feat(p7-05): fill signal & log stubs — SignalHandlerTests, ServerLoggerTests

- Add RemovePassFromTrace, RemoveAuthTokenFromTrace, RemoveSecretsFromTrace static methods to ServerLogging (mirrors removeSecretsFromTrace/redact in server/client.go); uses same regex patterns as Go source to redact only the first match's value with [REDACTED]. - Update ClientConnection.RemoveSecretsFromTrace stub to delegate to ServerLogging.RemoveSecretsFromTrace. - Add 2 unit tests to SignalHandlerTests (T:2919 invalid command, T:2920 invalid PID); mark 14 process-injection/subprocess tests as deferred ([Fact(Skip=…)]). - Create ServerLoggerTests with 3 test methods (T:2020, T:2021, T:2022) covering NoPasswordsFromConnectTrace, RemovePassFromTrace (8 theory cases), RemoveAuthTokenFromTrace (8 theory cases). - DB: 3 log tests → complete, 2 signal tests → complete, 14 signal tests → deferred. - All 663 unit tests pass (was 645), 14 deferred skipped.
2026-02-26 19:15:57 -05:00
parent 364329cc1e
commit 917cd33442
7 changed files with 327 additions and 6 deletions
--- a/dotnet/src/ZB.MOM.NatsNet.Server/ClientConnection.cs
+++ b/dotnet/src/ZB.MOM.NatsNet.Server/ClientConnection.cs
@@ -1139,7 +1139,8 @@ public sealed partial class ClientConnection
    internal void ProcessErr(string err)   { /* TODO session 09 */ }

    // features 442-443: removeSecretsFromTrace, redact
-    internal static string RemoveSecretsFromTrace(string s) => s;
+    // Delegates to ServerLogging.RemoveSecretsFromTrace (the real implementation lives there).
+    internal static string RemoveSecretsFromTrace(string s) => ServerLogging.RemoveSecretsFromTrace(s);
    internal static string Redact(string s) => s;

    // feature 444: computeRTT
--- a/dotnet/src/ZB.MOM.NatsNet.Server/Internal/NatsLogger.cs
+++ b/dotnet/src/ZB.MOM.NatsNet.Server/Internal/NatsLogger.cs
@@ -14,6 +14,7 @@
 // Adapted from server/log.go in the NATS server Go source.

 using System.Collections.Concurrent;
+using System.Text.RegularExpressions;
 using Microsoft.Extensions.Logging;

 namespace ZB.MOM.NatsNet.Server.Internal;
@@ -156,6 +157,53 @@ public sealed class ServerLogging
        var statement = string.Format(format, args);
        Warnf("{0}", statement);
    }
+
+    // ---- Trace sanitization ----
+    // Mirrors removeSecretsFromTrace / redact in server/client.go.
+    // passPat  = `"?\s*pass\S*?"?\s*[:=]\s*"?(([^",\r\n}])*)` — captures the value of any pass/password field.
+    // tokenPat = `"?\s*auth_token\S*?"?\s*[:=]\s*"?(([^",\r\n}])*)` — captures auth_token value.
+    // Only the FIRST match is redacted (mirrors the Go break-after-first-match behaviour).
+
+    // Go: "?\s*pass\S*?"?\s*[:=]\s*"?(([^",\r\n}])*)
+    private static readonly Regex s_passPattern = new(
+        @"""?\s*pass\S*?""?\s*[:=]\s*""?(([^"",\r\n}])*)",
+        RegexOptions.Compiled);
+
+    // Go: "?\s*auth_token\S*?"?\s*[:=]\s*"?(([^",\r\n}])*)
+    private static readonly Regex s_authTokenPattern = new(
+        @"""?\s*auth_token\S*?""?\s*[:=]\s*""?(([^"",\r\n}])*)",
+        RegexOptions.Compiled);
+
+    /// <summary>
+    /// Removes passwords from a protocol trace string.
+    /// Mirrors <c>removeSecretsFromTrace</c> in client.go (pass step).
+    /// Only the first occurrence is redacted.
+    /// </summary>
+    public static string RemovePassFromTrace(string s)
+        => RedactFirst(s_passPattern, s);
+
+    /// <summary>
+    /// Removes auth_token from a protocol trace string.
+    /// Mirrors <c>removeSecretsFromTrace</c> in client.go (auth_token step).
+    /// Only the first occurrence is redacted.
+    /// </summary>
+    public static string RemoveAuthTokenFromTrace(string s)
+        => RedactFirst(s_authTokenPattern, s);
+
+    /// <summary>
+    /// Removes both passwords and auth tokens from a protocol trace string.
+    /// Mirrors <c>removeSecretsFromTrace</c> in client.go.
+    /// </summary>
+    public static string RemoveSecretsFromTrace(string s)
+        => RemoveAuthTokenFromTrace(RemovePassFromTrace(s));
+
+    private static string RedactFirst(Regex pattern, string s)
+    {
+        var m = pattern.Match(s);
+        if (!m.Success) return s;
+        var cap = m.Groups[1]; // captured value substring
+        return string.Concat(s.AsSpan(0, cap.Index), "[REDACTED]", s.AsSpan(cap.Index + cap.Length));
+    }
 }

