Split security logging contracts
This commit is contained in:
@@ -41,7 +41,9 @@
|
|||||||
<file>tests/Architecture/PublicPageAdminContractTest.php</file>
|
<file>tests/Architecture/PublicPageAdminContractTest.php</file>
|
||||||
<file>tests/Architecture/PublicPageRoutingContractTest.php</file>
|
<file>tests/Architecture/PublicPageRoutingContractTest.php</file>
|
||||||
<file>tests/Architecture/SecurityCryptoContractTest.php</file>
|
<file>tests/Architecture/SecurityCryptoContractTest.php</file>
|
||||||
<file>tests/Architecture/SecurityLoggingContractTest.php</file>
|
<file>tests/Architecture/SecurityLoggingRedactionContractTest.php</file>
|
||||||
|
<file>tests/Architecture/SecurityLoggingRuntimeContractTest.php</file>
|
||||||
|
<file>tests/Architecture/SecurityLoggingTelemetryContractTest.php</file>
|
||||||
</testsuite>
|
</testsuite>
|
||||||
<testsuite name="ArchitectureUI">
|
<testsuite name="ArchitectureUI">
|
||||||
<file>tests/Architecture/AsideNavigationContractTest.php</file>
|
<file>tests/Architecture/AsideNavigationContractTest.php</file>
|
||||||
|
|||||||
@@ -1,91 +0,0 @@
|
|||||||
<?php
|
|
||||||
|
|
||||||
namespace MintyPHP\Tests\Architecture;
|
|
||||||
|
|
||||||
use PHPUnit\Framework\TestCase;
|
|
||||||
use RecursiveDirectoryIterator;
|
|
||||||
use RecursiveIteratorIterator;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* GR-SEC-002: No PII or secrets in error_log() calls.
|
|
||||||
* Scans for error_log() calls that interpolate variables likely containing
|
|
||||||
* personal data or credentials.
|
|
||||||
*/
|
|
||||||
class SecurityLoggingContractTest extends TestCase
|
|
||||||
{
|
|
||||||
use ProjectFileAssertionSupport;
|
|
||||||
|
|
||||||
/** Variable names that strongly suggest PII or secret content. */
|
|
||||||
private const PII_VARIABLE_PATTERNS = [
|
|
||||||
'/\$email\b/',
|
|
||||||
'/\$password\b/',
|
|
||||||
'/\$passwort\b/',
|
|
||||||
'/\$token\b/',
|
|
||||||
'/\$secret\b/',
|
|
||||||
'/\$apiKey\b/',
|
|
||||||
'/\$cryptoKey\b/',
|
|
||||||
'/\$creditCard\b/',
|
|
||||||
'/\$sessionId\b/',
|
|
||||||
'/\$firstName\b/',
|
|
||||||
'/\$lastName\b/',
|
|
||||||
'/\$phone\b/',
|
|
||||||
'/\$ssn\b/',
|
|
||||||
];
|
|
||||||
|
|
||||||
public function testNoErrorLogCallsContainPiiVariables(): void
|
|
||||||
{
|
|
||||||
$root = $this->projectRootPath();
|
|
||||||
$violations = [];
|
|
||||||
|
|
||||||
foreach (['lib', 'pages'] as $dir) {
|
|
||||||
$basePath = $root . '/' . $dir;
|
|
||||||
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($basePath));
|
|
||||||
|
|
||||||
/** @var \SplFileInfo $file */
|
|
||||||
foreach ($iterator as $file) {
|
|
||||||
if (!$file->isFile() || $file->getExtension() !== 'php') {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
$content = (string) file_get_contents($file->getPathname());
|
|
||||||
$relativePath = str_replace($root . '/', '', $file->getPathname());
|
|
||||||
|
|
||||||
if (preg_match_all('/^.*\berror_log\s*\(.*$/m', $content, $matches)) {
|
|
||||||
foreach ($matches[0] as $line) {
|
|
||||||
foreach (self::PII_VARIABLE_PATTERNS as $piiPattern) {
|
|
||||||
if (preg_match($piiPattern, $line)) {
|
|
||||||
$violations[] = $relativePath . ': ' . trim($line);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
sort($violations);
|
|
||||||
|
|
||||||
$this->assertSame(
|
|
||||||
[],
|
|
||||||
$violations,
|
|
||||||
"error_log() calls with potential PII variables (GR-SEC-002):\n" . implode("\n", $violations)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
