refactor(logging): correlation scope + redaction on shared ILogRedactor seam

Move the per-request correlation context and secret redaction off the MEL mechanism onto the Serilog primitives the shared bootstrap consumes. - GatewayRequestLoggingMiddlewareExtensions now pushes the correlation properties (SessionId / WorkerProcessId / CorrelationId / CommandMethod / ClientIdentity) via Serilog LogContext.PushProperty for the request lifetime and pops them on completion, replacing MEL ILogger.BeginScope. Header parsing and property names are unchanged; GatewayLogScope remains the data holder. - Add GatewayLogRedactorAdapter : ILogRedactor delegating to the existing GatewayLogRedactor policy (mxgw_ bearer tokens / credential-bearing command values), registered as a singleton so the shared RedactionEnricher masks secrets on every event. Remove the now-dead GatewayLoggerExtensions MEL helper. - Tests: add GatewayLogRedactorAdapterTests; serialize the four host-building test classes into one non-parallel collection (HostBuildingCollection) so the process-wide Serilog bootstrap logger is not frozen by two concurrent host builds racing in parallel collections. The net48/x86 worker is untouched.
2026-06-01 08:06:28 -04:00
parent 4bf71a0b2c
commit deba5ed115
10 changed files with 236 additions and 27 deletions
@@ -0,0 +1,64 @@
 using ZB.MOM.WW.Telemetry.Serilog;
 namespace ZB.MOM.WW.MxGateway.Server.Diagnostics;
 /// <summary>
 /// Bridges the gateway's <see cref="GatewayLogRedactor"/> policy onto the shared
 /// <see cref="ILogRedactor"/> seam consumed by <c>ZB.MOM.WW.Telemetry.Serilog</c>'s redaction
 /// enricher. Applied to every Serilog log event before it reaches a sink, it masks the same
 /// secrets the original MEL-scope path masked: API-key bearer tokens / client identities
 /// (<c>mxgw_*</c>) and command values for credential-bearing MXAccess commands. All masking
 /// decisions delegate to <see cref="GatewayLogRedactor"/> — this type adds no new policy.
 /// </summary>
 public sealed class GatewayLogRedactorAdapter : ILogRedactor
 {
    /// <summary>Property name carrying a client identity / authorization header value.</summary>
    private const string ClientIdentityProperty = "ClientIdentity";
    /// <summary>Property name carrying a raw authorization header value.</summary>
    private const string AuthorizationProperty = "Authorization";
    /// <summary>Property name carrying the MXAccess command method, used to gate value redaction.</summary>
    private const string CommandMethodProperty = "CommandMethod";
    /// <summary>Property name carrying a command payload value that may bear credentials.</summary>
    private const string CommandValueProperty = "CommandValue";
    /// <summary>
    /// Masks any sensitive values in <paramref name="properties"/> in place using the shared
    /// <see cref="GatewayLogRedactor"/> policy. Identity/authorization properties have their API-key
    /// secret stripped; a command value is redacted when its associated command method bears
    /// credentials.
