Files
breadcrumb-the-shire/tests/Architecture/SecurityCryptoContractTest.php
fs f403a6704f feat(tests): automate 5 remaining guards as contract tests
Extract findPatternMatchesIn*Files() to ProjectFileAssertionSupport
trait for reuse. Add contract tests for:
- GR-SEC-005: Encryption centralized in Crypto.php
- GR-SEC-006: File storage in storage/, not web/
- GR-SEC-002: No PII in error_log() calls
- GR-CORE-012: POST-Redirect-GET pattern enforcement
- GR-UI-015: i18n key completeness de ↔ en

Brings automated guard coverage from 24 to 29 test files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 21:20:08 +01:00

55 lines
1.6 KiB
PHP

<?php
namespace MintyPHP\Tests\Architecture;
use PHPUnit\Framework\TestCase;
/**
* GR-SEC-005: All encryption/decryption MUST use lib/Support/Crypto.php.
* No raw openssl_encrypt/decrypt calls outside that single file.
*/
class SecurityCryptoContractTest extends TestCase
{
use ProjectFileAssertionSupport;
private const CRYPTO_FILE = 'lib/Support/Crypto.php';
public function testNoRawOpensslEncryptOutsideCrypto(): void
{
$violations = array_merge(
$this->findPatternMatchesInPhpFiles('lib', '/\bopenssl_encrypt\s*\(/'),
$this->findPatternMatchesInPhpFiles('pages', '/\bopenssl_encrypt\s*\(/')
);
$violations = array_values(array_filter(
$violations,
static fn (string $path): bool => $path !== self::CRYPTO_FILE
));
$this->assertSame(
[],
$violations,
"Raw openssl_encrypt() found outside Crypto.php (GR-SEC-005):\n" . implode("\n", $violations)
);
}
public function testNoRawOpensslDecryptOutsideCrypto(): void
{
$violations = array_merge(
$this->findPatternMatchesInPhpFiles('lib', '/\bopenssl_decrypt\s*\(/'),
$this->findPatternMatchesInPhpFiles('pages', '/\bopenssl_decrypt\s*\(/')
);
$violations = array_values(array_filter(
$violations,
static fn (string $path): bool => $path !== self::CRYPTO_FILE
));
$this->assertSame(
[],
$violations,
"Raw openssl_decrypt() found outside Crypto.php (GR-SEC-005):\n" . implode("\n", $violations)
);
}
}