elven-logs-interceptor-python 0.1.13__tar.gz → 0.1.15__tar.gz

{elven_logs_interceptor_python-0.1.13 → elven_logs_interceptor_python-0.1.15}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: elven-logs-interceptor-python
-Version: 0.1.13
+Version: 0.1.15
 Summary: Production-grade logs interceptor for Python with Loki transport, resilience, batching, and framework integrations.
 Author: Elven Observability
 License: MIT
@@ -124,8 +124,11 @@ logging.getLogger(__name__).info(
 Supported aliases: `warning(...)`, `exception(...)` and `critical(...)`.
 
 Sensitive fields such as `cpf`, `password`, `token` and `authorization` are
-redacted by default. Set `LOGS_FILTER_SANITIZE=false` only when raw sensitive
-data is explicitly required and approved.
+redacted by default. In messages, the library redacts only the sensitive
+fragment/value and preserves the rest of the log. In structured context,
+sensitive keys redact the full value. Set `LOGS_FILTER_SANITIZE=false`,
+`LOGS_SANITIZE=false`, or `UO_LOGS_SANITIZE=false` only when raw sensitive data
+is explicitly required and approved.
 
 ## Environment Variables
 
@@ -139,10 +142,13 @@ Required for direct Loki mode:
 - `LOGS_APP_NAME`
 
 For collector-first mode, set `LOGS_EXPORTER=otlp` (or `collector`) and use
-`OTEL_EXPORTER_OTLP_LOGS_ENDPOINT`. In this mode `LOGS_URL`, `LOKI_URL`,
-`LOGS_TENANT` and `LOGS_TOKEN` are not required by the library. `LOGS_URL` is
-intentionally ignored in collector mode to avoid accidentally posting OTLP logs
-to a direct Loki `/loki/api/v1/push` endpoint. Put tenant or auth headers in
+`OTEL_EXPORTER_OTLP_LOGS_ENDPOINT`. If the explicit logs endpoint is missing,
+the library derives `/v1/logs` from `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT`,
+`OTEL_EXPORTER_OTLP_METRICS_ENDPOINT`, or `OTEL_EXPORTER_OTLP_ENDPOINT`.
+In this mode `LOGS_URL`, `LOKI_URL`, `LOGS_TENANT` and `LOGS_TOKEN` are not
+required by the library. `LOGS_URL` is intentionally ignored in collector mode
+to avoid accidentally posting OTLP logs to a direct Loki `/loki/api/v1/push`
+endpoint. Put tenant or auth headers in
 `OTEL_EXPORTER_OTLP_HEADERS`/`LOGS_OTLP_HEADERS` if your collector gateway
 requires them.
 
@@ -182,7 +188,7 @@ Filter:
 
 - `LOGS_FILTER_LEVELS`
 - `LOGS_FILTER_SAMPLING_RATE`
-- `LOGS_FILTER_SANITIZE`
+- `LOGS_FILTER_SANITIZE` (aliases: `LOGS_SANITIZE`, `UO_LOGS_SANITIZE`)
 - `LOGS_FILTER_MAX_MESSAGE_LENGTH`
 - `LOGS_FILTER_EXCLUDE_LOGGER_PREFIXES` (comma-separated)
 

{elven_logs_interceptor_python-0.1.13 → elven_logs_interceptor_python-0.1.15}/README.md

@@ -63,8 +63,11 @@ logging.getLogger(__name__).info(
 Supported aliases: `warning(...)`, `exception(...)` and `critical(...)`.
 
 Sensitive fields such as `cpf`, `password`, `token` and `authorization` are
-redacted by default. Set `LOGS_FILTER_SANITIZE=false` only when raw sensitive
-data is explicitly required and approved.
+redacted by default. In messages, the library redacts only the sensitive
+fragment/value and preserves the rest of the log. In structured context,
+sensitive keys redact the full value. Set `LOGS_FILTER_SANITIZE=false`,
+`LOGS_SANITIZE=false`, or `UO_LOGS_SANITIZE=false` only when raw sensitive data
+is explicitly required and approved.
 
