Opensearch transport query sanitization (#15634)

Co-authored-by: Lauri Tulmin <ltulmin@splunk.com>

Author: mznet

instrumentation/opensearch/README.md

@@ -3,3 +3,10 @@
 | System property                                                | Type    | Default | Description                                         |
 | -------------------------------------------------------------- | ------- | ------- | --------------------------------------------------- |
 | `otel.instrumentation.opensearch.experimental-span-attributes` | Boolean | `false` | Enable the capture of experimental span attributes. |
+
+## Settings for the [OpenSearch Java Client](https://docs.opensearch.org/latest/clients/java/) instrumentation
+
+| System property                                                | Type    | Default | Description                                          |
+|----------------------------------------------------------------|---------|---------|------------------------------------------------------|
+| `otel.instrumentation.opensearch.experimental-span-attributes` | Boolean | `false` | Enable the capture of experimental span attributes.  |
+| `otel.instrumentation.opensearch.capture-search-query`         | Boolean | `true`  | Enable the capture of sanitized search query bodies. |

instrumentation/opensearch/opensearch-java-3.0/javaagent/build.gradle.kts

@@ -18,19 +18,20 @@ dependencies {
   library("org.opensearch.client:opensearch-java:3.0.0")
   compileOnly("com.google.auto.value:auto-value-annotations")
   annotationProcessor("com.google.auto.value:auto-value")
+  compileOnly("com.fasterxml.jackson.core:jackson-core")
 
   testImplementation("org.opensearch.client:opensearch-rest-client:3.0.0")
   testImplementation(project(":instrumentation:opensearch:opensearch-rest-common:testing"))
   testInstrumentation(project(":instrumentation:apache-httpclient:apache-httpclient-5.0:javaagent"))
 
-  // For testing AwsSdk2Transport
+  // AwsSdk2Transport supports awssdk version 2.26.0
   testInstrumentation(project(":instrumentation:apache-httpclient:apache-httpclient-4.0:javaagent"))
   testInstrumentation(project(":instrumentation:netty:netty-4.1:javaagent"))
-  testImplementation("software.amazon.awssdk:auth:2.22.0")
-  testImplementation("software.amazon.awssdk:identity-spi:2.22.0")
-  testImplementation("software.amazon.awssdk:apache-client:2.22.0")
-  testImplementation("software.amazon.awssdk:netty-nio-client:2.22.0")
-  testImplementation("software.amazon.awssdk:regions:2.22.0")
+  testImplementation("software.amazon.awssdk:auth:2.26.0")
+  testImplementation("software.amazon.awssdk:identity-spi:2.26.0")
+  testImplementation("software.amazon.awssdk:apache-client:2.26.0")
+  testImplementation("software.amazon.awssdk:netty-nio-client:2.26.0")
+  testImplementation("software.amazon.awssdk:regions:2.26.0")
 }
 
 tasks {
@@ -39,14 +40,34 @@ tasks {
     systemProperty("collectMetadata", findProperty("collectMetadata")?.toString() ?: "false")
   }
 
+  test {
+    filter {
+      excludeTestsMatching("OpenSearchDisabledCaptureSearchQueryTest")
+    }
+  }
+
+  val testDisabledCaptureSearchQuery by registering(Test::class) {
+    testClassesDirs = sourceSets.test.get().output.classesDirs
+    classpath = sourceSets.test.get().runtimeClasspath
+
+    filter {
+      includeTestsMatching("OpenSearchDisabledCaptureSearchQueryTest")
+    }
+    jvmArgs("-Dotel.instrumentation.opensearch.capture-search-query=false")
+  }
+
   val testStableSemconv by registering(Test::class) {
     testClassesDirs = sourceSets.test.get().output.classesDirs
     classpath = sourceSets.test.get().runtimeClasspath
+
+    filter {
+      excludeTestsMatching("OpenSearchDisabledCaptureSearchQueryTest")
+    }
     jvmArgs("-Dotel.semconv-stability.opt-in=database")
     systemProperty("metadataConfig", "otel.semconv-stability.opt-in=database")
   }
 
   check {
-    dependsOn(testStableSemconv)
+    dependsOn(testStableSemconv, testDisabledCaptureSearchQuery)
   }
 }

instrumentation/opensearch/opensearch-java-3.0/javaagent/src/main/java/io/opentelemetry/javaagent/instrumentation/opensearch/v3_0/OpenSearchAttributesGetter.java

