Request to Add Logging for Configuration Events #110157

Open
OlzhabaevSh opened this issue Nov 25, 2024 · 1 comment

@OlzhabaevSh
Contributor

Issue

In many applications, it is crucial to have visibility into the configuration system, especially when debugging issues related to configuration loading and changes.
Currently, the .NET Configuration system does not provide built-in logging for when a new ConfigurationProvider is added or when a configuration provider reads configurations from.

Details

Not having this feature can mislead the debugging process because configurations often come from various sources such as environment variables, initialization files, multiple appsettings files, etc.
By default, there is no built-in mechanism to get a list of all configuration providers and the order in which they are registered in the Dependency Injection (DI) container during runtime.
This can be particularly tricky as different configuration values might override each other without clear visibility into the source and order of these configurations.

Additionally, most of the time, configuration setup can be obtained from a library, and you may not have direct access to the source code to see how the configurations are set up.
This lack of visibility can make it challenging to debug and understand the configuration hierarchy and precedence.

Feature description

Adding built-in logs for the following events:

| Event | Fields |
| --- | --- |
| IConfigurationProvider added | ConfigProviderName |
| A config item was read | ConfigProviderName, KeyName, Value |

Benefits

Adding these logs will help developers:

  • Debug configuration-related issues more effectively.
  • Gain insights into the configuration loading process.
  • Ensure that configuration changes are tracked and monitored.
  • Identify and resolve issues related to configuration value overrides.
  • Understand the configuration setup when using third-party libraries without direct access to their source code.

Risks

During the implementation of this feature, we should consider that some configuration keys may contain sensitive or restricted values.
These values could include passwords, connection strings, API keys, and other confidential information that should not be exposed in logs.
Logging such sensitive information could lead to security vulnerabilities and data breaches.

Mitigation Strategies

  1. Do Not Log Actual Values
  2. Sanitize Values

Do Not Log Actual Values

Avoid logging the actual values of configuration keys. Instead, log only the key names and the source of the configuration. This approach ensures that no sensitive information is exposed in the logs.

Sanitize Values

Implement logic to sanitize certain values before logging. For example, you can mask or redact values that contain sensitive information.
Specifically, you can:

  • Sanitize all values from keys that contain "connectionstring" or "secret" in their names.
  • Apply a general sanitization rule to mask any value that matches a pattern commonly used for sensitive data (e.g., passwords, API keys).
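
The two requested events with the key-name sanitization rule applied, sketched on top of the existing `IConfigurationRoot.Providers` and `IConfigurationProvider.TryGet` APIs. This is an added example, not code from the issue or from dotnet/runtime; `ConfigAudit`, the output format and the sample keys and values are constructed for illustration.

```csharp
// Added example. Requires the Microsoft.Extensions.Configuration package.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

// Constructed sample data: two in-memory providers, the second overriding the first.
IConfigurationRoot root = new ConfigurationBuilder()
    .AddInMemoryCollection(new Dictionary<string, string?>
    {
        ["Logging:Level"] = "Information",
        ["ConnectionStrings:Main"] = "Server=db;Password=constructed-value",
    })
    .AddInMemoryCollection(new Dictionary<string, string?>
    {
        ["Logging:Level"] = "Debug",
        ["Api:ClientSecret"] = "constructed-value",
    })
    .Build();

foreach (string line in ConfigAudit.Describe(root))
    Console.WriteLine(line);

static class ConfigAudit // hypothetical helper, not a .NET type
{
    // Key-name fragments taken from the issue's sanitization rule.
    static readonly string[] SensitiveFragments = { "connectionstring", "secret" };

    public static bool IsSensitive(string key) =>
        SensitiveFragments.Any(f => key.Contains(f, StringComparison.OrdinalIgnoreCase));

    public static IEnumerable<string> Describe(IConfigurationRoot root)
    {
        // Event 1: every provider, in registration order.
        var providers = root.Providers.ToList();
        for (int i = 0; i < providers.Count; i++)
            yield return $"provider[{i}] {providers[i]}";

        // Event 2: for each key, the provider whose value is effective.
        foreach (var (key, _) in root.AsEnumerable().OrderBy(p => p.Key))
        {
            // Later providers override earlier ones, so search from the end.
            for (int i = providers.Count - 1; i >= 0; i--)
            {
                if (!providers[i].TryGet(key, out string? value)) continue;
                string shown = IsSensitive(key) ? "***" : (value ?? "(null)");
                yield return $"key={key} source=provider[{i}] value={shown}";
                break;
            }
        }
    }
}
```

Key-name matching misses secrets stored under other names, so omitting the `value=` field entirely (the first mitigation strategy) is the safer default for production logs.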

@dotnet-policy-service (bot) added the untriaged label (New issue has not been triaged by the area owner) Nov 25, 2024
Contributor

Tagging subscribers to this area: @dotnet/area-extensions-configuration
See info in area-owners.md if you want to be subscribed.

@tarekgh added this to the Future milestone Nov 25, 2024
@tarekgh removed the untriaged label (New issue has not been triaged by the area owner) Nov 25, 2024