    /// </summary>
    /// <param name="properties">The mutable log-event property dictionary for the current event.</param>
    public void Redact(IDictionary<string, object?> properties)
    {
        ArgumentNullException.ThrowIfNull(properties);
        RedactIdentity(properties, ClientIdentityProperty);
        RedactIdentity(properties, AuthorizationProperty);
        RedactCommandValue(properties);
    }
    private static void RedactIdentity(IDictionary<string, object?> properties, string propertyName)
    {
        if (properties.TryGetValue(propertyName, out object? value) && value is string identity)
        {
            properties[propertyName] = GatewayLogRedactor.RedactClientIdentity(identity);
        }
    }
    private static void RedactCommandValue(IDictionary<string, object?> properties)
    {
        if (!properties.TryGetValue(CommandValueProperty, out object? value) || value is null)
        {
            return;
        }
        string? commandMethod = properties.TryGetValue(CommandMethodProperty, out object? method)
            ? method as string
            : null;
        properties[CommandValueProperty] = GatewayLogRedactor.RedactCommandValue(commandMethod, value);
    }
 }
@@ -1,20 +0,0 @@
 using Microsoft.Extensions.Logging;
 namespace ZB.MOM.WW.MxGateway.Server.Diagnostics;
 public static class GatewayLoggerExtensions
 {
    /// <summary>Begins a gateway log scope with the specified scope properties.</summary>
    /// <param name="logger">Logger used for diagnostic output.</param>
    /// <param name="scope">Scope properties to apply.</param>
    /// <returns>A disposable that ends the scope when disposed.</returns>
    public static IDisposable? BeginGatewayScope(
        this ILogger logger,
        GatewayLogScope scope)
    {
        ArgumentNullException.ThrowIfNull(logger);
        ArgumentNullException.ThrowIfNull(scope);
        return logger.BeginScope(scope.ToDictionary());
    }
 }
@@ -1,4 +1,5 @@
 using Microsoft.Extensions.Primitives;
 using Serilog.Context;
 namespace ZB.MOM.WW.MxGateway.Server.Diagnostics;
@@ -17,7 +18,12 @@ public static class GatewayRequestLoggingMiddlewareExtensions
    /// <summary>Header name for the command method name.</summary>
    public const string CommandMethodHeaderName = "x-command-method";
-    /// <summary>Adds gateway request logging scope middleware that reads correlation headers and redacts sensitive data.</summary>
+    /// <summary>
    /// Adds gateway request logging middleware that reads the correlation headers and pushes them
    /// as Serilog <see cref="LogContext"/> properties for the duration of the request. The pushed
    /// properties (SessionId / WorkerProcessId / CorrelationId / CommandMethod / ClientIdentity)
    /// are disposed when the request completes; the shared redaction enricher masks any secrets.
    /// </summary>
    /// <param name="app">Application builder.</param>
    public static IApplicationBuilder UseGatewayRequestLoggingScope(this IApplicationBuilder app)
    {
@@ -25,21 +31,56 @@ public static class GatewayRequestLoggingMiddlewareExtensions
        return app.Use(async (context, next) =>
        {
-            ILogger logger = context.RequestServices
+            GatewayLogScope scope = new(
                .GetRequiredService<ILoggerFactory>()
                .CreateLogger("MxGateway.Request");
            using IDisposable? scope = logger.BeginGatewayScope(new GatewayLogScope(
                SessionId: ReadHeader(context, SessionIdHeaderName),
                WorkerProcessId: ReadInt32Header(context, WorkerProcessIdHeaderName),
                CorrelationId: ReadUInt64Header(context, CorrelationIdHeaderName),
                CommandMethod: ReadHeader(context, CommandMethodHeaderName),
-                ClientIdentity: ReadHeader(context, "authorization")));
+                ClientIdentity: ReadHeader(context, "authorization"));
            using IDisposable correlationScope = PushCorrelationProperties(scope);
            await next(context);
        });
    }
    /// <summary>
    /// Pushes the populated <paramref name="scope"/> properties onto the Serilog
    /// <see cref="LogContext"/>, returning a single disposable that pops them all when the request
    /// completes. Only the properties present in <see cref="GatewayLogScope.ToDictionary"/> (which
    /// already applies the client-identity redaction policy) are pushed.
    /// </summary>
    /// <param name="scope">The correlation properties for the current request.</param>
    /// <returns>A disposable that removes the pushed properties on disposal.</returns>
    private static IDisposable PushCorrelationProperties(GatewayLogScope scope)
    {
        Stack<IDisposable> pushed = new();
        foreach (KeyValuePair<string, object?> property in scope.ToDictionary())
        {
            pushed.Push(LogContext.PushProperty(property.Key, property.Value));
        }
        return new CorrelationPropertyScope(pushed);
    }
    /// <summary>
    /// Disposes the pushed <see cref="LogContext"/> property bindings in reverse order, restoring
    /// the ambient context to its pre-request state.
