class _DataComponentSchema(_WorkspaceChildSchema):
+    """Schema for data component streams — excludes the ``properties`` field.
+
+    Data component properties can contain sensitive data and there is currently no
+    reliable way to obfuscate them, so the field is omitted until that
+    capability exists.  See https://github.com/MeltanoLabs/tap-meltano-cloud/issues/15
+    """
+
+    @override
+    def get_stream_schema(self, *args: Any, **kwargs: Any) -> dict:
+        schema = super().get_stream_schema(*args, **kwargs)
+        schema["properties"].pop("properties", None)
+        return schema
+
+
+class _DataStoreSchema(_WorkspaceChildSchema):
+    """Schema for data store streams — excludes sensitive fields.
+
+    ``properties`` and ``jdbcUrl`` can contain sensitive data (credentials,
+    connection strings), so they are omitted until a reliable obfuscation
+    mechanism exists.  See https://github.com/MeltanoLabs/tap-meltano-cloud/issues/15
+    """
+
+    @override
+    def get_stream_schema(self, *args: Any, **kwargs: Any) -> dict:
+        schema = super().get_stream_schema(*args, **kwargs)
+        schema["properties"].pop("jdbcUrl", None)
+        schema["properties"].pop("properties", None)
+        return schema

tap_meltano_cloud/streams/by_workspace.py

@@ -2,11 +2,26 @@
 
 from __future__ import annotations
 
-from typing import Any
+import sys
+from typing import TYPE_CHECKING, Any
 
-from singer_sdk import StreamSchema
+from .base import (
+    OPENAPI_SCHEMA,
+    MeltanoCloudStream,
+    _DataComponentSchema,
+    _DataStoreSchema,
+    _PipelineSchema,
+    _WorkspaceChildSchema,
+    _WorkspaceSchema,
+)
 
-from .base import OPENAPI_SCHEMA, MeltanoCloudStream, _WorkspaceChildSchema
+if sys.version_info >= (3, 12):
+    from typing import override
+else:
+    from typing_extensions import override
+
+if TYPE_CHECKING:
+    from singer_sdk.helpers.types import Context
 
 
 class _ByWorkspaceStream(MeltanoCloudStream):
@@ -28,7 +43,13 @@ class WorkspacesStream(_ByWorkspaceStream):
     name = "workspaces"
     path = "/workspaces/{workspaceId}"
     records_jsonpath = "$"
-    schema = StreamSchema(OPENAPI_SCHEMA, key="WorkspaceResource")
+    schema = _WorkspaceSchema(OPENAPI_SCHEMA, key="WorkspaceResource")
+
+    @override
+    def post_process(self, row: dict, context: Context | None = None) -> dict | None:
+        row.pop("deploymentSecret", None)
+        row.pop("sshPrivateKey", None)
+        return super().post_process(row, context)
 
 
 class PipelinesStream(_ByWorkspaceStream):
@@ -37,7 +58,12 @@ class PipelinesStream(_ByWorkspaceStream):
     name = "pipelines"
     path = "/workspaces/{workspaceId}/pipelines"
     records_jsonpath = "$._embedded.pipelines[*]"
-    schema = _WorkspaceChildSchema(OPENAPI_SCHEMA, key="PipelineResource")
+    schema = _PipelineSchema(OPENAPI_SCHEMA, key="PipelineResource")
+
+    @override
+    def post_process(self, row: dict, context: Context | None = None) -> dict | None:
+        row.pop("properties", None)
+        return super().post_process(row, context)
 
 
 class DatasetsStream(_ByWorkspaceStream):
@@ -73,7 +99,13 @@ class DataStoresStream(_ByWorkspaceStream):
     name = "datastores"
     path = "/workspaces/{workspaceId}/datastores"
     records_jsonpath = "$._embedded.datastores[*]"
-    schema = _WorkspaceChildSchema(OPENAPI_SCHEMA, key="DataStoreResource")
+    schema = _DataStoreSchema(OPENAPI_SCHEMA, key="DataStoreResource")
+
+    @override
+    def post_process(self, row: dict, context: Context | None = None) -> dict | None:
+        row.pop("jdbcUrl", None)
+        row.pop("properties", None)
+        return super().post_process(row, context)
 
 
 class DataComponentsStream(_ByWorkspaceStream):
@@ -82,4 +114,9 @@ class DataComponentsStream(_ByWorkspaceStream):
     name = "datacomponents"
     path = "/workspaces/{workspaceId}/datacomponents"
     records_jsonpath = "$._embedded.datacomponents[*]"
-    schema = _WorkspaceChildSchema(OPENAPI_SCHEMA, key="DataComponentResource")
+    schema = _DataComponentSchema(OPENAPI_SCHEMA, key="DataComponentResource")
+
+    @override
+    def post_process(self, row: dict, context: Context | None = None) -> dict | None:
+        row.pop("properties", None)
+        return super().post_process(row, context)

tap_meltano_cloud/streams/me.py

@@ -5,9 +5,15 @@
 import sys
 from typing import TYPE_CHECKING, Any
 
-from singer_sdk import StreamSchema
-
-from .base import OPENAPI_SCHEMA, MeltanoCloudStream, _WorkspaceChildSchema
+from .base import (
+    OPENAPI_SCHEMA,
+    MeltanoCloudStream,
+    _DataComponentSchema,
+    _DataStoreSchema,
+    _PipelineSchema,
+    _WorkspaceChildSchema,
+    _WorkspaceSchema,
+)
 
 if sys.version_info >= (3, 12):
     from typing import override
@@ -26,7 +32,7 @@ class WorkspacesStream(MeltanoCloudStream):
     name = "workspaces"
     path = "/workspaces"
     records_jsonpath = "$._embedded.workspaces[*]"
-    schema = StreamSchema(OPENAPI_SCHEMA, key="WorkspaceResource")
+    schema = _WorkspaceSchema(OPENAPI_SCHEMA, key="WorkspaceResource")
 
