001/*
002 * Copyright 2015-2022 Transmogrify LLC, 2022-2026 Revetware LLC.
003 *
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 *
008 * http://www.apache.org/licenses/LICENSE-2.0
009 *
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016
017package com.pyranid;
018
019import org.jspecify.annotations.NonNull;
020import org.jspecify.annotations.Nullable;
021
022import javax.annotation.concurrent.ThreadSafe;
023
024/**
025 * Converts non-secure bound parameter values into safe display values for diagnostics.
026 * <p>
027 * This is display-only: it does not change what is bound to the database. Pyranid never invokes a
028 * {@code ParameterRedactor} for {@link SecureParameter} values; {@link SecureParameter#getMask()} always wins. For batch
029 * executions, Pyranid renders a bounded batch summary and does not invoke this redactor for individual batch values.
030 * <p>
031 * <strong>Scope.</strong> A {@code ParameterRedactor} governs Pyranid's rendering of its own {@code parameters=[...]}
032 * diagnostic list only. It does <em>not</em> reach text the database driver itself produces: driver error messages can
033 * echo bound values (for example, constraint-violation detail), and only values explicitly wrapped with
034 * {@link Parameters#secure} trigger Pyranid's best-effort scrub of driver-echoed text - see {@link SecureParameter}
035 * for that mechanism and its limits. Note that under the default {@link #none()}, non-secure values render verbatim
036 * in statement logs and exception text; configure {@link #redactAll()} or a custom redactor if diagnostics may leave
037 * a trusted boundary.
038 * <p>
039 * Redaction failures are fail-fast. If an implementation throws, Pyranid propagates the failure from the diagnostic
040 * rendering call site.
041 *
042 * @author <a href="https://www.revetkn.com">Mark Allen</a>
043 * @since 4.4.0
044 */
045@ThreadSafe
046@FunctionalInterface
047public interface ParameterRedactor {
048        /**
049         * Redacts a single non-secure parameter for diagnostics.
050         *
051         * @param statementContext current SQL context
052         * @param parameterIndex   zero-based index into {@link StatementContext#getParameters()} after IN-list expansion
053         * @param parameter        parameter value to render safely
054         * @return the safe display value
055         */
056        @Nullable
057        Object redactParameter(@NonNull StatementContext<?> statementContext,
058                                                                                                 int parameterIndex,
059                                                                                                 @Nullable Object parameter);
060
061        /**
062         * Acquires the default redactor, which renders non-secure values verbatim for non-batch executions.
063         *
064         * @return the default redactor
065         */
066        @NonNull
067        static ParameterRedactor none() {
068                return (statementContext, parameterIndex, parameter) -> parameter;
069        }
070
071        /**
072         * Acquires a redactor that masks every non-secure value as {@code <redacted>}.
073         *
074         * @return a redactor that masks every non-secure value
075         */
076        @NonNull
077        static ParameterRedactor redactAll() {
078                return (statementContext, parameterIndex, parameter) -> SecureParameterSupport.DEFAULT_MASK;
079        }
080}