feat(audit): harden API audit log redaction and schema

- Change query_json column from TEXT to JSON, ip/user_agent to CHAR(64)
  for PII redaction compliance
- Update repository, service, and views for hardened schema
- Add architecture contract test for security logging redaction
- Add search resource provider test coverage
- Include DB migration script for existing installs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-05 23:20:55 +02:00
parent c2a7d6b789
commit c6c5d06936
14 changed files with 255 additions and 77 deletions

View File

@@ -42,6 +42,16 @@ class AuditSearchResourceProviderTest extends TestCase
$this->assertSame('audit.system.view', $resources['system-audit']['permission']);
}
public function testApiAuditSearchSqlIncludesUserAgentHashField(): void
{
$resources = $this->provider->resources();
$apiAudit = $resources['api-audit'];
$this->assertStringContainsString('user_agent like ?', $apiAudit['count_sql']);
$this->assertStringContainsString('user_agent like ?', $apiAudit['preview_sql']);
$this->assertStringContainsString('user_agent like ?', $apiAudit['result_sql']);
}
public function testMapApiAuditItem(): void
{
$row = [

View File

@@ -2,6 +2,7 @@
namespace MintyPHP\Tests\Module\Audit\Service;
use MintyPHP\Http\ApiAuth;
use MintyPHP\Http\RequestContext;
use MintyPHP\Http\RequestRuntime;
use MintyPHP\Module\Audit\Repository\ApiAuditLogRepository;
@@ -18,6 +19,7 @@ class ApiAuditServiceTest extends TestCase
$this->serverBackup = $_SERVER;
$this->getBackup = $_GET;
RequestContext::resetForTests();
ApiAuth::authenticate();
}
protected function tearDown(): void
@@ -25,6 +27,7 @@ class ApiAuditServiceTest extends TestCase
$_SERVER = $this->serverBackup;
$_GET = $this->getBackup;
RequestContext::resetForTests();
ApiAuth::authenticate();
}
public function testCurrentRequestIdIsNullBeforeStart(): void
@@ -73,4 +76,67 @@ class ApiAuditServiceTest extends TestCase
$this->assertNull($service->currentRequestId());
}
public function testFinishStoresOnlyAllowlistedQueryKeysAndHashedNetworkMetadata(): void
{
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['REQUEST_URI'] = '/api/v1/users?active=1&email=user@example.com&token=secret&search=max';
$_SERVER['REMOTE_ADDR'] = '203.0.113.10';
$_SERVER['HTTP_USER_AGENT'] = 'TestAgent/1.0';
$_GET = [
'active' => '1',
'email' => 'user@example.com',
'token' => 'secret',
'search' => 'max',
];
$captured = null;
$repository = $this->createMock(ApiAuditLogRepository::class);
$repository->expects($this->once())
->method('create')
->willReturnCallback(static function (array $payload) use (&$captured): int {
$captured = $payload;
return 1;
});
$service = new ApiAuditService($repository, new RequestRuntime());
$service->startRequestContext();
$service->finish(204);
$this->assertIsArray($captured);
$decodedQuery = json_decode((string) ($captured['query_json'] ?? ''), true);
$this->assertSame(['keys' => ['active', 'search']], $decodedQuery);
$this->assertSame(RequestContext::hashValue('203.0.113.10'), $captured['ip']);
$this->assertSame(RequestContext::hashValue('TestAgent/1.0'), $captured['user_agent']);
$this->assertNotSame('203.0.113.10', $captured['ip']);
$this->assertNotSame('TestAgent/1.0', $captured['user_agent']);
}
public function testFinishSkipsQueryMetadataWhenNoAllowlistedKeyExists(): void
{
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['REQUEST_URI'] = '/api/v1/users?email=user@example.com&token=secret';
$_SERVER['REMOTE_ADDR'] = '203.0.113.20';
$_SERVER['HTTP_USER_AGENT'] = 'NoAllowlistAgent/1.0';
$_GET = [
'email' => 'user@example.com',
'token' => 'secret',
];
$captured = null;
$repository = $this->createMock(ApiAuditLogRepository::class);
$repository->expects($this->once())
->method('create')
->willReturnCallback(static function (array $payload) use (&$captured): int {
$captured = $payload;
return 1;
});
$service = new ApiAuditService($repository, new RequestRuntime());
$service->startRequestContext();
$service->finish(200);
$this->assertIsArray($captured);
$this->assertNull($captured['query_json'] ?? null);
}
}