ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects 1 Releases Wiki Activity

feat: spec 105 — Entra Admin Roles scan, reports, findings, widget + summary UX improvement

Browse Source 
- Entra admin roles scan job (ScanEntraAdminRolesJob)
- Report service with fingerprint deduplication
- Finding generator with high-privilege role catalog
- Admin roles summary widget on tenant view page
- Alert integration for entra.admin_roles findings
- Graph contracts for roleDefinitions + roleAssignments
- Entra permissions registry (config/entra_permissions.php)
- StoredReport fingerprint migration
- OperationCatalog label + duration for entra.admin_roles.scan
- SummaryCountsNormalizer: filter zeros, humanize keys globally
- 11 new test files (71+ tests, 286+ assertions)
- Spec + tasks + checklist updates
This commit is contained in:
Ahmed Darrazi 2026-02-22 03:35:46 +01:00
parent d25290d95e
commit 6b381e9517
46 changed files with 3641 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
app/Filament/Resources/AlertRuleResource.php
View File

@ -380,6 +380,7 @@ public static function eventTypeOptions(): array
AlertRule::EVENT_COMPARE_FAILED => 'Compare failed',
AlertRule::EVENT_SLA_DUE => 'SLA due',
AlertRule::EVENT_PERMISSION_MISSING => 'Permission missing',
AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH => 'Entra admin roles (high privilege)',
];
}

2
app/Filament/Resources/TenantResource/Pages/ViewTenant.php
View File

@ -4,6 +4,7 @@
use App\Filament\Resources\ProviderConnectionResource;
use App\Filament\Resources\TenantResource;
use App\Filament\Widgets\Tenant\AdminRolesSummaryWidget;
use App\Filament\Widgets\Tenant\RecentOperationsSummary;
use App\Filament\Widgets\Tenant\TenantArchivedBanner;
use App\Filament\Widgets\Tenant\TenantVerificationReport;
@ -33,6 +34,7 @@ protected function getHeaderWidgets(): array
TenantArchivedBanner::class,
RecentOperationsSummary::class,
TenantVerificationReport::class,
AdminRolesSummaryWidget::class,
];
}

134
app/Filament/Widgets/Tenant/AdminRolesSummaryWidget.php Normal file
View File

@ -0,0 +1,134 @@
<?php
declare(strict_types=1);
namespace App\Filament\Widgets\Tenant;
use App\Jobs\ScanEntraAdminRolesJob;
use App\Models\StoredReport;
use App\Models\Tenant;
use App\Models\User;
use App\Support\Auth\Capabilities;
use Filament\Facades\Filament;
use Filament\Notifications\Notification;
use Filament\Widgets\Widget;
class AdminRolesSummaryWidget extends Widget
{
protected static bool $isLazy = false;
protected string $view = 'filament.widgets.tenant.admin-roles-summary';
public ?Tenant $record = null;
private function resolveTenant(): ?Tenant
{
$tenant = Filament::getTenant();
if ($tenant instanceof Tenant) {
return $tenant;
}
return $this->record instanceof Tenant ? $this->record : null;
}
public function scanNow(): void
{
$user = auth()->user();
if (! $user instanceof User) {
abort(403);
}
$tenant = $this->resolveTenant();
if (! $tenant instanceof Tenant) {
abort(404);
}
if (! $user->canAccessTenant($tenant)) {
abort(404);
}
if (! $user->can(Capabilities::ENTRA_ROLES_MANAGE, $tenant)) {
abort(403);
}
ScanEntraAdminRolesJob::dispatch(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
initiatorUserId: (int) $user->getKey(),
);
Notification::make()
->title('Entra admin roles scan queued')
->body('The scan will run in the background. Results appear once complete.')
->success()
->send();
}
/**
* @return array<string, mixed>
*/
protected function getViewData(): array
{
$tenant = $this->resolveTenant();
if (! $tenant instanceof Tenant) {
return $this->emptyState();
}
$user = auth()->user();
$isTenantMember = $user instanceof User && $user->canAccessTenant($tenant);
$canView = $isTenantMember && $user->can(Capabilities::ENTRA_ROLES_VIEW, $tenant);
$canManage = $isTenantMember && $user->can(Capabilities::ENTRA_ROLES_MANAGE, $tenant);
$report = StoredReport::query()
->where('tenant_id', (int) $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->orderByDesc('created_at')
->first();
if (! $report instanceof StoredReport) {
return [
'tenant' => $tenant,
'reportSummary' => null,
'lastScanAt' => null,
'highPrivilegeCount' => 0,
'canManage' => $canManage,
'canView' => $canView,
'viewReportUrl' => null,
];
}
$payload = is_array($report->payload) ? $report->payload : [];
$totals = is_array($payload['totals'] ?? null) ? $payload['totals'] : [];
$highPrivilegeCount = (int) ($totals['high_privilege_assignments'] ?? 0);
return [
'tenant' => $tenant,
'reportSummary' => $totals,
'lastScanAt' => $report->created_at?->diffForHumans() ?? '—',
'highPrivilegeCount' => $highPrivilegeCount,
'canManage' => $canManage,
'canView' => $canView,
'viewReportUrl' => null,
];
}
/**
* @return array<string, mixed>
*/
private function emptyState(): array
{
return [
'tenant' => null,
'reportSummary' => null,
'lastScanAt' => null,
'highPrivilegeCount' => 0,
'canManage' => false,
'canView' => false,
'viewReportUrl' => null,
];
}
}

43
app/Jobs/Alerts/EvaluateAlertsJob.php
View File

@ -60,6 +60,7 @@ public function handle(AlertDispatchService $dispatchService, OperationRunServic
...$this->highDriftEvents((int) $workspace->getKey(), $windowStart),
...$this->compareFailedEvents((int) $workspace->getKey(), $windowStart),
...$this->permissionMissingEvents((int) $workspace->getKey(), $windowStart),
...$this->entraAdminRolesHighEvents((int) $workspace->getKey(), $windowStart),
];
$createdDeliveries = 0;
@ -293,4 +294,46 @@ private function permissionMissingEvents(int $workspaceId, CarbonImmutable $wind
return $events;
}
/**
* @return array<int, array<string, mixed>>
*/
private function entraAdminRolesHighEvents(int $workspaceId, CarbonImmutable $windowStart): array
{
$findings = Finding::query()
->where('workspace_id', $workspaceId)
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->whereIn('severity', [Finding::SEVERITY_HIGH, Finding::SEVERITY_CRITICAL])
->where('status', Finding::STATUS_NEW)
->where('updated_at', '>', $windowStart)
->orderBy('id')
->get();
$events = [];
foreach ($findings as $finding) {
$evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
$events[] = [
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
'tenant_id' => (int) $finding->tenant_id,
'severity' => (string) $finding->severity,
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
'title' => 'High-privilege Entra admin role detected',
'body' => sprintf(
'Role "%s" assigned to %s (severity: %s).',
(string) ($evidence['role_display_name'] ?? 'unknown'),
(string) ($evidence['principal_display_name'] ?? $finding->subject_external_id ?? 'unknown'),
(string) $finding->severity,
),
'metadata' => [
'finding_id' => (int) $finding->getKey(),
'role_display_name' => (string) ($evidence['role_display_name'] ?? ''),
'principal_display_name' => (string) ($evidence['principal_display_name'] ?? ''),
],
];
}
return $events;
}
}

115
app/Jobs/ScanEntraAdminRolesJob.php Normal file
View File

@ -0,0 +1,115 @@
<?php
declare(strict_types=1);
namespace App\Jobs;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\User;
use App\Services\EntraAdminRoles\EntraAdminRolesFindingGenerator;
use App\Services\EntraAdminRoles\EntraAdminRolesReportService;
use App\Services\OperationRunService;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\OpsUx\RunFailureSanitizer;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Throwable;
class ScanEntraAdminRolesJob implements ShouldQueue
{
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
public function __construct(
public readonly int $tenantId,
public readonly int $workspaceId,
public readonly ?int $initiatorUserId = null,
) {}
public function handle(
EntraAdminRolesReportService $reportService,
EntraAdminRolesFindingGenerator $findingGenerator,
OperationRunService $operationRuns,
): void {
$tenant = Tenant::query()->find($this->tenantId);
if (! $tenant instanceof Tenant) {
return;
}
// FR-018: Skip tenants without active provider connection
$hasConnection = ProviderConnection::query()
->where('tenant_id', $tenant->getKey())
->where('status', 'connected')
->exists();
if (! $hasConnection) {
return;
}
$initiator = $this->initiatorUserId !== null
? User::query()->find($this->initiatorUserId)
: null;
$operationRun = $operationRuns->ensureRunWithIdentity(
tenant: $tenant,
type: 'entra.admin_roles.scan',
identityInputs: [
'tenant_id' => $this->tenantId,
'trigger' => 'scan',
],
context: [
'workspace_id' => $this->workspaceId,
'initiator_user_id' => $this->initiatorUserId,
],
initiator: $initiator instanceof User ? $initiator : null,
);
$operationRuns->updateRun(
$operationRun,
status: OperationRunStatus::Running->value,
outcome: OperationRunOutcome::Pending->value,
);
try {
$reportResult = $reportService->generate($tenant, $operationRun);
$findingResult = $findingGenerator->generate($tenant, $reportResult->payload, $operationRun);
$operationRuns->updateRun(
$operationRun,
status: OperationRunStatus::Completed->value,
outcome: OperationRunOutcome::Succeeded->value,
summaryCounts: [
'report_created' => $reportResult->created ? 1 : 0,
'report_deduped' => $reportResult->created ? 0 : 1,
'findings_created' => $findingResult->created,
'findings_resolved' => $findingResult->resolved,
'findings_reopened' => $findingResult->reopened,
'findings_unchanged' => $findingResult->unchanged,
'alert_events_produced' => $findingResult->alertEventsProduced,
],
);
} catch (Throwable $e) {
$message = RunFailureSanitizer::sanitizeMessage($e->getMessage());
$reasonCode = RunFailureSanitizer::normalizeReasonCode($e->getMessage());
$operationRuns->updateRun(
$operationRun,
status: OperationRunStatus::Completed->value,
outcome: OperationRunOutcome::Failed->value,
failures: [[
'code' => 'entra.admin_roles.scan.failed',
'reason_code' => $reasonCode,
'message' => $message !== '' ? $message : 'Entra admin roles scan failed.',
]],
);
throw $e;
}
}
}

2
app/Models/AlertRule.php
View File

@ -22,6 +22,8 @@ class AlertRule extends Model
public const string EVENT_PERMISSION_MISSING = 'permission_missing';
public const string EVENT_ENTRA_ADMIN_ROLES_HIGH = 'entra.admin_roles.high';
public const string TENANT_SCOPE_ALL = 'all';
public const string TENANT_SCOPE_ALLOWLIST = 'allowlist';

2
app/Models/Finding.php
View File

@ -18,6 +18,8 @@ class Finding extends Model
public const string FINDING_TYPE_PERMISSION_POSTURE = 'permission_posture';
public const string FINDING_TYPE_ENTRA_ADMIN_ROLES = 'entra_admin_roles';
public const string SEVERITY_LOW = 'low';
public const string SEVERITY_MEDIUM = 'medium';

4
app/Models/StoredReport.php
View File

@ -16,11 +16,15 @@ class StoredReport extends Model
public const string REPORT_TYPE_PERMISSION_POSTURE = 'permission_posture';
public const string REPORT_TYPE_ENTRA_ADMIN_ROLES = 'entra.admin_roles';
protected $fillable = [
'workspace_id',
'tenant_id',
'report_type',
'payload',
'fingerprint',
'previous_fingerprint',
];
/**

10
app/Services/Auth/RoleCapabilityMap.php
View File

@ -37,6 +37,9 @@ class RoleCapabilityMap
Capabilities::PROVIDER_RUN,
Capabilities::AUDIT_VIEW,
Capabilities::ENTRA_ROLES_VIEW,
Capabilities::ENTRA_ROLES_MANAGE,
],
TenantRole::Manager->value => [
@ -59,6 +62,9 @@ class RoleCapabilityMap
Capabilities::PROVIDER_RUN,
Capabilities::AUDIT_VIEW,
Capabilities::ENTRA_ROLES_VIEW,
Capabilities::ENTRA_ROLES_MANAGE,
],
TenantRole::Operator->value => [
@ -76,6 +82,8 @@ class RoleCapabilityMap
Capabilities::PROVIDER_RUN,
Capabilities::AUDIT_VIEW,
Capabilities::ENTRA_ROLES_VIEW,
],
TenantRole::Readonly->value => [
@ -87,6 +95,8 @@ class RoleCapabilityMap
Capabilities::PROVIDER_VIEW,
Capabilities::AUDIT_VIEW,
Capabilities::ENTRA_ROLES_VIEW,
],
];

330
app/Services/EntraAdminRoles/EntraAdminRolesFindingGenerator.php Normal file
View File