@@ -26,7 +26,12 @@ public String getDbNamespace(OpenSearchRequest request) {
   @Override
   @Nullable
   public String getDbQueryText(OpenSearchRequest request) {
-    return request.getMethod() + " " + request.getEndpoint();
+    if (request.getBody() == null) {
+      // fall back to method and endpoint if capturing the query body is disabled or if the body is
+      // not available
+      return request.getMethod() + " " + request.getEndpoint();
+    }
+    return request.getBody();
   }
 
   @Override

instrumentation/opensearch/opensearch-java-3.0/javaagent/src/main/java/io/opentelemetry/javaagent/instrumentation/opensearch/v3_0/OpenSearchBodyExtractor.java

@@ -0,0 +1,99 @@
+/*
+ * Copyright The OpenTelemetry Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package io.opentelemetry.javaagent.instrumentation.opensearch.v3_0;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.util.logging.Level.FINE;
+
+import com.fasterxml.jackson.core.JsonFactory;
+import jakarta.json.stream.JsonGenerator;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.Iterator;
+import java.util.logging.Logger;
+import javax.annotation.Nullable;
+import org.opensearch.client.json.JsonpMapper;
+import org.opensearch.client.json.NdJsonpSerializable;
+import org.opensearch.client.json.jackson.JacksonJsonpGenerator;
+import org.opensearch.client.json.jackson.JacksonJsonpMapper;
+
+public final class OpenSearchBodyExtractor {
+
+  private static final Logger logger = Logger.getLogger(OpenSearchBodyExtractor.class.getName());
+  private static final String QUERY_SEPARATOR = ";";
+  private static final JsonFactory JSON_FACTORY = new JsonFactory();
+
+  @Nullable
+  public static String extractSanitized(JsonpMapper mapper, Object request) {
+    try {
+      if (request instanceof NdJsonpSerializable) {
+        return serializeNdJsonSanitized(mapper, (NdJsonpSerializable) request);
+      }
+
+      return serializeSanitized(mapper, request);
+    } catch (Exception exception) {
+      logger.log(FINE, "Failure extracting body", exception);
+      return null;
+    }
+  }
+
+  @Nullable
+  private static String serializeSanitized(JsonpMapper mapper, Object item) throws IOException {
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+    if (mapper instanceof JacksonJsonpMapper) {
+      // Use Jackson-based sanitizing generator for JacksonJsonpMapper
+      com.fasterxml.jackson.core.JsonGenerator jacksonGenerator =
+          JSON_FACTORY.createGenerator(baos);
+      com.fasterxml.jackson.core.JsonGenerator sanitizingGenerator =
+          new SanitizingJacksonJsonGenerator(jacksonGenerator);
+      try (JsonGenerator generator = new JacksonJsonpGenerator(sanitizingGenerator)) {
+        mapper.serialize(item, generator);
+      }
+    } else {
+      // Fallback for other mappers (may not work for all implementations)
+      JsonGenerator rawGenerator = mapper.jsonProvider().createGenerator(baos);
+      try (JsonGenerator generator = new SanitizingJsonGenerator(rawGenerator)) {
+        mapper.serialize(item, generator);
+      }
+    }
+
+    String result = baos.toString(UTF_8).trim();
+    return result.isEmpty() ? null : result;
+  }
+
+  @Nullable
+  private static String serializeNdJsonSanitized(JsonpMapper mapper, NdJsonpSerializable value)
+      throws IOException {
+    StringBuilder result = new StringBuilder();
+    Iterator<?> values = value._serializables();
+    boolean first = true;
+
+    while (values.hasNext()) {
+      Object item = values.next();
+      String itemStr;
+
+      if (item instanceof NdJsonpSerializable && item != value) {
+        // Recursively handle nested NdJsonpSerializable
+        itemStr = serializeNdJsonSanitized(mapper, (NdJsonpSerializable) item);
+      } else {
+        itemStr = serializeSanitized(mapper, item);
+      }
+
+      if (itemStr != null && !itemStr.isEmpty()) {
+        if (!first) {
+          result.append(QUERY_SEPARATOR);
+        }
+        result.append(itemStr);
+        first = false;
+      }
+    }
+
+    return result.length() == 0 ? null : result.toString();
+  }
+
+  private OpenSearchBodyExtractor() {}
+}

