TenantAtlas/apps/platform/tests/Unit/Support/TenantConfiguration/Spec421EntraRedactionTest.php
ahmido 69d4ecbbd2 feat: complete spec 421 Entra comparable/renderable pack (#488)
Implements the bounded Spec 421 Entra comparable/renderable pack on the existing Coverage v2 operator surface.

- Adds typed Conditional Access normalization, comparison, and render summaries
- Keeps Security Defaults and other optional Entra types deferred until evidence-backed
- Preserves the existing Coverage v2 surface with claim-guard and redaction hardening
- Includes focused unit, feature, and browser coverage already recorded in the implementation report

Validation is documented in `specs/421-entra-core-comparable-renderable-pack/implementation-report.md`.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #488
2026-06-27 22:12:01 +00:00


<?php
declare(strict_types=1);
use App\Services\TenantConfiguration\EntraCoverageComparator;
use App\Services\TenantConfiguration\EntraRenderableSummaryBuilder;
it('Spec421 keeps secret-bearing values out of render and compare output', function (): void {
    // Sentinel secrets, keyed by the redacted_fields entry under which each one is planted.
    // Every value is unique so a leak in the output can be attributed to the exact field
    // that surfaced it.
    $sentinels = [
        'clientSecret' => 'spec421-client-secret',
        'privateKey' => 'spec421-private-key',
        'headers.Authorization' => 'spec421-token',
        'cookies' => 'spec421-cookie',
        'auditMetadata.raw_payload.secret' => 'spec421-audit-secret',
        'operationRunContext.access_token' => 'spec421-run-token',
    ];

    // Constructed Conditional Access policy: legitimate rendering fields plus the sentinels
    // nested at the depths a real payload would carry them (bearer header, cookie jar,
    // raw audit payload, run context).
    $policy = [
        'id' => 'cap-1',
        'displayName' => 'Require MFA',
        'state' => 'enabled',
        'conditions' => ['users' => ['includeUsers' => ['All']]],
        'grantControls' => ['builtInControls' => ['mfa']],
        'clientSecret' => $sentinels['clientSecret'],
        'privateKey' => $sentinels['privateKey'],
        'headers' => ['Authorization' => 'Bearer ' . $sentinels['headers.Authorization']],
        'cookies' => ['set-cookie' => $sentinels['cookies']],
        'auditMetadata' => ['raw_payload' => ['secret' => $sentinels['auditMetadata.raw_payload.secret']]],
        'operationRunContext' => ['access_token' => $sentinels['operationRunContext.access_token']],
    ];

    // Second snapshot for the comparator; only modifiedDateTime differs, so the secrets are
    // present on both sides of the comparison.
    $laterSnapshot = [...$policy, 'modifiedDateTime' => '2026-06-27T12:00:00Z'];

    $summary = app(EntraRenderableSummaryBuilder::class)
        ->build('conditionalAccessPolicy', $policy);
    $compare = app(EntraCoverageComparator::class)
        ->compare('conditionalAccessPolicy', $policy, $laterSnapshot);

    // Serialising both results lets a single substring check catch a sentinel that escaped
    // into any nested position of either structure.
    $serialised = json_encode([$summary, $compare], JSON_THROW_ON_ERROR);

    foreach ($sentinels as $value) {
        expect($serialised)->not->toContain($value);
    }

    // The builder must also report, by path, which fields it stripped.
    expect($summary['redacted_fields'])->toContain(...array_keys($sentinels));
});