public function testErrorLogUsageIsMinimal(): void
|
|
||||||
{
|
|
||||||
$violations = array_merge(
|
|
||||||
$this->findPatternMatchesInPhpFiles('lib', '/\berror_log\s*\(/'),
|
|
||||||
$this->findPatternMatchesInPhpFiles('pages', '/\berror_log\s*\(/')
|
|
||||||
);
|
|
||||||
$violations = array_values(array_unique($violations));
|
|
||||||
sort($violations);
|
|
||||||
|
|
||||||
$this->assertLessThanOrEqual(
|
|
||||||
3,
|
|
||||||
count($violations),
|
|
||||||
"error_log() usage growing — consider structured logging (GR-SEC-002). Found in:\n"
|
|
||||||
. implode("\n", $violations)
|
|
||||||
);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
63
tests/Architecture/SecurityLoggingRedactionContractTest.php
Normal file
63
tests/Architecture/SecurityLoggingRedactionContractTest.php
Normal file
@@ -0,0 +1,63 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace MintyPHP\Tests\Architecture;
|
||||||
|
|
||||||
|
use PHPUnit\Framework\TestCase;
|
||||||
|
|
||||||
|
final class SecurityLoggingRedactionContractTest extends TestCase
|
||||||
|
{
|
||||||
|
use ProjectFileAssertionSupport;
|
||||||
|
|
||||||
|
public function testSystemAuditRedactionCoversCredentialsTokensAndEmailFields(): void
|
||||||
|
{
|
||||||
|
$content = $this->readProjectFile('lib/Service/Audit/SystemAuditRedactionService.php');
|
||||||
|
|
||||||
|
foreach ([
|
||||||
|
"'password'",
|
||||||
|
"'access_token'",
|
||||||
|
"'refresh_token'",
|
||||||
|
"'id_token'",
|
||||||
|
"'authorization'",
|
||||||
|
"'api_key'",
|
||||||
|
"'client_secret'",
|
||||||
|
"'smtp_password'",
|
||||||
|
"'microsoft_shared_client_secret'",
|
||||||
|
"'email'",
|
||||||
|
"'to_email'",
|
||||||
|
] as $needle) {
|
||||||
|
self::assertStringContainsString($needle, $content);
|
||||||
|
}
|
||||||
|
|
||||||
|
self::assertStringContainsString("return str_contains(\$key, 'password')", $content);
|
||||||
|
self::assertStringContainsString("|| str_contains(\$key, 'secret')", $content);
|
||||||
|
self::assertStringContainsString("|| str_contains(\$key, 'token')", $content);
|
||||||
|
self::assertStringContainsString("|| str_contains(\$key, 'authorization')", $content);
|
||||||
|
self::assertStringContainsString("|| str_ends_with(\$key, '_key');", $content);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function testApiAuditRedactionCoversCredentialsAndAuthorizationFields(): void
|
||||||
|
{
|
||||||
|
$content = $this->readProjectFile('lib/Service/Audit/ApiAuditService.php');
|
||||||
|
|
||||||
|
foreach ([
|
||||||
|
"'token'",
|
||||||
|
"'access_token'",
|
||||||
|
"'refresh_token'",
|
||||||
|
"'id_token'",
|
||||||
|
"'secret'",
|
||||||
|
"'password'",
|
||||||
|
"'authorization'",
|
||||||
|
"'api_key'",
|
||||||
|
"'client_secret'",
|
||||||
|
"'key'",
|
||||||
|
] as $needle) {
|
||||||
|
self::assertStringContainsString($needle, $content);
|
||||||
|
}
|
||||||
|
|
||||||
|
self::assertStringContainsString("return str_contains(\$key, 'token')", $content);
|
||||||
|
self::assertStringContainsString("|| str_contains(\$key, 'secret')", $content);
|
||||||
|
self::assertStringContainsString("|| str_contains(\$key, 'password')", $content);
|
||||||
|
self::assertStringContainsString("|| str_contains(\$key, 'authorization')", $content);
|
||||||
|
self::assertStringContainsString("|| str_ends_with(\$key, '_key');", $content);
|
||||||
|
}
|
||||||
|
}
|
||||||
39
tests/Architecture/SecurityLoggingRuntimeContractTest.php
Normal file
39
tests/Architecture/SecurityLoggingRuntimeContractTest.php
Normal file
