TenantAtlas/apps/platform/tests/Unit/Support/TenantConfiguration/ConditionalAccessCertifiedCompareTest.php
ahmido 33e496c182 feat: complete spec 425 enta certified compare pack (#492)
Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #492
2026-07-01 23:27:16 +00:00


<?php
declare(strict_types=1);
use App\Services\TenantConfiguration\EntraCoverageComparator;
use Tests\Support\TenantConfiguration\Spec425Fixtures as Spec425;
// Data-driven check: every dataset row names a fixture variant, the field that variant is
// expected to surface in the comparator's change list, and the importance that field must carry.
// Each variant is compared against the 'no-change' fixture of the same family.
it('Spec425 proves Conditional Access material certified compare dimensions', function (string $fixture, string $field, string $importance): void {
    $comparator = app(EntraCoverageComparator::class);

    $result = $comparator->compare(
        'conditionalAccessPolicy',
        Spec425::fixture('conditional-access', 'no-change'),
        Spec425::fixture('conditional-access', $fixture),
    );

    // Pick the change entry reported for the field under test (null when none was reported).
    $change = collect($result['changes'])->firstWhere('field', $field);

    // The overall verdict must flag the policy as changed.
    expect($result['changed'])->toBeTrue();
    expect($result['classification'])->toBe('changed');

    // The null check runs before the entry is indexed, so a missing entry fails here.
    expect($change)->not->toBeNull();
    expect($change['importance'])->toBe($importance);
})->with([
    // dataset label     => [fixture variant, expected field, expected importance]
    'state' => [
        'state-change',
        'state',
        'critical',
    ],
    'grant controls' => [
        'grant-controls-change',
        'grant_controls.built_in_controls',
        'important',
    ],
    'included actors' => [
        'included-actor-change',
        'targets.users.include_groups',
        'important',
    ],
    'excluded actors' => [
        'excluded-actor-change',
        'targets.users.exclude_groups',
        'important',
    ],
    'app targeting' => [
        'app-targeting-change',
        'targets.applications.exclude_applications',
        'important',
    ],
    'conditions' => [
        'condition-change',
        'conditions.sign_in_risk_levels',
        'important',
    ],
    'device conditions' => [
        'device-condition-change',
        'conditions.devices.device_filter.rule',
        'important',
    ],
    'session controls' => [
        'session-control-change',
        'session_controls.persistentBrowser',
        'important',
    ],
]);
// A fixture that differs from the baseline only in volatile fields must not count as drift:
// the overall verdict stays 'unchanged' while the change list still records what was ignored.
it('Spec425 treats Conditional Access volatile-only differences as non-material', function (): void {
    $comparator = app(EntraCoverageComparator::class);

    $result = $comparator->compare(
        'conditionalAccessPolicy',
        Spec425::fixture('conditional-access', 'no-change'),
        Spec425::fixture('conditional-access', 'volatile-only-change'),
    );

    expect($result['changed'])->toBeFalse();
    expect($result['classification'])->toBe('unchanged');

    // At least one entry must be tagged as an ignored volatile difference, which shows the
    // comparator reported the difference rather than dropping it from the change list.
    expect(collect($result['changes'])->pluck('classification'))->toContain('ignored_volatile');
});
// Two guarantees are pinned here:
//   1. an unsupported field is reported as a diagnostic entry without flipping 'changed';
//   2. the comparator output for the 'redaction' fixture carries no sentinel secret literal.
it('Spec425 keeps Conditional Access unsupported and redacted fields diagnostic and secret-free', function (): void {
    $unsupported = app(EntraCoverageComparator::class)->compare(
        'conditionalAccessPolicy',
        Spec425::fixture('conditional-access', 'no-change'),
        Spec425::fixture('conditional-access', 'unsupported-field'),
    );

    $redacted = app(EntraCoverageComparator::class)->compare(
        'conditionalAccessPolicy',
        Spec425::fixture('conditional-access', 'no-change'),
        Spec425::fixture('conditional-access', 'redaction'),
    );

    // Unsupported field: it shows up under its own classification and field path, but is non-material.
    expect(collect($unsupported['changes'])->pluck('classification'))->toContain('unsupported_field');
    expect(collect($unsupported['changes'])->pluck('field'))->toContain('conditions.devices.deviceFilter.previewRuleId');
    expect($unsupported['changed'])->toBeFalse();

    // Redaction fixture: both diagnostic classifications must be present in the change list.
    expect(collect($redacted['changes'])->pluck('classification'))->toContain('redacted', 'unsupported_field');

    // Leak check over the whole serialized result, so a secret nested anywhere in the returned
    // structure is caught. It is a literal substring match: json_encode() with these flags escapes
    // '/' and non-ASCII characters, so the sentinels need to stay plain ASCII to remain detectable.
    // NOTE(review): presumably both sentinels are planted in the 'redaction' fixture; confirm, since
    // the check is vacuous otherwise. It covers the returned array only, not logs or exceptions.
    $serialized = json_encode($redacted, JSON_THROW_ON_ERROR);
    expect($serialized)->not->toContain('spec425-ca-secret');
    expect($serialized)->not->toContain('spec425-ca-token');
});