ivuorinen/monolog-gdpr-filter
1
0
Fork 0
mirror of https://github.com/ivuorinen/monolog-gdpr-filter.git synced 2026-02-10 07:48:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: performance, integrations, advanced features (#2)

Browse Source 
* feat: performance, integrations, advanced features

* chore: fix linting problems

* chore: suppressions and linting

* chore(lint): pre-commit linting, fixes

* feat: comprehensive input validation, security hardening, and regression testing

- Add extensive input validation throughout codebase with proper error handling
- Implement comprehensive security hardening with ReDoS protection and bounds checking
- Add 3 new regression test suites covering critical bugs, security, and validation scenarios
- Enhance rate limiting with memory management and configurable cleanup intervals
- Update configuration security settings and improve Laravel integration
- Fix TODO.md timestamps to reflect actual development timeline
- Strengthen static analysis configuration and improve code quality standards

* feat: configure static analysis tools and enhance development workflow

- Complete configuration of Psalm, PHPStan, and Rector for harmonious static analysis.
- Fix invalid configurations and tool conflicts that prevented proper code quality analysis.
- Add comprehensive safe analysis script with interactive workflow, backup/restore
  capabilities, and dry-run modes. Update documentation with linting policy
  requiring issue resolution over suppression.
- Clean completed items from TODO to focus on actionable improvements.
- All static analysis tools now work together seamlessly to provide
  code quality insights without breaking existing functionality.

* fix(test): update Invalid regex pattern expectation

* chore: phpstan, psalm fixes

* chore: phpstan, psalm fixes, more tests

* chore: tooling tweaks, cleanup

* chore: tweaks to get the tests pass

* fix(lint): rector config tweaks and successful run

* feat: refactoring, more tests, fixes, cleanup

* chore: deduplication, use constants

* chore: psalm fixes

* chore: ignore phpstan deliberate errors in tests

* chore: improve codebase, deduplicate code

* fix: lint

* chore: deduplication, codebase simplification, sonarqube fixes

* fix: resolve SonarQube reliability rating issues

Fix useless object instantiation warnings in test files by assigning
instantiated objects to variables. This resolves the SonarQube reliability
rating issue (was C, now targeting A).

Changes:
- tests/Strategies/MaskingStrategiesTest.php: Fix 3 instances
- tests/Strategies/FieldPathMaskingStrategyTest.php: Fix 1 instance

The tests use expectException() to verify that constructors throw
exceptions for invalid input. SonarQube flagged standalone `new`
statements as useless. Fixed by assigning to variables with explicit
unset() and fail() calls.

All tests pass (623/623) and static analysis tools pass.

* fix: resolve more SonarQube detected issues

* fix: resolve psalm detected issues

* fix: resolve more SonarQube detected issues

* fix: resolve psalm detected issues

* fix: duplications

* fix: resolve SonarQube reliability rating issues

* fix: resolve psalm and phpstan detected issues
This commit is contained in:
Ismo Vuorinen
2025-10-31 13:59:01 +02:00
committed by GitHub
parent 63637900c8
commit 00c6f76c97
126 changed files with 30815 additions and 921 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
src/ConditionalRuleFactory.php Normal file
View File

@@ -0,0 +1,73 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
use Adbar\Dot;
use Closure;
use Monolog\LogRecord;
/**
* Factory for creating conditional masking rules.
*
* This class provides static methods to create various types of
* conditional rules that determine when masking should be applied.
*/
final class ConditionalRuleFactory
{
/**
* Create a conditional rule based on log level.
*
* @param array<string> $levels Log levels that should trigger masking
*
* @psalm-return Closure(LogRecord):bool
*/
public static function createLevelBasedRule(array $levels): Closure
{
return fn(LogRecord $record): bool => in_array($record->level->name, $levels, true);
}
/**
* Create a conditional rule based on context field presence.
*
* @param string $fieldPath Dot-notation path to check
*
* @psalm-return Closure(LogRecord):bool
*/
public static function createContextFieldRule(string $fieldPath): Closure
{
return function (LogRecord $record) use ($fieldPath): bool {
$accessor = new Dot($record->context);
return $accessor->has($fieldPath);
};
}
/**
* Create a conditional rule based on context field value.
*
* @param string $fieldPath Dot-notation path to check
* @param mixed $expectedValue Expected value
*
* @psalm-return Closure(LogRecord):bool
*/
public static function createContextValueRule(string $fieldPath, mixed $expectedValue): Closure
{
return function (LogRecord $record) use ($fieldPath, $expectedValue): bool {
$accessor = new Dot($record->context);
return $accessor->get($fieldPath) === $expectedValue;
};
}
/**
* Create a conditional rule based on channel name.
*
* @param array<string> $channels Channel names that should trigger masking
*
* @psalm-return Closure(LogRecord):bool
*/
public static function createChannelBasedRule(array $channels): Closure
{
return fn(LogRecord $record): bool => in_array($record->channel, $channels, true);
}
}

171
src/ContextProcessor.php Normal file
View File

@@ -0,0 +1,171 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
use Adbar\Dot;
use Throwable;
/**
* Handles context field processing operations for GDPR masking.
*
* This class extracts field-level masking logic from GdprProcessor
* to reduce the main class's method count and improve separation of concerns.
*
* @internal This class is for internal use within the GDPR processor
*/
class ContextProcessor
{
/**
* @param array<string,FieldMaskConfig|string> $fieldPaths Dot-notation path => FieldMaskConfig
* @param array<string,callable(mixed):string> $customCallbacks Dot-notation path => callback
* @param callable(string,mixed,mixed):void|null $auditLogger Optional audit logger callback
* @param \Closure(string):string $regexProcessor Function to process strings with regex patterns
*/
public function __construct(
private readonly array $fieldPaths,
private readonly array $customCallbacks,
private $auditLogger,
private readonly \Closure $regexProcessor
) {
}
/**
* Mask field paths in the context using the configured field masks.
*
* @param Dot<array-key, mixed> $accessor
* @return string[] Array of processed field paths
* @psalm-return list<string>
*/
public function maskFieldPaths(Dot $accessor): array
{
$processedFields = [];
foreach ($this->fieldPaths as $path => $config) {
if (!$accessor->has($path)) {
continue;
}
$value = $accessor->get($path, "");
$action = $this->maskValue($path, $value, $config);
if ($action['remove'] ?? false) {
$accessor->delete($path);
$this->logAudit($path, $value, null);
$processedFields[] = $path;
continue;
}
$masked = $action['masked'];
if ($masked !== null && $masked !== $value) {
$accessor->set($path, $masked);
$this->logAudit($path, $value, $masked);
}
$processedFields[] = $path;
}
return $processedFields;
}
/**
* Process custom callbacks on context fields.
*
* @param Dot<array-key, mixed> $accessor
* @return string[] Array of processed field paths
* @psalm-return list<string>
*/
public function processCustomCallbacks(Dot $accessor): array
{
$processedFields = [];
foreach ($this->customCallbacks as $path => $callback) {
if (!$accessor->has($path)) {
continue;
}
$value = $accessor->get($path);
try {
$masked = $callback($value);
if ($masked !== $value) {
$accessor->set($path, $masked);
$this->logAudit($path, $value, $masked);
}
$processedFields[] = $path;
} catch (Throwable $e) {
// Log callback error but continue processing
$sanitized = SecuritySanitizer::sanitizeErrorMessage($e->getMessage());
$errorMsg = 'Callback failed: ' . $sanitized;
$this->logAudit($path . '_callback_error', $value, $errorMsg);
$processedFields[] = $path;
}
}
return $processedFields;
}
/**
* Mask a single value according to config or callback.
* Returns an array: ['masked' => value|null, 'remove' => bool]
*
* @psalm-return array{masked: mixed, remove: bool}
* @psalm-param mixed $value
*/
public function maskValue(string $path, mixed $value, FieldMaskConfig|string|null $config): array
{
$result = ['masked' => null, 'remove' => false];
if (array_key_exists($path, $this->customCallbacks)) {
$callback = $this->customCallbacks[$path];
$result['masked'] = $callback($value);
return $result;
}
if ($config instanceof FieldMaskConfig) {
switch ($config->type) {
case FieldMaskConfig::MASK_REGEX:
$result['masked'] = ($this->regexProcessor)((string) $value);
break;
case FieldMaskConfig::REMOVE:
$result['masked'] = null;
$result['remove'] = true;
break;
case FieldMaskConfig::REPLACE:
$result['masked'] = $config->replacement;
break;
default:
// Return the type as string for unknown types
$result['masked'] = $config->type;
break;
}
} else {
// Backward compatibility: treat string as replacement
$result['masked'] = $config;
}
return $result;
}
/**
* Audit logger helper.
*
* @param string $path Dot-notation path of the field
* @param mixed $original Original value before masking
* @param null|string $masked Masked value after processing, or null if removed
*/
public function logAudit(string $path, mixed $original, string|null $masked): void
{
if (is_callable($this->auditLogger) && $original !== $masked) {
// Only log if the value was actually changed
call_user_func($this->auditLogger, $path, $original, $masked);
}
}
/**
* Set the audit logger callable.
*
* @param callable(string,mixed,mixed):void|null $auditLogger
*/
public function setAuditLogger(?callable $auditLogger): void
{
$this->auditLogger = $auditLogger;
}
}

195
src/DataTypeMasker.php Normal file
View File

@@ -0,0 +1,195 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
use Ivuorinen\MonologGdprFilter\MaskConstants as Mask;
/**
* Handles data type-based masking of values.
*
* This class applies masking based on PHP data types
* according to configured masking rules.
*/
final class DataTypeMasker
{
/**
* @param array<string,string> $dataTypeMasks Type-based masking: type => mask pattern
* @param callable(string, mixed, mixed):void|null $auditLogger
*/
public function __construct(
private readonly array $dataTypeMasks,
private $auditLogger = null
) {}
/**
* Get default data type masking configuration.
*
* @return string[]
*
* @psalm-return array{
* integer: '***INT***',
* double: '***FLOAT***',
* string: '***STRING***',
* boolean: '***BOOL***',
* NULL: '***NULL***',
* array: '***ARRAY***',
* object: '***OBJECT***',
* resource: '***RESOURCE***'
* }
*/
public static function getDefaultMasks(): array
{
return [
'integer' => Mask::MASK_INT,
'double' => Mask::MASK_FLOAT,
'string' => Mask::MASK_STRING,
'boolean' => Mask::MASK_BOOL,
'NULL' => Mask::MASK_NULL,
'array' => Mask::MASK_ARRAY,
'object' => Mask::MASK_OBJECT,
'resource' => Mask::MASK_RESOURCE,
];
}
/**
* Apply data type-based masking to a value.
*
* @param mixed $value The value to mask.
* @param (callable(array<mixed>|string, int=):(array<mixed>|string))|null $recursiveMaskCallback
* @return mixed The masked value.
*
* @psalm-param mixed $value The value to mask.
*/
public function applyMasking(mixed $value, ?callable $recursiveMaskCallback = null): mixed
{
if ($this->dataTypeMasks === []) {
return $value;
}
$type = gettype($value);
if (!isset($this->dataTypeMasks[$type])) {
return $value;
}
$mask = $this->dataTypeMasks[$type];
// Special handling for different types
return match ($type) {
'integer' => is_numeric($mask) ? (int)$mask : $mask,
'double' => is_numeric($mask) ? (float)$mask : $mask,
'boolean' => $this->maskBoolean($mask, $value),
'NULL' => $mask === 'preserve' ? null : $mask,
'array' => $this->maskArray($mask, $value, $recursiveMaskCallback),
'object' => (object) ['masked' => $mask, 'original_class' => $value::class],
default => $mask,
};
}
/**
* Mask a boolean value.
*/
private function maskBoolean(string $mask, bool $value): bool|string
{
if ($mask === 'preserve') {
return $value;
}
if ($mask === 'true') {
return true;
}
if ($mask === 'false') {
return false;
}
return $mask;
}
/**
* Mask an array value.
*
* @param array<mixed> $value
* @param (callable(array<mixed>|string, int=):(array<mixed>|string))|null $recursiveMaskCallback
* @return array<mixed>|string
*/
private function maskArray(string $mask, array $value, ?callable $recursiveMaskCallback): array|string
{
// For arrays, we can return a masked indicator or process recursively
if ($mask === 'recursive' && $recursiveMaskCallback !== null) {
return $recursiveMaskCallback($value, 0);
}
return [$mask];
}
/**
* Apply data type masking to an entire context structure.
*
* @param array<mixed> $context
* @param array<string> $processedFields Array of field paths already processed
* @param string $currentPath Current dot-notation path for nested processing
* @param (callable(array<mixed>|string, int=):(array<mixed>|string))|null $recursiveMaskCallback
* @return array<mixed>
*/
public function applyToContext(
array $context,
array $processedFields = [],
string $currentPath = '',
?callable $recursiveMaskCallback = null
): array {
$result = [];
foreach ($context as $key => $value) {
$fieldPath = $currentPath === '' ? (string)$key : $currentPath . '.' . $key;
// Skip fields that have already been processed by field paths or custom callbacks
if (in_array($fieldPath, $processedFields, true)) {
$result[$key] = $value;
continue;
}
$result[$key] = $this->processFieldValue(
$value,
$fieldPath,
$processedFields,
$recursiveMaskCallback
);
}
return $result;
}
/**
* Process a single field value, applying masking if applicable.
*
* @param mixed $value
* @param string $fieldPath
* @param array<string> $processedFields
* @param (callable(array<mixed>|string, int=):(array<mixed>|string))|null $recursiveMaskCallback
* @return mixed
*/
private function processFieldValue(
mixed $value,
string $fieldPath,
array $processedFields,
?callable $recursiveMaskCallback
): mixed {
if (is_array($value)) {
return $this->applyToContext($value, $processedFields, $fieldPath, $recursiveMaskCallback);
}
$type = gettype($value);
if (!isset($this->dataTypeMasks[$type])) {
return $value;
}
$masked = $this->applyMasking($value, $recursiveMaskCallback);
if ($masked !== $value && $this->auditLogger !== null) {
($this->auditLogger)($fieldPath, $value, $masked);
}
return $masked;
}
}

81
src/DefaultPatterns.php Normal file
View File

@@ -0,0 +1,81 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
use Ivuorinen\MonologGdprFilter\MaskConstants as Mask;
/**
* Provides default GDPR regex patterns for common sensitive data types.
*/
final class DefaultPatterns
{
/**
* Get default GDPR regex patterns. Non-exhaustive, should be extended with your own.
*
* @return array<string, string>
*/
public static function get(): array
{
return [
// Finnish SSN (HETU)
'/\b\d{6}[-+A]?\d{3}[A-Z]\b/u' => Mask::MASK_HETU,
// US Social Security Number (strict: 3-2-4 digits)
'/^\d{3}-\d{2}-\d{4}$/' => Mask::MASK_USSSN,
// IBAN (strictly match Finnish IBAN with or without spaces, only valid groupings)
'/^FI\d{2}(?: ?\d{4}){3} ?\d{2}$/u' => Mask::MASK_IBAN,
// Also match fully compact Finnish IBAN (no spaces)
'/^FI\d{16}$/u' => Mask::MASK_IBAN,
// International phone numbers (E.164, +countrycode...)
'/^\+\d{1,3}[\s-]?\d{1,4}[\s-]?\d{1,4}[\s-]?\d{1,9}$/' => Mask::MASK_PHONE,
// Email address
'/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/' => Mask::MASK_EMAIL,
// Date of birth (YYYY-MM-DD)
'/^(19|20)\d{2}-[01]\d\-[0-3]\d$/' => Mask::MASK_DOB,
// Date of birth (DD/MM/YYYY)
'/^[0-3]\d\/[01]\d\/(19|20)\d{2}$/' => Mask::MASK_DOB,
// Passport numbers (A followed by 6 digits)
'/^A\d{6}$/' => Mask::MASK_PASSPORT,
// Credit card numbers (Visa, MC, Amex, Discover test numbers)
'/^(4111 1111 1111 1111|5500-0000-0000-0004|340000000000009|6011000000000004)$/' => Mask::MASK_CC,
// Generic 16-digit credit card (for test compatibility)
'/\b[0-9]{16}\b/u' => Mask::MASK_CC,
// Bearer tokens (JWT, at least 10 chars after Bearer)
'/^Bearer [A-Za-z0-9\-\._~\+\/]{10,}$/' => Mask::MASK_TOKEN,
// API keys (Stripe-like, 20+ chars, or sk_live|sk_test)
'/^(sk_(live|test)_[A-Za-z0-9]{16,}|[A-Za-z0-9\-_]{20,})$/' => Mask::MASK_APIKEY,
// MAC addresses
'/^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/' => Mask::MASK_MAC,
// IP Addresses
// IPv4 address (dotted decimal notation)
'/\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b/' => '***IPv4***',
// Vehicle Registration Numbers (more specific patterns)
// US License plates (specific formats: ABC-1234, ABC1234)
'/\b[A-Z]{2,3}[-\s]?\d{3,4}\b/' => Mask::MASK_VEHICLE,
// Reverse format (123-ABC)
'/\b\d{3,4}[-\s]?[A-Z]{2,3}\b/' => Mask::MASK_VEHICLE,
// National ID Numbers
// UK National Insurance Number (2 letters, 6 digits, 1 letter)
'/\b[A-Z]{2}\d{6}[A-Z]\b/' => Mask::MASK_UKNI,
// Canadian Social Insurance Number (3-3-3 format)
'/\b\d{3}[-\s]\d{3}[-\s]\d{3}\b/' => Mask::MASK_CASIN,
// UK Sort Code + Account (6 digits + 8 digits)
'/\b\d{6}[-\s]\d{8}\b/' => Mask::MASK_UKBANK,
// Canadian Transit + Account (5 digits + 7-12 digits)
'/\b\d{5}[-\s]\d{7,12}\b/' => Mask::MASK_CABANK,
// Health Insurance Numbers
// US Medicare number (various formats)
'/\b\d{3}[-\s]\d{2}[-\s]\d{4}\b/' => Mask::MASK_MEDICARE,
// European Health Insurance Card (starts with country code)
'/\b\d{2}[-\s]\d{4}[-\s]\d{4}[-\s]\d{4}[-\s]\d{1,4}\b/' => Mask::MASK_EHIC,
// IPv6 address (specific pattern with colons)
'/\b[0-9a-fA-F]{1,4}:[0-9a-fA-F:]{7,35}\b/' => '***IPv6***',
];
}
}

167
src/Exceptions/AuditLoggingException.php Normal file
View File

@@ -0,0 +1,167 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
/**
* Exception thrown when audit logging operations fail.
*
* This exception is thrown when:
* - An audit logger callback throws an exception
* - Audit log data cannot be serialized
* - Rate-limited audit logging encounters errors
* - Audit logger configuration is invalid
*
* @api
*/
class AuditLoggingException extends GdprProcessorException
{
/**
* Create an exception for a failed audit logging callback.
*
* @param string $path The field path being audited
* @param mixed $original The original value
* @param mixed $masked The masked value
* @param string $reason The reason for the failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function callbackFailed(
string $path,
mixed $original,
mixed $masked,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Audit logging callback failed for path '%s': %s", $path, $reason);
return self::withContext($message, [
'audit_type' => 'callback_failure',
'path' => $path,
'original_type' => gettype($original),
'masked_type' => gettype($masked),
'original_preview' => self::getValuePreview($original),
'masked_preview' => self::getValuePreview($masked),
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for audit data serialization failure.
*
* @param string $path The field path being audited
* @param mixed $value The value that failed to serialize
* @param string $reason The reason for the serialization failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function serializationFailed(
string $path,
mixed $value,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Audit data serialization failed for path '%s': %s", $path, $reason);
return self::withContext($message, [
'audit_type' => 'serialization_failure',
'path' => $path,
'value_type' => gettype($value),
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for rate-limited audit logging failures.
*
* @param string $operationType The operation type being rate limited
* @param int $currentRequests Current number of requests
* @param int $maxRequests Maximum allowed requests
* @param string $reason The reason for the failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function rateLimitingFailed(
string $operationType,
int $currentRequests,
int $maxRequests,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Rate-limited audit logging failed for operation '%s': %s", $operationType, $reason);
return self::withContext($message, [
'audit_type' => 'rate_limiting_failure',
'operation_type' => $operationType,
'current_requests' => $currentRequests,
'max_requests' => $maxRequests,
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for invalid audit logger configuration.
*
* @param string $configurationIssue Description of the configuration issue
* @param array<string, mixed> $config The invalid configuration
* @param Throwable|null $previous Previous exception for chaining
*/
public static function invalidConfiguration(
string $configurationIssue,
array $config,
?Throwable $previous = null
): static {
$message = 'Invalid audit logger configuration: ' . $configurationIssue;
return self::withContext($message, [
'audit_type' => 'configuration_error',
'configuration_issue' => $configurationIssue,
'config' => $config,
], 0, $previous);
}
/**
* Create an exception for audit logger creation failure.
*
* @param string $loggerType The type of logger being created
* @param string $reason The reason for the creation failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function loggerCreationFailed(
string $loggerType,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Audit logger creation failed for type '%s': %s", $loggerType, $reason);
return self::withContext($message, [
'audit_type' => 'logger_creation_failure',
'logger_type' => $loggerType,
'reason' => $reason,
], 0, $previous);
}
/**
* Get a safe preview of a value for logging.
*
* @param mixed $value The value to preview
* @return string Safe preview string
*/
private static function getValuePreview(mixed $value): string
{
if (is_string($value)) {
return substr($value, 0, 100) . (strlen($value) > 100 ? '...' : '');
}
if (is_array($value) || is_object($value)) {
$json = json_encode($value, JSON_UNESCAPED_SLASHES | JSON_PARTIAL_OUTPUT_ON_ERROR);
if ($json === false) {
return '[Unable to serialize]';
}
return substr($json, 0, 100) . (strlen($json) > 100 ? '...' : '');
}
return (string) $value;
}
}