 ## Environment Variables
 
@@ -78,10 +81,13 @@ Required for direct Loki mode:
 - `LOGS_APP_NAME`
 
 For collector-first mode, set `LOGS_EXPORTER=otlp` (or `collector`) and use
-`OTEL_EXPORTER_OTLP_LOGS_ENDPOINT`. In this mode `LOGS_URL`, `LOKI_URL`,
-`LOGS_TENANT` and `LOGS_TOKEN` are not required by the library. `LOGS_URL` is
-intentionally ignored in collector mode to avoid accidentally posting OTLP logs
-to a direct Loki `/loki/api/v1/push` endpoint. Put tenant or auth headers in
+`OTEL_EXPORTER_OTLP_LOGS_ENDPOINT`. If the explicit logs endpoint is missing,
+the library derives `/v1/logs` from `OTEL_EXPORTER_OTLP_TRACES_ENDPOINT`,
+`OTEL_EXPORTER_OTLP_METRICS_ENDPOINT`, or `OTEL_EXPORTER_OTLP_ENDPOINT`.
+In this mode `LOGS_URL`, `LOKI_URL`, `LOGS_TENANT` and `LOGS_TOKEN` are not
+required by the library. `LOGS_URL` is intentionally ignored in collector mode
+to avoid accidentally posting OTLP logs to a direct Loki `/loki/api/v1/push`
+endpoint. Put tenant or auth headers in
 `OTEL_EXPORTER_OTLP_HEADERS`/`LOGS_OTLP_HEADERS` if your collector gateway
 requires them.
 
@@ -121,7 +127,7 @@ Filter:
 
 - `LOGS_FILTER_LEVELS`
 - `LOGS_FILTER_SAMPLING_RATE`
-- `LOGS_FILTER_SANITIZE`
+- `LOGS_FILTER_SANITIZE` (aliases: `LOGS_SANITIZE`, `UO_LOGS_SANITIZE`)
 - `LOGS_FILTER_MAX_MESSAGE_LENGTH`
 - `LOGS_FILTER_EXCLUDE_LOGGER_PREFIXES` (comma-separated)
 

{elven_logs_interceptor_python-0.1.13 → elven_logs_interceptor_python-0.1.15}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "elven-logs-interceptor-python"
-version = "0.1.13"
+version = "0.1.15"
 description = "Production-grade logs interceptor for Python with Loki transport, resilience, batching, and framework integrations."
 readme = "README.md"
 requires-python = ">=3.10"

{elven_logs_interceptor_python-0.1.13 → elven_logs_interceptor_python-0.1.15}/src/logs_interceptor/infrastructure/filter/log_filter.py

@@ -5,7 +5,7 @@ import re
 from ...config import ResolvedFilterConfig
 from ...domain.entities import LogEntryEntity
 from ...types import LogLevel
-from ...utils import detect_sensitive_data, sanitize_data, should_sample
+from ...utils import redact_sensitive_text, sanitize_data, should_sample
 
 
 class LogFilter:
@@ -35,8 +35,8 @@ class LogFilter:
         if self._config.sanitize and context is not None:
             context = sanitize_data(context, self._config.sensitive_patterns)
 
-        if self._config.sanitize and detect_sensitive_data(message, self._config.sensitive_patterns):
-            message = "[REDACTED]"
+        if self._config.sanitize:
+            message = redact_sensitive_text(message, self._config.sensitive_patterns)
 
         return LogEntryEntity(
             id=entry.id,

{elven_logs_interceptor_python-0.1.13 → elven_logs_interceptor_python-0.1.15}/src/logs_interceptor/utils.py

@@ -82,6 +82,17 @@ def _normalize_logs_exporter(value: str | None) -> str:
     return "loki"
 