 /// <summary>
--- a/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Internal/ServerLoggerTests.cs
+++ b/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Internal/ServerLoggerTests.cs
@@ -0,0 +1,138 @@
+// Copyright 2012-2025 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Shouldly;
+using ZB.MOM.NatsNet.Server.Internal;
+
+namespace ZB.MOM.NatsNet.Server.Tests.Internal;
+
+/// <summary>
+/// Tests for server logging trace sanitization (RemovePassFromTrace, RemoveAuthTokenFromTrace).
+/// Mirrors server/log_test.go — TestNoPasswordsFromConnectTrace, TestRemovePassFromTrace,
+/// TestRemoveAuthTokenFromTrace.
+/// </summary>
+public class ServerLoggerTests
+{
+    // ---------------------------------------------------------------------------
+    // T:2020 — TestNoPasswordsFromConnectTrace
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Mirrors TestNoPasswordsFromConnectTrace.
+    /// Verifies that a CONNECT trace with a password or auth_token does not
+    /// expose the secret value after sanitization.
+    /// </summary>
+    [Fact] // T:2020
+    public void NoPasswordsFromConnectTrace_ShouldSucceed()
+    {
+        const string connectWithPass =
+            """CONNECT {"verbose":false,"pedantic":false,"user":"derek","pass":"s3cr3t","tls_required":false}""";
+        const string connectWithToken =
+            """CONNECT {"verbose":false,"auth_token":"secret-token","tls_required":false}""";
+
+        ServerLogging.RemovePassFromTrace(connectWithPass).ShouldNotContain("s3cr3t");
+        ServerLogging.RemoveAuthTokenFromTrace(connectWithToken).ShouldNotContain("secret-token");
+    }
+
+    // ---------------------------------------------------------------------------
+    // T:2021 — TestRemovePassFromTrace
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Mirrors TestRemovePassFromTrace — covers all test vectors from log_test.go.
+    /// Each case verifies that RemovePassFromTrace redacts the first pass/password value
+    /// with [REDACTED] while leaving other fields intact.
+    /// </summary>
+    [Theory] // T:2021
+    [InlineData(
+        "user and pass",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "user and pass extra space",
+        "CONNECT {\"user\":\"derek\",\"pass\":  \"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"pass\":  \"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "user and pass is empty",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "user and pass is empty whitespace",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"               \"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "only pass",
+        "CONNECT {\"pass\":\"s3cr3t\",}\r\n",
+        "CONNECT {\"pass\":\"[REDACTED]\",}\r\n")]
+    [InlineData(
+        "complete connect",
+        "CONNECT {\"echo\":true,\"verbose\":false,\"pedantic\":false,\"user\":\"foo\",\"pass\":\"s3cr3t\",\"tls_required\":false,\"name\":\"APM7JU94z77YzP6WTBEiuw\"}\r\n",
+        "CONNECT {\"echo\":true,\"verbose\":false,\"pedantic\":false,\"user\":\"foo\",\"pass\":\"[REDACTED]\",\"tls_required\":false,\"name\":\"APM7JU94z77YzP6WTBEiuw\"}\r\n")]
+    [InlineData(
+        "user and pass are filtered",
+        "CONNECT {\"user\":\"s3cr3t\",\"pass\":\"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"s3cr3t\",\"pass\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "single long password",
+        "CONNECT {\"pass\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"}\r\n",
+        "CONNECT {\"pass\":\"[REDACTED]\"}\r\n")]
+    public void RemovePassFromTrace_ShouldSucceed(string name, string input, string expected)
+    {
+        _ = name; // used for test display only
+        ServerLogging.RemovePassFromTrace(input).ShouldBe(expected);
+    }
+
+    // ---------------------------------------------------------------------------
+    // T:2022 — TestRemoveAuthTokenFromTrace
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Mirrors TestRemoveAuthTokenFromTrace — covers representative test vectors
+    /// from log_test.go.  Each case verifies that RemoveAuthTokenFromTrace redacts
+    /// the first auth_token value with [REDACTED].
+    /// </summary>
+    [Theory] // T:2022
+    [InlineData(
+        "user and auth_token",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":\"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "user and auth_token extra space",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":  \"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":  \"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "user and auth_token is empty",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":\"\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "only auth_token",
+        "CONNECT {\"auth_token\":\"s3cr3t\",}\r\n",
+        "CONNECT {\"auth_token\":\"[REDACTED]\",}\r\n")]
+    [InlineData(
+        "complete connect",
+        "CONNECT {\"echo\":true,\"verbose\":false,\"pedantic\":false,\"auth_token\":\"s3cr3t\",\"tls_required\":false,\"name\":\"APM7JU94z77YzP6WTBEiuw\"}\r\n",
+        "CONNECT {\"echo\":true,\"verbose\":false,\"pedantic\":false,\"auth_token\":\"[REDACTED]\",\"tls_required\":false,\"name\":\"APM7JU94z77YzP6WTBEiuw\"}\r\n")]
+    [InlineData(
+        "user and token are filtered",
+        "CONNECT {\"user\":\"s3cr3t\",\"auth_token\":\"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"s3cr3t\",\"auth_token\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "single long token",
+        "CONNECT {\"auth_token\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"}\r\n",
+        "CONNECT {\"auth_token\":\"[REDACTED]\"}\r\n")]
+    public void RemoveAuthTokenFromTrace_ShouldSucceed(string name, string input, string expected)
+    {
