feat(audit): harden API audit log redaction and schema
- Change query_json column from TEXT to JSON, ip/user_agent to CHAR(64) for PII redaction compliance - Update repository, service, and views for hardened schema - Add architecture contract test for security logging redaction - Add search resource provider test coverage - Include DB migration script for existing installs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -35,7 +35,7 @@ final class SecurityLoggingRedactionContractTest extends TestCase
|
||||
self::assertStringContainsString("|| str_ends_with(\$key, '_key');", $content);
|
||||
}
|
||||
|
||||
public function testApiAuditRedactionCoversCredentialsAndAuthorizationFields(): void
|
||||
public function testApiAuditRedactionCoversSensitiveKeysAndPersistsOnlyMetadataHashes(): void
|
||||
{
|
||||
$content = $this->readProjectFile('modules/audit/lib/Module/Audit/Service/ApiAuditService.php');
|
||||
|
||||
@@ -50,14 +50,25 @@ final class SecurityLoggingRedactionContractTest extends TestCase
|
||||
"'api_key'",
|
||||
"'client_secret'",
|
||||
"'key'",
|
||||
"'email'",
|
||||
"'to_email'",
|
||||
"'uuid'",
|
||||
] as $needle) {
|
||||
self::assertStringContainsString($needle, $content);
|
||||
}
|
||||
|
||||
self::assertStringContainsString("'query_json' => \$this->buildQueryMetadataJson(", $content);
|
||||
self::assertStringContainsString("['keys' => \$keys]", $content);
|
||||
self::assertStringContainsString('private const ALLOWED_QUERY_KEYS = [', $content);
|
||||
self::assertStringContainsString("RequestContext::hashValue(\$ip)", $content);
|
||||
self::assertStringContainsString("RequestContext::hashValue(\$userAgent)", $content);
|
||||
self::assertStringNotContainsString('normalizeValue(', $content);
|
||||
self::assertStringContainsString("return str_contains(\$key, 'token')", $content);
|
||||
self::assertStringContainsString("|| str_contains(\$key, 'secret')", $content);
|
||||
self::assertStringContainsString("|| str_contains(\$key, 'password')", $content);
|
||||
self::assertStringContainsString("|| str_contains(\$key, 'authorization')", $content);
|
||||
self::assertStringContainsString("|| str_contains(\$key, 'email')", $content);
|
||||
self::assertStringContainsString("|| str_contains(\$key, 'uuid')", $content);
|
||||
self::assertStringContainsString("|| str_ends_with(\$key, '_key');", $content);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user