 
+def _resolve_logs_exporter(env: Mapping[str, str]) -> str:
+    explicit = env.get("LOGS_EXPORTER") or env.get("LOGS_TRANSPORT") or env.get("OTEL_LOGS_EXPORTER")
+    if explicit:
+        return _normalize_logs_exporter(explicit)
+    if env.get("LOGS_URL"):
+        return "loki"
+    if _resolve_otlp_logs_url(env):
+        return "otlp"
+    return "loki"
+
+
 def _parse_kv_csv(raw: str | None) -> dict[str, str]:
     headers: dict[str, str] = {}
     if not raw:
@@ -99,7 +110,29 @@ def _parse_kv_csv(raw: str | None) -> dict[str, str]:
 def _resolve_logs_url(env: Mapping[str, str], exporter: str) -> str:
     if exporter != "otlp":
         return env.get("LOGS_URL", "")
-    return env.get("OTEL_EXPORTER_OTLP_LOGS_ENDPOINT", "")
+    return _resolve_otlp_logs_url(env)
+
+
+def _resolve_otlp_logs_url(env: Mapping[str, str]) -> str:
+    return (
+        env.get("OTEL_EXPORTER_OTLP_LOGS_ENDPOINT")
+        or _derive_otlp_logs_endpoint(
+            env.get("OTEL_EXPORTER_OTLP_TRACES_ENDPOINT")
+            or env.get("OTEL_EXPORTER_OTLP_METRICS_ENDPOINT")
+            or env.get("OTEL_EXPORTER_OTLP_ENDPOINT")
+        )
+    )
+
+
+def _derive_otlp_logs_endpoint(endpoint: str | None) -> str:
+    if not endpoint:
+        return ""
+    normalized = endpoint.rstrip("/")
+    if normalized.endswith("/v1/logs"):
+        return normalized
+    if normalized.endswith("/v1/traces") or normalized.endswith("/v1/metrics"):
+        return normalized.rsplit("/", 1)[0] + "/logs"
+    return normalized + "/v1/logs"
 
 
 def is_debug_enabled() -> bool:
@@ -359,6 +392,87 @@ def detect_sensitive_data(text: str, patterns: Iterable[str]) -> bool:
     return any(pattern.search(text) for pattern in common_patterns)
 
 
+def redact_sensitive_text(text: str, sensitive_patterns: Iterable[str]) -> str:
+    """Redact sensitive values while preserving the surrounding log message."""
+    patterns = list(sensitive_patterns)
+    redacted = text
+
+    for pattern in patterns:
+        redacted = _redact_key_value_pattern(redacted, pattern)
+
+    common_replacements: tuple[tuple[re.Pattern[str], str], ...] = (
+        (
+            re.compile(r"(Bearer)\s+[A-Za-z0-9\-._~+/=]+", re.IGNORECASE),
+            r"\1 [REDACTED]",
+        ),
+        (
+            re.compile(r"(Basic)\s+[A-Za-z0-9+/=]+", re.IGNORECASE),
+            r"\1 [REDACTED]",
+        ),
+        (
+            re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
+            "[REDACTED]",
+        ),
+        (
+            re.compile(r"\b(?:\d{4}[-\s]?){3}\d{4}\b"),
+            "[REDACTED]",
+        ),
+        (
+            re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
+            "[REDACTED]",
+        ),
+        (
+            re.compile(r"\b\d{3}\.\d{3}\.\d{3}-\d{2}\b"),
+            "[REDACTED]",
+        ),
+    )
+    for common_pattern, replacement in common_replacements:
+        redacted = common_pattern.sub(replacement, redacted)
+
+    for pattern in patterns:
+        if _looks_like_value_pattern(pattern):
+            redacted = re.sub(pattern, "[REDACTED]", redacted, flags=re.IGNORECASE)
+
+    return redacted
+
+
+def _redact_key_value_pattern(text: str, key_pattern: str) -> str:
+    quoted = re.compile(
+        rf"(?P<prefix>(?:[\"']?{key_pattern}[\"']?)\s*[:=]\s*)(?P<quote>[\"'])(?P<value>.*?)(?P=quote)",
+        re.IGNORECASE,
+    )
+    redacted = quoted.sub(r"\g<prefix>\g<quote>[REDACTED]\g<quote>", text)
+
+    unquoted = re.compile(
+        rf"(?P<prefix>(?:[\"']?{key_pattern}[\"']?)\s*[:=]\s*)(?P<value>[^\s,;&}}\]\"']+)",
+        re.IGNORECASE,
+    )
+
+    def _replace_unquoted(match: re.Match[str]) -> str:
+        value = match.group("value")
+        if value.lower() in {"bearer", "basic"} or value == "[REDACTED]":
+            return match.group(0)
+        return f"{match.group('prefix')}[REDACTED]"
+
+    redacted = unquoted.sub(_replace_unquoted, redacted)
+
+    query = re.compile(
+        rf"(?P<prefix>[?&](?:{key_pattern})=)(?P<value>[^&#\s]+)",
+        re.IGNORECASE,
+    )
+    return query.sub(r"\g<prefix>[REDACTED]", redacted)
+
+
+def _looks_like_value_pattern(pattern: str) -> bool:
+    # Plain words such as "token" and "password" are key indicators by default;
+    # redacting those words directly would destroy harmless messages like
+    # "Gerando token de acesso". Regex-looking patterns are treated as values.
+    keyish_terms = r"password|token|secret|api|key|authorization|credit|card|ssn|cpf"
+    if re.search(keyish_terms, pattern, re.IGNORECASE):
+        return False
+    return bool(re.search(r"\\d|\[0-9|\{\d|[\^$]", pattern))
+
+
 def sanitize_data(
     data: dict[str, Any],
     sensitive_patterns: Iterable[str],
@@ -382,16 +496,14 @@ def sanitize_data(
             continue
 
