dohertj2/scadaproj
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
da669bfc9bc1b893108d9e59cd82c3cdc09bf263
scadaproj/ZB.MOM.WW.Telemetry/tests/ZB.MOM.WW.Telemetry.Serilog.Tests/RedactionTests.cs
T
Joseph Doherty 05cc62aab3 Implement nested log redaction (Telemetry-002) 
RedactionEnricher now projects each property into a mutable view the ILogRedactor
can edit: scalars stay as their CLR value, while StructureValue/SequenceValue/
DictionaryValue become nested IDictionary<string,object?>/IList<object?> the
redactor descends into recursively. A field nested inside a destructured {@Object}
can now be masked or removed — closing the gap documented as a limitation.

- Project/Rebuild round-trip preserves StructureValue.TypeTag and original
  dictionary keys; redactor-synthesised plain dicts/lists are rebuilt too.
- Untouched properties are not reallocated: structural ValueEquals skips write-back
  unless a property actually changed. Scalar fast path and no-redactor/no-property
  short-circuits retained.
- +5 nested-reach tests (mask/remove a field, sequence element, dictionary value,
  two-levels-deep); the old 'cannot reach' limitation test replaced. Serilog 34, 0 warnings.
- ILogRedactor XML doc + library README updated to document the recursive reach.
2026-06-01 12:12:26 -04:00

478 lines
19 KiB
C#
Raw Blame History

using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Serilog;
using Serilog.Core;
using Serilog.Events;
using Serilog.Sinks.InMemory;
using ZB.MOM.WW.Telemetry;
using ZB.MOM.WW.Telemetry.Serilog;
namespace ZB.MOM.WW.Telemetry.Serilog.Tests;
public sealed class RedactionTests
{
private const string Masked = "***";
private sealed class FakeRedactor : ILogRedactor
{
public void Redact(IDictionary<string, object?> properties)
{
if (properties.ContainsKey("apiKey"))
{
properties["apiKey"] = Masked;
}
}
}
private sealed class RemovingRedactor : ILogRedactor
{
private readonly string _key;
public RemovingRedactor(string key) => _key = key;
public void Redact(IDictionary<string, object?> properties) => properties.Remove(_key);
}
/// <summary>Masks a field nested inside a destructured <c>{@command}</c> object.</summary>
private sealed class NestedFieldRedactor : ILogRedactor
{
public void Redact(IDictionary<string, object?> properties)
{
if (properties.TryGetValue("command", out var value)
&& value is IDictionary<string, object?> command
&& command.ContainsKey("ApiKey"))
{
command["ApiKey"] = Masked;
}
}
}
/// <summary>Removes a field nested inside a destructured <c>{@command}</c> object.</summary>
private sealed class NestedRemovingRedactor : ILogRedactor
{
public void Redact(IDictionary<string, object?> properties)
{
if (properties.TryGetValue("command", out var value)
&& value is IDictionary<string, object?> command)
{
command.Remove("ApiKey");
}
}
}
/// <summary>Masks an element inside a destructured <c>{@items}</c> sequence.</summary>
private sealed class SequenceElementRedactor : ILogRedactor
{
public void Redact(IDictionary<string, object?> properties)
{
if (properties.TryGetValue("items", out var value) && value is IList<object?> items)
{
for (var i = 0; i < items.Count; i++)
{
if (items[i] is string s && s.StartsWith("secret", StringComparison.Ordinal))
{
items[i] = Masked;
}
}
}
}
}
/// <summary>Masks a value inside a destructured <c>{@map}</c> dictionary.</summary>
private sealed class DictionaryValueRedactor : ILogRedactor
{
public void Redact(IDictionary<string, object?> properties)
{
if (properties.TryGetValue("map", out var value)
&& value is IDictionary<string, object?> map
&& map.ContainsKey("token"))
{
map["token"] = Masked;
}
}
}
/// <summary>Masks a field two levels deep inside a destructured object graph.</summary>
private sealed class DeepFieldRedactor : ILogRedactor
{
public void Redact(IDictionary<string, object?> properties)
{
if (properties.TryGetValue("payload", out var value)
&& value is IDictionary<string, object?> payload
&& payload.TryGetValue("Inner", out var innerValue)
&& innerValue is IDictionary<string, object?> inner
&& inner.ContainsKey("ApiKey"))
{
inner["ApiKey"] = Masked;
}
}
}
// Named types so a destructured StructureValue's TypeTag is deterministic in assertions.
private sealed record Command(string Name, string ApiKey);
private sealed record Envelope(Inner Inner);
private sealed record Inner(string ApiKey, string Note);
private static string? ScalarOrNull(LogEvent logEvent, string propertyName) =>
logEvent.Properties.TryGetValue(propertyName, out var value) && value is ScalarValue scalar
? scalar.Value?.ToString()
: null;
/// <summary>
/// Builds a logger wired with <paramref name="redactor"/>, logs one event, and returns it —
/// the shared harness for the redaction tests.
