Implement TRACE-level logging utilities and safe serialization for sensitive data

Author: oto-macenauer-absa

src/event_gate_lambda.py

@@ -22,32 +22,24 @@
 import sys
 from typing import Any, Dict
 
-import urllib3
-
 import boto3
 import jwt
 import requests
+import urllib3
+from cryptography.exceptions import UnsupportedAlgorithm
 from cryptography.hazmat.primitives import serialization
 from jsonschema import validate
 from jsonschema.exceptions import ValidationError
 
-# Added explicit import for serialization-related exceptions
-try:  # pragma: no cover - import guard
-    from cryptography.exceptions import UnsupportedAlgorithm  # type: ignore
-except Exception:  # pragma: no cover - very defensive
-    UnsupportedAlgorithm = Exception  # type: ignore
-
 # Import writer modules with explicit ImportError fallback
 try:
-    from . import writer_eventbridge, writer_kafka, writer_postgres
+    from . import writer_eventbridge
+    from . import writer_kafka
+    from . import writer_postgres
 except ImportError:  # fallback when executed outside package context
-    import writer_eventbridge, writer_kafka, writer_postgres  # type: ignore[no-redef]
-
-# Register custom TRACE level before using LOG_LEVEL env var
-try:
-    from .logging_levels import TRACE_LEVEL  # noqa: F401
-except Exception:  # pragma: no cover - defensive
-    TRACE_LEVEL = 5  # type: ignore
+    import writer_eventbridge  # type: ignore[no-redef]
+    import writer_kafka  # type: ignore[no-redef]
+    import writer_postgres  # type: ignore[no-redef]
 
 # Import configuration directory symbols with explicit ImportError fallback
 try:

src/logging_levels.py

@@ -13,6 +13,14 @@
     logging.addLevelName(TRACE_LEVEL, "TRACE")
 
     def trace(self: logging.Logger, message: str, *args, **kws):  # type: ignore[override]
+        """Log a message with TRACE level.
+
+        Args:
+            self: Logger instance.
+            message: Log message format string.
+            *args: Positional arguments for message formatting.
+            **kws: Keyword arguments passed to _log.
+        """
         if self.isEnabledFor(TRACE_LEVEL):
             self._log(TRACE_LEVEL, message, args, **kws)  # pylint: disable=protected-access
 

src/safe_serialization.py

@@ -0,0 +1,87 @@
+#
+# Copyright 2025 ABSA Group Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+"""Safe serialization utilities for logging.
+
+Provides PII-safe, size-bounded JSON serialization for TRACE logging.
+"""
+
+import json
+import os
+from typing import Any, List, Set
+
+
+def _redact_sensitive_keys(obj: Any, redact_keys: Set[str]) -> Any:
+    """Recursively redact sensitive keys from nested structures.
+
+    Args:
+        obj: Object to redact (dict, list, or scalar).
+        redact_keys: Set of key names to redact (case-insensitive).
+
+    Returns:
+        Copy of obj with sensitive values replaced by "***REDACTED***".
+    """
+    if isinstance(obj, dict):
+        return {
+            k: "***REDACTED***" if k.lower() in redact_keys else _redact_sensitive_keys(v, redact_keys)
+            for k, v in obj.items()
+        }
+    if isinstance(obj, list):
+        return [_redact_sensitive_keys(item, redact_keys) for item in obj]
+    return obj
+
+
+def safe_serialize_for_log(message: Any, redact_keys: List[str] | None = None, max_bytes: int | None = None) -> str:
+    """Safely serialize a message for logging with redaction and size capping.
+
+    Args:
+        message: Object to serialize (typically a dict).
+        redact_keys: List of key names to redact (case-insensitive). If None, uses env TRACE_REDACT_KEYS.
+        max_bytes: Maximum serialized output size in bytes. If None, uses env TRACE_MAX_BYTES (default 10000).
+
+    Returns:
+        JSON string (redacted and truncated if needed), or empty string on serialization error.
+    """
+    # Apply configuration defaults
+    if redact_keys is None:
+        redact_keys_str = os.environ.get("TRACE_REDACT_KEYS", "password,secret,token,key,apikey,api_key")
+        redact_keys = [k.strip() for k in redact_keys_str.split(",") if k.strip()]
+    if max_bytes is None:
+        max_bytes = int(os.environ.get("TRACE_MAX_BYTES", "10000"))
+
+    # Normalize to case-insensitive set
+    redact_set = {k.lower() for k in redact_keys}
+
+    try:
+        # Redact sensitive keys
+        redacted = _redact_sensitive_keys(message, redact_set)
+        # Serialize with minimal whitespace
+        serialized = json.dumps(redacted, separators=(",", ":"))
+        # Truncate if needed
+        if len(serialized.encode("utf-8")) > max_bytes:
+            # Binary truncate to max_bytes and append marker
+            truncated_bytes = serialized.encode("utf-8")[:max_bytes]
+            # Ensure we don't break mid-multibyte character
+            try:
+                return truncated_bytes.decode("utf-8", errors="ignore") + "..."
+            except UnicodeDecodeError:  # pragma: no cover - defensive
+                return ""
+        return serialized
+    except (TypeError, ValueError, OverflowError):  # pragma: no cover - catch serialization errors
+        return ""
+
+
+__all__ = ["safe_serialize_for_log"]