    /// </summary>
    private sealed class CorrelationPropertyScope(Stack<IDisposable> bindings) : IDisposable
    {
        private readonly Stack<IDisposable> _bindings = bindings;
        public void Dispose()
        {
            while (_bindings.Count > 0)
            {
                _bindings.Pop().Dispose();
            }
        }
    }
    private static string? ReadHeader(HttpContext context, string headerName)
    {
        return context.Request.Headers.TryGetValue(headerName, out StringValues values)
@@ -84,6 +84,8 @@ public static class GatewayApplication
    /// <c>ZB.MOM.WW.Telemetry.Serilog</c> bootstrap (<see cref="ZbSerilogExtensions.AddZbSerilog"/>).
    /// Sinks and minimum level come from the <c>Serilog</c> configuration section; identity
    /// (<c>SiteId</c>/<c>NodeRole</c>) is read from <c>MxGateway:Telemetry</c> when present.
    /// Also registers the project's <see cref="ILogRedactor"/> adapter so the shared redaction
    /// enricher masks gateway secrets on every event.
    /// </summary>
    /// <param name="builder">The web application builder being configured.</param>
    private static void ConfigureSerilog(WebApplicationBuilder builder)
@@ -91,6 +93,8 @@ public static class GatewayApplication
        string? siteId = builder.Configuration["MxGateway:Telemetry:SiteId"];
        string? nodeRole = builder.Configuration["MxGateway:Telemetry:NodeRole"];
        builder.Services.AddSingleton<ILogRedactor, GatewayLogRedactorAdapter>();
        builder.AddZbSerilog(options =>
        {
            options.ServiceName = "mxgateway";
@@ -0,0 +1,92 @@
 using ZB.MOM.WW.MxGateway.Server.Diagnostics;
 using ZB.MOM.WW.Telemetry.Serilog;
 namespace ZB.MOM.WW.MxGateway.Tests.Diagnostics;
 /// <summary>
 /// Pins that <see cref="GatewayLogRedactorAdapter"/> applies the gateway's redaction policy through
 /// the shared <see cref="ILogRedactor"/> seam — the same secrets the former MEL-scope path masked
 /// must still be masked once events flow through the Serilog redaction enricher.
 /// </summary>
 public sealed class GatewayLogRedactorAdapterTests
 {
    private readonly ILogRedactor _redactor = new GatewayLogRedactorAdapter();
    /// <summary>Verifies the client identity property has its API-key secret stripped in place.</summary>
    [Fact]
    public void Redact_StripsApiKeySecretFromClientIdentity()
    {
        Dictionary<string, object?> properties = new()
        {
            ["ClientIdentity"] = "Bearer mxgw_operator01_super-secret",
        };
        _redactor.Redact(properties);
        Assert.Equal("Bearer mxgw_operator01_[redacted]", properties["ClientIdentity"]);
        Assert.DoesNotContain("super-secret", (string?)properties["ClientIdentity"]);
    }
    /// <summary>Verifies a raw authorization header property is redacted too.</summary>
    [Fact]
    public void Redact_StripsApiKeySecretFromAuthorizationProperty()
    {
        Dictionary<string, object?> properties = new()
        {
            ["Authorization"] = "Bearer mxgw_admin_top-secret",
        };
        _redactor.Redact(properties);
        Assert.Equal("Bearer mxgw_admin_[redacted]", properties["Authorization"]);
    }
    /// <summary>Verifies a command value is redacted for a credential-bearing command method.</summary>
    [Fact]
    public void Redact_RedactsCommandValueForCredentialBearingCommand()
    {
        Dictionary<string, object?> properties = new()
        {
            ["CommandMethod"] = "WriteSecured",
            ["CommandValue"] = "credential-bearing-value",
        };
        _redactor.Redact(properties);
        Assert.Equal(GatewayLogRedactor.RedactedValue, properties["CommandValue"]);
    }
    /// <summary>Verifies a command value is redacted by default (value logging disabled) for any command.</summary>
    [Fact]
    public void Redact_RedactsCommandValueByDefault()
    {
        Dictionary<string, object?> properties = new()
        {
            ["CommandMethod"] = "Write",
            ["CommandValue"] = "plaintext-tag-value",
        };
        _redactor.Redact(properties);
        Assert.Equal(GatewayLogRedactor.RedactedValue, properties["CommandValue"]);
    }
    /// <summary>Verifies non-sensitive properties are left untouched.</summary>
    [Fact]
    public void Redact_LeavesNonSensitivePropertiesUnchanged()
    {
        Dictionary<string, object?> properties = new()
        {
            ["SessionId"] = "session-1",
            ["CorrelationId"] = (ulong)99,
            ["ClientIdentity"] = "Bearer plain-token-no-marker",
        };
        _redactor.Redact(properties);
        Assert.Equal("session-1", properties["SessionId"]);
        Assert.Equal((ulong)99, properties["CorrelationId"]);
        // No mxgw_ marker — identity passes through unchanged.
