feat(tests): automate 5 remaining guards as contract tests
Extract findPatternMatchesIn*Files() to ProjectFileAssertionSupport trait for reuse. Add contract tests for: - GR-SEC-005: Encryption centralized in Crypto.php - GR-SEC-006: File storage in storage/, not web/ - GR-SEC-002: No PII in error_log() calls - GR-CORE-012: POST-Redirect-GET pattern enforcement - GR-UI-015: i18n key completeness de ↔ en Brings automated guard coverage from 24 to 29 test files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -3,8 +3,6 @@
|
||||
namespace MintyPHP\Tests\Architecture;
|
||||
|
||||
use PHPUnit\Framework\TestCase;
|
||||
use RecursiveDirectoryIterator;
|
||||
use RecursiveIteratorIterator;
|
||||
|
||||
class CoreStarterkitContractTest extends TestCase
|
||||
{
|
||||
@@ -140,45 +138,4 @@ class CoreStarterkitContractTest extends TestCase
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
private function findPatternMatchesInPhpFiles(string $relativeDirectory, string $pattern): array
|
||||
{
|
||||
return $this->findPatternMatchesInFiles($relativeDirectory, $pattern, ['php']);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param list<string> $extensions
|
||||
* @return list<string>
|
||||
*/
|
||||
private function findPatternMatchesInFiles(string $relativeDirectory, string $pattern, array $extensions): array
|
||||
{
|
||||
$root = $this->projectRootPath();
|
||||
$basePath = $root . '/' . $relativeDirectory;
|
||||
$this->assertDirectoryExists($basePath, 'Directory not found: ' . $relativeDirectory);
|
||||
|
||||
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($basePath));
|
||||
$violations = [];
|
||||
|
||||
/** @var \SplFileInfo $file */
|
||||
foreach ($iterator as $file) {
|
||||
if (!$file->isFile() || !in_array($file->getExtension(), $extensions, true)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$content = file_get_contents($file->getPathname());
|
||||
$this->assertNotFalse($content, 'Could not read file: ' . $file->getPathname());
|
||||
|
||||
if (!preg_match($pattern, $content)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$relativePath = str_replace($root . '/', '', $file->getPathname());
|
||||
$violations[] = $relativePath;
|
||||
}
|
||||
|
||||
sort($violations);
|
||||
return $violations;
|
||||
}
|
||||
}
|
||||
|
||||
85
tests/Architecture/FileStorageContractTest.php
Normal file
85
tests/Architecture/FileStorageContractTest.php
Normal file
@@ -0,0 +1,85 @@
|
||||
<?php
|
||||
|
||||
namespace MintyPHP\Tests\Architecture;
|
||||
|
||||
use PHPUnit\Framework\TestCase;
|
||||
use RecursiveDirectoryIterator;
|
||||
use RecursiveIteratorIterator;
|
||||
|
||||
/**
|
||||
* GR-SEC-006: User-uploaded files MUST go to storage/, never web/.
|
||||
* Exception: Favicon services write derived images to web/favicon/ because
|
||||
* favicons must be publicly accessible by browsers.