instrumentation/opensearch/opensearch-java-3.0/javaagent/src/main/java/io/opentelemetry/javaagent/instrumentation/opensearch/v3_0/OpenSearchRequest.java

@@ -6,15 +6,19 @@
 package io.opentelemetry.javaagent.instrumentation.opensearch.v3_0;
 
 import com.google.auto.value.AutoValue;
+import javax.annotation.Nullable;
 
 @AutoValue
 public abstract class OpenSearchRequest {
 
-  public static OpenSearchRequest create(String method, String endpoint) {
-    return new AutoValue_OpenSearchRequest(method, endpoint);
+  public static OpenSearchRequest create(String method, String endpoint, @Nullable String body) {
+    return new AutoValue_OpenSearchRequest(method, endpoint, body);
   }
 
   public abstract String getMethod();
 
   public abstract String getEndpoint();
+
+  @Nullable
+  public abstract String getBody();
 }

instrumentation/opensearch/opensearch-java-3.0/javaagent/src/main/java/io/opentelemetry/javaagent/instrumentation/opensearch/v3_0/OpenSearchSingletons.java

@@ -6,6 +6,7 @@
 package io.opentelemetry.javaagent.instrumentation.opensearch.v3_0;
 
 import io.opentelemetry.api.GlobalOpenTelemetry;
+import io.opentelemetry.instrumentation.api.incubator.config.internal.DeclarativeConfigUtil;
 import io.opentelemetry.instrumentation.api.incubator.semconv.db.DbClientAttributesExtractor;
 import io.opentelemetry.instrumentation.api.incubator.semconv.db.DbClientMetrics;
 import io.opentelemetry.instrumentation.api.incubator.semconv.db.DbClientSpanNameExtractor;
@@ -15,6 +16,10 @@
 public final class OpenSearchSingletons {
   private static final Instrumenter<OpenSearchRequest, Void> INSTRUMENTER = createInstrumenter();
 
+  public static final boolean CAPTURE_SEARCH_QUERY =
+      DeclarativeConfigUtil.getInstrumentationConfig(GlobalOpenTelemetry.get(), "opensearch")
+          .getBoolean("capture_search_query", true);
+
   public static Instrumenter<OpenSearchRequest, Void> instrumenter() {
     return INSTRUMENTER;
   }

instrumentation/opensearch/opensearch-java-3.0/javaagent/src/main/java/io/opentelemetry/javaagent/instrumentation/opensearch/v3_0/OpenSearchTransportInstrumentation.java

@@ -21,7 +21,11 @@
 import net.bytebuddy.asm.Advice;
 import net.bytebuddy.description.type.TypeDescription;
 import net.bytebuddy.matcher.ElementMatcher;
+import org.opensearch.client.json.JsonpMapper;
+import org.opensearch.client.opensearch.core.MsearchRequest;
+import org.opensearch.client.opensearch.core.SearchRequest;
 import org.opensearch.client.transport.Endpoint;
+import org.opensearch.client.transport.OpenSearchTransport;
 
 public class OpenSearchTransportInstrumentation implements TypeInstrumentation {
   @Override
@@ -60,10 +64,21 @@ private AdviceScope(OpenSearchRequest otelRequest, Context context, Scope scope)
     }
 
