ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

fix: harden Graph endpoint resolution

Browse Source
This commit is contained in:
Ahmed Darrazi 2026-01-03 20:52:27 +01:00
parent f23cf8a83f
commit 5595bb52b6
5 changed files with 173 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
app/Services/Graph/MicrosoftGraphClient.php
View File

@ -781,8 +781,17 @@ private function endpointFor(string $policyType): string
return $contractResource; return $contractResource;
} }
$supported = config('tenantpilot.supported_policy_types', []); $builtinEndpoint = $this->builtinEndpointFor($policyType);
foreach ($supported as $type) { if ($builtinEndpoint !== null) {
return $builtinEndpoint;
}
$types = array_merge(
config('tenantpilot.supported_policy_types', []),
config('tenantpilot.foundation_types', []),
);
foreach ($types as $type) {
if (($type['type'] ?? null) === $policyType && ! empty($type['endpoint'])) { if (($type['type'] ?? null) === $policyType && ! empty($type['endpoint'])) {
return $type['endpoint']; return $type['endpoint'];
} }
@ -791,6 +800,16 @@ private function endpointFor(string $policyType): string
return 'deviceManagement/'.$policyType; return 'deviceManagement/'.$policyType;
} }
private function builtinEndpointFor(string $policyType): ?string
{
return match ($policyType) {
'settingsCatalogPolicy',
'endpointSecurityPolicy',
'securityBaselinePolicy' => 'deviceManagement/configurationPolicies',
default => null,
};
}
private function getAccessToken(array $context): string private function getAccessToken(array $context): string
{ {
$tenant = $context['tenant'] ?? $this->tenantId; $tenant = $context['tenant'] ?? $this->tenantId;

6
app/Services/Intune/RestoreService.php
View File

@ -676,6 +676,8 @@ public function execute(
'graph_error_code' => $response->meta['error_code'] ?? null, 'graph_error_code' => $response->meta['error_code'] ?? null,
'graph_request_id' => $response->meta['request_id'] ?? null, 'graph_request_id' => $response->meta['request_id'] ?? null,
'graph_client_request_id' => $response->meta['client_request_id'] ?? null, 'graph_client_request_id' => $response->meta['client_request_id'] ?? null,
'graph_method' => $response->meta['method'] ?? null,
'graph_path' => $response->meta['path'] ?? null,
]; ];
$hardFailures++; $hardFailures++;
@ -982,6 +984,10 @@ private function isNotFoundResponse(object $response): bool
$code = strtolower((string) ($response->meta['error_code'] ?? '')); $code = strtolower((string) ($response->meta['error_code'] ?? ''));
$message = strtolower((string) ($response->meta['error_message'] ?? '')); $message = strtolower((string) ($response->meta['error_message'] ?? ''));
if ($message !== '' && str_contains($message, 'resource not found for the segment')) {
return false;
}
if ($code !== '' && (str_contains($code, 'notfound') || str_contains($code, 'resource'))) { if ($code !== '' && (str_contains($code, 'notfound') || str_contains($code, 'resource'))) {
return true; return true;
} }

8
resources/views/filament/infolists/entries/restore-results.blade.php
View File

@ -268,10 +268,16 @@
@if (! empty($item['graph_error_code'])) @if (! empty($item['graph_error_code']))
<div class="mt-1 text-[11px] text-amber-800">Code: {{ $item['graph_error_code'] }}</div> <div class="mt-1 text-[11px] text-amber-800">Code: {{ $item['graph_error_code'] }}</div>
@endif @endif
@if (! empty($item['graph_request_id']) || ! empty($item['graph_client_request_id'])) @if (! empty($item['graph_request_id']) || ! empty($item['graph_client_request_id']) || ! empty($item['graph_method']) || ! empty($item['graph_path']))
<details class="mt-1"> <details class="mt-1">
<summary class="cursor-pointer text-[11px] font-semibold text-amber-800">Details</summary> <summary class="cursor-pointer text-[11px] font-semibold text-amber-800">Details</summary>
<div class="mt-1 space-y-0.5 text-[11px] text-amber-800"> <div class="mt-1 space-y-0.5 text-[11px] text-amber-800">
@if (! empty($item['graph_method']))
<div>method: {{ $item['graph_method'] }}</div>
@endif
@if (! empty($item['graph_path']))
<div>path: {{ $item['graph_path'] }}</div>
@endif
@if (! empty($item['graph_request_id'])) @if (! empty($item['graph_request_id']))
<div>request-id: {{ $item['graph_request_id'] }}</div> <div>request-id: {{ $item['graph_request_id'] }}</div>
@endif @endif

