mxaccessgw/src/MxGateway.Tests/Diagnostics/GatewayLogRedactorTests.cs

using MxGateway.Server.Diagnostics;

namespace MxGateway.Tests.Diagnostics;

public sealed class GatewayLogRedactorTests
{
    [Fact]
    public void RedactApiKey_PreservesKeyIdAndRemovesSecret()
    {
        string? redacted = GatewayLogRedactor.RedactApiKey("Bearer mxgw_operator01_super-secret");

        Assert.Equal("Bearer mxgw_operator01_[redacted]", redacted);
        Assert.DoesNotContain("super-secret", redacted);
    }

    [Fact]
    public void RedactApiKey_RemovesSecretContainingUnderscores()
    {
        string? redacted = GatewayLogRedactor.RedactApiKey("Bearer mxgw_operator01_super_secret_value");

        Assert.Equal("Bearer mxgw_operator01_[redacted]", redacted);
        Assert.DoesNotContain("super_secret_value", redacted);
    }

    [Theory]
    [InlineData("AuthenticateUser")]
    [InlineData("WriteSecured")]
    [InlineData("WriteSecured2")]
    public void IsCredentialBearingCommand_IdentifiesSensitiveMxAccessCommands(string commandMethod)
    {
        Assert.True(GatewayLogRedactor.IsCredentialBearingCommand(commandMethod));
    }

    [Fact]
    public void RedactCommandValue_DoesNotLogRawValuesByDefault()
    {
        object? redacted = GatewayLogRedactor.RedactCommandValue("Write", "plaintext-tag-value");

        Assert.Equal("[redacted]", redacted);
    }

    [Fact]
    public void RedactCommandValue_RedactsSecuredWriteEvenWhenValueLoggingIsEnabled()
    {
        object? redacted = GatewayLogRedactor.RedactCommandValue(
            "WriteSecured",
            "credential-bearing-value",
            valueLoggingEnabled: true);

        Assert.Equal("[redacted]", redacted);
    }

    [Fact]
    public void RedactCommandValue_AllowsNonSensitiveValueOnlyWhenValueLoggingIsEnabled()
    {
        object? redacted = GatewayLogRedactor.RedactCommandValue(
            "Write",
            "diagnostic-value",
            valueLoggingEnabled: true);

        Assert.Equal("diagnostic-value", redacted);
    }

    [Fact]
    public void LogScope_RedactsClientIdentityBeforeScopeStateIsCreated()
    {
        GatewayLogScope scope = new(
            SessionId: "session-1",
            WorkerProcessId: 1234,
            CorrelationId: 99,
            CommandMethod: "AuthenticateUser",
            ClientIdentity: "Bearer mxgw_admin_secret");

        IReadOnlyDictionary<string, object?> values = scope.ToDictionary();

        Assert.Equal("session-1", values["SessionId"]);
        Assert.Equal(1234, values["WorkerProcessId"]);
        Assert.Equal((ulong)99, values["CorrelationId"]);
        Assert.Equal("AuthenticateUser", values["CommandMethod"]);
        Assert.Equal("Bearer mxgw_admin_[redacted]", values["ClientIdentity"]);
    }
}