|
||||
*/
|
||||
class FileStorageContractTest extends TestCase
|
||||
{
|
||||
use ProjectFileAssertionSupport;
|
||||
|
||||
/** Services that legitimately write to web/ for favicon delivery. */
|
||||
private const WEB_WRITE_EXEMPT_FILES = [
|
||||
'lib/Service/Branding/BrandingFaviconService.php',
|
||||
'lib/Service/Tenant/TenantFaviconService.php',
|
||||
];
|
||||
|
||||
public function testNoServiceWritesFilesToWebDirectory(): void
|
||||
{
|
||||
$root = $this->projectRootPath();
|
||||
$serviceDir = $root . '/lib/Service';
|
||||
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($serviceDir));
|
||||
|
||||
$violations = [];
|
||||
|
||||
/** @var \SplFileInfo $file */
|
||||
foreach ($iterator as $file) {
|
||||
if (!$file->isFile() || $file->getExtension() !== 'php') {
|
||||
continue;
|
||||
}
|
||||
|
||||
$relativePath = str_replace($root . '/', '', $file->getPathname());
|
||||
|
||||
if (in_array($relativePath, self::WEB_WRITE_EXEMPT_FILES, true)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$content = (string) file_get_contents($file->getPathname());
|
||||
|
||||
$hasFileWrite = preg_match('/\bmove_uploaded_file\s*\(/', $content)
|
||||
|| preg_match('/\bfile_put_contents\s*\(/', $content);
|
||||
|
||||
if (!$hasFileWrite) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$hasWebPath = preg_match('/[\'"]web\//', $content)
|
||||
|| preg_match('/\/web\/[a-z]/', $content);
|
||||
|
||||
if ($hasWebPath) {
|
||||
$violations[] = $relativePath;
|
||||
}
|
||||
}
|
||||
|
||||
sort($violations);
|
||||
|
||||
$this->assertSame(
|
||||
[],
|
||||
$violations,
|
||||
"Service files writing to web/ directory (GR-SEC-006):\n" . implode("\n", $violations)
|
||||
);
|
||||
}
|
||||
|
||||
public function testNoPagesWriteFilesToFilesystem(): void
|
||||
{
|
||||
$violations = array_merge(
|
||||
$this->findPatternMatchesInPhpFiles('pages', '/\bmove_uploaded_file\s*\(/'),
|
||||
$this->findPatternMatchesInPhpFiles('pages', '/\bfile_put_contents\s*\(/')
|
||||
);
|
||||
$violations = array_values(array_unique($violations));
|
||||
sort($violations);
|
||||
|
||||
$this->assertSame(
|
||||
[],
|
||||
$violations,
|
||||
"Pages must not write files directly — delegate to Service layer (GR-SEC-006):\n" . implode("\n", $violations)
|
||||
);
|
||||
}
|
||||
}
|
||||
86
tests/Architecture/I18nKeyCompletenessContractTest.php
Normal file
86
tests/Architecture/I18nKeyCompletenessContractTest.php
Normal file
@@ -0,0 +1,86 @@
|
||||
<?php
|
||||
|
||||
namespace MintyPHP\Tests\Architecture;
|
||||
|
||||
use PHPUnit\Framework\TestCase;
|
||||
|
||||
/**
|
||||
* GR-UI-015: Every key in i18n/default_de.json MUST exist in
|
||||
* i18n/default_en.json and vice versa.
|
||||
*/
|
||||
class I18nKeyCompletenessContractTest extends TestCase
|
||||
{
|
||||
use ProjectFileAssertionSupport;
|
||||
|
||||
public function testTranslationFilesAreValidJson(): void
|
||||
{
|
||||
$deContent = $this->readProjectFile('i18n/default_de.json');
|
||||
$enContent = $this->readProjectFile('i18n/default_en.json');
|
||||
|
||||
$this->assertIsArray(json_decode($deContent, true), 'i18n/default_de.json is not valid JSON');
|
||||
$this->assertIsArray(json_decode($enContent, true), 'i18n/default_en.json is not valid JSON');
|
||||
}
|
||||
|
||||
public function testAllGermanKeysExistInEnglish(): void
|
||||
{
|
||||
$de = $this->loadTranslationKeys('i18n/default_de.json');
|
||||
$en = $this->loadTranslationKeys('i18n/default_en.json');
|
||||
|
||||
$missingInEn = array_values(array_diff($de, $en));
|
||||
|
||||
$this->assertSame(
|
||||
[],
|
||||
$missingInEn,
|
||||
