feat: Added log redaction for sensitive information (#213)

* feat: Added log redaction for sensitive information

* fix: birthday not yet reached this year test (#214)

* Apply suggestion from @coderabbitai[bot]

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Kashif Khan <[email protected]>

* fixed linter issue in logging.go

Signed-off-by: Kashif Khan <[email protected]>

---------

Signed-off-by: Kashif Khan <[email protected]>
Co-authored-by: Kashif Khan <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

Author: 3 people

logging/EXAMPLES.md

@@ -153,3 +153,35 @@ func main() {
 ```
 [2025-01-09 12:34:56] [INFO] CustomPrefix: This message has a custom prefix.
 ```
+
+### Redact sensitive information in logs
+
+```go
+package main
+
+import (
+ logging "github.com/kashifkhan0771/utils/logging"
+ "os"
+)
+
+func main() {
+ // Create a logger
+ logger := logging.NewLogger("MyApp", logging.DEBUG, os.Stdout)
+
+ // Set redaction rules for sensitive data
+ logger.SetRedactionRules(map[string]string{
+  "password:":    "***REDACTED***",
+  "credit_card=": "***REDACTED***",
+ })
+
+ // Log messages with sensitive data
+ logger.Info("User logged in with password:mysecretpass123")
+ logger.Error("Payment failed for credit_card=1234-5678-9876-5432")
+}
+```
+#### Output:
+
+```
+[2025-01-09 12:34:56] [INFO] MyApp: User logged in with password:***REDACTED***
+[2025-01-09 12:34:56] [ERROR] MyApp: Payment failed for credit_card=***REDACTED***
+```

logging/README.md

@@ -53,6 +53,20 @@ The `logging` package provides a simple, flexible, and color-coded logging syste
 - **Disable Colors**:  
   The `disableColors` field in the `Logger` struct can be set to `true` to disable color codes (useful for testing or plain-text logs).
 
+### Redaction
+
+The `logging` package can redact sensitive values before writing logs. Two methods are provided:
+
+- `SetRedactionRules(rules map[string]string)`
+  - Treats each map key as a literal pattern prefix (e.g., `password:` or `api_key=`).
+  - Matches the key plus the following non-space characters and replaces them with the key concatenated with the provided replacement.
+  - Example: `{"password:": "***REDACTED***"}` turns `password:secret` into `password:***REDACTED***`.
+
+- `SetRedactionRegex(patterns map[string]string) error`
+  - Accepts full regular expressions as keys and replacement strings as values.
+  - Compiles each regex and returns an error if any pattern is invalid.
+  - The replacement string replaces the matched substring.
+
 #### **Notes**
 
 - If the `minLevel` is set to `DEBUG`, all log messages will be displayed.

logging/logging.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"regexp"
 	"time"
 )
 
@@ -30,13 +31,20 @@ const (
 	ERROR                 // ERROR is used for critical error messages.
 )
 
+// RedactionRule defines how to redact sensitive information
+type RedactionRule struct {
+	Pattern     *regexp.Regexp // Regex pattern to match sensitive data
+	Replacement string         // Replacement text for matched patterns
+}
+
 // Logger is a configurable logging instance that supports multiple log levels,
 // optional colored output, and custom prefixes for log messages.
 type Logger struct {
-	minLevel      LogLevel  // Minimum log level for messages to be logged
-	prefix        string    // Prefix to prepend to all log messages
-	output        io.Writer // Output destination for log messages (e.g., os.Stdout)
-	disableColors bool      // Flag to disable color codes (useful for testing or non-ANSI terminals)
+	minLevel       LogLevel        // Minimum log level for messages to be logged
+	prefix         string          // Prefix to prepend to all log messages
+	output         io.Writer       // Output destination for log messages (e.g., os.Stdout)
+	disableColors  bool            // Flag to disable color codes (useful for testing or non-ANSI terminals)
+	redactionRules []RedactionRule // Rules for redacting sensitive information
 }
 