@ -0,0 +1,330 @@
<?php
declare(strict_types=1);
namespace App\Services\EntraAdminRoles;
use App\Models\AlertRule;
use App\Models\Finding;
use App\Models\OperationRun;
use App\Models\Tenant;
use Carbon\CarbonImmutable;
final class EntraAdminRolesFindingGenerator
{
private const int GA_THRESHOLD = 5; // TODO: move to settings when configurable thresholds are implemented
/** @var array<int, array<string, mixed>> */
private array $alertEvents = [];
public function __construct(
private readonly HighPrivilegeRoleCatalog $catalog,
) {}
/**
* Generate/upsert/auto-resolve findings based on report payload data.
*/
public function generate(
Tenant $tenant,
array $reportPayload,
?OperationRun $operationRun = null,
): EntraAdminRolesFindingResult {
$this->alertEvents = [];
$created = 0;
$resolved = 0;
$reopened = 0;
$unchanged = 0;
$roleAssignments = is_array($reportPayload['role_assignments'] ?? null) ? $reportPayload['role_assignments'] : [];
$roleDefinitions = is_array($reportPayload['role_definitions'] ?? null) ? $reportPayload['role_definitions'] : [];
$measuredAt = (string) ($reportPayload['measured_at'] ?? CarbonImmutable::now('UTC')->toIso8601String());
$roleDefMap = $this->buildRoleDefMap($roleDefinitions);
$currentFingerprints = [];
$gaCount = 0;
$gaPrincipals = [];
foreach ($roleAssignments as $assignment) {
$roleDefId = (string) ($assignment['roleDefinitionId'] ?? '');
$roleDef = $roleDefMap[$roleDefId] ?? null;
$templateId = (string) ($roleDef['templateId'] ?? $roleDefId);
$displayName = $roleDef !== null ? (string) ($roleDef['displayName'] ?? '') : null;
$severity = $this->catalog->classify($templateId, $displayName);
if ($severity === null) {
continue;
}
$principalId = (string) ($assignment['principalId'] ?? '');
$scopeId = (string) ($assignment['directoryScopeId'] ?? '/');
$principal = $assignment['principal'] ?? [];
$fingerprint = $this->individualFingerprint($tenant, $templateId, $principalId, $scopeId);
$currentFingerprints[] = $fingerprint;
$evidence = $this->buildEvidence($assignment, $roleDef, $principal, $severity, $measuredAt);
$result = $this->upsertFinding($tenant, $fingerprint, $severity, $evidence, $principalId, $roleDefId, $operationRun);
match ($result) {
'created' => $created++,
'reopened' => $reopened++,
default => $unchanged++,
};
if (in_array($result, ['created', 'reopened'], true) && in_array($severity, [Finding::SEVERITY_HIGH, Finding::SEVERITY_CRITICAL], true)) {
$this->produceAlertEvent($tenant, $fingerprint, $evidence);
}
if ($this->catalog->isGlobalAdministrator($templateId, $displayName)) {
$gaCount++;
$gaPrincipals[] = [
'display_name' => (string) ($principal['displayName'] ?? 'Unknown'),
'type' => $this->resolvePrincipalType($principal),
'id' => $principalId,
];
}
}
// Aggregate "Too many Global Admins" finding
$resolved += $this->handleGaAggregate($tenant, $gaCount, $gaPrincipals, $currentFingerprints, $operationRun, $created, $reopened);
// Auto-resolve stale findings
$resolved += $this->resolveStaleFindings($tenant, $currentFingerprints);
return new EntraAdminRolesFindingResult(
created: $created,
resolved: $resolved,
reopened: $reopened,
unchanged: $unchanged,
alertEventsProduced: count($this->alertEvents),
);
}
/**
* @return array<int, array<string, mixed>>
*/
public function getAlertEvents(): array
{
return $this->alertEvents;
}
/**
* @return array<string, array<string, mixed>>
*/
private function buildRoleDefMap(array $roleDefinitions): array
{
$map = [];
foreach ($roleDefinitions as $def) {
$id = (string) ($def['id'] ?? '');
if ($id !== '') {
$map[$id] = $def;
}
}
return $map;
}
private function upsertFinding(
Tenant $tenant,
string $fingerprint,
string $severity,
array $evidence,
string $principalId,
string $roleDefId,
?OperationRun $operationRun,
): string {
$existing = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('fingerprint', $fingerprint)
->first();
if ($existing instanceof Finding) {
if ($existing->status === Finding::STATUS_RESOLVED) {
$existing->reopen($evidence);
return 'reopened';
}
// Update evidence on existing open finding
$existing->update(['evidence_jsonb' => $evidence]);
return 'unchanged';
}
Finding::create([
'tenant_id' => (int) $tenant->getKey(),
'finding_type' => Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES,
'source' => 'entra.admin_roles',
'scope_key' => hash('sha256', 'entra_admin_roles:'.$tenant->getKey()),
'fingerprint' => $fingerprint,
'subject_type' => 'role_assignment',
'subject_external_id' => "{$principalId}:{$roleDefId}",
'severity' => $severity,
'status' => Finding::STATUS_NEW,
'evidence_jsonb' => $evidence,
'current_operation_run_id' => $operationRun?->getKey(),
]);
return 'created';
}
/**
* Handle aggregate "Too many Global Admins" finding.
*
* @return int Number of resolved findings (0 or 1)
*/
private function handleGaAggregate(
Tenant $tenant,
int $gaCount,
array $gaPrincipals,
array &$currentFingerprints,
?OperationRun $operationRun,
int &$created,
int &$reopened,
): int {
$gaFingerprint = $this->gaAggregateFingerprint($tenant);
$currentFingerprints[] = $gaFingerprint;
$resolved = 0;
if ($gaCount > self::GA_THRESHOLD) {
$evidence = [
'count' => $gaCount,
'threshold' => self::GA_THRESHOLD,
'principals' => $gaPrincipals,
];
$existing = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('fingerprint', $gaFingerprint)
->first();
if ($existing instanceof Finding) {
if ($existing->status === Finding::STATUS_RESOLVED) {
$existing->reopen($evidence);
$reopened++;
$this->produceAlertEvent($tenant, $gaFingerprint, $evidence);
} else {
$existing->update(['evidence_jsonb' => $evidence]);
}
} else {
Finding::create([
'tenant_id' => (int) $tenant->getKey(),
'finding_type' => Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES,
'source' => 'entra.admin_roles',
'scope_key' => hash('sha256', 'entra_admin_roles_ga_count:'.$tenant->getKey()),
'fingerprint' => $gaFingerprint,
'subject_type' => 'role_assignment',
'subject_external_id' => 'ga_aggregate',
'severity' => Finding::SEVERITY_HIGH,
'status' => Finding::STATUS_NEW,
'evidence_jsonb' => $evidence,
'current_operation_run_id' => $operationRun?->getKey(),
]);
$created++;
$this->produceAlertEvent($tenant, $gaFingerprint, $evidence);
}
} else {
// Auto-resolve aggregate if threshold met
$existing = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('fingerprint', $gaFingerprint)
->whereIn('status', [Finding::STATUS_NEW, Finding::STATUS_ACKNOWLEDGED])
->first();
if ($existing instanceof Finding) {
$existing->resolve('ga_count_within_threshold');
$resolved++;
}
}
return $resolved;
}
/**
* Resolve open findings whose fingerprint is not in the current scan.
*/
private function resolveStaleFindings(Tenant $tenant, array $currentFingerprints): int
{
$staleFindings = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->whereIn('status', [Finding::STATUS_NEW, Finding::STATUS_ACKNOWLEDGED])
->whereNotIn('fingerprint', $currentFingerprints)
->get();
$resolved = 0;
foreach ($staleFindings as $finding) {
$finding->resolve('role_assignment_removed');
$resolved++;
}
return $resolved;
}
private function produceAlertEvent(Tenant $tenant, string $fingerprint, array $evidence): void
{
$this->alertEvents[] = [
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
'tenant_id' => (int) $tenant->getKey(),
'severity' => $evidence['severity'] ?? Finding::SEVERITY_HIGH,
'fingerprint_key' => 'entra_admin_role:'.$fingerprint,
'title' => 'High-privilege Entra admin role detected',
'body' => sprintf(
'Role "%s" assigned to %s on tenant %s.',
$evidence['role_display_name'] ?? 'Unknown',
$evidence['principal_display_name'] ?? 'Unknown',
$tenant->name ?? (string) $tenant->getKey(),
),
'metadata' => $evidence,
];
}
/**
* @return array<string, mixed>
*/
private function buildEvidence(array $assignment, ?array $roleDef, array $principal, string $severity, string $measuredAt): array
{
return [
'role_display_name' => (string) ($roleDef['displayName'] ?? 'Unknown'),
'principal_display_name' => (string) ($principal['displayName'] ?? 'Unknown'),
'principal_type' => $this->resolvePrincipalType($principal),
'principal_id' => (string) ($assignment['principalId'] ?? ''),
'role_definition_id' => (string) ($assignment['roleDefinitionId'] ?? ''),
'role_template_id' => (string) ($roleDef['templateId'] ?? ''),
'directory_scope_id' => (string) ($assignment['directoryScopeId'] ?? '/'),
'is_built_in' => (bool) ($roleDef['isBuiltIn'] ?? false),
'severity' => $severity,
'measured_at' => $measuredAt,
];
}
private function individualFingerprint(Tenant $tenant, string $templateId, string $principalId, string $scopeId): string
{
return substr(hash('sha256', "entra_admin_role:{$tenant->getKey()}:{$templateId}:{$principalId}:{$scopeId}"), 0, 64);
}
private function gaAggregateFingerprint(Tenant $tenant): string
{
return substr(hash('sha256', "entra_admin_role_ga_count:{$tenant->getKey()}"), 0, 64);
}
private function resolvePrincipalType(array $principal): string
{
$odataType = (string) ($principal['@odata.type'] ?? '');
return match (true) {
str_contains($odataType, 'user') => 'user',
str_contains($odataType, 'group') => 'group',
str_contains($odataType, 'servicePrincipal') => 'servicePrincipal',
default => 'unknown',
};
}
}

16
app/Services/EntraAdminRoles/EntraAdminRolesFindingResult.php Normal file
View File

@ -0,0 +1,16 @@
<?php
declare(strict_types=1);
namespace App\Services\EntraAdminRoles;
final readonly class EntraAdminRolesFindingResult
{
public function __construct(
public int $created,
public int $resolved,
public int $reopened,
public int $unchanged,
public int $alertEventsProduced,
) {}
}

15
app/Services/EntraAdminRoles/EntraAdminRolesReportResult.php Normal file
View File

@ -0,0 +1,15 @@
<?php
declare(strict_types=1);
namespace App\Services\EntraAdminRoles;
final readonly class EntraAdminRolesReportResult
{
public function __construct(
public bool $created,
public ?int $storedReportId,
public string $fingerprint,
public array $payload,
) {}
}

193
app/Services/EntraAdminRoles/EntraAdminRolesReportService.php Normal file
View File

@ -0,0 +1,193 @@
<?php
declare(strict_types=1);
namespace App\Services\EntraAdminRoles;
use App\Models\OperationRun;
use App\Models\StoredReport;
use App\Models\Tenant;
use App\Services\Graph\GraphClientInterface;
use App\Services\Providers\MicrosoftGraphOptionsResolver;
use Carbon\CarbonImmutable;
use RuntimeException;
final class EntraAdminRolesReportService
{
public function __construct(
private readonly GraphClientInterface $graphClient,
private readonly HighPrivilegeRoleCatalog $catalog,
private readonly MicrosoftGraphOptionsResolver $graphOptionsResolver,
) {}
/**
* Fetch Graph data and produce a stored report for the given tenant.
*/
public function generate(Tenant $tenant, ?OperationRun $operationRun = null): EntraAdminRolesReportResult
{
$graphOptions = $this->graphOptionsResolver->resolveForTenant($tenant);
$roleDefinitions = $this->fetchRoleDefinitions($graphOptions);
$roleAssignments = $this->fetchRoleAssignments($graphOptions);
$payload = $this->buildPayload($roleDefinitions, $roleAssignments);
$fingerprint = $this->computeFingerprint($roleDefinitions, $roleAssignments);
$latestReport = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->orderByDesc('created_at')
->orderByDesc('id')
->first();
if ($latestReport instanceof StoredReport && $latestReport->fingerprint === $fingerprint) {
return new EntraAdminRolesReportResult(
created: false,
storedReportId: (int) $latestReport->getKey(),
fingerprint: $fingerprint,
payload: $payload,
);
}
$report = StoredReport::create([
'tenant_id' => (int) $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
'payload' => $payload,
'fingerprint' => $fingerprint,
'previous_fingerprint' => $latestReport?->fingerprint,
]);
return new EntraAdminRolesReportResult(
created: true,
storedReportId: (int) $report->getKey(),
fingerprint: $fingerprint,
payload: $payload,
);
}
/**
* @return array<int, array<string, mixed>>
*/
private function fetchRoleDefinitions(array $graphOptions): array
{
$response = $this->graphClient->listPolicies('entraRoleDefinitions', $graphOptions);
if ($response->failed()) {
throw new RuntimeException('Failed to fetch Entra role definitions from Graph API.');
}
return $response->data;
}
/**
* @return array<int, array<string, mixed>>
*/
private function fetchRoleAssignments(array $graphOptions): array
{
$response = $this->graphClient->listPolicies('entraRoleAssignments', $graphOptions);
if ($response->failed()) {
throw new RuntimeException('Failed to fetch Entra role assignments from Graph API.');
}
return $response->data;
}
/**
* @return array<string, mixed>
*/
private function buildPayload(array $roleDefinitions, array $roleAssignments): array
{
$roleDefMap = [];
foreach ($roleDefinitions as $def) {
$id = (string) ($def['id'] ?? '');
if ($id !== '') {
$roleDefMap[$id] = $def;
}
}
$highPrivilegeAssignments = [];
foreach ($roleAssignments as $assignment) {
$roleDefId = (string) ($assignment['roleDefinitionId'] ?? '');
$roleDef = $roleDefMap[$roleDefId] ?? null;
$templateId = (string) ($roleDef['templateId'] ?? $roleDefId);
$displayName = $roleDef !== null ? (string) ($roleDef['displayName'] ?? '') : null;
$severity = $this->catalog->classify($templateId, $displayName);
if ($severity !== null) {
$principal = $assignment['principal'] ?? [];
$highPrivilegeAssignments[] = [
'role_definition_id' => $roleDefId,
'role_template_id' => (string) ($roleDef['templateId'] ?? ''),
'role_display_name' => (string) ($roleDef['displayName'] ?? 'Unknown'),
'is_built_in' => (bool) ($roleDef['isBuiltIn'] ?? false),
'principal_id' => (string) ($assignment['principalId'] ?? ''),
'principal_display_name' => (string) ($principal['displayName'] ?? 'Unknown'),
'principal_type' => $this->resolvePrincipalType($principal),
'directory_scope_id' => (string) ($assignment['directoryScopeId'] ?? '/'),
'severity' => $severity,
];
}
}
return [
'provider_key' => 'microsoft',
'domain' => 'entra.admin_roles',
'measured_at' => CarbonImmutable::now('UTC')->toIso8601String(),
'role_definitions' => $roleDefinitions,
'role_assignments' => $roleAssignments,
'totals' => [
'roles_total' => count($roleDefinitions),
'assignments_total' => count($roleAssignments),
'high_privilege_assignments' => count($highPrivilegeAssignments),
],
'high_privilege' => $highPrivilegeAssignments,
];
}
private function computeFingerprint(array $roleDefinitions, array $roleAssignments): string
{
$roleDefMap = [];
foreach ($roleDefinitions as $def) {
$id = (string) ($def['id'] ?? '');
if ($id !== '') {
$roleDefMap[$id] = $def;
}
}
$tuples = [];
foreach ($roleAssignments as $assignment) {
$roleDefId = (string) ($assignment['roleDefinitionId'] ?? '');
$roleDef = $roleDefMap[$roleDefId] ?? null;
$templateId = (string) ($roleDef['templateId'] ?? $roleDefId);
$principalId = (string) ($assignment['principalId'] ?? '');
$scopeId = (string) ($assignment['directoryScopeId'] ?? '/');
$tuples[] = "{$templateId}:{$principalId}:{$scopeId}";
}
sort($tuples);
return hash('sha256', implode("\n", $tuples));
}
private function resolvePrincipalType(array $principal): string
{
$odataType = (string) ($principal['@odata.type'] ?? '');
return match (true) {
str_contains($odataType, 'user') => 'user',
str_contains($odataType, 'group') => 'group',
str_contains($odataType, 'servicePrincipal') => 'servicePrincipal',
default => 'unknown',
};
}
}