"Keys in default_de.json missing from default_en.json (GR-UI-015):\n"
|
||||
. implode("\n", $missingInEn)
|
||||
);
|
||||
}
|
||||
|
||||
public function testAllEnglishKeysExistInGerman(): void
|
||||
{
|
||||
$de = $this->loadTranslationKeys('i18n/default_de.json');
|
||||
$en = $this->loadTranslationKeys('i18n/default_en.json');
|
||||
|
||||
$missingInDe = array_values(array_diff($en, $de));
|
||||
|
||||
$this->assertSame(
|
||||
[],
|
||||
$missingInDe,
|
||||
"Keys in default_en.json missing from default_de.json (GR-UI-015):\n"
|
||||
. implode("\n", $missingInDe)
|
||||
);
|
||||
}
|
||||
|
||||
public function testTranslationValuesAreNonEmpty(): void
|
||||
{
|
||||
$deContent = $this->readProjectFile('i18n/default_de.json');
|
||||
$enContent = $this->readProjectFile('i18n/default_en.json');
|
||||
|
||||
$de = json_decode($deContent, true);
|
||||
$en = json_decode($enContent, true);
|
||||
|
||||
$this->assertIsArray($de);
|
||||
$this->assertIsArray($en);
|
||||
|
||||
$emptyDe = array_keys(array_filter($de, static fn ($v): bool => trim((string) $v) === ''));
|
||||
$emptyEn = array_keys(array_filter($en, static fn ($v): bool => trim((string) $v) === ''));
|
||||
|
||||
$this->assertSame([], $emptyDe, "Empty values in default_de.json:\n" . implode("\n", $emptyDe));
|
||||
$this->assertSame([], $emptyEn, "Empty values in default_en.json:\n" . implode("\n", $emptyEn));
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
private function loadTranslationKeys(string $path): array
|
||||
{
|
||||
$content = $this->readProjectFile($path);
|
||||
$data = json_decode($content, true);
|
||||
$this->assertIsArray($data, $path . ' is not valid JSON');
|
||||
|
||||
$keys = array_keys($data);
|
||||
sort($keys, SORT_STRING);
|
||||
|
||||
return $keys;
|
||||
}
|
||||
}
|
||||
83
tests/Architecture/PostRedirectGetContractTest.php
Normal file
83
tests/Architecture/PostRedirectGetContractTest.php
Normal file
@@ -0,0 +1,83 @@
|
||||
<?php
|
||||
|
||||
namespace MintyPHP\Tests\Architecture;
|
||||
|
||||
use PHPUnit\Framework\TestCase;
|
||||
use RecursiveDirectoryIterator;
|
||||
use RecursiveIteratorIterator;
|
||||
|
||||
/**
|
||||
* GR-CORE-012: POST handlers that mutate state MUST redirect (PRG pattern)
|
||||
* or return JSON. API/data endpoints and multi-step wizards are exempt.
|
||||
*/
|
||||
class PostRedirectGetContractTest extends TestCase
|
||||
{
|
||||
use ProjectFileAssertionSupport;
|
||||
|
||||
/** Patterns for endpoints exempt from PRG (JSON, data, wizards). */
|
||||
private const PRG_EXEMPT_PATTERNS = [
|
||||
'#/api/v1/#',
|
||||
'#/data\(\)\.php$#',
|
||||
'#/ingest\(\)\.php$#',
|
||||
'#/imports/index\(\)\.php$#', // multi-step import wizard renders stages inline
|
||||
];
|
||||
|
||||
public function testAllPostHandlersUseRedirectAfterMutation(): void
|
||||
{
|
||||
$pagesDir = $this->projectRootPath() . '/pages';
|
||||
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($pagesDir));
|
||||
|
||||
$missing = [];
|
||||
|
||||
/** @var \SplFileInfo $file */
|
||||
foreach ($iterator as $file) {
|
||||
if (!$file->isFile() || $file->getExtension() !== 'php') {
|
||||
continue;
|
||||
}
|
||||
|
||||
$relativePath = 'pages/' . ltrim(str_replace($pagesDir, '', $file->getPathname()), '/');
|
||||
|
||||
if ($this->isPrgExempt($relativePath)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$content = (string) file_get_contents($file->getPathname());
|
||||
|
||||
if (!$this->handlesPostData($content)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
// Router::redirect (PRG) or Router::json (AJAX) are both valid responses.
