feat(auditlog): body regex redaction with over-redaction safety net (#23 M5)

src/ScadaLink.AuditLog/Payload/DefaultAuditPayloadFilter.cs

@@ -1,7 +1,9 @@
+using System.Collections.Concurrent;
 using System.Text;
 using System.Text.Encodings.Web;
 using System.Text.Json;
 using System.Text.Json.Nodes;
+using System.Text.RegularExpressions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using ScadaLink.AuditLog.Configuration;
@@ -39,8 +41,10 @@ namespace ScadaLink.AuditLog.Payload;
 /// </para>
 /// <para>
 /// Stage order (each runs on every applicable field):
-/// header redaction → truncation. Bundle B will append body-regex and
-/// SQL-parameter stages after header redaction and before truncation.
+/// header redaction → body regex redaction → truncation. The SQL-parameter
+/// stage piggybacks on the body-redactor path; both run BEFORE truncation so
+/// the cap trims the redacted result, never bytes the redactor intended to
+/// hide.
 /// </para>
 /// </remarks>
 public sealed class DefaultAuditPayloadFilter : IAuditPayloadFilter
@@ -48,6 +52,16 @@ public sealed class DefaultAuditPayloadFilter : IAuditPayloadFilter
     private const string RedactedMarker = "<redacted>";
     private const string RedactorErrorMarker = "<redacted: redactor error>";
 
+    /// <summary>
+    /// Per-match regex timeout. Catastrophic-backtracking patterns trip a
+    /// <see cref="RegexMatchTimeoutException"/> when a single match takes
+    /// longer than this; the offending field is then over-redacted with
+    /// <see cref="RedactorErrorMarker"/> and the failure counter is bumped.
+    /// 50 ms is generous for normal patterns yet short enough that the
+    /// audit hot-path isn't held up by a misconfigured regex.
+    /// </summary>
+    private static readonly TimeSpan RegexMatchTimeout = TimeSpan.FromMilliseconds(50);
+
     /// <summary>
     /// JSON serializer options used to re-emit redacted summaries. The
     /// UnsafeRelaxedJsonEscaping encoder is required so the redaction marker
@@ -67,6 +81,17 @@ public sealed class DefaultAuditPayloadFilter : IAuditPayloadFilter
     private readonly ILogger<DefaultAuditPayloadFilter> _logger;
     private readonly IAuditRedactionFailureCounter _failureCounter;
 
+    /// <summary>
+    /// Compiled-regex cache keyed by pattern string. Lazy population: each
+    /// pattern is compiled on first use and cached forever (the entry's
+    /// <see cref="CompiledRegex"/> carries either the working <see cref="Regex"/>
+    /// or a sentinel marking the pattern as invalid so we don't retry the
+    /// failing compile on every call). ConcurrentDictionary is the right
+    /// thread-safety primitive here because the filter is a DI singleton
+    /// shared across the audit hot-path.
+    /// </summary>
+    private readonly ConcurrentDictionary<string, CompiledRegex> _regexCache = new();
+
     /// <summary>
     /// Primary constructor used by DI — pulls the optional redaction-failure
     /// counter from the container; a NoOp default is registered in
@@ -95,6 +120,20 @@ public sealed class DefaultAuditPayloadFilter : IAuditPayloadFilter
             var errorDetail = rawEvent.ErrorDetail;
             var extra = rawEvent.Extra;
 
+            // --- Body-regex stage (also runs BEFORE truncation) -----------
+            // Resolves the active regex set per event so per-target overrides
+            // bound to AuditEvent.Target are picked up; effectively a no-op
+            // when neither GlobalBodyRedactors nor the per-target additions
+            // are configured.
+            var bodyRegexes = ResolveBodyRegexes(opts, rawEvent.Target);
+            if (bodyRegexes.Count > 0)
+            {
+                request = RedactBody(request, bodyRegexes);
+                response = RedactBody(response, bodyRegexes);
+                errorDetail = RedactBody(errorDetail, bodyRegexes);
+                extra = RedactBody(extra, bodyRegexes);
+            }
+
             // --- Truncation stage -----------------------------------------
             var truncated = false;
             request = TruncateField(request, cap, ref truncated);
@@ -207,6 +246,125 @@ public sealed class DefaultAuditPayloadFilter : IAuditPayloadFilter
         }
     }
 