76
app/Services/EntraAdminRoles/HighPrivilegeRoleCatalog.php Normal file
View File

@ -0,0 +1,76 @@
<?php
declare(strict_types=1);
namespace App\Services\EntraAdminRoles;
final class HighPrivilegeRoleCatalog
{
/**
* Template ID severity mapping.
*
* @var array<string, string>
*/
private const CATALOG = [
'62e90394-69f5-4237-9190-012177145e10' => 'critical', // Global Administrator
'e8611ab8-c189-46e8-94e1-60213ab1f814' => 'high', // Privileged Role Administrator
'194ae4cb-b126-40b2-bd5b-6091b380977d' => 'high', // Security Administrator
'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9' => 'high', // Conditional Access Administrator
'29232cdf-9323-42fd-ade2-1d097af3e4de' => 'high', // Exchange Administrator
'c4e39bd9-1100-46d3-8c65-fb160da0071f' => 'high', // Authentication Administrator
];
/**
* Display name fallback (case-insensitive) for roles without template_id match.
*
* @var array<string, string>
*/
private const DISPLAY_NAME_FALLBACK = [
'global administrator' => 'critical',
'privileged role administrator' => 'high',
'security administrator' => 'high',
'conditional access administrator' => 'high',
'exchange administrator' => 'high',
'authentication administrator' => 'high',
];
/**
* Classify a role by template_id (preferred) or display_name (fallback).
*
* @return string|null Severity ('critical'|'high') or null if not high-privilege
*/
public function classify(string $templateIdOrId, ?string $displayName = null): ?string
{
if (isset(self::CATALOG[$templateIdOrId])) {
return self::CATALOG[$templateIdOrId];
}
if ($displayName !== null) {
$normalized = strtolower(trim($displayName));
if (isset(self::DISPLAY_NAME_FALLBACK[$normalized])) {
return self::DISPLAY_NAME_FALLBACK[$normalized];
}
}
return null;
}
public function isHighPrivilege(string $templateIdOrId, ?string $displayName = null): bool
{
return $this->classify($templateIdOrId, $displayName) !== null;
}
public function isGlobalAdministrator(string $templateIdOrId, ?string $displayName = null): bool
{
return $this->classify($templateIdOrId, $displayName) === 'critical';
}
/**
* @return array<string, string> All template_id severity mappings
*/
public function allTemplateIds(): array
{
return self::CATALOG;
}
}

5
app/Services/Intune/TenantPermissionService.php
View File

@ -21,7 +21,10 @@ public function __construct(
*/
public function getRequiredPermissions(): array
{
return config('intune_permissions.permissions', []);
return array_merge(
config('intune_permissions.permissions', []),
config('entra_permissions.permissions', []),
);
}
/**

5
app/Support/Auth/Capabilities.php
View File

@ -104,6 +104,11 @@ class Capabilities
// Audit
public const AUDIT_VIEW = 'audit.view';
// Entra admin roles
public const ENTRA_ROLES_VIEW = 'entra_roles.view';
public const ENTRA_ROLES_MANAGE = 'entra_roles.manage';
/**
* Get all capability constants
*

1
app/Support/Badges/Domains/FindingTypeBadge.php
View File

@ -18,6 +18,7 @@ public function spec(mixed $value): BadgeSpec
return match ($state) {
Finding::FINDING_TYPE_DRIFT => new BadgeSpec('Drift', 'info', 'heroicon-m-arrow-path'),
Finding::FINDING_TYPE_PERMISSION_POSTURE => new BadgeSpec('Permission posture', 'warning', 'heroicon-m-shield-exclamation'),
Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES => new BadgeSpec('Entra admin roles', 'danger', 'heroicon-m-identification'),
default => BadgeSpec::unknown(),
};
}

17
app/Support/Middleware/EnsureFilamentTenantSelected.php
View File

@ -54,6 +54,12 @@ public function handle(Request $request, Closure $next): Response
return $next($request);
}
if ($this->isWorkspaceScopedPageWithTenant($refererPath)) {
$this->configureNavigationForRequest($panel);
return $next($request);
}
}
if (preg_match('#^/admin/operations/[^/]+$#', $path) === 1) {
@ -124,6 +130,12 @@ public function handle(Request $request, Closure $next): Response
abort(404);
}
if ($this->isWorkspaceScopedPageWithTenant($path)) {
$this->configureNavigationForRequest($panel);
return $next($request);
}
Filament::setTenant($tenant, true);
app(WorkspaceContext::class)->rememberLastTenantId((int) $workspaceId, (int) $tenant->getKey(), $request);
@ -244,6 +256,11 @@ private function configureNavigationForRequest(\Filament\Panel $panel): void
});
}
private function isWorkspaceScopedPageWithTenant(string $path): bool
{
return preg_match('#^/admin/tenants/[^/]+/required-permissions$#', $path) === 1;
}
private function adminPathRequiresTenantSelection(string $path): bool
{
if (! str_starts_with($path, '/admin/')) {

2
app/Support/OperationCatalog.php
View File

@ -50,6 +50,7 @@ public static function labels(): array
'baseline_capture' => 'Baseline capture',
'baseline_compare' => 'Baseline compare',
'permission_posture_check' => 'Permission posture check',
'entra.admin_roles.scan' => 'Entra admin roles scan',
];
}
@ -80,6 +81,7 @@ public static function expectedDurationSeconds(string $operationType): ?int
'baseline_capture' => 120,
'baseline_compare' => 120,
'permission_posture_check' => 30,
'entra.admin_roles.scan' => 60,
default => null,
};
}

1
app/Support/OperationRunType.php
View File

@ -16,6 +16,7 @@ enum OperationRunType: string
case BackupSchedulePurge = 'backup_schedule_purge';
case DirectoryRoleDefinitionsSync = 'directory_role_definitions.sync';
case RestoreExecute = 'restore.execute';
case EntraAdminRolesScan = 'entra.admin_roles.scan';
public static function values(): array
{

3
app/Support/OpsUx/OperationSummaryKeys.php
View File

@ -33,6 +33,9 @@ public static function all(): array
'findings_unchanged',
'errors_recorded',
'posture_score',
'report_created',
'report_deduped',
'alert_events_produced',
];
}
}

16
app/Support/OpsUx/SummaryCountsNormalizer.php
View File

@ -57,13 +57,25 @@ public static function renderSummaryLine(array $summaryCounts): ?string
$parts = [];
foreach ($normalized as $key => $value) {
$parts[] = $key.': '.$value;
if ($value === 0) {
continue;
}
$parts[] = self::humanizeKey($key).': '.$value;
}
if ($parts === []) {
return null;
}
return 'Summary: '.implode(', ', $parts);
return implode(' · ', $parts);
}
/**
* Convert a snake_case summary key to a human-readable label.
*/
private static function humanizeKey(string $key): string
{
return ucfirst(str_replace('_', ' ', $key));
}
}

12
config/entra_permissions.php Normal file
View File

@ -0,0 +1,12 @@
<?php
return [
'permissions' => [
[
'key' => 'RoleManagement.Read.Directory',
'type' => 'application',
'description' => 'Read directory role definitions and assignments for Entra admin roles evidence.',
'features' => ['entra-admin-roles'],
],
],
];

10
config/graph_contracts.php
View File

@ -67,6 +67,16 @@
'allowed_select' => ['id', 'displayName', 'resourceScopes', 'members'],
'allowed_expand' => ['roleDefinition($select=id,displayName)'],
],
'entraRoleDefinitions' => [
'resource' => 'roleManagement/directory/roleDefinitions',
'allowed_select' => ['id', 'displayName', 'templateId', 'isBuiltIn'],
'allowed_expand' => [],
],
'entraRoleAssignments' => [
'resource' => 'roleManagement/directory/roleAssignments',
'allowed_select' => ['id', 'roleDefinitionId', 'principalId', 'directoryScopeId'],
'allowed_expand' => ['principal'],
],
'deviceConfiguration' => [
'resource' => 'deviceManagement/deviceConfigurations',
'allowed_select' => ['id', 'displayName', 'description', '@odata.type', 'version', 'lastModifiedDateTime'],

24
database/factories/FindingFactory.php
View File

@ -68,4 +68,28 @@ public function resolved(): static
'resolved_reason' => 'permission_granted',
]);
}
/**
* State for Entra admin roles findings.
*/
public function entraAdminRoles(): static
{
return $this->state(fn (array $attributes): array => [
'finding_type' => Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES,
'source' => 'entra.admin_roles',
'severity' => Finding::SEVERITY_CRITICAL,
'subject_type' => 'role_assignment',
'evidence_jsonb' => [
'role_display_name' => 'Global Administrator',
'principal_display_name' => 'Admin User',
'principal_type' => 'user',
'principal_id' => fake()->uuid(),
'role_definition_id' => fake()->uuid(),
'role_template_id' => '62e90394-69f5-4237-9190-012177145e10',
'directory_scope_id' => '/',
'is_built_in' => true,
'measured_at' => now()->toIso8601String(),
],
]);
}
}

34
database/migrations/2026_02_22_000259_add_fingerprint_to_stored_reports_table.php Normal file
View File

@ -0,0 +1,34 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration
{
/**
* Run the migrations.
*/
public function up(): void
{
Schema::table('stored_reports', function (Blueprint $table) {
$table->string('fingerprint', 64)->nullable()->after('payload');
$table->string('previous_fingerprint', 64)->nullable()->after('fingerprint');
$table->unique(['tenant_id', 'report_type', 'fingerprint']);
$table->index(['tenant_id', 'report_type', 'created_at']);
});
}
/**
* Reverse the migrations.
*/
public function down(): void
{
Schema::table('stored_reports', function (Blueprint $table) {
$table->dropIndex(['tenant_id', 'report_type', 'created_at']);
$table->dropUnique(['tenant_id', 'report_type', 'fingerprint']);
$table->dropColumn(['fingerprint', 'previous_fingerprint']);
});
}
};

62
resources/views/filament/widgets/tenant/admin-roles-summary.blade.php Normal file
View File

@ -0,0 +1,62 @@
@php
/** @var ?\App\Models\Tenant $tenant */
/** @var ?array $reportSummary */
/** @var ?string $lastScanAt */
/** @var int $highPrivilegeCount */
/** @var bool $canManage */
/** @var bool $canView */
/** @var ?string $viewReportUrl */
@endphp
<x-filament::section heading="Entra admin roles">
<x-slot name="afterHeader">
@if ($canView && $viewReportUrl)
<a
href="{{ $viewReportUrl }}"
class="text-sm font-medium text-primary-600 hover:text-primary-500 dark:text-primary-400 dark:hover:text-primary-300"
>
View latest report
</a>
@endif
</x-slot>
@if ($reportSummary === null)
<div class="text-sm text-gray-500 dark:text-gray-400">
No scan performed yet.
</div>
@else
<div class="space-y-3">
<div class="flex items-center justify-between gap-3">
<div class="text-sm text-gray-500 dark:text-gray-400">
Last scan
</div>
<div class="text-sm font-medium">
{{ $lastScanAt }}
</div>
</div>
<div class="flex items-center justify-between gap-3">
<div class="text-sm text-gray-500 dark:text-gray-400">
High-privilege assignments
</div>
<div class="text-sm font-medium {{ $highPrivilegeCount > 0 ? 'text-danger-600 dark:text-danger-400' : 'text-success-600 dark:text-success-400' }}">
{{ $highPrivilegeCount }}
</div>
</div>
</div>
@endif
@if ($canManage)
<div class="mt-4">
<x-filament::button
wire:click="scanNow"
size="sm"
color="primary"
wire:loading.attr="disabled"
>
<span wire:loading.remove wire:target="scanNow">Scan now</span>
<span wire:loading wire:target="scanNow">Scanning…</span>
</x-filament::button>
</div>
@endif
</x-filament::section>