+        _ = name; // used for test display only
+        ServerLogging.RemoveAuthTokenFromTrace(input).ShouldBe(expected);
+    }
+}
--- a/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Internal/SignalHandlerTests.cs
+++ b/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Internal/SignalHandlerTests.cs
@@ -67,4 +67,100 @@ public class SignalHandlerTests
        var err = SignalHandler.ProcessSignal(ServerCommand.Stop, "not-a-pid");
        err.ShouldNotBeNull();
    }
+
+    // ---------------------------------------------------------------------------
+    // Tests ported from server/signal_test.go
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Mirrors TestProcessSignalInvalidCommand.
+    /// An out-of-range ServerCommand enum value is treated as an unknown signal
+    /// and ProcessSignal returns a non-null error.
+    /// </summary>
+    [Fact] // T:2919
+    public void ProcessSignalInvalidCommand_ShouldSucceed()
+    {
+        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            return; // Skip on Windows
+
+        var err = SignalHandler.ProcessSignal((ServerCommand)99, "123");
+        err.ShouldNotBeNull();
+    }
+
+    /// <summary>
+    /// Mirrors TestProcessSignalInvalidPid.
+    /// A non-numeric PID string returns an error containing "invalid pid".
+    /// </summary>
+    [Fact] // T:2920
+    public void ProcessSignalInvalidPid_ShouldSucceed()
+    {
+        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            return; // Skip on Windows
+
+        var err = SignalHandler.ProcessSignal(ServerCommand.Stop, "abc");
+        err.ShouldNotBeNull();
+        err!.Message.ShouldContain("invalid pid");
+    }
+
+    // ---------------------------------------------------------------------------
+    // Deferred signal tests — require pgrep/kill injection or real OS process spawning.
+    // These cannot be unit-tested without refactoring SignalHandler to accept
+    // injectable pgrep/kill delegates (as the Go source does).
+    // ---------------------------------------------------------------------------
+
+    /// <summary>Mirrors TestProcessSignalMultipleProcesses — deferred: requires pgrep injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep/kill injection")] // T:2913
+    public void ProcessSignalMultipleProcesses_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalMultipleProcessesGlob — deferred: requires pgrep injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep/kill injection")] // T:2914
+    public void ProcessSignalMultipleProcessesGlob_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalMultipleProcessesGlobPartial — deferred: requires pgrep injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep/kill injection")] // T:2915
+    public void ProcessSignalMultipleProcessesGlobPartial_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalPgrepError — deferred: requires pgrep injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep injection")] // T:2916
+    public void ProcessSignalPgrepError_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalPgrepMangled — deferred: requires pgrep injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep injection")] // T:2917
+    public void ProcessSignalPgrepMangled_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalResolveSingleProcess — deferred: requires pgrep and kill injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep/kill injection")] // T:2918
+    public void ProcessSignalResolveSingleProcess_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalQuitProcess — deferred: requires kill injection.</summary>
+    [Fact(Skip = "deferred: requires kill injection")] // T:2921
+    public void ProcessSignalQuitProcess_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalTermProcess — deferred: requires kill injection and commandTerm equivalent.</summary>
+    [Fact(Skip = "deferred: requires kill injection")] // T:2922
+    public void ProcessSignalTermProcess_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalReopenProcess — deferred: requires kill injection.</summary>
+    [Fact(Skip = "deferred: requires kill injection")] // T:2923
+    public void ProcessSignalReopenProcess_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalReloadProcess — deferred: requires kill injection.</summary>
+    [Fact(Skip = "deferred: requires kill injection")] // T:2924
+    public void ProcessSignalReloadProcess_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalLameDuckMode — deferred: requires kill injection and commandLDMode equivalent.</summary>
+    [Fact(Skip = "deferred: requires kill injection")] // T:2925
+    public void ProcessSignalLameDuckMode_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalTermDuringLameDuckMode — deferred: requires full server (RunServer) and real OS signal.</summary>
+    [Fact(Skip = "deferred: requires RunServer and real OS SIGTERM")] // T:2926
+    public void ProcessSignalTermDuringLameDuckMode_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestSignalInterruptHasSuccessfulExit — deferred: requires spawning a subprocess to test exit code on SIGINT.</summary>
+    [Fact(Skip = "deferred: requires subprocess process spawning")] // T:2927
+    public void SignalInterruptHasSuccessfulExit_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestSignalTermHasSuccessfulExit — deferred: requires spawning a subprocess to test exit code on SIGTERM.</summary>
+    [Fact(Skip = "deferred: requires subprocess process spawning")] // T:2928
+    public void SignalTermHasSuccessfulExit_ShouldSucceed() { }
 }
--- a/porting.db
+++ b/porting.db
--- a/reports/current.md
+++ b/reports/current.md
@@ -1,6 +1,6 @@
 # NATS .NET Porting Status Report

