Add support to always mask a property

Author: sandermvanvliet

CHANGELOG

@@ -2,7 +2,8 @@
 
 ## 1.1.0
 
-- Add support to supply a custom mask value
+- Add support to supply a custom mask value [#6](https://github.com/serilog-contrib/Serilog.Enrichers.Sensitive/issues/6)
+- Add support to always mask a property regardless of value [#7](https://github.com/serilog-contrib/Serilog.Enrichers.Sensitive/issues/7)
 
 ## 1.0.0
 

README.md

@@ -101,7 +101,7 @@ In case the default mask value `***MASKED***` is not what you want, you can supp
 
 ```csharp
 var logger = new LoggerConfiguration()
-    .Enrich.WithSensitiveDataMasking(mask: "**")
+    .Enrich.WithSensitiveDataMasking(options => options.MaskValue = "**")
     .WriteTo.Console()
     .CreateLogger();
 ```
@@ -112,6 +112,27 @@ A example rendered message would then look like:
 
 You can specify any mask string as long as it's non-null or an empty string.
 
+## Always mask a property
+
+It may be that you always want to mask the value of a property regardless of whether it matches a pattern for any of the masking operators. In that case you can specify that the property is always masked:
+
+```csharp
+var logger = new LoggerConfiguration()
+    .Enrich.WithSensitiveDataMasking(options => options.MaskProperties.Add("email"))
+    .WriteTo.Console()
+    .CreateLogger();
+```
+
+> **Note:** The property names are treated case-insensitive. If you specify `EMAIL` and the property name is `eMaIL` it will still be masked.
+
+When you log any message with an `email` property it will be masked:
+
+```csharp
+logger.Information("This is a sensitive {Email}", "this doesn't match the regex at all");
+```
+
+the rendered log message comes out as: `"This is a sensitive ***MASKED***"`
+
 ## Extending to additional use cases
 
 Extending this enricher is a fairly straight forward process.

src/Serilog.Enrichers.Sensitive/ExtensionMethods.cs

@@ -43,5 +43,13 @@ public static LoggerConfiguration WithSensitiveDataMasking(
 	        return loggerConfiguration
 		        .With(new SensitiveDataEnricher(mode, operators, mask));
         }
+
+        public static LoggerConfiguration WithSensitiveDataMasking(
+            this LoggerEnrichmentConfiguration loggerConfiguration, 
+            Action<SensitiveDataEnricherOptions> options)
+        {
+            return loggerConfiguration
+                .With(new SensitiveDataEnricher(options));
+        }
     }
 }

src/Serilog.Enrichers.Sensitive/SensitiveDataEnricher.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Reflection;
+using System.Threading.Tasks;
 using Serilog.Core;
 using Serilog.Events;
 using Serilog.Parsing;
@@ -17,23 +18,45 @@ internal class SensitiveDataEnricher : ILogEventEnricher
         private readonly FieldInfo _messageTemplateBackingField;
         private readonly List<IMaskingOperator> _maskingOperators;
         private readonly string _maskValue;
+        private readonly List<string> _maskProperties;
 
-        public SensitiveDataEnricher(MaskingMode maskingMode, IEnumerable<IMaskingOperator> maskingOperators,
-            string mask = DefaultMaskValue)
+        public SensitiveDataEnricher(
+            Action<SensitiveDataEnricherOptions> options)
         {
-            if (string.IsNullOrEmpty(mask))
+            var enricherOptions = new SensitiveDataEnricherOptions();
+
+            if (options != null)
             {
-                throw new ArgumentNullException(nameof(mask), "The mask must be a non-empty string");
+                options(enricherOptions);
             }
 
-            _maskingMode = maskingMode;
-            _maskValue = mask;
+            if (string.IsNullOrEmpty(enricherOptions.MaskValue))
+            {
+                throw new ArgumentNullException("mask", "The mask must be a non-empty string");
+            }
+            
+            _maskingMode = enricherOptions.Mode;
+            _maskValue = enricherOptions.MaskValue;
+            _maskProperties = enricherOptions.MaskProperties ?? new List<string>();
 
             var fields = typeof(LogEvent).GetFields(BindingFlags.Instance | BindingFlags.NonPublic);
 
             _messageTemplateBackingField = fields.SingleOrDefault(f => f.Name.Contains("<MessageTemplate>"));
 