21
routes/console.php
View File

@ -2,6 +2,8 @@
use App\Jobs\PruneOldOperationRunsJob;
use App\Jobs\ReconcileAdapterRunsJob;
use App\Jobs\ScanEntraAdminRolesJob;
use App\Models\Tenant;
use Illuminate\Foundation\Inspiring;
use Illuminate\Support\Facades\Artisan;
use Illuminate\Support\Facades\Schedule;
@ -31,3 +33,22 @@
->daily()
->name('stored-reports:prune')
->withoutOverlapping();
Schedule::call(function (): void {
$tenants = Tenant::query()
->whereHas('providerConnections', function ($q): void {
$q->where('status', 'connected');
})
->whereNotNull('workspace_id')
->get();
foreach ($tenants as $tenant) {
ScanEntraAdminRolesJob::dispatch(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
}
})
->daily()
->name('entra-admin-roles:scan')
->withoutOverlapping();

28
specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md
View File

@ -1,7 +1,8 @@
# Specification Quality Checklist: Entra Admin Roles Evidence + Findings
**Purpose**: Validate specification completeness and quality before proceeding to planning
**Purpose**: Validate specification completeness and quality before proceeding to implementation
**Created**: 2026-02-21
**Last Validated**: 2026-02-22 (post-analysis remediation)
**Feature**: [spec.md](../spec.md)
## Content Quality
@ -18,9 +19,9 @@ ## Requirement Completeness
- [x] Success criteria are measurable (SC-001 through SC-008 with quantitative metrics)
- [x] Success criteria are technology-agnostic (no framework/language references)
- [x] All acceptance scenarios are defined (6 user stories with 18 total acceptance scenarios)
- [x] Edge cases are identified (7 documented: partial data, service principals, scoped assignments, missing template_id, zero assignments, concurrent scans, threshold hardcode)
- [x] Edge cases are identified (8 documented: partial data, service principals, group-assigned roles, scoped assignments, missing template_id, zero assignments, concurrent scans, threshold hardcode)
- [x] Scope is clearly bounded (Non-Goals section: no PIM, no remediation, no EvidenceItems, no RBAC refactor)
- [x] Dependencies and assumptions identified (Spec 104, Spec 099, Findings model, Graph RBAC API, no PIM)
- [x] Dependencies and assumptions identified (Spec 104, Spec 099, Findings model, Graph RBAC API, no PIM, StoredReports retention)
## Feature Readiness
@ -29,18 +30,31 @@ ## Feature Readiness
- [x] Feature meets measurable outcomes defined in Success Criteria
- [x] No implementation details leak into specification (entities section describes domain concepts, not code)
## Spec ↔ Plan ↔ Tasks Consistency (post-analysis)
- [x] No stale clarifications contradict plan/tasks (I1 remediated: migration Q&A corrected)
- [x] All 21 FRs have ≥1 implementation task (FR-021 is test-only; T035 confirms viewer rendering assumption first)
- [x] All success criteria are testable by ≥1 task (SC-005 now covered by T028(5); SC-006 backed by retention assumption; SC-008 deferred to staging)
- [x] Edge case: scoped assignments tested (T025(15) added)
- [x] Edge case: group = 1 principal tested (T025(11) covers principal types including group)
- [x] Posture score impact tested (T028(5) added)
- [x] Phase dependency D1 noted as advisory — US4 can start after Phase 2 (not blocked on Phase 4)
## Constitution Alignment
- [x] Constitution alignment (required) — Graph contracts, safety gates, tenant isolation, run observability, tests
- [x] Constitution alignment (RBAC-UX) — authorization planes, 404/403 semantics, capability registry, authorization tests
- [x] Constitution alignment (OPS-EX-AUTH-001) — N/A documented
- [x] Constitution alignment (BADGE-001) — new finding type badge documented
- [x] Constitution alignment (Filament Action Surfaces) — UI Action Matrix completed
- [x] Constitution alignment (BADGE-001) — new finding type badge documented with test (T014)
- [x] Constitution alignment (Filament Action Surfaces) — UI Action Matrix completed; widget exemption documented
- [x] Constitution alignment (UX-001) — Exemption for no new Create/Edit pages documented
## Notes
- All items pass. Spec is ready for `/speckit.plan` or implementation.
- Plan.md has been written alongside the spec.
- All items pass. Spec + plan + tasks are consistent and ready for `/speckit.implement`.
- Plan.md and tasks.md have been written and validated against spec.
- High-Privilege Role Catalog includes Microsoft well-known template IDs for v1 classification.
- "Too many Global Admins" threshold is hardcoded at 5 with documented TODO for settings migration.
- SC-008 (scan performance ≤30s / 200 assignments) is not testable in standard Pest suite — validate on staging.
- FR-021 (report viewer) assumes existing viewer handles `entra.admin_roles` payload; T035 confirms this first.
- StoredReports retention (default 90 days) is assumed to be handled by existing infrastructure (documented in Assumptions).

6
specs/105-entra-admin-roles-evidence-findings/spec.md
View File

@ -29,6 +29,7 @@ ## Spec Scope Fields *(mandatory)*
## Assumptions and Dependencies
- **Spec 104 (Provider Permission Posture)** established the `stored_reports` table, `StoredReport` model, fingerprint-based dedupe, and the posture report pattern. This spec reuses that infrastructure with a new `report_type`.
- **StoredReports retention** is handled by existing infrastructure and defaults to 90 days.
- **Alerts v1 (Spec 099)** provides the generic `AlertDispatchService`, `EvaluateAlertsJob` framework, and `AlertRule` model. This spec adds a new event type constant; no structural changes to alerting.
- **Findings model** already supports `finding_type`, `source`, `subject_type`, `subject_external_id`, severity, status (including `resolved`), and fingerprint-based idempotent upsert (established by drift findings + Spec 104).
- **`config/intune_permissions.php`** is the existing registry for Intune-specific Graph permissions. A new `config/entra_permissions.php` will be created for Entra Directory permissions. The registry loader (`TenantPermissionService` or equivalent) must merge both sources.
@ -329,7 +330,8 @@ ## Clarifications
### Session 2026-02-21
- Q: Does this spec introduce new database tables? → A: No. Reuses `stored_reports` (Spec 104) and `findings` (existing). No migration needed beyond OperationRunType enum case.
- Q: Does this spec introduce new database tables? → A: No. Reuses `stored_reports` (Spec 104) and `findings` (existing).
- Q: Does this spec require database migrations? → A: Yes — one migration adds `fingerprint` and `previous_fingerprint` (plus indexes) to `stored_reports` for report dedupe and chaining, and `OperationRunType` gains the `entra.admin_roles.scan` case.
- Q: Is `$expand=principal` reliable for all principal types? → A: Yes — Graph returns principal details for users, groups, and service principals. If expansion fails for a specific principal, the assignment is still recorded with `principal.display_name = null` (evidence captures this gap).
- Q: Why two capabilities (VIEW/MANAGE) instead of reusing existing findings capabilities? → A: The scan action is domain-specific (Entra roles) and should be independently gatable. Viewing the resulting findings still uses existing findings capabilities, but triggering the scan and viewing the admin roles report card uses the new capabilities.
- Q: How is daily scheduling implemented? → A: Same pattern as existing scheduled scans — workspace dispatcher iterates tenants with active connections and dispatches `ScanEntraAdminRolesJob` per tenant.
@ -345,6 +347,6 @@ ### Measurable Outcomes
- **SC-003 (Auto-resolve latency)**: When a high-privilege role assignment is removed, the corresponding finding is resolved within the next scan cycle.
- **SC-004 (Alert delivery)**: When a new high-privilege finding is created and an active alert rule matches, a delivery is queued within 2 minutes.
- **SC-005 (Posture integration)**: After deploying this spec, the permission posture score for tenants missing `RoleManagement.Read.Directory` reflects the gap (score decreases proportionally).
- **SC-006 (Temporal audit)**: An operator can query stored reports to see a tenant's admin role posture at any point within the retention window (default 90 days).
- **SC-006 (Temporal audit)**: An operator can query stored reports to see a tenant's admin role posture at any point within the configured retention window (default 90 days).
- **SC-007 (No duplicates)**: Repeated scans with identical data produce no duplicate findings or stored reports.
- **SC-008 (Scan performance)**: A single tenant scan completes within 30 seconds for tenants with up to 200 role assignments.

