masked senstive config data

Author: bhillkeyfactor

HydrantCAProxy/HydrantIdCAPlugin.cs

@@ -52,7 +52,7 @@ public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDa
                     certDataReader = certificateDataReader;
                     Config = configProvider;
                     var rawData = JsonConvert.SerializeObject(configProvider.CAConnectionData);
-                    _logger.LogTrace("Initialize: raw config JSON: {Json}", rawData);
+                    _logger.LogTrace("Initialize: config JSON (sensitive keys masked): {Json}", MaskConfigForLog(rawData));
                     _config = JsonConvert.DeserializeObject<HydrantIdCAPluginConfig.Config>(rawData);
                 });
 
@@ -78,6 +78,38 @@ public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDa
             }
         }
 
+        private static readonly HashSet<string> _sensitiveConfigKeys = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        {
+            HydrantIdCAPluginConfig.ConfigConstants.HydrantIdAuthId,
+            HydrantIdCAPluginConfig.ConfigConstants.HydrantIdAuthKey
+        };
+
+        private static string MaskConfigForLog(string rawJson)
+        {
+            if (string.IsNullOrEmpty(rawJson)) return rawJson;
+            try
+            {
+                var token = Newtonsoft.Json.Linq.JToken.Parse(rawJson);
+                if (token is Newtonsoft.Json.Linq.JObject obj)
+                {
+                    foreach (var prop in obj.Properties())
+                    {
+                        if (_sensitiveConfigKeys.Contains(prop.Name) &&
+                            prop.Value.Type != Newtonsoft.Json.Linq.JTokenType.Null)
+                        {
+                            prop.Value = "***REDACTED***";
+                        }
+                    }
+                    return obj.ToString(Newtonsoft.Json.Formatting.None);
+                }
+                return token.ToString(Newtonsoft.Json.Formatting.None);
+            }
+            catch
+            {
+                return "***REDACTED***";
+            }
+        }
+
         private static List<string> CheckRequiredValues(Dictionary<string, object> connectionInfo, params string[] args)
         {
             List<string> errors = new List<string>();
@@ -135,7 +167,7 @@ public Task ValidateCAConnectionInfo(Dictionary<string, object> connectionInfo)
 
             _logger.LogDebug("Validating HydrantId CA Connection properties");
             var rawData = JsonConvert.SerializeObject(connectionInfo);
-            _logger.LogTrace("ValidateCAConnectionInfo: raw connectionInfo JSON: {Json}", rawData);
+            _logger.LogTrace("ValidateCAConnectionInfo: connectionInfo JSON (sensitive keys masked): {Json}", MaskConfigForLog(rawData));
 
             _config = JsonConvert.DeserializeObject<HydrantIdCAPluginConfig.Config>(rawData);