-Generated: 2026-02-27 00:07:45 UTC
+Generated: 2026-02-27 00:15:57 UTC

 ## Modules (12 total)

@@ -21,11 +21,10 @@ Generated: 2026-02-27 00:07:45 UTC

 | Status | Count |
 |--------|-------|
-| complete | 209 |
-| deferred | 201 |
+| complete | 214 |
+| deferred | 215 |
 | n_a | 187 |
 | not_started | 2527 |
-| stub | 19 |
 | verified | 114 |

 ## Library Mappings (36 total)
@@ -37,4 +36,4 @@ Generated: 2026-02-27 00:07:45 UTC

 ## Overall Progress

-**4194/6942 items complete (60.4%)**
+**4199/6942 items complete (60.5%)**
--- a/reports/report_364329c.md
+++ b/reports/report_364329c.md
@@ -0,0 +1,39 @@
+# NATS .NET Porting Status Report
+
+Generated: 2026-02-27 00:15:57 UTC
+
+## Modules (12 total)
+
+| Status | Count |
+|--------|-------|
+| not_started | 1 |
+| verified | 11 |
+
+## Features (3673 total)
+
+| Status | Count |
+|--------|-------|
+| complete | 3368 |
+| n_a | 26 |
+| verified | 279 |
+
+## Unit Tests (3257 total)
+
+| Status | Count |
+|--------|-------|
+| complete | 214 |
+| deferred | 215 |
+| n_a | 187 |
+| not_started | 2527 |
+| verified | 114 |
+
+## Library Mappings (36 total)
+
+| Status | Count |
+|--------|-------|
+| mapped | 36 |
+
+
+## Overall Progress
+
+**4199/6942 items complete (60.5%)**