332
specs/105-entra-admin-roles-evidence-findings/tasks.md Normal file
View File

@ -0,0 +1,332 @@
# Tasks: Entra Admin Roles Evidence + Findings
**Input**: Design documents from `/specs/105-entra-admin-roles-evidence-findings/`
**Prerequisites**: plan.md (required), spec.md (required), research.md, data-model.md, contracts/internal-services.md, quickstart.md
**Tests**: For runtime behavior changes in this repo, tests are REQUIRED (Pest). All user stories include test tasks.
**Operations**: This feature introduces queued work (`ScanEntraAdminRolesJob`). Tasks include `OperationRun` creation via `OperationRunService::ensureRunWithIdentity()` with type `entra.admin_roles.scan`, and outcome tracking per constitution.
**RBAC**: New capabilities introduced: `ENTRA_ROLES_VIEW` and `ENTRA_ROLES_MANAGE`. Tasks include:
- Capability constants in `App\Support\Auth\Capabilities` (no raw strings)
- `RoleCapabilityMap` mapping: Readonly/Operator → VIEW; Manager/Owner → MANAGE
- Widget `canView()` gated by `ENTRA_ROLES_VIEW`; "Scan now" action gated by `ENTRA_ROLES_MANAGE` server-side
- 404 vs 403 semantics: non-member/not entitled → 404; member missing capability → 403
- Authorization plane: tenant-context (`/admin/t/{tenant}/...`)
- No new globally searchable resources. Existing search behavior unchanged.
- No destructive actions — scan is read-only, no `->requiresConfirmation()` needed
- Positive + negative authorization tests in widget test (US5)
**Filament UI Action Surfaces**: **Partial exemption** — no new Resources/Pages/RelationManagers. Only changes: (1) new tenant card widget with "Scan now" header action, (2) new option added to `AlertRuleResource` event type dropdown. Widget is not a full Resource — Action Surface Contract does not apply to simple stat/card widgets (documented in spec UI Action Matrix).
**Filament UI UX-001**: **Exemption** — no new Create/Edit/View pages. Widget follows existing card conventions. Report viewer reuses existing stored reports viewer.
**Badges**: Adds `entra_admin_roles` finding type to `FindingTypeBadge` per BADGE-001 (`BadgeSpec('Entra admin roles', 'danger', 'heroicon-m-identification')`). Tests included.
**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
## Format: `[ID] [P?] [Story] Description`
- **[P]**: Can run in parallel (different files, no dependencies on incomplete tasks)
- **[Story]**: Which user story this task belongs to (US1, US2, US3, US4, US5, US6)
- Include exact file paths in descriptions
---
## Phase 1: Setup
**Purpose**: No project setup needed — existing Laravel project with all framework dependencies.
*Phase skipped.*
---
## Phase 2: Foundation (Blocking Prerequisites)
**Purpose**: Migration, config files, model constants, enum cases, capability registry, badge mappings, and factory states that ALL user stories depend on. Maps to plan Phase A.
**⚠️ CRITICAL**: No user story work can begin until this phase is complete.
### Migration
- [X] T001 Create migration for adding `fingerprint` (string(64), nullable) and `previous_fingerprint` (string(64), nullable) columns to `stored_reports` table via `vendor/bin/sail artisan make:migration add_fingerprint_to_stored_reports_table --no-interaction`. Add unique index on `[tenant_id, report_type, fingerprint]` and index on `[tenant_id, report_type, created_at DESC]`. Columns are nullable because existing `permission_posture` reports (Spec 104) don't use fingerprinting. See `specs/105-entra-admin-roles-evidence-findings/data-model.md` migration section.
### Config Files
- [X] T002 [P] Create `config/entra_permissions.php` with permissions array containing `RoleManagement.Read.Directory` (type: application, features: `['entra-admin-roles']`). Follow exact schema of existing `config/intune_permissions.php`. See `specs/105-entra-admin-roles-evidence-findings/data-model.md` config section.
- [X] T003 [P] Add `entraRoleDefinitions` and `entraRoleAssignments` entries to `config/graph_contracts.php`. `entraRoleDefinitions`: resource `roleManagement/directory/roleDefinitions`, allowed_select `[id, displayName, templateId, isBuiltIn]`. `entraRoleAssignments`: resource `roleManagement/directory/roleAssignments`, allowed_select `[id, roleDefinitionId, principalId, directoryScopeId]`, allowed_expand `[principal]`. See `specs/105-entra-admin-roles-evidence-findings/data-model.md` graph contracts section.
### Model & Enum Constants
- [X] T004 [P] Extend `StoredReport` model in `app/Models/StoredReport.php`: add `REPORT_TYPE_ENTRA_ADMIN_ROLES = 'entra.admin_roles'` constant, add `fingerprint` and `previous_fingerprint` to `$fillable` array. See `specs/105-entra-admin-roles-evidence-findings/data-model.md` StoredReport section.
- [X] T005 [P] Extend `Finding` model in `app/Models/Finding.php`: add `FINDING_TYPE_ENTRA_ADMIN_ROLES = 'entra_admin_roles'` constant. No method changes — existing `resolve()`, `reopen()`, and fingerprint-based lookup are reused from Spec 104.
- [X] T006 [P] Extend `AlertRule` model in `app/Models/AlertRule.php`: add `EVENT_ENTRA_ADMIN_ROLES_HIGH = 'entra.admin_roles.high'` constant.
- [X] T007 [P] Add `EntraAdminRolesScan = 'entra.admin_roles.scan'` case to `app/Support/OperationRunType.php` enum.
### Capability Registry
- [X] T008 [P] Add `ENTRA_ROLES_VIEW = 'entra_roles.view'` and `ENTRA_ROLES_MANAGE = 'entra_roles.manage'` constants to `app/Support/Auth/Capabilities.php`.
- [X] T009 [P] Update `app/Support/Auth/RoleCapabilityMap.php` to map new capabilities: Readonly/Operator → `ENTRA_ROLES_VIEW`; Manager/Owner → `ENTRA_ROLES_VIEW` + `ENTRA_ROLES_MANAGE`. Follow existing mapping patterns in the file.
### Badge Mapping
- [X] T010 [P] Add `entra_admin_roles` mapping to `app/Support/Badges/Domains/FindingTypeBadge.php`: `Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES => new BadgeSpec('Entra admin roles', 'danger', 'heroicon-m-identification')`. Follow existing pattern from `permission_posture` and `drift` mappings.
### Factory State
- [X] T011 [P] Add `entraAdminRoles()` factory state to `database/factories/FindingFactory.php`: sets `finding_type → Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES`, `source → 'entra.admin_roles'`, `severity → Finding::SEVERITY_CRITICAL`, `subject_type → 'role_assignment'`, sample evidence in `evidence_jsonb` with `role_display_name`, `principal_display_name`, `principal_type`, `principal_id`, `role_definition_id`, `directory_scope_id`, `is_built_in`, `measured_at`.
### Verify & Test Foundation
- [X] T012 Run migration via `vendor/bin/sail artisan migrate` and verify `stored_reports` table has `fingerprint` and `previous_fingerprint` columns, unique index on `[tenant_id, report_type, fingerprint]`, and index on `[tenant_id, report_type, created_at DESC]`.
- [X] T013 [P] Write StoredReport fingerprint tests in `tests/Feature/EntraAdminRoles/StoredReportFingerprintTest.php`: (1) `fingerprint` and `previous_fingerprint` columns are fillable and persist correctly, (2) unique index prevents duplicate `(tenant_id, report_type, fingerprint)` combinations, (3) nullable columns allow null values for existing reports without fingerprints.
- [X] T014 [P] Write badge rendering test for `entra_admin_roles` type in `tests/Feature/EntraAdminRoles/FindingTypeBadgeTest.php` (or extend existing badge test file): `entra_admin_roles` renders with `danger` color and `heroicon-m-identification` icon.
- [X] T015 [P] Write capabilities registry test in `tests/Feature/EntraAdminRoles/EntraPermissionsRegistryTest.php`: (1) `Capabilities::ENTRA_ROLES_VIEW` and `Capabilities::ENTRA_ROLES_MANAGE` constants exist, (2) `RoleCapabilityMap` maps VIEW to Readonly/Operator, MANAGE to Manager/Owner.
**Checkpoint**: Foundation ready — migration, config, constants, capabilities, badge, and factory in place. User story implementation can begin.
---
## Phase 3: User Story 1 — Scan & Evidence Snapshot (Priority: P1) 🎯 MVP
**Goal**: Fetch Entra directory role data from Graph, classify high-privilege roles, and persist as a fingerprinted stored report with deduplication. Maps to plan Phase B.
**Independent Test**: Trigger report generation for a tenant; confirm a `stored_report` exists with `report_type=entra.admin_roles`, valid payload (role_definitions, role_assignments, totals, high_privilege), and content-based fingerprint.
### Implementation for User Story 1
- [X] T016 [P] [US1] Create `HighPrivilegeRoleCatalog` in `app/Services/EntraAdminRoles/HighPrivilegeRoleCatalog.php` with static `CATALOG` map (6 template_id → severity pairs) and `DISPLAY_NAME_FALLBACK` map (case-insensitive). Methods: `classify(string $templateIdOrId, ?string $displayName): ?string` (returns severity or null), `isHighPrivilege(...)`: bool, `isGlobalAdministrator(...)`: bool, `allTemplateIds(): array`. Classification prefers `template_id`, falls back to `display_name`. See `specs/105-entra-admin-roles-evidence-findings/data-model.md` HighPrivilegeRoleCatalog section and spec FR-006.
- [X] T017 [P] [US1] Create `EntraAdminRolesReportResult` value object in `app/Services/EntraAdminRoles/EntraAdminRolesReportResult.php` with `readonly` properties: `bool $created`, `?int $storedReportId`, `string $fingerprint`, `array $payload`. See `specs/105-entra-admin-roles-evidence-findings/data-model.md`.
- [X] T018 [US1] Create `EntraAdminRolesReportService` in `app/Services/EntraAdminRoles/EntraAdminRolesReportService.php` with constructor injecting `GraphClientInterface` and `HighPrivilegeRoleCatalog`. Method `generate(Tenant $tenant, ?OperationRun $operationRun = null): EntraAdminRolesReportResult` must: (1) fetch `roleDefinitions` via Graph contract `entraRoleDefinitions`, (2) fetch `roleAssignments` with `$expand=principal` via contract `entraRoleAssignments`, (3) build payload per FR-005 schema (provider_key, domain, measured_at, role_definitions, role_assignments, totals, high_privilege), (4) compute fingerprint: SHA-256 of sorted `"{role_template_or_id}:{principal_id}:{scope_id}"` tuples joined by `\n`, (5) check if latest report for `(tenant_id, report_type=entra.admin_roles)` has same fingerprint → return `created=false` if match, (6) create `StoredReport` with `previous_fingerprint` from latest existing report. All-or-nothing: if either Graph call fails, throw (no partial report). See `specs/105-entra-admin-roles-evidence-findings/contracts/internal-services.md` Service 1.
### Tests for User Story 1
- [X] T019 [P] [US1] Write HighPrivilegeRoleCatalog tests in `tests/Feature/EntraAdminRoles/HighPrivilegeRoleCatalogTest.php`: (1) classify Global Administrator template_id → `critical`, (2) classify all 5 other high-privilege template_ids → `high`, (3) display_name fallback for role without template_id match, (4) unknown template_id + unknown display_name → null, (5) null display_name with unknown template_id → null, (6) `isGlobalAdministrator()` returns true only for GA template_id, (7) `allTemplateIds()` returns all 6 entries, (8) display_name matching is case-insensitive.
- [X] T020 [US1] Write EntraAdminRolesReportService tests in `tests/Feature/EntraAdminRoles/EntraAdminRolesReportServiceTest.php`: (1) new report created with correct `report_type=entra.admin_roles`, payload schema per FR-005, and fingerprint, (2) dedup on identical fingerprint — second call returns `created=false` with existing report ID, (3) changed data → new report with different fingerprint and `previous_fingerprint` chain, (4) Graph roleDefinitions failure → exception thrown, no partial report (all-or-nothing), (5) Graph roleAssignments failure → exception thrown, no partial report, (6) payload contains role_definitions, role_assignments, totals (roles_total, assignments_total, high_privilege_assignments), and high_privilege section, (7) fingerprint is deterministic regardless of Graph response ordering, (8) tenant with zero role assignments → valid report with empty assignments and totals.
**Checkpoint**: US1 complete — Entra admin role data is fetched from Graph, classified, fingerprinted, and persisted as stored reports with deduplication. This is the evidence pipeline.
---
## Phase 4: User Story 2 — Generate Findings for High-Privilege Assignments (Priority: P1)
**Goal**: Generate, upsert, auto-resolve, and re-open findings based on report data. Create aggregate "Too many Global Admins" finding when threshold exceeded. Wire everything via the scan job with OperationRun tracking and scheduling. Maps to plan Phases C + D.
**Independent Test**: Run the finding generator for a tenant with a Global Administrator assignment; confirm a finding with `finding_type=entra_admin_roles`, `severity=critical`, correct fingerprint and evidence exists.
### Implementation for User Story 2
- [X] T021 [P] [US2] Create `EntraAdminRolesFindingResult` value object in `app/Services/EntraAdminRoles/EntraAdminRolesFindingResult.php` with `readonly` properties: `int $created`, `int $resolved`, `int $reopened`, `int $unchanged`, `int $alertEventsProduced`. See `specs/105-entra-admin-roles-evidence-findings/data-model.md`.
- [X] T022 [US2] Create `EntraAdminRolesFindingGenerator` in `app/Services/EntraAdminRoles/EntraAdminRolesFindingGenerator.php` with constructor injecting `HighPrivilegeRoleCatalog`. Method `generate(Tenant $tenant, array $reportPayload, ?OperationRun $operationRun = null): EntraAdminRolesFindingResult` must: (1) iterate `role_assignments` from payload, classify each via catalog, (2) for each high-privilege assignment: create finding via fingerprint upsert (`firstOrNew` on `[tenant_id, fingerprint]`), fingerprint = `substr(hash('sha256', "entra_admin_role:{tenant_id}:{role_template_or_id}:{principal_id}:{scope_id}"), 0, 64)`, (3) set severity: `critical` for Global Admin, `high` for others, (4) set evidence per FR-009 schema, `subject_type='role_assignment'`, `subject_external_id="{principal_id}:{role_definition_id}"`, (5) auto-resolve stale findings: query open `entra_admin_roles` findings whose fingerprint NOT in current scan → `resolve('role_assignment_removed')`, (6) re-open resolved findings when fingerprint matches current scan, (7) aggregate finding: when GA count > 5 → create "Too many Global Admins" finding with fingerprint `substr(hash('sha256', "entra_admin_role_ga_count:{tenant_id}"), 0, 64)`, severity=high, auto-resolve when ≤ 5, (8) produce alert events for new/re-opened findings with severity ≥ high. Method `getAlertEvents(): array` returns collected events. See `specs/105-entra-admin-roles-evidence-findings/contracts/internal-services.md` Service 2.
- [X] T023 [US2] Create `ScanEntraAdminRolesJob` in `app/Jobs/ScanEntraAdminRolesJob.php` implementing `ShouldQueue`. Constructor: `int $tenantId`, `int $workspaceId`, `?int $initiatorUserId = null`. `handle()` must: (1) resolve Tenant, check for active provider connection → return early if none (no OperationRun, no error per FR-018), (2) create OperationRun via `OperationRunService::ensureRunWithIdentity()` with type `entra.admin_roles.scan`, (3) call `EntraAdminRolesReportService::generate()`, (4) call `EntraAdminRolesFindingGenerator::generate()` with report payload (regardless of whether report was new or deduped — finding generator handles auto-resolve for stale findings from removed assignments), (5) record success on OperationRun with counts from both results, (6) on Graph error → record failure with sanitized error message, re-throw for retry. See `specs/105-entra-admin-roles-evidence-findings/contracts/internal-services.md` Job section.
