ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
69d4ecbbd2
TenantAtlas/apps/platform/app/Services/TenantConfiguration/CoveragePayloadRedactor.php
ahmido 69d4ecbbd2 feat: complete spec 421 Entra comparable/renderable pack (#488) 
Implements the bounded Spec 421 Entra comparable/renderable pack on the existing Coverage v2 operator surface.

- Adds typed Conditional Access normalization, comparison, and render summaries
- Keeps Security Defaults and other optional Entra types deferred until evidence-backed
- Preserves the existing Coverage v2 surface with claim-guard and redaction hardening
- Includes focused unit, feature, and browser coverage already recorded in the implementation report

Validation is documented in `specs/421-entra-core-comparable-renderable-pack/implementation-report.md`.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #488
2026-06-27 22:12:01 +00:00

66 lines
1.5 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Services\TenantConfiguration;
final class CoveragePayloadRedactor
{
/**
* @var list<string>
*/
private const SENSITIVE_KEY_PARTS = [
'access_token',
'authorization',
'assertion',
'bearer',
'certificate',
'client_secret',
'cookie',
'credential',
'id_token',
'password',
'private_key',
'refresh_token',
'secret',
'set-cookie',
'token',
];
public function redact(mixed $value): mixed
{
if (! is_array($value)) {
return $value;
}
if (array_is_list($value)) {
return array_map(fn (mixed $item): mixed => $this->redact($item), $value);
}
$redacted = [];
foreach ($value as $key => $nestedValue) {
$key = (string) $key;
$redacted[$key] = $this->isSensitiveKey($key) ? '[redacted]' : $this->redact($nestedValue);
}
return $redacted;
}
private function isSensitiveKey(string $key): bool
{
$normalized = strtolower($key);
$compact = str_replace(['_', '-', ' '], '', $normalized);
foreach (self::SENSITIVE_KEY_PARTS as $part) {
$compactPart = str_replace(['_', '-', ' '], '', $part);
if (str_contains($normalized, $part) || str_contains($compact, $compactPart)) {
return true;
}
}
return false;
}
}
Reference in New Issue View Git Blame Copy Permalink