         if isinstance(value, str):
-            sanitized[key] = "[REDACTED]" if detect_sensitive_data(value, sensitive_patterns) else value
+            sanitized[key] = redact_sensitive_text(value, sensitive_patterns)
             continue
 
         if isinstance(value, list):
             transformed: list[Any] = []
             for item in value:
                 if isinstance(item, str):
-                    transformed.append(
-                        "[REDACTED]" if detect_sensitive_data(item, sensitive_patterns) else item
-                    )
+                    transformed.append(redact_sensitive_text(item, sensitive_patterns))
                 elif isinstance(item, dict):
                     transformed.append(sanitize_data(item, sensitive_patterns, seen))
                 else:
@@ -534,9 +646,7 @@ def load_config_from_env() -> LogsInterceptorConfig:
     if compression_value not in {"none", "gzip", "brotli", "snappy"}:
         compression_value = "gzip"
 
-    exporter = _normalize_logs_exporter(
-        env.get("LOGS_EXPORTER") or env.get("LOGS_TRANSPORT") or env.get("OTEL_LOGS_EXPORTER")
-    )
+    exporter = _resolve_logs_exporter(env)
     headers = {
         **_parse_kv_csv(env.get("LOGS_HEADERS")),
         **_parse_kv_csv(env.get("LOGS_OTLP_HEADERS")),
@@ -588,7 +698,12 @@ def load_config_from_env() -> LogsInterceptorConfig:
         filter=FilterConfig(
             levels=_env_levels(env.get("LOGS_FILTER_LEVELS")),
             sampling_rate=parse_float_range(env.get("LOGS_FILTER_SAMPLING_RATE"), 1.0, 0.0, 1.0),
-            sanitize=parse_bool(env.get("LOGS_FILTER_SANITIZE"), True),
+            sanitize=parse_bool(
+                env.get("LOGS_FILTER_SANITIZE")
+                or env.get("LOGS_SANITIZE")
+                or env.get("UO_LOGS_SANITIZE"),
+                True,
+            ),
             max_message_length=parse_int_range(
                 env.get("LOGS_FILTER_MAX_MESSAGE_LENGTH"), 8192, 64, 1_000_000
             ),