Merge pull request #2 from stoberman37/feature/creditcardmask

Introduces masking of credit card numbers in log entries.

Author: sandermvanvliet

README.md

@@ -92,3 +92,29 @@ The effect is that the log message will be rendered as:
 `This is a sensitive ***MASKED***`
 
 See the [Serilog.Enrichers.Sensitive.Demo](src/Serilog.Enrichers.Sensitive.Demo/Program.cs) app for a code example of the above.
+
+## Extending to additional use cases
+
+Extending this enricher is a fairly straight forward process.
+
+1. Create your new class and inherit from the RegexMaskingOperator base class
+	1. Pass your regex pattern to the base constructor
+	2. To control if the regex replacement should even take place, override ShouldMaskInput, returning `true` if the mask should be applied, and `false` if it should not.
+	3. Override PreprocessInput if your use case requires adjusting the input string before the regex match is applied.
+	4. Override PreprocessMask if your use case requires adjusting the mask that is applied (for instance, if your regex includes named groups).  See the [CreditCardMaskingOperator](src/Serilog.Enrichers.Sensitive/CreditCardMaskingOperator.cs) for an example.
+1. When configuring your logger, pass your new encricher in the collection of masking operators
+
+```csharp
+var logger = new LoggerConfiguration()
+	.Enrich.WithSensitiveDataMasking(MaskingMode.InArea, new IMaskingOperator[]
+	{
+		new EmailAddressMaskingOperator(),
+		new IbanMaskingOperator(),
+		new CreditCardMaskingOperator(false),
+		new YourMaskingOperator()
+	})
+    .WriteTo.Console()
+    .CreateLogger();
+```
+
+

Serilog.Enrichers.Sensitive.sln

@@ -13,7 +13,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "test", "test", "{5953C623-0
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Serilog.Enrichers.Sensitive.Tests.Unit", "test\Serilog.Enrichers.Sensitive.Tests.Unit\Serilog.Enrichers.Sensitive.Tests.Unit.csproj", "{8784B51D-900B-44E5-A032-CEF6027CD178}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Serilog.Enrichers.Sensitive.Tests.Benchmark", "test\Serilog.Enrichers.Sensitive.Tests.Benchmark\Serilog.Enrichers.Sensitive.Tests.Benchmark.csproj", "{1C6B2313-3EBB-482F-8A78-2BB7C6FCFA06}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Serilog.Enrichers.Sensitive.Tests.Benchmark", "test\Serilog.Enrichers.Sensitive.Tests.Benchmark\Serilog.Enrichers.Sensitive.Tests.Benchmark.csproj", "{1C6B2313-3EBB-482F-8A78-2BB7C6FCFA06}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution

src/Serilog.Enrichers.Sensitive.Demo/Program.cs

@@ -1,37 +1,93 @@
 using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Serilog.Core;
 
 namespace Serilog.Enrichers.Sensitive.Demo
 {
-    class Program
-    {
-        static void Main(string[] args)
-        {
-            var logger = new LoggerConfiguration()
-                .Enrich.WithSensitiveDataMasking()
-                .WriteTo.Console()
-                .CreateLogger();
-            
-            logger.Information("Hello, world");
-
-            using (logger.EnterSensitiveArea())
-            {
-                // An e-mail address in text
-                logger.Information("This is a secret email address: james.bond@universal-exports.co.uk");
-
-                // Works for properties too
-                logger.Information("This is a secret email address: {Email}", "james.bond@universal-exports.co.uk");
-
-                // IBANs are also masked
-                logger.Information("Bank transfer from Felix Leiter on NL02ABNA0123456789");
-                
-                // IBANs are also masked
-                logger.Information("Bank transfer from Felix Leiter on {BankAccount}", "NL02ABNA0123456789");
-            }
-            
-            // But outside the sensitive area nothing is masked
-            logger.Information("Felix can be reached at felix@cia.gov");
-
-            Console.ReadLine();
-        }
-    }
+	class Program
+	{
+		static async Task Main(string[] args)
+		{
+			var logger = new LoggerConfiguration()
+				.Enrich.WithSensitiveDataMasking(MaskingMode.InArea, new IMaskingOperator[]
+				{
+					new EmailAddressMaskingOperator(),
+					new IbanMaskingOperator(),
+					new CreditCardMaskingOperator(false)
+				})
+				.WriteTo.Console()
+				.CreateLogger();
+
+			logger.Information("Hello, world");
+
+			using (logger.EnterSensitiveArea())
+			{
+				// An e-mail address in text
+				logger.Information("This is a secret email address: james.bond@universal-exports.co.uk");
+
+				// Works for properties too
+				logger.Information("This is a secret email address: {Email}", "james.bond@universal-exports.co.uk");
+
+				// IBANs are also masked
+				logger.Information("Bank transfer from Felix Leiter on NL02ABNA0123456789");
+
+				// IBANs are also masked
+				logger.Information("Bank transfer from Felix Leiter on {BankAccount}", "NL02ABNA0123456789");
+
+				// Credit card numbers too
+				logger.Information("Credit Card Number: 4111111111111111");
+
+				// even works in an embedded XML string
+				var x = new
+				{
+					Key = 12345, XmlValue = "<MyElement><CreditCard>4111111111111111</CreditCard></MyElement>"
+				};
+				logger.Information("Object dump with embedded credit card: {x}", x);
+
+			}
+
+			// But outside the sensitive area nothing is masked
+			logger.Information("Felix can be reached at felix@cia.gov");
+
+
+			// Now, show that this works for async contexts too
+			logger.Information("Now, show the Async works");
+
+			var t1 = LogAsSensitiveAsync(logger);
+			var t2 = LogAsUnsensitiveAsync(logger);
+
+			await Task.WhenAll(t1, t2).ConfigureAwait(false);
+
+			Console.ReadLine();
+		}
+
+		private static async Task LogAsSensitiveAsync(Logger logger)
+		{
+			using (logger.EnterSensitiveArea())
+			{
+				await Task.Delay(new Random().Next(1000,2000)).ConfigureAwait(false);
+				// Put in a delay, so we are sure these run basically simultaneiously 
+				// An e-mail address in text
+				logger.Information("Sensitive: This is a secret email address: james.bond@universal-exports.co.uk");
+
+				// Works for properties too
+				await Task.Delay(new Random().Next(1000, 2000)).ConfigureAwait(false);
+				logger.Information("Sensitive: This is a secret email address: {Email}",
+					"james.bond@universal-exports.co.uk");
+			}
+		}
+
+		private static async Task LogAsUnsensitiveAsync(Logger logger)
+		{
+			// Put in a delay, so we are sure these run basically simultaneiously 
+			// An e-mail address in text
+			await Task.Delay(new Random().Next(1000, 2000)).ConfigureAwait(false);
+			logger.Information("This is a secret email address: james.bond@universal-exports.co.uk");
+
+			// Works for properties too
+			await Task.Delay(new Random().Next(1000, 2000)).ConfigureAwait(false);
+			logger.Information("This is a secret email address: {Email}", "james.bond@universal-exports.co.uk");
+		}
+	}
 }