|
||||
if (!str_contains($content, 'Router::redirect') && !str_contains($content, 'Router::json')) {
|
||||
$missing[] = $relativePath;
|
||||
}
|
||||
}
|
||||
|
||||
sort($missing);
|
||||
|
||||
$this->assertSame(
|
||||
[],
|
||||
$missing,
|
||||
"POST handlers missing Router::redirect() — PRG pattern required (GR-CORE-012):\n" . implode("\n", $missing)
|
||||
);
|
||||
}
|
||||
|
||||
private function isPrgExempt(string $path): bool
|
||||
{
|
||||
foreach (self::PRG_EXEMPT_PATTERNS as $pattern) {
|
||||
if (preg_match($pattern, $path)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
private function handlesPostData(string $content): bool
|
||||
{
|
||||
return str_contains($content, "isMethod('POST')")
|
||||
|| str_contains($content, 'hasBody(')
|
||||
|| str_contains($content, 'bodyAll()')
|
||||
|| preg_match('/->body\(/', $content) === 1;
|
||||
}
|
||||
}
|
||||
@@ -23,4 +23,46 @@ trait ProjectFileAssertionSupport
|
||||
|
||||
return $content;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
private function findPatternMatchesInPhpFiles(string $relativeDirectory, string $pattern): array
|
||||
{
|
||||
return $this->findPatternMatchesInFiles($relativeDirectory, $pattern, ['php']);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param list<string> $extensions
|
||||
* @return list<string>
|
||||
*/
|
||||
private function findPatternMatchesInFiles(string $relativeDirectory, string $pattern, array $extensions): array
|
||||
{
|
||||
$root = $this->projectRootPath();
|
||||
$basePath = $root . '/' . $relativeDirectory;
|
||||
$this->assertDirectoryExists($basePath, 'Directory not found: ' . $relativeDirectory);
|
||||
|
||||
$iterator = new \RecursiveIteratorIterator(new \RecursiveDirectoryIterator($basePath));
|
||||
$violations = [];
|
||||
|
||||
/** @var \SplFileInfo $file */
|
||||
foreach ($iterator as $file) {
|
||||
if (!$file->isFile() || !in_array($file->getExtension(), $extensions, true)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$content = file_get_contents($file->getPathname());
|
||||
$this->assertNotFalse($content, 'Could not read file: ' . $file->getPathname());
|
||||
|
||||
if (!preg_match($pattern, $content)) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$relativePath = str_replace($root . '/', '', $file->getPathname());
|
||||
$violations[] = $relativePath;
|
||||
}
|
||||
|
||||
sort($violations);
|
||||
return $violations;
|
||||
}
|
||||
}
|
||||
|
||||
54
tests/Architecture/SecurityCryptoContractTest.php
Normal file
54
tests/Architecture/SecurityCryptoContractTest.php
Normal file
@@ -0,0 +1,54 @@
|
||||
<?php
|
||||
|
||||
namespace MintyPHP\Tests\Architecture;
|
||||
|
||||
use PHPUnit\Framework\TestCase;
|
||||
|
||||
/**
|
||||
* GR-SEC-005: All encryption/decryption MUST use lib/Support/Crypto.php.
|
||||
* No raw openssl_encrypt/decrypt calls outside that single file.
|
||||
*/
|
||||
class SecurityCryptoContractTest extends TestCase
|
||||
{
|
||||
use ProjectFileAssertionSupport;
|
||||
|
||||
private const CRYPTO_FILE = 'lib/Support/Crypto.php';
|
||||
|
||||
public function testNoRawOpensslEncryptOutsideCrypto(): void
|
||||
{
|
||||
$violations = array_merge(
|
||||
$this->findPatternMatchesInPhpFiles('lib', '/\bopenssl_encrypt\s*\(/'),
|
||||
$this->findPatternMatchesInPhpFiles('pages', '/\bopenssl_encrypt\s*\(/')
|
||||
);
|
||||
|
||||
$violations = array_values(array_filter(
|
||||
$violations,
|
||||
static fn (string $path): bool => $path !== self::CRYPTO_FILE
|
||||
));
|
||||
|
||||
$this->assertSame(
|
||||
[],
|
||||
$violations,
|
||||
"Raw openssl_encrypt() found outside Crypto.php (GR-SEC-005):\n" . implode("\n", $violations)
|
||||
);
|
||||
}
|
||||
|
||||
public function testNoRawOpensslDecryptOutsideCrypto(): void
|
||||
{
|
||||
$violations = array_merge(
|
||||
$this->findPatternMatchesInPhpFiles('lib', '/\bopenssl_decrypt\s*\(/'),
|
||||
$this->findPatternMatchesInPhpFiles('pages', '/\bopenssl_decrypt\s*\(/')
|
||||
);
|
||||
|
||||
$violations = array_values(array_filter(
|
||||
$violations,
|
||||
static fn (string $path): bool => $path !== self::CRYPTO_FILE
|
||||
));
|
||||
|
||||
$this->assertSame(
|
||||
[],
|
||||
$violations,
|
||||
"Raw openssl_decrypt() found outside Crypto.php (GR-SEC-005):\n" . implode("\n", $violations)
|
||||
);
|
||||
}
|
||||
}
|
||||
91
tests/Architecture/SecurityLoggingContractTest.php
Normal file
91
tests/Architecture/SecurityLoggingContractTest.php
Normal file
@@ -0,0 +1,91 @@
|
||||
<?php
|
||||
|
||||
namespace MintyPHP\Tests\Architecture;
|
||||
|
||||
use PHPUnit\Framework\TestCase;
|
||||
use RecursiveDirectoryIterator;
|
||||
use RecursiveIteratorIterator;
|
||||
|
||||
/**
|
||||
* GR-SEC-002: No PII or secrets in error_log() calls.