- [X] T024 [US2] Register daily scan schedule in `routes/console.php`: iterate workspaces → tenants with active provider connections → dispatch `ScanEntraAdminRolesJob` per tenant. Follow existing scheduled scan patterns in the file. See plan Phase D (scheduling) and FR-016.
### Tests for User Story 2
- [X] T025 [US2] Write EntraAdminRolesFindingGenerator tests in `tests/Feature/EntraAdminRoles/EntraAdminRolesFindingGeneratorTest.php`: (1) creates individual findings for high-privilege assignments with correct type/severity/fingerprint/evidence/source, (2) severity mapping: Global Admin → critical, others → high, (3) idempotent upsert — same data across scans → no duplicates, `times_seen` and `last_seen_at` updated, (4) auto-resolve on removed assignment (finding status → resolved, resolved_reason = `role_assignment_removed`), (5) re-open resolved finding when role re-assigned (status → new, resolved_at/resolved_reason cleared, evidence updated), (6) aggregate "Too many Global Admins" finding created when GA count > 5 with correct fingerprint/severity/evidence, (7) aggregate finding auto-resolved when GA count ≤ 5, (8) alert events produced for new/re-opened findings with severity ≥ high, (9) no alert events for unchanged or resolved findings, (10) evidence schema includes role_display_name, principal_display_name, principal_type, principal_id, role_definition_id, directory_scope_id, is_built_in, measured_at, (11) handles all principal types (user, group, servicePrincipal), (12) subject_type='role_assignment' and subject_external_id='{principal_id}:{role_definition_id}' set on every finding, (13) stale findings for assignments no longer in scan are auto-resolved (catches removed assignments), (14) auto-resolve applies to both `new` and `acknowledged` findings (acknowledged metadata preserved), (15) scoped assignments (`directory_scope_id != '/'`) do not downgrade severity and the scope is captured in evidence.
- [X] T026 [US2] Write ScanEntraAdminRolesJob tests in `tests/Feature/EntraAdminRoles/ScanEntraAdminRolesJobTest.php`: (1) successful run creates OperationRun with type=entra.admin_roles.scan and records success with counts, (2) skips tenant without active provider connection — no OperationRun, no findings, no report, (3) Graph failure → OperationRun marked failed with sanitized error, job re-thrown for retry, (4) finding generator called even when report was deduped (handles auto-resolve), (5) OperationRun uniqueness enforced per (workspace_id, tenant_id, run_type).
**Checkpoint**: US1 + US2 complete — full scan pipeline operational: Graph fetch → stored report → findings → auto-resolve → re-open → aggregate. This is the core MVP.
---
## Phase 5: User Story 4 — Entra Permissions in Permission Posture (Priority: P2)
**Goal**: Integrate Entra-specific Graph permissions into the existing permission posture pipeline so posture scores reflect whether tenants can run admin role scans. Maps to plan Phase D (TenantPermissionService merge).
**Independent Test**: Verify that after loading the merged registry (Intune + Entra), `RoleManagement.Read.Directory` appears in the required permissions list. Verify posture score computation includes it.
### Implementation for User Story 4
- [X] T027 [US4] Modify `app/Services/Intune/TenantPermissionService.php` method `getRequiredPermissions()` to merge `config('entra_permissions.permissions', [])` alongside existing `config('intune_permissions.permissions', [])`. The merge must be non-breaking (existing Intune posture flows unchanged). See `specs/105-entra-admin-roles-evidence-findings/contracts/internal-services.md` Modified: TenantPermissionService section.
### Tests for User Story 4
- [X] T028 [US4] Extend or create tests in `tests/Feature/EntraAdminRoles/EntraPermissionsRegistryTest.php`: (1) merged required permissions list includes both Intune and Entra entries, (2) `RoleManagement.Read.Directory` appears in merged list with correct type and features, (3) existing Intune permissions unchanged after merge, (4) empty `entra_permissions.permissions` config → merge returns only Intune entries (non-breaking fallback), (5) posture score reflects the Entra permission gap (missing `RoleManagement.Read.Directory` results in score < 100).
**Checkpoint**: US4 complete — posture scores accurately reflect Entra permission gaps.
---
## Phase 6: User Story 3 — Alert on High-Privilege Admin Role Events (Priority: P2)
**Goal**: Connect admin roles findings to the existing alert pipeline so operators receive notifications for new high-privilege assignments. Maps to plan Phase E.
**Independent Test**: Create an alert rule for `entra.admin_roles.high` with min severity = high, run the finding generator with a new Global Admin assignment, and confirm a delivery is queued.
### Implementation for User Story 3
- [X] T029 [US3] Add `entraAdminRolesHighEvents(int $workspaceId, CarbonImmutable $windowStart): array` method to `app/Jobs/Alerts/EvaluateAlertsJob.php` — queries `Finding` where `finding_type='entra_admin_roles'`, `status IN ('new')`, `severity IN ('high', 'critical')`, `updated_at > $windowStart`. Returns event arrays matching existing event schema (`event_type=entra.admin_roles.high`, `fingerprint_key=finding:{id}`). Wire the method into `handle()` event collection alongside existing `highDriftEvents()`, `compareFailedEvents()`, and `permissionMissingEvents()`. Follow same pattern as existing event methods.
- [X] T030 [P] [US3] Add `EVENT_ENTRA_ADMIN_ROLES_HIGH` option to event type dropdown in `app/Filament/Resources/AlertRuleResource.php`: `AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH => 'Entra admin roles (high privilege)'`.
### Tests for User Story 3
- [X] T031 [US3] Write alert integration tests in `tests/Feature/EntraAdminRoles/AdminRolesAlertIntegrationTest.php`: (1) alert rule for EVENT_ENTRA_ADMIN_ROLES_HIGH with min severity = high + new finding of severity = critical → delivery queued, (2) alert rule with min severity = critical + finding of severity = high → no delivery queued, (3) cooldown/dedupe prevents duplicate notifications for same finding across scans (fingerprint_key-based suppression), (4) resolved findings do not produce alert events, (5) new event type appears in AlertRuleResource event type options.
**Checkpoint**: US3 complete — operators receive alerts for high-privilege admin role events via existing alert channels.
---
## Phase 7: User Story 5 — Dashboard Widget (Priority: P3) + User Story 6 — Report Viewer (Priority: P3)
**Goal (US5)**: Provide a tenant dashboard card showing admin roles posture at-a-glance with "Scan now" CTA and "View latest report" link.
**Goal (US6)**: Ensure existing stored reports viewer supports filtering by `entra.admin_roles` report type.
Maps to plan Phase F.
**Independent Test (US5)**: Navigate to a tenant dashboard after a scan; confirm the card shows correct timestamp and high-privilege count.
**Independent Test (US6)**: Navigate to stored reports viewer filtered by `entra.admin_roles`; confirm report displays summary and high-privilege assignments table.
### Implementation for User Story 5
- [X] T032 [P] [US5] Create `admin-roles-summary.blade.php` in `resources/views/filament/widgets/tenant/admin-roles-summary.blade.php` — card template with: summary stats (last scan timestamp, high-privilege count), empty state ("No scan performed"), "Scan now" CTA (gated by `ENTRA_ROLES_MANAGE`), "View latest report" link (gated by `ENTRA_ROLES_VIEW`). Follow existing tenant card widget templates.
- [X] T033 [US5] Create `AdminRolesSummaryWidget` in `app/Filament/Widgets/Tenant/AdminRolesSummaryWidget.php` extending `Widget`. Must: (1) resolve tenant via `Filament::getTenant()`, (2) query latest `StoredReport` where `report_type=entra.admin_roles` and `tenant_id` matches, (3) extract last scan timestamp + high-privilege count from payload, (4) implement `canView()` gated by `ENTRA_ROLES_VIEW` capability via `Gate::check()` (server-side enforcement, not just UI hiding), (5) "Scan now" action dispatches `ScanEntraAdminRolesJob` after checking `ENTRA_ROLES_MANAGE` server-side, (6) render empty state when no report exists. Follow existing tenant dashboard widget patterns.
### Tests for User Story 5
- [X] T034 [US5] Write widget tests in `tests/Feature/EntraAdminRoles/AdminRolesSummaryWidgetTest.php` (Livewire component test): (1) widget renders with report data — shows timestamp and high-privilege count, (2) empty state renders "No scan performed" when no report exists, (3) "Scan now" dispatches `ScanEntraAdminRolesJob` for user with `ENTRA_ROLES_MANAGE`, (4) "Scan now" not visible / returns 403 for user with `ENTRA_ROLES_VIEW` but without `ENTRA_ROLES_MANAGE`, (5) widget hidden (canView returns false) for user without `ENTRA_ROLES_VIEW`, (6) non-member → 404.
### Tests for User Story 6
- [X] T035 [US6] Write report viewer integration test in `tests/Feature/EntraAdminRoles/AdminRolesReportViewerTest.php`: first confirm the existing stored reports viewer can render the `entra.admin_roles` payload as a summary + high-privilege assignments table; then assert: (1) stored reports viewer shows reports with `report_type=entra.admin_roles`, (2) report displays summary totals and high-privilege assignments table from payload, (3) multiple reports ordered by creation date descending.
**Checkpoint**: US5 + US6 complete — tenant dashboard shows admin roles posture card, and stored reports viewer supports the new report type.
---
## Phase 8: Polish & Cross-Cutting Concerns
**Purpose**: Code quality, full test pass, and end-to-end validation.
- [X] T036 Run `vendor/bin/sail bin pint --dirty` to fix formatting across all modified/created files.
- [X] T037 Run full Spec 105 test suite: `vendor/bin/sail artisan test --compact --filter=EntraAdminRoles` and verify all tests pass.
- [X] T038 Run quickstart.md validation: verify all files listed in quickstart.md "New Files Created" and "Modified Files Summary" tables exist and match the implementation.
---
## Dependencies & Execution Order
### Phase Dependencies
```
Phase 2 (Foundation) ─────┬──> Phase 3 (US1 - P1) ──> Phase 4 (US2 - P1) 🎯 MVP
│ │
│ ├──> Phase 5 (US4 - P2)
│ ├──> Phase 6 (US3 - P2)
│ └──> Phase 7 (US5+US6 - P3)
└── BLOCKS all user story work
Phase 5, Phase 6, Phase 7 can proceed in parallel after Phase 4
Phase 8 (Polish) depends on all phases complete
```
- **Foundation (Phase 2)**: No dependencies — start immediately. BLOCKS all user stories.
- **US1 (Phase 3)**: Depends on Phase 2 completion. Report service is prerequisite for finding generator.
- **US2 (Phase 4)**: Depends on Phase 3 (finding generator uses report payload structure; scan job calls report service). **Completing Phase 4 delivers the core MVP.**
- **US4 (Phase 5)**: Depends on Phase 4 (posture score context requires scan to be operational). Can run in parallel with Phase 6 and Phase 7.
- **US3 (Phase 6)**: Depends on Phase 4 (finding generator produces alert events). Can run in parallel with Phase 5 and Phase 7.
- **US5+US6 (Phase 7)**: Depends on Phase 4 (widget displays report data from completed scans). Can run in parallel with Phase 5 and Phase 6.
- **Polish (Phase 8)**: Depends on all user stories being complete.
### User Story Dependencies
- **User Story 1 (P1)**: Can start after Foundation — no dependencies on other stories
- **User Story 2 (P1)**: Depends on US1 (finding generator uses catalog + report payload structure)
- **User Story 4 (P2)**: Independent of other stories after Phase 4 — only requires Foundation config
- **User Story 3 (P2)**: Independent after Phase 4 — only requires finding generator to produce events
- **User Story 5 (P3)**: Independent after Phase 4 — widget queries stored reports
- **User Story 6 (P3)**: Independent after Phase 4 — tests existing viewer with new report type
### Within Each User Story
- Value objects before services
- Services before jobs
- Jobs before schedule registration
- Implementation before tests
- Core logic before integration points
### Parallel Opportunities
**Phase 2 (Foundation)**:
- T002 + T003 (config files, independent)
- T004 + T005 + T006 + T007 (model/enum constants, independent files)
- T008 + T009 (capabilities, can be done together logically but different files)
- T010 + T011 (badge + factory, independent files)
- T013 + T014 + T015 (tests, independent test files)
**Phase 3 (US1)**:
- T016 + T017 (HighPrivilegeRoleCatalog + ReportResult VO, independent files)
- T019 can start after T016 (tests catalog)
**Phase 4 (US2)**:
- T021 can run in parallel with T016/T017 if started early (VO, no dependencies)
**Phases 5 + 6 + 7** (after Phase 4 complete):
- T027 (US4) + T029 (US3) + T032+T033 (US5) — all independent of each other
- T030 (US3 AlertRuleResource change) can run in parallel with T029
---
## Parallel Example: Foundation Phase
```bash
# Batch 1: Migration + Config (parallel)
T001: Create fingerprint migration
T002: Create config/entra_permissions.php
T003: Add Graph contract entries
# Batch 2: Constants + Capabilities + Badge + Factory (parallel, after migration written)
T004: StoredReport constant + fillables
T005: Finding constant
T006: AlertRule constant
T007: OperationRunType enum case
T008: Capabilities constants
T009: RoleCapabilityMap update
T010: FindingTypeBadge mapping
T011: FindingFactory state
# Batch 3: Run migration
T012: vendor/bin/sail artisan migrate
# Batch 4: Foundation tests (parallel)
T013: StoredReport fingerprint test
T014: Badge rendering test
T015: Capabilities registry test
```
---
## Implementation Strategy
### MVP First (User Story 1 + 2)
1. Complete Phase 2: Foundation
2. Complete Phase 3: User Story 1 (catalog + report service)
3. Complete Phase 4: User Story 2 (finding generator + scan job + scheduling)
4. **STOP and VALIDATE**: Run `vendor/bin/sail artisan test --compact --filter=EntraAdminRoles`
5. Full scan pipeline operational: Graph → report → findings → auto-resolve → aggregate
### Incremental Delivery
1. Foundation → ready
2. US1 (P1) → evidence pipeline: reports created from Graph data ✅
3. US2 (P1) → findings + job: full scan pipeline with findings lifecycle ✅ **MVP!**
4. US4 (P2) → posture: Entra permissions in posture scores ✅
5. US3 (P2) → alerts: push notifications for high-privilege events ✅
6. US5+US6 (P3) → UI: dashboard card + report viewer ✅
7. Polish → formatting, full test pass, quickstart validation ✅
Each phase adds value without breaking previous phases.
---
## Notes
- [P] tasks = different files, no dependencies on incomplete tasks
- [Story] label maps task to specific user story for traceability
- Fingerprint for individual findings: `sha256("entra_admin_role:{tenant_id}:{role_template_or_id}:{principal_id}:{scope_id}")`
- Fingerprint for aggregate finding: `sha256("entra_admin_role_ga_count:{tenant_id}")`
- Report fingerprint: SHA-256 of sorted `"{role_template_or_id}:{principal_id}:{scope_id}"` tuples
- Severity: `critical` for Global Administrator, `high` for all other high-privilege roles
- Threshold for "Too many Global Admins": 5 (hardcoded v1, TODO for future settings)
- RBAC boundary: `ENTRA_ROLES_VIEW` gates card + report only; findings use existing `FINDINGS_VIEW`
- All Graph calls go through `GraphClientInterface` via registered contracts
- Scan is non-destructive (read-only) — no `->requiresConfirmation()` needed
- Commit after each task or logical group
- Stop at any checkpoint to validate story independently

