feat(audit): redactor + writer helpers (Null/Truncating/NoOp/Composite/Redacting)

Code-review fixes: CompositeAuditWriter re-throws OperationCanceledException (honors cancellation) + evt null-guard; RedactingAuditWriter evt null-guard; added marker-longer-than-max and cancellation-propagation regression tests.
2026-06-01 07:28:13 -04:00
parent 3934e528f2
commit 453ec7358d
11 changed files with 283 additions and 0 deletions
@@ -0,0 +1,28 @@
+namespace ZB.MOM.WW.Audit;
+
+/// <summary>Fans an event out to several writers. Best-effort: a failing writer does not stop the others.</summary>
+/// <remarks>A failing writer's exception is swallowed so the fan-out drains and the caller is never
+/// aborted — but <see cref="OperationCanceledException"/> is re-thrown so cancellation is honored.</remarks>
+public sealed class CompositeAuditWriter : IAuditWriter
+{
+    private readonly IReadOnlyList<IAuditWriter> _inner;
+
+    /// <summary>Creates a composite over the given writers.</summary>
+    public CompositeAuditWriter(IEnumerable<IAuditWriter> inner)
+    {
+        ArgumentNullException.ThrowIfNull(inner);
+        _inner = inner.ToArray();
+    }
+
+    /// <inheritdoc />
+    public async Task WriteAsync(AuditEvent evt, CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(evt);
+        foreach (var writer in _inner)
+        {
+            try { await writer.WriteAsync(evt, ct).ConfigureAwait(false); }
+            catch (OperationCanceledException) { throw; } // honor cancellation; do not swallow
+            catch { /* best-effort seam: a failing writer must not stop the others or the caller */ }
+        }
+    }
+}
@@ -0,0 +1,12 @@
+namespace ZB.MOM.WW.Audit;
+
+/// <summary>Writer that discards events. Default when audit is disabled, and useful in tests.</summary>
+public sealed class NoOpAuditWriter : IAuditWriter
+{
+    /// <summary>Shared singleton instance.</summary>
+    public static readonly NoOpAuditWriter Instance = new();
+    private NoOpAuditWriter() { }
+
+    /// <inheritdoc />
+    public Task WriteAsync(AuditEvent evt, CancellationToken ct = default) => Task.CompletedTask;
+}
@@ -0,0 +1,12 @@
+namespace ZB.MOM.WW.Audit;
+
+/// <summary>Identity redactor — returns the event unchanged. The default when no policy is configured.</summary>
+public sealed class NullAuditRedactor : IAuditRedactor
+{
+    /// <summary>Shared singleton instance.</summary>
+    public static readonly NullAuditRedactor Instance = new();
+    private NullAuditRedactor() { }
+
+    /// <inheritdoc />
+    public AuditEvent Apply(AuditEvent rawEvent) => rawEvent;
+}
@@ -0,0 +1,24 @@
+namespace ZB.MOM.WW.Audit;
+
+/// <summary>Decorator: applies an <see cref="IAuditRedactor"/>, then delegates to an inner <see cref="IAuditWriter"/>.</summary>
+public sealed class RedactingAuditWriter : IAuditWriter
+{
+    private readonly IAuditRedactor _redactor;
+    private readonly IAuditWriter _inner;
+
+    /// <summary>Creates the decorator around <paramref name="inner"/> using <paramref name="redactor"/>.</summary>
+    public RedactingAuditWriter(IAuditRedactor redactor, IAuditWriter inner)
+    {
+        ArgumentNullException.ThrowIfNull(redactor);
+        ArgumentNullException.ThrowIfNull(inner);
+        _redactor = redactor;
+        _inner = inner;
+    }
+
+    /// <inheritdoc />
+    public Task WriteAsync(AuditEvent evt, CancellationToken ct = default)
+    {
+        ArgumentNullException.ThrowIfNull(evt);
+        return _inner.WriteAsync(_redactor.Apply(evt), ct);
+    }
+}
@@ -0,0 +1,41 @@
+namespace ZB.MOM.WW.Audit;
+
+/// <summary>
+/// Redactor that caps oversized <see cref="AuditEvent.DetailsJson"/> and <see cref="AuditEvent.Target"/>.
+/// Never throws — over-redacts (drops DetailsJson) on internal failure. The secret-field policy
+/// (which fields are sensitive) stays per-project; compose this with a project redactor as needed.
+/// </summary>
+public sealed class TruncatingAuditRedactor : IAuditRedactor
+{
+    private readonly TruncatingAuditRedactorOptions _options;
+
+    /// <summary>Creates the redactor with the given options (defaults when null).</summary>
+    public TruncatingAuditRedactor(TruncatingAuditRedactorOptions? options = null)
+        => _options = options ?? new TruncatingAuditRedactorOptions();
+
+    /// <inheritdoc />
+    public AuditEvent Apply(AuditEvent rawEvent)
+    {
+        try
+        {
+            return rawEvent with
+            {
+                Target = Truncate(rawEvent.Target, _options.MaxTargetLength),
+                DetailsJson = Truncate(rawEvent.DetailsJson, _options.MaxDetailsJsonLength),
+            };
+        }
+        catch
+        {
+            // Hard contract: never throw. Over-redact on internal failure.
+            return rawEvent with { DetailsJson = null };
+        }
+    }
+
+    private string? Truncate(string? value, int max)
+    {
+        if (value is null || value.Length <= max) return value;
+        var marker = _options.TruncationMarker;
+        if (marker.Length >= max) return marker[..max];
+        return string.Concat(value.AsSpan(0, max - marker.Length), marker);
+    }
+}
@@ -0,0 +1,12 @@
+namespace ZB.MOM.WW.Audit;
+
+/// <summary>Caps for <see cref="TruncatingAuditRedactor"/>.</summary>
+public sealed class TruncatingAuditRedactorOptions
+{
+    /// <summary>Max length of <see cref="AuditEvent.DetailsJson"/> before truncation. Default 4096.</summary>
+    public int MaxDetailsJsonLength { get; set; } = 4096;
+    /// <summary>Max length of <see cref="AuditEvent.Target"/> before truncation. Default 512.</summary>
+    public int MaxTargetLength { get; set; } = 512;
+    /// <summary>Marker appended to a truncated value. Default "…[truncated]".</summary>
+    public string TruncationMarker { get; set; } = "…[truncated]";
+}