feat: Allow some paths to be redacted and some to be removed

[ConradLang]

Purpose

Pino has a limitation where you can either redact or remove specified redact.paths by setting redact.remove to true or false.

In some cases, it's reasonable to want to redact some properties e.g. headers.authorization so you know that you have an authorization header but in other cases, the header, e.g. x-envoy-peer-metadata only contributes to increasing the log message size and therefore cost.

To reduce costs, we should be able to remove the properties that are not relevant for diagnostic purposes.

Approach

A removePaths logger option has been added to allow you to redact some paths and remove other paths.

Example:

const logger = createLogger({
  name: 'my-app',
  redact: {
    paths: ['req.headers["x-redact-this"]'],
    removePaths: ['req.headers["x-remove-this"]'],
  },
});

Default paths can be added for removal if needed (currently an empty list):

logger/src/redact/index.ts

Line 6 in 9c16ede

export const defaultRemovePaths: string[] = [];

If you'd prefer not to remove the default paths, you can opt out by setting ignoreDefaultRemovePaths to true.

Example:

const logger = createLogger({
  name: 'my-app',
  redact: {
    paths: ['req.headers["x-redact-this"]'],
    removePaths: ['req.headers["x-remove-this"]'],
    ignoreDefaultRemovePaths: true,
  },
});

Notes

1. Reverted Vendor redactOptions #42 to allow redactOptions to be extended.
   Running yarn build succeeds without errors.
2. Added an expectation in the test for properties not to be present.

Issues

Resolves #83

[72636c]

?

[ConradLang]

Would a better name be configureCensor?

[72636c]

I'm a bit sceptical of this chaining of two standalone redaction functions. Is it obvious how they both modify opts.redact, and what guarantees that they evolve in a compatible, non-conflicting manner?

At minimum we will want tests that cover combinations of both, especially if we ponder adding default redaction config.

[ConradLang]

I've exported a configureRedact function that ensures the default redact paths are added before the censor is configured.

[72636c]

Are there sensible defaults that we should be thinking of bundling into this package, rather than expecting each team to manually review and add removePaths?

[ConradLang]

There are some x-envoy-* headers likely related to internal routing but I'm not sure if these should be blanket added for all services.

Also, being OSS, should we add default headers for removal or is it ok since it's a SEEK opinionated logger?

[72636c]

It's SEEK opinionated so I'd be fine with any configuration that is not sensitive, and I reckon headers for an OSS project like Envoy would be fine.

Do we have an example of a SEEK application that would be impaired by having x-envoy-* removed by default? We'd presumably allow them to override/disable the defaults if needed.

[ConradLang]

I've asked cloud platform about the x-envoy-* headers so we'll have to wait for an answer.

[72636c]

Ah apologies if I was vague here; I meant adding logic here to remove the headers from logs by default, not changing our infra to stop attaching the headers.

[ConradLang]

@72636c : I've just pushed a change that allows us to add default paths for removal.

Caveat: Since the defaultRemovePaths is empty, it isn't really tested, but you can pull this branch, add a path e.g. req.headers["x-envoy-peer-metadata"] and see the should remove default paths when ignoreDefaultRemovePaths is missing test result.
You might need to console.log({input, log}) in the testLog function to observe.

You can also ignoreDefaultRemovePaths if you don't want the default remove paths to be added.

I had to refactor the addDefaultRedactPathStrings (and rename to appendDefaultRedactAndRemove) to get this working.

Something I'm wondering is should we only override the censor when it is undefined with the caveat that the remove may not work proper?

[ConradLang]

Something I'm wondering is should we only override the censor when it is undefined with the caveat that the remove may not work proper?

I've updated this so that the input censor is used for redaction but removePaths properties are still removed.

[72636c]

This seems a bit dicey. How does the redaction package handle the difference between e.g.

{ a: { b: 'pii' } }

{ 'a.b': 'pii' }

[ConradLang]

I've resolved this issue by refactoring out the key builder and putting in a comprehensive test.

I've used a regular expression as I'm not sure of a better way to work out if the identifier name is out-of-spec.

[ConradLang]

@72636c , @etaoins : Seems like the default redact paths aren't added when redact is an object.

I feel like this may be an issue separate to this PR.

[ConradLang]

I've fixed this in Feat: Enable configuring default remove paths

[kosanna]

Will convert to draft while discussions are in progress

[ConradLang]

Closing this PR as #92 was more appropriate and the concensus from the upstream repo (pinojs/pino#1815) was that a custom serializer was the best option.

To address #83, we could consider adding guidance to the readme around usage of redact and the option to use a custom serializer to remove specific properties with some examples.