src/Serilog.Enrichers.Sensitive/CreditCardMaskingOperator.cs

@@ -0,0 +1,27 @@
+using System.Text.RegularExpressions;
+
+namespace Serilog.Enrichers.Sensitive
+{
+	public class CreditCardMaskingOperator : RegexMaskingOperator
+	{
+		private const string CreditCardPartialReplacePattern =
+			@"(?<leading4>\d{4}(?<sep>[ -]?))(?<toMask>\d{4}\k<sep>*\d{2})(?<trailing6>\d{2}\k<sep>*\d{4})";
+
+		private const string CreditCardFullReplacePattern =
+			@"(?<toMask>\d{4}(?<sep>[ -]?)\d{4}\k<sep>*\d{4}\k<sep>*\d{4})";
+
+		private readonly string _replacementPattern;
+
+		public CreditCardMaskingOperator() : this(true)
+		{
+		}
+
+		public CreditCardMaskingOperator(bool fullMask) 
+			: base(fullMask ? CreditCardFullReplacePattern : CreditCardPartialReplacePattern, RegexOptions.IgnoreCase | RegexOptions.Compiled)
+		{
+			_replacementPattern = fullMask ? "{0}" : "${{leading4}}{0}${{trailing6}}";
+		}
+
+		protected override string PreprocessMask(string mask) => string.Format(_replacementPattern, mask);
+	}
+}

src/Serilog.Enrichers.Sensitive/EmailAddressMaskingOperator.cs

@@ -2,37 +2,27 @@
 
 namespace Serilog.Enrichers.Sensitive
 {
-    public class EmailAddressMaskingOperator : IMaskingOperator
+    public class EmailAddressMaskingOperator : RegexMaskingOperator
     {
-        private static readonly Regex EmailReplaceRegex = new Regex(
-            "(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])",
-            RegexOptions.IgnoreCase | RegexOptions.Compiled);
+	    private const string EmailPattern =
+		    "(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])";
 
-        public MaskingResult Mask(string input, string mask)
+        public EmailAddressMaskingOperator() : base(EmailPattern, RegexOptions.IgnoreCase | RegexOptions.Compiled)
         {
-            // Naive approach to deal with URL encoded values
-            // most likely this should properly URL decode once it
-            // finds this marker in the input string
-            if (input.Contains("%40"))
-            {
-                input = input.Replace("%40", "@");
-            }
+        }
 
-            // Early exit so we avoid the regex.
-            // Probably needs a benchmark to see
-            // if this actually helps.
-            if (!input.Contains("@"))
-            {
-                return MaskingResult.NoMatch;
-            }
+        protected override string PreprocessInput(string input)
+        {
+	        if (input.Contains("%40"))
+	        {
+		        input = input.Replace("%40", "@");
+	        }
+	        return input;
+        }
 
