feat(audit): ScadaBridge C2 — ScadaBridgeAuditRedactor/SafeDefaultAuditRedactor : IAuditRedactor on canonical record (Task 2.5)

2026-06-02 11:00:36 -04:00
parent 3d77dc003c
commit adfb4d385c
7 changed files with 1541 additions and 316 deletions
@@ -0,0 +1,91 @@
+using System.Text.RegularExpressions;
+using ZB.MOM.WW.Audit;
+using ZB.MOM.WW.ScadaBridge.AuditLog.Payload;
+using ZB.MOM.WW.ScadaBridge.Commons.Types.Audit;
+
+namespace ZB.MOM.WW.ScadaBridge.AuditLog.Redaction;
+
+/// <summary>
+/// Canonical-record analogue of <see cref="SafeDefaultAuditPayloadFilter"/> for
+/// stage C2 (Task 2.5): a minimal always-safe <see cref="IAuditRedactor"/>
+/// fallback for composition roots that bypass the full
+/// <see cref="ScadaBridgeAuditRedactor"/>. Performs line-oriented HTTP header
+/// redaction for the always-sensitive defaults (Authorization, X-Api-Key,
+/// Cookie, Set-Cookie) on the <c>RequestSummary</c> / <c>ResponseSummary</c>
+/// fields carried inside <c>ZB.MOM.WW.Audit.AuditEvent.DetailsJson</c>. Does NOT
+/// perform body-regex redaction, SQL-parameter redaction, or truncation — those
+/// need <see cref="ScadaBridgeAuditRedactor"/> with live options. Contract:
+/// over-redact safely, never throw, never miss a header on the default
+/// sensitive list.
+/// </summary>
+public sealed class SafeDefaultAuditRedactor : IAuditRedactor
+{
+    /// <summary>Singleton instance — the redactor is stateless and side-effect-free.</summary>
+    public static SafeDefaultAuditRedactor Instance { get; } = new SafeDefaultAuditRedactor();
+
+    private static readonly string[] DefaultHeaderRedactList =
+    {
+        "Authorization",
+        "X-Api-Key",
+        "Cookie",
+        "Set-Cookie",
+    };
+
+    private static readonly Regex HeaderRegex = new(
+        @"(?<name>[A-Za-z][A-Za-z0-9\-_]*)\s*:\s*(?<value>[^\r\n]*)",
+        RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+    private SafeDefaultAuditRedactor() { }
+
+    /// <inheritdoc />
+    public AuditEvent Apply(AuditEvent rawEvent)
+    {
+        ArgumentNullException.ThrowIfNull(rawEvent);
+
+        // Fast path: no DetailsJson means no summaries to scrub.
+        if (string.IsNullOrEmpty(rawEvent.DetailsJson))
+        {
+            return rawEvent;
+        }
+
+        try
+        {
+            var d = AuditDetailsCodec.Deserialize(rawEvent.DetailsJson);
+            var scrubbed = d with
+            {
+                RequestSummary = RedactHeaders(d.RequestSummary),
+                ResponseSummary = RedactHeaders(d.ResponseSummary),
+            };
+            return rawEvent with { DetailsJson = AuditDetailsCodec.Serialize(scrubbed) };
+        }
+        catch
+        {
+            // Over-redact: drop both summaries entirely so a malformed parse
+            // path never leaks the original. The contract is "never throw."
+            var safe = new AuditDetails
+            {
+                RequestSummary = "[redacted by SafeDefaultAuditRedactor]",
+                ResponseSummary = "[redacted by SafeDefaultAuditRedactor]",
+            };
+            return rawEvent with { DetailsJson = AuditDetailsCodec.Serialize(safe) };
+        }
+    }
+
+    private static string? RedactHeaders(string? summary)
+    {
+        if (string.IsNullOrEmpty(summary)) return summary;
+
+        return HeaderRegex.Replace(summary, m =>
+        {
+            var name = m.Groups["name"].Value;
+            foreach (var sensitive in DefaultHeaderRedactList)
+            {
+                if (string.Equals(name, sensitive, StringComparison.OrdinalIgnoreCase))
+                {
+                    return $"{name}: [REDACTED]";
+                }
+            }
+            return m.Value;
+        });
+    }
+}