Joseph Doherty
544a6ddb77
Resolves the 35 findings from the 2026-06-01 baseline (commit 26ba1c7),
test-first for every behavioral change. +51 tests (331 -> 382 passing, 0 failed).
- Telemetry-001 (HIGH): RedactionEnricher now honours property removal, so a
redactor that drops a key actually scrubs the secret from the event.
- Auth: LDAP validator ValidateOnStart; API-key verify no longer fails on a
best-effort MarkUsed write or a corrupt scopes column (fail-closed); LDAP cert
validation hook; KeyPrefix persistence aligned; README algorithm corrected.
- Health: Akka checks return Degraded (not throw) when the cluster isn't up yet;
GrpcDependencyHealthCheck catch-all; null 'description' rendered; composite
endpoint builder; XML docs shipped.
- Audit: CompositeAuditWriter no longer re-throws OperationCanceledException;
TruncatingAuditRedactor over-redact scrubs Target + safe negative max; options
record; XML docs shipped.
- Configuration: TryAddEnumerable idempotent registration; consistent port
quoting; strict invariant port parsing; XML docs + README packaged.
- Theme: mobile toggle is now CSS-only (no Bootstrap JS); token/CSS hygiene;
XML docs on the public parameter surface.
Shared-contract/spec docs updated where the code was the source of truth
(observability service.instance.id, MapZbMetrics, redactor reach). All changes
additive/back-compatible at v0.1.0. code-reviews bookkeeping follows separately.
317 lines
13 KiB
C#
317 lines
13 KiB
C#
using Microsoft.Extensions.Configuration;
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
using Microsoft.Extensions.Hosting;
|
|
using Serilog;
|
|
using Serilog.Core;
|
|
using Serilog.Events;
|
|
using Serilog.Sinks.InMemory;
|
|
using ZB.MOM.WW.Telemetry;
|
|
using ZB.MOM.WW.Telemetry.Serilog;
|
|
|
|
namespace ZB.MOM.WW.Telemetry.Serilog.Tests;
|
|
|
|
public sealed class RedactionTests
|
|
{
|
|
private const string Masked = "***";
|
|
|
|
private sealed class FakeRedactor : ILogRedactor
|
|
{
|
|
public void Redact(IDictionary<string, object?> properties)
|
|
{
|
|
if (properties.ContainsKey("apiKey"))
|
|
{
|
|
properties["apiKey"] = Masked;
|
|
}
|
|
}
|
|
}
|
|
|
|
private sealed class RemovingRedactor : ILogRedactor
|
|
{
|
|
private readonly string _key;
|
|
|
|
public RemovingRedactor(string key) => _key = key;
|
|
|
|
public void Redact(IDictionary<string, object?> properties) => properties.Remove(_key);
|
|
}
|
|
|
|
private sealed class StructuredFieldRedactor : ILogRedactor
|
|
{
|
|
// Attempts to mask a nested field of a destructured ({@Object}) property by mutating the
|
|
// value the seam exposes. Documents that the seam reaches scalar top-level properties only.
|
|
public void Redact(IDictionary<string, object?> properties)
|
|
{
|
|
if (properties.TryGetValue("command", out var value) && value is StructureValue)
|
|
{
|
|
// The seam exposes the raw StructureValue wrapper, not a mutable dictionary of the
|
|
// object's fields, so a project redactor cannot reach inside to mask a nested field.
