TenantAtlas/apps/platform/tests/Feature/Intune/PolicySnapshotFingerprintIsolationTest.php

<?php

declare(strict_types=1);

use App\Models\Policy;
use App\Services\Intune\VersionService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\Support\ProtectedSnapshotAssertions;

uses(RefreshDatabase::class);

it('derives different secret fingerprints per workspace for the same protected value', function (): void {
    [$userA, $tenantA] = createUserWithTenant(role: 'owner');
    [$userB, $tenantB] = createUserWithTenant(role: 'owner');

    $policyA = Policy::factory()->create([
        'managed_environment_id' => (int) $tenantA->getKey(),
        'policy_type' => 'settingsCatalogPolicy',
    ]);

    $policyB = Policy::factory()->create([
        'managed_environment_id' => (int) $tenantB->getKey(),
        'policy_type' => 'settingsCatalogPolicy',
    ]);

    /** @var VersionService $service */
    $service = app(VersionService::class);

    $versionA = $service->captureVersion(
        policy: $policyA,
        payload: [
            'wifi' => [
                'password' => 'same-secret',
            ],
        ],
        createdBy: $userA->email,
    );

    $versionB = $service->captureVersion(
        policy: $policyB,
        payload: [
            'wifi' => [
                'password' => 'same-secret',
            ],
        ],
        createdBy: $userB->email,
    );

    ProtectedSnapshotAssertions::assertFingerprint($versionA->secret_fingerprints, 'snapshot', '/wifi/password');
    ProtectedSnapshotAssertions::assertFingerprint($versionB->secret_fingerprints, 'snapshot', '/wifi/password');

    expect($versionA->secret_fingerprints['snapshot']['/wifi/password'])
        ->not->toBe($versionB->secret_fingerprints['snapshot']['/wifi/password']);
});