001/* 002 * Copyright 2015-2022 Transmogrify LLC, 2022-2026 Revetware LLC. 003 * 004 * Licensed under the Apache License, Version 2.0 (the "License"); 005 * you may not use this file except in compliance with the License. 006 * You may obtain a copy of the License at 007 * 008 * http://www.apache.org/licenses/LICENSE-2.0 009 * 010 * Unless required by applicable law or agreed to in writing, software 011 * distributed under the License is distributed on an "AS IS" BASIS, 012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 013 * See the License for the specific language governing permissions and 014 * limitations under the License. 015 */ 016 017package com.pyranid; 018 019import org.jspecify.annotations.NonNull; 020import org.jspecify.annotations.Nullable; 021 022import javax.annotation.concurrent.ThreadSafe; 023 024/** 025 * Converts non-secure bound parameter values into safe display values for diagnostics. 026 * <p> 027 * This is display-only: it does not change what is bound to the database. Pyranid never invokes a 028 * {@code ParameterRedactor} for {@link SecureParameter} values; {@link SecureParameter#getMask()} always wins. For batch 029 * executions, Pyranid renders a bounded batch summary and does not invoke this redactor for individual batch values. 030 * <p> 031 * <strong>Scope.</strong> A {@code ParameterRedactor} governs Pyranid's rendering of its own {@code parameters=[...]} 032 * diagnostic list only. It does <em>not</em> reach text the database driver itself produces: driver error messages can 033 * echo bound values (for example, constraint-violation detail), and only values explicitly wrapped with 034 * {@link Parameters#secure} trigger Pyranid's best-effort scrub of driver-echoed text - see {@link SecureParameter} 035 * for that mechanism and its limits. Note that under the default {@link #none()}, non-secure values render verbatim 036 * in statement logs and exception text; configure {@link #redactAll()} or a custom redactor if diagnostics may leave 037 * a trusted boundary. 038 * <p> 039 * Redaction failures are fail-fast. If an implementation throws, Pyranid propagates the failure from the diagnostic 040 * rendering call site. 041 * 042 * @author <a href="https://www.revetkn.com">Mark Allen</a> 043 * @since 4.4.0 044 */ 045@ThreadSafe 046@FunctionalInterface 047public interface ParameterRedactor { 048 /** 049 * Redacts a single non-secure parameter for diagnostics. 050 * 051 * @param statementContext current SQL context 052 * @param parameterIndex zero-based index into {@link StatementContext#getParameters()} after IN-list expansion 053 * @param parameter parameter value to render safely 054 * @return the safe display value 055 */ 056 @Nullable 057 Object redactParameter(@NonNull StatementContext<?> statementContext, 058 int parameterIndex, 059 @Nullable Object parameter); 060 061 /** 062 * Acquires the default redactor, which renders non-secure values verbatim for non-batch executions. 063 * 064 * @return the default redactor 065 */ 066 @NonNull 067 static ParameterRedactor none() { 068 return (statementContext, parameterIndex, parameter) -> parameter; 069 } 070 071 /** 072 * Acquires a redactor that masks every non-secure value as {@code <redacted>}. 073 * 074 * @return a redactor that masks every non-secure value 075 */ 076 @NonNull 077 static ParameterRedactor redactAll() { 078 return (statementContext, parameterIndex, parameter) -> SecureParameterSupport.DEFAULT_MASK; 079 } 080}