102
tests/Feature/RestoreGraphErrorMetadataTest.php Normal file
View File

@ -0,0 +1,102 @@
<?php
use App\Models\BackupItem;
use App\Models\BackupSet;
use App\Models\Tenant;
use App\Services\Graph\GraphClientInterface;
use App\Services\Graph\GraphResponse;
use App\Services\Intune\RestoreService;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
class RestoreGraphErrorMetadataGraphClient implements GraphClientInterface
{
/** @var array<int, array{policyType:string,policyId:string,payload:array,options:array<string,mixed>}> */
public array $applyPolicyCalls = [];
public function listPolicies(string $policyType, array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
{
return new GraphResponse(true, ['payload' => []]);
}
public function getOrganization(array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
{
$this->applyPolicyCalls[] = [
'policyType' => $policyType,
'policyId' => $policyId,
'payload' => $payload,
'options' => $options,
];
return new GraphResponse(false, ['error' => ['message' => 'Bad request']], 400, [], [], [
'error_code' => 'BadRequest',
'error_message' => "Resource not found for the segment 'endpointSecurityPolicy'.",
'request_id' => 'req-1',
'client_request_id' => 'client-1',
'method' => 'PATCH',
'path' => 'deviceManagement/endpointSecurityPolicy/esp-1',
]);
}
public function getServicePrincipalPermissions(array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
public function request(string $method, string $path, array $options = []): GraphResponse
{
return new GraphResponse(true, []);
}
}
test('restore results include graph path and method on Graph failures', function () {
$client = new RestoreGraphErrorMetadataGraphClient;
app()->instance(GraphClientInterface::class, $client);
$tenant = Tenant::factory()->create();
$backupSet = BackupSet::factory()->for($tenant)->create([
'status' => 'completed',
'item_count' => 1,
]);
$backupItem = BackupItem::factory()->for($tenant)->for($backupSet)->create([
'policy_id' => null,
'policy_identifier' => 'esp-1',
'policy_type' => 'endpointSecurityPolicy',
'platform' => 'windows',
'payload' => [
'id' => 'esp-1',
'@odata.type' => '#microsoft.graph.deviceManagementConfigurationPolicy',
'name' => 'Endpoint Security Policy',
'settings' => [],
],
'assignments' => null,
]);
$service = app(RestoreService::class);
$run = $service->execute(
tenant: $tenant,
backupSet: $backupSet,
selectedItemIds: [$backupItem->id],
dryRun: false,
);
expect($client->applyPolicyCalls)->toHaveCount(1);
expect($run->status)->toBe('failed');
$result = $run->results[0] ?? null;
expect($result)->toBeArray();
expect($result['graph_method'] ?? null)->toBe('PATCH');
expect($result['graph_path'] ?? null)->toBe('deviceManagement/endpointSecurityPolicy/esp-1');
});

37
tests/Unit/GraphClientEndpointResolutionTest.php
View File

@ -61,3 +61,40 @@
return str_contains($request->url(), '/beta/deviceAppManagement/targetedManagedAppConfigurations/A_1'); return str_contains($request->url(), '/beta/deviceAppManagement/targetedManagedAppConfigurations/A_1');
}); });
}); });
it('uses built-in endpoint mapping for endpoint security policies when config is missing', function () {
config()->set('graph_contracts.types.endpointSecurityPolicy', []);
config()->set('tenantpilot.foundation_types', []);
Http::fake([
'https://login.microsoftonline.com/*' => Http::response([
'access_token' => 'fake-token',
'expires_in' => 3600,
], 200),
'https://graph.microsoft.com/*' => Http::response(['id' => 'E_1'], 200),
]);
$client = new MicrosoftGraphClient(
logger: app(GraphLogger::class),
contracts: app(GraphContractRegistry::class),
);
$client->applyPolicy(
policyType: 'endpointSecurityPolicy',
policyId: 'E_1',
payload: ['name' => 'Test'],
options: ['tenant' => 'tenant', 'client_id' => 'client', 'client_secret' => 'secret'],
);
Http::assertSent(function (Request $request) {
if (! str_contains($request->url(), 'graph.microsoft.com')) {
return false;
}
if (! str_contains($request->url(), '/beta/deviceManagement/configurationPolicies/E_1')) {
return false;
}
return ! str_contains($request->url(), '/beta/deviceManagement/endpointSecurityPolicy/E_1');
});
});