135
src/Exceptions/CommandExecutionException.php Normal file
View File

@@ -0,0 +1,135 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
/**
* Exception thrown when command execution fails.
*
* This exception is thrown when:
* - Artisan commands encounter runtime errors
* - Command input validation fails
* - Command operations fail during execution
* - Command result processing fails
* - File operations within commands fail
*
* @api
*/
class CommandExecutionException extends GdprProcessorException
{
/**
* Create an exception for command input validation failure.
*
* @param string $commandName The command that failed
* @param string $inputName The input parameter that failed validation
* @param mixed $inputValue The invalid input value
* @param string $reason The reason for validation failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forInvalidInput(
string $commandName,
string $inputName,
mixed $inputValue,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf(
"Command '%s' failed: invalid input '%s' - %s",
$commandName,
$inputName,
$reason
);
return self::withContext($message, [
'command_name' => $commandName,
'input_name' => $inputName,
'input_value' => $inputValue,
'reason' => $reason,
'category' => 'input_validation',
], 0, $previous);
}
/**
* Create an exception for command operation failure.
*
* @param string $commandName The command that failed
* @param string $operation The operation that failed
* @param string $reason The reason for failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forOperation(
string $commandName,
string $operation,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf(
"Command '%s' failed during operation '%s': %s",
$commandName,
$operation,
$reason
);
return self::withContext($message, [
'command_name' => $commandName,
'operation' => $operation,
'reason' => $reason,
'category' => 'operation_failure',
], 0, $previous);
}
/**
* Create an exception for pattern testing failure.
*
* @param string $pattern The pattern that failed testing
* @param string $testString The test string used
* @param string $reason The reason for test failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forPatternTest(
string $pattern,
string $testString,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Pattern test failed for '%s': %s", $pattern, $reason);
return self::withContext($message, [
'pattern' => $pattern,
'test_string' => $testString,
'reason' => $reason,
'category' => 'pattern_test',
], 0, $previous);
}
/**
* Create an exception for JSON processing failure in commands.
*
* @param string $commandName The command that failed
* @param string $jsonData The JSON data being processed
* @param string $reason The reason for JSON processing failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forJsonProcessing(
string $commandName,
string $jsonData,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf(
"Command '%s' failed to process JSON data: %s",
$commandName,
$reason
);
return self::withContext($message, [
'command_name' => $commandName,
'json_data' => $jsonData,
'reason' => $reason,
'category' => 'json_processing',
], 0, $previous);
}
}

63
src/Exceptions/GdprProcessorException.php Normal file
View File

@@ -0,0 +1,63 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
use Exception;
/**
* Base exception class for all GDPR processor related errors.
*
* This serves as the parent class for all specific GDPR processing exceptions,
* allowing consumers to catch all GDPR-related errors with a single catch block.
*
* @api
*/
class GdprProcessorException extends Exception
{
/**
* Create a new GDPR processor exception.
*
* @param string $message The exception message
* @param int $code The exception code (default: 0)
* @param Throwable|null $previous Previous exception for chaining
*/
public function __construct(string $message = '', int $code = 0, ?Throwable $previous = null)
{
parent::__construct($message, $code, $previous);
}
/**
* Create an exception with additional context information.
*
* @param string $message The base exception message
* @param array<string, mixed> $context Additional context data
* @param int $code The exception code (default: 0)
* @param Throwable|null $previous Previous exception for chaining
*/
public static function withContext(
string $message,
array $context,
int $code = 0,
?Throwable $previous = null
): static {
$contextString = '';
if ($context !== []) {
$contextParts = [];
foreach ($context as $key => $value) {
$encoded = json_encode($value, JSON_UNESCAPED_SLASHES);
$contextParts[] = $key . ': ' . ($encoded === false ? '[unserializable]' : $encoded);
}
$contextString = ' [Context: ' . implode(', ', $contextParts) . ']';
}
/**
* @psalm-suppress UnsafeInstantiation
* @phpstan-ignore new.static
*/
return new static($message . $contextString, $code, $previous);
}
}

181
src/Exceptions/InvalidConfigurationException.php Normal file
View File

@@ -0,0 +1,181 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
/**
* Exception thrown when GDPR processor configuration is invalid.
*
* This exception is thrown when:
* - Invalid field paths are provided
* - Invalid data type masks are specified
* - Invalid conditional rules are configured
* - Configuration values are out of acceptable ranges
* - Configuration structure is malformed
*
* @api
*/
class InvalidConfigurationException extends GdprProcessorException
{
/**
* Create an exception for an invalid field path.
*
* @param string $fieldPath The invalid field path
* @param string $reason The reason why the field path is invalid
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forFieldPath(
string $fieldPath,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Invalid field path '%s': %s", $fieldPath, $reason);
return self::withContext($message, [
'field_path' => $fieldPath,
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for an invalid data type mask.
*
* @param string $dataType The invalid data type
* @param mixed $mask The invalid mask value
* @param string $reason The reason why the mask is invalid
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forDataTypeMask(
string $dataType,
mixed $mask,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Invalid data type mask for '%s': %s", $dataType, $reason);
return self::withContext($message, [
'data_type' => $dataType,
'mask' => $mask,
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for an invalid conditional rule.
*
* @param string $ruleName The invalid rule name
* @param string $reason The reason why the rule is invalid
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forConditionalRule(
string $ruleName,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Invalid conditional rule '%s': %s", $ruleName, $reason);
return self::withContext($message, [
'rule_name' => $ruleName,
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for an invalid configuration value.
*
* @param string $parameter The parameter name
* @param mixed $value The invalid value
* @param string $reason The reason why the value is invalid
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forParameter(
string $parameter,
mixed $value,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Invalid configuration parameter '%s': %s", $parameter, $reason);
return self::withContext($message, [
'parameter' => $parameter,
'value' => $value,
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for an empty or null required value.
*
* @param string $parameter The parameter name that cannot be empty
* @param Throwable|null $previous Previous exception for chaining
*/
public static function emptyValue(
string $parameter,
?Throwable $previous = null
): static {
$message = sprintf("%s cannot be empty", ucfirst($parameter));
return self::withContext($message, [
'parameter' => $parameter,
], 0, $previous);
}
/**
* Create an exception for a value that exceeds maximum allowed length.
*
* @param string $parameter The parameter name
* @param int $actualLength The actual length
* @param int $maxLength The maximum allowed length
* @param Throwable|null $previous Previous exception for chaining
*/
public static function exceedsMaxLength(
string $parameter,
int $actualLength,
int $maxLength,
?Throwable $previous = null
): static {
$message = sprintf(
"%s length (%d) exceeds maximum allowed length (%d)",
ucfirst($parameter),
$actualLength,
$maxLength
);
return self::withContext($message, [
'parameter' => $parameter,
'actual_length' => $actualLength,
'max_length' => $maxLength,
], 0, $previous);
}
/**
* Create an exception for an invalid type.
*
* @param string $parameter The parameter name
* @param string $expectedType The expected type
* @param string $actualType The actual type
* @param Throwable|null $previous Previous exception for chaining
*/
public static function invalidType(
string $parameter,
string $expectedType,
string $actualType,
?Throwable $previous = null
): static {
$message = sprintf(
"%s must be of type %s, got %s",
ucfirst($parameter),
$expectedType,
$actualType
);
return self::withContext($message, [
'parameter' => $parameter,
'expected_type' => $expectedType,
'actual_type' => $actualType,
], 0, $previous);
}
}

203
src/Exceptions/InvalidRateLimitConfigurationException.php Normal file
View File

@@ -0,0 +1,203 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
/**
* Exception thrown when rate limiter configuration is invalid.
*
* This exception is thrown when:
* - Maximum requests value is invalid
* - Time window value is invalid
* - Cleanup interval value is invalid
* - Rate limiting key is invalid or contains forbidden characters
*
* @api
*/
class InvalidRateLimitConfigurationException extends GdprProcessorException
{
/**
* Create an exception for an invalid maximum requests value.
*
* @param int|float|string $value The invalid value
* @param Throwable|null $previous Previous exception for chaining
*/
public static function invalidMaxRequests(
int|float|string $value,
?Throwable $previous = null
): static {
$message = sprintf('Maximum requests must be a positive integer, got: %s', $value);
return self::withContext($message, [
'parameter' => 'max_requests',
'value' => $value,
], 0, $previous);
}
/**
* Create an exception for an invalid time window value.
*
* @param int|float|string $value The invalid value
* @param Throwable|null $previous Previous exception for chaining
*/
public static function invalidTimeWindow(
int|float|string $value,
?Throwable $previous = null
): static {
$message = sprintf(
'Time window must be a positive integer representing seconds, got: %s',
$value
);
return self::withContext($message, [
'parameter' => 'time_window',
'value' => $value,
], 0, $previous);
}
/**
* Create an exception for an invalid cleanup interval.
*
* @param int|float|string $value The invalid value
* @param Throwable|null $previous Previous exception for chaining
*/
public static function invalidCleanupInterval(
int|float|string $value,
?Throwable $previous = null
): static {
$message = sprintf('Cleanup interval must be a positive integer, got: %s', $value);
return self::withContext($message, [
'parameter' => 'cleanup_interval',
'value' => $value,
], 0, $previous);
}
/**
* Create an exception for a time window that is too short.
*
* @param int $value The time window value
* @param int $minimum The minimum allowed value
* @param Throwable|null $previous Previous exception for chaining
*/
public static function timeWindowTooShort(
int $value,
int $minimum,
?Throwable $previous = null
): static {
$message = sprintf(
'Time window (%d seconds) is too short, minimum is %d seconds',
$value,
$minimum
);
return self::withContext($message, [
'parameter' => 'time_window',
'value' => $value,
'minimum' => $minimum,
], 0, $previous);
}
/**
* Create an exception for a cleanup interval that is too short.
*
* @param int $value The cleanup interval value
* @param int $minimum The minimum allowed value
* @param Throwable|null $previous Previous exception for chaining
*/
public static function cleanupIntervalTooShort(
int $value,
int $minimum,
?Throwable $previous = null
): static {
$message = sprintf(
'Cleanup interval (%d seconds) is too short, minimum is %d seconds',
$value,
$minimum
);
return self::withContext($message, [
'parameter' => 'cleanup_interval',
'value' => $value,
'minimum' => $minimum,
], 0, $previous);
}
/**
* Create an exception for an empty rate limiting key.
*
* @param Throwable|null $previous Previous exception for chaining
*/
public static function emptyKey(?Throwable $previous = null): static
{
return self::withContext('Rate limiting key cannot be empty', [
'parameter' => 'key',
], 0, $previous);
}
/**
* Create an exception for a rate limiting key that is too long.
*
* @param string $key The key that is too long
* @param int $maxLength The maximum allowed length
* @param Throwable|null $previous Previous exception for chaining
*/
public static function keyTooLong(
string $key,
int $maxLength,
?Throwable $previous = null
): static {
$message = sprintf(
'Rate limiting key length (%d) exceeds maximum (%d characters)',
strlen($key),
$maxLength
);
return self::withContext($message, [
'parameter' => 'key',
'key_length' => strlen($key),
'max_length' => $maxLength,
], 0, $previous);
}
/**
* Create an exception for a rate limiting key containing invalid characters.
*
* @param string $reason The reason why the key is invalid
* @param Throwable|null $previous Previous exception for chaining
*/
public static function invalidKeyFormat(
string $reason,
?Throwable $previous = null
): static {
return self::withContext($reason, [
'parameter' => 'key',
], 0, $previous);
}
/**
* Create an exception for a generic parameter validation failure.
*
* @param string $parameter The parameter name
* @param mixed $value The invalid value
* @param string $reason The reason why the value is invalid
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forParameter(
string $parameter,
mixed $value,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Invalid rate limit parameter '%s': %s", $parameter, $reason);
return self::withContext($message, [
'parameter' => $parameter,
'value' => $value,
'reason' => $reason,
], 0, $previous);
}
}

104
src/Exceptions/InvalidRegexPatternException.php Normal file
View File

@@ -0,0 +1,104 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
/**
* Exception thrown when a regex pattern is invalid or cannot be compiled.
*
* This exception is thrown when:
* - A regex pattern has invalid syntax
* - A regex pattern cannot be compiled by PHP's PCRE engine
* - A regex pattern is detected as potentially vulnerable to ReDoS attacks
* - A regex pattern compilation results in a PCRE error
*
* @api
*/
class InvalidRegexPatternException extends GdprProcessorException
{
/**
* Create an exception for an invalid regex pattern.
*
* @param string $pattern The invalid regex pattern
* @param string $reason The reason why the pattern is invalid
* @param int $pcreError Optional PCRE error code
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forPattern(
string $pattern,
string $reason,
int $pcreError = 0,
?Throwable $previous = null
): static {
$message = sprintf("Invalid regex pattern '%s': %s", $pattern, $reason);
if ($pcreError !== 0) {
$pcreErrorMessage = self::getPcreErrorMessage($pcreError);
$message .= sprintf(' (PCRE Error: %s)', $pcreErrorMessage);
}
return self::withContext($message, [
'pattern' => $pattern,
'reason' => $reason,
'pcre_error' => $pcreError,
'pcre_error_message' => $pcreError !== 0 ? self::getPcreErrorMessage($pcreError) : null,
], $pcreError, $previous);
}
/**
* Create an exception for a pattern that failed compilation.
*
* @param string $pattern The pattern that failed to compile
* @param int $pcreError The PCRE error code
* @param Throwable|null $previous Previous exception for chaining
*/
public static function compilationFailed(
string $pattern,
int $pcreError,
?Throwable $previous = null
): static {
return self::forPattern($pattern, 'Pattern compilation failed', $pcreError, $previous);
}
/**
* Create an exception for a pattern detected as vulnerable to ReDoS.
*
* @param string $pattern The potentially vulnerable pattern
* @param string $vulnerability Description of the vulnerability
* @param Throwable|null $previous Previous exception for chaining
*
* @return InvalidRegexPatternException&static
*/
public static function redosVulnerable(
string $pattern,
string $vulnerability,
?Throwable $previous = null
): static {
return self::forPattern($pattern, 'Potential ReDoS vulnerability: ' . $vulnerability, 0, $previous);
}
/**
* Get a human-readable error message for a PCRE error code.
*
* @param int $errorCode The PCRE error code
*
* @return string Human-readable error message
* @psalm-return non-empty-string
*/
private static function getPcreErrorMessage(int $errorCode): string
{
return match ($errorCode) {
PREG_NO_ERROR => 'No error',
PREG_INTERNAL_ERROR => 'Internal PCRE error',
PREG_BACKTRACK_LIMIT_ERROR => 'Backtrack limit exceeded',
PREG_RECURSION_LIMIT_ERROR => 'Recursion limit exceeded',
PREG_BAD_UTF8_ERROR => 'Invalid UTF-8 data',
PREG_BAD_UTF8_OFFSET_ERROR => 'Invalid UTF-8 offset',
PREG_JIT_STACKLIMIT_ERROR => 'JIT stack limit exceeded',
default => sprintf('Unknown PCRE error (code: %s)', $errorCode),
};
}
}

177
src/Exceptions/MaskingOperationFailedException.php Normal file
View File

@@ -0,0 +1,177 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
/**
* Exception thrown when a masking operation fails unexpectedly.
*
* This exception is thrown when:
* - A regex replacement operation fails
* - A field path masking operation encounters an error
* - A custom callback masking function throws an exception
* - Data type masking fails due to type conversion issues
* - JSON masking fails due to malformed JSON structures
*
* @api
*/
class MaskingOperationFailedException extends GdprProcessorException
{
/**
* Create an exception for a failed regex masking operation.
*
* @param string $pattern The regex pattern that failed
* @param string $input The input string being processed
* @param string $reason The reason for the failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function regexMaskingFailed(
string $pattern,
string $input,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Regex masking failed for pattern '%s': %s", $pattern, $reason);
return self::withContext($message, [
'operation_type' => 'regex_masking',
'pattern' => $pattern,
'input_length' => strlen($input),
'input_preview' => substr($input, 0, 100) . (strlen($input) > 100 ? '...' : ''),
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for a failed field path masking operation.
*
* @param string $fieldPath The field path that failed
* @param mixed $value The value being masked
* @param string $reason The reason for the failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function fieldPathMaskingFailed(
string $fieldPath,
mixed $value,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Field path masking failed for path '%s': %s", $fieldPath, $reason);
return self::withContext($message, [
'operation_type' => 'field_path_masking',
'field_path' => $fieldPath,
'value_type' => gettype($value),
'value_preview' => self::getValuePreview($value),
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for a failed custom callback masking operation.
*
* @param string $fieldPath The field path with the custom callback
* @param mixed $value The value being processed
* @param string $reason The reason for the failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function customCallbackFailed(
string $fieldPath,
mixed $value,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Custom callback masking failed for path '%s': %s", $fieldPath, $reason);
return self::withContext($message, [
'operation_type' => 'custom_callback',
'field_path' => $fieldPath,
'value_type' => gettype($value),
'value_preview' => self::getValuePreview($value),
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for a failed data type masking operation.
*
* @param string $dataType The data type being masked
* @param mixed $value The value being masked
* @param string $reason The reason for the failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function dataTypeMaskingFailed(
string $dataType,
mixed $value,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Data type masking failed for type '%s': %s", $dataType, $reason);
return self::withContext($message, [
'operation_type' => 'data_type_masking',
'expected_type' => $dataType,
'actual_type' => gettype($value),
'value_preview' => self::getValuePreview($value),
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for a failed JSON masking operation.
*
* @param string $jsonString The JSON string that failed to be processed
* @param string $reason The reason for the failure
* @param int $jsonError Optional JSON error code
* @param Throwable|null $previous Previous exception for chaining
*/
public static function jsonMaskingFailed(
string $jsonString,
string $reason,
int $jsonError = 0,
?Throwable $previous = null
): static {
$message = 'JSON masking failed: ' . $reason;
if ($jsonError !== 0) {
$jsonErrorMessage = json_last_error_msg();
$message .= sprintf(' (JSON Error: %s)', $jsonErrorMessage);
}
return self::withContext($message, [
'operation_type' => 'json_masking',
'json_preview' => substr($jsonString, 0, 200) . (strlen($jsonString) > 200 ? '...' : ''),
'json_length' => strlen($jsonString),
'reason' => $reason,
'json_error' => $jsonError,
'json_error_message' => $jsonError !== 0 ? json_last_error_msg() : null,
], 0, $previous);
}
/**
* Get a safe preview of a value for logging.
*
* @param mixed $value The value to preview
* @return string Safe preview string
*/
private static function getValuePreview(mixed $value): string
{
if (is_string($value)) {
return substr($value, 0, 100) . (strlen($value) > 100 ? '...' : '');
}
if (is_array($value) || is_object($value)) {
$json = json_encode($value, JSON_UNESCAPED_SLASHES | JSON_PARTIAL_OUTPUT_ON_ERROR);
if ($json === false) {
return '[Unable to serialize]';
}
return substr($json, 0, 100) . (strlen($json) > 100 ? '...' : '');
}
return (string) $value;
}
}

102
src/Exceptions/PatternValidationException.php Normal file
View File

@@ -0,0 +1,102 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
/**
* Exception thrown when pattern validation fails.
*
* This exception is thrown when:
* - Regex patterns are invalid or malformed
* - Pattern security validation fails
* - Pattern syntax is incorrect
* - Pattern validation methods encounter errors
*
* @api
*/
class PatternValidationException extends GdprProcessorException
{
/**
* Create an exception for a failed pattern validation.
*
* @param string $pattern The pattern that failed validation
* @param string $reason The reason why validation failed
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forPattern(
string $pattern,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Pattern validation failed for '%s': %s", $pattern, $reason);
return self::withContext($message, [
'pattern' => $pattern,
'reason' => $reason,
], 0, $previous);
}
/**
* Create an exception for multiple pattern validation failures.
*
* @param array<string, string> $failedPatterns Array of pattern => error reason
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forMultiplePatterns(
array $failedPatterns,
?Throwable $previous = null
): static {
$count = count($failedPatterns);
$message = sprintf("Pattern validation failed for %d pattern(s)", $count);
return self::withContext($message, [
'failed_patterns' => $failedPatterns,
'failure_count' => $count,
], 0, $previous);
}
/**
* Create an exception for pattern security validation failure.
*
* @param string $pattern The potentially unsafe pattern
* @param string $securityReason The security concern
* @param Throwable|null $previous Previous exception for chaining
*/
public static function securityValidationFailed(
string $pattern,
string $securityReason,
?Throwable $previous = null
): static {
$message = sprintf("Pattern security validation failed for '%s': %s", $pattern, $securityReason);
return self::withContext($message, [
'pattern' => $pattern,
'security_reason' => $securityReason,
'category' => 'security',
], 0, $previous);
}
/**
* Create an exception for pattern syntax errors.
*
* @param string $pattern The pattern with syntax errors
* @param string $syntaxError The syntax error details
* @param Throwable|null $previous Previous exception for chaining
*/
public static function syntaxError(
string $pattern,
string $syntaxError,
?Throwable $previous = null
): static {
$message = sprintf("Pattern syntax error in '%s': %s", $pattern, $syntaxError);
return self::withContext($message, [
'pattern' => $pattern,
'syntax_error' => $syntaxError,
'category' => 'syntax',
], 0, $previous);
}
}