@@ -0,0 +1,39 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace MintyPHP\Tests\Architecture;
|
||||||
|
|
||||||
|
use PHPUnit\Framework\TestCase;
|
||||||
|
|
||||||
|
final class SecurityLoggingRuntimeContractTest extends TestCase
|
||||||
|
{
|
||||||
|
use ProjectFileAssertionSupport;
|
||||||
|
|
||||||
|
public function testFrontendTelemetryIngestUsesOnlyRequestScopedErrorLogFallback(): void
|
||||||
|
{
|
||||||
|
$violations = array_merge(
|
||||||
|
$this->findPatternMatchesInPhpFiles('lib', '/\berror_log\s*\(/'),
|
||||||
|
$this->findPatternMatchesInPhpFiles('pages', '/\berror_log\s*\(/')
|
||||||
|
);
|
||||||
|
sort($violations);
|
||||||
|
|
||||||
|
self::assertSame(
|
||||||
|
['pages/admin/frontend-telemetry/ingest().php'],
|
||||||
|
$violations,
|
||||||
|
"Unexpected error_log() usage outside the telemetry ingest fallback:\n" . implode("\n", $violations)
|
||||||
|
);
|
||||||
|
|
||||||
|
$content = $this->readProjectFile('pages/admin/frontend-telemetry/ingest().php');
|
||||||
|
self::assertStringContainsString(
|
||||||
|
"error_log('[frontend-telemetry] ingest record_failed request_id=' . RequestContext::id());",
|
||||||
|
$content
|
||||||
|
);
|
||||||
|
|
||||||
|
preg_match('/^.*\berror_log\s*\(.*$/m', $content, $matches);
|
||||||
|
$errorLogLine = $matches[0] ?? '';
|
||||||
|
|
||||||
|
self::assertNotSame('', $errorLogLine, 'Expected a dedicated telemetry error_log() fallback line.');
|
||||||
|
self::assertStringNotContainsString('$payload', $errorLogLine);
|
||||||
|
self::assertStringNotContainsString('$record', $errorLogLine);
|
||||||
|
self::assertStringNotContainsString('$events', $errorLogLine);
|
||||||
|
}
|
||||||
|
}
|
||||||
21
tests/Architecture/SecurityLoggingTelemetryContractTest.php
Normal file
21
tests/Architecture/SecurityLoggingTelemetryContractTest.php
Normal file
@@ -0,0 +1,21 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace MintyPHP\Tests\Architecture;
|
||||||
|
|
||||||
|
use PHPUnit\Framework\TestCase;
|
||||||
|
|
||||||
|
final class SecurityLoggingTelemetryContractTest extends TestCase
|
||||||
|
{
|
||||||
|
use ProjectFileAssertionSupport;
|
||||||
|
|
||||||
|
public function testFrontendTelemetrySanitizesSecretsAndPiiMarkers(): void
|
||||||
|
{
|
||||||
|
$content = $this->readProjectFile('lib/Service/Audit/FrontendTelemetryIngestService.php');
|
||||||
|
|
||||||
|
self::assertStringContainsString('[REDACTED]', $content);
|
||||||
|
self::assertStringContainsString('[REDACTED_EMAIL]', $content);
|
||||||
|
self::assertStringContainsString('[UUID]', $content);
|
||||||
|
self::assertStringContainsString('[TOKEN]', $content);
|
||||||
|
self::assertStringContainsString('(token|access_token|refresh_token|id_token|authorization|api_key|secret)', $content);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -33,6 +33,6 @@ ohne dass jede Aenderung immer die komplette Suite im Kopf behalten muss.
|
|||||||
## Naechste Refactor-Kandidaten
|
## Naechste Refactor-Kandidaten
|
||||||
|
|
||||||
- `tests/Architecture/ContainerFactoryContractTest.php`
|
- `tests/Architecture/ContainerFactoryContractTest.php`
|
||||||
- `tests/Architecture/SecurityLoggingContractTest.php`
|
|
||||||
- `tests/Architecture/StatusTaxonomyContractTest.php`
|
- `tests/Architecture/StatusTaxonomyContractTest.php`
|
||||||
- `tests/Architecture/AuthLoginAccessibilityContractTest.php`
|
- `tests/Architecture/AuthLoginAccessibilityContractTest.php`
|
||||||
|
- `tests/Architecture/SecurityCryptoContractTest.php`
|
||||||
|
|||||||
Reference in New Issue
Block a user