TenantAtlas/apps/platform/tests/Unit/Support/TenantConfiguration/SecurityDefaultsCertifiedCompareTest.php
ahmido 33e496c182 feat: complete spec 425 enta certified compare pack (#492)
Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #492
2026-07-01 23:27:16 +00:00


<?php
declare(strict_types=1);
use App\Services\TenantConfiguration\EntraCoverageComparator;
use Tests\Support\TenantConfiguration\Spec425Fixtures as Spec425;
// Spec 425: comparing the 'enabled-false' fixture against the 'enabled-true'
// fixture must be reported as a real change, and both the 'enabled' and the
// 'enabled_state' change entries must carry 'critical' importance. A toggle of
// Security Defaults should therefore never be classified as low-priority drift.
it('Spec425 proves Security Defaults enabled state changes are critical material changes', function (): void {
    $comparator = app(EntraCoverageComparator::class);
    $enabledFalse = Spec425::fixture('security-defaults', 'enabled-false');
    $enabledTrue = Spec425::fixture('security-defaults', 'enabled-true');

    $outcome = $comparator->compare('securityDefaults', $enabledFalse, $enabledTrue);

    // Index the change entries by field name so each can be asserted directly.
    $changesByField = collect($outcome['changes'])->keyBy('field');

    expect($outcome['changed'])->toBeTrue();
    expect($outcome['classification'])->toBe('changed');
    expect($changesByField['enabled']['importance'])->toBe('critical');
    expect($changesByField['enabled_state']['importance'])->toBe('critical');
});
// Spec 425: two cases must both come back as "not changed":
//   1. the 'no-change' fixture compared with itself, and
//   2. the 'no-change' fixture compared with the 'volatile-only-change' fixture,
//      where the differences are still listed but classified 'ignored_volatile'.
// NOTE(review): whatever is classified as volatile is suppressed from drift
// results, so the comparator's volatile field list should stay narrow. This
// test only pins the classification; it does not show which fields are volatile.
it('Spec425 treats Security Defaults no-change and volatile-only changes as non-material', function (): void {
    $identical = app(EntraCoverageComparator::class)->compare(
        'securityDefaults',
        Spec425::fixture('security-defaults', 'no-change'),
        Spec425::fixture('security-defaults', 'no-change'),
    );

    $volatileOnly = app(EntraCoverageComparator::class)->compare(
        'securityDefaults',
        Spec425::fixture('security-defaults', 'no-change'),
        Spec425::fixture('security-defaults', 'volatile-only-change'),
    );

    expect($identical['changed'])->toBeFalse();
    expect($identical['classification'])->toBe('unchanged');
    expect($volatileOnly['changed'])->toBeFalse();

    // The volatile differences must remain visible as diagnostics.
    $volatileClassifications = collect($volatileOnly['changes'])->pluck('classification');
    expect($volatileClassifications)->toContain('ignored_volatile');
});
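// Spec 425: comparing the 'no-change' fixture with the 'redaction' fixture must
//   - not count as a material change,
//   - surface the affected entries as 'redacted' and 'unsupported_field', and
//   - never leak any of the sentinel secret values into the serialized result.
//
// The result is serialized with JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
// so the substring search runs against the raw values. With default flags,
// json_encode() rewrites '/' as '\/' and non-ASCII characters as \uXXXX, which
// would let a sentinel containing such characters slip past a negative
// assertion unnoticed.
//
// NOTE(review): a "does not contain" check is only as strong as its input.
// Confirm that the 'redaction' fixture really carries these sentinel values;
// otherwise the assertions below pass vacuously.
it('Spec425 keeps Security Defaults redaction diagnostic and secret-free', function (): void {
    $result = app(EntraCoverageComparator::class)->compare(
        'securityDefaults',
        Spec425::fixture('security-defaults', 'no-change'),
        Spec425::fixture('security-defaults', 'redaction'),
    );

    expect($result['changed'])->toBeFalse()
        ->and(collect($result['changes'])->pluck('classification'))->toContain('redacted', 'unsupported_field');

    $serialized = json_encode(
        $result,
        JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE,
    );

    // Sentinel values that must never appear anywhere in the comparator output.
    $sentinels = [
        'spec425-security-defaults-secret',
        'spec425-security-defaults-token',
        'spec425-cookie',
        'spec425-private-key',
        'spec425-certificate',
    ];

    foreach ($sentinels as $sentinel) {
        expect($serialized)->not->toContain($sentinel);
    }
});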