169
src/Exceptions/RecursionDepthExceededException.php Normal file
View File

@@ -0,0 +1,169 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
/**
* Exception thrown when the maximum recursion depth is exceeded during processing.
*
* This exception is thrown when:
* - The recursion depth limit is exceeded while processing nested structures
* - Circular references are detected in data structures
* - Extremely deep nesting threatens stack overflow
* - The configured maxDepth parameter is reached
*
* @api
*/
class RecursionDepthExceededException extends GdprProcessorException
{
/**
* Create an exception for exceeded recursion depth.
*
* @param int $currentDepth The current recursion depth when the exception occurred
* @param int $maxDepth The maximum allowed recursion depth
* @param string $path The field path where the depth was exceeded
* @param Throwable|null $previous Previous exception for chaining
*/
public static function depthExceeded(
int $currentDepth,
int $maxDepth,
string $path,
?Throwable $previous = null
): static {
$message = sprintf(
"Maximum recursion depth of %d exceeded (current: %d) at path '%s'",
$maxDepth,
$currentDepth,
$path
);
return self::withContext($message, [
'error_type' => 'depth_exceeded',
'current_depth' => $currentDepth,
'max_depth' => $maxDepth,
'field_path' => $path,
'safety_measure' => 'Processing stopped to prevent stack overflow',
], 0, $previous);
}
/**
* Create an exception for potential circular reference detection.
*
* @param string $path The field path where circular reference was detected
* @param int $currentDepth The current recursion depth
* @param int $maxDepth The maximum allowed recursion depth
* @param Throwable|null $previous Previous exception for chaining
*/
public static function circularReferenceDetected(
string $path,
int $currentDepth,
int $maxDepth,
?Throwable $previous = null
): static {
$message = sprintf(
"Potential circular reference detected at path '%s' (depth: %d/%d)",
$path,
$currentDepth,
$maxDepth
);
return self::withContext($message, [
'error_type' => 'circular_reference',
'field_path' => $path,
'current_depth' => $currentDepth,
'max_depth' => $maxDepth,
'safety_measure' => 'Processing stopped to prevent infinite recursion',
], 0, $previous);
}
/**
* Create an exception for extremely deep nesting scenarios.
*
* @param string $dataType The type of data structure causing deep nesting
* @param int $currentDepth The current recursion depth
* @param int $maxDepth The maximum allowed recursion depth
* @param string $path The field path with deep nesting
* @param Throwable|null $previous Previous exception for chaining
*/
public static function extremeNesting(
string $dataType,
int $currentDepth,
int $maxDepth,
string $path,
?Throwable $previous = null
): static {
$message = sprintf(
"Extremely deep nesting detected in %s at path '%s' (depth: %d/%d)",
$dataType,
$path,
$currentDepth,
$maxDepth
);
return self::withContext($message, [
'error_type' => 'extreme_nesting',
'data_type' => $dataType,
'field_path' => $path,
'current_depth' => $currentDepth,
'max_depth' => $maxDepth,
'suggestion' => 'Consider flattening the data structure or increasing maxDepth parameter',
], 0, $previous);
}
/**
* Create an exception for invalid depth configuration.
*
* @param int $invalidDepth The invalid depth value provided
* @param string $reason The reason why the depth is invalid
* @param Throwable|null $previous Previous exception for chaining
*/
public static function invalidDepthConfiguration(
int $invalidDepth,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf('Invalid recursion depth configuration: %d (%s)', $invalidDepth, $reason);
return self::withContext($message, [
'error_type' => 'invalid_configuration',
'invalid_depth' => $invalidDepth,
'reason' => $reason,
'valid_range' => 'Depth must be a positive integer between 1 and 1000',
], 0, $previous);
}
/**
* Create an exception with recommendations for handling deep structures.
*
* @param int $currentDepth The current recursion depth
* @param int $maxDepth The maximum allowed recursion depth
* @param string $path The field path where the issue occurred
* @param array<string> $recommendations List of recommendations
* @param Throwable|null $previous Previous exception for chaining
*/
public static function withRecommendations(
int $currentDepth,
int $maxDepth,
string $path,
array $recommendations,
?Throwable $previous = null
): static {
$message = sprintf(
"Recursion depth limit reached at path '%s' (depth: %d/%d)",
$path,
$currentDepth,
$maxDepth
);
return self::withContext($message, [
'error_type' => 'depth_with_recommendations',
'current_depth' => $currentDepth,
'max_depth' => $maxDepth,
'field_path' => $path,
'recommendations' => $recommendations,
], 0, $previous);
}
}

133
src/Exceptions/RuleExecutionException.php Normal file
View File

@@ -0,0 +1,133 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
/**
* Exception thrown when rule execution fails.
*
* This exception is thrown when:
* - Conditional rules fail during execution
* - Rule callbacks throw errors
* - Rule evaluation encounters runtime errors
* - Custom masking logic fails
* - Rule processing exceeds limits
*
* @api
*/
class RuleExecutionException extends GdprProcessorException
{
/**
* Create an exception for conditional rule execution failure.
*
* @param string $ruleName The rule that failed
* @param string $reason The reason for failure
* @param mixed $context Additional context about the failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forConditionalRule(
string $ruleName,
string $reason,
mixed $context = null,
?Throwable $previous = null
): static {
$message = sprintf("Conditional rule '%s' execution failed: %s", $ruleName, $reason);
$contextData = [
'rule_name' => $ruleName,
'reason' => $reason,
'category' => 'conditional_rule',
];
if ($context !== null) {
$contextData['context'] = $context;
}
return self::withContext($message, $contextData, 0, $previous);
}
/**
* Create an exception for callback execution failure.
*
* @param string $callbackName The callback that failed
* @param string $fieldPath The field path being processed
* @param string $reason The reason for failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forCallback(
string $callbackName,
string $fieldPath,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf(
"Callback '%s' failed for field path '%s': %s",
$callbackName,
$fieldPath,
$reason
);
return self::withContext($message, [
'callback_name' => $callbackName,
'field_path' => $fieldPath,
'reason' => $reason,
'category' => 'callback_execution',
], 0, $previous);
}
/**
* Create an exception for rule timeout.
*
* @param string $ruleName The rule that timed out
* @param float $timeoutSeconds The timeout threshold in seconds
* @param float $actualTime The actual execution time
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forTimeout(
string $ruleName,
float $timeoutSeconds,
float $actualTime,
?Throwable $previous = null
): static {
$message = sprintf(
"Rule '%s' execution timed out after %.3f seconds (limit: %.3f seconds)",
$ruleName,
$actualTime,
$timeoutSeconds
);
return self::withContext($message, [
'rule_name' => $ruleName,
'timeout_seconds' => $timeoutSeconds,
'actual_time' => $actualTime,
'category' => 'timeout',
], 0, $previous);
}
/**
* Create an exception for rule evaluation error.
*
* @param string $ruleName The rule that failed evaluation
* @param mixed $inputData The input data being evaluated
* @param string $reason The reason for evaluation failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forEvaluation(
string $ruleName,
mixed $inputData,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Rule '%s' evaluation failed: %s", $ruleName, $reason);
return self::withContext($message, [
'rule_name' => $ruleName,
'input_data' => $inputData,
'reason' => $reason,
'category' => 'evaluation',
], 0, $previous);
}
}

106
src/Exceptions/ServiceRegistrationException.php Normal file
View File

@@ -0,0 +1,106 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Exceptions;
use Throwable;
/**
* Exception thrown when Laravel service registration fails.
*
* This exception is thrown when:
* - Service provider fails to register GDPR processor
* - Configuration publishing fails
* - Logging channel registration fails
* - Artisan command registration fails
* - Service binding or resolution fails
*
* @api
*/
class ServiceRegistrationException extends GdprProcessorException
{
/**
* Create an exception for channel registration failure.
*
* @param string $channelName The channel that failed to register
* @param string $reason The reason for failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forChannel(
string $channelName,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Failed to register GDPR processor with channel '%s': %s", $channelName, $reason);
return self::withContext($message, [
'channel_name' => $channelName,
'reason' => $reason,
'category' => 'channel_registration',
], 0, $previous);
}
/**
* Create an exception for service binding failure.
*
* @param string $serviceName The service that failed to bind
* @param string $reason The reason for failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forServiceBinding(
string $serviceName,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Failed to bind service '%s': %s", $serviceName, $reason);
return self::withContext($message, [
'service_name' => $serviceName,
'reason' => $reason,
'category' => 'service_binding',
], 0, $previous);
}
/**
* Create an exception for configuration publishing failure.
*
* @param string $configPath The configuration path that failed
* @param string $reason The reason for failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forConfigPublishing(
string $configPath,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Failed to publish configuration to '%s': %s", $configPath, $reason);
return self::withContext($message, [
'config_path' => $configPath,
'reason' => $reason,
'category' => 'config_publishing',
], 0, $previous);
}
/**
* Create an exception for command registration failure.
*
* @param string $commandClass The command class that failed to register
* @param string $reason The reason for failure
* @param Throwable|null $previous Previous exception for chaining
*/
public static function forCommandRegistration(
string $commandClass,
string $reason,
?Throwable $previous = null
): static {
$message = sprintf("Failed to register command '%s': %s", $commandClass, $reason);
return self::withContext($message, [
'command_class' => $commandClass,
'reason' => $reason,
'category' => 'command_registration',
], 0, $previous);
}
}

213
src/FieldMaskConfig.php
View File

@@ -1,11 +1,19 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
use Ivuorinen\MonologGdprFilter\Exceptions\InvalidConfigurationException;
use Ivuorinen\MonologGdprFilter\Exceptions\InvalidRegexPatternException;
use Ivuorinen\MonologGdprFilter\MaskConstants as Mask;
/**
* FieldMaskConfig: config for masking/removal per field path
* FieldMaskConfig: configuration for masking/removal per field path.
*
* @api
*/
final class FieldMaskConfig
final readonly class FieldMaskConfig
{
public const MASK_REGEX = 'mask_regex';
@@ -13,7 +21,206 @@ final class FieldMaskConfig
public const REPLACE = 'replace';
public function __construct(public string $type, public ?string $replacement = null)
public function __construct(
public string $type,
public ?string $replacement = null
) {}
/**
* Create a configuration for field removal.
*/
public static function remove(): self
{
return new self(self::REMOVE);
}
/**
* Create a configuration for static replacement.
*
* @param string $replacement The replacement value
*/
public static function replace(string $replacement): self
{
return new self(self::REPLACE, $replacement);
}
/**
* Create a configuration that uses the processor's global regex patterns.
* This is a shorthand for indicating "apply regex masking from the processor".
*/
public static function useProcessorPatterns(): self
{
return new self(self::MASK_REGEX);
}
/**
* Create a configuration for regex-based masking.
*
* @param string $pattern The regex pattern
* @param string $replacement The replacement string (default: '***MASKED***')
*
* @throws InvalidConfigurationException|InvalidRegexPatternException When pattern
* is empty or invalid, or replacement is empty
*/
public static function regexMask(string $pattern, string $replacement = Mask::MASK_MASKED): self
{
// Validate pattern is not empty
if (trim($pattern) === '') {
throw InvalidConfigurationException::emptyValue('regex pattern');
}
// Validate replacement is not empty
if (trim($replacement) === '') {
throw InvalidConfigurationException::emptyValue('replacement string');
}
// Validate regex pattern syntax
if (!self::isValidRegexPattern($pattern)) {
throw InvalidRegexPatternException::forPattern($pattern, 'Invalid regex pattern syntax');
}
return new self(self::MASK_REGEX, $pattern . '::' . $replacement);
}
/**
* Check if this configuration should remove the field.
*/
public function shouldRemove(): bool
{
return $this->type === self::REMOVE;
}
/**
* Check if this configuration has a regex pattern.
*/
public function hasRegexPattern(): bool
{
return $this->type === self::MASK_REGEX;
}
/**
* Get the regex pattern from a regex mask configuration.
*
* @return string|null The regex pattern or null if not a regex mask
*/
public function getRegexPattern(): ?string
{
if ($this->type !== self::MASK_REGEX || $this->replacement === null) {
return null;
}
$parts = explode('::', $this->replacement, 2);
return $parts[0] ?? null;
}
/**
* Get the replacement value.
*
* @return string|null The replacement value
*/
public function getReplacement(): ?string
{
if ($this->type === self::MASK_REGEX && $this->replacement !== null) {
$parts = explode('::', $this->replacement, 2);
return $parts[1] ?? Mask::MASK_MASKED;
}
return $this->replacement;
}
/**
* Convert to array representation.
*
* @return (null|string)[]
*
* @psalm-return array{type: string, replacement: null|string}
*/
public function toArray(): array
{
return [
'type' => $this->type,
'replacement' => $this->replacement,
];
}
/**
* Create from array representation.
*
* @param array<string, mixed> $data
*
* @throws InvalidConfigurationException|InvalidRegexPatternException When data contains invalid values
*/
public static function fromArray(array $data): self
{
$type = $data['type'] ?? self::REPLACE;
$replacement = $data['replacement'] ?? null;
// Validate type
$validTypes = [self::MASK_REGEX, self::REMOVE, self::REPLACE];
if (!in_array($type, $validTypes, true)) {
$validList = implode(', ', $validTypes);
throw InvalidConfigurationException::forParameter(
'type',
$type,
sprintf("Must be one of: %s", $validList)
);
}
// Validate replacement for REPLACE type - only when explicitly provided
if (
$type === self::REPLACE &&
array_key_exists('replacement', $data) &&
($replacement === null || trim($replacement) === '')
) {
throw InvalidConfigurationException::forParameter(
'replacement',
null,
'Cannot be null or empty for REPLACE type'
);
}
return new self($type, $replacement);
}
/**
* Validate if a regex pattern is syntactically correct.
*
* @param string $pattern The regex pattern to validate
* @return bool True if valid, false otherwise
*/
private static function isValidRegexPattern(string $pattern): bool
{
// Suppress warnings for invalid patterns
$previousErrorReporting = error_reporting(E_ERROR);
try {
// Test the pattern by attempting to use it
/** @psalm-suppress ArgumentTypeCoercion - Pattern validated by caller */
$result = @preg_match($pattern, '');
// Check if preg_match succeeded (returns 0 or 1) or failed (returns false)
$isValid = $result !== false;
// Additional check for PREG errors
if ($isValid && preg_last_error() !== PREG_NO_ERROR) {
$isValid = false;
}
// Additional validation for effectively empty patterns
// Check for patterns that are effectively empty (like '//' or '/\s*/')
// Extract the pattern content between delimiters
if ($isValid && preg_match('/^(.)(.*?)\1[gimuxXs]*$/', $pattern, $matches)) {
$patternContent = $matches[2];
// Reject patterns that are empty or only whitespace-based
if ($patternContent === '' || trim($patternContent) === '' || $patternContent === '\s*') {
$isValid = false;
}
}
return $isValid;
} finally {
// Restore previous error reporting level
error_reporting($previousErrorReporting);
}
}
}

426
src/GdprProcessor.php
View File

@@ -2,6 +2,11 @@
namespace Ivuorinen\MonologGdprFilter;
use Ivuorinen\MonologGdprFilter\Exceptions\PatternValidationException;
use Ivuorinen\MonologGdprFilter\Exceptions\InvalidRegexPatternException;
use Closure;
use Throwable;
use Error;
use Adbar\Dot;
use Monolog\LogRecord;
use Monolog\Processor\ProcessorInterface;
@@ -14,232 +19,278 @@ use Monolog\Processor\ProcessorInterface;
*/
class GdprProcessor implements ProcessorInterface
{
private readonly DataTypeMasker $dataTypeMasker;
private readonly JsonMasker $jsonMasker;
private readonly ContextProcessor $contextProcessor;
private readonly RecursiveProcessor $recursiveProcessor;
/**
* @param array<string,string> $patterns Regex pattern => replacement
* @param array<string,FieldMaskConfig>|string[] $fieldPaths Dot-notation path => FieldMaskConfig
* @param array<string,?callable> $customCallbacks Dot-notation path => callback(value): string
* @param callable|null $auditLogger Opt. audit logger callback:
* @param array<string,FieldMaskConfig|string> $fieldPaths Dot-notation path => FieldMaskConfig
* @param array<string,callable(mixed):string> $customCallbacks Dot-notation path => callback(value): string
* @param callable(string,mixed,mixed):void|null $auditLogger Opt. audit logger callback:
* fn(string $path, mixed $original, mixed $masked)
* @param int $maxDepth Maximum recursion depth for nested structures (default: 100)
* @param array<string,string> $dataTypeMasks Type-based masking: type => mask pattern
* @param array<string,callable(LogRecord):bool> $conditionalRules Conditional masking rules:
* rule_name => condition_callback
*
* @throws \InvalidArgumentException When any parameter is invalid
*/
public function __construct(
private readonly array $patterns,
private readonly array $fieldPaths = [],
private readonly array $customCallbacks = [],
private $auditLogger = null
private $auditLogger = null,
int $maxDepth = 100,
array $dataTypeMasks = [],
private readonly array $conditionalRules = []
) {
// Validate all constructor parameters using InputValidator
InputValidator::validateAll(
$patterns,
$fieldPaths,
$customCallbacks,
$auditLogger,
$maxDepth,
$dataTypeMasks,
$conditionalRules
);
// Pre-validate and cache patterns for better performance
PatternValidator::cachePatterns($patterns);
// Initialize data type masker
$this->dataTypeMasker = new DataTypeMasker($dataTypeMasks, $auditLogger);
// Initialize recursive processor for data structure processing
$this->recursiveProcessor = new RecursiveProcessor(
$this->regExpMessage(...),
$this->dataTypeMasker,
$auditLogger,
$maxDepth
);
// Initialize JSON masker with recursive mask callback
/** @psalm-suppress InvalidArgument - recursiveMask is intentionally impure due to audit logging */
$this->jsonMasker = new JsonMasker(
$this->recursiveProcessor->recursiveMask(...),
$auditLogger
);
// Initialize context processor for field-level operations
$this->contextProcessor = new ContextProcessor(
$fieldPaths,
$customCallbacks,
$auditLogger,
$this->regExpMessage(...)
);
}
/**
* FieldMaskConfig: config for masking/removal per field path using regex.
*/
public static function maskWithRegex(): FieldMaskConfig
{
return new FieldMaskConfig(FieldMaskConfig::MASK_REGEX);
}
/**
* FieldMaskConfig: Remove field from context.
*/
public static function removeField(): FieldMaskConfig
{
return new FieldMaskConfig(FieldMaskConfig::REMOVE);
}
/**
* FieldMaskConfig: Replace field value with a static string.
*/
public static function replaceWith(string $replacement): FieldMaskConfig
{
return new FieldMaskConfig(FieldMaskConfig::REPLACE, $replacement);
}
/**
* Default GDPR regex patterns. Non-exhaustive, should be extended with your own.
* Create a rate-limited audit logger wrapper.
*
* @return array<array-key, string>
* @param callable(string,mixed,mixed):void $auditLogger The underlying audit logger
* @param string $profile Rate limiting profile: 'strict', 'default', 'relaxed', or 'testing'
*/
public static function getDefaultPatterns(): array
{
return [
// Finnish SSN (HETU)
'/\b\d{6}[-+A]?\d{3}[A-Z]\b/u' => '***HETU***',
// US Social Security Number (strict: 3-2-4 digits)
'/^\d{3}-\d{2}-\d{4}$/' => '***USSSN***',
// IBAN (strictly match Finnish IBAN with or without spaces, only valid groupings)
'/^FI\d{2}(?: ?\d{4}){3} ?\d{2}$/u' => '***IBAN***',
// Also match fully compact Finnish IBAN (no spaces)
'/^FI\d{16}$/u' => '***IBAN***',
// International phone numbers (E.164, +countrycode...)
'/^\+\d{1,3}[\s-]?\d{1,4}[\s-]?\d{1,4}[\s-]?\d{1,9}$/' => '***PHONE***',
// Email address
'/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/' => '***EMAIL***',
// Date of birth (YYYY-MM-DD)
'/^(19|20)\d{2}-[01]\d\-[0-3]\d$/' => '***DOB***',
// Date of birth (DD/MM/YYYY)
'/^[0-3]\d\/[01]\d\/(19|20)\d{2}$/' => '***DOB***',
// Passport numbers (A followed by 6 digits)
'/^A\d{6}$/' => '***PASSPORT***',
// Credit card numbers (Visa, MC, Amex, Discover test numbers)
'/^(4111 1111 1111 1111|5500-0000-0000-0004|340000000000009|6011000000000004)$/' => '***CC***',
// Generic 16-digit credit card (for test compatibility)
'/\b[0-9]{16}\b/u' => '***CC***',
// Bearer tokens (JWT, at least 10 chars after Bearer)
'/^Bearer [A-Za-z0-9\-\._~\+\/]{10,}$/' => '***TOKEN***',
// API keys (Stripe-like, 20+ chars, or sk_live|sk_test)
'/^(sk_(live|test)_[A-Za-z0-9]{16,}|[A-Za-z0-9\-_]{20,})$/' => '***APIKEY***',
// MAC addresses
'/^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$/' => '***MAC***',
];
public static function createRateLimitedAuditLogger(
callable $auditLogger,
string $profile = 'default'
): RateLimitedAuditLogger {
return RateLimitedAuditLogger::create($auditLogger, $profile);
}
/**
* Create a simple audit logger that logs to an array (useful for testing).
*
* @param array<array-key, mixed> $logStorage Reference to array for storing logs
* @psalm-param array<array{path: string, original: mixed, masked: mixed}> $logStorage
* @psalm-param-out array<array{path: string, original: mixed, masked: mixed, timestamp: int<1, max>}> $logStorage
* @phpstan-param-out array<array-key, mixed> $logStorage
* @param bool $rateLimited Whether to apply rate limiting (default: false for testing)
*
*
* @psalm-return RateLimitedAuditLogger|Closure(string, mixed, mixed):void
* @psalm-suppress ReferenceConstraintViolation - The closure always sets timestamp, but Psalm can't infer this through RateLimitedAuditLogger wrapper
*/
public static function createArrayAuditLogger(
array &$logStorage,
bool $rateLimited = false
): Closure|RateLimitedAuditLogger {
$baseLogger = function (string $path, mixed $original, mixed $masked) use (&$logStorage): void {
$logStorage[] = [
'path' => $path,
'original' => $original,
'masked' => $masked,
'timestamp' => time()
];
};
return $rateLimited
? self::createRateLimitedAuditLogger($baseLogger, 'testing')
: $baseLogger;
}
/**
* Process a log record to mask sensitive information.
*
* @param LogRecord $record The log record to process
* @return LogRecord The processed log record with masked message and context
*
* @psalm-suppress MissingOverrideAttribute Override is available from PHP 8.3
*/
#[\Override]
public function __invoke(LogRecord $record): LogRecord
{
// Check conditional rules first - if any rule returns false, skip masking
if (!$this->shouldApplyMasking($record)) {
return $record;
}
$message = $this->regExpMessage($record->message);
$context = $record->context;
$accessor = new Dot($context);
$processedFields = [];
if ($this->fieldPaths !== []) {
$this->maskFieldPaths($accessor);
$processedFields = array_merge($processedFields, $this->contextProcessor->maskFieldPaths($accessor));
}
if ($this->customCallbacks !== []) {
$processedFields = array_merge(
$processedFields,
$this->contextProcessor->processCustomCallbacks($accessor)
);
}
if ($this->fieldPaths !== [] || $this->customCallbacks !== []) {
$context = $accessor->all();
// Apply data type masking to the entire context after field/callback processing
$context = $this->dataTypeMasker->applyToContext(
$context,
$processedFields,
'',
$this->recursiveProcessor->recursiveMask(...)
);
} else {
$context = $this->recursiveMask($context);
$context = $this->recursiveProcessor->recursiveMask($context, 0);
}
return $record->with(message: $message, context: $context);
}
/**
* Mask a string using all regex patterns sequentially.
* Check if masking should be applied based on conditional rules.
*/
public function regExpMessage(string $message = ''): string
private function shouldApplyMasking(LogRecord $record): bool
{
foreach ($this->patterns as $regex => $replacement) {
/**
* @var array<array-key, non-empty-string> $regex
*/
$result = @preg_replace($regex, $replacement, $message);
if ($result === null) {
if (is_callable($this->auditLogger)) {
call_user_func($this->auditLogger, 'preg_replace_error', $message, $message);
// If no conditional rules are defined, always apply masking
if ($this->conditionalRules === []) {
return true;
}
// All conditional rules must return true for masking to be applied
foreach ($this->conditionalRules as $ruleName => $ruleCallback) {
try {
if (!$ruleCallback($record)) {
// Log which rule prevented masking
if ($this->auditLogger !== null) {
($this->auditLogger)(
'conditional_skip',
$ruleName,
'Masking skipped due to conditional rule'
);
}
return false;
}
} catch (Throwable $e) {
// If a rule throws an exception, log it and default to applying masking
if ($this->auditLogger !== null) {
$sanitized = SecuritySanitizer::sanitizeErrorMessage($e->getMessage());
$errorMsg = 'Rule error: ' . $sanitized;
($this->auditLogger)('conditional_error', $ruleName, $errorMsg);
}
continue;
}
if ($result === '' || $result === '0') {
// If the result is empty, we can skip further processing
return $message;
}
$message = $result;
}
return $message;
return true;
}
/**
* Mask only specified paths in context (fieldPaths)
* Mask a string using all regex patterns with optimized caching and batch processing.
* Also handles JSON strings within the message.
*/
private function maskFieldPaths(Dot $accessor): void
public function regExpMessage(string $message = ''): string
{
foreach ($this->fieldPaths as $path => $config) {
if (!$accessor->has($path)) {
continue;
}
$value = $accessor->get($path, "");
$action = $this->maskValue($path, $value, $config);
if ($action['remove'] ?? false) {
$accessor->delete($path);
$this->logAudit($path, $value, null);
continue;
}
$masked = $action['masked'];
if ($masked !== null && $masked !== $value) {
$accessor->set($path, $masked);
$this->logAudit($path, $value, $masked);
}
// Early return for empty messages
if ($message === '') {
return $message;
}
// Track original message for empty result protection
$originalMessage = $message;
// Handle JSON strings and regular patterns in a coordinated way
$message = $this->maskMessageWithJsonSupport($message);
return $message === '' || $message === '0' ? $originalMessage : $message;
}
/**
* Mask a single value according to config or callback
* Returns an array: ['masked' => value|null, 'remove' => bool]
*
* @psalm-return array{masked: string|null, remove: bool}
* Mask message content, handling both JSON structures and regular patterns.
*/
private function maskValue(string $path, mixed $value, null|FieldMaskConfig|string $config): array
private function maskMessageWithJsonSupport(string $message): string
{
/** @noinspection PhpArrayIndexImmediatelyRewrittenInspection */
$result = ['masked' => null, 'remove' => false];
if (array_key_exists($path, $this->customCallbacks) && $this->customCallbacks[$path] !== null) {
$result['masked'] = call_user_func($this->customCallbacks[$path], $value);
return $result;
}
// Use JsonMasker to process JSON structures
$result = $this->jsonMasker->processMessage($message);
if ($config instanceof FieldMaskConfig) {
switch ($config->type) {
case FieldMaskConfig::MASK_REGEX:
$result['masked'] = $this->regExpMessage($value);
break;
case FieldMaskConfig::REMOVE:
$result['masked'] = null;
$result['remove'] = true;
break;
case FieldMaskConfig::REPLACE:
$result['masked'] = $config->replacement;
break;
default:
// Return the type as string for unknown types
$result['masked'] = $config->type;
break;
// Now apply regular patterns to the entire result
foreach ($this->patterns as $regex => $replacement) {
try {
/** @psalm-suppress ArgumentTypeCoercion */
$newResult = preg_replace($regex, $replacement, $result, -1, $count);
if ($newResult === null) {
$error = preg_last_error_msg();
if ($this->auditLogger !== null) {
($this->auditLogger)('preg_replace_error', $result, 'Error: ' . $error);
}
continue;
}
if ($count > 0) {
$result = $newResult;
}
} catch (Error $e) {
if ($this->auditLogger !== null) {
($this->auditLogger)('regex_error', $regex, $e->getMessage());
}
continue;
}
} else {
// Backward compatibility: treat string as replacement
$result['masked'] = $config;
}
return $result;
}
/**
* Audit logger helper
* Recursively mask all string values in an array using regex patterns with depth limiting
* and memory-efficient processing for large nested structures.
*
* @param string $path Dot-notation path of the field
* @param mixed $original Original value before masking
* @param null|string $masked Masked value after processing, or null if removed
* @param array<mixed>|string $data
* @param int $currentDepth Current recursion depth
* @return array<mixed>|string
*/
private function logAudit(string $path, mixed $original, string|null $masked): void
public function recursiveMask(array|string $data, int $currentDepth = 0): array|string
{
if (is_callable($this->auditLogger) && $original !== $masked) {
// Only log if the value was actually changed
call_user_func($this->auditLogger, $path, $original, $masked);
}
}
/**
* Recursively mask all string values in an array using regex patterns.
*/
protected function recursiveMask(string|array $data): string|array
{
if (is_string($data)) {
return $this->regExpMessage($data);
}
foreach ($data as $key => $value) {
$data[$key] = $this->recursiveMask($value);
}
return $data;
return $this->recursiveProcessor->recursiveMask($data, $currentDepth);
}
/**
@@ -247,26 +298,71 @@ class GdprProcessor implements ProcessorInterface
*/
public function maskMessage(string $value = ''): string
{
/** @var array<array-key, non-empty-string> $keys */
$keys = array_keys($this->patterns);
$values = array_values($this->patterns);
$result = @preg_replace($keys, $values, $value);
if ($result === null) {
if (is_callable($this->auditLogger)) {
call_user_func($this->auditLogger, 'preg_replace_error', $value, $value);
try {
/** @psalm-suppress ArgumentTypeCoercion */
$result = preg_replace($keys, $values, $value);
if ($result === null) {
$error = preg_last_error_msg();
if ($this->auditLogger !== null) {
($this->auditLogger)('preg_replace_batch_error', $value, 'Error: ' . $error);
}
return $value;
}
return $result;
} catch (Error $error) {
if ($this->auditLogger !== null) {
($this->auditLogger)('regex_batch_error', implode(', ', $keys), $error->getMessage());
}
return $value;
}
return $result;
}
/**
* Set the audit logger callable.
*
* @param callable(string,mixed,mixed):void|null $auditLogger
*/
public function setAuditLogger(?callable $auditLogger): void
{
$this->auditLogger = $auditLogger;
// Propagate to child processors
$this->contextProcessor->setAuditLogger($auditLogger);
$this->recursiveProcessor->setAuditLogger($auditLogger);
}
/**
* Validate an array of patterns for security and syntax.
*
* @param array<string, string> $patterns Array of regex pattern => replacement
*
* @throws \Ivuorinen\MonologGdprFilter\Exceptions\PatternValidationException When patterns are invalid
*/
public static function validatePatternsArray(array $patterns): void
{
try {
PatternValidator::validateAll($patterns);
} catch (InvalidRegexPatternException $e) {
throw PatternValidationException::forMultiplePatterns(
['validation_error' => $e->getMessage()],
$e
);
}
}
/**
* Get default GDPR regex patterns for common sensitive data types.
*
* @return array<string, string>
*/
public static function getDefaultPatterns(): array
{
return DefaultPatterns::get();
}
}