        Assert.Equal("Bearer plain-token-no-marker", properties["ClientIdentity"]);
    }
 }
@@ -5,9 +5,11 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
 using ZB.MOM.WW.MxGateway.Server;
 using ZB.MOM.WW.MxGateway.Server.Dashboard;
 using ZB.MOM.WW.MxGateway.Tests.Gateway;
 namespace ZB.MOM.WW.MxGateway.Tests.Gateway.Dashboard;
 [Collection(HostBuildingCollection.Name)]
 public sealed class DashboardCookieOptionsTests
 {
    /// <summary>Verifies that the application configures secure dashboard authentication cookies.</summary>
@@ -4,9 +4,11 @@ using Microsoft.Extensions.DependencyInjection;
 using ZB.MOM.WW.MxGateway.Server;
 using ZB.MOM.WW.MxGateway.Server.Dashboard;
 using ZB.MOM.WW.MxGateway.Server.Dashboard.Hubs;
 using ZB.MOM.WW.MxGateway.Tests.Gateway;
 namespace ZB.MOM.WW.MxGateway.Tests.Gateway.Dashboard;
 [Collection(HostBuildingCollection.Name)]
 public sealed class DashboardHubsRegistrationTests
 {
    /// <summary>Verifies that dashboard build maps all three hubs and token endpoint.</summary>
@@ -9,6 +9,7 @@ using ZB.MOM.WW.MxGateway.Server.Metrics;
 namespace ZB.MOM.WW.MxGateway.Tests.Gateway;
 [Collection(HostBuildingCollection.Name)]
 public sealed class GatewayApplicationTests
 {
    /// <summary>Verifies that Build maps the live health check endpoint.</summary>
@@ -0,0 +1,21 @@
 namespace ZB.MOM.WW.MxGateway.Tests.Gateway;
 /// <summary>
 /// Groups every test that constructs a full gateway host via <c>GatewayApplication.Build</c> into a
 /// single, non-parallel xUnit collection.
 ///
 /// <para>
 /// The shared <c>ZB.MOM.WW.Telemetry.Serilog</c> bootstrap (<c>AddZbSerilog</c>) installs a global
 /// <see cref="global::Serilog.Log.Logger"/> bootstrap logger on each host build and freezes it during
 /// <c>builder.Build()</c>. That global is process-wide, so two host builds racing in parallel
 /// collections interleave on it and the loser throws "The logger is already frozen." Serializing the
 /// host-building tests (which is the only place a full host is built) removes the race without
 /// changing any production behaviour — the gateway process only ever builds one host.
 /// </para>
 /// </summary>
 [CollectionDefinition(Name, DisableParallelization = true)]
 public sealed class HostBuildingCollection
 {
    /// <summary>Collection name shared by every host-building test class.</summary>
    public const string Name = "Gateway host building";
 }
@@ -5,12 +5,14 @@ using Microsoft.Extensions.DependencyInjection;
 using ZB.MOM.WW.MxGateway.Server;
 using ZB.MOM.WW.MxGateway.Server.Configuration;
 using ZB.MOM.WW.MxGateway.Server.Security.Authentication;
 using ZB.MOM.WW.MxGateway.Tests.Gateway;
 namespace ZB.MOM.WW.MxGateway.Tests.Security.Authentication;
 /// <summary>
 /// Tests for <see cref="SqliteAuthStore"/>.
 /// </summary>
 [Collection(HostBuildingCollection.Name)]
 public sealed class SqliteAuthStoreTests : IDisposable
 {
    private readonly List<TempDatabaseDirectory> _tempDirectories = [];