runtime-v2: allow specify sensitive data path

brig · brig · commit b25c5f2913f6 · 2025-10-14T20:56:30.000-04:00
diff --git a/runtime/v2/runner-test/src/test/java/com/walmartlabs/concord/runtime/v2/runner/MainTest.java b/runtime/v2/runner-test/src/test/java/com/walmartlabs/concord/runtime/v2/runner/MainTest.java
@@ -1355,6 +1355,7 @@ public void testSensitiveData() throws Exception {
         assertLog(log, ".*" + Pattern.quote("map: {nonSecretButMasked=******, secret=******}") + ".*");
         assertLog(log, ".*" + Pattern.quote("map: {nonSecret=non secret value, secret=******}") + ".*");
         assertLog(log, ".*" + Pattern.quote("map.nested: {nonSecret=non secret value, secret={top-secret=******}}") + ".*");
+        assertLog(log, ".*" + Pattern.quote("map.path: {nonSecret=non secret value, key={top-secret=******, inner=non secret value}}") + ".*");
 
         assertLog(log, ".*" + Pattern.quote("plain: plain") + ".*");
 
diff --git a/runtime/v2/runner-test/src/test/java/com/walmartlabs/concord/runtime/v2/runner/tasks/Tasks.java b/runtime/v2/runner-test/src/test/java/com/walmartlabs/concord/runtime/v2/runner/tasks/Tasks.java
@@ -305,6 +305,18 @@ public Map<String, String> getSensitiveMapStrict(String str) {
             return result;
         }
 
+        @SensitiveData(paths = {"key.top-secret"})
+        public Map<String, Object> getSensitiveMapWithPath(String str) {
+            Map<String, Object> inner = new LinkedHashMap<>();
+            inner.put("top-secret", str);
+            inner.put("inner", "non secret value");
+
+            Map<String, Object> result = new LinkedHashMap<>();
+            result.put("nonSecret", "non secret value");
+            result.put("key", inner);
+            return result;
+        }
+
         @SensitiveData(keys = {"secret"}, includeNestedValues = true)
         public Map<String, Object> getSensitiveMapWithNested(String str) {
             Map<String, Object> result = new LinkedHashMap<>();
diff --git a/runtime/v2/runner-test/src/test/resources/com/walmartlabs/concord/runtime/v2/runner/sensitiveData/concord.yaml b/runtime/v2/runner-test/src/test/resources/com/walmartlabs/concord/runtime/v2/runner/sensitiveData/concord.yaml
@@ -12,6 +12,7 @@ flows:
     - log: "map: ${sensitiveTask.getSensitiveMap('XXX-MAP')}"
     - log: "map: ${sensitiveTask.getSensitiveMapStrict('XXX-MAP')}"
     - log: "map.nested: ${sensitiveTask.getSensitiveMapWithNested('top-secret-nested-value')}"
+    - log: "map.path: ${sensitiveTask.getSensitiveMapWithPath('mask-this-value')}"
 
     - log: "plain: ${sensitiveTask.getPlain('plain')}"
 
diff --git a/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/el/resolvers/SensitiveDataProcessor.java b/runtime/v2/runner/src/main/java/com/walmartlabs/concord/runtime/v2/runner/el/resolvers/SensitiveDataProcessor.java
@@ -21,6 +21,7 @@
  */
 
 import com.google.inject.Inject;
+import com.walmartlabs.concord.common.ConfigurationUtils;
 import com.walmartlabs.concord.runtime.v2.sdk.SensitiveData;
 import com.walmartlabs.concord.runtime.v2.sdk.SensitiveDataHolder;
 
@@ -39,6 +40,7 @@ public SensitiveDataProcessor(SensitiveDataHolder sensitiveDataHolder) {
         this.sensitiveDataHolder = sensitiveDataHolder;
     }
 
+    @SuppressWarnings("unchecked")
     public void process(Object value, Method method) {
         if (value == null || method == null) {
             return;
@@ -51,17 +53,44 @@ public void process(Object value, Method method) {
 
         if (value instanceof String) {
             sensitiveDataHolder.add((String) value);
-        } else if (value instanceof Map<?, ?> m) {
-            var keys = a.keys() != null && a.keys().length > 0 ? new HashSet<Object>(Arrays.asList(a.keys())) : m.keySet();
-
-            for (var key : keys) {
-                var v = m.get(key);
-                if (v instanceof String) {
-                    sensitiveDataHolder.add((String) v);
-                } else if (a.includeNestedValues() && v instanceof Map<?,?> nested) {
-                    processNestedValues(nested, 0);
+        }
+
+        if (value instanceof Map<?, ?> m) {
+            collectFromMap((Map<String, Object>) m, a);
+        }
+    }
+
+    private void collectFromMap(Map<String, Object> m, SensitiveData a) {
+        // paths
+        if (a.paths() != null && a.paths().length > 0) {
+            for (var p : a.paths()) {
+                var path = p.split("\\.");
+                if (ConfigurationUtils.has(m, path)) {
+                    var v = ConfigurationUtils.get(m, path);
+                    collectValue(v, a);
                 }
             }
+            return;
+        }
+
+        // all keys or specific keys
+        var keys = (a.keys() != null && a.keys().length > 0)
+                ? new HashSet<>(Arrays.asList(a.keys()))
+                : m.keySet();
+
+        for (var key : keys) {
+            collectValue(m.get(key), a);
+        }
+    }
+
+    private void collectValue(Object v, SensitiveData a) {
+        if (v instanceof String s) {
+            sensitiveDataHolder.add(s);
+            return;
+        }
+
+        if (a.includeNestedValues() && v instanceof Map<?, ?> nested) {
+            processNestedValues(nested, 0);
         }
     }
 
diff --git a/runtime/v2/sdk/src/main/java/com/walmartlabs/concord/runtime/v2/sdk/SensitiveData.java b/runtime/v2/sdk/src/main/java/com/walmartlabs/concord/runtime/v2/sdk/SensitiveData.java
@@ -51,5 +51,7 @@
 
     String[] keys() default {};
 
+    String[] paths() default {};
+
     boolean includeNestedValues() default false;
 }

Original file line number	Diff line number	Diff line change
`@@ -51,5 +51,7 @@`
`51`	`51`
`52`	`52`	`String[] keys() default {};`
`53`	`53`
	`54`	`+ String[] paths() default {};`
	`55`	`+`
`54`	`56`	`boolean includeNestedValues() default false;`
`55`	`57`	`}`