Add option to exclude properties from masking

Author: sandermvanvliet

CHANGELOG

@@ -3,6 +3,7 @@
 ## 1.3.0
 
 - Add the default enricher logo to package [#5](https://github.com/serilog-contrib/Serilog.Enrichers.Sensitive/issues/5)
+- Add option to exclude properties from masking [#9](https://github.com/serilog-contrib/Serilog.Enrichers.Sensitive/issues/9)
 
 ## 1.2.0
 

README.md

@@ -133,6 +133,28 @@ logger.Information("This is a sensitive {Email}", "this doesn't match the regex
 
 the rendered log message comes out as: `"This is a sensitive ***MASKED***"`
 
+## Never mask a property
+
+It may be that you never want to mask the value of a property regardless of whether it matches a pattern for any of the masking operators. In that case you can specify that the property is never masked:
+
+```csharp
+var logger = new LoggerConfiguration()
+    .Enrich.WithSensitiveDataMasking(options => options.ExcludeProperties.Add("email"))
+    .WriteTo.Console()
+    .CreateLogger();
+```
+
+> **Note:** The property names are treated case-insensitive. If you specify `EMAIL` and the property name is `eMaIL` it will still be excluded.
+
+When you log any message with an `email` property it will not be masked:
+
+```csharp
+logger.Information("This is a sensitive {Email}", "[email protected]");
+```
+
+the rendered log message comes out as: `"This is a sensitive [email protected]"`
+
+
 ## Extending to additional use cases
 
 Depending on the type of masking operation you want to perform, the `RegexMaskingOperator` base class is most likely your best starting point. It provides a number of extension points:

src/Serilog.Enrichers.Sensitive/SensitiveDataEnricher.cs

@@ -19,6 +19,7 @@ internal class SensitiveDataEnricher : ILogEventEnricher
         private readonly List<IMaskingOperator> _maskingOperators;
         private readonly string _maskValue;
         private readonly List<string> _maskProperties;
+        private readonly List<string> _excludeProperties;
 
         public SensitiveDataEnricher(
             Action<SensitiveDataEnricherOptions> options)
@@ -38,6 +39,7 @@ public SensitiveDataEnricher(
             _maskingMode = enricherOptions.Mode;
             _maskValue = enricherOptions.MaskValue;
             _maskProperties = enricherOptions.MaskProperties ?? new List<string>();
+            _excludeProperties = enricherOptions.ExcludeProperties ?? new List<string>();
 
             var fields = typeof(LogEvent).GetFields(BindingFlags.Instance | BindingFlags.NonPublic);
 
@@ -69,6 +71,11 @@ public void Enrich(LogEvent logEvent, ILogEventPropertyFactory propertyFactory)
 
                 foreach (var property in logEvent.Properties.ToList())
                 {
+                    if (_excludeProperties.Contains(property.Key, StringComparer.InvariantCultureIgnoreCase))
+                    {
+                        continue;
+                    }
+
                     if (_maskProperties.Contains(property.Key, StringComparer.InvariantCultureIgnoreCase))
                     {
                         logEvent.AddOrUpdateProperty(

src/Serilog.Enrichers.Sensitive/SensitiveDataEnricherOptions.cs

@@ -23,5 +23,13 @@ public class SensitiveDataEnricherOptions
         /// </summary>
         /// <remarks>The property name is case-insensitive, when the property is present on the log message it will always be masked even if it is empty</remarks>
         public List<string> MaskProperties { get; set; } = new List<string>();
+        /// <summary>
+        /// The list of properties that should never be masked
+        /// </summary>
+        /// <remarks>
+        /// <para>The property name is case-insensitive, when the property is present on the log message it will always be masked even if it is empty.</para>
+        /// <para>This property takes precedence over <see cref="MaskProperties"/> and the masking operators.</para>
+        /// </remarks>
+        public List<string> ExcludeProperties { get; set; } = new List<string>();
     }
 }

test/Serilog.Enrichers.Sensitive.Tests.Unit/WhenMaskingSensitiveDataBasedOnPropertyName.cs

@@ -53,5 +53,54 @@ public void GivenLogMessageHasSpecificPropertyAndLogMessageHasPropertyButLowerCa
                 .WithProperty("email")
                 .WithValue("***MASKED***");
         }
+
+        [Fact]
+        public void GivenLogMessageHasSpecificPropertyAndPropertyIsExcluded_PropertyValueIsNotMasked()
+        {
+            var inMemorySink = new InMemorySink();
+
+            var logger =  new LoggerConfiguration()
+                .Enrich.WithSensitiveDataMasking(options =>
+                {
+                    options.ExcludeProperties.Add("Email");
+                })
+                .WriteTo.Sink(inMemorySink)
+                .CreateLogger();
+
+            logger.Information("Example {email}", "[email protected]");
+
+            inMemorySink
+                .Should()
+                .HaveMessage("Example {email}")
+                .Appearing()
+                .Once()
+                .WithProperty("email")
+                .WithValue("[email protected]");
+        }
+
+        [Fact]
+        public void GivenLogMessageHasSpecificPropertyAndPropertyIsExcludedAndAlsoIncluded_PropertyValueIsNotMasked()
+        {
+            var inMemorySink = new InMemorySink();
+
+            var logger =  new LoggerConfiguration()
+                .Enrich.WithSensitiveDataMasking(options =>
+                {
+                    options.MaskProperties.Add("Email");
+                    options.ExcludeProperties.Add("Email");
+                })
+                .WriteTo.Sink(inMemorySink)
+                .CreateLogger();
+
+            logger.Information("Example {email}", "[email protected]");
+
+            inMemorySink
+                .Should()
+                .HaveMessage("Example {email}")
+                .Appearing()
+                .Once()
+                .WithProperty("email")
+                .WithValue("[email protected]");
+        }
     }
 }