forked from baron/baron-sso
140 lines
3.9 KiB
Dart
140 lines
3.9 KiB
Dart
class LogPolicy {
|
|
static const Set<String> _sensitiveKeys = {
|
|
'password',
|
|
'currentpassword',
|
|
'newpassword',
|
|
'oldpassword',
|
|
'token',
|
|
'accesstoken',
|
|
'refreshtoken',
|
|
'secret',
|
|
'clientsecret',
|
|
'authorization',
|
|
'cookie',
|
|
'setcookie',
|
|
'verificationcode',
|
|
'code',
|
|
'loginchallenge',
|
|
'loginverifier',
|
|
'sessionjwt',
|
|
'accessjwt',
|
|
'refreshjwt',
|
|
};
|
|
|
|
static bool isProductionEnv(String? appEnv) {
|
|
final env = (appEnv ?? '').trim().toLowerCase();
|
|
return env == 'prod' ||
|
|
env == 'production' ||
|
|
env == 'stage' ||
|
|
env == 'staging';
|
|
}
|
|
|
|
static ({bool enabled, bool specified}) parseOptionalBoolFlag(String? raw) {
|
|
final value = (raw ?? '').trim().toLowerCase();
|
|
if (value == '1' ||
|
|
value == 'true' ||
|
|
value == 'yes' ||
|
|
value == 'y' ||
|
|
value == 'on') {
|
|
return (enabled: true, specified: true);
|
|
}
|
|
if (value == '0' ||
|
|
value == 'false' ||
|
|
value == 'no' ||
|
|
value == 'n' ||
|
|
value == 'off') {
|
|
return (enabled: false, specified: true);
|
|
}
|
|
return (enabled: false, specified: false);
|
|
}
|
|
|
|
static bool debugEnabled({
|
|
required String? appEnv,
|
|
required String? productionDebugFlag,
|
|
}) {
|
|
if (!isProductionEnv(appEnv)) {
|
|
return true;
|
|
}
|
|
final flag = parseOptionalBoolFlag(productionDebugFlag);
|
|
return flag.specified && flag.enabled;
|
|
}
|
|
|
|
static bool shouldRelayClientLog({
|
|
required String level,
|
|
required String? appEnv,
|
|
required String? productionDebugFlag,
|
|
}) {
|
|
final flag = parseOptionalBoolFlag(productionDebugFlag);
|
|
final debugRelayEnabled = isProductionEnv(appEnv)
|
|
? flag.specified && flag.enabled
|
|
: !(flag.specified && !flag.enabled);
|
|
|
|
if (debugRelayEnabled) {
|
|
return true;
|
|
}
|
|
final normalized = level.trim().toUpperCase();
|
|
return normalized == 'SEVERE' ||
|
|
normalized == 'ERROR' ||
|
|
normalized == 'WARNING' ||
|
|
normalized == 'WARN';
|
|
}
|
|
|
|
static String sanitizeMessage(String message) {
|
|
if (message.trim().isEmpty) {
|
|
return message;
|
|
}
|
|
var sanitized = message.replaceAllMapped(
|
|
RegExp(
|
|
r'"(password|currentpassword|newpassword|oldpassword|token|accesstoken|refreshtoken|secret|clientsecret|authorization|cookie|setcookie|verificationcode|code|loginchallenge|loginverifier|sessionjwt|accessjwt|refreshjwt)"\s*:\s*"[^"]*"',
|
|
caseSensitive: false,
|
|
),
|
|
(match) {
|
|
final key = match.group(1) ?? 'sensitive';
|
|
return '"$key":"*****"';
|
|
},
|
|
);
|
|
sanitized = sanitized.replaceAllMapped(
|
|
RegExp(
|
|
r'\b(password|current_password|currentpassword|new_password|newpassword|old_password|oldpassword|token|access_token|accesstoken|refresh_token|refreshtoken|authorization|cookie|session_jwt|sessionjwt|access_jwt|accessjwt|refresh_jwt|refreshjwt)\b\s*[:=]\s*([^\s,;]+)',
|
|
caseSensitive: false,
|
|
),
|
|
(match) {
|
|
final key = match.group(1) ?? 'sensitive';
|
|
return '$key=*****';
|
|
},
|
|
);
|
|
return sanitized;
|
|
}
|
|
|
|
static Map<String, dynamic> sanitizeData(Map<String, dynamic> input) {
|
|
final output = <String, dynamic>{};
|
|
for (final entry in input.entries) {
|
|
if (_isSensitiveKey(entry.key)) {
|
|
output[entry.key] = '*****';
|
|
} else {
|
|
output[entry.key] = _sanitizeValue(entry.value);
|
|
}
|
|
}
|
|
return output;
|
|
}
|
|
|
|
static dynamic _sanitizeValue(dynamic value) {
|
|
if (value is Map<String, dynamic>) {
|
|
return sanitizeData(value);
|
|
}
|
|
if (value is List) {
|
|
return value.map(_sanitizeValue).toList(growable: false);
|
|
}
|
|
if (value is String) {
|
|
return sanitizeMessage(value);
|
|
}
|
|
return value;
|
|
}
|
|
|
|
static bool _isSensitiveKey(String key) {
|
|
var normalized = key.trim().toLowerCase();
|
|
normalized = normalized.replaceAll(RegExp(r'[-_.\s]'), '');
|
|
return _sensitiveKeys.contains(normalized);
|
|
}
|
|
}
|