<?php
declare(strict_types=1);
use App\Support\Governance\Controls\CanonicalControlCatalog;
use App\Support\Governance\Controls\DetectabilityClass;
use App\Support\Governance\Controls\EvaluationStrategy;
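it('loads stable provider-neutral seed definitions with complete metadata', function (): void {
    $catalog = app(CanonicalControlCatalog::class);

    // The seed catalog is a fixed set; growing or shrinking it must be a deliberate change.
    expect($catalog->all())->toHaveCount(7);

    foreach ($catalog->all() as $definition) {
        // Provider neutrality is checked on a lower-cased copy: toContain() on a string is
        // byte-wise, so a domain key such as "Intune_devices" would otherwise slip through.
        $domainKey = strtolower($definition->domainKey);

        expect($definition->controlKey)->toMatch('/^[a-z][a-z0-9_]*$/')
            ->and($definition->name)->not->toBeEmpty()
            ->and($domainKey)->not->toContain('microsoft')
            ->and($domainKey)->not->toContain('intune')
            ->and($definition->subdomainKey)->not->toBeEmpty()
            ->and($definition->controlClass)->not->toBeEmpty()
            ->and($definition->summary)->not->toBeEmpty()
            ->and($definition->operatorDescription)->not->toBeEmpty()
            ->and($definition->detectabilityClass)->toBeInstanceOf(DetectabilityClass::class)
            ->and($definition->evaluationStrategy)->toBeInstanceOf(EvaluationStrategy::class)
            ->and($definition->evidenceArchetypes)->not->toBeEmpty()
            // Every definition must declare suitability for the same artifact kinds, in this order.
            ->and(array_keys($definition->artifactSuitability->toArray()))->toBe([
                'baseline',
                'drift',
                'finding',
                'exception',
                'evidence',
                'review',
                'report',
            ])
            ->and($definition->historicalStatus)->toBeIn(['active', 'retired']);
    }
});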
it('seeds the first-slice high-value control families', function (): void {
    // Gather the key of every seeded definition; only the set matters, not the order.
    $seededKeys = [];
    foreach (app(CanonicalControlCatalog::class)->all() as $definition) {
        $seededKeys[] = $definition->controlKey;
    }

    $expectedKeys = [
        'audit_log_retention',
        'conditional_access_enforcement',
        'delegated_admin_boundaries',
        'endpoint_hardening_compliance',
        'external_sharing_boundaries',
        'privileged_access_governance',
        'strong_authentication',
    ];

    expect($seededKeys)->toEqualCanonicalizing($expectedKeys);
});
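it('keeps Microsoft bindings secondary to the definition payload', function (): void {
    $catalog = app(CanonicalControlCatalog::class);
    $definition = $catalog->find('endpoint_hardening_compliance');

    // Guard against a vacuous pass: behind a null-safe `?->` a missing control would
    // yield null, and `not->toHaveKey()` on null cannot fail.
    expect($definition)->not->toBeNull();

    $bindings = $catalog->microsoftBindingsForControl('endpoint_hardening_compliance');

    // Provider-specific bindings are exposed beside the definition, never inside its payload.
    expect($definition->toArray())->not->toHaveKey('microsoft_bindings')
        ->and($bindings)->not->toBeEmpty()
        ->and($bindings[0]->toArray()['provider'])->toBe('microsoft');
});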
it('preserves honest detectability, evaluation, and suitability distinctions', function (): void {
    $catalog = app(CanonicalControlCatalog::class);

    $endpointHardening = $catalog->find('endpoint_hardening_compliance');
    $auditLogRetention = $catalog->find('audit_log_retention');

    // Endpoint hardening is expected to be classified DirectTechnical / StateEvaluated.
    expect($endpointHardening?->detectabilityClass)->toBe(DetectabilityClass::DirectTechnical)
        ->and($endpointHardening?->evaluationStrategy)->toBe(EvaluationStrategy::StateEvaluated);

    // Audit log retention is expected to be ExternalEvidenceOnly / ExternallyAttested,
    // unsuitable as a baseline artifact but suitable for review.
    expect($auditLogRetention?->detectabilityClass)->toBe(DetectabilityClass::ExternalEvidenceOnly)
        ->and($auditLogRetention?->evaluationStrategy)->toBe(EvaluationStrategy::ExternallyAttested)
        ->and($auditLogRetention?->artifactSuitability->baseline)->toBeFalse()
        ->and($auditLogRetention?->artifactSuitability->review)->toBeTrue();
});