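package org.owasp.security.logging.filter;

import java.util.ArrayList;
import java.util.List;

import org.owasp.security.logging.SecurityMarkers;
import org.slf4j.Marker;

import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.filter.AbstractMatcherFilter;
import ch.qos.logback.core.spi.FilterReply;

/**
 * Filters logging for information classification markers. If a logging event
 * has an information classification marker (RESTRICTED, CONFIDENTIAL, SECRET,
 * TOP_SECRET) attached to it, it will fail the filter.
 *
 * This is useful to <i>exclude</i> classified information from a general log
 * file.
 *
 * <p>
 * The decision is based only on the marker attached to the event. An event
 * that carries classified data but no classification marker is not denied by
 * this filter, so the protection depends on callers marking such events.
 *
 * @author August Detlefsen [augustd@codemagi.com]
 */
public class ExcludeClassifiedMarkerFilter extends AbstractMatcherFilter<ILoggingEvent> {

    /**
     * The classification markers that cause an event to be denied.
     *
     * NOTE(review): this list is public and mutable, and it is shared by every
     * instance of the filter. Code that adds or removes entries changes what
     * all instances exclude, and ArrayList is not safe to modify while
     * decide() iterates over it on another thread. If no caller relies on
     * mutating it, exposing an unmodifiable view would be safer - confirm
     * against the callers before changing.
     */
    public static final List<Marker> markersToMatch = new ArrayList<Marker>(4);

    static {
        markersToMatch.add(SecurityMarkers.RESTRICTED);
        markersToMatch.add(SecurityMarkers.CONFIDENTIAL);
        markersToMatch.add(SecurityMarkers.SECRET);
        markersToMatch.add(SecurityMarkers.TOP_SECRET);
    }

    /**
     * Decides whether an event may pass, based on its classification marker.
     *
     * @param event the logging event to inspect
     * @return {@link FilterReply#DENY} when the event's marker is, or
     *         contains, one of {@link #markersToMatch}; otherwise
     *         {@link FilterReply#NEUTRAL}
     */
    @Override
    public FilterReply decide(ILoggingEvent event) {
        // A filter that has not been started makes no decision, so it
        // excludes nothing: a classified event gets NEUTRAL here as well.
        if (!isStarted()) {
            return FilterReply.NEUTRAL;
        }

        // Only the marker returned by getMarker() is examined.
        // NOTE(review): newer logback releases expose getMarkerList() for
        // events that carry several markers - confirm against the logback
        // version in use that no marker is missed here.
        Marker eventMarker = event.getMarker();
        if (eventMarker == null) {
            return FilterReply.NEUTRAL;
        }

        return isClassified(eventMarker) ? FilterReply.DENY : FilterReply.NEUTRAL;
    }

    /**
     * Tells whether a marker is, or contains, one of the classified markers.
     */
    private static boolean isClassified(Marker eventMarker) {
        // simple case: a single marker with no references
        if (!eventMarker.hasReferences()) {
            return markersToMatch.contains(eventMarker);
        }

        // a marker with references: look for any classified marker inside it
        for (Marker classified : markersToMatch) {
            if (eventMarker.contains(classified)) {
                return true;
            }
        }
        return false;
    }
}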