feat: add experimental rust request logging masking extension (#4030)

* feat: add rust request logging masking sidecar

Signed-off-by: lucarlig <luca.carlig@ibm.com>

* perf: cache key sensitivity in rust masking sidecar

Signed-off-by: lucarlig <luca.carlig@ibm.com>

* feat: restore pyo3 request logging path

Signed-off-by: lucarlig <luca.carlig@ibm.com>

* refactor: rename request logging native extension

Signed-off-by: lucarlig <luca.carlig@ibm.com>

* perf: add native json request logging fast path

Signed-off-by: lucarlig <luca.carlig@ibm.com>

* test: cover request logging native fallback paths

Signed-off-by: lucarlig <luca.carlig@ibm.com>

* feat: generate stubs for request logging native extension

Signed-off-by: lucarlig <luca.carlig@ibm.com>

* perf: reuse request logging key sensitivity cache

Signed-off-by: lucarlig <luca.carlig@ibm.com>

* chore: normalize detect-secrets baseline after rebase

Signed-off-by: lucarlig <luca.carlig@ibm.com>

---------

Signed-off-by: lucarlig <luca.carlig@ibm.com>

Author: lucarlig

.secrets.baseline

@@ -5814,7 +5814,7 @@
         "hashed_secret": "ff37a98a9963d347e9749a5c1b3936a4a245a6ff",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2221,
+        "line_number": 2225,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -5860,23 +5860,23 @@
         "hashed_secret": "f2b14f68eb995facb3a1c35287b778d5bd785511",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 171,
+        "line_number": 175,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "1073ab6cda4b991cd29f9e83a307f34004ae9327",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 177,
+        "line_number": 181,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "d4fe581561f18ee5006254a7e53f53cbed780bc2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 259,
+        "line_number": 268,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -7964,23 +7964,23 @@
         "hashed_secret": "1a91d62f7ca67399625a4368a6ab5d4a3baa6073",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 98,
+        "line_number": 115,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "dbdab9be92cacdae6a97e8601332bfaa8545800f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 99,
+        "line_number": 116,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "4ea8d2335b430796cf3f500368c5b0f5b1dc90f5",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 151,
+        "line_number": 213,
         "type": "Secret Keyword",
         "verified_result": null
       }

mcpgateway/config.py

@@ -350,6 +350,10 @@ class Settings(BaseSettings):
 
     # Security Validation & Sanitization
     experimental_validate_io: bool = Field(default=False, description="Enable experimental input validation and output sanitization")
+    experimental_rust_request_logging_masking_enabled: bool = Field(
+        default=False,
+        description="Enable experimental Rust native extension for request logging sensitive-data masking",
+    )
     validation_middleware_enabled: bool = Field(default=False, description="Enable validation middleware for all requests")
     validation_strict: bool = Field(default=True, description="Strict validation mode - reject on violations")
     sanitize_output: bool = Field(default=True, description="Sanitize output to remove control characters")

mcpgateway/middleware/request_logging_middleware.py

@@ -46,6 +46,7 @@
 """
 
 # Standard
+import importlib
 import logging
 import re
 import secrets
@@ -74,6 +75,9 @@
 # Initialize structured logger for gateway boundary logging
 structured_logger = get_structured_logger("http_gateway")
 
+_RUST_REQUEST_LOGGING_MODULE = None
+_RUST_REQUEST_LOGGING_IMPORT_FAILED = False
+
 SENSITIVE_KEYS = frozenset(
     {
         "password",
@@ -183,6 +187,11 @@ def mask_sensitive_data(data, max_depth: int = 10):
         >>> mask_sensitive_data({"level": {"nested": {}}}, max_depth=1)
         {'level': '<nested too deep>'}
     """
+    if getattr(settings, "experimental_rust_request_logging_masking_enabled", False) is True:
+        rust_module = _load_rust_request_logging_module()
+        if rust_module is not None:
+            return rust_module.mask_sensitive_data(data, max_depth)
+
     if max_depth <= 0:
         return "<nested too deep>"
 