|
||||
* Scans for error_log() calls that interpolate variables likely containing
|
||||
* personal data or credentials.
|
||||
*/
|
||||
class SecurityLoggingContractTest extends TestCase
|
||||
{
|
||||
use ProjectFileAssertionSupport;
|
||||
|
||||
/** Variable names that strongly suggest PII or secret content. */
|
||||
private const PII_VARIABLE_PATTERNS = [
|
||||
'/\$email\b/',
|
||||
'/\$password\b/',
|
||||
'/\$passwort\b/',
|
||||
'/\$token\b/',
|
||||
'/\$secret\b/',
|
||||
'/\$apiKey\b/',
|
||||
'/\$cryptoKey\b/',
|
||||
'/\$creditCard\b/',
|
||||
'/\$sessionId\b/',
|
||||
'/\$firstName\b/',
|
||||
'/\$lastName\b/',
|
||||
'/\$phone\b/',
|
||||
'/\$ssn\b/',
|
||||
];
|
||||
|
||||
public function testNoErrorLogCallsContainPiiVariables(): void
|
||||
{
|
||||
$root = $this->projectRootPath();
|
||||
$violations = [];
|
||||
|
||||
foreach (['lib', 'pages'] as $dir) {
|
||||
$basePath = $root . '/' . $dir;
|
||||
$iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($basePath));
|
||||
|
||||
/** @var \SplFileInfo $file */
|
||||
foreach ($iterator as $file) {
|
||||
if (!$file->isFile() || $file->getExtension() !== 'php') {
|
||||
continue;
|
||||
}
|
||||
|
||||
$content = (string) file_get_contents($file->getPathname());
|
||||
$relativePath = str_replace($root . '/', '', $file->getPathname());
|
||||
|
||||
if (preg_match_all('/^.*\berror_log\s*\(.*$/m', $content, $matches)) {
|
||||
foreach ($matches[0] as $line) {
|
||||
foreach (self::PII_VARIABLE_PATTERNS as $piiPattern) {
|
||||
if (preg_match($piiPattern, $line)) {
|
||||
$violations[] = $relativePath . ': ' . trim($line);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sort($violations);
|
||||
|
||||
$this->assertSame(
|
||||
[],
|
||||
$violations,
|
||||
"error_log() calls with potential PII variables (GR-SEC-002):\n" . implode("\n", $violations)
|
||||
);
|
||||
}
|
||||
|
||||
public function testErrorLogUsageIsMinimal(): void
|
||||
{
|
||||
$violations = array_merge(
|
||||
$this->findPatternMatchesInPhpFiles('lib', '/\berror_log\s*\(/'),
|
||||
$this->findPatternMatchesInPhpFiles('pages', '/\berror_log\s*\(/')
|
||||
);
|
||||
$violations = array_values(array_unique($violations));
|
||||
sort($violations);
|
||||
|
||||
$this->assertLessThanOrEqual(
|
||||
3,
|
||||
count($violations),
|
||||
"error_log() usage growing — consider structured logging (GR-SEC-002). Found in:\n"
|
||||
. implode("\n", $violations)
|
||||
);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user