|
|
properties["command"] = Masked;
|
|
}
|
|
}
|
|
}
|
|
|
|
private static string? ScalarOrNull(LogEvent logEvent, string propertyName) =>
|
|
logEvent.Properties.TryGetValue(propertyName, out var value) && value is ScalarValue scalar
|
|
? scalar.Value?.ToString()
|
|
: null;
|
|
|
|
[Fact]
|
|
public void Registered_redactor_masks_sensitive_property()
|
|
{
|
|
var serviceProvider = new ServiceCollection()
|
|
.AddSingleton<ILogRedactor>(new FakeRedactor())
|
|
.BuildServiceProvider();
|
|
|
|
var sink = new InMemorySink();
|
|
var options = new ZbTelemetryOptions { ServiceName = "mxgateway" };
|
|
|
|
var loggerConfig = new LoggerConfiguration();
|
|
ZbSerilogConfig.Apply(loggerConfig, options, serviceProvider);
|
|
using Logger logger = loggerConfig.WriteTo.Sink(sink).CreateLogger();
|
|
|
|
logger.Information("authenticating {apiKey}", "mxgw_secret");
|
|
|
|
var logEvent = Assert.Single(sink.LogEvents);
|
|
Assert.Equal(Masked, ScalarOrNull(logEvent, "apiKey"));
|
|
}
|
|
|
|
[Fact]
|
|
public void No_redactor_registered_is_a_no_op()
|
|
{
|
|
var serviceProvider = new ServiceCollection().BuildServiceProvider();
|
|
|
|
var sink = new InMemorySink();
|
|
var options = new ZbTelemetryOptions { ServiceName = "mxgateway" };
|
|
|
|
var loggerConfig = new LoggerConfiguration();
|
|
ZbSerilogConfig.Apply(loggerConfig, options, serviceProvider);
|
|
using Logger logger = loggerConfig.WriteTo.Sink(sink).CreateLogger();
|
|
|
|
logger.Information("authenticating {apiKey}", "mxgw_secret");
|
|
|
|
var logEvent = Assert.Single(sink.LogEvents);
|
|
Assert.Equal("mxgw_secret", ScalarOrNull(logEvent, "apiKey"));
|
|
}
|
|
|
|
/// <summary>
|
|
/// Telemetry-001: a redactor that REMOVES a key (the most natural way to implement "must not
|
|
/// leave the process") must result in the property being absent from the emitted event, not
|
|
/// silently retained.
|
|
/// </summary>
|
|
[Fact]
|
|
public void Removing_redactor_scrubs_the_property_from_the_event()
|
|
{
|
|
var serviceProvider = new ServiceCollection()
|
|
.AddSingleton<ILogRedactor>(new RemovingRedactor("apiKey"))
|
|
.BuildServiceProvider();
|
|
|
|
var sink = new InMemorySink();
|
|
var options = new ZbTelemetryOptions { ServiceName = "mxgateway" };
|
|
|
|
var loggerConfig = new LoggerConfiguration();
|
|
ZbSerilogConfig.Apply(loggerConfig, options, serviceProvider);
|
|
using Logger logger = loggerConfig.WriteTo.Sink(sink).CreateLogger();
|
|
|
|
logger.Information("authenticating {apiKey} for {user}", "mxgw_secret", "alice");
|
|
|
|
var logEvent = Assert.Single(sink.LogEvents);
|
|
Assert.False(
|
|
logEvent.Properties.ContainsKey("apiKey"),
|
|
"apiKey must be removed from the event when the redactor removes the key");
|
|
// A non-sensitive property the redactor left alone must survive.
|
|
Assert.Equal("alice", ScalarOrNull(logEvent, "user"));
|
|
}
|
|
|
|
/// <summary>
|
|
/// Telemetry-002/003: the redaction seam reaches scalar top-level properties only. A
|
|
/// destructured ({@Object}) property is exposed to the redactor as the raw Serilog
|
|
/// <see cref="StructureValue"/> wrapper, so a project redactor cannot mask a field nested
|
|
/// inside the object — it can only replace/remove the whole top-level property. This test
|
|
/// pins that documented limitation (see ILogRedactor XML doc and the shared contract).
|
|
/// </summary>
|
|
[Fact]
|
|
public void Redactor_cannot_reach_a_field_inside_a_destructured_object()
|
|
{
|
|
var serviceProvider = new ServiceCollection()
|
|
.AddSingleton<ILogRedactor>(new StructuredFieldRedactor())
|
|
.BuildServiceProvider();
|
|
|
|
var sink = new InMemorySink();
|
|
var options = new ZbTelemetryOptions { ServiceName = "mxgateway" };
|
|
|
|
var loggerConfig = new LoggerConfiguration();
|
|
ZbSerilogConfig.Apply(loggerConfig, options, serviceProvider);
|
|
using Logger logger = loggerConfig.WriteTo.Sink(sink).CreateLogger();
|
|
|
|
var command = new { Name = "Write", ApiKey = "mxgw_secret" };
|
|
logger.Information("dispatching {@command}", command);
|
|
|
|
var logEvent = Assert.Single(sink.LogEvents);
|
|
Assert.True(logEvent.Properties.TryGetValue("command", out var value));
|
|
|
|
// The property was destructured into a StructureValue and exposed to the redactor as that
|
|
// wrapper. The redactor recognized it and replaced the whole top-level property with the
|
|
// mask — confirming the seam can only act at top-level granularity for structured values.