/// </summary>
private static LogEvent LogWith(ILogRedactor redactor, string template, params object?[] args)
{
var serviceProvider = new ServiceCollection()
.AddSingleton<ILogRedactor>(redactor)
.BuildServiceProvider();
var sink = new InMemorySink();
var options = new ZbTelemetryOptions { ServiceName = "mxgateway" };
var loggerConfig = new LoggerConfiguration();
ZbSerilogConfig.Apply(loggerConfig, options, serviceProvider);
using Logger logger = loggerConfig.WriteTo.Sink(sink).CreateLogger();
logger.Information(template, args);
return Assert.Single(sink.LogEvents);
}
[Fact]
public void Registered_redactor_masks_sensitive_property()
{
var serviceProvider = new ServiceCollection()
.AddSingleton<ILogRedactor>(new FakeRedactor())
.BuildServiceProvider();
var sink = new InMemorySink();
var options = new ZbTelemetryOptions { ServiceName = "mxgateway" };
var loggerConfig = new LoggerConfiguration();
ZbSerilogConfig.Apply(loggerConfig, options, serviceProvider);
using Logger logger = loggerConfig.WriteTo.Sink(sink).CreateLogger();
logger.Information("authenticating {apiKey}", "mxgw_secret");
var logEvent = Assert.Single(sink.LogEvents);
Assert.Equal(Masked, ScalarOrNull(logEvent, "apiKey"));
}
[Fact]
public void No_redactor_registered_is_a_no_op()
{
var serviceProvider = new ServiceCollection().BuildServiceProvider();
var sink = new InMemorySink();
var options = new ZbTelemetryOptions { ServiceName = "mxgateway" };
var loggerConfig = new LoggerConfiguration();
ZbSerilogConfig.Apply(loggerConfig, options, serviceProvider);
using Logger logger = loggerConfig.WriteTo.Sink(sink).CreateLogger();
logger.Information("authenticating {apiKey}", "mxgw_secret");
var logEvent = Assert.Single(sink.LogEvents);
Assert.Equal("mxgw_secret", ScalarOrNull(logEvent, "apiKey"));
}
/// <summary>
/// Telemetry-001: a redactor that REMOVES a key (the most natural way to implement "must not
/// leave the process") must result in the property being absent from the emitted event, not
/// silently retained.
/// </summary>
[Fact]
public void Removing_redactor_scrubs_the_property_from_the_event()
{
var serviceProvider = new ServiceCollection()
.AddSingleton<ILogRedactor>(new RemovingRedactor("apiKey"))
.BuildServiceProvider();
var sink = new InMemorySink();
var options = new ZbTelemetryOptions { ServiceName = "mxgateway" };
var loggerConfig = new LoggerConfiguration();
ZbSerilogConfig.Apply(loggerConfig, options, serviceProvider);
using Logger logger = loggerConfig.WriteTo.Sink(sink).CreateLogger();
logger.Information("authenticating {apiKey} for {user}", "mxgw_secret", "alice");
var logEvent = Assert.Single(sink.LogEvents);
Assert.False(
logEvent.Properties.ContainsKey("apiKey"),
"apiKey must be removed from the event when the redactor removes the key");
// A non-sensitive property the redactor left alone must survive.
Assert.Equal("alice", ScalarOrNull(logEvent, "user"));
}
/// <summary>
/// Telemetry-002: a redactor can reach a field nested inside a destructured ({@Object})
/// property and mask it, leaving sibling fields and the structure's type tag intact.
/// </summary>
[Fact]
public void Redactor_masks_a_field_inside_a_destructured_object()
{
var logEvent = LogWith(
new NestedFieldRedactor(),
"dispatching {@command}",
new Command("Write", "mxgw_secret"));
var structure = Assert.IsType<StructureValue>(logEvent.Properties["command"]);
var fields = structure.Properties.ToDictionary(p => p.Name, p => p.Value);
Assert.Equal(Masked, (fields["ApiKey"] as ScalarValue)?.Value?.ToString());
Assert.Equal("Write", (fields["Name"] as ScalarValue)?.Value?.ToString());
Assert.Equal(nameof(Command), structure.TypeTag);
}
/// <summary>
/// Telemetry-002: a redactor can remove a field nested inside a destructured object; the
/// field is dropped from the rebuilt structure while siblings survive.
