ahmido
cd811cff4f
## Summary - replace broad substring-based masking with a shared exact/path-based secret classifier and workspace-scoped fingerprint hashing - persist protected snapshot metadata on `policy_versions` and keep secret-only changes visible in compare, drift, restore, review, verification, and ops surfaces - add Spec 120 artifacts, audit documentation, and focused Pest regression coverage for snapshot, audit, verification, review-pack, and notification behavior ## Validation - `vendor/bin/sail artisan test --compact tests/Feature/Intune/PolicySnapshotRedactionTest.php tests/Feature/Intune/PolicySnapshotFingerprintIsolationTest.php tests/Feature/ReviewPack/ReviewPackRedactionIntegrityTest.php tests/Feature/OpsUx/OperationRunNotificationRedactionTest.php tests/Feature/Verification/VerificationReportViewerDbOnlyTest.php` - `vendor/bin/sail bin pint --dirty --format agent` ## Spec / checklist status | Checklist | Total | Completed | Incomplete | Status | |-----------|-------|-----------|------------|--------| | requirements.md | 16 | 16 | 0 | ✓ PASS | - `tasks.md`: T001-T032 complete - `tasks.md`: T033 manual quickstart validation is still open and noted for follow-up ## Filament / platform notes - Livewire v4 compliance is unchanged - no panel provider changes; `bootstrap/providers.php` remains the registration location - no new globally searchable resources were introduced, so global search requirements are unchanged - no new destructive Filament actions were added - no new Filament assets were added; no `filament:assets` deployment change is required ## Testing coverage touched - snapshot persistence and fingerprint isolation - compare/drift protected-change evidence - audit, verification, review-pack, ops-failure, and notification sanitization - viewer/read-only Filament presentation updates Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #146
61 lines
2.0 KiB
PHP
61 lines
2.0 KiB
PHP
<?php
|
|
|
|
use App\Models\Tenant;
|
|
use App\Services\OperationRunService;
|
|
use Illuminate\Notifications\DatabaseNotification;
|
|
|
|
it('sanitizes persisted run failures and terminal notifications', function () {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user, $tenant] = createUserWithTenant($tenant, role: 'owner');
|
|
|
|
/** @var OperationRunService $runs */
|
|
$runs = app(OperationRunService::class);
|
|
|
|
$run = $runs->ensureRun(
|
|
tenant: $tenant,
|
|
type: 'test.sanitize',
|
|
inputs: [],
|
|
initiator: $user,
|
|
);
|
|
|
|
$rawBearer = 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'.str_repeat('A', 90);
|
|
|
|
$runs->updateRun(
|
|
$run,
|
|
status: 'completed',
|
|
outcome: 'failed',
|
|
failures: [[
|
|
'code' => 'graph_forbidden',
|
|
'message' => "Authorization: {$rawBearer} client_secret=supersecret passwordMinimumLength is still readable user=test.user@example.com",
|
|
]],
|
|
);
|
|
|
|
$run->refresh();
|
|
|
|
$failureSummaryJson = json_encode($run->failure_summary, JSON_THROW_ON_ERROR);
|
|
|
|
expect($failureSummaryJson)->not->toContain('client_secret=supersecret');
|
|
expect($failureSummaryJson)->not->toContain($rawBearer);
|
|
expect($failureSummaryJson)->not->toContain('test.user@example.com');
|
|
|
|
expect($run->failure_summary[0]['reason_code'] ?? null)->toBe('provider_permission_denied');
|
|
|
|
$notification = DatabaseNotification::query()
|
|
->where('notifiable_id', $user->getKey())
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($notification)->not->toBeNull();
|
|
|
|
$notificationJson = json_encode($notification?->data, JSON_THROW_ON_ERROR);
|
|
|
|
expect($notificationJson)->not->toContain('client_secret=supersecret');
|
|
expect($notificationJson)->not->toContain($rawBearer);
|
|
expect($notificationJson)->not->toContain('test.user@example.com');
|
|
expect($notificationJson)->toContain('passwordMinimumLength');
|
|
|
|
$this->actingAs($user)
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertSuccessful();
|
|
});
|