PMM-14962 Avoid printing sensitive info into log stream #5205

Open
maxkondr wants to merge 8 commits into v3 from PMM-14962-redact-credentials
@maxkondr maxkondr commented Apr 2, 2026

PMM-14962

Link to the Feature Build: Percona-Lab/pmm-submodules#4290

  1. A new Protobuf extension, `sensitive`, is introduced that contains several values:
    • REDACT_TYPE_FULL - fully replace string value with redact mask
    • REDACT_TYPE_MASK - partially replace string value with redact mask
    • REDACT_TYPE_DSN - replace credentials only in DSN with redact mask
  2. Our protobuf message fields were annotated accordingly, like the following:

```proto
message BuiltinAgent {
    inventory.v1.AgentType type = 1;
    string dsn = 2 [(extensions.v1.sensitive) = REDACT_TYPE_DSN];
    ....
}
```

  3. A new logger helper function is introduced: `logger.RedactMessage`, which shall be used whenever a proto message is printed into the log stream. It:
    • looks up the sensitive annotation for fields in the proto message
    • applies value redaction according to the defined sensitivity (REDACT_TYPE_FULL, REDACT_TYPE_MASK, REDACT_TYPE_DSN)
    • returns a copy of the original message with redacted values, so it is safe to use without risk of changing the original message
    • uses an internal cache to speed up the reflection process: processing the first message builds the cache for that message type, and subsequent messages of the same type are processed much faster
    • shall be used like the following:

```go
c.l.Debugf("Sending message (%d bytes): %s.", size, logger.RedactMessage(msg))
```

or

```go
c.l.Debugf("Sending message (%d bytes):\n%s\n", size, prototext.Format(logger.RedactMessage(msg)))
```

  4. The log output will look like the following:

```
time="2026-04-02T11:00:17.048+00:00" level=debug msg="Starting: 
/usr/local/percona/pmm/exporters/postgres_exporter ... (environment: 
DATA_SOURCE_NAME=postgres://***REDACTED***:***REDACTED***@127.0.0.1:5432/postgres?
connect_timeout=1&sslmode=disable)." ...
```
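
An added illustration of the annotation-driven approach described in the comment above, not PMM's `logger.RedactMessage` implementation: Go struct tags stand in for the `sensitive` proto field option, the tag values `dsn` and `full` are assumed names, and the per-type reflection cache is left out. `agent`, `Redact`, `redactDSN` and the sample DSN are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"reflect"
)

const mask = "***REDACTED***" // mask string as it appears in the PR's sample log line

// redactDSN masks the userinfo of a URL-style DSN; anything else fails closed.
func redactDSN(dsn string) string {
	u, err := url.Parse(dsn)
	if err != nil || u.Host == "" {
		return mask // not scheme://host form (e.g. key=value DSN): hide it all
	}
	if u.User == nil {
		return dsn // no credentials embedded in the authority part
	}
	return u.Scheme + "://" + mask + ":" + mask + "@" + u.Host + u.RequestURI()
}

// Redact returns a redacted copy of *p; the original is never modified.
// Assumption: T is a struct and every tagged field is an exported string.
func Redact[T any](p *T) *T {
	cp := *p
	v := reflect.ValueOf(&cp).Elem()
	for i := 0; i < v.NumField(); i++ {
		switch f := v.Field(i); v.Type().Field(i).Tag.Get("sensitive") {
		case "": // not annotated: leave as is
		case "dsn":
			f.SetString(redactDSN(f.String()))
		default: // "full" and any unrecognised mode get the whole value masked
			f.SetString(mask)
		}
	}
	return &cp
}

// agent is a constructed stand-in for an annotated proto message.
type agent struct {
	Type  string
	DSN   string `sensitive:"dsn"`
	Token string `sensitive:"full"`
}

func main() {
	a := &agent{"postgres_exporter", "postgres://pmm:s3cret@127.0.0.1:5432/postgres?sslmode=disable", "t0k3n"}
	fmt.Printf("logged: %+v\noriginal DSN intact: %s\n", *Redact(a), a.DSN)
}
```

Credentials carried as query parameters are outside what this sketch handles; only the userinfo part of the URL is masked.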

maxkondr added 2 commits April 2, 2026 16:03
- New Protobuf extension is introduced `redact` that contains several values:
-- REDACT_TYPE_FULL - fully replace string value with redact mask
-- REDACT_TYPE_MASK - partially replace string value with redact mask
-- REDACT_TYPE_DSN - replace credentials only in DSN with redact mask

- Our protobuf message fields were annotated accordingly.
@maxkondr maxkondr self-assigned this Apr 2, 2026
@maxkondr maxkondr requested a review from a team as a code owner April 2, 2026 13:13
@maxkondr maxkondr requested review from JiriCtvrtka and ademidoff and removed request for a team April 2, 2026 13:13
codecov bot commented Apr 2, 2026

Codecov Report

❌ Patch coverage is 0% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 47.67%. Comparing base (291c4f5) to head (9dad607).
⚠️ Report is 2 commits behind head on v3.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| agent/agents/process/process.go | 0.00% | 4 Missing ⚠️ |
| agent/client/channel/channel.go | 0.00% | 4 Missing ⚠️ |
| managed/services/agents/channel/channel.go | 0.00% | 4 Missing ⚠️ |
| managed/services/agents/state.go | 0.00% | 2 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##               v3    #5205      +/-   ##
==========================================
- Coverage   47.75%   47.67%   -0.08%     
==========================================
  Files         410      410              
  Lines       41981    41985       +4     
==========================================
- Hits        20046    20015      -31     
+ Misses      19957    19943      -14     
- Partials     1978     2027      +49     

| Flag | Coverage Δ |
|---|---|
| admin | 35.80% <ø> (ø) |
| agent | 52.83% <0.00%> (-0.34%) ⬇️ |
| managed | 47.72% <0.00%> (+<0.01%) ⬆️ |
| vmproxy | 72.09% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.


@ademidoff ademidoff left a comment

Good job! What is the performance implication of this?

@maxkondr maxkondr requested a review from ademidoff April 8, 2026 13:38
maxkondr commented Apr 9, 2026

> Good job! What is the performance implication of this?

Results from benchmark tests:

BenchmarkFormatWithRedactionSetStateRequest-12       26769  43920 ns/op  69680 B/op  683 allocs/op
BenchmarkFormatWithoutRedactionSetStateRequest-12    41848  28942 ns/op  55237 B/op  376 allocs/op

But there are a few points:

  1. The performance penalty applies only when debug logging is enabled.
  2. The redaction function is cache-based: the slowest execution is when it processes a message type for the first time. On subsequent iterations with the same message type it uses the local cache and avoids reflection of the whole message.