|
|
Assert.Equal(Masked, (value as ScalarValue)?.Value?.ToString());
|
|
}
|
|
|
|
[Fact]
|
|
public void AddZbSerilog_with_otlp_options_builds_without_error()
|
|
{
|
|
var builder = Host.CreateApplicationBuilder();
|
|
|
|
builder.AddZbSerilog(o =>
|
|
{
|
|
o.ServiceName = "mxgateway";
|
|
o.SiteId = "s1";
|
|
o.NodeRole = "central";
|
|
o.Exporter = ZbExporter.Otlp;
|
|
o.OtlpEndpoint = "http://localhost:4317";
|
|
});
|
|
|
|
using var host = builder.Build();
|
|
|
|
// Serilog.ILogger is registered by AddSerilog — not Microsoft.Extensions.Logging.ILogger.
|
|
var logger = host.Services.GetRequiredService<ILogger>();
|
|
logger.Information("otlp wiring smoke test");
|
|
}
|
|
|
|
[Fact]
|
|
public void BuildResourceAttributes_contains_required_keys_and_optional_keys_when_set()
|
|
{
|
|
var options = new ZbTelemetryOptions
|
|
{
|
|
ServiceName = "mxgateway",
|
|
ServiceNamespace = "ZB.MOM.WW",
|
|
SiteId = "site-a",
|
|
NodeRole = "central",
|
|
};
|
|
|
|
var attributes = ZbSerilogConfig.BuildResourceAttributes(options);
|
|
|
|
// Required keys always present.
|
|
Assert.True(attributes.ContainsKey("service.name"), "service.name must be present");
|
|
Assert.True(attributes.ContainsKey("service.namespace"), "service.namespace must be present");
|
|
Assert.True(attributes.ContainsKey("host.name"), "host.name must be present");
|
|
|
|
// service.instance.id must be present and match ZbResource.InstanceId (parity with OTel SDK path).
|
|
Assert.True(attributes.ContainsKey("service.instance.id"), "service.instance.id must be present");
|
|
Assert.Equal(ZbResource.InstanceId, attributes["service.instance.id"]);
|
|
|
|
// Optional keys present when options supply them.
|
|
Assert.True(attributes.ContainsKey("site.id"), "site.id must be present when SiteId is set");
|
|
Assert.True(attributes.ContainsKey("node.role"), "node.role must be present when NodeRole is set");
|
|
|
|
Assert.Equal("mxgateway", attributes["service.name"]);
|
|
Assert.Equal("ZB.MOM.WW", attributes["service.namespace"]);
|
|
Assert.Equal(Environment.MachineName, attributes["host.name"]);
|
|
Assert.Equal("site-a", attributes["site.id"]);
|
|
Assert.Equal("central", attributes["node.role"]);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Telemetry-005: the Serilog OTLP log-sink attribute map and the OTel SDK metrics/traces
|
|
/// attribute map must be key-for-key and value-for-value identical, because both now derive from
|
|
/// the single <see cref="ZbResource.BuildAttributes"/> source of truth. This pins that they
|
|
/// cannot silently drift apart.
