@lrafeei lrafeei commented Sep 9, 2025

EDIT: The work on this PR will be deferred to the next deprecation removal cycle.

The future intent is to deprecate the following:

  1. capture_params setting
  2. WSGI environ dictionary key newrelic.capture_request_params and any other "newrelic.*" WSGI environ dictionary keys since there are APIs that perform the same tasks
  3. capture_request_params() API
  4. Any "newrelic.*" WSGI environ dictionary keys since there are APIs that perform the same tasks

Some background on the agent attributes and the request_parameters that get added:
  • transaction._request_params dict is populated in WebTransaction.__init__ if HSM is disabled
  • transaction.request_parameters is a property that returns the transaction._request_params dict with keys that are prefaced with “request.parameters.”
  • transaction.agent_attributes is a property that takes transaction._agent_attributes dict and runs it through settings.attribute_filter

In Transaction.exit:

    self._update_agent_attributes()  # adds more to self._agent_attributes dict
    root_agent_attributes = dict(self._agent_attributes)
    root_agent_attributes.update(self.request_parameters)
    ...
    agent_attributes = self.agent_attributes  # takes self._agent_attributes and runs it through attribute_filter
    agent_attributes.extend(self.filter_request_parameters(self.request_parameters))

root_agent_attributes is populated with unfiltered self._agent_attributes and self.request_parameters
agent_attributes is populated with filtered versions of self._agent_attributes and self.request_parameters as seen by self.agent_attributes and self.filter_request_parameters(self.request_parameters), respectively.

If the intention is to keep capture_request_params() or have some version of this, the application attribute settings should not be modified. Instead, circumvent this by updating self._agent_attributes to include self.request_parameters() when capture_request_params() is True, and clear self._request_params when capture_request_params() is set to False

And where HSM is enabled, put some version of this code for all DESTINATION.attributes.include in apply_local_high_security_mode_setting() to strip any variation of the "request.parameters.*" filters:

no_request_parameters_in_attributes_include = [
    attr for attr in settings.attributes.include if not attr.startswith("request.parameters.")
]
if settings.attributes.enabled and (settings.attributes.include != no_request_parameters_in_attributes_include):
    _logger.info(
        log_template,
        "attributes.include",
        str(settings.attributes.include),
        str(no_request_parameters_in_attributes_include),
    )
    settings.attributes.include = no_request_parameters_in_attributes_include

===========

This PR removes the deprecated capture_params setting.

While this setting has been removed, there are two settings that heavily relied upon this setting that were not removed:

  • environ setting newrelic.capture_request_params
  • capture_request_params API

Request parameters are a special kind of agent attribute that is prefaced with request.parameters.—with settings such as HSM, these need to be disabled. The analogous settings for capture_params are as follows:

capture_params = True:
    attributes.enabled = True
    attributes.include = ["request.parameters.*"]

capture_params = False:
    attributes.enabled = True
    attributes.exclude = ["request.parameters.*"]

(Default behavior, where the collection of request.parameters is disabled by default)
capture_params = None:
    attributes.enabled = True


github-actions bot commented Sep 9, 2025

🦙 MegaLinter status: ✅ SUCCESS

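| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 6 | | 0 | 0 | 0.91s |
| ✅ MARKDOWN | markdownlint | 7 | 0 | 0 | 0 | 1.3s |
| ✅ MARKDOWN | markdown-link-check | 7 | | 0 | 0 | 27.25s |
| ✅ PYTHON | ruff | 933 | 3 | 0 | 0 | 1.02s |
| ✅ PYTHON | ruff-format | 933 | 3 | 0 | 0 | 0.33s |
| ✅ YAML | prettier | 13 | 0 | 0 | 0 | 1.45s |
| ✅ YAML | v8r | 13 | | 0 | 0 | 6.57s |
| ✅ YAML | yamllint | 13 | | 0 | 0 | 0.64s |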

@mergify mergify bot added the tests-failing Tests failing in CI. label Sep 9, 2025

codecov-commenter commented Sep 9, 2025

Codecov Report

❌ Patch coverage is 16.66667% with 10 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (develop-11.0.0@bdcf2e8). Learn more about missing BASE report.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| newrelic/api/transaction.py | 25.00% | 5 Missing and 1 partial ⚠️ |
| newrelic/config.py | 0.00% | 4 Missing ⚠️ |
Additional details and impacted files
@@                Coverage Diff                @@
##             develop-11.0.0    #1485   +/-   ##
=================================================
  Coverage                  ?   65.05%           
=================================================
  Files                     ?      204           
  Lines                     ?    23546           
  Branches                  ?     3717           
=================================================
  Hits                      ?    15318           
  Misses                    ?     6904           
  Partials                  ?     1324           

@mergify mergify bot added the merge-conflicts Merge conflicts detected. label Sep 9, 2025
@lrafeei lrafeei force-pushed the remove_capture_params branch from c5942b6 to c47d692 Compare September 9, 2025 23:35
@lrafeei lrafeei marked this pull request as ready for review September 9, 2025 23:36
@lrafeei lrafeei requested a review from a team as a code owner September 9, 2025 23:36
@mergify mergify bot removed the merge-conflicts Merge conflicts detected. label Sep 9, 2025
@mergify mergify bot removed the tests-failing Tests failing in CI. label Sep 9, 2025

@TimPansino TimPansino left a comment

Haven't finished reading the whole thing yet, but I think this might need some redesign so posting these initial comments early.

Comment on lines 625 to 640
# While settings.capture_params has been removed, the Python Agent
# has not removed the newrelic specific environ setting for
# capturing request parameters.
self._capture_request_params = _lookup_environ_setting(environ, "newrelic.capture_request_params", None)

if self._capture_request_params:
self.settings.attributes.include.append("request.parameters.*")

# Make sure that if high security mode is enabled that
# capture of request params is still being disabled.
# No warning is issued for this in the logs because it
# is a per request configuration and would create a lot
# of noise.

if settings.high_security:
self.capture_params = False
self.settings.attributes.exclude.append("request.parameters.*")
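
Review bot: the two `append("request.parameters.*")` calls, on `self.settings.attributes.include` and, in the high-security branch, on `self.settings.attributes.exclude`, mutate settings lists from code that the comment here describes as per-request configuration; if that settings object is shared across transactions the entries accumulate and one request's environ key changes what later requests capture. Keep the decision in a per-transaction variable instead. The high-security branch also reads `settings.high_security` while the other lines use `self.settings`, and assigns `self.capture_params` rather than the `self._capture_request_params` set above, so after it runs `self._capture_request_params` may still be true.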

This section's behavior seems potentially incorrect with regards to high security. If high security mode is enabled, there shouldn't be any params captured. If it's not, THEN we could add the request params to the include list. Otherwise, we're going to see some conflicting settings for include and exclude where it's unclear which one should win.

Beyond that, this isn't correct as a user can set the include list to have a specific param included, and it will be included despite the exclude list set to *. This is because the attribute system prioritizes more specific over general when rules conflict.

This code seems like it's just recreating the behavior of capture_params under the hood, when really we should be taking it out altogether. Can we just remove this _capture_request_params attribute and replace it with:

  1. Checking for high security mode, and not allowing any param captures at all if enabled.
  2. Capturing the params and putting them through the attribute filter.

I'm not sure what the defaults are here and we may need to consider them, but that seems like the most sensible behavior.

Comment on lines 642 to 645
# Don't add request parameters at all, which means
# they will not go through the AttributeFilter.
if "request.parameters.*" in self.settings.attributes.exclude:
self._request_params.clear()
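
Review bot: the test `"request.parameters.*" in self.settings.attributes.exclude` is an exact string membership check, so it fires only for that one literal entry and never looks at `attributes.include`; because the comment states that cleared parameters do not reach the AttributeFilter, this branch decides capture on its own. Suggest dropping the early `clear()` and letting the filter evaluate each key, or at least documenting which exclude entries are meant to trigger it.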

This is not correct. The above explanation applies, where a user can set all params to be excluded with exclude set to request.parameters.*, but then include only specific params with include settings like request.parameters.my_param.

The current change breaks this functionality by not capturing them in the first place, so the more specific rules won't win like they're supposed to.
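
The precedence issue raised in the two review comments above, as an added example that is not code from the PR or from the agent: a simplified model of include/exclude resolution in which the most specific matching rule wins, compared against clearing the parameters before filtering. The tie-to-exclude rule, the function names `allowed`, `capture_filter_last` and `capture_clear_first`, and the sample parameters are assumptions made for illustration.

```python
# Simplified model of include/exclude resolution; NOT the agent's AttributeFilter.
PREFIX = "request.parameters."


def _match_len(rule, name):
    """Return a specificity score if rule matches name, else -1."""
    if rule.endswith("*"):
        stem = rule[:-1]
        return len(stem) if name.startswith(stem) else -1
    # An exact rule outranks any wildcard rule sharing its stem.
    return len(rule) + 1 if rule == name else -1


def allowed(name, include, exclude, default=False):
    """Most specific matching rule wins; a tie goes to exclude (assumed)."""
    inc = max((_match_len(r, name) for r in include), default=-1)
    exc = max((_match_len(r, name) for r in exclude), default=-1)
    if inc < 0 and exc < 0:
        return default  # request parameters stay off unless included
    return inc > exc


def capture_filter_last(params, include, exclude, high_security=False):
    """Order the reviewer proposes: HSM check first, then filter each key."""
    if high_security:
        return {}
    named = {PREFIX + k: v for k, v in params.items()}
    return {k: v for k, v in named.items() if allowed(k, include, exclude)}


def capture_clear_first(params, include, exclude, high_security=False):
    """Order in the reviewed hunk: a blanket exclude clears params early."""
    if high_security or PREFIX + "*" in exclude:
        return {}
    return capture_filter_last(params, include, exclude)


# Constructed sample request parameters and settings.
PARAMS = {"my_param": "42", "password": "s3cret"}
INCLUDE = ["request.parameters.my_param"]
EXCLUDE = ["request.parameters.*"]

if __name__ == "__main__":
    print(capture_filter_last(PARAMS, INCLUDE, EXCLUDE))
    print(capture_clear_first(PARAMS, INCLUDE, EXCLUDE))
    print(capture_filter_last(PARAMS, INCLUDE, EXCLUDE, high_security=True))
```

With the same settings, filtering last keeps only `request.parameters.my_param`, clearing first drops it along with everything else, and high security mode returns nothing in either order.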

@mergify mergify bot added the tests-failing Tests failing in CI. label Sep 11, 2025
@TimPansino TimPansino self-assigned this Sep 11, 2025

lrafeei commented Sep 11, 2025

Edited the PR description for more information, but the work on this will be deferred to the next deprecation cycle.

@lrafeei lrafeei closed this Sep 11, 2025