ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
1f3619bd16
TenantAtlas/tests/Feature/Drift/DriftFindingDetailTest.php
ahmido cd811cff4f Spec 120: harden secret redaction integrity (#146) 
## Summary
- replace broad substring-based masking with a shared exact/path-based secret classifier and workspace-scoped fingerprint hashing
- persist protected snapshot metadata on `policy_versions` and keep secret-only changes visible in compare, drift, restore, review, verification, and ops surfaces
- add Spec 120 artifacts, audit documentation, and focused Pest regression coverage for snapshot, audit, verification, review-pack, and notification behavior

## Validation
- `vendor/bin/sail artisan test --compact tests/Feature/Intune/PolicySnapshotRedactionTest.php tests/Feature/Intune/PolicySnapshotFingerprintIsolationTest.php tests/Feature/ReviewPack/ReviewPackRedactionIntegrityTest.php tests/Feature/OpsUx/OperationRunNotificationRedactionTest.php tests/Feature/Verification/VerificationReportViewerDbOnlyTest.php`
- `vendor/bin/sail bin pint --dirty --format agent`

## Spec / checklist status
| Checklist | Total | Completed | Incomplete | Status |
|-----------|-------|-----------|------------|--------|
| requirements.md | 16 | 16 | 0 | ✓ PASS |

- `tasks.md`: T001-T032 complete
- `tasks.md`: T033 manual quickstart validation is still open and noted for follow-up

## Filament / platform notes
- Livewire v4 compliance is unchanged
- no panel provider changes; `bootstrap/providers.php` remains the registration location
- no new globally searchable resources were introduced, so global search requirements are unchanged
- no new destructive Filament actions were added
- no new Filament assets were added; no `filament:assets` deployment change is required

## Testing coverage touched
- snapshot persistence and fingerprint isolation
- compare/drift protected-change evidence
- audit, verification, review-pack, ops-failure, and notification sanitization
- viewer/read-only Filament presentation updates

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #146
2026-03-07 16:43:01 +00:00

145 lines
5.0 KiB
PHP
Raw Blame History

<?php
use App\Filament\Resources\FindingResource;
use App\Models\Finding;
use App\Models\InventoryItem;
use App\Models\Policy;
use App\Models\PolicyVersion;
test('finding detail renders without Graph calls', function () {
bindFailHardGraphClient();
[$user, $tenant] = createUserWithTenant(role: 'manager');
$baseline = createInventorySyncOperationRun($tenant, [
'selection_hash' => hash('sha256', 'scope-detail'),
'status' => 'success',
'finished_at' => now()->subDays(2),
]);
$current = createInventorySyncOperationRun($tenant, [
'selection_hash' => $baseline->selection_hash,
'status' => 'success',
'finished_at' => now()->subDay(),
]);
$finding = Finding::factory()->for($tenant)->create([
'finding_type' => Finding::FINDING_TYPE_DRIFT,
'scope_key' => (string) $current->selection_hash,
'baseline_operation_run_id' => $baseline->getKey(),
'current_operation_run_id' => $current->getKey(),
'subject_type' => 'deviceConfiguration',
'subject_external_id' => 'policy-123',
'evidence_jsonb' => [
'change_type' => 'modified',
'summary' => ['changed_fields' => ['assignments_hash']],
],
]);
$inventoryItem = InventoryItem::factory()->for($tenant)->create([
'external_id' => $finding->subject_external_id,
'display_name' => 'My Policy 123',
]);
$this->actingAs($user)
->get(FindingResource::getUrl('view', ['record' => $finding], tenant: $tenant))
->assertOk()
->assertSee($finding->fingerprint)
->assertSee($inventoryItem->display_name);
});
test('finding detail explains protected changes without exposing hidden values', function () {
bindFailHardGraphClient();
[$user, $tenant] = createUserWithTenant(role: 'manager');
$policy = Policy::query()->create([
'tenant_id' => (int) $tenant->getKey(),
'external_id' => 'policy-redaction-note',
'policy_type' => 'settingsCatalogPolicy',
'display_name' => 'Policy redaction note',
'platform' => 'windows',
]);
$baseline = PolicyVersion::query()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'policy_id' => (int) $policy->getKey(),
'version_number' => 1,
'policy_type' => 'settingsCatalogPolicy',
'platform' => 'windows',
'created_by' => 'spec120@example.com',
'captured_at' => now()->subMinute(),
'snapshot' => [
'passwordMinimumLength' => 14,
],
'assignments' => [],
'scope_tags' => [],
'metadata' => ['source' => 'spec120_capture'],
'redaction_version' => 1,
'secret_fingerprints' => [
'snapshot' => [],
'assignments' => [],
'scope_tags' => [],
],
]);
$protectedCurrent = PolicyVersion::query()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'policy_id' => (int) $policy->getKey(),
'version_number' => 2,
'policy_type' => 'settingsCatalogPolicy',
'platform' => 'windows',
'created_by' => 'spec120@example.com',
'captured_at' => now(),
'snapshot' => [
'passwordMinimumLength' => 14,
'clientSecret' => '[REDACTED]',
],
'assignments' => [],
'scope_tags' => [],
'metadata' => ['source' => 'spec120_capture'],
'redaction_version' => 1,
'secret_fingerprints' => [
'snapshot' => ['/clientSecret' => 'abc123'],
'assignments' => [],
'scope_tags' => [],
],
]);
$finding = Finding::factory()->for($tenant)->create([
'finding_type' => Finding::FINDING_TYPE_DRIFT,
'subject_type' => 'deviceConfiguration',
'subject_external_id' => 'policy-redaction-note',
'evidence_jsonb' => [
'change_type' => 'modified',
'summary' => ['kind' => 'policy_snapshot'],
'baseline' => [
'policy_version_id' => (int) $baseline->getKey(),
'redaction_version' => 1,
'secret_fingerprints' => [
'snapshot' => [],
'assignments' => [],
'scope_tags' => [],
],
],
'current' => [
'policy_version_id' => (int) $protectedCurrent->getKey(),
'redaction_version' => 1,
'secret_fingerprints' => $protectedCurrent->secret_fingerprints,
],
],
]);
InventoryItem::factory()->for($tenant)->create([
'external_id' => $finding->subject_external_id,
'display_name' => 'Policy redaction note',
]);
$this->actingAs($user)
->get(FindingResource::getUrl('view', ['record' => $finding], tenant: $tenant))
->assertOk()
->assertSee('Protected values are intentionally hidden as [REDACTED]. Secret-only changes remain detectable without revealing the value.');
});
Reference in New Issue View Git Blame Copy Permalink