+    /// <summary>
+    /// Combine the global and per-target body-redactor lists for a single
+    /// event, returning the compiled-regex set to apply. Patterns that failed
+    /// compilation are silently skipped — the compile-time failure was logged
+    /// once on first encounter; we never let one bad pattern starve the rest.
+    /// </summary>
+    private IReadOnlyList<Regex> ResolveBodyRegexes(AuditLogOptions opts, string? target)
+    {
+        var hasGlobal = opts.GlobalBodyRedactors is { Count: > 0 };
+        var perTargetAdditions = (target != null
+            && opts.PerTargetOverrides.TryGetValue(target, out var over)
+            && over.AdditionalBodyRedactors is { Count: > 0 })
+            ? over.AdditionalBodyRedactors
+            : null;
+
+        if (!hasGlobal && perTargetAdditions == null)
+        {
+            return Array.Empty<Regex>();
+        }
+
+        var result = new List<Regex>();
+        if (hasGlobal)
+        {
+            foreach (var pattern in opts.GlobalBodyRedactors)
+            {
+                if (TryGetCompiledRegex(pattern, out var rx))
+                {
+                    result.Add(rx!);
+                }
+            }
+        }
+        if (perTargetAdditions != null)
+        {
+            foreach (var pattern in perTargetAdditions)
+            {
+                if (TryGetCompiledRegex(pattern, out var rx))
+                {
+                    result.Add(rx!);
+                }
+            }
+        }
+        return result;
+    }
+
+    /// <summary>
+    /// Resolve a compiled regex from the cache, compiling it on first use.
+    /// Returns <c>false</c> for patterns that are invalid OR whose compile
+    /// took longer than 100 ms (the spec calls catastrophic-backtracking
+    /// guesses at compile time "invalid"); the failure is logged once and
+    /// the sentinel cache entry prevents repeat compile attempts.
+    /// </summary>
+    private bool TryGetCompiledRegex(string pattern, out Regex? regex)
+    {
+        var entry = _regexCache.GetOrAdd(pattern, CompileRegex);
+        regex = entry.Regex;
+        return entry.Regex != null;
+    }
+
+    private CompiledRegex CompileRegex(string pattern)
+    {
+        try
+        {
+            var swStart = System.Diagnostics.Stopwatch.GetTimestamp();
+            var rx = new Regex(pattern, RegexOptions.Compiled, RegexMatchTimeout);
+            var elapsedMs = (System.Diagnostics.Stopwatch.GetTimestamp() - swStart)
+                * 1000d / System.Diagnostics.Stopwatch.Frequency;
+            if (elapsedMs > 100)
+            {
+                _logger.LogWarning(
+                    "Body redactor pattern compiled in {Elapsed}ms (> 100ms cap); rejecting '{Pattern}'",
+                    elapsedMs, pattern);
+                return CompiledRegex.Invalid;
+            }
+            return new CompiledRegex(rx);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(
+                ex,
+                "Body redactor pattern '{Pattern}' failed to compile; skipping",
+                pattern);
+            return CompiledRegex.Invalid;
+        }
+    }
+
+    /// <summary>
+    /// Apply each compiled body-redactor regex to <paramref name="value"/> in
+    /// turn, replacing every match with <see cref="RedactedMarker"/>. If any
+    /// single regex match throws (most commonly
+    /// <see cref="RegexMatchTimeoutException"/>) the field is over-redacted
+    /// with <see cref="RedactorErrorMarker"/> and the failure counter is
+    /// incremented — the user-facing action is never aborted.
+    /// </summary>
+    private string? RedactBody(string? value, IReadOnlyList<Regex> regexes)
+    {
+        if (value is null)
+        {
+            return null;
+        }
+        var current = value;
+        foreach (var rx in regexes)
+        {
+            try
+            {
+                current = rx.Replace(current, RedactedMarker);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogWarning(
+                    ex,
+                    "Body redactor '{Pattern}' faulted; over-redacting field with '{Marker}'",
+                    rx.ToString(), RedactorErrorMarker);
+                try { _failureCounter.Increment(); } catch { /* swallow per §7 */ }
+                return RedactorErrorMarker;
+            }
+        }
+        return current;
+    }
+
     private static string? TruncateField(string? value, int cap, ref bool truncated)
     {
         if (value is null)
@@ -251,4 +409,21 @@ public sealed class DefaultAuditPayloadFilter : IAuditPayloadFilter
         AuditStatus.Delivered or AuditStatus.Submitted or AuditStatus.Forwarded => false,
         _ => true,
     };
+
+    /// <summary>
+    /// Cache entry for a body-redactor pattern. Carries the working
+    /// <see cref="Regex"/> on the success path, or the
+    /// <see cref="Invalid"/> sentinel for patterns that failed to compile
+    /// (or exceeded the 100 ms compile budget). The sentinel lets us skip
+    /// repeat compile attempts on every event without re-throwing on the
+    /// hot-path.
+    /// </summary>
+    private readonly struct CompiledRegex
+    {
+        public static readonly CompiledRegex Invalid = new(null);
+
+        public Regex? Regex { get; }
+
+        public CompiledRegex(Regex? regex) => Regex = regex;
+    }
 }