299
src/InputValidator.php Normal file
View File

@@ -0,0 +1,299 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
use Ivuorinen\MonologGdprFilter\Exceptions\InvalidConfigurationException;
use Ivuorinen\MonologGdprFilter\Exceptions\InvalidRegexPatternException;
/**
* Validates constructor parameters for GdprProcessor.
*
* This class is responsible for validating all input parameters
* to ensure they meet the requirements before processing.
*/
final class InputValidator
{
/**
* Validate all constructor parameters for early error detection.
*
* @param array<string,string> $patterns
* @param array<string,FieldMaskConfig|string> $fieldPaths
* @param array<string,callable(mixed):string> $customCallbacks
* @param callable(string,mixed,mixed):void|null $auditLogger
* @param int $maxDepth
* @param array<string,string> $dataTypeMasks
* @param array<string,callable> $conditionalRules
*
* @throws InvalidConfigurationException When any parameter is invalid
*/
public static function validateAll(
array $patterns,
array $fieldPaths,
array $customCallbacks,
mixed $auditLogger,
int $maxDepth,
array $dataTypeMasks,
array $conditionalRules
): void {
self::validatePatterns($patterns);
self::validateFieldPaths($fieldPaths);
self::validateCustomCallbacks($customCallbacks);
self::validateAuditLogger($auditLogger);
self::validateMaxDepth($maxDepth);
self::validateDataTypeMasks($dataTypeMasks);
self::validateConditionalRules($conditionalRules);
}
/**
* Validate patterns array for proper structure and valid regex patterns.
*
* @param array<string,string> $patterns
*
* @throws InvalidConfigurationException When patterns are invalid
*/
public static function validatePatterns(array $patterns): void
{
foreach ($patterns as $pattern => $replacement) {
// Validate pattern key
/** @psalm-suppress DocblockTypeContradiction - Runtime validation for defensive programming */
if (!is_string($pattern)) {
throw InvalidConfigurationException::invalidType(
'pattern',
'string',
gettype($pattern)
);
}
if (trim($pattern) === '') {
throw InvalidConfigurationException::emptyValue('pattern');
}
// Validate replacement value
/** @psalm-suppress DocblockTypeContradiction - Runtime validation for defensive programming */
if (!is_string($replacement)) {
throw InvalidConfigurationException::invalidType(
'pattern replacement',
'string',
gettype($replacement)
);
}
// Validate regex pattern syntax
if (!PatternValidator::isValid($pattern)) {
throw InvalidRegexPatternException::forPattern(
$pattern,
'Invalid regex pattern syntax'
);
}
}
}
/**
* Validate field paths array for proper structure.
*
* @param array<string,FieldMaskConfig|string> $fieldPaths
*
* @throws InvalidConfigurationException When field paths are invalid
*/
public static function validateFieldPaths(array $fieldPaths): void
{
foreach ($fieldPaths as $path => $config) {
// Validate path key
/** @psalm-suppress DocblockTypeContradiction - Runtime validation for defensive programming */
if (!is_string($path)) {
throw InvalidConfigurationException::invalidType(
'field path',
'string',
gettype($path)
);
}
if (trim($path) === '') {
throw InvalidConfigurationException::emptyValue('field path');
}
// Validate config value
/** @psalm-suppress DocblockTypeContradiction - Runtime validation for defensive programming */
if (!($config instanceof FieldMaskConfig) && !is_string($config)) {
throw InvalidConfigurationException::invalidType(
'field path value',
'FieldMaskConfig or string',
gettype($config)
);
}
if (is_string($config) && trim($config) === '') {
throw InvalidConfigurationException::forFieldPath(
$path,
'Cannot have empty string value'
);
}
}
}
/**
* Validate custom callbacks array for proper structure.
*
* @param array<string,callable(mixed):string> $customCallbacks
*
* @throws InvalidConfigurationException When custom callbacks are invalid
*/
public static function validateCustomCallbacks(array $customCallbacks): void
{
foreach ($customCallbacks as $path => $callback) {
// Validate path key
/** @psalm-suppress DocblockTypeContradiction - Runtime validation for defensive programming */
if (!is_string($path)) {
throw InvalidConfigurationException::invalidType(
'custom callback path',
'string',
gettype($path)
);
}
if (trim($path) === '') {
throw InvalidConfigurationException::emptyValue('custom callback path');
}
// Validate callback value
if (!is_callable($callback)) {
throw InvalidConfigurationException::forParameter(
'custom callback for ' . $path,
$callback,
'Must be callable'
);
}
}
}
/**
* Validate audit logger parameter.
*
* @param callable(string,mixed,mixed):void|null $auditLogger
*
* @throws InvalidConfigurationException When audit logger is invalid
*/
public static function validateAuditLogger(mixed $auditLogger): void
{
if ($auditLogger !== null && !is_callable($auditLogger)) {
$type = gettype($auditLogger);
throw InvalidConfigurationException::invalidType(
'audit logger',
'callable or null',
$type
);
}
}
/**
* Validate max depth parameter for reasonable bounds.
*
* @throws InvalidConfigurationException When max depth is invalid
*/
public static function validateMaxDepth(int $maxDepth): void
{
if ($maxDepth <= 0) {
throw InvalidConfigurationException::forParameter(
'max_depth',
$maxDepth,
'Must be a positive integer'
);
}
if ($maxDepth > 1000) {
throw InvalidConfigurationException::forParameter(
'max_depth',
$maxDepth,
'Cannot exceed 1,000 for stack safety'
);
}
}
/**
* Validate data type masks array for proper structure.
*
* @param array<string,string> $dataTypeMasks
*
* @throws InvalidConfigurationException When data type masks are invalid
*/
public static function validateDataTypeMasks(array $dataTypeMasks): void
{
$validTypes = ['integer', 'double', 'string', 'boolean', 'NULL', 'array', 'object', 'resource'];
foreach ($dataTypeMasks as $type => $mask) {
// Validate type key
/** @psalm-suppress DocblockTypeContradiction - Runtime validation for defensive programming */
if (!is_string($type)) {
$typeGot = gettype($type);
throw InvalidConfigurationException::invalidType(
'data type mask key',
'string',
$typeGot
);
}
if (!in_array($type, $validTypes, true)) {
$validList = implode(', ', $validTypes);
throw InvalidConfigurationException::forDataTypeMask(
$type,
null,
"Must be one of: $validList"
);
}
// Validate mask value
/** @psalm-suppress DocblockTypeContradiction - Runtime validation for defensive programming */
if (!is_string($mask)) {
throw InvalidConfigurationException::invalidType(
'data type mask value',
'string',
gettype($mask)
);
}
if (trim($mask) === '') {
throw InvalidConfigurationException::forDataTypeMask(
$type,
'',
'Cannot be empty'
);
}
}
}
/**
* Validate conditional rules array for proper structure.
*
* @param array<string,callable> $conditionalRules
*
* @throws InvalidConfigurationException When conditional rules are invalid
*/
public static function validateConditionalRules(array $conditionalRules): void
{
foreach ($conditionalRules as $ruleName => $callback) {
// Validate rule name key
/** @psalm-suppress DocblockTypeContradiction - Runtime validation for defensive programming */
if (!is_string($ruleName)) {
throw InvalidConfigurationException::invalidType(
'conditional rule name',
'string',
gettype($ruleName)
);
}
if (trim($ruleName) === '') {
throw InvalidConfigurationException::emptyValue('conditional rule name');
}
// Validate callback value
if (!is_callable($callback)) {
throw InvalidConfigurationException::forConditionalRule(
$ruleName,
'Must have a callable callback'
);
}
}
}
}

227
src/JsonMasker.php Normal file
View File

@@ -0,0 +1,227 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
use JsonException;
/**
* Handles JSON structure detection and masking within log messages.
*
* This class provides methods to find JSON structures in strings,
* parse them, apply masking, and re-encode them.
*/
final class JsonMasker
{
/**
* @param callable(array<mixed>|string, int=):array<mixed>|string $recursiveMaskCallback
* @param callable(string, mixed, mixed):void|null $auditLogger
*/
public function __construct(
private $recursiveMaskCallback,
private $auditLogger = null
) {}
/**
* Find and process JSON structures in the message.
*/
public function processMessage(string $message): string
{
$result = '';
$length = strlen($message);
$i = 0;
while ($i < $length) {
$char = $message[$i];
if ($char === '{' || $char === '[') {
// Found potential JSON start, try to extract balanced structure
$jsonCandidate = $this->extractBalancedStructure($message, $i);
if ($jsonCandidate !== null) {
// Process the candidate
$processed = $this->processCandidate($jsonCandidate);
$result .= $processed;
$i += strlen($jsonCandidate);
continue;
}
}
$result .= $char;
$i++;
}
return $result;
}
/**
* Extract a balanced JSON structure starting from the given position.
*/
public function extractBalancedStructure(string $message, int $startPos): ?string
{
$length = strlen($message);
$startChar = $message[$startPos];
$endChar = $startChar === '{' ? '}' : ']';
$level = 0;
$inString = false;
$escaped = false;
for ($i = $startPos; $i < $length; $i++) {
$char = $message[$i];
if ($this->isEscapedCharacter($escaped)) {
$escaped = false;
continue;
}
if ($this->isEscapeStart($char, $inString)) {
$escaped = true;
continue;
}
if ($char === '"') {
$inString = !$inString;
continue;
}
if ($inString) {
continue;
}
$balancedEnd = $this->processStructureChar($char, $startChar, $endChar, $level, $message, $startPos, $i);
if ($balancedEnd !== null) {
return $balancedEnd;
}
}
// No balanced structure found
return null;
}
/**
* Check if current character is escaped.
*/
private function isEscapedCharacter(bool $escaped): bool
{
return $escaped;
}
/**
* Check if current character starts an escape sequence.
*/
private function isEscapeStart(string $char, bool $inString): bool
{
return $char === '\\' && $inString;
}
/**
* Process a structure character (bracket or brace) and update nesting level.
*
* @return string|null Returns the extracted structure if complete, null otherwise
*/
private function processStructureChar(
string $char,
string $startChar,
string $endChar,
int &$level,
string $message,
int $startPos,
int $currentPos
): ?string {
if ($char === $startChar) {
$level++;
} elseif ($char === $endChar) {
$level--;
if ($level === 0) {
// Found complete balanced structure
return substr($message, $startPos, $currentPos - $startPos + 1);
}
}
return null;
}
/**
* Process a potential JSON candidate string.
*/
public function processCandidate(string $potentialJson): string
{
try {
// Try to parse as JSON
$decoded = json_decode($potentialJson, true, 512, JSON_THROW_ON_ERROR);
// If successfully decoded, apply masking and re-encode
if ($decoded !== null) {
$masked = ($this->recursiveMaskCallback)($decoded, 0);
$reEncoded = $this->encodePreservingEmptyObjects($masked, $potentialJson);
if ($reEncoded !== false) {
// Log the operation if audit logger is available
if ($this->auditLogger !== null && $reEncoded !== $potentialJson) {
($this->auditLogger)('json_masked', $potentialJson, $reEncoded);
}
return $reEncoded;
}
}
} catch (JsonException) {
// Not valid JSON, leave as-is to be processed by regular patterns
}
return $potentialJson;
}
/**
* Encode JSON while preserving empty object structures from the original.
*
* @param array<mixed>|string $data The data to encode.
* @param string $originalJson The original JSON string.
*
* @return false|string The encoded JSON string or false on failure.
*/
public function encodePreservingEmptyObjects(array|string $data, string $originalJson): string|false
{
// Handle simple empty cases first
if (in_array($data, ['', '0', []], true)) {
if ($originalJson === '{}') {
return '{}';
}
if ($originalJson === '[]') {
return '[]';
}
}
// Encode the processed data
$encoded = json_encode($data, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
if ($encoded === false) {
return false;
}
// Fix empty arrays that should be empty objects by comparing with original
return $this->fixEmptyObjects($encoded, $originalJson);
}
/**
* Fix empty arrays that should be empty objects in the encoded JSON.
*/
public function fixEmptyObjects(string $encoded, string $original): string
{
// Count empty objects in original and empty arrays in encoded
$originalEmptyObjects = substr_count($original, '{}');
$encodedEmptyArrays = substr_count($encoded, '[]');
// If we lost empty objects (they became arrays), fix them
if ($originalEmptyObjects > 0 && $encodedEmptyArrays >= $originalEmptyObjects) {
// Replace empty arrays with empty objects, up to the number we had originally
for ($i = 0; $i < $originalEmptyObjects; $i++) {
$encoded = preg_replace('/\[\]/', '{}', $encoded, 1) ?? $encoded;
}
}
return $encoded;
}
}