184
tests/Feature/EntraAdminRoles/AdminRolesAlertIntegrationTest.php Normal file
View File

@ -0,0 +1,184 @@
<?php
declare(strict_types=1);
use App\Filament\Resources\AlertRuleResource;
use App\Models\AlertDelivery;
use App\Models\AlertDestination;
use App\Models\AlertRule;
use App\Models\Finding;
use App\Services\Alerts\AlertDispatchService;
use App\Support\Workspaces\WorkspaceContext;
use Carbon\CarbonImmutable;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
function createEntraAlertRuleWithDestination(int $workspaceId, string $minSeverity, int $cooldownSeconds = 0): array
{
$destination = AlertDestination::factory()->create([
'workspace_id' => $workspaceId,
'is_enabled' => true,
]);
$rule = AlertRule::factory()->create([
'workspace_id' => $workspaceId,
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
'minimum_severity' => $minSeverity,
'is_enabled' => true,
'cooldown_seconds' => $cooldownSeconds,
]);
$rule->destinations()->attach($destination->getKey(), [
'workspace_id' => $workspaceId,
]);
return [$rule, $destination];
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
it('queues delivery when entra admin role finding matches alert rule severity', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
[$rule, $destination] = createEntraAlertRuleWithDestination($workspaceId, 'high');
$finding = Finding::factory()->entraAdminRoles()->create([
'workspace_id' => $workspaceId,
'tenant_id' => $tenant->getKey(),
'severity' => Finding::SEVERITY_CRITICAL,
'status' => Finding::STATUS_NEW,
]);
$event = [
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
'tenant_id' => (int) $tenant->getKey(),
'severity' => Finding::SEVERITY_CRITICAL,
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
'title' => 'High-privilege Entra admin role detected',
'body' => 'Role "Global Administrator" assigned to Alice Admin (severity: critical).',
'metadata' => ['finding_id' => (int) $finding->getKey()],
];
$dispatchService = app(AlertDispatchService::class);
$workspace = \App\Models\Workspace::query()->find($workspaceId);
$created = $dispatchService->dispatchEvent($workspace, $event);
expect($created)->toBe(1);
$delivery = AlertDelivery::query()
->where('workspace_id', $workspaceId)
->where('event_type', AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
->first();
expect($delivery)->not->toBeNull()
->and($delivery->status)->toBe(AlertDelivery::STATUS_QUEUED)
->and($delivery->severity)->toBe(Finding::SEVERITY_CRITICAL);
});
it('does not queue delivery when finding severity is below minimum', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
[$rule, $destination] = createEntraAlertRuleWithDestination($workspaceId, 'critical');
$event = [
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
'tenant_id' => (int) $tenant->getKey(),
'severity' => Finding::SEVERITY_HIGH,
'fingerprint_key' => 'finding:999',
'title' => 'High-privilege Entra admin role detected',
'body' => 'Role "Privileged Role Administrator" assigned to Bob (severity: high).',
'metadata' => [],
];
$dispatchService = app(AlertDispatchService::class);
$workspace = \App\Models\Workspace::query()->find($workspaceId);
$created = $dispatchService->dispatchEvent($workspace, $event);
expect($created)->toBe(0);
});
it('suppresses duplicate delivery via fingerprint cooldown', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
[$rule, $destination] = createEntraAlertRuleWithDestination($workspaceId, 'high', cooldownSeconds: 3600);
$finding = Finding::factory()->entraAdminRoles()->create([
'workspace_id' => $workspaceId,
'tenant_id' => $tenant->getKey(),
'severity' => Finding::SEVERITY_CRITICAL,
'status' => Finding::STATUS_NEW,
]);
$event = [
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
'tenant_id' => (int) $tenant->getKey(),
'severity' => Finding::SEVERITY_CRITICAL,
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
'title' => 'High-privilege Entra admin role detected',
'body' => 'Role "Global Administrator" assigned to Alice Admin.',
'metadata' => ['finding_id' => (int) $finding->getKey()],
];
$dispatchService = app(AlertDispatchService::class);
$workspace = \App\Models\Workspace::query()->find($workspaceId);
// First dispatch — should create a QUEUED delivery
$firstCreated = $dispatchService->dispatchEvent($workspace, $event);
expect($firstCreated)->toBe(1);
// Second dispatch — same fingerprint within cooldown → SUPPRESSED
$secondCreated = $dispatchService->dispatchEvent($workspace, $event);
expect($secondCreated)->toBe(1);
$deliveries = AlertDelivery::query()
->where('workspace_id', $workspaceId)
->where('event_type', AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
->orderBy('id')
->get();
expect($deliveries)->toHaveCount(2)
->and($deliveries[0]->status)->toBe(AlertDelivery::STATUS_QUEUED)
->and($deliveries[1]->status)->toBe(AlertDelivery::STATUS_SUPPRESSED);
});
it('resolved findings are excluded from entraAdminRolesHighEvents', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
// Create a resolved finding — should not appear in events
Finding::factory()->entraAdminRoles()->resolved()->create([
'workspace_id' => $workspaceId,
'tenant_id' => $tenant->getKey(),
'severity' => Finding::SEVERITY_CRITICAL,
]);
$job = new \App\Jobs\Alerts\EvaluateAlertsJob($workspaceId);
$reflection = new ReflectionMethod($job, 'entraAdminRolesHighEvents');
$events = $reflection->invoke(
$job,
$workspaceId,
CarbonImmutable::now('UTC')->subHours(1),
);
expect($events)->toBe([]);
});
it('new event type appears in AlertRuleResource event type options', function (): void {
$options = AlertRuleResource::eventTypeOptions();
expect($options)->toHaveKey(AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
->and($options[AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH])->toBe('Entra admin roles (high privilege)');
});

140
tests/Feature/EntraAdminRoles/AdminRolesReportViewerTest.php Normal file
View File

@ -0,0 +1,140 @@
<?php
declare(strict_types=1);
use App\Models\StoredReport;
use App\Models\Tenant;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
function createEntraReport(Tenant $tenant, array $summaryOverrides = [], ?string $fingerprint = null): StoredReport
{
$totals = array_merge([
'roles_total' => 8,
'assignments_total' => 12,
'high_privilege_assignments' => 5,
], $summaryOverrides);
return StoredReport::query()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
'fingerprint' => $fingerprint ?? hash('sha256', (string) now()->timestamp.random_int(0, 99999)),
'payload' => [
'provider_key' => 'microsoft',
'domain' => 'entra.admin_roles',
'measured_at' => now()->toIso8601String(),
'role_definitions' => [],
'role_assignments' => [],
'totals' => $totals,
'high_privilege' => [
[
'role_display_name' => 'Global Administrator',
'role_template_id' => '62e90394-69f5-4237-9190-012177145e10',
'principal_id' => 'user-ga-1',
'principal_display_name' => 'Admin User',
'assignment_scope' => '/',
'severity' => 'critical',
],
],
],
]);
}
// ---------------------------------------------------------------------------
// StoredReport query by report type
// ---------------------------------------------------------------------------
it('returns stored reports with report_type entra.admin_roles', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$report = createEntraReport($tenant);
// Also create a report of a different type to ensure filtering works
StoredReport::query()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'report_type' => 'permission_posture',
'fingerprint' => hash('sha256', 'other-report'),
'payload' => ['summary' => ['score' => 85]],
]);
$results = StoredReport::query()
->where('tenant_id', (int) $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->get();
expect($results)
->toHaveCount(1)
->and((int) $results->first()->getKey())->toBe((int) $report->getKey());
});
// ---------------------------------------------------------------------------
// Report payload contains summary and high-privilege assignments table
// ---------------------------------------------------------------------------
it('report payload contains summary totals and high-privilege assignments', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$report = createEntraReport($tenant, [
'roles_total' => 10,
'assignments_total' => 20,
'high_privilege_assignments' => 8,
]);
$report->refresh();
$payload = $report->payload;
expect($payload)
->toBeArray()
->toHaveKey('totals')
->toHaveKey('high_privilege');
$totals = $payload['totals'];
expect($totals)
->toHaveKey('roles_total', 10)
->toHaveKey('assignments_total', 20)
->toHaveKey('high_privilege_assignments', 8);
$assignments = $payload['high_privilege'];
expect($assignments)
->toBeArray()
->toHaveCount(1);
expect($assignments[0])
->toHaveKey('role_display_name', 'Global Administrator')
->toHaveKey('severity', 'critical')
->toHaveKey('principal_display_name', 'Admin User');
});
// ---------------------------------------------------------------------------
// Multiple reports ordered by creation date descending
// ---------------------------------------------------------------------------
it('orders multiple reports by creation date descending', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$older = createEntraReport($tenant, ['high_privilege_assignments' => 3], 'fp-older');
$older->forceFill(['created_at' => now()->subHours(2)])->save();
$newer = createEntraReport($tenant, ['high_privilege_assignments' => 7], 'fp-newer');
$newer->forceFill(['created_at' => now()->subHour()])->save();
$latest = createEntraReport($tenant, ['high_privilege_assignments' => 1], 'fp-latest');
$results = StoredReport::query()
->where('tenant_id', (int) $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->orderByDesc('created_at')
->get();
expect($results)->toHaveCount(3);
expect((int) $results[0]->getKey())->toBe((int) $latest->getKey());
expect((int) $results[1]->getKey())->toBe((int) $newer->getKey());
expect((int) $results[2]->getKey())->toBe((int) $older->getKey());
});

197
tests/Feature/EntraAdminRoles/AdminRolesSummaryWidgetTest.php Normal file
View File

@ -0,0 +1,197 @@
<?php
declare(strict_types=1);
use App\Filament\Widgets\Tenant\AdminRolesSummaryWidget;
use App\Jobs\ScanEntraAdminRolesJob;
use App\Models\StoredReport;
use App\Models\Tenant;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;
uses(RefreshDatabase::class);
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
function createAdminRolesReport(Tenant $tenant, ?array $summaryOverrides = null): StoredReport
{
$totals = array_merge([
'roles_total' => 8,
'assignments_total' => 12,
'high_privilege_assignments' => 5,
], $summaryOverrides ?? []);
return StoredReport::query()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
'fingerprint' => hash('sha256', (string) now()->timestamp),
'payload' => [
'provider_key' => 'microsoft',
'domain' => 'entra.admin_roles',
'measured_at' => now()->toIso8601String(),
'role_definitions' => [],
'role_assignments' => [],
'totals' => $totals,
'high_privilege' => [
[
'role_display_name' => 'Global Administrator',
'role_template_id' => '62e90394-69f5-4237-9190-012177145e10',
'principal_id' => 'user-1',
'principal_display_name' => 'Admin User',
'assignment_scope' => '/',
'severity' => 'critical',
],
],
],
]);
}
// ---------------------------------------------------------------------------
// Widget renders with report data
// ---------------------------------------------------------------------------
it('renders with report data showing timestamp and high-privilege count', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
Filament::setTenant($tenant, true);
createAdminRolesReport($tenant, [
'high_privilege_assignments' => 7,
]);
Livewire::actingAs($user)
->test(AdminRolesSummaryWidget::class, ['record' => $tenant])
->assertSee('Entra admin roles')
->assertSee('High-privilege assignments')
->assertSee('7')
->assertSee('Last scan')
->assertSuccessful();
});
// ---------------------------------------------------------------------------
// Empty state
// ---------------------------------------------------------------------------
it('renders empty state when no report exists', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(AdminRolesSummaryWidget::class, ['record' => $tenant])
->assertSee('No scan performed yet.')
->assertDontSee('Last scan')
->assertSuccessful();
});
// ---------------------------------------------------------------------------
// Scan now — dispatches job
// ---------------------------------------------------------------------------
it('dispatches ScanEntraAdminRolesJob when user has ENTRA_ROLES_MANAGE', function (): void {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(AdminRolesSummaryWidget::class, ['record' => $tenant])
->call('scanNow')
->assertSuccessful();
Queue::assertPushed(ScanEntraAdminRolesJob::class, function (ScanEntraAdminRolesJob $job) use ($tenant, $user): bool {
return $job->tenantId === (int) $tenant->getKey()
&& $job->workspaceId === (int) $tenant->workspace_id
&& $job->initiatorUserId === (int) $user->getKey();
});
});
// ---------------------------------------------------------------------------
// Scan now — RBAC enforcement (readonly cannot scan)
// ---------------------------------------------------------------------------
it('returns 403 when readonly user tries to scan', function (): void {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'readonly');
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(AdminRolesSummaryWidget::class, ['record' => $tenant])
->call('scanNow')
->assertForbidden();
Queue::assertNotPushed(ScanEntraAdminRolesJob::class);
});
// ---------------------------------------------------------------------------
// Non-member user sees empty state (no tenant data exposed)
// ---------------------------------------------------------------------------
it('renders empty state for non-member user', function (): void {
$user = \App\Models\User::factory()->create();
$tenant = Tenant::factory()->create();
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(AdminRolesSummaryWidget::class, ['record' => $tenant])
->assertSee('No scan performed yet.')
->assertDontSee('Scan now')
->assertSuccessful();
});
// ---------------------------------------------------------------------------
// Widget shows scan button only for users with manage capability
// ---------------------------------------------------------------------------
it('does not show scan button for readonly users', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(AdminRolesSummaryWidget::class, ['record' => $tenant])
->assertDontSee('Scan now')
->assertSuccessful();
});
it('shows scan button for owner users', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(AdminRolesSummaryWidget::class, ['record' => $tenant])
->assertSee('Scan now')
->assertSuccessful();
});
// ---------------------------------------------------------------------------
// Notification on successful scan dispatch
// ---------------------------------------------------------------------------
it('sends success notification after scan dispatch', function (): void {
Queue::fake();
[$user, $tenant] = createUserWithTenant(role: 'owner');
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(AdminRolesSummaryWidget::class, ['record' => $tenant])
->call('scanNow')
->assertSuccessful();
$notifications = collect(session('filament.notifications', []));
$titles = $notifications->pluck('title')->filter()->values()->all();
expect($titles)->toContain('Entra admin roles scan queued');
});

489
tests/Feature/EntraAdminRoles/EntraAdminRolesFindingGeneratorTest.php Normal file
View File

