@optimizely-opal/opal-tool-ocp-sdk 1.0.0-beta.1 → 1.0.0-beta.10

package/src/logging/ToolLogger.ts

@@ -0,0 +1,292 @@
+import { logger, LogVisibility } from '@zaiusinc/app-sdk';
+import * as App from '@zaiusinc/app-sdk';
+
+const MAX_PARAM_LOG_LENGTH = 128;
+const MAX_BODY_LOG_LENGTH = 256;
+const MAX_ARRAY_ITEMS = 2;
+
+/**
+ * Utility class for logging Opal tool requests and responses with security considerations
+ */
+export class ToolLogger {
+  private static readonly SENSITIVE_FIELDS = [
+    // Authentication / secrets
+    'password',
+    'pass',
+    'secret',
+    'key',
+    'token',
+    'auth',
+    'credentials',
+    'access_token',
+    'refresh_token',
+    'api_key',
+    'private_key',
+    'client_secret',
+    'session_token',
+    'authorization',
+
+    // Payment-related
+    'card_number',
+    'credit_card',
+    'cvv',
+    'expiry_date',
+
+    // Personal info
+    'ssn', // social security number
+    'nid', // national ID
+    'passport',
+    'dob', // date of birth
+    'email',
+    'phone',
+    'address',
+
+    // Misc / environment
+    'otp',
+    'pin',
+    'security_answer',
+    'security_question',
+    'signing_key',
+    'encryption_key',
+    'jwt',
+    'bearer_token'
+  ];
+
+  /**
+   * Redacts sensitive data from an object
+   */
+  private static redactSensitiveDataAndTruncate(data: any, maxDepth = 5, accumulatedLength = 0): any {
+    if (accumulatedLength > MAX_BODY_LOG_LENGTH) {
+      return '';
+    }
+    if (maxDepth <= 0) {
+      return '[MAX_DEPTH_EXCEEDED]';
+    }
+
+    if (data === null || data === undefined) {
+      return data;
+    }
+
+    if (typeof data === 'string') {
+      if (data.length > MAX_PARAM_LOG_LENGTH) {
+        const lead = data.substring(0, MAX_PARAM_LOG_LENGTH - 10);
+        const tail = data.substring(data.length - 10);
+        return `${lead}...[${data.length - MAX_PARAM_LOG_LENGTH} truncated]...${tail}`;
+      } else {
+        return data;
+      }
+    }
+
+    if (typeof data === 'number' || typeof data === 'boolean') {
+      return data;
+    }
+
+    if (Array.isArray(data)) {
+      const truncated = data.slice(0, MAX_ARRAY_ITEMS);
+      const result = truncated.map((item) => this.redactSensitiveDataAndTruncate(item, maxDepth, accumulatedLength));
+      if (data.length > MAX_ARRAY_ITEMS) {
+        result.push(`... (${data.length - MAX_ARRAY_ITEMS} more items truncated)`);
+      }
+      return result;
+    }
+
+    if (typeof data === 'object') {
+      const result: any = {};
+      for (const [key, value] of Object.entries(data)) {
+        if (accumulatedLength > MAX_BODY_LOG_LENGTH) {
+          break;
+        }
+        // Check if this field contains sensitive data
+        const isSensitive = this.isSensitiveField(key);
+
+        if (isSensitive) {
+          result[key] = '[REDACTED]';
+        } else {
+          result[key] = this.redactSensitiveDataAndTruncate(value, maxDepth - 1, accumulatedLength);
+        }
+
+        if (result[key]) {
+          accumulatedLength += JSON.stringify(result[key]).length;
+        }
+      }
+      return result;
+    }
+
+    return data;
+  }
+
+  /**
+   * Checks if a field name is considered sensitive
+   */
+  private static isSensitiveField(fieldName: string): boolean {
+    const lowerKey = fieldName.toLowerCase();
+    return this.SENSITIVE_FIELDS.some((sensitiveField) =>
+      lowerKey.includes(sensitiveField)
+    );
+  }
+
+  /**
+   * Creates a summary of request parameters
+   */
+  private static createParameterSummary(params: any): any {
+    if (!params) {
+      return null;
+    }
+
+    return this.redactSensitiveDataAndTruncate(params);
+  }
+
+  /**
+   * Calculates content length of response data
+   */
+  private static calculateContentLength(response?: App.Response) {
+    if (!response) {
+      return 0;
+    }
+
+    try {
+      return response.bodyAsU8Array?.length || 'unknown';
+    } catch {
+      return 'unknown';
+    }
+  }
+
+  /**
+   * Extracts the response body as a string or parsed JSON object
+   */
+  private static getResponseBody(response?: App.Response): any {
+    if (!response) {
+      return null;
+    }
+
+    try {