@@ -262,6 +271,11 @@ def mask_sensitive_headers(headers):
         >>> "******" in result["Cookie"]
         True
     """
+    if getattr(settings, "experimental_rust_request_logging_masking_enabled", False) is True:
+        rust_module = _load_rust_request_logging_module()
+        if rust_module is not None:
+            return rust_module.mask_sensitive_headers(headers)
+
     masked_headers = {}
     for key, value in headers.items():
         key_lower = key.lower()
@@ -275,6 +289,43 @@ def mask_sensitive_headers(headers):
     return masked_headers
 
 
+def _mask_json_payload_for_logging(payload: bytes, max_depth: int = 10) -> str:
+    """Mask a JSON payload for logging, preferring the native bytes fast path."""
+    if getattr(settings, "experimental_rust_request_logging_masking_enabled", False) is True:
+        rust_module = _load_rust_request_logging_module()
+        if rust_module is not None and hasattr(rust_module, "mask_sensitive_json_bytes"):
+            try:
+                masked_payload = rust_module.mask_sensitive_json_bytes(payload, max_depth)
+                if isinstance(masked_payload, bytes):
+                    return masked_payload.decode("utf-8", errors="ignore")
+                return str(masked_payload)
+            except Exception:
+                pass
+
+    json_payload = orjson.loads(payload)
+    payload_to_log = mask_sensitive_data(json_payload, max_depth)
+    return orjson.dumps(payload_to_log).decode()
+
+
+def _load_rust_request_logging_module():
+    """Load the experimental Rust masking native extension on demand."""
+    global _RUST_REQUEST_LOGGING_IMPORT_FAILED, _RUST_REQUEST_LOGGING_MODULE
+
+    if _RUST_REQUEST_LOGGING_MODULE is None:
+        if _RUST_REQUEST_LOGGING_IMPORT_FAILED:
+            return None
+        try:
+            _RUST_REQUEST_LOGGING_MODULE = importlib.import_module("request_logging_masking_native_extension")
+        except ImportError as exc:
+            _RUST_REQUEST_LOGGING_IMPORT_FAILED = True
+            logger.warning(
+                f"Experimental Rust request logging masking is enabled but the native extension is unavailable; "
+                f"falling back to Python masking. Install the request logging masking native extension first. ({exc})"
+            )
+            return None
+    return _RUST_REQUEST_LOGGING_MODULE
+
+
 class RequestLoggingMiddleware(BaseHTTPMiddleware):
     """Middleware for logging HTTP requests with sensitive data masking.
 
@@ -597,16 +648,13 @@ async def dispatch(self, request: Request, call_next: Callable):
                 truncated = False
                 body_to_log = body
 
-            payload = body_to_log.decode("utf-8", errors="ignore").strip()
+            payload = body_to_log.strip()
             if payload:
                 try:
-                    json_payload = orjson.loads(payload)
-                    payload_to_log = mask_sensitive_data(json_payload)
-                    # Use orjson without indent for performance (compact output)
-                    payload_str = orjson.dumps(payload_to_log).decode()
+                    payload_str = _mask_json_payload_for_logging(payload)
                 except orjson.JSONDecodeError:
                     # For non-JSON payloads, still mask potential sensitive data
-                    payload_str = payload
+                    payload_str = payload.decode("utf-8", errors="ignore")
                     for sensitive_key in SENSITIVE_KEYS:
                         if sensitive_key in payload_str.lower():
                             payload_str = "<contains sensitive data - masked>"