src/trace_logging.py

@@ -0,0 +1,51 @@
+#
+# Copyright 2025 ABSA Group Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+"""Trace-level logging utilities.
+
+Provides reusable TRACE-level payload logging for writer modules.
+"""
+
+import logging
+from typing import Any, Dict
+
+from .logging_levels import TRACE_LEVEL
+from .safe_serialization import safe_serialize_for_log
+
+
+def log_payload_at_trace(logger: logging.Logger, writer_name: str, topic_name: str, message: Dict[str, Any]) -> None:
+    """Log message payload at TRACE level with safe serialization.
+
+    Args:
+        logger: Logger instance to use for logging.
+        writer_name: Name of the writer (e.g., "EventBridge", "Kafka", "Postgres").
+        topic_name: Topic name being written to.
+        message: Message payload to log.
+    """
+    if not logger.isEnabledFor(TRACE_LEVEL):
+        return
+
+    try:
+        safe_payload = safe_serialize_for_log(message)
+        if safe_payload:
+            logger.trace(  # type: ignore[attr-defined]
+                "%s payload topic=%s payload=%s", writer_name, topic_name, safe_payload
+            )
+    except (TypeError, ValueError):  # pragma: no cover - defensive serialization guard
+        logger.trace("%s payload topic=%s <unserializable>", writer_name, topic_name)  # type: ignore[attr-defined]
+
+
+__all__ = ["log_payload_at_trace"]

src/writer_eventbridge.py

@@ -26,9 +26,7 @@
 import boto3
 from botocore.exceptions import BotoCoreError, ClientError
 
-# Ensure TRACE level is registered
-from . import logging_levels  # noqa: F401
-from .logging_levels import TRACE_LEVEL
+from .trace_logging import log_payload_at_trace
 
 STATE: Dict[str, Any] = {"logger": logging.getLogger(__name__), "event_bus_arn": "", "client": None}
 
@@ -72,14 +70,7 @@ def write(topic_name: str, message: Dict[str, Any]) -> Tuple[bool, Optional[str]
         logger.debug("EventBridge client not initialized - skipping")
         return True, None
 
-    # TRACE-level payload logging
-    if logger.isEnabledFor(TRACE_LEVEL):
-        try:
-            logger.trace(  # type: ignore[attr-defined]
-                "EventBridge payload topic=%s payload=%s", topic_name, json.dumps(message, separators=(",", ":"))
-            )
-        except Exception:  # pragma: no cover - defensive serialization guard
-            logger.trace("EventBridge payload topic=%s <unserializable>", topic_name)  # type: ignore[attr-defined]
+    log_payload_at_trace(logger, "EventBridge", topic_name, message)
 
     try:
         logger.debug("Sending to eventBridge %s", topic_name)

src/writer_kafka.py

@@ -26,8 +26,7 @@
 
 from confluent_kafka import Producer
 
-# Add TRACE level import
-from .logging_levels import TRACE_LEVEL  # type: ignore
+from .trace_logging import log_payload_at_trace
 
 try:  # KafkaException may not exist in stubbed test module
     from confluent_kafka import KafkaException  # type: ignore
@@ -94,14 +93,7 @@ def write(topic_name: str, message: Dict[str, Any]) -> Tuple[bool, Optional[str]
         logger.debug("Kafka producer not initialized - skipping")
         return True, None
 
-    # TRACE-level payload logging prior to produce
-    if logger.isEnabledFor(TRACE_LEVEL):
-        try:
-            logger.trace(  # type: ignore[attr-defined]
-                "Kafka payload topic=%s payload=%s", topic_name, json.dumps(message, separators=(",", ":"))
-            )
-        except Exception:  # pragma: no cover - defensive
-            logger.trace("Kafka payload topic=%s <unserializable>", topic_name)  # type: ignore[attr-defined]
+    log_payload_at_trace(logger, "Kafka", topic_name, message)
 
     errors: list[Any] = []
     try:

src/writer_postgres.py

@@ -31,8 +31,7 @@
 except ImportError:  # pragma: no cover - environment without psycopg2
     psycopg2 = None  # type: ignore
 
-# Ensure TRACE level is registered
-from .logging_levels import TRACE_LEVEL  # type: ignore
+from .trace_logging import log_payload_at_trace
 
 # Define a unified psycopg2 error base for safe exception handling even if psycopg2 missing
 if psycopg2 is not None:  # type: ignore
@@ -274,14 +273,7 @@ def write(topic_name: str, message: Dict[str, Any]) -> Tuple[bool, Optional[str]
             _logger.debug("psycopg2 not available - skipping actual Postgres write")
             return True, None
 
-        # TRACE-level payload logging (only when we intend to write)
-        if _logger.isEnabledFor(TRACE_LEVEL):
-            try:
-                _logger.trace(  # type: ignore[attr-defined]
-                    "Postgres payload topic=%s payload=%s", topic_name, json.dumps(message, separators=(",", ":"))
-                )
-            except Exception:  # pragma: no cover - defensive
-                _logger.trace("Postgres payload topic=%s <unserializable>", topic_name)  # type: ignore[attr-defined]
+        log_payload_at_trace(_logger, "Postgres", topic_name, message)
 
         with psycopg2.connect(  # type: ignore[attr-defined]
             database=POSTGRES["database"],