Redact DoNotLog annotated values in toString and introduce dangerousToString

[mpritham]

Before this PR

Third party libraries can call toString on objects when constructing exceptions, leading to DoNotLog annotated fields appearing in logs. Having toString not contain any DoNotLog data will prevent this class of error.

Conjure generates toString methods on objects containing DoNotLog field values.

This PR adds the redactToStringDoNotLog flag (default off), that when enabled:

• Objects render DoNotLog fields as <name>: REDACTED in toString and contain a new method dangerousToString (annotated DoNotLog) that returns the full representation for the rare cases that need it.
• DoNotLog aliases return the bare literal "REDACTED" from toString.
  • Aliases do not need the dangerousToString method because they expose an equivalent method get
• Union variants whose member is DoNotLog redact the value in the wrapper's toString (both sealed and non-sealed paths)
  • Unions do not need the dangerousToString method because they expose an equivalent method getValue

There are certain cases where developers are using the toString value of Conjure objects with DoNotLog fields, so the flag is disabled by default, and will be rolled out repo by repo.

After this PR

==COMMIT_MSG==
Redact DoNotLog annotated values in toString and introduce dangerousToString
==COMMIT_MSG==

Possible downsides?

This introduces a new method for every generated object. We can't naively generate the dangerousToString only for objects with DoNotLog fields: a DoNotLog field could be removed from an object definition while a client calls the dangerousToString method which would lead to an ABI break. Solutions that try to take the previous state of a Conjure definition when generated code seem complicated and would be a divergence from Conjure's simple IR based code gen.

[changelog-app]

Generate changelog in changelog/@unreleased

Type (Select exactly one)

• Feature (Adding new functionality)
• Improvement (Improving existing functionality)
• Fix (Fixing an issue with existing functionality)
• Break (Creating a new major version by breaking public APIs)
• Deprecation (Removing functionality in a non-breaking way)
• Migration (Automatically moving data/functionality to a new system)

Description

Redact DoNotLog annotated values in toString and introduce dangerousToString

Check the box to generate changelog(s)

• Generate changelog entry

[aldexis]

This is not in fact DoNotLog anymore

[aldexis]

There are certain cases where developers are using the toString value of Conjure objects with DoNotLog fields, so the flag is disabled by default, and will be rolled out repo by repo.

Since this will be generated on the producer, but may cause issues on the consumers, I don't think it's safe to simply turn on the flag? We may instead need to start always introducing the dangerousToString methods, so consumers can migrate across the board (and we can then write automation to migrate everything), then get the flag turned on to also redact the main toString?

[aldexis]

I wonder if we should still provide a dangerousToString method for unions, because value() is no quite the same here, and I wonder if this is going to make migration more painful. We can also just not do anything for now and wait until we see migration issues, if any

[aldexis]

What is the replacement for this/the union's toString method? getValue() is private access, so we can't use it, and the visitor seems overkill 🤔

[aldexis]

Won't this redact the entire value if it's do-not-log, when we now actually have safe toString for conjure objects, which we could leverage? Probably good enough for a start, but seems like we may want to revisit that approach?

This actually makes me wonder whether the overall object itself should even be marked DoNotLog anymore (iirc, this mostly indicates the stringified log safety?)