1
0
Files
breadcrumb-the-shire/tests/Architecture/SecurityLoggingRedactionContractTest.php
fs c6c5d06936 feat(audit): harden API audit log redaction and schema
- Change query_json column from TEXT to JSON, ip/user_agent to CHAR(64)
  for PII redaction compliance
- Update repository, service, and views for hardened schema
- Add architecture contract test for security logging redaction
- Add search resource provider test coverage
- Include DB migration script for existing installs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 23:20:55 +02:00

75 lines
3.1 KiB
PHP

<?php
namespace MintyPHP\Tests\Architecture;
use PHPUnit\Framework\TestCase;
final class SecurityLoggingRedactionContractTest extends TestCase
{
use ProjectFileAssertionSupport;
public function testSystemAuditRedactionCoversCredentialsTokensAndEmailFields(): void
{
$content = $this->readProjectFile('modules/audit/lib/Module/Audit/Service/SystemAuditRedactionService.php');
foreach ([
"'password'",
"'access_token'",
"'refresh_token'",
"'id_token'",
"'authorization'",
"'api_key'",
"'client_secret'",
"'smtp_password'",
"'microsoft_shared_client_secret'",
"'email'",
"'to_email'",
] as $needle) {
self::assertStringContainsString($needle, $content);
}
self::assertStringContainsString("return str_contains(\$key, 'password')", $content);
self::assertStringContainsString("|| str_contains(\$key, 'secret')", $content);
self::assertStringContainsString("|| str_contains(\$key, 'token')", $content);
self::assertStringContainsString("|| str_contains(\$key, 'authorization')", $content);
self::assertStringContainsString("|| str_ends_with(\$key, '_key');", $content);
}
public function testApiAuditRedactionCoversSensitiveKeysAndPersistsOnlyMetadataHashes(): void
{
$content = $this->readProjectFile('modules/audit/lib/Module/Audit/Service/ApiAuditService.php');
foreach ([
"'token'",
"'access_token'",
"'refresh_token'",
"'id_token'",
"'secret'",
"'password'",
"'authorization'",
"'api_key'",
"'client_secret'",
"'key'",
"'email'",
"'to_email'",
"'uuid'",
] as $needle) {
self::assertStringContainsString($needle, $content);
}
self::assertStringContainsString("'query_json' => \$this->buildQueryMetadataJson(", $content);
self::assertStringContainsString("['keys' => \$keys]", $content);
self::assertStringContainsString('private const ALLOWED_QUERY_KEYS = [', $content);
self::assertStringContainsString("RequestContext::hashValue(\$ip)", $content);
self::assertStringContainsString("RequestContext::hashValue(\$userAgent)", $content);
self::assertStringNotContainsString('normalizeValue(', $content);
self::assertStringContainsString("return str_contains(\$key, 'token')", $content);
self::assertStringContainsString("|| str_contains(\$key, 'secret')", $content);
self::assertStringContainsString("|| str_contains(\$key, 'password')", $content);
self::assertStringContainsString("|| str_contains(\$key, 'authorization')", $content);
self::assertStringContainsString("|| str_contains(\$key, 'email')", $content);
self::assertStringContainsString("|| str_contains(\$key, 'uuid')", $content);
self::assertStringContainsString("|| str_ends_with(\$key, '_key');", $content);
}
}