<?php
declare(strict_types=1);
use App\Services\TenantConfiguration\EntraCoverageComparator;
use App\Services\TenantConfiguration\EntraRenderableSummaryBuilder;
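it('Spec421 keeps secret-bearing values out of render and compare output', function (): void {
    // Sentinel secrets. Each value is unique to this test, so finding one in the
    // serialized output means the field it was planted in leaked. The values use
    // only ASCII letters, digits and hyphens, which json_encode() leaves unescaped;
    // a sentinel containing "/" or non-ASCII text would be escaped and the
    // substring checks below would miss it.
    $payload = [
        'id' => 'cap-1',
        'displayName' => 'Require MFA',
        'state' => 'enabled',
        'conditions' => ['users' => ['includeUsers' => ['All']]],
        'grantControls' => ['builtInControls' => ['mfa']],
        'clientSecret' => 'spec421-client-secret',
        'privateKey' => 'spec421-private-key',
        'headers' => ['Authorization' => 'Bearer spec421-token'],
        'cookies' => ['set-cookie' => 'spec421-cookie'],
        'auditMetadata' => ['raw_payload' => ['secret' => 'spec421-audit-secret']],
        'operationRunContext' => ['access_token' => 'spec421-run-token'],
    ];

    // The second side of the comparison carries rotated sentinels. If both sides
    // held identical secrets, a comparator that reports only changed values would
    // have nothing to report for these fields and the leak-on-diff path would go
    // untested.
    $changed = [
        ...$payload,
        'clientSecret' => 'spec421-rotated-client-secret',
        'privateKey' => 'spec421-rotated-private-key',
        'headers' => ['Authorization' => 'Bearer spec421-rotated-token'],
        'cookies' => ['set-cookie' => 'spec421-rotated-cookie'],
        'auditMetadata' => ['raw_payload' => ['secret' => 'spec421-rotated-audit-secret']],
        'operationRunContext' => ['access_token' => 'spec421-rotated-run-token'],
        'modifiedDateTime' => '2026-06-27T12:00:00Z',
    ];

    $summary = app(EntraRenderableSummaryBuilder::class)->build('conditionalAccessPolicy', $payload);
    $compare = app(EntraCoverageComparator::class)->compare('conditionalAccessPolicy', $payload, $changed);

    // Serialize both results together so a leak anywhere in either structure,
    // at any nesting depth, shows up as a plain substring.
    $encoded = json_encode([$summary, $compare], JSON_THROW_ON_ERROR);

    expect($encoded)->not->toContain('spec421-client-secret')
        ->and($encoded)->not->toContain('spec421-private-key')
        ->and($encoded)->not->toContain('spec421-token')
        ->and($encoded)->not->toContain('spec421-cookie')
        ->and($encoded)->not->toContain('spec421-audit-secret')
        ->and($encoded)->not->toContain('spec421-run-token')
        // Every rotated sentinel shares this prefix, so one check covers all six.
        ->and($encoded)->not->toContain('spec421-rotated-')
        // The summary must also name what it withheld, so reviewers can tell a
        // redacted field from an absent one.
        ->and($summary['redacted_fields'])->toContain(
            'clientSecret',
            'privateKey',
            'headers.Authorization',
            'cookies',
            'auditMetadata.raw_payload.secret',
            'operationRunContext.access_token',
        );
});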