tests/performance/test_request_logging_masking_native_extension_benchmark.py

@@ -0,0 +1,197 @@
+# -*- coding: utf-8 -*-
+"""Benchmark the request-logging masking Rust native extension against the Python path."""
+
+# Standard
+from __future__ import annotations
+
+import importlib
+import statistics
+import subprocess
+import time
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any, Callable
+
+# First-Party
+from mcpgateway.config import settings
+from mcpgateway.middleware import request_logging_middleware
+from mcpgateway.middleware.request_logging_middleware import mask_sensitive_data, mask_sensitive_headers
+
+REPO_ROOT = Path(__file__).resolve().parents[2]
+NATIVE_EXTENSION_MANIFEST = REPO_ROOT / "tools_rust" / "request_logging_masking_native_extension" / "Cargo.toml"
+
+
+@dataclass(frozen=True)
+class BenchmarkScenario:
+    name: str
+    python_fn: Callable[[Any], Any]
+    public_native_fn: Callable[[Any], Any]
+    direct_native_fn: Callable[[Any], Any]
+    payload: Any
+    iterations: int
+
+
+def _build_scenarios(native_extension: Any) -> list[BenchmarkScenario]:
+    def python_data(payload: Any) -> Any:
+        settings.experimental_rust_request_logging_masking_enabled = False
+        return mask_sensitive_data(payload, 12)
+
+    def public_native_data(payload: Any) -> Any:
+        settings.experimental_rust_request_logging_masking_enabled = True
+        return mask_sensitive_data(payload, 12)
+
+    def direct_native_data(payload: Any) -> Any:
+        return native_extension.mask_sensitive_data(payload, 12)
+
+    def python_headers(payload: Any) -> Any:
+        settings.experimental_rust_request_logging_masking_enabled = False
+        return mask_sensitive_headers(payload)
+
+    def public_native_headers(payload: Any) -> Any:
+        settings.experimental_rust_request_logging_masking_enabled = True
+        return mask_sensitive_headers(payload)
+
+    def direct_native_headers(payload: Any) -> Any:
+        return native_extension.mask_sensitive_headers(payload)
+
+    return [
+        BenchmarkScenario(
+            name="nested_payload_masking",
+            python_fn=python_data,
+            public_native_fn=public_native_data,
+            direct_native_fn=direct_native_data,
+            payload={
+                "events": [
+                    {
+                        "actor": {"userName": f"user-{index}", "sessionToken": f"token-{index}", "sessionCount": index},
+                        "request": {
+                            "clientSecret": f"secret-{index}",
+                            "payload": {"safeField": "value" * 8, "authDevice": f"device-{index}", "auth_count": index},
+                        },
+                    }
+                    for index in range(1024)
+                ]
+            },
+            iterations=120,
+        ),
+        BenchmarkScenario(
+            name="headers_masking",
+            python_fn=python_headers,
+            public_native_fn=public_native_headers,
+            direct_native_fn=direct_native_headers,
+            payload={
+                **{f"X-Custom-{index}": f"value-{index}" for index in range(512)},
+                **{f"X-Api-Key-{index}": f"secret-{index}" for index in range(256)},
+                "Cookie": "; ".join([f"jwt_token_{index}=abc{index}" for index in range(128)]),
+            },
+            iterations=300,
+        ),
+    ]
+
+
+def test_build_scenarios_exposes_public_and_direct_native_paths(monkeypatch):
+    native_extension = type(
+        "NativeExtension",
+        (),
+        {
+            "mask_sensitive_data": staticmethod(lambda payload, max_depth: {"path": "direct", "payload": payload, "max_depth": max_depth}),
+            "mask_sensitive_headers": staticmethod(lambda payload: {"path": "direct", "payload": payload}),
+        },
+    )()
+    observed_flags: list[bool] = []
+
+    def fake_mask_sensitive_data(payload: Any, max_depth: int = 10) -> Any:
+        observed_flags.append(settings.experimental_rust_request_logging_masking_enabled)
+        return {"path": "public" if settings.experimental_rust_request_logging_masking_enabled else "python", "max_depth": max_depth}
+
+    def fake_mask_sensitive_headers(payload: Any) -> Any:
+        observed_flags.append(settings.experimental_rust_request_logging_masking_enabled)
