Joseph Doherty
101 lines
3.2 KiB
C#
101 lines
3.2 KiB
C#
namespace MxGateway.Server.Diagnostics;
|
|
|
|
/// <summary>
|
|
/// Redacts sensitive information from log entries.
|
|
/// </summary>
|
|
public static class GatewayLogRedactor
|
|
{
|
|
/// <summary>Placeholder for redacted values.</summary>
|
|
public const string RedactedValue = "[redacted]";
|
|
|
|
private static readonly HashSet<string> SensitiveCommandMethods = new(StringComparer.OrdinalIgnoreCase)
|
|
{
|
|
"AuthenticateUser",
|
|
"WriteSecured",
|
|
"WriteSecured2"
|
|
};
|
|
|
|
/// <summary>
|
|
/// Determines whether a command method bears credentials.
|
|
/// </summary>
|
|
/// <param name="commandMethod">The command method name to check.</param>
|
|
public static bool IsCredentialBearingCommand(string? commandMethod)
|
|
{
|
|
return commandMethod is not null
|
|
&& SensitiveCommandMethods.Contains(commandMethod);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Redacts the API key secret portion of a Bearer authorization header.
|
|
/// </summary>
|
|
/// <param name="authorizationHeader">The authorization header value to redact.</param>
|
|
public static string? RedactApiKey(string? authorizationHeader)
|
|
{
|
|
if (string.IsNullOrWhiteSpace(authorizationHeader))
|
|
{
|
|
return authorizationHeader;
|
|
}
|
|
|
|
const string bearerPrefix = "Bearer ";
|
|
if (!authorizationHeader.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
|
|
{
|
|
return RedactedValue;
|
|
}
|
|
|
|
string token = authorizationHeader[bearerPrefix.Length..].Trim();
|
|
|
|
if (!token.StartsWith("mxgw_", StringComparison.OrdinalIgnoreCase))
|
|
{
|
|
return $"{bearerPrefix}{RedactedValue}";
|
|
}
|
|
|
|
string[] tokenParts = token.Split('_', 3, StringSplitOptions.RemoveEmptyEntries);
|
|
if (tokenParts.Length < 2)
|
|
{
|
|
return $"{bearerPrefix}mxgw_{RedactedValue}";
|
|
}
|
|
|
|
return $"{bearerPrefix}mxgw_{tokenParts[1]}_{RedactedValue}";
|
|
}
|
|
|
|
/// <summary>
|
|
/// Redacts the client identity if it contains an API key.
|
|
/// </summary>
|
|
/// <param name="clientIdentity">The client identity string to redact.</param>
|
|
public static string? RedactClientIdentity(string? clientIdentity)
|
|
{
|
|
if (string.IsNullOrWhiteSpace(clientIdentity))
|
|
{
|
|
return clientIdentity;
|
|
}
|
|
|
|
return clientIdentity.Contains("mxgw_", StringComparison.OrdinalIgnoreCase)
|
|
? RedactApiKey(clientIdentity)
|
|
: clientIdentity;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Redacts a command value if it contains credentials or value logging is disabled.
|
|
/// </summary>
|
|
/// <param name="commandMethod">The command method name to check for credentials.</param>
|
|
/// <param name="value">The command value to redact.</param>
|
|
/// <param name="valueLoggingEnabled">Whether value logging is enabled.</param>
|
|
public static object? RedactCommandValue(
|
|
string? commandMethod,
|
|
object? value,
|
|
bool valueLoggingEnabled = false)
|
|
{
|
|
if (value is null)
|
|
{
|
|
return null;
|
|
}
|
|
|
|
if (!valueLoggingEnabled || IsCredentialBearingCommand(commandMethod))
|
|
{
|
|
return RedactedValue;
|
|
}
|
|
|
|
return value;
|
|
}
|
|
}
|