 // NewLogger creates and returns a new Logger instance with the specified prefix,
@@ -63,6 +71,58 @@ func NewLogger(prefix string, minLevel LogLevel, output io.Writer) *Logger {
 	}
 }
 
+// SetRedactionRules configures the logger to redact sensitive information based on
+// the provided patterns. Each key represents a pattern to match, and the value is
+// the replacement text.
+//
+// Parameters:
+//   - rules: A map where keys are patterns (e.g., "password=", "credit_card=") and
+//     values are replacement strings (e.g., "***REDACTED***").
+func (l *Logger) SetRedactionRules(rules map[string]string) {
+	l.redactionRules = make([]RedactionRule, 0, len(rules))
+	for pattern, replacement := range rules {
+		// Create a regex that matches the pattern followed by any non-space characters
+		regex := regexp.MustCompile(regexp.QuoteMeta(pattern) + `[^\s]+`)
+		l.redactionRules = append(l.redactionRules, RedactionRule{
+			Pattern:     regex,
+			Replacement: pattern + replacement,
+		})
+	}
+}
+
+// SetRedactionRegex allows users to define custom regex patterns for redaction.
+// This provides more flexibility than SetRedactionRules.
+//
+// Parameters:
+//   - patterns: A map where keys are regex patterns and values are replacement strings.
+func (l *Logger) SetRedactionRegex(patterns map[string]string) error {
+	rules := make([]RedactionRule, 0, len(patterns))
+	for pattern, replacement := range patterns {
+		regex, err := regexp.Compile(pattern)
+		if err != nil {
+			return fmt.Errorf("invalid regex pattern '%s': %w", pattern, err)
+		}
+		rules = append(rules, RedactionRule{
+			Pattern:     regex,
+			Replacement: replacement,
+		})
+	}
+
+	l.redactionRules = rules
+
+	return nil
+}
+
+// redact applies all configured redaction rules to the message
+func (l *Logger) redact(message string) string {
+	redactedMessage := message
+	for _, rule := range l.redactionRules {
+		redactedMessage = rule.Pattern.ReplaceAllString(redactedMessage, rule.Replacement)
+	}
+
+	return redactedMessage
+}
+
 // log handles the core logic of logging messages. It applies the appropriate
 // color coding (if enabled), formats the log message with a timestamp and prefix,
 // and writes it to the configured output destination.
@@ -75,6 +135,11 @@ func (l *Logger) log(level LogLevel, message string) {
 		return
 	}
 
+	// Apply redaction rules
+	if len(l.redactionRules) > 0 {
+		message = l.redact(message)
+	}
+
 	// Determine the color and level string for the log level
 	color := ""
 	levelStr := ""

