Align structured logging grammar

gildesmarais · gildesmarais · commit 996fa53765a6 · 2026-03-22T10:15:23.000+01:00
diff --git a/app/web/config/environment_validator.rb b/app/web/config/environment_validator.rb
@@ -49,12 +49,17 @@ def auto_source_enabled?
 
         def set_development_key
           ENV['HTML2RSS_SECRET_KEY'] = 'development-default-key-not-for-production'
-          puts '⚠️  WARNING: Using default secret key for development/testing only!'
-          puts '   Set HTML2RSS_SECRET_KEY environment variable for production use.'
+          log_development_default_secret_key_warning
+          warn_lines(
+            'WARNING: Using default secret key for development/testing only!',
+            'Set HTML2RSS_SECRET_KEY environment variable for production use.'
+          )
+          nil
         end
 
         def show_production_error
-          puts production_error_message
+          SecurityLogger.log_config_validation_failure('secret_key', 'Missing required secret key')
+          warn_lines(*production_error_message.lines(chomp: true))
           exit 1
         end
 
@@ -79,9 +84,11 @@ def validate_secret_key!
           return unless secret == 'your-generated-secret-key-here' || secret.length < 32
 
           SecurityLogger.log_config_validation_failure('secret_key', 'Invalid or weak secret key')
-          puts '❌ CRITICAL: Invalid secret key for production deployment!'
-          puts '   Secret key must be at least 32 characters and not the default placeholder.'
-          puts '   Generate a secure key: openssl rand -hex 32'
+          warn_lines(
+            'CRITICAL: Invalid secret key for production deployment!',
+            'Secret key must be at least 32 characters and not the default placeholder.',
+            'Generate a secure key: openssl rand -hex 32'
+          )
           exit 1
         end
 
@@ -90,11 +97,35 @@ def validate_account_configuration!
           weak_tokens = accounts.select { |acc| acc[:token].length < 16 }
           return unless weak_tokens.any?
 
+          handle_weak_account_tokens!(weak_tokens)
+        end
+
+        # @param lines [Array<String>]
+        # @return [void]
+        def warn_lines(*lines)
+          lines.each { |line| Kernel.warn(line) }
+          nil
+        end
+
+        # @return [void]
+        def log_development_default_secret_key_warning
+          SecurityLogger.log_config_validation_failure(
+            'secret_key',
+            'Using development default secret key',
+            severity: :warn
+          )
+        end
+
+        # @param weak_tokens [Array<Hash{Symbol=>String}>]
+        # @return [void]
+        def handle_weak_account_tokens!(weak_tokens)
           weak_usernames = weak_tokens.map { |acc| acc[:username] }.join(', ')
           SecurityLogger.log_config_validation_failure('account_tokens', "Weak tokens for users: #{weak_usernames}")
-          puts '❌ CRITICAL: Weak authentication tokens detected in production!'
-          puts '   All tokens must be at least 16 characters long.'
-          puts "   Weak tokens found for users: #{weak_usernames}"
+          warn_lines(
+            'CRITICAL: Weak authentication tokens detected in production!',
+            'All tokens must be at least 16 characters long.',
+            "Weak tokens found for users: #{weak_usernames}"
+          )
           exit 1
         end
       end
diff --git a/app/web/security/security_logger.rb b/app/web/security/security_logger.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'digest'
-require 'time'
 module Html2rss
   module Web
     ##
@@ -103,12 +102,13 @@ def log_blocked_request(ip, reason, endpoint)
         # Log configuration validation failure
         # @param component [String] component that failed validation
         # @param details [String] validation failure details
+        # @param severity [Symbol]
         # @return [void]
-        def log_config_validation_failure(component, details)
+        def log_config_validation_failure(component, details, severity: :error)
           log_event('config_validation_failure', {
                       component: component,
                       details: details
-                    }, severity: :error)
+                    }, severity: severity)
         end
 
         # Log lifecycle events for in-memory config/cache snapshots
@@ -135,7 +135,7 @@ def log_event(event_type, data, severity: :warn)
             level: severity,
             payload: {
               security_event: event_type,
-              **data
+              details: data
             }
           )
         rescue StandardError => error
@@ -148,8 +148,8 @@ def log_event(event_type, data, severity: :warn)
         # @param event_type [String] type of security event
         # @param data [Hash] event data
         def handle_logging_error(error, event_type, data)
-          Kernel.warn("Security logging error: #{error.message}")
-          Kernel.warn("Security event: #{event_type} - #{data}")
+          Kernel.warn("Structured logging fallback: #{error.class}: #{error.message}")
+          Kernel.warn("component=security_logger security_event=#{event_type} details=#{data}")
         end
       end
     end
diff --git a/app/web/telemetry/observability.rb b/app/web/telemetry/observability.rb
@@ -26,8 +26,8 @@ def emit(event_name:, outcome:, details: {}, level: :info)
         # @param outcome [String]
         # @return [void]
         def handle_emit_error(error, event_name, outcome)
-          Kernel.warn("Observability emit error: #{error.message}")
-          Kernel.warn("event_name=#{event_name} outcome=#{outcome}")
+          Kernel.warn("Structured logging fallback: #{error.class}: #{error.message}")
+          Kernel.warn("component=observability event_name=#{event_name} outcome=#{outcome}")
         end
 