-            _maskingOperators = maskingOperators.ToList();
+            _maskingOperators = enricherOptions.MaskingOperators.ToList();
+        }
+
+        public SensitiveDataEnricher(
+            MaskingMode maskingMode, 
+            IEnumerable<IMaskingOperator> maskingOperators,
+            string mask = DefaultMaskValue)
+        : this(options =>
+        {
+            options.MaskValue = mask;
+            options.Mode = maskingMode;
+            options.MaskingOperators = maskingOperators.ToList();
+        })
+        {
         }
 
         public void Enrich(LogEvent logEvent, ILogEventPropertyFactory propertyFactory)
@@ -46,7 +69,14 @@ public void Enrich(LogEvent logEvent, ILogEventPropertyFactory propertyFactory)
 
                 foreach (var property in logEvent.Properties.ToList())
                 {
-                    if (property.Value is ScalarValue scalar && scalar.Value is string stringValue)
+                    if (_maskProperties.Contains(property.Key, StringComparer.InvariantCultureIgnoreCase))
+                    {
+                        logEvent.AddOrUpdateProperty(
+                            new LogEventProperty(
+                                property.Key,
+                                new ScalarValue(_maskValue)));
+                    }
+                    else if (property.Value is ScalarValue scalar && scalar.Value is string stringValue)
                     {
                         logEvent.AddOrUpdateProperty(
                             new LogEventProperty(

src/Serilog.Enrichers.Sensitive/SensitiveDataEnricherOptions.cs

@@ -0,0 +1,27 @@
+using System.Collections.Generic;
+using System.Linq;
+
+namespace Serilog.Enrichers.Sensitive
+{
+    public class SensitiveDataEnricherOptions
+    {
+        /// <summary>
+        /// Sets whether masking should happen for all log messages ('Globally') or only in sensitive areas ('SensitiveArea')
+        /// </summary>
+        public MaskingMode Mode { get; set; }
+        /// <summary>
+        /// The string that replaces the sensitive value, defaults to '***MASKED***'
+        /// </summary>
+        public string MaskValue { get; set; } = SensitiveDataEnricher.DefaultMaskValue;
+        /// <summary>
+        /// The list of masking operators that are available
+        /// </summary>
+        /// <remarks>By default this list contains <see cref="SensitiveDataEnricher.DefaultOperators"/>, if you want to have only your specific enricher(s) supply a new list instead of calling <c>Add()</c></remarks>
+        public List<IMaskingOperator> MaskingOperators { get; set; } = SensitiveDataEnricher.DefaultOperators.ToList();
+        /// <summary>
+        /// The list of properties that should always be masked regardless of whether they match the pattern of any of the masking operators
+        /// </summary>
+        /// <remarks>The property name is case-insensitive, when the property is present on the log message it will always be masked even if it is empty</remarks>
+        public List<string> MaskProperties { get; set; } = new List<string>();
+    }
+}

test/Serilog.Enrichers.Sensitive.Tests.Unit/WhenMaskingSensitiveDataBasedOnPropertyName.cs

@@ -0,0 +1,57 @@
+using Serilog.Sinks.InMemory;
+using Serilog.Sinks.InMemory.Assertions;
+using Xunit;
+
+namespace Serilog.Enrichers.Sensitive.Tests.Unit
+{
+    public class WhenMaskingSensitiveDataBasedOnPropertyName
+    {
+        [Fact]
+        public void GivenLogMessageHasSpecificProperty_PropertyValueIsMasked()
+        {
+            var inMemorySink = new InMemorySink();
+
+            var logger =  new LoggerConfiguration()
+                .Enrich.WithSensitiveDataMasking(options =>
+                {
+                    options.MaskProperties.Add("Email");
+                })
+                .WriteTo.Sink(inMemorySink)
+                .CreateLogger();
+
+            logger.Information("Example {Email}", "this doesn't match the e-mail regex");
+
+            inMemorySink
+                .Should()
+                .HaveMessage("Example {Email}")
+                .Appearing()
+                .Once()
+                .WithProperty("Email")
+                .WithValue("***MASKED***");
+        }
+
+        [Fact]
+        public void GivenLogMessageHasSpecificPropertyAndLogMessageHasPropertyButLowerCase_PropertyValueIsMasked()
+        {
+            var inMemorySink = new InMemorySink();
+
+            var logger =  new LoggerConfiguration()
+                .Enrich.WithSensitiveDataMasking(options =>
+                {
+                    options.MaskProperties.Add("Email");
+                })
+                .WriteTo.Sink(inMemorySink)
+                .CreateLogger();
+
+            logger.Information("Example {email}", "this doesn't match the e-mail regex");
+
+            inMemorySink
+                .Should()
+                .HaveMessage("Example {email}")
+                .Appearing()
+                .Once()
+                .WithProperty("email")
+                .WithValue("***MASKED***");
+        }
+    }
+}

test/Serilog.Enrichers.Sensitive.Tests.Unit/WhenMaskingWithCustomMaskValue.cs

@@ -12,7 +12,7 @@ public class WhenMaskingWithCustomMaskValue
         public void GivenMaskValueIsNull_ArgumentNullExceptionIsThrown()
         {
             Action action = () => new LoggerConfiguration()
-                .Enrich.WithSensitiveDataMasking(null)
+                .Enrich.WithSensitiveDataMasking(options => options.MaskValue = null)
                 .CreateLogger();
 
             action