ahmido
cd811cff4f
## Summary - replace broad substring-based masking with a shared exact/path-based secret classifier and workspace-scoped fingerprint hashing - persist protected snapshot metadata on `policy_versions` and keep secret-only changes visible in compare, drift, restore, review, verification, and ops surfaces - add Spec 120 artifacts, audit documentation, and focused Pest regression coverage for snapshot, audit, verification, review-pack, and notification behavior ## Validation - `vendor/bin/sail artisan test --compact tests/Feature/Intune/PolicySnapshotRedactionTest.php tests/Feature/Intune/PolicySnapshotFingerprintIsolationTest.php tests/Feature/ReviewPack/ReviewPackRedactionIntegrityTest.php tests/Feature/OpsUx/OperationRunNotificationRedactionTest.php tests/Feature/Verification/VerificationReportViewerDbOnlyTest.php` - `vendor/bin/sail bin pint --dirty --format agent` ## Spec / checklist status | Checklist | Total | Completed | Incomplete | Status | |-----------|-------|-----------|------------|--------| | requirements.md | 16 | 16 | 0 | ✓ PASS | - `tasks.md`: T001-T032 complete - `tasks.md`: T033 manual quickstart validation is still open and noted for follow-up ## Filament / platform notes - Livewire v4 compliance is unchanged - no panel provider changes; `bootstrap/providers.php` remains the registration location - no new globally searchable resources were introduced, so global search requirements are unchanged - no new destructive Filament actions were added - no new Filament assets were added; no `filament:assets` deployment change is required ## Testing coverage touched - snapshot persistence and fingerprint isolation - compare/drift protected-change evidence - audit, verification, review-pack, ops-failure, and notification sanitization - viewer/read-only Filament presentation updates Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #146
72 lines
1.9 KiB
PHP
72 lines
1.9 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Services\Intune;
|
|
|
|
use Illuminate\Support\Str;
|
|
use RuntimeException;
|
|
|
|
final class SecretFingerprintHasher
|
|
{
|
|
public function fingerprint(int $workspaceId, string $sourceBucket, string $jsonPointer, mixed $secretValue): string
|
|
{
|
|
if ($workspaceId <= 0) {
|
|
throw new RuntimeException('Workspace-scoped secret fingerprinting requires a valid workspace ID.');
|
|
}
|
|
|
|
$payload = implode('|', [
|
|
trim($sourceBucket),
|
|
trim($jsonPointer),
|
|
$this->normalizeSecretValue($secretValue),
|
|
]);
|
|
|
|
return hash_hmac('sha256', $payload, $this->workspaceKey($workspaceId));
|
|
}
|
|
|
|
private function workspaceKey(int $workspaceId): string
|
|
{
|
|
$appKey = (string) config('app.key', '');
|
|
|
|
if ($appKey === '') {
|
|
throw new RuntimeException('App key is required for secret fingerprinting.');
|
|
}
|
|
|
|
if (Str::startsWith($appKey, 'base64:')) {
|
|
$decoded = base64_decode(Str::after($appKey, 'base64:'), true);
|
|
|
|
if ($decoded !== false) {
|
|
$appKey = $decoded;
|
|
}
|
|
}
|
|
|
|
return hash_hmac('sha256', 'policy-version-secret-fingerprints|'.$workspaceId, $appKey, true);
|
|
}
|
|
|
|
private function normalizeSecretValue(mixed $secretValue): string
|
|
{
|
|
$normalized = $this->normalizeValue($secretValue);
|
|
|
|
return json_encode($normalized, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
|
|
}
|
|
|
|
private function normalizeValue(mixed $value): mixed
|
|
{
|
|
if (! is_array($value)) {
|
|
return $value;
|
|
}
|
|
|
|
if (array_is_list($value)) {
|
|
return array_map(fn (mixed $item): mixed => $this->normalizeValue($item), $value);
|
|
}
|
|
|
|
ksort($value);
|
|
|
|
foreach ($value as $key => $item) {
|
|
$value[$key] = $this->normalizeValue($item);
|
|
}
|
|
|
|
return $value;
|
|
}
|
|
}
|