modifications based on the feedback

anafalcao · anafalcao · commit 63c7918876c5 · 2025-01-31T09:33:55.000-03:00
diff --git a/aws_lambda_powertools/utilities/data_masking/base.py b/aws_lambda_powertools/utilities/data_masking/base.py
@@ -3,6 +3,7 @@
 import functools
 import logging
 import warnings
+from copy import deepcopy
 from typing import TYPE_CHECKING, Any, Callable, Mapping, Sequence, overload
 
 from jsonpath_ng.ext import parse
@@ -304,21 +305,11 @@ def _apply_masking_rules(self, data: dict, masking_rules: dict) -> dict:
         Returns:
             dict: The masked data dictionary
         """
-        result = data.copy()
+        result = deepcopy(data)
 
         for path, rule in masking_rules.items():
             try:
-                if ".." in path:
-                    # Handle recursive descent paths (e.g., "address..name")
-                    base_path, field = path.split("..")
-                    jsonpath_expr = parse(f"$.{base_path}..{field}")
-                elif "[" in path:
-                    # Handle array notation paths (e.g., "address[*].street")
-                    jsonpath_expr = parse(f"$.{path}")
-                else:
-                    # Handle simple field names (e.g., "email")
-                    jsonpath_expr = parse(f"$.{path}")
-
+                jsonpath_expr = parse(f"$.{path}")
                 matches = jsonpath_expr.find(result)
 
                 if not matches:
@@ -329,14 +320,8 @@ def _apply_masking_rules(self, data: dict, masking_rules: dict) -> dict:
                     try:
                         value = match.value
                         if value is not None:
-                            if isinstance(value, dict):
-                                # Handle dictionary values by masking each field
-                                for k, v in value.items():
-                                    if v is not None:
-                                        value[k] = self.provider.erase(str(v), **rule)
-                            else:
-                                masked_value = self.provider.erase(str(value), **rule)
-                                match.full_path.update(result, masked_value)
+                            masked_value = self.provider.erase(str(value), **rule)
+                            match.full_path.update(result, masked_value)
 
                     except Exception as e:
                         warnings.warn(f"Error masking value for path {path}: {str(e)}", stacklevel=2)
diff --git a/docs/utilities/data_masking.md b/docs/utilities/data_masking.md
@@ -123,7 +123,7 @@ The `erase` method also supports additional flags for more advanced and flexible
 
 === "dynamic_mask"
 
-    (bool) When set to `True`, this flag enables custom masking behavior. It activates the use of advanced masking techniques such as pattern-based or regex-based masking.
+    (bool) Enables dynamic masking behavior when set to `True`, by maintaining the original length and structure of the text replacing with *.
 
     > Expression: `data_masker.erase(data, fields=["address.zip"], dynamic_mask=True)`
 
@@ -152,6 +152,16 @@ The `erase` method also supports additional flags for more advanced and flexible
     ```python hl_lines="20"
     --8<-- "examples/data_masking/src/custom_data_masking.py"
     ```
+=== "Input example"
+
+    ```json
+    --8<-- "examples/data_masking/src/payload_custom_masking.json"
+    ```
+=== "Masking rules output example"
+
+    ```json hl_lines="4 5 10 21"
+    --8<-- "examples/data_masking/src/output_custom_masking.json"
+    ```
 
 ### Encrypting data
 
diff --git a/examples/data_masking/src/custom_data_masking.py b/examples/data_masking/src/custom_data_masking.py
@@ -13,8 +13,8 @@ def lambda_handler(event: dict, context: LambdaContext) -> dict:
     masking_rules = {
         "email": {"regex_pattern": "(.)(.*)(@.*)", "mask_format": r"\1****\3"},
         "age": {"dynamic_mask": True},
-        "address.zip": {"dynamic_mask": True, "custom_mask": "xxx"},
-        "address.street": {"dynamic_mask": False},
+        "address.zip": {"custom_mask": "xxx"},
+        "$.other_address[?(@.postcode > 12000)]": {"custom_mask": "Masked"},
     }
 
     result = data_masker.erase(data, masking_rules=masking_rules)
diff --git a/examples/data_masking/src/output_custom_masking.json b/examples/data_masking/src/output_custom_masking.json
@@ -0,0 +1,29 @@
+{
+    "id": 1,
+    "name": "John Doe",
+    "age": "**",
+    "email": "j****@example.com",
+    "address": {
+        "street": "123 Main St",
+        "city": "Anytown",
+        "state": "CA",
+        "zip": "xxx",
+        "postcode": 12345,
+        "product": {
+            "name": "Car"
+        }
+    },
+    "other_address": [
+        {
+            "postcode": 11345,
+            "street": "123 Any Drive"
+        },
+        "Masked"
+    ],
+    "company_address": {
+        "street": "456 ACME Ave",
+        "city": "Anytown",
+        "state": "CA",
+        "zip": "12345"
+    }
+}
diff --git a/examples/data_masking/src/payload_custom_masking.json b/examples/data_masking/src/payload_custom_masking.json
@@ -0,0 +1,34 @@
+{
+    "body": {
+        "id": 1,
+        "name": "Jane Doe",
+        "age": 30,
+        "email": "janedoe@example.com",
+        "address": {
+            "street": "123 Main St",
+            "city": "Anytown",
+            "state": "CA",
+            "zip": "12345",
+            "postcode": 12345,
+            "product": {
+                "name": "Car"
+            }
+        },
+        "other_address": [
+            {
+                "postcode": 11345,
+                "street": "123 Any Drive"
+            },
+            {
+                "postcode": 67890,
+                "street": "100 Main Street,"
+            }
+        ],
+        "company_address": {
+            "street": "456 ACME Ave",
+            "city": "Anytown",
+            "state": "CA",
+            "zip": "12345"
+        }
+    }
+}
diff --git a/tests/unit/data_masking/_aws_encryption_sdk/test_unit_data_masking.py b/tests/unit/data_masking/_aws_encryption_sdk/test_unit_data_masking.py
@@ -218,12 +218,16 @@ def test_parsing_nonexistent_fields_warning_on_missing_field():
 
 
 def test_regex_mask(data_masker):
-    data = "Hello! My name is Fulano Ciclano"
+    # GIVEN a str data type
+    data = "Hello! My name is John Doe"
+
+    # WHEN erase is called with regex pattern and mask format
     regex_pattern = r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"
     mask_format = "XXXX XXXX"
 
     result = data_masker.erase(data, regex_pattern=regex_pattern, mask_format=mask_format)
 
+    # THEN the result is the regex part masked by the masked format
     assert result == "Hello! My name is XXXX XXXX"
 
 