+        return {"path": "public" if settings.experimental_rust_request_logging_masking_enabled else "python"}
+
+    monkeypatch.setattr("tests.performance.test_request_logging_masking_native_extension_benchmark.mask_sensitive_data", fake_mask_sensitive_data)
+    monkeypatch.setattr("tests.performance.test_request_logging_masking_native_extension_benchmark.mask_sensitive_headers", fake_mask_sensitive_headers)
+
+    scenarios = {scenario.name: scenario for scenario in _build_scenarios(native_extension)}
+
+    public_data = scenarios["nested_payload_masking"].public_native_fn({"k": "v"})
+    direct_data = scenarios["nested_payload_masking"].direct_native_fn({"k": "v"})
+    python_data = scenarios["nested_payload_masking"].python_fn({"k": "v"})
+    public_headers = scenarios["headers_masking"].public_native_fn({"Authorization": "Bearer x"})
+    direct_headers = scenarios["headers_masking"].direct_native_fn({"Authorization": "Bearer x"})
+
+    assert public_data["path"] == "public"
+    assert direct_data["path"] == "direct"
+    assert python_data["path"] == "python"
+    assert public_headers["path"] == "public"
+    assert direct_headers["path"] == "direct"
+    assert observed_flags == [True, False, True]
+
+
+def _ensure_native_extension_installed() -> Any:
+    subprocess.run(["uv", "run", "maturin", "develop", "--release", "--manifest-path", str(NATIVE_EXTENSION_MANIFEST)], check=True, cwd=REPO_ROOT)
+    return importlib.import_module("request_logging_masking_native_extension")
+
+
+def _measure(label: str, fn: Callable[[Any], Any], payload: Any, iterations: int) -> tuple[float, float]:
+    samples = []
+    for _ in range(iterations):
+        started = time.perf_counter_ns()
+        fn(payload)
+        samples.append(time.perf_counter_ns() - started)
+
+    median_ms = statistics.median(samples) / 1_000_000
+    p95_ms = statistics.quantiles(samples, n=100)[94] / 1_000_000
+    print(f"{label}: median={median_ms:.3f}ms p95={p95_ms:.3f}ms")
+    return median_ms, p95_ms
+
+
+def _assert_parity(python_fn: Callable[[Any], Any], rust_fn: Callable[[Any], Any], payloads: list[Any]) -> None:
+    for payload in payloads:
+        python_result = python_fn(payload)
+        rust_result = rust_fn(payload)
+        if python_result != rust_result:
+            raise AssertionError(f"Parity mismatch for payload {payload!r}: python={python_result!r} rust={rust_result!r}")
+
+
+def _prepare_public_native_path(native_extension: Any) -> None:
+    settings.experimental_rust_request_logging_masking_enabled = True
+    request_logging_middleware._RUST_REQUEST_LOGGING_MODULE = native_extension
+    request_logging_middleware._RUST_REQUEST_LOGGING_IMPORT_FAILED = False
+
+
+def main() -> None:
+    native_extension = _ensure_native_extension_installed()
+    _prepare_public_native_path(native_extension)
+
+    scenarios = _build_scenarios(native_extension)
+
+    _assert_parity(
+        scenarios[0].python_fn,
+        scenarios[0].direct_native_fn,
+        [
+            {"password": "secret", "nested": {"authToken": "abc", "ok": "value"}},
+            {"token_count": 3, "tokenizer": "ok", "privateKey": "secret"},
+            [{"jwt_token": "abc"}, {"normal": "value"}],
+        ],
+    )
+    _assert_parity(
+        scenarios[1].python_fn,
+        scenarios[1].direct_native_fn,
+        [
+            {"Authorization": "Bearer abc", "Cookie": "jwt_token=abc; theme=dark", "X-Trace-Id": "123"},
+            {"X-Auth-Count": "5", "X-Api-Key": "secret"},
+        ],
+    )
+
+    for scenario in scenarios:
+        print(f"\n{scenario.name} ({scenario.iterations} iterations)")
+        python_median, _ = _measure("python", scenario.python_fn, scenario.payload, scenario.iterations)
+        public_native_median, _ = _measure("public_native", scenario.public_native_fn, scenario.payload, scenario.iterations)
+        direct_native_median, _ = _measure("direct_native", scenario.direct_native_fn, scenario.payload, scenario.iterations)
+        print(f"public_speedup={python_median / public_native_median:.2f}x")
+        print(f"direct_speedup={python_median / direct_native_median:.2f}x")
+        print(f"public_overhead={(public_native_median / direct_native_median - 1) * 100:.1f}%")
+
+
+if __name__ == "__main__":
+    main()