216
src/Laravel/Commands/GdprDebugCommand.php Normal file
View File

@@ -0,0 +1,216 @@
<?php
namespace Ivuorinen\MonologGdprFilter\Laravel\Commands;
use Monolog\LogRecord;
use DateTimeImmutable;
use Monolog\Level;
use JsonException;
use Illuminate\Console\Command;
use Ivuorinen\MonologGdprFilter\GdprProcessor;
use Ivuorinen\MonologGdprFilter\Exceptions\CommandExecutionException;
/**
* Artisan command for debugging GDPR configuration and testing.
*
* This command provides information about the current GDPR configuration
* and allows testing with sample log data.
*
* @api
* @psalm-suppress PropertyNotSetInConstructor
*/
class GdprDebugCommand extends Command
{
private const COMMAND_NAME = 'gdpr:debug';
/**
* The name and signature of the console command.
*
* @var string
*/
protected $signature = 'gdpr:debug
{--test-data= : JSON string of sample data to test}
{--show-patterns : Show all configured patterns}
{--show-config : Show current configuration}';
/**
* The console command description.
*
* @var string
*/
protected $description = 'Debug GDPR configuration and test with sample data';
/**
* Execute the console command.
*/
public function handle(): int
{
$this->info('GDPR Filter Debug Information');
$this->line('=============================');
// Show configuration if requested
if ((bool)$this->option('show-config')) {
$this->showConfiguration();
}
// Show patterns if requested
if ((bool)$this->option('show-patterns')) {
$this->showPatterns();
}
// Test with sample data if provided
$testData = (string)$this->option('test-data');
if ($testData !== '' && $testData !== '0') {
$this->testWithSampleData($testData);
}
if (!$this->option('show-config') && !$this->option('show-patterns') && !$testData) {
$this->showSummary();
}
return 0;
}
/**
* Show current GDPR configuration.
*/
protected function showConfiguration(): void
{
$this->line('');
$this->info('Current Configuration:');
$this->line('----------------------');
$config = \config('gdpr', []);
$this->line('Auto Register: ' . ($config['auto_register'] ?? true ? 'Yes' : 'No'));
$this->line('Max Depth: ' . ($config['max_depth'] ?? 100));
$this->line('Audit Logging: ' . (($config['audit_logging']['enabled'] ?? false) ? 'Enabled' : 'Disabled'));
$channels = $config['channels'] ?? [];
$this->line('Channels: ' . (empty($channels) ? 'None' : implode(', ', $channels)));
$fieldPaths = $config['field_paths'] ?? [];
$this->line('Field Paths: ' . count($fieldPaths) . ' configured');
$customCallbacks = $config['custom_callbacks'] ?? [];
$this->line('Custom Callbacks: ' . count($customCallbacks) . ' configured');
}
/**
* Show all configured patterns.
*/
protected function showPatterns(): void
{
$this->line('');
$this->info('Configured Patterns:');
$this->line('--------------------');
$config = \config('gdpr', []);
/**
* @var array<string, mixed>|null $patterns
*/
$patterns = $config['patterns'] ?? null;
if (count($patterns) === 0 && empty($patterns)) {
$this->line('No patterns configured - using defaults');
$patterns = GdprProcessor::getDefaultPatterns();
}
foreach ($patterns as $pattern => $replacement) {
$this->line(sprintf('%s => %s', $pattern, $replacement));
}
$this->line('');
$this->line('Total patterns: ' . count($patterns));
}
/**
* Test GDPR processing with sample data.
*/
protected function testWithSampleData(string $testData): void
{
$this->line('');
$this->info('Testing with sample data:');
$this->line('-------------------------');
try {
$data = json_decode($testData, true, 512, JSON_THROW_ON_ERROR);
$processor = \app('gdpr.processor');
// Test with a sample log record
$logRecord = new LogRecord(
datetime: new DateTimeImmutable(),
channel: 'test',
level: Level::Info,
message: $data['message'] ?? 'Test message',
context: $data['context'] ?? []
);
$result = $processor($logRecord);
$this->line('Original Message: ' . $logRecord->message);
$this->line('Processed Message: ' . $result->message);
if ($logRecord->context !== []) {
$this->line('');
$this->line('Original Context:');
$this->line((string)json_encode($logRecord->context, JSON_PRETTY_PRINT));
$this->line('Processed Context:');
$this->line((string)json_encode($result->context, JSON_PRETTY_PRINT));
}
} catch (JsonException $e) {
throw CommandExecutionException::forJsonProcessing(
self::COMMAND_NAME,
$testData,
$e->getMessage(),
$e
);
} catch (\Throwable $e) {
throw CommandExecutionException::forOperation(
self::COMMAND_NAME,
'data processing',
$e->getMessage(),
$e
);
}
}
/**
* Show summary information.
*/
protected function showSummary(): void
{
$this->line('');
$this->info('Quick Summary:');
$this->line('--------------');
try {
\app('gdpr.processor');
$this->line('<info>✓</info> GDPR processor is registered and ready');
$config = \config('gdpr', []);
$patterns = $config['patterns'] ?? GdprProcessor::getDefaultPatterns();
$this->line('Patterns configured: ' . count($patterns));
} catch (\Throwable $exception) {
throw CommandExecutionException::forOperation(
self::COMMAND_NAME,
'configuration check',
'GDPR processor is not properly configured: ' . $exception->getMessage(),
$exception
);
}
$this->line('');
$this->info('Available options:');
$this->line(' --show-config Show current configuration');
$this->line(' --show-patterns Show all regex patterns');
$this->line(' --test-data Test with JSON sample data');
$this->line('');
$this->info('Example usage:');
$this->line(' php artisan gdpr:debug --show-config');
$this->line(' php artisan gdpr:debug --test-data=\'{"message":"Email: test@example.com"}\'');
}
}

191
src/Laravel/Commands/GdprTestPatternCommand.php Normal file
View File

@@ -0,0 +1,191 @@
<?php
namespace Ivuorinen\MonologGdprFilter\Laravel\Commands;
use Illuminate\Console\Command;
use Ivuorinen\MonologGdprFilter\GdprProcessor;
use Ivuorinen\MonologGdprFilter\Exceptions\PatternValidationException;
use Ivuorinen\MonologGdprFilter\Exceptions\CommandExecutionException;
/**
* Artisan command for testing GDPR regex patterns.
*
* This command allows developers to test regex patterns against sample data
* to ensure they work correctly before deploying to production.
*
* @api
* @psalm-suppress PropertyNotSetInConstructor
*/
class GdprTestPatternCommand extends Command
{
/**
* The name and signature of the console command.
*
* @var string
*/
protected $signature = 'gdpr:test-pattern
{pattern : The regex pattern to test}
{replacement : The replacement text}
{test-string : The string to test against}
{--validate : Validate the pattern for security}';
/**
* The console command description.
*
* @var string
*/
protected $description = 'Test GDPR regex patterns against sample data';
/**
* Execute the console command.
*
* @psalm-return 0|1
*/
public function handle(): int
{
$args = $this->extractAndNormalizeArguments();
$pattern = $args[0];
$replacement = $args[1];
$testString = $args[2];
$validate = $args[3];
$this->displayTestHeader($pattern, $replacement, $testString);
if ($validate && !$this->validatePattern($pattern, $replacement)) {
return 1;
}
return $this->executePatternTest($pattern, $replacement, $testString);
}
/**
* Extract and normalize command arguments.
*
* @return array{string, string, string, bool}
*/
private function extractAndNormalizeArguments(): array
{
$pattern = $this->argument('pattern');
$replacement = $this->argument('replacement');
$testString = $this->argument('test-string');
$validate = $this->option('validate');
$pattern = is_array($pattern) ? $pattern[0] : $pattern;
$replacement = is_array($replacement) ? $replacement[0] : $replacement;
$testString = is_array($testString) ? $testString[0] : $testString;
$validate = is_bool($validate) ? $validate : (bool) $validate;
return [
(string) ($pattern ?? ''),
(string) ($replacement ?? ''),
(string) ($testString ?? ''),
$validate,
];
}
/**
* Display the test header with pattern information.
*/
private function displayTestHeader(string $pattern, string $replacement, string $testString): void
{
$this->info('Testing GDPR Pattern');
$this->line('====================');
$this->line('Pattern: ' . $pattern);
$this->line('Replacement: ' . $replacement);
$this->line('Test String: ' . $testString);
$this->line('');
}
/**
* Validate the pattern if requested.
*/
private function validatePattern(string $pattern, string $replacement): bool
{
$this->info('Validating pattern...');
try {
GdprProcessor::validatePatternsArray([$pattern => $replacement]);
$this->line('<info>✓</info> Pattern is valid and secure');
} catch (PatternValidationException $e) {
$this->error('✗ Pattern validation failed: ' . $e->getMessage());
return false;
}
$this->line('');
return true;
}
/**
* Execute the pattern test.
*/
private function executePatternTest(string $pattern, string $replacement, string $testString): int
{
$this->info('Testing pattern match...');
try {
$this->validateInputs($pattern, $testString);
$processor = new GdprProcessor([$pattern => $replacement]);
$result = $processor->regExpMessage($testString);
$this->displayTestResult($result, $testString);
$this->showMatchDetails($pattern, $testString);
} catch (CommandExecutionException $exception) {
$this->error('✗ Pattern test failed: ' . $exception->getMessage());
return 1;
}
return 0;
}
/**
* Validate inputs are not empty.
*/
private function validateInputs(string $pattern, string $testString): void
{
if ($pattern === '' || $pattern === '0') {
throw CommandExecutionException::forInvalidInput(
'gdpr:test-pattern',
'pattern',
$pattern,
'Pattern cannot be empty'
);
}
if ($testString === '' || $testString === '0') {
throw CommandExecutionException::forInvalidInput(
'gdpr:test-pattern',
'test-string',
$testString,
'Test string cannot be empty'
);
}
}
/**
* Display the test result.
*/
private function displayTestResult(string $result, string $testString): void
{
if ($result === $testString) {
$this->line('<comment>-</comment> No match found - string unchanged');
} else {
$this->line('<info>✓</info> Pattern matched!');
$this->line('Result: ' . $result);
}
}
/**
* Show detailed matching information.
*/
private function showMatchDetails(string $pattern, string $testString): void
{
$matches = [];
if (preg_match($pattern, $testString, $matches)) {
$this->line('');
$this->info('Match details:');
foreach ($matches as $index => $match) {
$this->line(sprintf(' [%s]: %s', $index, $match));
}
}
}
}

36
src/Laravel/Facades/Gdpr.php Normal file
View File

@@ -0,0 +1,36 @@
<?php
namespace Ivuorinen\MonologGdprFilter\Laravel\Facades;
use Ivuorinen\MonologGdprFilter\FieldMaskConfig;
use Monolog\LogRecord;
use Illuminate\Support\Facades\Facade;
/**
* Laravel Facade for GDPR Processor.
*
* @method static string regExpMessage(string $message = '')
* @method static array<string, string> getDefaultPatterns()
* @method static FieldMaskConfig maskWithRegex()
* @method static FieldMaskConfig removeField()
* @method static FieldMaskConfig replaceWith(string $replacement)
* @method static void validatePatterns(array<string, string> $patterns)
* @method static void clearPatternCache()
* @method static LogRecord __invoke(LogRecord $record)
*
* @see \Ivuorinen\MonologGdprFilter\GdprProcessor
* @api
*/
class Gdpr extends Facade
{
/**
* Get the registered name of the component.
*
*
* @psalm-return 'gdpr.processor'
*/
protected static function getFacadeAccessor(): string
{
return 'gdpr.processor';
}
}

115
src/Laravel/GdprServiceProvider.php Normal file
View File

@@ -0,0 +1,115 @@
<?php
namespace Ivuorinen\MonologGdprFilter\Laravel;
use Illuminate\Contracts\Foundation\Application;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\ServiceProvider;
use Illuminate\Support\Carbon;
use Ivuorinen\MonologGdprFilter\GdprProcessor;
use Ivuorinen\MonologGdprFilter\Laravel\Commands\GdprTestPatternCommand;
use Ivuorinen\MonologGdprFilter\Laravel\Commands\GdprDebugCommand;
use Ivuorinen\MonologGdprFilter\Exceptions\ServiceRegistrationException;
/**
* Laravel Service Provider for Monolog GDPR Filter.
*
* This service provider automatically registers the GDPR processor with Laravel's logging system
* and provides configuration management and artisan commands.
*
* @api
*/
class GdprServiceProvider extends ServiceProvider
{
/**
* Register services.
*/
public function register(): void
{
$this->mergeConfigFrom(__DIR__ . '/../../config/gdpr.php', 'gdpr');
$this->app->singleton('gdpr.processor', function (Application $app): GdprProcessor {
$config = $app->make('config')->get('gdpr', []);
$patterns = $config['patterns'] ?? GdprProcessor::getDefaultPatterns();
$fieldPaths = $config['field_paths'] ?? [];
$customCallbacks = $config['custom_callbacks'] ?? [];
$maxDepth = $config['max_depth'] ?? 100;
$auditLogger = null;
if ($config['audit_logging']['enabled'] ?? false) {
$auditLogger = function (string $path, mixed $original, mixed $masked): void {
Log::channel('gdpr-audit')->info('GDPR Processing', [
'path' => $path,
'original_type' => gettype($original),
'was_masked' => $original !== $masked,
'timestamp' => Carbon::now()->toISOString(),
]);
};
}
return new GdprProcessor(
$patterns,
$fieldPaths,
$customCallbacks,
$auditLogger,
$maxDepth
);
});
$this->app->alias('gdpr.processor', GdprProcessor::class);
}
/**
* Bootstrap services.
*/
public function boot(): void
{
// Publish configuration file
$this->publishes([
__DIR__ . '/../../config/gdpr.php' => $this->app->configPath('gdpr.php'),
], 'gdpr-config');
// Register artisan commands
if ($this->app->runningInConsole()) {
$this->commands([
GdprTestPatternCommand::class,
GdprDebugCommand::class,
]);
}
// Auto-register with Laravel's logging system if enabled
if (\config('gdpr.auto_register', true)) {
$this->registerWithLogging();
}
}
/**
* Automatically register GDPR processor with Laravel's logging channels.
*/
protected function registerWithLogging(): void
{
$logger = $this->app->make('log');
$processor = $this->app->make('gdpr.processor');
// Get channels to apply GDPR processing to
$channels = \config('gdpr.channels', ['single', 'daily', 'stack']);
foreach ($channels as $channelName) {
try {
$channelLogger = $logger->channel($channelName);
if (method_exists($channelLogger, 'pushProcessor')) {
$channelLogger->pushProcessor($processor);
}
} catch (\Throwable $e) {
// Log proper service registration failure but continue with other channels
$exception = ServiceRegistrationException::forChannel(
$channelName,
$e->getMessage(),
$e
);
Log::debug('GDPR service registration warning: ' . $exception->getMessage());
}
}
}
}

207
src/Laravel/Middleware/GdprLogMiddleware.php Normal file
View File

@@ -0,0 +1,207 @@
<?php
/**
* Laravel Middleware for GDPR-compliant logging using MonologGdprFilter.
* This middleware logs HTTP requests and responses while filtering out sensitive data
* according to GDPR guidelines.
*/
namespace Ivuorinen\MonologGdprFilter\Laravel\Middleware;
use JsonException;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Ivuorinen\MonologGdprFilter\GdprProcessor;
use Ivuorinen\MonologGdprFilter\MaskConstants;
/**
* Middleware for GDPR-compliant request/response logging.
*
* This middleware automatically logs HTTP requests and responses
* with GDPR filtering applied to sensitive data.
*
* @api
*/
class GdprLogMiddleware
{
private const LOG_MESSAGE_HTTP_RESPONSE = 'HTTP Response';
protected GdprProcessor $processor;
public function __construct(GdprProcessor $processor)
{
$this->processor = $processor;
}
/**
* Handle an incoming request.
*
* @param Request $request
* @param Closure $next
* @return mixed
*/
public function handle(Request $request, Closure $next)
{
$startTime = microtime(true);
// Log the incoming request
$this->logRequest($request);
// Process the request
$response = $next($request);
// Log the response
$this->logResponse($request, $response, $startTime);
return $response;
}
/**
* Log the incoming request with GDPR filtering.
*/
protected function logRequest(Request $request): void
{
$requestData = [
'method' => $request->method(),
'url' => $request->fullUrl(),
'ip' => $request->ip(),
'user_agent' => $request->userAgent(),
'headers' => $this->filterHeaders($request->headers->all()),
'query' => $request->query(),
'body' => $this->getRequestBody($request),
];
// Apply GDPR filtering to the entire request data
$filteredData = $this->processor->recursiveMask($requestData);
Log::info('HTTP Request', $filteredData);
}
/**
* Log the response with GDPR filtering.
*
* @param \Illuminate\Http\Response|\Symfony\Component\HttpFoundation\Response $response
*/
protected function logResponse(Request $request, mixed $response, float $startTime): void
{
$duration = round((microtime(true) - $startTime) * 1000, 2);
$responseData = [
'status' => $response->getStatusCode(),
'duration_ms' => $duration,
'memory_mb' => round(memory_get_peak_usage(true) / 1024 / 1024, 2),
'content_length' => $response->headers->get('Content-Length'),
'response_headers' => $this->filterHeaders($response->headers->all()),
];
// Only log response body for errors or if specifically configured
if ($response->getStatusCode() >= 400 && config('gdpr.log_error_responses', false)) {
$responseData['body'] = $this->getResponseBody($response);
}
// Apply GDPR filtering
$filteredData = $this->processor->recursiveMask($responseData);
$level = $response->getStatusCode() >= 500 ? 'error' : ($response->getStatusCode() >= 400 ? 'warning' : 'info');
match ($level) {
'error' => Log::error(self::LOG_MESSAGE_HTTP_RESPONSE, array_merge(
['method' => $request->method(), 'url' => $request->fullUrl()],
$filteredData
)),
'warning' => Log::warning(self::LOG_MESSAGE_HTTP_RESPONSE, array_merge(
['method' => $request->method(), 'url' => $request->fullUrl()],
$filteredData
)),
default => Log::info(self::LOG_MESSAGE_HTTP_RESPONSE, array_merge(
['method' => $request->method(), 'url' => $request->fullUrl()],
$filteredData
))
};
}
/**
* Get request body safely.
*/
protected function getRequestBody(Request $request): mixed
{
// Only log body for specific content types and methods
if (!in_array($request->method(), ['POST', 'PUT', 'PATCH', 'DELETE'])) {
return null;
}
$contentType = $request->header('Content-Type', '');
if (str_contains($contentType, 'application/json')) {
return $request->json()->all();
}
if (str_contains($contentType, 'application/x-www-form-urlencoded')) {
return $request->all();
}
if (str_contains($contentType, 'multipart/form-data')) {
// Don't log file uploads, just the form fields
return $request->except(['_token']) + ['files' => array_keys($request->allFiles())];
}
return null;
}
/**
* Get response body safely.
*
* @param \Illuminate\Http\Response|\Symfony\Component\HttpFoundation\Response $response
*/
protected function getResponseBody(mixed $response): mixed
{
if (!method_exists($response, 'getContent')) {
return null;
}
$content = $response->getContent();
// Try to decode JSON responses
if (
is_object($response) && property_exists($response, 'headers') &&
$response->headers->get('Content-Type') &&
str_contains((string) $response->headers->get('Content-Type'), 'application/json')
) {
try {
return json_decode((string) $content, true, 512, JSON_THROW_ON_ERROR);
} catch (JsonException) {
return ['error' => 'Invalid JSON response'];
}
}
// For other content types, limit length to prevent massive logs
return strlen((string) $content) > 1000 ? substr((string) $content, 0, 1000) . '...' : $content;
}
/**
* Filter sensitive headers.
*
* @param array<string, mixed> $headers
* @return array<string, mixed>
*/
protected function filterHeaders(array $headers): array
{
$sensitiveHeaders = [
'authorization',
'x-api-key',
'x-auth-token',
'cookie',
'set-cookie',
'php-auth-user',
'php-auth-pw',
];
$filtered = [];
foreach ($headers as $name => $value) {
$filtered[$name] = in_array(strtolower($name), $sensitiveHeaders) ? [MaskConstants::MASK_FILTERED] : $value;
}
return $filtered;
}
}

90
src/MaskConstants.php Normal file
View File

@@ -0,0 +1,90 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
/**
* Constants for mask replacement values.
*
* This class provides standardized mask values to avoid duplication
* and ensure consistency across the codebase.
*/
final class MaskConstants
{
// Data type masks
public const MASK_INT = '***INT***';
public const MASK_FLOAT = '***FLOAT***';
public const MASK_STRING = '***STRING***';
public const MASK_BOOL = '***BOOL***';
public const MASK_NULL = '***NULL***';
public const MASK_ARRAY = '***ARRAY***';
public const MASK_OBJECT = '***OBJECT***';
public const MASK_RESOURCE = '***RESOURCE***';
// Generic masks
public const MASK_GENERIC = '***'; // Simple generic mask
public const MASK_MASKED = '***MASKED***';
public const MASK_REDACTED = '***REDACTED***';
public const MASK_FILTERED = '***FILTERED***';
public const MASK_BRACKETS = '[MASKED]';
// Personal identifiers
public const MASK_HETU = '***HETU***'; // Finnish SSN
public const MASK_SSN = '***SSN***'; // Generic SSN
public const MASK_USSSN = '***USSSN***'; // US SSN
public const MASK_UKNI = '***UKNI***'; // UK National Insurance
public const MASK_CASIN = '***CASIN***'; // Canadian SIN
public const MASK_PASSPORT = '***PASSPORT***';
// Financial information
public const MASK_IBAN = '***IBAN***';
public const MASK_CC = '***CC***'; // Credit Card
public const MASK_CARD = '***CARD***'; // Credit Card (alternative)
public const MASK_UKBANK = '***UKBANK***';
public const MASK_CABANK = '***CABANK***';
// Contact information
public const MASK_EMAIL = '***EMAIL***';
public const MASK_PHONE = '***PHONE***';
public const MASK_IP = '***IP***';
// Security tokens and keys
public const MASK_TOKEN = '***TOKEN***';
public const MASK_APIKEY = '***APIKEY***';
public const MASK_SECRET = '***SECRET***';
// Personal data
public const MASK_DOB = '***DOB***'; // Date of Birth
public const MASK_MAC = '***MAC***'; // MAC Address
// Vehicle and identification
public const MASK_VEHICLE = '***VEHICLE***';
// Healthcare
public const MASK_MEDICARE = '***MEDICARE***';
public const MASK_EHIC = '***EHIC***'; // European Health Insurance Card
// Custom/Internal
public const MASK_INTERNAL = '***INTERNAL***';
public const MASK_CUSTOMER = '***CUSTOMER***';
public const MASK_NUMBER = '***NUMBER***';
public const MASK_ITEM = '***ITEM***';
// Custom mask patterns for partial masking
public const MASK_SSN_PATTERN = '***-**-****'; // SSN with format preserved
public const MASK_EMAIL_PATTERN = '***@***.***'; // Email with format preserved
// Error states
public const MASK_INVALID = '***INVALID***';
public const MASK_TOOLONG = '***TOOLONG***';
public const MASK_ERROR = '***ERROR***';
/**
* Prevent instantiation.
*
* @psalm-suppress UnusedConstructor
*/
private function __construct()
{}
}