-            // Note that if we get here we _always_ assume
-            // a successful replacement.
-            return new MaskingResult
-            {
-                Result = EmailReplaceRegex.Replace(input, mask),
-                Match = true
-            };
+        protected override bool ShouldMaskInput(string input)
+        {
+	        return input.Contains("@");
         }
     }
 }

src/Serilog.Enrichers.Sensitive/ExtensionMethods.cs

@@ -1,4 +1,5 @@
-using Serilog.Configuration;
+using System.Collections.Generic;
+using Serilog.Configuration;
 
 namespace Serilog.Enrichers.Sensitive
 {
@@ -15,14 +16,20 @@ public static SensitiveArea EnterSensitiveArea(this ILogger logger)
 
         public static LoggerConfiguration WithSensitiveDataMasking(this LoggerEnrichmentConfiguration loggerConfiguration)
         {
-            return loggerConfiguration
-                .With(new SensitiveDataEnricher(MaskingMode.Globally, SensitiveDataEnricher.DefaultOperators));
+            return loggerConfiguration.WithSensitiveDataMasking(MaskingMode.Globally, SensitiveDataEnricher.DefaultOperators);
         }
 
         public static LoggerConfiguration WithSensitiveDataMaskingInArea(this LoggerEnrichmentConfiguration loggerConfiguration)
         {
-            return loggerConfiguration
-                .With(new SensitiveDataEnricher(MaskingMode.InArea, SensitiveDataEnricher.DefaultOperators));
+	        return loggerConfiguration.WithSensitiveDataMasking(MaskingMode.InArea, SensitiveDataEnricher.DefaultOperators);
+        }
+
+        public static LoggerConfiguration WithSensitiveDataMasking(
+	        this LoggerEnrichmentConfiguration loggerConfiguration, MaskingMode mode,
+	        IEnumerable<IMaskingOperator> operators)
+        {
+	        return loggerConfiguration
+		        .With(new SensitiveDataEnricher(mode, operators));
         }
     }
 }

src/Serilog.Enrichers.Sensitive/IMaskingOperator.cs

@@ -1,6 +1,7 @@
 namespace Serilog.Enrichers.Sensitive
 {
-    public interface IMaskingOperator
+
+	public interface IMaskingOperator
     {
         MaskingResult Mask(string input, string mask);
     }

src/Serilog.Enrichers.Sensitive/IbanMaskingOperator.cs

@@ -1,18 +1,11 @@
-using System.Text.RegularExpressions;
-
-namespace Serilog.Enrichers.Sensitive
+namespace Serilog.Enrichers.Sensitive
 {
-    public class IbanMaskingOperator : IMaskingOperator
+    public class IbanMaskingOperator : RegexMaskingOperator
     {
-        private static readonly Regex IbanReplaceRegex = new Regex("[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}", RegexOptions.Compiled);
+		private const string IbanReplacePattern = "[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}";
 
-        public MaskingResult Mask(string input, string mask)
-        {
-            return new MaskingResult
-            {
-                Match = true,
-                Result = IbanReplaceRegex.Replace(input, mask)
-            };
-        }
+		public IbanMaskingOperator() : base(IbanReplacePattern)
+		{
+		}
     }
 }

src/Serilog.Enrichers.Sensitive/RegexMaskingOperator.cs

@@ -0,0 +1,47 @@
+using System;
+using System.Text.RegularExpressions;
+
+namespace Serilog.Enrichers.Sensitive
+{
+	public abstract class RegexMaskingOperator : IMaskingOperator
+	{
+		private readonly Regex _regex;
+
+		protected RegexMaskingOperator(string regexString) : this(regexString, RegexOptions.Compiled)
+		{
+		}
+
+		protected RegexMaskingOperator(string regexString, RegexOptions options)
+		{
+			_regex = new Regex(regexString ?? throw new ArgumentNullException(nameof(regexString)), options);
+			if (string.IsNullOrWhiteSpace(regexString))
+			{
+				throw new ArgumentOutOfRangeException(nameof(regexString), "Regex pattern cannot be empty or whitespace.");
+			}
+		}
+
+		public MaskingResult Mask(string input, string mask)
+		{
+			var preprocessedInput = PreprocessInput(input);
+			if (!ShouldMaskInput(preprocessedInput))
+			{
+				return MaskingResult.NoMatch;
+			}
+
+			var maskedResult = _regex.Replace(preprocessedInput, PreprocessMask(mask));
+			var result = new MaskingResult
+			{
+				Result = maskedResult,
+				Match = maskedResult != input
+			};
+
+			return result;
+		}
+
+		protected virtual bool ShouldMaskInput(string input) => true;
+
+		protected virtual string PreprocessInput(string input) => input;
+
+		protected virtual string PreprocessMask(string mask) => mask;
+	}
+}

src/Serilog.Enrichers.Sensitive/SensitiveDataEnricher.cs

@@ -84,7 +84,8 @@ private string ReplaceSensitiveDataFromString(string input)
         public static IEnumerable<IMaskingOperator> DefaultOperators => new List<IMaskingOperator>
         {
             new EmailAddressMaskingOperator(),
-            new IbanMaskingOperator()
+            new IbanMaskingOperator(),
+            new CreditCardMaskingOperator()
         };
 
     }