[8.13] Add an option to disable APM user redaction (elastic#176566) (e…

…lastic#177140)

# Backport

This will backport the following commits from `main` to `8.13`:
- [Add an option to disable APM user redaction
(elastic#176566)](elastic#176566)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Pierre
Gayvallet","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-02-18T15:30:01Z","message":"Add
an option to disable APM user redaction (elastic#176566)\n\n##
Summary\r\n\r\nFix
https://github.com/elastic/kibana/issues/174743\r\n\r\nAdd an
`elastic.apm.redactUsers` configuration option that defaults
to\r\n`true` (preserving current
behavior)\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine
<[email protected]>","sha":"d65460cb3973826f680b0934815b9de7a0682905","branchLabelMapping":{"^v8.14.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","Team:Core","v8.13.0","v8.14.0"],"title":"Add
an option to disable APM user
redaction","number":176566,"url":"https://github.com/elastic/kibana/pull/176566","mergeCommit":{"message":"Add
an option to disable APM user redaction (elastic#176566)\n\n##
Summary\r\n\r\nFix
https://github.com/elastic/kibana/issues/174743\r\n\r\nAdd an
`elastic.apm.redactUsers` configuration option that defaults
to\r\n`true` (preserving current
behavior)\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine
<[email protected]>","sha":"d65460cb3973826f680b0934815b9de7a0682905"}},"sourceBranch":"main","suggestedTargetBranches":["8.13"],"targetPullRequestStates":[{"branch":"8.13","label":"v8.13.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.14.0","branchLabelMappingKey":"^v8.14.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/176566","number":176566,"mergeCommit":{"message":"Add
an option to disable APM user redaction (elastic#176566)\n\n##
Summary\r\n\r\nFix
https://github.com/elastic/kibana/issues/174743\r\n\r\nAdd an
`elastic.apm.redactUsers` configuration option that defaults
to\r\n`true` (preserving current
behavior)\r\n\r\n---------\r\n\r\nCo-authored-by: Kibana Machine
<[email protected]>","sha":"d65460cb3973826f680b0934815b9de7a0682905"}}]}]
BACKPORT-->

Co-authored-by: Pierre Gayvallet <[email protected]>

packages/kbn-apm-config-loader/src/apm_config.ts

@@ -24,4 +24,5 @@ const apmReusableConfigSchema = schema.object(
 
 export const apmConfigSchema = apmReusableConfigSchema.extends({
   servicesOverrides: schema.maybe(schema.recordOf(schema.string(), apmReusableConfigSchema)),
+  redactUsers: schema.maybe(schema.boolean({ defaultValue: true })),
 });

packages/kbn-apm-config-loader/src/config.test.ts

@@ -405,4 +405,30 @@ describe('ApmConfiguration', () => {
       );
     });
   });
+
+  describe('isUsersRedactionEnabled', () => {
+    it('defaults to true', () => {
+      const kibanaConfig = {
+        elastic: {
+          apm: {},
+        },
+      };
+
+      const config = new ApmConfiguration(mockedRootDir, kibanaConfig, false);
+      expect(config.isUsersRedactionEnabled()).toEqual(true);
+    });
+
+    it('uses the value defined in the config if specified', () => {
+      const kibanaConfig = {
+        elastic: {
+          apm: {
+            redactUsers: false,
+          },
+        },
+      };
+
+      const config = new ApmConfiguration(mockedRootDir, kibanaConfig, false);
+      expect(config.isUsersRedactionEnabled()).toEqual(false);
+    });
+  });
 });