192
src/PatternValidator.php Normal file
View File

@@ -0,0 +1,192 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
use Error;
use Ivuorinen\MonologGdprFilter\Exceptions\InvalidRegexPatternException;
/**
* Validates regex patterns for safety and correctness.
*
* This class provides pattern validation with ReDoS (Regular Expression Denial of Service)
* protection and caching for improved performance.
*/
final class PatternValidator
{
/**
* Static cache for compiled regex patterns to improve performance.
* @var array<string, bool>
*/
private static array $validPatternCache = [];
/**
* Clear the pattern validation cache (useful for testing).
*/
public static function clearCache(): void
{
self::$validPatternCache = [];
}
/**
* Validate that a regex pattern is safe and well-formed.
* This helps prevent regex injection and ReDoS attacks.
*/
public static function isValid(string $pattern): bool
{
// Check cache first
if (isset(self::$validPatternCache[$pattern])) {
return self::$validPatternCache[$pattern];
}
$isValid = true;
// Check for basic regex structure
if (strlen($pattern) < 3) {
$isValid = false;
}
// Must start and end with delimiters
if ($isValid) {
$firstChar = $pattern[0];
$lastDelimPos = strrpos($pattern, $firstChar);
if ($lastDelimPos === false || $lastDelimPos === 0) {
$isValid = false;
}
}
// Enhanced ReDoS protection - check for potentially dangerous patterns
if ($isValid && self::hasDangerousPattern($pattern)) {
$isValid = false;
}
// Test if the pattern is valid by trying to compile it
if ($isValid) {
set_error_handler(
/**
* @return true
*/
static fn(): bool => true
);
try {
/** @psalm-suppress ArgumentTypeCoercion */
$result = preg_match($pattern, '');
$isValid = $result !== false;
} catch (Error) {
$isValid = false;
} finally {
restore_error_handler();
}
}
self::$validPatternCache[$pattern] = $isValid;
return $isValid;
}
/**
* Check if a pattern contains dangerous constructs that could cause ReDoS.
*/
private static function hasDangerousPattern(string $pattern): bool
{
$dangerousPatterns = [
// Nested quantifiers (classic ReDoS patterns)
'/\([^)]*\+[^)]*\)\+/', // (a+)+ pattern
'/\([^)]*\*[^)]*\)\*/', // (a*)* pattern
'/\([^)]*\+[^)]*\)\*/', // (a+)* pattern
'/\([^)]*\*[^)]*\)\+/', // (a*)+ pattern
// Alternation with overlapping patterns
'/\([^|)]*\|[^|)]*\)\*/', // (a|a)* pattern
'/\([^|)]*\|[^|)]*\)\+/', // (a|a)+ pattern
// Complex nested structures
'/\(\([^)]*\+[^)]*\)[^)]*\)\+/', // ((a+)...)+ pattern
// Character classes with nested quantifiers
'/\[[^\]]*\]\*\*/', // [a-z]** pattern
'/\[[^\]]*\]\+\+/', // [a-z]++ pattern
'/\([^)]*\[[^\]]*\][^)]*\)\*/', // ([a-z])* pattern
'/\([^)]*\[[^\]]*\][^)]*\)\+/', // ([a-z])+ pattern
// Lookahead/lookbehind with quantifiers
'/\(\?\=[^)]*\)\([^)]*\)\+/', // (?=...)(...)+
'/\(\?\<[^)]*\)\([^)]*\)\+/', // (?<...)(...)+
// Word boundaries with dangerous quantifiers
'/\\\\w\+\*/', // \w+* pattern
'/\\\\w\*\+/', // \w*+ pattern
// Dot with dangerous quantifiers
'/\.\*\*/', // .** pattern
'/\.\+\+/', // .++ pattern
'/\(\.\*\)\+/', // (.*)+ pattern
'/\(\.\+\)\*/', // (.+)* pattern
// Legacy dangerous patterns (keeping for backward compatibility)
'/\(\?.*\*.*\+/', // (?:...*...)+
'/\(.*\*.*\).*\*/', // (...*...).*
// Overlapping alternation patterns - catastrophic backtracking
'/\(\.\*\s*\|\s*\.\*\)/', // (.*|.*) pattern - identical alternations
'/\(\.\+\s*\|\s*\.\+\)/', // (.+|.+) pattern - identical alternations
// Multiple alternations with overlapping/expanding strings causing exponential backtracking
// Matches patterns like (a|ab|abc|abcd)* where alternatives overlap/extend each other
'/\([a-zA-Z0-9]+(\s*\|\s*[a-zA-Z0-9]+){2,}\)\*/',
'/\([a-zA-Z0-9]+(\s*\|\s*[a-zA-Z0-9]+){2,}\)\+/',
];
foreach ($dangerousPatterns as $dangerousPattern) {
if (preg_match($dangerousPattern, $pattern)) {
return true;
}
}
return false;
}
/**
* Pre-validate patterns during construction for better runtime performance.
*
* @param array<string, string> $patterns
*/
public static function cachePatterns(array $patterns): void
{
foreach (array_keys($patterns) as $pattern) {
if (!isset(self::$validPatternCache[$pattern])) {
self::$validPatternCache[$pattern] = self::isValid($pattern);
}
}
}
/**
* Validate all patterns for security before use.
* This method can be called to validate patterns before creating a processor.
*
* @param array<string, string> $patterns
* @throws InvalidRegexPatternException If any pattern is invalid or unsafe
*/
public static function validateAll(array $patterns): void
{
foreach (array_keys($patterns) as $pattern) {
if (!self::isValid($pattern)) {
throw InvalidRegexPatternException::forPattern(
$pattern,
'Pattern failed validation or is potentially unsafe'
);
}
}
}
/**
* Get the current pattern cache.
*
* @return array<string, bool>
*/
public static function getCache(): array
{
return self::$validPatternCache;
}
}

177
src/RateLimitedAuditLogger.php Normal file
View File

@@ -0,0 +1,177 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
/**
* Rate-limited wrapper for audit logging to prevent log flooding.
*
* This class wraps any audit logger callable and applies rate limiting
* to prevent overwhelming the audit system with too many log entries.
*
* @api
*/
class RateLimitedAuditLogger
{
private readonly RateLimiter $rateLimiter;
/**
* @param callable(string,mixed,mixed):void $auditLogger The underlying audit logger
* @param int $maxRequestsPerMinute Maximum audit log entries per minute (default: 100)
* @param int $windowSeconds Time window for rate limiting in seconds (default: 60)
*/
public function __construct(
private readonly mixed $auditLogger,
int $maxRequestsPerMinute = 100,
int $windowSeconds = 60
) {
$this->rateLimiter = new RateLimiter($maxRequestsPerMinute, $windowSeconds);
}
/**
* Log an audit entry if rate limiting allows it.
*
* @param string $path The path or operation being audited
* @param mixed $original The original value
* @param mixed $masked The masked value
*/
public function __invoke(string $path, mixed $original, mixed $masked): void
{
// Use a combination of path and operation type as the rate limiting key
$key = $this->generateRateLimitKey($path);
if ($this->rateLimiter->isAllowed($key)) {
// Rate limit allows this log entry
/** @psalm-suppress RedundantConditionGivenDocblockType - Runtime validation for defensive programming */
if (is_callable($this->auditLogger)) {
($this->auditLogger)($path, $original, $masked);
}
} else {
// Rate limit exceeded - optionally log a rate limit warning
$this->logRateLimitExceeded($path, $key);
}
}
public function isOperationAllowed(string $path): bool
{
// Use a combination of path and operation type as the rate limiting key
$key = $this->generateRateLimitKey($path);
return $this->rateLimiter->isAllowed($key);
}
/**
* Get rate limiting statistics for all active operation types.
*
* @return int[][]
*
* @psalm-return array{'audit:general_operations'?: array{current_requests: int<1, max>, remaining_requests: int<0, max>, time_until_reset: int<0, max>}, 'audit:error_operations'?: array{current_requests: int<1, max>, remaining_requests: int<0, max>, time_until_reset: int<0, max>}, 'audit:regex_operations'?: array{current_requests: int<1, max>, remaining_requests: int<0, max>, time_until_reset: int<0, max>}, 'audit:conditional_operations'?: array{current_requests: int<1, max>, remaining_requests: int<0, max>, time_until_reset: int<0, max>}, 'audit:json_operations'?: array{current_requests: int<1, max>, remaining_requests: int<0, max>, time_until_reset: int<0, max>}}
*/
public function getRateLimitStats(): array
{
// Get all possible operation types based on the classification logic
$operationTypes = [
'audit:json_operations',
'audit:conditional_operations',
'audit:regex_operations',
'audit:error_operations',
'audit:general_operations'
];
$stats = [];
foreach ($operationTypes as $type) {
$typeStats = $this->rateLimiter->getStats($type);
// Only include operation types that have been used
if ($typeStats['current_requests'] > 0) {
$stats[$type] = $typeStats;
}
}
return $stats;
}
/**
* Clear all rate limiting data.
*/
public function clearRateLimitData(): void
{
RateLimiter::clearAll();
}
/**
* Generate a rate limiting key based on the audit operation.
*
* This allows different types of operations to have separate rate limits.
*/
private function generateRateLimitKey(string $path): string
{
// Group similar operations together to prevent flooding of specific operation types
$operationType = $this->getOperationType($path);
// Use operation type as the primary key for rate limiting
return 'audit:' . $operationType;
}
/**
* Determine the operation type from the path.
*/
private function getOperationType(string $path): string
{
// Group different operations into categories for rate limiting
return match (true) {
str_contains($path, 'json_') => 'json_operations',
str_contains($path, 'conditional_') => 'conditional_operations',
str_contains($path, 'regex_') => 'regex_operations',
str_contains($path, 'preg_replace_') => 'regex_operations',
str_contains($path, 'error') => 'error_operations',
default => 'general_operations'
};
}
/**
* Log when rate limiting is exceeded (with its own rate limiting to prevent spam).
*/
private function logRateLimitExceeded(string $path, string $key): void
{
// Create a separate rate limiter for warnings to avoid interfering with main rate limiting
static $warningRateLimiter = null;
if ($warningRateLimiter === null) {
$warningRateLimiter = new RateLimiter(1, 60); // 1 warning per minute per operation type
}
$warningKey = 'warning:' . $key;
// Only log rate limit warnings once per minute per operation type to prevent warning spam
/** @psalm-suppress RedundantConditionGivenDocblockType - Runtime validation for defensive programming */
if ($warningRateLimiter->isAllowed($warningKey) === true && is_callable($this->auditLogger)) {
$statsJson = json_encode($this->rateLimiter->getStats($key));
($this->auditLogger)(
'rate_limit_exceeded',
$path,
sprintf(
'Audit logging rate limit exceeded for operation type: %s. Stats: %s',
$key,
$statsJson !== false ? $statsJson : 'N/A'
)
);
}
}
/**
* Create a factory method for common configurations.
*
* @psalm-param callable(string, mixed, mixed):void $auditLogger
*/
public static function create(
callable $auditLogger,
string $profile = 'default'
): self {
return match ($profile) {
'strict' => new self($auditLogger, 50, 60), // 50 per minute
'relaxed' => new self($auditLogger, 200, 60), // 200 per minute
'testing' => new self($auditLogger, 1000, 60), // 1000 per minute for testing
default => new self($auditLogger, 100, 60), // 100 per minute (default)
};
}
}

304
src/RateLimiter.php Normal file
View File

@@ -0,0 +1,304 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
use Ivuorinen\MonologGdprFilter\Exceptions\InvalidRateLimitConfigurationException;
/**
* Simple rate limiter to prevent audit log flooding.
*
* Uses a sliding window approach with memory-based storage.
* For production use, consider implementing persistent storage.
*
* @api
*/
class RateLimiter
{
/**
* Storage for request timestamps per key.
* @var array<string, array<int>>
*/
private static array $requests = [];
/**
* Last time global cleanup was performed.
*/
private static int $lastCleanup = 0;
/**
* How often to perform global cleanup (in seconds).
*/
private static int $cleanupInterval = 300; // 5 minutes
/**
* @param int $maxRequests Maximum number of requests allowed
* @param int $windowSeconds Time window in seconds
*
* @throws InvalidRateLimitConfigurationException When parameters are invalid
*/
public function __construct(
private readonly int $maxRequests,
private readonly int $windowSeconds
) {
// Validate maxRequests
if ($this->maxRequests <= 0) {
throw InvalidRateLimitConfigurationException::invalidMaxRequests($this->maxRequests);
}
if ($this->maxRequests > 1000000) {
throw InvalidRateLimitConfigurationException::forParameter(
'max_requests',
$this->maxRequests,
'Cannot exceed 1,000,000 for memory safety'
);
}
// Validate windowSeconds
if ($this->windowSeconds <= 0) {
throw InvalidRateLimitConfigurationException::invalidTimeWindow($this->windowSeconds);
}
if ($this->windowSeconds > 86400) { // 24 hours max
throw InvalidRateLimitConfigurationException::forParameter(
'window_seconds',
$this->windowSeconds,
'Cannot exceed 86,400 (24 hours) for practical reasons'
);
}
}
/**
* Check if a request is allowed for the given key.
*
* @throws InvalidRateLimitConfigurationException When key is invalid
*/
public function isAllowed(string $key): bool
{
$this->validateKey($key);
$now = time();
$windowStart = $now - $this->windowSeconds;
// Initialize key if not exists
if (!isset(self::$requests[$key])) {
self::$requests[$key] = [];
}
// Remove old requests outside the window
self::$requests[$key] = array_filter(
self::$requests[$key],
fn(int $timestamp): bool => $timestamp > $windowStart
);
// Perform global cleanup periodically to prevent memory leaks
$this->performGlobalCleanupIfNeeded($now);
// Check if we're under the limit
if (count(self::$requests[$key] ?? []) < $this->maxRequests) {
// Add current request
self::$requests[$key][] = $now;
return true;
}
return false;
}
/**
* Get time until next request is allowed (in seconds).
*
* @psalm-return int<0, max>
* @throws InvalidRateLimitConfigurationException When key is invalid
*/
public function getTimeUntilReset(string $key): int
{
$this->validateKey($key);
if (!isset(self::$requests[$key]) || empty(self::$requests[$key])) {
return 0;
}
$now = time();
$oldestRequest = min(self::$requests[$key]);
$resetTime = $oldestRequest + $this->windowSeconds;
return max(0, $resetTime - $now);
}
/**
* Get statistics for a specific key.
*
* @return int[]
*
* @psalm-return array{current_requests: int<0, max>, remaining_requests: int<0, max>, time_until_reset: int<0, max>}
* @throws InvalidRateLimitConfigurationException When key is invalid
*/
public function getStats(string $key): array
{
$this->validateKey($key);
$now = time();
$windowStart = $now - $this->windowSeconds;
$currentRequests = 0;
if (isset(self::$requests[$key])) {
$currentRequests = count(array_filter(
self::$requests[$key],
fn(int $timestamp): bool => $timestamp > $windowStart
));
}
return [
'current_requests' => $currentRequests,
'remaining_requests' => max(0, $this->maxRequests - $currentRequests),
'time_until_reset' => $this->getTimeUntilReset($key),
];
}
/**
* Get remaining requests for a specific key.
*
* @param string $key The rate limiting key
* @return int The number of remaining requests
*
* @psalm-return int<0, max>
* @throws InvalidRateLimitConfigurationException When key is invalid
*/
public function getRemainingRequests(string $key): int
{
$this->validateKey($key);
return $this->getStats($key)['remaining_requests'] ?? 0;
}
public static function clearAll(): void
{
self::$requests = [];
}
public static function clearKey(string $key): void
{
self::validateKeyStatic($key);
if (isset(self::$requests[$key])) {
unset(self::$requests[$key]);
}
}
/**
* Perform global cleanup if enough time has passed.
* This prevents memory leaks from accumulating unused keys.
*/
private function performGlobalCleanupIfNeeded(int $now): void
{
if ($now - self::$lastCleanup >= self::$cleanupInterval) {
$this->performGlobalCleanup($now);
self::$lastCleanup = $now;
}
}
/**
* Clean up all expired entries across all keys.
* This prevents memory leaks from accumulating old unused keys.
*/
private function performGlobalCleanup(int $now): void
{
$windowStart = $now - $this->windowSeconds;
foreach (self::$requests as $key => $timestamps) {
// Filter out old timestamps
$validTimestamps = array_filter(
$timestamps,
fn(int $timestamp): bool => $timestamp > $windowStart
);
if ($validTimestamps === []) {
// Remove keys with no valid timestamps
unset(self::$requests[$key]);
} else {
// Update with filtered timestamps
self::$requests[$key] = array_values($validTimestamps);
}
}
}
/**
* Get memory usage statistics for debugging.
*
* @return int[]
*
* @psalm-return array{total_keys: int<0, max>, total_timestamps: int, estimated_memory_bytes: int<min, max>, last_cleanup: int, cleanup_interval: int}
*/
public static function getMemoryStats(): array
{
$totalKeys = count(self::$requests);
$totalTimestamps = array_sum(array_map('count', self::$requests));
$estimatedMemory = $totalKeys * 50 + $totalTimestamps * 8; // Rough estimate
return [
'total_keys' => $totalKeys,
'total_timestamps' => $totalTimestamps,
'estimated_memory_bytes' => $estimatedMemory,
'last_cleanup' => self::$lastCleanup,
'cleanup_interval' => self::$cleanupInterval,
];
}
/**
* Configure the global cleanup interval.
*
* @param int $seconds Cleanup interval in seconds (minimum 60)
* @throws InvalidRateLimitConfigurationException When seconds is invalid
*/
public static function setCleanupInterval(int $seconds): void
{
if ($seconds <= 0) {
throw InvalidRateLimitConfigurationException::invalidCleanupInterval($seconds);
}
if ($seconds < 60) {
throw InvalidRateLimitConfigurationException::cleanupIntervalTooShort($seconds, 60);
}
if ($seconds > 604800) { // 1 week max
throw InvalidRateLimitConfigurationException::forParameter(
'cleanup_interval',
$seconds,
'Cannot exceed 604,800 seconds (1 week) for practical reasons'
);
}
self::$cleanupInterval = $seconds;
}
/**
* Validate a rate limiting key.
*
* @param string $key The key to validate
* @throws InvalidRateLimitConfigurationException When key is invalid
*/
private function validateKey(string $key): void
{
self::validateKeyStatic($key);
}
/**
* Static version of key validation for use in static methods.
*
* @param string $key The key to validate
* @throws InvalidRateLimitConfigurationException When key is invalid
*/
private static function validateKeyStatic(string $key): void
{
if (trim($key) === '') {
throw InvalidRateLimitConfigurationException::emptyKey();
}
if (strlen($key) > 250) {
throw InvalidRateLimitConfigurationException::keyTooLong($key, 250);
}
// Check for potential problematic characters that could cause issues
if (preg_match('/[\x00-\x1F\x7F]/', $key)) {
throw InvalidRateLimitConfigurationException::invalidKeyFormat(
'Rate limiting key cannot contain control characters'
);
}
}
}

184
src/RecursiveProcessor.php Normal file
View File

@@ -0,0 +1,184 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
/**
* Handles recursive processing operations for GDPR masking.
*
* This class extracts recursive data processing logic from GdprProcessor
* to reduce the main class's method count and improve separation of concerns.
*
* @internal This class is for internal use within the GDPR processor
*/
class RecursiveProcessor
{
/**
* @param \Closure(string):string $regexProcessor Function to process strings with regex
* @param DataTypeMasker $dataTypeMasker Data type masker instance
* @param callable(string,mixed,mixed):void|null $auditLogger Optional audit logger callback
* @param int $maxDepth Maximum recursion depth for nested structures
*/
public function __construct(
private readonly \Closure $regexProcessor,
private readonly DataTypeMasker $dataTypeMasker,
private $auditLogger,
private readonly int $maxDepth
) {
}
/**
* Recursively mask all string values in an array using regex patterns with depth limiting
* and memory-efficient processing for large nested structures.
*
* @param array<mixed>|string $data
* @param int $currentDepth Current recursion depth
* @return array<mixed>|string
*/
public function recursiveMask(array|string $data, int $currentDepth = 0): array|string
{
if (is_string($data)) {
return ($this->regexProcessor)($data);
}
// At this point, we know it's an array due to the string check above
return $this->processArrayData($data, $currentDepth);
}
/**
* Process array data with depth and size checks.
*
* @param array<mixed> $data
* @return array<mixed>
*/
public function processArrayData(array $data, int $currentDepth): array
{
// Prevent excessive recursion depth
if ($currentDepth >= $this->maxDepth) {
if ($this->auditLogger !== null) {
($this->auditLogger)(
'max_depth_reached',
$currentDepth,
sprintf('Recursion depth limit (%d) reached', $this->maxDepth)
);
}
return $data; // Return unmodified data when depth limit is reached
}
// Early return for empty arrays to save processing
if ($data === []) {
return $data;
}
// Memory-efficient processing: process in chunks for very large arrays
$arraySize = count($data);
$chunkSize = 1000; // Process in chunks of 1000 items
return $arraySize > $chunkSize
? $this->processLargeArray($data, $currentDepth, $chunkSize)
: $this->processStandardArray($data, $currentDepth);
}
/**
* Process a large array in chunks to reduce memory pressure.
*
* @param array<mixed> $data
* @return array<mixed>
*/
public function processLargeArray(array $data, int $currentDepth, int $chunkSize): array
{
$result = [];
$chunks = array_chunk($data, $chunkSize, true);
$arraySize = count($data);
foreach ($chunks as $chunk) {
foreach ($chunk as $key => $value) {
$result[$key] = $this->processValue($value, $currentDepth);
}
// Optional: Force garbage collection after each chunk for memory management
if ($arraySize > 10000) {
gc_collect_cycles();
}
}
return $result;
}
/**
* Process a standard-sized array.
*
* @param array<mixed> $data
* @return array<mixed>
*/
public function processStandardArray(array $data, int $currentDepth): array
{
foreach ($data as $key => $value) {
$data[$key] = $this->processValue($value, $currentDepth);
}
return $data;
}
/**
* Process a single value (string, array, or other type).
*
* @param mixed $value
*
* @psalm-param mixed $value
*/
public function processValue(mixed $value, int $currentDepth): mixed
{
if (is_string($value)) {
return $this->processStringValue($value);
}
if (is_array($value)) {
return $this->processArrayValue($value, $currentDepth);
}
// For other non-strings: apply data type masking if configured
return $this->dataTypeMasker->applyMasking($value, $this->recursiveMask(...));
}
/**
* Process a string value with regex and data type masking.
*/
public function processStringValue(string $value): string
{
// For strings: apply regex patterns first, then data type masking if unchanged
$regexResult = ($this->regexProcessor)($value);
return $regexResult !== $value
? $regexResult // Regex patterns matched and changed the value
: $this->dataTypeMasker->applyMasking($value, $this->recursiveMask(...)); // Apply data type masking
}
/**
* Process an array value with masking and recursion.
*
* @param array<mixed> $value
* @return array<mixed>
*/
public function processArrayValue(array $value, int $currentDepth): array
{
// For arrays: apply data type masking if configured, otherwise recurse
$masked = $this->dataTypeMasker->applyMasking($value, $this->recursiveMask(...));
return $masked !== $value
? $masked // Data type masking was applied
: $this->recursiveMask($value, $currentDepth + 1); // Continue recursion
}
/**
* Set the audit logger callable.
*
* @param callable(string,mixed,mixed):void|null $auditLogger
*/
public function setAuditLogger(?callable $auditLogger): void
{
$this->auditLogger = $auditLogger;
}
}

