<?php
declare(strict_types=1);
use App\Services\TenantConfiguration\EntraCoverageComparator;
use Tests\Support\TenantConfiguration\Spec425Fixtures as Spec425;
// Flipping Entra Security Defaults between disabled and enabled changes the tenant's
// baseline identity protection, so the comparator must report it as a material change
// of 'critical' importance rather than as a cosmetic difference.
it('Spec425 proves Security Defaults enabled state changes are critical material changes', function (): void {
    $comparator = app(EntraCoverageComparator::class);

    // Baseline has Security Defaults off; the candidate snapshot has it on.
    $disabledSnapshot = Spec425::fixture('security-defaults', 'enabled-false');
    $enabledSnapshot = Spec425::fixture('security-defaults', 'enabled-true');

    $comparison = $comparator->compare('securityDefaults', $disabledSnapshot, $enabledSnapshot);

    // Index the per-field change entries by field name so each one can be checked directly.
    $changesByField = collect($comparison['changes'])->keyBy('field');

    expect($comparison['changed'])->toBeTrue();
    expect($comparison['classification'])->toBe('changed');

    // Both the 'enabled' entry and the 'enabled_state' entry must carry critical importance.
    expect($changesByField['enabled']['importance'])->toBe('critical');
    expect($changesByField['enabled_state']['importance'])->toBe('critical');
});
// Guards against drift noise: comparing a snapshot with itself, or with one that differs
// only in volatile fields, must not be reported as a change. Which fields count as volatile
// is defined by the comparator and the 'volatile-only-change' fixture, not by this test.
it('Spec425 treats Security Defaults no-change and volatile-only changes as non-material', function (): void {
    // Case 1: the same fixture on both sides.
    $sameSnapshot = app(EntraCoverageComparator::class)->compare(
        'securityDefaults',
        Spec425::fixture('security-defaults', 'no-change'),
        Spec425::fixture('security-defaults', 'no-change'),
    );

    // Case 2: the candidate differs from the baseline only in volatile fields.
    $volatileOnly = app(EntraCoverageComparator::class)->compare(
        'securityDefaults',
        Spec425::fixture('security-defaults', 'no-change'),
        Spec425::fixture('security-defaults', 'volatile-only-change'),
    );

    expect($sameSnapshot['changed'])->toBeFalse();
    expect($sameSnapshot['classification'])->toBe('unchanged');

    // The volatile difference must still be listed (tagged 'ignored_volatile') so that it
    // stays visible for diagnosis while not flipping the overall 'changed' flag.
    expect($volatileOnly['changed'])->toBeFalse();
    expect(collect($volatileOnly['changes'])->pluck('classification'))->toContain('ignored_volatile');
});
// Leak guard for comparator output: redacted and unsupported fields may be reported as
// diagnostics, but none of the sentinel secret values may appear anywhere in the result.
it('Spec425 keeps Security Defaults redaction diagnostic and secret-free', function (): void {
    $comparison = app(EntraCoverageComparator::class)->compare(
        'securityDefaults',
        Spec425::fixture('security-defaults', 'no-change'),
        Spec425::fixture('security-defaults', 'redaction'),
    );

    // Redacted or unsupported content must not count as a material change on its own.
    expect($comparison['changed'])->toBeFalse();
    expect(collect($comparison['changes'])->pluck('classification'))->toContain('redacted', 'unsupported_field');

    // Serialise the whole result so the sentinel search covers every nested value that
    // json_encode emits, not just the fields this test knows about.
    $serialised = json_encode($comparison, JSON_THROW_ON_ERROR);

    // NOTE(review): these sentinels are presumably planted in the 'redaction' fixture; if
    // the fixture stops containing them, the negative checks below pass vacuously. Confirm
    // against the fixture. The sentinels are plain ASCII, so json_encode's default escaping
    // of slashes and non-ASCII characters cannot hide a match.
    $sentinels = [
        'spec425-security-defaults-secret',
        'spec425-security-defaults-token',
        'spec425-cookie',
        'spec425-private-key',
        'spec425-certificate',
    ];

    foreach ($sentinels as $sentinel) {
        expect($serialised)->not->toContain($sentinel);
    }
});