         # @param event_name [String]
diff --git a/spec/html2rss/web/environment_validator_spec.rb b/spec/html2rss/web/environment_validator_spec.rb
@@ -4,8 +4,60 @@
 require 'climate_control'
 
 require_relative '../../../app/web/config/environment_validator'
+require_relative '../../../app/web/config/flags'
+require_relative '../../../app/web/security/security_logger'
 
 RSpec.describe Html2rss::Web::EnvironmentValidator do
+  describe '.validate_environment!' do
+    it 'sets a development default secret key without exiting' do
+      allow(Html2rss::Web::SecurityLogger).to receive(:log_config_validation_failure)
+      allow(Kernel).to receive(:warn)
+
+      ClimateControl.modify('RACK_ENV' => 'development', 'HTML2RSS_SECRET_KEY' => nil) do
+        described_class.validate_environment!
+        expect(ENV.fetch('HTML2RSS_SECRET_KEY')).to eq('development-default-key-not-for-production')
+      end
+    end
+
+    it 'logs development default secret key warnings' do
+      allow(Html2rss::Web::SecurityLogger).to receive(:log_config_validation_failure)
+      allow(Kernel).to receive(:warn)
+
+      ClimateControl.modify('RACK_ENV' => 'development', 'HTML2RSS_SECRET_KEY' => nil) do
+        described_class.validate_environment!
+      end
+
+      expect(Html2rss::Web::SecurityLogger).to have_received(:log_config_validation_failure)
+        .with('secret_key', 'Using development default secret key', severity: :warn)
+    end
+
+    it 'logs missing production secret key failures before exiting' do
+      allow(Html2rss::Web::SecurityLogger).to receive(:log_config_validation_failure)
+      allow(Kernel).to receive(:warn)
+
+      ClimateControl.modify('RACK_ENV' => 'production', 'HTML2RSS_SECRET_KEY' => nil) do
+        expect { described_class.validate_environment! }.to raise_error(SystemExit)
+      end
+
+      expect(Html2rss::Web::SecurityLogger).to have_received(:log_config_validation_failure)
+        .with('secret_key', 'Missing required secret key')
+    end
+  end
+
+  describe '.validate_production_security!' do
+    it 'logs weak production secret keys before exiting' do
+      allow(Html2rss::Web::SecurityLogger).to receive(:log_config_validation_failure)
+      allow(Kernel).to receive(:warn)
+
+      ClimateControl.modify('RACK_ENV' => 'production', 'HTML2RSS_SECRET_KEY' => 'short-secret') do
+        expect { described_class.validate_production_security! }.to raise_error(SystemExit)
+      end
+
+      expect(Html2rss::Web::SecurityLogger).to have_received(:log_config_validation_failure)
+        .with('secret_key', 'Invalid or weak secret key')
+    end
+  end
+
   describe '.auto_source_enabled?' do
     context 'when in development' do
       it 'defaults to enabled when flag is not set' do
diff --git a/spec/html2rss/web/log_sanitizer_spec.rb b/spec/html2rss/web/log_sanitizer_spec.rb
@@ -13,6 +13,13 @@
 RSpec.describe Html2rss::Web::LogSanitizer do
   let(:io) { StringIO.new }
   let(:logger) { Logger.new(io).tap { |log| log.formatter = Html2rss::Web::AppLogger.send(:method, :format_entry) } }
+  let(:sanitized_url) do
+    {
+      host: 'news.ycombinator.com',
+      scheme: 'https',
+      hash: Digest::SHA256.hexdigest('https://news.ycombinator.com')[0..11]
+    }
+  end
   let(:context) do
     Html2rss::Web::RequestContext::Context.new(
       request_id: 'req-123',
@@ -45,13 +52,7 @@
   end
 
   it 'replaces logged urls with hashed host metadata' do
-    expected_url = {
-      host: 'news.ycombinator.com',
-      scheme: 'https',
-      hash: url_hash('https://news.ycombinator.com')
-    }
-
-    expect(described_class.sanitize_details(url: 'https://news.ycombinator.com')).to eq(url: expected_url)
+    expect(described_class.sanitize_details(url: 'https://news.ycombinator.com')).to eq(url: sanitized_url)
   end
 
   it 'falls back to a hash for malformed urls' do
@@ -72,14 +73,13 @@
     Html2rss::Web::SecurityLogger.log_token_usage('very-secret-token', 'https://news.ycombinator.com', true)
     payload = JSON.parse(io.string.lines.last, symbolize_names: true)
 
-    expect(payload.slice(:path, :url, :token_hash)).to eq(
+    expect(payload.slice(:path, :details)).to eq(
       path: '/api/v1/feeds/[REDACTED]',
-      url: {
-        host: 'news.ycombinator.com',
-        scheme: 'https',
-        hash: url_hash('https://news.ycombinator.com')
-      },
-      token_hash: Digest::SHA256.hexdigest('very-secret-token')[0..7]
+      details: {
+        url: sanitized_url,
+        token_hash: Digest::SHA256.hexdigest('very-secret-token')[0..7],
+        success: true
+      }
     )
   end
 
@@ -93,11 +93,7 @@
     lines = io.string.lines.map { |line| JSON.parse(line, symbolize_names: true) }
     observability_payload = lines.first
 
-    expect(observability_payload.dig(:details, :url)).to eq(
-      host: 'news.ycombinator.com',
-      scheme: 'https',
-      hash: url_hash('https://news.ycombinator.com')
-    )
+    expect(observability_payload.dig(:details, :url)).to eq(sanitized_url)
   end
 
   it 'formats rack-timeout logfmt as json' do