88
src/SecuritySanitizer.php Normal file
View File

@@ -0,0 +1,88 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter;
use Ivuorinen\MonologGdprFilter\MaskConstants as Mask;
/**
* Sanitizes error messages to prevent information disclosure.
*
* This class removes sensitive information from error messages
* before they are logged to prevent security vulnerabilities.
*/
final class SecuritySanitizer
{
/**
* Sanitize error messages to prevent information disclosure.
*
* @param string $message The original error message
* @return string The sanitized error message
*/
public static function sanitizeErrorMessage(string $message): string
{
// List of sensitive patterns to remove or mask
$sensitivePatterns = [
// Database credentials
'/password=\S+/i' => 'password=***',
'/pwd=\S+/i' => 'pwd=***',
'/pass=\S+/i' => 'pass=***',
// Database hosts and connection strings
'/host=[\w\.-]+/i' => 'host=***',
'/server=[\w\.-]+/i' => 'server=***',
'/hostname=[\w\.-]+/i' => 'hostname=***',
// User credentials
'/user=\S+/i' => 'user=***',
'/username=\S+/i' => 'username=***',
'/uid=\S+/i' => 'uid=***',
// API keys and tokens
'/api[_-]?key[=:]\s*\S+/i' => 'api_key=***',
'/token[=:]\s*\S+/i' => 'token=***',
'/bearer\s+\S+/i' => 'bearer ***',
'/sk_\w+/i' => 'sk_***',
'/pk_\w+/i' => 'pk_***',
// File paths (potential information disclosure)
'/\/[\w\/\.-]*\/(config|secret|private|key)[\w\/\.-]*/i' => '/***/$1/***',
'/[a-zA-Z]:\\\\[\w\\\\.-]*\\\\(config|secret|private|key)[\w\\\\.-]*/i' => 'C:\\***\\$1\\***',
// Connection strings
'/redis:\/\/[^@]*@[\w\.-]+:\d+/i' => 'redis://***:***@***:***',
'/mysql:\/\/[^@]*@[\w\.-]+:\d+/i' => 'mysql://***:***@***:***',
'/postgresql:\/\/[^@]*@[\w\.-]+:\d+/i' => 'postgresql://***:***@***:***',
// JWT secrets and other secrets (enhanced to catch more patterns)
'/secret[_-]?key[=:\s]+\S+/i' => 'secret_key=***',
'/jwt[_-]?secret[=:\s]+\S+/i' => 'jwt_secret=***',
'/\bsuper_secret_\w+/i' => Mask::MASK_SECRET,
// Generic secret-like patterns (alphanumeric keys that look sensitive)
'/\b[a-z_]*secret[a-z_]*[=:\s]+[\w\d_-]{10,}/i' => 'secret=***',
'/\b[a-z_]*key[a-z_]*[=:\s]+[\w\d_-]{10,}/i' => 'key=***',
// IP addresses in internal ranges
'/\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b/' => '***.***.***',
];
$sanitized = $message;
foreach ($sensitivePatterns as $pattern => $replacement) {
$sanitized = preg_replace($pattern, $replacement, $sanitized) ?? $sanitized;
}
// Truncate very long messages to prevent log flooding
if (strlen($sanitized) > 500) {
return substr($sanitized, 0, 500) . '... (truncated for security)';
}
return $sanitized;
}
/** @psalm-suppress UnusedConstructor */
private function __construct()
{}
}

210
src/Strategies/AbstractMaskingStrategy.php Normal file
View File

@@ -0,0 +1,210 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Strategies;
use Monolog\LogRecord;
use Ivuorinen\MonologGdprFilter\Exceptions\MaskingOperationFailedException;
/**
* Abstract base class for masking strategies.
*
* Provides common functionality and utilities that most masking strategies
* will need, reducing code duplication and ensuring consistent behavior.
*
* @api
*/
abstract class AbstractMaskingStrategy implements MaskingStrategyInterface
{
/**
* Constructor.
*
* @param int $priority The priority of the strategy
* @param array<string, mixed> $configuration The configuration for the strategy
*/
public function __construct(
protected readonly int $priority = 50,
protected readonly array $configuration = []
) {
}
/**
* {@inheritdoc}
*/
#[\Override]
public function getPriority(): int
{
return $this->priority;
}
/**
* {@inheritdoc}
*/
#[\Override]
public function getConfiguration(): array
{
return $this->configuration;
}
/**
* {@inheritdoc}
*/
#[\Override]
public function validate(): bool
{
// Base validation - can be overridden by concrete implementations
return true;
}
/**
* Safely convert a value to string for processing.
*
* @param mixed $value The value to convert
* @return string The string representation
*
* @throws MaskingOperationFailedException If value cannot be converted to string
*/
protected function valueToString(mixed $value): string
{
if (is_string($value)) {
return $value;
}
if (is_numeric($value) || is_bool($value)) {
return (string) $value;
}
if (is_array($value) || is_object($value)) {
$json = json_encode($value, JSON_UNESCAPED_SLASHES);
if ($json === false) {
throw MaskingOperationFailedException::dataTypeMaskingFailed(
gettype($value),
$value,
'Cannot convert value to string for masking'
);
}
return $json;
}
if ($value === null) {
return '';
}
throw MaskingOperationFailedException::dataTypeMaskingFailed(
gettype($value),
$value,
'Unsupported value type for string conversion'
);
}
/**
* Check if a field path matches a given pattern.
*
* Supports simple wildcard matching with * and exact matches.
*
* @param string $path The field path to check
* @param string $pattern The pattern to match against (supports * wildcards)
* @return bool True if the path matches the pattern
*/
protected function pathMatches(string $path, string $pattern): bool
{
// Exact match
if ($path === $pattern) {
return true;
}
// Wildcard match
if (str_contains($pattern, '*')) {
// Escape dots and replace * with .*
$regexPattern = '/^' . str_replace(['\\', '.', '*'], ['\\\\', '\\.', '.*'], $pattern) . '$/';
return preg_match($regexPattern, $path) === 1;
}
return false;
}
/**
* Check if the log record matches specific conditions.
*
* @param LogRecord $logRecord The log record to check
* @param array<string, mixed> $conditions Conditions to check (level, channel, etc.)
* @return bool True if all conditions are met
*/
protected function recordMatches(LogRecord $logRecord, array $conditions): bool
{
foreach ($conditions as $field => $expectedValue) {
$actualValue = match ($field) {
'level' => $logRecord->level->name,
'channel' => $logRecord->channel,
'message' => $logRecord->message,
default => $logRecord->context[$field] ?? null,
};
if ($actualValue !== $expectedValue) {
return false;
}
}
return true;
}
/**
* Generate a preview of a value for error messages.
*
* @param mixed $value The value to preview
* @param int $maxLength Maximum length of the preview
* @return string Safe preview string
*/
protected function generateValuePreview(mixed $value, int $maxLength = 100): string
{
try {
$stringValue = $this->valueToString($value);
return strlen($stringValue) > $maxLength
? substr($stringValue, 0, $maxLength) . '...'
: $stringValue;
} catch (MaskingOperationFailedException) {
return '[' . gettype($value) . ']';
}
}
/**
* Create a masked value while preserving the original type when possible.
*
* @param mixed $originalValue The original value
* @param string $maskedString The masked string representation
* @return mixed The masked value with appropriate type
*/
protected function preserveValueType(mixed $originalValue, string $maskedString): mixed
{
// If original was a string, return string
if (is_string($originalValue)) {
return $maskedString;
}
// For arrays and objects, try to decode back if it was JSON
if (is_array($originalValue) || is_object($originalValue)) {
$decoded = json_decode($maskedString, true);
if ($decoded !== null && json_last_error() === JSON_ERROR_NONE) {
return is_object($originalValue) ? (object) $decoded : $decoded;
}
}
// For primitives, try to convert back
if (is_int($originalValue) && is_numeric($maskedString)) {
return (int) $maskedString;
}
if (is_float($originalValue) && is_numeric($maskedString)) {
return (float) $maskedString;
}
if (is_bool($originalValue)) {
return filter_var($maskedString, FILTER_VALIDATE_BOOLEAN);
}
// Default to returning the masked string
return $maskedString;
}
}

232
src/Strategies/ConditionalMaskingStrategy.php Normal file
View File

@@ -0,0 +1,232 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Strategies;
use Throwable;
use Monolog\LogRecord;
use Ivuorinen\MonologGdprFilter\Exceptions\MaskingOperationFailedException;
/**
* Conditional masking strategy.
*
* Applies masking only when specific conditions are met, such as log level,
* channel, or custom context-based rules. This allows for fine-grained
* control over when masking should occur.
*
* @api
*/
class ConditionalMaskingStrategy extends AbstractMaskingStrategy
{
/**
* @param MaskingStrategyInterface $wrappedStrategy The strategy to apply when conditions are met
* @param array<string, callable(LogRecord): bool> $conditions Named conditions that must be satisfied
* @param bool $requireAllConditions Whether all conditions must be true (AND) or just one (OR)
* @param int $priority Strategy priority (default: 70)
*/
public function __construct(
private readonly MaskingStrategyInterface $wrappedStrategy,
private readonly array $conditions,
private readonly bool $requireAllConditions = true,
int $priority = 70
) {
parent::__construct($priority, [
'wrapped_strategy' => $wrappedStrategy->getName(),
'conditions' => array_keys($conditions),
'require_all_conditions' => $requireAllConditions,
]);
}
/**
* {@inheritdoc}
*/
#[\Override]
public function mask(mixed $value, string $path, LogRecord $logRecord): mixed
{
// This should only be called if shouldApply returned true
try {
return $this->wrappedStrategy->mask($value, $path, $logRecord);
} catch (Throwable $throwable) {
throw MaskingOperationFailedException::customCallbackFailed(
$path,
$value,
'Conditional masking failed: ' . $throwable->getMessage(),
$throwable
);
}
}
/**
* {@inheritdoc}
*/
#[\Override]
public function shouldApply(mixed $value, string $path, LogRecord $logRecord): bool
{
// First check if conditions are met
if (!$this->conditionsAreMet($logRecord)) {
return false;
}
// Then check if the wrapped strategy should apply
return $this->wrappedStrategy->shouldApply($value, $path, $logRecord);
}
/**
* {@inheritdoc}
*/
#[\Override]
public function getName(): string
{
$conditionCount = count($this->conditions);
$logic = $this->requireAllConditions ? 'AND' : 'OR';
return sprintf('Conditional Masking (%d conditions, %s logic) -> %s', $conditionCount, $logic, $this->wrappedStrategy->getName());
}
/**
* {@inheritdoc}
*/
#[\Override]
public function validate(): bool
{
if ($this->conditions === []) {
return false;
}
// Validate that all conditions are callable
foreach ($this->conditions as $condition) {
if (!is_callable($condition)) {
return false;
}
}
// Validate the wrapped strategy
return $this->wrappedStrategy->validate();
}
/**
* Get the wrapped strategy.
*
* @return MaskingStrategyInterface The wrapped strategy
*/
public function getWrappedStrategy(): MaskingStrategyInterface
{
return $this->wrappedStrategy;
}
/**
* Get the condition names.
*
* @return string[] The condition names
*
* @psalm-return list<string>
*/
public function getConditionNames(): array
{
return array_keys($this->conditions);
}
/**
* Check if all conditions are met for the given log record.
*
* @param LogRecord $logRecord The log record to evaluate
* @return bool True if conditions are satisfied
*/
private function conditionsAreMet(LogRecord $logRecord): bool
{
if ($this->conditions === []) {
return true;
}
$satisfiedConditions = 0;
foreach ($this->conditions as $condition) {
try {
$result = $condition($logRecord);
if ($result === true) {
$satisfiedConditions++;
// For OR logic, one satisfied condition is enough
if (!$this->requireAllConditions) {
return true;
}
}
} catch (Throwable) {
// If condition evaluation fails, treat as not satisfied
if ($this->requireAllConditions) {
return false; // For AND logic, any failure means failure
}
// For OR logic, continue checking other conditions
}
}
// For AND logic, all conditions must be satisfied
if ($this->requireAllConditions) {
return $satisfiedConditions === count($this->conditions);
}
// For OR logic, at least one condition must be satisfied
return $satisfiedConditions > 0;
}
/**
* Create a level-based conditional strategy.
*
* @param MaskingStrategyInterface $strategy The strategy to wrap
* @param array<string> $levels The log levels that should trigger masking
* @param int $priority Strategy priority
*/
public static function forLevels(
MaskingStrategyInterface $strategy,
array $levels,
int $priority = 70
): self {
$condition = (static fn(LogRecord $logRecord): bool => in_array($logRecord->level->name, $levels, true));
return new self($strategy, ['level' => $condition], true, $priority);
}
/**
* Create a channel-based conditional strategy.
*
* @param MaskingStrategyInterface $strategy The strategy to wrap
* @param array<string> $channels The channels that should trigger masking
* @param int $priority Strategy priority
*/
public static function forChannels(
MaskingStrategyInterface $strategy,
array $channels,
int $priority = 70
): self {
$condition = (static fn(LogRecord $logRecord): bool => in_array($logRecord->channel, $channels, true));
return new self($strategy, ['channel' => $condition], true, $priority);
}
/**
* Create a context-based conditional strategy.
*
* @param MaskingStrategyInterface $strategy The strategy to wrap
* @param array<string, mixed> $requiredContext Context key-value pairs that must be present
* @param int $priority Strategy priority
*/
public static function forContext(
MaskingStrategyInterface $strategy,
array $requiredContext,
int $priority = 70
): self {
$condition = static function (LogRecord $logRecord) use ($requiredContext): bool {
foreach ($requiredContext as $key => $expectedValue) {
$actualValue = $logRecord->context[$key] ?? null;
if ($actualValue !== $expectedValue) {
return false;
}
}
return true;
};
return new self($strategy, ['context' => $condition], true, $priority);
}
}

289
src/Strategies/DataTypeMaskingStrategy.php Normal file
View File

@@ -0,0 +1,289 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Strategies;
use Throwable;
use Monolog\LogRecord;
use Ivuorinen\MonologGdprFilter\Exceptions\MaskingOperationFailedException;
use Ivuorinen\MonologGdprFilter\MaskConstants as Mask;
/**
* Data type-based masking strategy.
*
* Applies different masking based on the PHP data type of values.
* Useful for applying consistent masking patterns across all values
* of specific types (e.g., all integers, all strings).
*
* @api
*/
class DataTypeMaskingStrategy extends AbstractMaskingStrategy
{
/**
* @param array<string, string> $typeMasks Map of PHP type names to their mask values
* @param array<string> $includePaths Optional field paths to include (empty = all paths)
* @param array<string> $excludePaths Optional field paths to exclude
* @param int $priority Strategy priority (default: 40)
*/
public function __construct(
private readonly array $typeMasks,
private readonly array $includePaths = [],
private readonly array $excludePaths = [],
int $priority = 40
) {
parent::__construct($priority, [
'type_masks' => $typeMasks,
'include_paths' => $includePaths,
'exclude_paths' => $excludePaths,
]);
}
/**
* {@inheritdoc}
*/
#[\Override]
public function mask(mixed $value, string $path, LogRecord $logRecord): mixed
{
$type = $this->getValueType($value);
$mask = $this->typeMasks[$type] ?? null;
if ($mask === null) {
return $value; // Should not happen if shouldApply was called first
}
try {
return $this->applyTypeMask($value, $mask, $type);
} catch (Throwable $throwable) {
throw MaskingOperationFailedException::dataTypeMaskingFailed(
$type,
$value,
$throwable->getMessage(),
$throwable
);
}
}
/**
* {@inheritdoc}
*/
#[\Override]
public function shouldApply(mixed $value, string $path, LogRecord $logRecord): bool
{
// Check exclude paths first
foreach ($this->excludePaths as $excludePath) {
if ($this->pathMatches($path, $excludePath)) {
return false;
}
}
// If include paths are specified, check them
if ($this->includePaths !== []) {
$included = false;
foreach ($this->includePaths as $includePath) {
if ($this->pathMatches($path, $includePath)) {
$included = true;
break;
}
}
if (!$included) {
return false;
}
}
// Check if we have a mask for this value's type
$type = $this->getValueType($value);
return isset($this->typeMasks[$type]);
}
/**
* {@inheritdoc}
*/
#[\Override]
public function getName(): string
{
$typeCount = count($this->typeMasks);
$types = implode(', ', array_keys($this->typeMasks));
return sprintf('Data Type Masking (%d types: %s)', $typeCount, $types);
}
/**
* {@inheritdoc}
*/
#[\Override]
public function validate(): bool
{
if ($this->typeMasks === []) {
return false;
}
$validTypes = ['string', 'integer', 'double', 'boolean', 'array', 'object', 'NULL', 'resource'];
foreach ($this->typeMasks as $type => $mask) {
if (!in_array($type, $validTypes, true)) {
return false;
}
/** @psalm-suppress DocblockTypeContradiction - Runtime validation for defensive programming */
if (!is_string($mask)) {
return false;
}
}
return true;
}
/**
* Create a strategy for common data types.
*
* @param array<string, string> $customMasks Additional or override masks
* @param int $priority Strategy priority
*/
public static function createDefault(array $customMasks = [], int $priority = 40): self
{
$defaultMasks = [
'string' => Mask::MASK_STRING,
'integer' => '999',
'double' => '99.99',
'boolean' => 'false',
'array' => '[]',
'object' => '{}',
'NULL' => '',
];
$masks = array_merge($defaultMasks, $customMasks);
return new self($masks, [], [], $priority);
}
/**
* Create a strategy that only masks sensitive data types.
*
* @param array<string, string> $customMasks Additional or override masks
* @param int $priority Strategy priority
*/
public static function createSensitiveOnly(array $customMasks = [], int $priority = 40): self
{
$sensitiveMasks = [
'string' => Mask::MASK_MASKED, // Strings often contain sensitive data
'array' => '[]', // Arrays might contain sensitive structured data
'object' => '{}', // Objects might contain sensitive data
];
$masks = array_merge($sensitiveMasks, $customMasks);
return new self($masks, [], [], $priority);
}
/**
* Get a normalized type name for a value.
*
* @param mixed $value The value to get the type for
* @return string The normalized type name
*/
private function getValueType(mixed $value): string
{
$type = gettype($value);
// Normalize some type names to match common usage
return match ($type) {
'double' => 'double', // Keep as 'double' for consistency with gettype()
'boolean' => 'boolean',
'integer' => 'integer',
default => $type,
};
}
/**
* Apply type-specific masking to a value.
*
* @param mixed $value The original value
* @param string $mask The mask to apply
* @param string $type The value type for error context
* @return mixed The masked value
*
* @throws MaskingOperationFailedException
*/
private function applyTypeMask(mixed $value, string $mask, string $type): mixed
{
// For null values, mask should also be null or empty
if ($value === null) {
return $mask === '' ? null : $mask;
}
// Try to convert mask to appropriate type
try {
return match ($type) {
'integer' => is_numeric($mask) ? (int) $mask : $mask,
'double' => is_numeric($mask) ? (float) $mask : $mask,
'boolean' => filter_var($mask, FILTER_VALIDATE_BOOLEAN),
'array' => $this->parseArrayMask($mask),
'object' => $this->parseObjectMask($mask),
'string' => $mask,
default => $mask,
};
} catch (Throwable $throwable) {
throw MaskingOperationFailedException::dataTypeMaskingFailed(
$type,
$value,
'Failed to apply type mask: ' . $throwable->getMessage(),
$throwable
);
}
}
/**
* Parse an array mask from string representation.
*
* @param string $mask The mask string
* @return array<mixed> The parsed array
*
* @throws MaskingOperationFailedException
*/
private function parseArrayMask(string $mask): array
{
// Handle JSON array representation
if (str_starts_with($mask, '[') && str_ends_with($mask, ']')) {
$decoded = json_decode($mask, true);
if ($decoded !== null && is_array($decoded)) {
return $decoded;
}
}
// Handle simple cases
if ($mask === '[]' || $mask === '') {
return [];
}
// Try to split on commas for simple arrays
return explode(',', trim($mask, '[]'));
}
/**
* Parse an object mask from string representation.
*
* @param string $mask The mask string
* @return object The parsed object
*
* @throws MaskingOperationFailedException
*/
private function parseObjectMask(string $mask): object
{
// Handle JSON object representation
if (str_starts_with($mask, '{') && str_ends_with($mask, '}')) {
$decoded = json_decode($mask, false);
if ($decoded !== null && is_object($decoded)) {
return $decoded;
}
}
// Handle simple cases
if ($mask === '{}' || $mask === '') {
return (object) [];
}
// Create a simple object with the mask as a property
return (object) ['masked' => $mask];
}
}