/// </summary>
[Fact]
public void Redactor_removes_a_field_inside_a_destructured_object()
{
var logEvent = LogWith(
new NestedRemovingRedactor(),
"dispatching {@command}",
new Command("Write", "mxgw_secret"));
var structure = Assert.IsType<StructureValue>(logEvent.Properties["command"]);
var names = structure.Properties.Select(p => p.Name).ToList();
Assert.DoesNotContain("ApiKey", names);
Assert.Contains("Name", names);
}
/// <summary>Telemetry-002: a redactor can mask an element nested inside a destructured sequence.</summary>
[Fact]
public void Redactor_masks_an_element_inside_a_destructured_sequence()
{
var logEvent = LogWith(
new SequenceElementRedactor(),
"items {@items}",
(object)new[] { "keep", "secret-token" });
var sequence = Assert.IsType<SequenceValue>(logEvent.Properties["items"]);
var elements = sequence.Elements.Select(e => (e as ScalarValue)?.Value?.ToString()).ToList();
Assert.Equal(new[] { "keep", Masked }, elements);
}
/// <summary>Telemetry-002: a redactor can mask a value nested inside a destructured dictionary.</summary>
[Fact]
public void Redactor_masks_a_value_inside_a_destructured_dictionary()
{
var map = new Dictionary<string, string> { ["user"] = "alice", ["token"] = "secret" };
var logEvent = LogWith(new DictionaryValueRedactor(), "map {@map}", map);
var dictionary = Assert.IsType<DictionaryValue>(logEvent.Properties["map"]);
var pairs = dictionary.Elements.ToDictionary(
e => (string)e.Key.Value!,
e => (e.Value as ScalarValue)?.Value?.ToString());
Assert.Equal("alice", pairs["user"]);
Assert.Equal(Masked, pairs["token"]);
}
/// <summary>Telemetry-002: nested reach is recursive — a field two levels deep is reachable.</summary>
[Fact]
public void Redactor_masks_a_field_two_levels_deep()
{
var logEvent = LogWith(
new DeepFieldRedactor(),
"payload {@payload}",
new Envelope(new Inner("secret", "keep")));
var outer = Assert.IsType<StructureValue>(logEvent.Properties["payload"]);
var innerValue = outer.Properties.Single(p => p.Name == "Inner").Value;
var inner = Assert.IsType<StructureValue>(innerValue);
var fields = inner.Properties.ToDictionary(p => p.Name, p => p.Value);
Assert.Equal(Masked, (fields["ApiKey"] as ScalarValue)?.Value?.ToString());
Assert.Equal("keep", (fields["Note"] as ScalarValue)?.Value?.ToString());
}
/// <summary>
/// A structured property the redactor does not touch must survive redaction unchanged
/// (siblings, values, and type tag intact) even while a scalar property is masked.
/// </summary>
[Fact]
public void Untouched_structured_property_survives_redaction_intact()
{
var logEvent = LogWith(
new FakeRedactor(),
"dispatching {apiKey} {@command}",
"mxgw_secret",
new Command("Write", "open"));
Assert.Equal(Masked, ScalarOrNull(logEvent, "apiKey"));
var structure = Assert.IsType<StructureValue>(logEvent.Properties["command"]);
var fields = structure.Properties.ToDictionary(p => p.Name, p => p.Value);
Assert.Equal("Write", (fields["Name"] as ScalarValue)?.Value?.ToString());
Assert.Equal("open", (fields["ApiKey"] as ScalarValue)?.Value?.ToString());
Assert.Equal(nameof(Command), structure.TypeTag);
}
[Fact]
public void AddZbSerilog_with_otlp_options_builds_without_error()
{
var builder = Host.CreateApplicationBuilder();
builder.AddZbSerilog(o =>
{
o.ServiceName = "mxgateway";
o.SiteId = "s1";
o.NodeRole = "central";
o.Exporter = ZbExporter.Otlp;
o.OtlpEndpoint = "http://localhost:4317";
});
using var host = builder.Build();
// Serilog.ILogger is registered by AddSerilog — not Microsoft.Extensions.Logging.ILogger.
var logger = host.Services.GetRequiredService<ILogger>();
logger.Information("otlp wiring smoke test");
}
[Fact]
public void BuildResourceAttributes_contains_required_keys_and_optional_keys_when_set()
{
var options = new ZbTelemetryOptions
{
ServiceName = "mxgateway",
ServiceNamespace = "ZB.MOM.WW",
SiteId = "site-a",
NodeRole = "central",
};
var attributes = ZbSerilogConfig.BuildResourceAttributes(options);
// Required keys always present.
Assert.True(attributes.ContainsKey("service.name"), "service.name must be present");
Assert.True(attributes.ContainsKey("service.namespace"), "service.namespace must be present");
Assert.True(attributes.ContainsKey("host.name"), "host.name must be present");
// service.instance.id must be present and match ZbResource.InstanceId (parity with OTel SDK path).
Assert.True(attributes.ContainsKey("service.instance.id"), "service.instance.id must be present");
Assert.Equal(ZbResource.InstanceId, attributes["service.instance.id"]);
// Optional keys present when options supply them.
