Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d3c6773be5e70aa6a2452d9d4cffd229f756a210
Classeo/backend/src/Shared/Infrastructure/Monitoring/SentryBeforeSendCallback.php
Mathias STRASSER d3c6773be5 feat: Observabilité et monitoring complet 
Implémentation complète de la stack d'observabilité pour le monitoring
de la plateforme multi-tenant Classeo.

## Error Tracking (GlitchTip)
- Intégration Sentry SDK avec GlitchTip auto-hébergé
- Scrubber PII avant envoi (RGPD: emails, tokens JWT, NIR français)
- Contexte enrichi: tenant_id, user_id, correlation_id
- Configuration backend (sentry.yaml) et frontend (sentry.ts)

## Metrics (Prometheus)
- Endpoint /metrics avec restriction IP en production
- Métriques HTTP: requests_total, request_duration_seconds (histogramme)
- Métriques sécurité: login_failures_total par tenant
- Métriques santé: health_check_status (postgres, redis, rabbitmq)
- Storage Redis pour persistance entre requêtes

## Logs (Loki)
- Processors Monolog: CorrelationIdLogProcessor, PiiScrubberLogProcessor
- Détection PII: emails, téléphones FR, tokens JWT, NIR français
- Labels structurés: tenant_id, correlation_id, level

## Dashboards (Grafana)
- Dashboard principal: latence P50/P95/P99, error rate, RPS
- Dashboard par tenant: métriques isolées par sous-domaine
- Dashboard infrastructure: santé postgres/redis/rabbitmq
- Datasources avec UIDs fixes pour portabilité

## Alertes (Alertmanager)
- HighApiLatencyP95/P99: SLA monitoring (200ms/500ms)
- HighErrorRate: error rate > 1% pendant 2 min
- ExcessiveLoginFailures: détection brute force
- ApplicationUnhealthy: health check failures

## Infrastructure
- InfrastructureHealthChecker: service partagé (DRY)
- HealthCheckController: endpoint /health pour load balancers
- Pre-push hook: make ci && make e2e avant push
2026-02-04 12:59:12 +01:00

107 lines
2.8 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Shared\Infrastructure\Monitoring;
use const FILTER_VALIDATE_EMAIL;
use function is_array;
use function is_string;
use Sentry\Event;
use Sentry\EventHint;
/**
* Scrubs PII from Sentry events before sending to GlitchTip.
*
* Critical for RGPD compliance (NFR-S3): No personal data in error reports.
* This callback runs as the last step before sending to the error tracking service.
*
* @see Story 1.8 - T1.4: Filter PII before send (scrubber)
*/
final class SentryBeforeSendCallback
{
public function __invoke(Event $event, ?EventHint $hint): Event
{
// Scrub request data
$request = $event->getRequest();
if (!empty($request)) {
$this->scrubArray($request);
$event->setRequest($request);
}
// Scrub extra context
$extra = $event->getExtra();
if (!empty($extra)) {
$this->scrubArray($extra);
$event->setExtra($extra);
}
// Scrub tags that might contain PII
$tags = $event->getTags();
if (!empty($tags)) {
$this->scrubStringArray($tags);
$event->setTags($tags);
}
// Never drop the event - we want all errors tracked
return $event;
}
/**
* Recursively scrub PII from an array.
*
* @param array<array-key, mixed> $data
*/
private function scrubArray(array &$data): void
{
foreach ($data as $key => &$value) {
if (is_string($key) && $this->isPiiKey($key)) {
$value = '[FILTERED]';
} elseif (is_array($value)) {
$this->scrubArray($value);
} elseif (is_string($value) && $this->looksLikePii($value)) {
$value = '[FILTERED]';
}
}
}
/**
* Scrub PII from a string-only array (tags).
*
* @param array<string, string> $data
*/
private function scrubStringArray(array &$data): void
{
foreach ($data as $key => &$value) {
if ($this->isPiiKey($key) || $this->looksLikePii($value)) {
$value = '[FILTERED]';
}
}
}
private function isPiiKey(string $key): bool
{
return PiiPatterns::isSensitiveKey($key);
}
private function looksLikePii(string $value): bool
{
// Filter email-like patterns
if (filter_var($value, FILTER_VALIDATE_EMAIL) !== false) {
return true;
}
// Filter JWT tokens
if (preg_match('/^eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+$/', $value)) {
return true;
}
// Filter UUIDs in specific contexts (but not all - some are legitimate IDs)
// We keep UUIDs as they're often needed for debugging
return false;
}
}
Reference in New Issue View Git Blame Copy Permalink