+      const contentType = response.headers?.get('content-type') || '';
+      const isJson = contentType.includes('application/json') || contentType.includes('application/problem+json');
+      const isText = contentType.startsWith('text/');
+
+      if (!isJson && !isText) {
+        return null;
+      }
+
+      // Try to access bodyAsU8Array - this may throw
+      const bodyData = response.bodyAsU8Array;
+      if (!bodyData) {
+        return null;
+      }
+
+      // Convert Uint8Array to string
+      const bodyString = Buffer.from(bodyData).toString();
+      if (!bodyString) {
+        return null;
+      }
+
+      // Try to parse as JSON if content-type indicates JSON
+      if (isJson) {
+        try {
+          return JSON.parse(bodyString);
+        } catch {
+          // If JSON parsing fails, return as string
+          return bodyString;
+        }
+      }
+
+      // Return as plain text for non-JSON content types
+      return bodyString;
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Creates a summary of response body with security redaction and truncation
+   * For failed responses (4xx, 5xx): returns full body with redacted sensitive data
+   * For successful responses (2xx): returns first 100 chars with redacted sensitive data
+   */
+  private static createResponseBodySummary(response?: App.Response, success?: boolean): any {
+    const body = this.getResponseBody(response);
+    if (body === null || body === undefined) {
+      return null;
+    }
+
+    // For objects (parsed JSON), apply redaction
+    if (typeof body === 'object') {
+      // For failed responses, don't truncate strings within the object
+      const redactedBody = this.redactSensitiveDataAndTruncate(body, 5);
+
+      // For successful responses, truncate to first MAX_BODY_LOG_LENGTH chars
+      if (success) {
+        const bodyString = JSON.stringify(redactedBody);
+        if (bodyString.length > MAX_BODY_LOG_LENGTH) {
+          const truncated = bodyString.substring(0, MAX_BODY_LOG_LENGTH);
+          return `${truncated}... (truncated)`;
+        }
+        return redactedBody;
+      }
+
+      // For failed responses, return full redacted body
+      return redactedBody;
+    }
+
+    // For strings (plain text or unparseable JSON)
+    if (typeof body === 'string') {
+      // For successful responses, truncate to first 100 chars
+      if (success) {
+        if (body.length > MAX_BODY_LOG_LENGTH) {
+          return `${body.substring(0, MAX_BODY_LOG_LENGTH)}... (truncated)`;
+        }
+        return body;
+      }
+
+      // For failed responses, return full body
+      return body;
+    }
+
+    return body;
+  }
+
+  /**
+   * Logs an incoming request
+   */
+  public static logRequest(
+    req: App.Request,
+  ): void {
+    const params = req.bodyJSON && req.bodyJSON.parameters ? req.bodyJSON.parameters : req.bodyJSON;
+    const requestLog = {
+      event: 'opal_tool_request',
+      path: req.path,
+      method: req.method,
+      parameters: this.createParameterSummary(params)
+    };
+
+    // Log with Zaius audience so developers only see requests for accounts they have access to
+    logger.info(LogVisibility.Zaius, JSON.stringify(requestLog));
+  }
+
+  /**
+   * Logs a successful response
+   */
+  public static logResponse(
+    req: App.Request,
+    response: App.Response,
+    processingTimeMs?: number
+  ): void {
+    const success = response.status >= 200 && response.status < 300;
+    const responseLog: any = {
+      event: 'opal_tool_response',
+      path: req.path,
+      duration: processingTimeMs ? `${processingTimeMs}ms` : undefined,
+      status: response.status,
+      contentType: response.headers?.get('content-type') || 'unknown',
+      contentLength: this.calculateContentLength(response),
+      success
+    };
+
+    const responseBodySummary = this.createResponseBodySummary(response, success);
+    if (responseBodySummary) {
+      responseLog.responseBody = responseBodySummary;
+    }
+
+    // Log with Zaius audience so developers only see requests for accounts they have access to
+    logger.info(LogVisibility.Zaius, JSON.stringify(responseLog));
+  }
+}