294
src/Strategies/FieldPathMaskingStrategy.php Normal file
View File

@@ -0,0 +1,294 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Strategies;
use Throwable;
use Monolog\LogRecord;
use Ivuorinen\MonologGdprFilter\FieldMaskConfig;
use Ivuorinen\MonologGdprFilter\Exceptions\MaskingOperationFailedException;
use Ivuorinen\MonologGdprFilter\MaskConstants as Mask;
/**
* Field path-based masking strategy.
*
* Applies masking based on specific field paths using dot notation.
* Supports static replacements, regex patterns, and removal of fields.
*
* @api
*/
class FieldPathMaskingStrategy extends AbstractMaskingStrategy
{
/**
* @param array<string, FieldMaskConfig|string> $fieldConfigs Field path => config mappings
* @param int $priority Strategy priority (default: 80)
*/
public function __construct(
private readonly array $fieldConfigs,
int $priority = 80
) {
parent::__construct($priority, [
'field_configs' => array_map(
/**
* @return (null|string)[]|string
*
* @psalm-return array{type: string, replacement: null|string}|string
*/
fn(FieldMaskConfig|string $config): array|string => $config instanceof FieldMaskConfig
? $config->toArray() : $config,
$fieldConfigs
),
]);
}
/**
* {@inheritdoc}
*/
#[\Override]
public function mask(mixed $value, string $path, LogRecord $logRecord): mixed
{
$config = $this->getConfigForPath($path);
if ($config === null) {
return $value; // Should not happen if shouldApply was called first
}
try {
return $this->applyFieldConfig($value, $config, $path);
} catch (Throwable $throwable) {
throw MaskingOperationFailedException::fieldPathMaskingFailed(
$path,
$value,
$throwable->getMessage(),
$throwable
);
}
}
/**
* {@inheritdoc}
*/
#[\Override]
public function shouldApply(mixed $value, string $path, LogRecord $logRecord): bool
{
return $this->getConfigForPath($path) !== null;
}
/**
* {@inheritdoc}
*/
#[\Override]
public function getName(): string
{
$configCount = count($this->fieldConfigs);
return sprintf('Field Path Masking (%d fields)', $configCount);
}
/**
* {@inheritdoc}
*/
#[\Override]
public function validate(): bool
{
if ($this->fieldConfigs === []) {
return false;
}
// Validate each configuration
foreach ($this->fieldConfigs as $path => $config) {
if (!$this->validateFieldPath($path) || !$this->validateFieldConfig($config)) {
return false;
}
}
return true;
}
/**
* Validate a field path.
*
* Intentionally accepts mixed type to validate any input during configuration validation.
*
* @param mixed $path
*/
private function validateFieldPath(mixed $path): bool
{
return is_string($path) && $path !== '' && $path !== '0';
}
/**
* Validate a field configuration.
*
* @param mixed $config
*/
private function validateFieldConfig(mixed $config): bool
{
if (!($config instanceof FieldMaskConfig) && !is_string($config)) {
return false;
}
// Validate regex patterns in FieldMaskConfig
if ($config instanceof FieldMaskConfig && $config->hasRegexPattern()) {
return $this->validateRegexPattern($config->getRegexPattern());
}
return true;
}
/**
* Validate a regex pattern.
*/
private function validateRegexPattern(?string $pattern): bool
{
if ($pattern === null) {
return false;
}
try {
/** @psalm-suppress ArgumentTypeCoercion - Pattern checked for null above */
$testResult = @preg_match($pattern, '');
return $testResult !== false;
} catch (Throwable) {
return false;
}
}
/**
* Get the configuration that applies to a given field path.
*
* @param string $path The field path to check
* @return FieldMaskConfig|string|null The configuration or null if no match
*/
private function getConfigForPath(string $path): FieldMaskConfig|string|null
{
// First try exact matches
if (isset($this->fieldConfigs[$path])) {
return $this->fieldConfigs[$path];
}
// Then try pattern matches
foreach ($this->fieldConfigs as $configPath => $config) {
if ($this->pathMatches($path, $configPath)) {
return $config;
}
}
return null;
}
/**
* Apply field configuration to a value.
*
* @param mixed $value The value to mask
* @param FieldMaskConfig|string $config The masking configuration
* @param string $path The field path for error context
* @return mixed The masked value
*
* @throws MaskingOperationFailedException
*/
private function applyFieldConfig(mixed $value, FieldMaskConfig|string $config, string $path): mixed
{
// Simple string replacement
if (is_string($config)) {
return $config;
}
// FieldMaskConfig handling
return $this->applyFieldMaskConfig($value, $config, $path);
}
/**
* Apply a FieldMaskConfig to a value.
*
* @param mixed $value The value to mask
* @param FieldMaskConfig $config The mask configuration
* @param string $path The field path for error context
* @return mixed The masked value
*
* @throws MaskingOperationFailedException
*/
private function applyFieldMaskConfig(mixed $value, FieldMaskConfig $config, string $path): mixed
{
// Handle removal
if ($config->shouldRemove()) {
return null; // This will be handled by the processor to remove the field
}
// Handle regex masking
if ($config->hasRegexPattern()) {
return $this->applyRegexMasking($value, $config, $path);
}
// Handle static replacement
return $this->applyStaticReplacement($value, $config);
}
/**
* Apply regex masking to a value.
*
* @throws MaskingOperationFailedException
*/
private function applyRegexMasking(mixed $value, FieldMaskConfig $config, string $path): mixed
{
try {
$stringValue = $this->valueToString($value);
$pattern = $config->getRegexPattern();
if ($pattern === null) {
throw MaskingOperationFailedException::fieldPathMaskingFailed(
$path,
$value,
'Regex pattern is null'
);
}
$replacement = $config->getReplacement() ?? Mask::MASK_MASKED;
/** @psalm-suppress ArgumentTypeCoercion - Pattern validated during construction */
$result = preg_replace($pattern, $replacement, $stringValue);
if ($result === null) {
throw MaskingOperationFailedException::fieldPathMaskingFailed(
$path,
$value,
'Regex replacement failed'
);
}
return $this->preserveValueType($value, $result);
} catch (MaskingOperationFailedException $e) {
throw $e;
} catch (Throwable $e) {
throw MaskingOperationFailedException::fieldPathMaskingFailed(
$path,
$value,
'Regex processing failed: ' . $e->getMessage(),
$e
);
}
}
/**
* Apply static replacement to a value, preserving type when possible.
*/
private function applyStaticReplacement(mixed $value, FieldMaskConfig $config): mixed
{
$replacement = $config->getReplacement();
if ($replacement === null) {
return $value;
}
// Try to preserve type if the replacement can be converted
$result = $replacement;
if (is_int($value) && is_numeric($replacement)) {
$result = (int) $replacement;
} elseif (is_float($value) && is_numeric($replacement)) {
$result = (float) $replacement;
} elseif (is_bool($value)) {
$result = filter_var($replacement, FILTER_VALIDATE_BOOLEAN);
}
return $result;
}
}

82
src/Strategies/MaskingStrategyInterface.php Normal file
View File

@@ -0,0 +1,82 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Strategies;
use Ivuorinen\MonologGdprFilter\Exceptions\MaskingOperationFailedException;
use Ivuorinen\MonologGdprFilter\Exceptions\GdprProcessorException;
use Monolog\LogRecord;
/**
* Interface for implementing custom masking strategies.
*
* This interface allows for pluggable masking approaches, enabling users to
* create custom masking logic while maintaining consistency with the library's
* architecture.
*
* @api
*/
interface MaskingStrategyInterface
{
/**
* Apply masking to a given value.
*
* @param mixed $value The value to be masked
* @param string $path The field path (dot notation) where the value was found
* @param LogRecord $logRecord The complete log record for context
* @return mixed The masked value
*
* @throws MaskingOperationFailedException
*/
public function mask(mixed $value, string $path, LogRecord $logRecord): mixed;
/**
* Determine if this strategy should be applied to the given value/context.
*
* @param mixed $value The value to potentially mask
* @param string $path The field path (dot notation) where the value was found
* @param LogRecord $logRecord The complete log record for context
* @return bool True if this strategy should be applied, false otherwise
*/
public function shouldApply(mixed $value, string $path, LogRecord $logRecord): bool;
/**
* Get a human-readable name for this masking strategy.
*
* @return string The strategy name (e.g., "Regex Pattern", "Credit Card", "Email")
*/
public function getName(): string;
/**
* Get the priority of this strategy (higher number = higher priority).
*
* When multiple strategies match, the one with highest priority is used.
* Built-in strategies use priorities in the range 0-100.
*
* @return int The priority level (0-1000, where 1000 is highest priority)
*/
public function getPriority(): int;
/**
* Get configuration options for this strategy.
*
* This can be used by management interfaces to display strategy settings
* or for serialization/deserialization of strategy configurations.
*
* @return array<string, mixed> Configuration options as key-value pairs
*/
public function getConfiguration(): array;
/**
* Validate the strategy configuration and dependencies.
*
* This method should check that the strategy is properly configured
* and can function correctly with the current environment.
*
* @return bool True if the strategy is valid and ready to use
*
* @throws GdprProcessorException
*/
public function validate(): bool;
}

257
src/Strategies/RegexMaskingStrategy.php Normal file
View File

@@ -0,0 +1,257 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Strategies;
use Throwable;
use Error;
use Monolog\LogRecord;
use Ivuorinen\MonologGdprFilter\Exceptions\MaskingOperationFailedException;
use Ivuorinen\MonologGdprFilter\Exceptions\InvalidRegexPatternException;
/**
* Regex-based masking strategy.
*
* Applies regex pattern matching to mask sensitive data based on patterns.
* Supports multiple patterns with corresponding replacements.
*
* @api
*/
class RegexMaskingStrategy extends AbstractMaskingStrategy
{
/**
* @param array<string, string> $patterns Array of regex pattern => replacement pairs
* @param array<string> $includePaths Optional field paths to include (empty = all paths)
* @param array<string> $excludePaths Optional field paths to exclude
* @param int $priority Strategy priority (default: 60)
*/
public function __construct(
private readonly array $patterns,
private readonly array $includePaths = [],
private readonly array $excludePaths = [],
int $priority = 60
) {
parent::__construct($priority, [
'patterns' => $patterns,
'include_paths' => $includePaths,
'exclude_paths' => $excludePaths,
]);
$this->validatePatterns();
}
/**
* {@inheritdoc}
*/
#[\Override]
public function mask(mixed $value, string $path, LogRecord $logRecord): mixed
{
try {
$stringValue = $this->valueToString($value);
$maskedString = $this->applyPatterns($stringValue);
return $this->preserveValueType($value, $maskedString);
} catch (Throwable $throwable) {
throw MaskingOperationFailedException::regexMaskingFailed(
implode(', ', array_keys($this->patterns)),
$this->generateValuePreview($value),
$throwable->getMessage(),
$throwable
);
}
}
/**
* {@inheritdoc}
*/
#[\Override]
public function shouldApply(mixed $value, string $path, LogRecord $logRecord): bool
{
// Check exclude paths first
foreach ($this->excludePaths as $excludePath) {
if ($this->pathMatches($path, $excludePath)) {
return false;
}
}
// If include paths are specified, check them
if ($this->includePaths !== []) {
$included = false;
foreach ($this->includePaths as $includePath) {
if ($this->pathMatches($path, $includePath)) {
$included = true;
break;
}
}
if (!$included) {
return false;
}
}
// Check if value contains any pattern matches
try {
$stringValue = $this->valueToString($value);
return $this->hasPatternMatches($stringValue);
} catch (MaskingOperationFailedException) {
return false;
}
}
/**
* {@inheritdoc}
*/
#[\Override]
public function getName(): string
{
$patternCount = count($this->patterns);
return sprintf('Regex Pattern Masking (%d patterns)', $patternCount);
}
/**
* {@inheritdoc}
*/
#[\Override]
public function validate(): bool
{
if ($this->patterns === []) {
return false;
}
try {
$this->validatePatterns();
return true;
} catch (InvalidRegexPatternException) {
return false;
}
}
/**
* Apply all regex patterns to a string value.
*
* @param string $value The string to process
* @return string The processed string with patterns applied
* @throws MaskingOperationFailedException
*/
private function applyPatterns(string $value): string
{
$result = $value;
foreach ($this->patterns as $pattern => $replacement) {
try {
/** @psalm-suppress ArgumentTypeCoercion - Pattern validated during construction */
$processedResult = preg_replace($pattern, $replacement, $result);
if ($processedResult === null) {
throw MaskingOperationFailedException::regexMaskingFailed(
$pattern,
$value,
'preg_replace returned null - possible PCRE error'
);
}
$result = $processedResult;
} catch (Error $e) {
throw MaskingOperationFailedException::regexMaskingFailed(
$pattern,
$value,
'Pattern execution failed: ' . $e->getMessage(),
$e
);
}
}
return $result;
}
/**
* Check if a string contains any pattern matches.
*
* @param string $value The string to check
* @return bool True if any patterns match
*/
private function hasPatternMatches(string $value): bool
{
foreach (array_keys($this->patterns) as $pattern) {
try {
/** @psalm-suppress ArgumentTypeCoercion - Pattern validated during construction */
if (preg_match($pattern, $value) === 1) {
return true;
}
} catch (Error) {
// Skip invalid patterns during matching
continue;
}
}
return false;
}
/**
* Validate all regex patterns.
*
* @throws InvalidRegexPatternException
*/
private function validatePatterns(): void
{
foreach (array_keys($this->patterns) as $pattern) {
$this->validateSinglePattern($pattern);
}
}
/**
* Validate a single regex pattern.
*
* @param string $pattern The pattern to validate
*
* @throws InvalidRegexPatternException
*/
private function validateSinglePattern(string $pattern): void
{
// Test pattern compilation by attempting a match
/** @psalm-suppress ArgumentTypeCoercion - Pattern validated during construction */
$testResult = @preg_match($pattern, '');
if ($testResult === false) {
$error = preg_last_error();
throw InvalidRegexPatternException::compilationFailed($pattern, $error);
}
// Basic ReDoS detection - look for potentially dangerous patterns
if ($this->detectReDoSRisk($pattern)) {
throw InvalidRegexPatternException::redosVulnerable(
$pattern,
'Pattern contains potentially catastrophic backtracking sequences'
);
}
}
/**
* Basic ReDoS (Regular Expression Denial of Service) risk detection.
*
* @param string $pattern The pattern to analyze
* @return bool True if pattern appears to have ReDoS risk
*/
private function detectReDoSRisk(string $pattern): bool
{
// Look for common ReDoS patterns
$riskyPatterns = [
'/\([^)]*\+[^)]*\)[*+]/', // (x+)+ or (x+)*
'/\([^)]*\*[^)]*\)[*+]/', // (x*)+ or (x*)*
'/\([^)]*\+[^)]*\)\{[0-9,]+\}/', // (x+){n,m}
'/\([^)]*\*[^)]*\)\{[0-9,]+\}/', // (x*){n,m}
'/\(\.\*\s*\|\s*\.\*\)/', // (.*|.*) - identical alternations
'/\(\.\+\s*\|\s*\.\+\)/', // (.+|.+) - identical alternations
'/\([a-zA-Z0-9]+(\s*\|\s*[a-zA-Z0-9]+){2,}\)\*/', // Multiple overlapping alternations with *
'/\([a-zA-Z0-9]+(\s*\|\s*[a-zA-Z0-9]+){2,}\)\+/', // Multiple overlapping alternations with +
];
foreach ($riskyPatterns as $riskyPattern) {
if (preg_match($riskyPattern, $pattern) === 1) {
return true;
}
}
return false;
}
}

347
src/Strategies/StrategyManager.php Normal file
View File

@@ -0,0 +1,347 @@
<?php
declare(strict_types=1);
namespace Ivuorinen\MonologGdprFilter\Strategies;
use Throwable;
use Monolog\LogRecord;
use Ivuorinen\MonologGdprFilter\Exceptions\MaskingOperationFailedException;
use Ivuorinen\MonologGdprFilter\Exceptions\GdprProcessorException;
/**
* Strategy manager for coordinating multiple masking strategies.
*
* Manages a collection of masking strategies, applies them in priority order,
* and provides utilities for strategy validation and introspection.
*
* @api
*/
class StrategyManager
{
/** @var array<MaskingStrategyInterface> */
private array $strategies = [];
/** @var array<MaskingStrategyInterface> */
private array $sortedStrategies = [];
private bool $needsSorting = false;
/**
* @param array<MaskingStrategyInterface> $strategies Initial strategies to register
*/
public function __construct(array $strategies = [])
{
foreach ($strategies as $strategy) {
$this->addStrategy($strategy);
}
}
/**
* Add a masking strategy.
*
* @param MaskingStrategyInterface $strategy The strategy to add
*
* @throws GdprProcessorException If strategy validation fails
*/
public function addStrategy(MaskingStrategyInterface $strategy): static
{
if (!$strategy->validate()) {
throw GdprProcessorException::withContext(
'Invalid masking strategy',
[
'strategy_name' => $strategy->getName(),
'strategy_class' => $strategy::class,
'configuration' => $strategy->getConfiguration(),
]
);
}
$this->strategies[] = $strategy;
$this->needsSorting = true;
return $this;
}
/**
* Remove a strategy by instance.
*
* @param MaskingStrategyInterface $strategy The strategy to remove
* @return bool True if the strategy was found and removed
*/
public function removeStrategy(MaskingStrategyInterface $strategy): bool
{
$key = array_search($strategy, $this->strategies, true);
if ($key !== false) {
unset($this->strategies[$key]);
$this->strategies = array_values($this->strategies);
$this->needsSorting = true;
return true;
}
return false;
}
/**
* Remove all strategies of a specific class.
*
* @param string $className The class name to remove
*
* @return int The number of strategies removed
*
* @psalm-return int<0, max>
*/
public function removeStrategiesByClass(string $className): int
{
/** @var int<0, max> $removed */
$removed = 0;
$this->strategies = array_filter(
$this->strategies,
function (MaskingStrategyInterface $strategy) use ($className, &$removed): bool {
if ($strategy instanceof $className) {
$removed++;
return false;
}
return true;
}
);
if ($removed > 0) {
$this->strategies = array_values($this->strategies);
$this->needsSorting = true;
}
return $removed;
}
/**
* Clear all strategies.
*/
public function clearStrategies(): static
{
$this->strategies = [];
$this->sortedStrategies = [];
$this->needsSorting = false;
return $this;
}
/**
* Apply masking strategies to a value.
*
* @param mixed $value The value to mask
* @param string $path The field path where the value was found
* @param LogRecord $logRecord The complete log record for context
* @return mixed The masked value
*
* @throws MaskingOperationFailedException
*/
public function maskValue(mixed $value, string $path, LogRecord $logRecord): mixed
{
$strategies = $this->getSortedStrategies();
if ($strategies === []) {
return $value; // No strategies configured
}
// Find the first applicable strategy (highest priority)
foreach ($strategies as $strategy) {
if ($strategy->shouldApply($value, $path, $logRecord)) {
try {
return $strategy->mask($value, $path, $logRecord);
} catch (Throwable $e) {
throw MaskingOperationFailedException::customCallbackFailed(
$path,
$value,
sprintf(
"Strategy '%s' failed: %s",
$strategy->getName(),
$e->getMessage()
),
$e
);
}
}
}
// No applicable strategy found
return $value;
}
/**
* Check if any strategy would apply to a given value/context.
*
* @param mixed $value The value to check
* @param string $path The field path where the value was found
* @param LogRecord $logRecord The complete log record for context
* @return bool True if at least one strategy would apply
*/
public function hasApplicableStrategy(mixed $value, string $path, LogRecord $logRecord): bool
{
foreach ($this->getSortedStrategies() as $strategy) {
if ($strategy->shouldApply($value, $path, $logRecord)) {
return true;
}
}
return false;
}
/**
* Get all applicable strategies for a given value/context.
*
* @param mixed $value The value to check
* @param string $path The field path where the value was found
* @param LogRecord $logRecord The complete log record for context
*
* @return MaskingStrategyInterface[] Applicable strategies in priority order
*
* @psalm-return list<MaskingStrategyInterface>
*/
public function getApplicableStrategies(mixed $value, string $path, LogRecord $logRecord): array
{
$applicable = [];
foreach ($this->getSortedStrategies() as $strategy) {
if ($strategy->shouldApply($value, $path, $logRecord)) {
$applicable[] = $strategy;
}
}
return $applicable;
}
/**
* Get all registered strategies.
*
* @return array<MaskingStrategyInterface> All strategies
*/
public function getAllStrategies(): array
{
return $this->strategies;
}
/**
* Get strategies sorted by priority (highest first).
*
* @return MaskingStrategyInterface[] Sorted strategies
*
* @psalm-return list<MaskingStrategyInterface>
*/
public function getSortedStrategies(): array
{
if ($this->needsSorting || $this->sortedStrategies === []) {
$this->sortedStrategies = $this->strategies;
usort($this->sortedStrategies, fn($a, $b): int => $b->getPriority() <=> $a->getPriority());
$this->needsSorting = false;
}
return $this->sortedStrategies;
}
/**
* Get strategy statistics.
*
* @return (((array|int|string)[]|int)[]|int)[]
*
* @psalm-return array{total_strategies: int<0, max>, strategy_types: array<string, 1|2>, priority_distribution: array{'90-100 (Critical)'?: 1|2, '80-89 (High)'?: 1|2, '60-79 (Medium-High)'?: 1|2, '40-59 (Medium)'?: 1|2, '20-39 (Low-Medium)'?: 1|2, '0-19 (Low)'?: 1|2}, strategies: list{0?: array{name: string, class: string, priority: int<min, max>, configuration: array<string, mixed>},...}}
*/
public function getStatistics(): array
{
$strategies = $this->getAllStrategies();
$stats = [
'total_strategies' => count($strategies),
'strategy_types' => [],
'priority_distribution' => [],
'strategies' => [],
];
foreach ($strategies as $strategy) {
$className = $strategy::class;
$lastBackslashPos = strrpos($className, '\\');
$shortName = $lastBackslashPos !== false ? substr($className, $lastBackslashPos + 1) : $className;
// Count by type
$stats['strategy_types'][$shortName] = ($stats['strategy_types'][$shortName] ?? 0) + 1;
// Priority distribution
$priority = $strategy->getPriority();
$priorityRange = match (true) {
$priority >= 90 => '90-100 (Critical)',
$priority >= 80 => '80-89 (High)',
$priority >= 60 => '60-79 (Medium-High)',
$priority >= 40 => '40-59 (Medium)',
$priority >= 20 => '20-39 (Low-Medium)',
default => '0-19 (Low)',
};
$stats['priority_distribution'][$priorityRange] = (
$stats['priority_distribution'][$priorityRange] ?? 0
) + 1;
// Individual strategy info
$stats['strategies'][] = [
'name' => $strategy->getName(),
'class' => $shortName,
'priority' => $priority,
'configuration' => $strategy->getConfiguration(),
];
}
return $stats;
}
/**
* Validate all registered strategies.
*
* @return string[]
*
* @psalm-return array<string, string>
*/
public function validateAllStrategies(): array
{
$errors = [];
foreach ($this->strategies as $strategy) {
try {
if (!$strategy->validate()) {
$errors[$strategy->getName()] = 'Strategy validation failed';
}
} catch (Throwable $e) {
$errors[$strategy->getName()] = 'Validation error: ' . $e->getMessage();
}
}
return $errors;
}
/**
* Create a default strategy manager with common strategies.
*
* @param array<string, string> $regexPatterns Regex patterns for RegexMaskingStrategy
* @param array<string, mixed> $fieldConfigs Field configurations for FieldPathMaskingStrategy
* @param array<string, string> $typeMasks Type masks for DataTypeMaskingStrategy
*/
public static function createDefault(
array $regexPatterns = [],
array $fieldConfigs = [],
array $typeMasks = []
): self {
$manager = new self();
// Add regex strategy if patterns provided
if ($regexPatterns !== []) {
$manager->addStrategy(new RegexMaskingStrategy($regexPatterns));
}
// Add field path strategy if configs provided
if ($fieldConfigs !== []) {
$manager->addStrategy(new FieldPathMaskingStrategy($fieldConfigs));
}
// Add data type strategy if masks provided
if ($typeMasks !== []) {
$manager->addStrategy(new DataTypeMaskingStrategy($typeMasks));
}
return $manager;
}
}