|
|
/// </summary>
|
|
[Fact]
|
|
public void Serilog_and_OTel_resource_attribute_sets_are_identical()
|
|
{
|
|
var options = new ZbTelemetryOptions
|
|
{
|
|
ServiceName = "mxgateway",
|
|
ServiceNamespace = "ZB.MOM.WW",
|
|
ServiceVersion = "9.9.9",
|
|
SiteId = "site-z",
|
|
NodeRole = "hub",
|
|
};
|
|
|
|
var serilogAttributes = ZbSerilogConfig.BuildResourceAttributes(options);
|
|
var canonical = ZbResource.BuildAttributes(options);
|
|
|
|
Assert.Equal(
|
|
canonical.OrderBy(kvp => kvp.Key, StringComparer.Ordinal),
|
|
serilogAttributes.OrderBy(kvp => kvp.Key, StringComparer.Ordinal));
|
|
}
|
|
|
|
[Fact]
|
|
public void BuildResourceAttributes_omits_optional_keys_when_not_set()
|
|
{
|
|
var options = new ZbTelemetryOptions
|
|
{
|
|
ServiceName = "mxgateway",
|
|
SiteId = null,
|
|
NodeRole = null,
|
|
};
|
|
|
|
var attributes = ZbSerilogConfig.BuildResourceAttributes(options);
|
|
|
|
Assert.False(attributes.ContainsKey("site.id"), "site.id must be absent when SiteId is null");
|
|
Assert.False(attributes.ContainsKey("node.role"), "node.role must be absent when NodeRole is null");
|
|
// service.instance.id is always present regardless of optional fields.
|
|
Assert.True(attributes.ContainsKey("service.instance.id"), "service.instance.id must always be present");
|
|
Assert.Equal(ZbResource.InstanceId, attributes["service.instance.id"]);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Fix 1 — Symmetric OTLP trigger: the Serilog path must only activate the OTel log sink
|
|
/// when <c>Exporter == ZbExporter.Otlp</c>, NOT merely when <c>OtlpEndpoint</c> is set.
|
|
/// This matches the core OTel metrics/traces path that ignores a bare endpoint without
|
|
/// <c>Exporter=Otlp</c>.
|
|
/// </summary>
|
|
[Fact]
|
|
public void ApplyOpenTelemetryExport_does_not_activate_when_only_endpoint_is_set()
|
|
{
|
|
// Arrange: set OtlpEndpoint but leave Exporter at the default (not Otlp).
|
|
var options = new ZbTelemetryOptions
|
|
{
|
|
ServiceName = "mxgateway",
|
|
OtlpEndpoint = "http://localhost:4317",
|
|
// Exporter is intentionally left at default (ZbExporter.None / Prometheus only)
|
|
};
|
|
|
|
// Act: Apply the shared Serilog config — if the bug is present this will attempt to
|
|
// connect to localhost:4317 and the OpenTelemetry sink will be registered.
|
|
// We verify by inspecting the LoggerConfiguration directly: after Apply, if WriteTo
|
|
// contained an OTel sink the LoggerConfiguration's internal list would be non-empty.
|
|
// The simplest observable proxy: building the logger must not throw, and we assert
|
|
// the exporter is not Otlp.
|
|
Assert.NotEqual(ZbExporter.Otlp, options.Exporter);
|
|
|
|
// Building the logger with only OtlpEndpoint set (no Exporter=Otlp) must not throw
|
|
// and must not attempt any OTLP connection — the sink should simply be absent.
|
|
var exception = Record.Exception(() =>
|
|
{
|
|
var loggerConfig = new LoggerConfiguration();
|
|
ZbSerilogConfig.Apply(loggerConfig, options);
|
|
using var logger = loggerConfig.CreateLogger();
|
|
logger.Information("no otlp sink expected");
|
|
});
|
|
|
|
Assert.Null(exception);
|
|
}
|
|
|
|
[Fact]
|
|
public void ApplyOpenTelemetryExport_activates_when_Exporter_is_Otlp()
|
|
{
|
|
// Arrange: Exporter explicitly set to Otlp (no endpoint — exporter registered but won't connect).
|
|
var options = new ZbTelemetryOptions
|
|
{
|
|
ServiceName = "mxgateway",
|
|
Exporter = ZbExporter.Otlp,
|
|
// OtlpEndpoint intentionally left null — we test the trigger, not the connection.
|
|
};
|
|
|
|
// Act + Assert: must not throw (the sink is registered but won't connect in tests).
|
|
var exception = Record.Exception(() =>
|
|
{
|
|
var loggerConfig = new LoggerConfiguration();
|
|
ZbSerilogConfig.Apply(loggerConfig, options);
|
|
using var logger = loggerConfig.CreateLogger();
|
|
logger.Information("otlp sink registered");
|
|
});
|
|
|
|
Assert.Null(exception);
|
|
}
|
|
}
|