Assert.True(attributes.ContainsKey("site.id"), "site.id must be present when SiteId is set");
Assert.True(attributes.ContainsKey("node.role"), "node.role must be present when NodeRole is set");
Assert.Equal("mxgateway", attributes["service.name"]);
Assert.Equal("ZB.MOM.WW", attributes["service.namespace"]);
Assert.Equal(Environment.MachineName, attributes["host.name"]);
Assert.Equal("site-a", attributes["site.id"]);
Assert.Equal("central", attributes["node.role"]);
}
/// <summary>
/// Telemetry-005: the Serilog OTLP log-sink attribute map and the OTel SDK metrics/traces
/// attribute map must be key-for-key and value-for-value identical, because both now derive from
/// the single <see cref="ZbResource.BuildAttributes"/> source of truth. This pins that they
/// cannot silently drift apart.
/// </summary>
[Fact]
public void Serilog_and_OTel_resource_attribute_sets_are_identical()
{
var options = new ZbTelemetryOptions
{
ServiceName = "mxgateway",
ServiceNamespace = "ZB.MOM.WW",
ServiceVersion = "9.9.9",
SiteId = "site-z",
NodeRole = "hub",
};
var serilogAttributes = ZbSerilogConfig.BuildResourceAttributes(options);
var canonical = ZbResource.BuildAttributes(options);
Assert.Equal(
canonical.OrderBy(kvp => kvp.Key, StringComparer.Ordinal),
serilogAttributes.OrderBy(kvp => kvp.Key, StringComparer.Ordinal));
}
[Fact]
public void BuildResourceAttributes_omits_optional_keys_when_not_set()
{
var options = new ZbTelemetryOptions
{
ServiceName = "mxgateway",
SiteId = null,
NodeRole = null,
};
var attributes = ZbSerilogConfig.BuildResourceAttributes(options);
Assert.False(attributes.ContainsKey("site.id"), "site.id must be absent when SiteId is null");
Assert.False(attributes.ContainsKey("node.role"), "node.role must be absent when NodeRole is null");
// service.instance.id is always present regardless of optional fields.
Assert.True(attributes.ContainsKey("service.instance.id"), "service.instance.id must always be present");
Assert.Equal(ZbResource.InstanceId, attributes["service.instance.id"]);
}
/// <summary>
/// Fix 1 — Symmetric OTLP trigger: the Serilog path must only activate the OTel log sink
/// when <c>Exporter == ZbExporter.Otlp</c>, NOT merely when <c>OtlpEndpoint</c> is set.
/// This matches the core OTel metrics/traces path that ignores a bare endpoint without
/// <c>Exporter=Otlp</c>.
/// </summary>
[Fact]
public void ApplyOpenTelemetryExport_does_not_activate_when_only_endpoint_is_set()
{
// Arrange: set OtlpEndpoint but leave Exporter at the default (not Otlp).
var options = new ZbTelemetryOptions
{
ServiceName = "mxgateway",
OtlpEndpoint = "http://localhost:4317",
// Exporter is intentionally left at default (ZbExporter.None / Prometheus only)
};
// Act: Apply the shared Serilog config — if the bug is present this will attempt to
// connect to localhost:4317 and the OpenTelemetry sink will be registered.
// We verify by inspecting the LoggerConfiguration directly: after Apply, if WriteTo
// contained an OTel sink the LoggerConfiguration's internal list would be non-empty.
// The simplest observable proxy: building the logger must not throw, and we assert
// the exporter is not Otlp.
Assert.NotEqual(ZbExporter.Otlp, options.Exporter);
// Building the logger with only OtlpEndpoint set (no Exporter=Otlp) must not throw
// and must not attempt any OTLP connection — the sink should simply be absent.
var exception = Record.Exception(() =>
{
var loggerConfig = new LoggerConfiguration();
ZbSerilogConfig.Apply(loggerConfig, options);
using var logger = loggerConfig.CreateLogger();
logger.Information("no otlp sink expected");
});
Assert.Null(exception);
}
[Fact]
public void ApplyOpenTelemetryExport_activates_when_Exporter_is_Otlp()
{
// Arrange: Exporter explicitly set to Otlp (no endpoint — exporter registered but won't connect).
var options = new ZbTelemetryOptions
{
ServiceName = "mxgateway",
Exporter = ZbExporter.Otlp,
// OtlpEndpoint intentionally left null — we test the trigger, not the connection.
};
// Act + Assert: must not throw (the sink is registered but won't connect in tests).
var exception = Record.Exception(() =>
{
var loggerConfig = new LoggerConfiguration();
ZbSerilogConfig.Apply(loggerConfig, options);
using var logger = loggerConfig.CreateLogger();
logger.Information("otlp sink registered");
});
Assert.Null(exception);
}
}
Reference in New Issue View Git Blame Copy Permalink