From fbd9010088dfc194fae67f84a5cce3cc7086994d Mon Sep 17 00:00:00 2001 From: Brandt Kurowski Date: Wed, 5 Nov 2025 16:27:30 +0000 Subject: [PATCH] configure sensitive fields --- README.md | 27 +++++--- config/install/uceap_logging.settings.yml | 2 + config/schema/uceap_logging.schema.yml | 10 +++ src/Form/LoggingSettingsForm.php | 82 +++++++++++++++++++++++ uceap_logging.links.task.yml | 13 ++++ uceap_logging.module | 8 +-- uceap_logging.routing.yml | 7 ++ 7 files changed, 134 insertions(+), 15 deletions(-) create mode 100644 config/install/uceap_logging.settings.yml create mode 100644 config/schema/uceap_logging.schema.yml create mode 100644 src/Form/LoggingSettingsForm.php create mode 100644 uceap_logging.links.task.yml create mode 100644 uceap_logging.routing.yml diff --git a/README.md b/README.md index 7f83770..6fd4c54 100644 --- a/README.md +++ b/README.md 
@@ -135,19 +135,28 @@ When integrated with Monolog and CloudWatch, logs are automatically sent to Clou ### Sensitive Field Masking -By default, the following sensitive fields have their values masked in logs: +The module provides configurable masking of sensitive field values in entity change logs. When sensitive fields are modified, they appear in logs with masked values (e.g., `***MASKED***`) instead of actual values, providing an audit trail while protecting sensitive data. + +#### Default Sensitive Fields + +By default, the following field has its value masked: - `pass` - User passwords -- `uuid` - Entity UUIDs -- `revision_timestamp` - Revision timestamps -- `revision_uid` - Revision authors -- `revision_log` - Revision log messages -- `changed` - Changed timestamps -When these fields are modified, they appear in the logs with masked values (e.g., `***MASKED***`) instead of actual values, providing an audit trail while protecting sensitive data. +#### Configuring Sensitive Fields + +You can customize which fields are masked through the administrative interface: + +1. Navigate to **Configuration** > **Development** > **Logging and errors** (`/admin/config/development/logging`) +2. Click on the **UCEAP Logging** tab +3. Enter field machine names (one per line) in the "Sensitive Fields" textarea +4. Click "Save configuration" -Additionally, computed and internal fields are automatically excluded from logging as they are derived values. +#### Automatically Excluded Fields -To customize which fields are masked, modify the `$sensitive_fields` array in `_uceap_logging_get_entity_field_changes()`. +In addition to user-configured sensitive fields, the following field types are automatically excluded from change tracking entirely: +- Computed fields (derived values) +- Internal fields (system-managed) +- Specific metadata fields: `changed`, `revision_timestamp`, `revision_uid`, `revision_log` ### Logger Channels 
diff --git a/config/install/uceap_logging.settings.yml b/config/install/uceap_logging.settings.yml new file mode 100644 index 0000000..8f412ae --- /dev/null +++ b/config/install/uceap_logging.settings.yml @@ -0,0 +1,2 @@ +sensitive_fields: + - pass diff --git a/config/schema/uceap_logging.schema.yml b/config/schema/uceap_logging.schema.yml new file mode 100644 index 0000000..5d8b974 --- /dev/null +++ b/config/schema/uceap_logging.schema.yml @@ -0,0 +1,10 @@ +uceap_logging.settings: + type: config_object + label: 'UCEAP Logging Settings' + mapping: + sensitive_fields: + type: sequence + label: 'Sensitive fields' + sequence: + type: string + label: 'Field name' diff --git a/src/Form/LoggingSettingsForm.php b/src/Form/LoggingSettingsForm.php new file mode 100644 index 0000000..f3de946 --- /dev/null +++ b/src/Form/LoggingSettingsForm.php @@ -0,0 +1,82 @@ +config('uceap_logging.settings'); + + $form['sensitive_fields'] = [ + '#type' => 'textarea', + '#title' => $this->t('Sensitive Fields'), + '#description' => $this->t('Enter field machine names (one per line) that should have their values masked in entity change logs. When these fields are modified, they will appear in logs with masked values (e.g., ***MASKED***) instead of actual values.'), + '#default_value' => implode("\n", $config->get('sensitive_fields') ?? []), + '#rows' => 10, + ]; + + $form['help'] = [ + '#type' => 'details', + '#title' => $this->t('Examples'), + '#open' => FALSE, + ]; + + $form['help']['examples'] = [ + '#markup' => $this->t('
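Review bot: The new default in config/install/uceap_logging.settings.yml lists only `pass`, while the hard-coded list this commit removes in the uceap_logging.module hunk also masked `field_ssn` and `field_confirm_ssn`, so after this change those values presumably appear unmasked in the change log until an administrator re-adds them by hand. Config in config/install is imported only when the module is first installed; a site that already has the module enabled gets no `uceap_logging.settings` object, and the fallback `$sensitive_fields = $config->get('sensitive_fields') ?? [];` in the module hunk then masks nothing at all, including `pass`. A `hook_update_N()` (or post-update hook) that writes the previous list into config for existing installs would close that gap, and the module hunk could treat a missing setting as a misconfiguration to log rather than as an empty list. Carrying the two SSN field names in this default file as well would keep the shipped behaviour at least as strict as before.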

Common sensitive fields include:

+ +

Note: The following fields are automatically excluded from logging: changed, revision_timestamp, revision_uid, revision_log. Additionally, computed and internal fields are never logged.

'), + ]; + + return parent::buildForm($form, $form_state); + } + + /** + * {@inheritdoc} + */ + public function submitForm(array &$form, FormStateInterface $form_state) { + // Convert textarea input to array. + $sensitive_fields_raw = $form_state->getValue('sensitive_fields'); + $sensitive_fields = array_filter( + array_map('trim', explode("\n", $sensitive_fields_raw)), + function ($field) { + return !empty($field); + } + ); + + $this->config('uceap_logging.settings') + ->set('sensitive_fields', array_values($sensitive_fields)) + ->save(); + + parent::submitForm($form, $form_state); + } + +} diff --git a/uceap_logging.links.task.yml b/uceap_logging.links.task.yml new file mode 100644 index 0000000..d14e9d6 --- /dev/null +++ b/uceap_logging.links.task.yml @@ -0,0 +1,13 @@ +# Create a default tab for the system logging page +system.logging_settings_default: + title: 'Settings' + route_name: system.logging_settings + base_route: system.logging_settings + weight: 0 + +# Add our custom tab +uceap_logging.settings: + title: 'UCEAP Logging' + route_name: uceap_logging.settings + base_route: system.logging_settings + weight: 10 diff --git a/uceap_logging.module b/uceap_logging.module index bbf5914..52cbbe6 100644 --- a/uceap_logging.module +++ b/uceap_logging.module @@ -115,12 +115,8 @@ function _uceap_logging_get_entity_field_changes(ContentEntityInterface $entity, ]; // Sensitive fields that should have values masked in logs. - // TODO make this configurable. - $sensitive_fields = [ - 'field_ssn', - 'field_confirm_ssn', - 'pass', - ]; + $config = \Drupal::config('uceap_logging.settings'); + $sensitive_fields = $config->get('sensitive_fields') ?? []; $changes = []; $field_definitions = $entity->getFieldDefinitions(); diff --git a/uceap_logging.routing.yml b/uceap_logging.routing.yml new file mode 100644 index 0000000..b361612 --- /dev/null +++ b/uceap_logging.routing.yml 
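Review bot: submitForm() in LoggingSettingsForm stores whatever lines the textarea holds, and the lookup in `_uceap_logging_get_entity_field_changes()` is an exact match on the machine name, so a typo or stray character silently means that field is never masked; a validateForm() that rejects anything that cannot be a Drupal field machine name would turn that silent failure into a form error. The filter `function ($field) { return !empty($field); }` also drops a line that is literally `0`, which is harmless here, but `'strlen'` or `$field !== ''` says what is meant. The `#markup` help text repeats the list of automatically excluded fields (`changed`, `revision_timestamp`, `revision_uid`, `revision_log`) that lives in the module, and the two copies will drift unless both read from one constant. The top of this file (the `<?php` header, namespace, use statements and the class declaration up to `$config = $this->`) is not visible in this copy of the patch, so the class header and any constructor could not be reviewed.
```php
  /**
   * {@inheritdoc}
   */
  public function validateForm(array &$form, FormStateInterface $form_state) {
    $lines = array_map('trim', explode("\n", (string) $form_state->getValue('sensitive_fields')));
    foreach (array_filter($lines, 'strlen') as $line) {
      // Field machine names are lowercase letters, digits and underscores; any
      // other input can never match a field and would silently go unmasked.
      if (!preg_match('/^[a-z0-9_]+$/', $line)) {
        $form_state->setErrorByName('sensitive_fields', $this->t('"@name" is not a valid field machine name.', ['@name' => $line]));
      }
    }
    parent::validateForm($form, $form_state);
  }
  // … unchanged: submitForm() …
```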
@@ -0,0 +1,7 @@ +uceap_logging.settings: + path: '/admin/config/development/logging/uceap' + defaults: + _form: '\Drupal\uceap_logging\Form\LoggingSettingsForm' + _title: 'Logging Settings' + requirements: + _permission: 'administer site configuration'