packages/kbn-apm-config-loader/src/config.ts

@@ -93,6 +93,11 @@ export class ApmConfiguration {
     return baseConfig;
   }
 
+  public isUsersRedactionEnabled(): boolean {
+    const { redactUsers = true } = this.getConfigFromKibanaConfig();
+    return redactUsers;
+  }
+
   private getBaseConfig() {
     if (!this.baseConfig) {
       const configFromSources = this.getConfigFromAllSources();
@@ -287,7 +292,8 @@ export class ApmConfiguration {
    * Reads APM configuration from different sources and merges them together.
    */
   private getConfigFromAllSources(): AgentConfigOptions {
-    const { servicesOverrides, ...configFromKibanaConfig } = this.getConfigFromKibanaConfig();
+    const { servicesOverrides, redactUsers, ...configFromKibanaConfig } =
+      this.getConfigFromKibanaConfig();
     const configFromEnv = this.getConfigFromEnv(configFromKibanaConfig);
     const config = merge({}, configFromKibanaConfig, configFromEnv);
 

packages/kbn-apm-config-loader/src/init_apm.test.ts

@@ -15,14 +15,17 @@ describe('initApm', () => {
   let apmAddFilterMock: jest.Mock;
   let apmStartMock: jest.Mock;
   let getConfig: jest.Mock;
+  let isUsersRedactionEnabled: jest.Mock;
 
   beforeEach(() => {
     apmAddFilterMock = apm.addFilter as jest.Mock;
     apmStartMock = apm.start as jest.Mock;
     getConfig = jest.fn();
+    isUsersRedactionEnabled = jest.fn();
 
     mockLoadConfiguration.mockImplementation(() => ({
       getConfig,
+      isUsersRedactionEnabled,
     }));
   });
 
@@ -46,13 +49,29 @@ describe('initApm', () => {
     expect(getConfig).toHaveBeenCalledWith('service-name');
   });
 
-  it('registers a filter using `addFilter`', () => {
+  it('calls `apmConfigLoader.isUsersRedactionEnabled`', () => {
+    initApm(['foo', 'bar'], 'rootDir', true, 'service-name');
+
+    expect(isUsersRedactionEnabled).toHaveBeenCalledTimes(1);
+  });
+
+  it('registers a filter using `addFilter` when user redaction is enabled', () => {
+    isUsersRedactionEnabled.mockReturnValue(true);
+
     initApm(['foo', 'bar'], 'rootDir', true, 'service-name');
 
     expect(apmAddFilterMock).toHaveBeenCalledTimes(1);
     expect(apmAddFilterMock).toHaveBeenCalledWith(expect.any(Function));
   });
 
+  it('does not register a filter using `addFilter` when user redaction is disabled', () => {
+    isUsersRedactionEnabled.mockReturnValue(false);
+
+    initApm(['foo', 'bar'], 'rootDir', true, 'service-name');
+
+    expect(apmAddFilterMock).not.toHaveBeenCalled();
+  });
+
   it('starts apm with the config returned from `getConfig`', () => {
     const config = {
       foo: 'bar',

packages/kbn-apm-config-loader/src/init_apm.ts

@@ -16,24 +16,27 @@ export const initApm = (
 ) => {
   const apmConfigLoader = loadConfiguration(argv, rootDir, isDistributable);
   const apmConfig = apmConfigLoader.getConfig(serviceName);
+  const shouldRedactUsers = apmConfigLoader.isUsersRedactionEnabled();
 
   // we want to only load the module when effectively used
   // eslint-disable-next-line @typescript-eslint/no-var-requires
   const apm = require('elastic-apm-node');
 
   // Filter out all user PII
-  apm.addFilter((payload: Record<string, any>) => {
-    try {
-      if (payload.context?.user && typeof payload.context.user === 'object') {
-        Object.keys(payload.context.user).forEach((key) => {
-          payload.context.user[key] = '[REDACTED]';
-        });
+  if (shouldRedactUsers) {
+    apm.addFilter((payload: Record<string, any>) => {
+      try {
+        if (payload.context?.user && typeof payload.context.user === 'object') {
+          Object.keys(payload.context.user).forEach((key) => {
+            payload.context.user[key] = '[REDACTED]';
+          });
+        }
+      } catch (e) {
+        // just silently ignore the error
       }
-    } catch (e) {
-      // just silently ignore the error
-    }
-    return payload;
-  });
+      return payload;
+    });
+  }
 
   apm.start(apmConfig);
 };