logging/logging_test.go

@@ -97,6 +97,145 @@ func TestLogger(t *testing.T) {
 	}
 }
 
+func TestLoggerRedaction(t *testing.T) {
+	tests := []struct {
+		name           string
+		rules          map[string]string
+		message        string
+		wantContains   string
+		wantNotContain string
+	}{
+		{
+			name: "success - redact password",
+			rules: map[string]string{
+				"password:": "***REDACTED***",
+			},
+			message:        "User logged in with password:mysecretpass123",
+			wantContains:   "password:***REDACTED***",
+			wantNotContain: "mysecretpass123",
+		},
+		{
+			name: "success - redact credit card",
+			rules: map[string]string{
+				"credit_card=": "***REDACTED***",
+			},
+			message:        "Payment processed with credit_card=1234-5678-9876-5432",
+			wantContains:   "credit_card=***REDACTED***",
+			wantNotContain: "1234-5678-9876-5432",
+		},
+		{
+			name: "success - redact multiple fields",
+			rules: map[string]string{
+				"password:":    "***REDACTED***",
+				"email=":       "***REDACTED***",
+				"credit_card=": "***REDACTED***",
+			},
+			message:        "User [email protected] logged in with password:secret123",
+			wantContains:   "email=***REDACTED***",
+			wantNotContain: "[email protected]",
+		},
+		{
+			name:           "success - no redaction without rules",
+			rules:          map[string]string{},
+			message:        "User logged in with password:secret",
+			wantContains:   "password:secret",
+			wantNotContain: "REDACTED",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			buffer := &bytes.Buffer{}
+			logger := logging.NewLogger("Test", logging.INFO, buffer)
+			logger.SetRedactionRules(tt.rules)
+
+			logger.Info(tt.message)
+
+			output := buffer.String()
+			if !strings.Contains(output, tt.wantContains) {
+				t.Errorf("Expected output to contain '%v', got: %v", tt.wantContains, output)
+			}
+			if tt.wantNotContain != "" && strings.Contains(output, tt.wantNotContain) {
+				t.Errorf("Expected output NOT to contain '%v', got: %v", tt.wantNotContain, output)
+			}
+		})
+	}
+}
+
+func TestLoggerRedactionRegex(t *testing.T) {
+	tests := []struct {
+		name           string
+		patterns       map[string]string
+		message        string
+		wantContains   string
+		wantNotContain string
+		wantErr        bool
+	}{
+		{
+			name: "success - redact email with regex",
+			patterns: map[string]string{
+				`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b`: "[EMAIL REDACTED]",
+			},
+			message:        "Contact us at [email protected] for help",
+			wantContains:   "[EMAIL REDACTED]",
+			wantNotContain: "[email protected]",
+		},
+		{
+			name: "success - redact credit card numbers",
+			patterns: map[string]string{
+				`\b\d{4}-\d{4}-\d{4}-\d{4}\b`: "[CARD REDACTED]",
+			},
+			message:        "Card number: 1234-5678-9012-3456",
+			wantContains:   "[CARD REDACTED]",
+			wantNotContain: "1234-5678-9012-3456",
+		},
+		{
+			name: "success - redact phone numbers",
+			patterns: map[string]string{
+				`\b\d{3}-\d{3}-\d{4}\b`: "[PHONE REDACTED]",
+			},
+			message:        "Call me at 555-123-4567",
+			wantContains:   "[PHONE REDACTED]",
+			wantNotContain: "555-123-4567",
+		},
+		{
+			name: "error - invalid regex pattern",
+			patterns: map[string]string{
+				`[invalid(regex`: "REDACTED",
+			},
+			message: "test message",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			buffer := &bytes.Buffer{}
+			logger := logging.NewLogger("Test", logging.INFO, buffer)
+
+			err := logger.SetRedactionRegex(tt.patterns)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("SetRedactionRegex() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if tt.wantErr {
+				return
+			}
+
+			logger.Info(tt.message)
+
+			output := buffer.String()
+			if !strings.Contains(output, tt.wantContains) {
+				t.Errorf("Expected output to contain '%v', got: %v", tt.wantContains, output)
+			}
+			if tt.wantNotContain != "" && strings.Contains(output, tt.wantNotContain) {
+				t.Errorf("Expected output NOT to contain '%v', got: %v", tt.wantNotContain, output)
+			}
+		})
+	}
+}
+
 // ================================================================================
 // ### BENCHMARKS
 // ================================================================================
@@ -108,3 +247,15 @@ func BenchmarkLogger(b *testing.B) {
 		logger.Info("This is an info message")
 	}
 }
+
+func BenchmarkLoggerWithRedaction(b *testing.B) {
+	logger := logging.NewLogger("Test", logging.INFO, io.Discard)
+	logger.SetRedactionRules(map[string]string{
+		"password:": "***REDACTED***",
+		"email=":    "***REDACTED***",
+	})
+	b.ReportAllocs()
+	for b.Loop() {
+		logger.Info("User [email protected] logged in with password:secret123")
+	}
+}