     @Nullable
-    public static AdviceScope start(Object request, Endpoint<Object, Object, Object> endpoint) {
+    public static AdviceScope start(
+        Object request, Endpoint<Object, Object, Object> endpoint, JsonpMapper jsonpMapper) {
       Context parentContext = Context.current();
+
+      String queryBody = null;
+
+      if (OpenSearchSingletons.CAPTURE_SEARCH_QUERY
+          && (request instanceof SearchRequest || request instanceof MsearchRequest)) {
+        queryBody = OpenSearchBodyExtractor.extractSanitized(jsonpMapper, request);
+      }
+
       OpenSearchRequest otelRequest =
-          OpenSearchRequest.create(endpoint.method(request), endpoint.requestUrl(request));
+          OpenSearchRequest.create(
+              endpoint.method(request), endpoint.requestUrl(request), queryBody);
+
       if (!instrumenter().shouldStart(parentContext, otelRequest)) {
         return null;
       }
@@ -94,9 +109,10 @@ public static class PerformRequestAdvice {
 
     @Advice.OnMethodEnter(suppress = Throwable.class)
     public static AdviceScope onEnter(
+        @Advice.This OpenSearchTransport openSearchTransport,
         @Advice.Argument(0) Object request,
         @Advice.Argument(1) Endpoint<Object, Object, Object> endpoint) {
-      return AdviceScope.start(request, endpoint);
+      return AdviceScope.start(request, endpoint, openSearchTransport.jsonpMapper());
     }
 
     @Advice.OnMethodExit(onThrowable = Throwable.class, suppress = Throwable.class)
@@ -114,9 +130,11 @@ public static class PerformRequestAsyncAdvice {
 
     @Advice.OnMethodEnter(suppress = Throwable.class)
     public static Object[] onEnter(
+        @Advice.This OpenSearchTransport openSearchTransport,
         @Advice.Argument(0) Object request,
         @Advice.Argument(1) Endpoint<Object, Object, Object> endpoint) {
-      AdviceScope adviceScope = AdviceScope.start(request, endpoint);
+      AdviceScope adviceScope =
+          AdviceScope.start(request, endpoint, openSearchTransport.jsonpMapper());
       return new Object[] {adviceScope};
     }
 

instrumentation/opensearch/opensearch-java-3.0/javaagent/src/main/java/io/opentelemetry/javaagent/instrumentation/opensearch/v3_0/SanitizingJacksonJsonGenerator.java

@@ -0,0 +1,99 @@
+/*
+ * Copyright The OpenTelemetry Authors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package io.opentelemetry.javaagent.instrumentation.opensearch.v3_0;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.util.JsonGeneratorDelegate;
+import java.io.IOException;
+import java.math.BigDecimal;
+import java.math.BigInteger;
+
+/**
+ * A Jackson JsonGenerator wrapper that sanitizes all literal values by replacing them with "?".
+ * This is used to sanitize OpenSearch query bodies before they are captured as span attributes,
+ * ensuring that sensitive data is not exposed in telemetry.
+ */
+final class SanitizingJacksonJsonGenerator extends JsonGeneratorDelegate {
+
+  private static final String MASKED_VALUE = "?";
+
+  SanitizingJacksonJsonGenerator(JsonGenerator delegate) {
+    super(delegate);
+  }
+
+  // String value methods - sanitize
+
+  @Override
+  public void writeString(String value) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  @Override
+  public void writeString(char[] buffer, int offset, int length) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  @Override
+  public void writeRawUTF8String(byte[] buffer, int offset, int length) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  @Override
+  public void writeUTF8String(byte[] buffer, int offset, int length) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  // Number value methods - sanitize
+
+  @Override
+  public void writeNumber(int value) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  @Override
+  public void writeNumber(long value) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  @Override
+  public void writeNumber(float value) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  @Override
+  public void writeNumber(double value) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  @Override
+  public void writeNumber(BigInteger value) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  @Override
+  public void writeNumber(BigDecimal value) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  @Override
+  public void writeNumber(String encodedValue) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  // Boolean value methods - sanitize
+
+  @Override
+  public void writeBoolean(boolean value) throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+
+  // Null value methods - sanitize
+
+  @Override
+  public void writeNull() throws IOException {
+    delegate.writeString(MASKED_VALUE);
+  }
+}