     @override
     def generate_child_contexts(
@@ -37,6 +43,12 @@ def generate_child_contexts(
         """Generate child contexts for workspace-scoped streams."""
         yield {"workspaceId": record["id"]}
 
+    @override
+    def post_process(self, row: dict, context: Context | None = None) -> dict | None:
+        row.pop("deploymentSecret", None)
+        row.pop("sshPrivateKey", None)
+        return super().post_process(row, context)
+
 
 class _WorkspaceChildStream(MeltanoCloudStream):
     """Base class for workspace-child streams driven by the me WorkspacesStream."""
@@ -50,7 +62,12 @@ class PipelinesStream(_WorkspaceChildStream):
     name = "pipelines"
     path = "/workspaces/{workspaceId}/pipelines"
     records_jsonpath = "$._embedded.pipelines[*]"
-    schema = _WorkspaceChildSchema(OPENAPI_SCHEMA, key="PipelineResource")
+    schema = _PipelineSchema(OPENAPI_SCHEMA, key="PipelineResource")
+
+    @override
+    def post_process(self, row: dict, context: Context | None = None) -> dict | None:
+        row.pop("properties", None)
+        return super().post_process(row, context)
 
 
 class DatasetsStream(_WorkspaceChildStream):
@@ -86,7 +103,13 @@ class DataStoresStream(_WorkspaceChildStream):
     name = "datastores"
     path = "/workspaces/{workspaceId}/datastores"
     records_jsonpath = "$._embedded.datastores[*]"
-    schema = _WorkspaceChildSchema(OPENAPI_SCHEMA, key="DataStoreResource")
+    schema = _DataStoreSchema(OPENAPI_SCHEMA, key="DataStoreResource")
+
+    @override
+    def post_process(self, row: dict, context: Context | None = None) -> dict | None:
+        row.pop("jdbcUrl", None)
+        row.pop("properties", None)
+        return super().post_process(row, context)
 
 
 class DataComponentsStream(_WorkspaceChildStream):
@@ -95,4 +118,9 @@ class DataComponentsStream(_WorkspaceChildStream):
     name = "datacomponents"
     path = "/workspaces/{workspaceId}/datacomponents"
     records_jsonpath = "$._embedded.datacomponents[*]"
-    schema = _WorkspaceChildSchema(OPENAPI_SCHEMA, key="DataComponentResource")
+    schema = _DataComponentSchema(OPENAPI_SCHEMA, key="DataComponentResource")
+
+    @override
+    def post_process(self, row: dict, context: Context | None = None) -> dict | None:
+        row.pop("properties", None)
+        return super().post_process(row, context)

tests/__snapshots__/test_schema_evolution/test_catalog_changes[datacomponents].json

@@ -39,15 +39,6 @@
         "inclusion": "available"
       }
     },
-    {
-      "breadcrumb": [
-        "properties",
-        "properties"
-      ],
-      "metadata": {
-        "inclusion": "available"
-      }
-    },
     {
       "breadcrumb": [
         "properties",
@@ -30963,15 +30954,6 @@
           "null"
         ]
       },
-      "properties": {
-        "additionalProperties": {
-          "type": "string"
-        },
-        "type": [
-          "object",
-          "null"
-        ]
-      },
       "repositoryPath": {
         "type": [
           "string",

tests/__snapshots__/test_schema_evolution/test_catalog_changes[datastores].json

@@ -39,15 +39,6 @@
         "inclusion": "available"
       }
     },
-    {
-      "breadcrumb": [
-        "properties",
-        "properties"
-      ],
-      "metadata": {
-        "inclusion": "available"
-      }
-    },
     {
       "breadcrumb": [
         "properties",
@@ -149,15 +140,6 @@
         "inclusion": "available"
       }
     },
-    {
-      "breadcrumb": [
-        "properties",
-        "jdbcUrl"
-      ],
-      "metadata": {
-        "inclusion": "available"
-      }
-    },
     {
       "breadcrumb": [
         "properties",
@@ -30971,12 +30953,6 @@
         "format": "uuid",
         "type": "string"
       },
-      "jdbcUrl": {
-        "type": [
-          "string",
-          "null"
-        ]
-      },
       "lastModified": {
         "format": "date-time",
         "type": [
@@ -31002,15 +30978,6 @@
           "null"
         ]
       },
-      "properties": {
-        "additionalProperties": {
-          "type": "string"
-        },
-        "type": [
-          "object",
-          "null"
-        ]
-      },
       "repositoryPath": {
         "type": [
           "string",

tests/__snapshots__/test_schema_evolution/test_catalog_changes[pipelines].json

@@ -93,15 +93,6 @@
         "inclusion": "available"
       }
     },
-    {
-      "breadcrumb": [
-        "properties",
-        "properties"
-      ],
-      "metadata": {
-        "inclusion": "available"
-      }
-    },
     {
       "breadcrumb": [
         "properties",
@@ -330,15 +321,6 @@
           "null"
         ]
       },
-      "properties": {
-        "additionalProperties": {
-          "type": "string"
-        },
-        "type": [
-          "object",
-          "null"
-        ]
-      },
       "repositoryPath": {
         "type": [
           "string",