@ -0,0 +1,489 @@
<?php
declare(strict_types=1);
use App\Models\AlertRule;
use App\Models\Finding;
use App\Services\EntraAdminRoles\EntraAdminRolesFindingGenerator;
use App\Services\EntraAdminRoles\HighPrivilegeRoleCatalog;
use Carbon\CarbonImmutable;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
function gaRoleDef(): array
{
return [
'id' => 'def-ga',
'displayName' => 'Global Administrator',
'templateId' => '62e90394-69f5-4237-9190-012177145e10',
'isBuiltIn' => true,
];
}
function secAdminRoleDef(): array
{
return [
'id' => 'def-secadmin',
'displayName' => 'Security Administrator',
'templateId' => '194ae4cb-b126-40b2-bd5b-6091b380977d',
'isBuiltIn' => true,
];
}
function readerRoleDef(): array
{
return [
'id' => 'def-reader',
'displayName' => 'Directory Readers',
'templateId' => '88d8e3e3-8f55-4a1e-953a-9b9898b87601',
'isBuiltIn' => true,
];
}
function makeAssignment(string $id, string $roleDefId, string $principalId, string $odataType = '#microsoft.graph.user', string $displayName = 'User', string $scopeId = '/'): array
{
return [
'id' => $id,
'roleDefinitionId' => $roleDefId,
'principalId' => $principalId,
'directoryScopeId' => $scopeId,
'principal' => [
'@odata.type' => $odataType,
'displayName' => $displayName,
],
];
}
function buildPayload(array $roleDefinitions, array $roleAssignments, ?string $measuredAt = null): array
{
return [
'provider_key' => 'microsoft',
'domain' => 'entra.admin_roles',
'measured_at' => $measuredAt ?? CarbonImmutable::now('UTC')->toIso8601String(),
'role_definitions' => $roleDefinitions,
'role_assignments' => $roleAssignments,
'totals' => [
'roles_total' => count($roleDefinitions),
'assignments_total' => count($roleAssignments),
'high_privilege_assignments' => 0,
],
'high_privilege' => [],
];
}
function makeGenerator(): EntraAdminRolesFindingGenerator
{
return new EntraAdminRolesFindingGenerator(new HighPrivilegeRoleCatalog);
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
it('creates findings for high-privilege assignments with correct attributes', function (): void {
[$user, $tenant] = createUserWithTenant();
$payload = buildPayload(
[gaRoleDef(), secAdminRoleDef()],
[
makeAssignment('a1', 'def-ga', 'user-1', '#microsoft.graph.user', 'Alice Admin'),
makeAssignment('a2', 'def-secadmin', 'user-2', '#microsoft.graph.user', 'Bob SecAdmin'),
],
);
$result = makeGenerator()->generate($tenant, $payload);
expect($result->created)->toBe(2)
->and($result->resolved)->toBe(0)
->and($result->reopened)->toBe(0)
->and($result->unchanged)->toBe(0);
$findings = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->get();
expect($findings)->toHaveCount(2);
$gaFinding = $findings->firstWhere('severity', Finding::SEVERITY_CRITICAL);
expect($gaFinding)->not->toBeNull()
->and($gaFinding->source)->toBe('entra.admin_roles')
->and($gaFinding->subject_type)->toBe('role_assignment')
->and($gaFinding->subject_external_id)->toBe('user-1:def-ga')
->and($gaFinding->status)->toBe(Finding::STATUS_NEW);
$secFinding = $findings->firstWhere('severity', Finding::SEVERITY_HIGH);
expect($secFinding)->not->toBeNull()
->and($secFinding->subject_external_id)->toBe('user-2:def-secadmin');
});
it('maps severity: GA is critical, others are high', function (): void {
[$user, $tenant] = createUserWithTenant();
$payload = buildPayload(
[gaRoleDef(), secAdminRoleDef()],
[
makeAssignment('a1', 'def-ga', 'user-1'),
makeAssignment('a2', 'def-secadmin', 'user-2'),
],
);
makeGenerator()->generate($tenant, $payload);
$findings = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->orderBy('severity')
->get();
$severities = $findings->pluck('severity')->toArray();
expect($severities)->toContain(Finding::SEVERITY_CRITICAL)
->and($severities)->toContain(Finding::SEVERITY_HIGH);
});
it('is idempotent — same data produces no duplicates', function (): void {
[$user, $tenant] = createUserWithTenant();
$payload = buildPayload(
[gaRoleDef()],
[makeAssignment('a1', 'def-ga', 'user-1')],
);
$generator = makeGenerator();
$first = $generator->generate($tenant, $payload);
$second = $generator->generate($tenant, $payload);
expect($first->created)->toBe(1)
->and($second->created)->toBe(0)
->and($second->unchanged)->toBe(1);
$count = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($count)->toBe(1);
});
it('auto-resolves when assignment is removed', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = makeGenerator();
// First scan: user-1 has GA
$payload1 = buildPayload(
[gaRoleDef()],
[makeAssignment('a1', 'def-ga', 'user-1')],
);
$generator->generate($tenant, $payload1);
// Second scan: user-1 GA removed
$payload2 = buildPayload([gaRoleDef()], []);
$result2 = $generator->generate($tenant, $payload2);
expect($result2->resolved)->toBeGreaterThanOrEqual(1);
$finding = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->where('subject_external_id', 'user-1:def-ga')
->first();
expect($finding->status)->toBe(Finding::STATUS_RESOLVED)
->and($finding->resolved_reason)->toBe('role_assignment_removed');
});
it('re-opens resolved finding when role is re-assigned', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = makeGenerator();
// Scan 1: create
$payload1 = buildPayload(
[gaRoleDef()],
[makeAssignment('a1', 'def-ga', 'user-1', '#microsoft.graph.user', 'Alice')],
);
$generator->generate($tenant, $payload1);
// Scan 2: remove → auto-resolve
$payload2 = buildPayload([gaRoleDef()], []);
$generator->generate($tenant, $payload2);
// Scan 3: re-assign → re-open
$payload3 = buildPayload(
[gaRoleDef()],
[makeAssignment('a1', 'def-ga', 'user-1', '#microsoft.graph.user', 'Alice Reactivated')],
);
$result3 = $generator->generate($tenant, $payload3);
expect($result3->reopened)->toBe(1);
$finding = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->where('subject_external_id', 'user-1:def-ga')
->first();
expect($finding->status)->toBe(Finding::STATUS_NEW)
->and($finding->resolved_at)->toBeNull()
->and($finding->resolved_reason)->toBeNull()
->and($finding->evidence_jsonb['principal_display_name'])->toBe('Alice Reactivated');
});
it('creates aggregate finding when GA count exceeds threshold', function (): void {
[$user, $tenant] = createUserWithTenant();
$assignments = [];
for ($i = 1; $i <= 6; $i++) {
$assignments[] = makeAssignment("a{$i}", 'def-ga', "user-{$i}", '#microsoft.graph.user', "GA User {$i}");
}
$payload = buildPayload([gaRoleDef()], $assignments);
$result = makeGenerator()->generate($tenant, $payload);
// 6 individual + 1 aggregate = 7 findings
$findings = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->get();
expect($findings)->toHaveCount(7);
$aggregate = $findings->firstWhere('subject_external_id', 'ga_aggregate');
expect($aggregate)->not->toBeNull()
->and($aggregate->severity)->toBe(Finding::SEVERITY_HIGH)
->and($aggregate->evidence_jsonb['count'])->toBe(6)
->and($aggregate->evidence_jsonb['threshold'])->toBe(5)
->and($aggregate->evidence_jsonb['principals'])->toHaveCount(6);
});
it('auto-resolves aggregate finding when GA count drops within threshold', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = makeGenerator();
// Scan 1: 6 GAs → aggregate created
$assignments = [];
for ($i = 1; $i <= 6; $i++) {
$assignments[] = makeAssignment("a{$i}", 'def-ga', "user-{$i}");
}
$generator->generate($tenant, buildPayload([gaRoleDef()], $assignments));
// Scan 2: 5 GAs → aggregate auto-resolved
$smallerAssignments = array_slice($assignments, 0, 5);
$result2 = $generator->generate($tenant, buildPayload([gaRoleDef()], $smallerAssignments));
expect($result2->resolved)->toBeGreaterThanOrEqual(1);
$aggregate = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('subject_external_id', 'ga_aggregate')
->first();
expect($aggregate->status)->toBe(Finding::STATUS_RESOLVED)
->and($aggregate->resolved_reason)->toBe('ga_count_within_threshold');
});
it('produces alert events for new and re-opened findings with severity >= high', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = makeGenerator();
$payload = buildPayload(
[gaRoleDef()],
[makeAssignment('a1', 'def-ga', 'user-1')],
);
$generator->generate($tenant, $payload);
$events = $generator->getAlertEvents();
expect($events)->not->toBeEmpty();
$event = $events[0];
expect($event['event_type'])->toBe(AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
->and($event['tenant_id'])->toBe((int) $tenant->getKey());
});
it('produces no alert events for unchanged or resolved findings', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = makeGenerator();
$payload = buildPayload(
[gaRoleDef()],
[makeAssignment('a1', 'def-ga', 'user-1')],
);
// Scan 1: alert events produced for new finding
$generator->generate($tenant, $payload);
// Scan 2: unchanged — no new alert events
$generator2 = makeGenerator();
$generator2->generate($tenant, $payload);
$events = $generator2->getAlertEvents();
expect($events)->toBeEmpty();
});
it('evidence contains all required fields', function (): void {
[$user, $tenant] = createUserWithTenant();
$payload = buildPayload(
[gaRoleDef()],
[makeAssignment('a1', 'def-ga', 'user-1', '#microsoft.graph.user', 'Alice Admin')],
);
makeGenerator()->generate($tenant, $payload);
$finding = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->where('subject_external_id', 'user-1:def-ga')
->first();
$evidence = $finding->evidence_jsonb;
expect($evidence)->toHaveKeys([
'role_display_name',
'principal_display_name',
'principal_type',
'principal_id',
'role_definition_id',
'role_template_id',
'directory_scope_id',
'is_built_in',
'measured_at',
])
->and($evidence['role_display_name'])->toBe('Global Administrator')
->and($evidence['principal_display_name'])->toBe('Alice Admin')
->and($evidence['principal_type'])->toBe('user')
->and($evidence['principal_id'])->toBe('user-1')
->and($evidence['role_definition_id'])->toBe('def-ga')
->and($evidence['is_built_in'])->toBeTrue();
});
it('handles all principal types correctly', function (): void {
[$user, $tenant] = createUserWithTenant();
$payload = buildPayload(
[gaRoleDef()],
[
makeAssignment('a1', 'def-ga', 'p-user', '#microsoft.graph.user', 'User'),
makeAssignment('a2', 'def-ga', 'p-group', '#microsoft.graph.group', 'Group'),
makeAssignment('a3', 'def-ga', 'p-sp', '#microsoft.graph.servicePrincipal', 'SP'),
],
);
makeGenerator()->generate($tenant, $payload);
$findings = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->get();
$types = $findings->pluck('evidence_jsonb.principal_type')->sort()->values()->toArray();
expect($types)->toContain('user')
->toContain('group')
->toContain('servicePrincipal');
});
it('subject_type and subject_external_id set on every finding', function (): void {
[$user, $tenant] = createUserWithTenant();
$payload = buildPayload(
[gaRoleDef()],
[makeAssignment('a1', 'def-ga', 'user-1')],
);
makeGenerator()->generate($tenant, $payload);
$finding = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->first();
expect($finding->subject_type)->toBe('role_assignment')
->and($finding->subject_external_id)->toBe('user-1:def-ga');
});
it('auto-resolve applies to acknowledged findings too', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = makeGenerator();
// Scan 1: create
$payload = buildPayload(
[gaRoleDef()],
[makeAssignment('a1', 'def-ga', 'user-1')],
);
$generator->generate($tenant, $payload);
// Acknowledge the finding
$finding = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('subject_external_id', 'user-1:def-ga')
->first();
$finding->acknowledge($user);
expect($finding->fresh()->status)->toBe(Finding::STATUS_ACKNOWLEDGED);
// Scan 2: remove → should auto-resolve even though acknowledged
$payload2 = buildPayload([gaRoleDef()], []);
$result = $generator->generate($tenant, $payload2);
expect($result->resolved)->toBeGreaterThanOrEqual(1);
$resolved = $finding->fresh();
expect($resolved->status)->toBe(Finding::STATUS_RESOLVED)
->and($resolved->resolved_reason)->toBe('role_assignment_removed');
});
it('scoped assignments do not downgrade severity', function (): void {
[$user, $tenant] = createUserWithTenant();
$payload = buildPayload(
[gaRoleDef()],
[makeAssignment('a1', 'def-ga', 'user-1', '#microsoft.graph.user', 'Alice', '/administrativeUnits/au-123')],
);
makeGenerator()->generate($tenant, $payload);
$finding = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->first();
expect($finding->severity)->toBe(Finding::SEVERITY_CRITICAL)
->and($finding->evidence_jsonb['directory_scope_id'])->toBe('/administrativeUnits/au-123');
});
it('does not create findings for non-high-privilege roles', function (): void {
[$user, $tenant] = createUserWithTenant();
$payload = buildPayload(
[readerRoleDef()],
[makeAssignment('a1', 'def-reader', 'user-1')],
);
$result = makeGenerator()->generate($tenant, $payload);
expect($result->created)->toBe(0);
$count = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($count)->toBe(0);
});

350
tests/Feature/EntraAdminRoles/EntraAdminRolesReportServiceTest.php Normal file
View File

@ -0,0 +1,350 @@
<?php
declare(strict_types=1);
use App\Models\StoredReport;
use App\Services\EntraAdminRoles\EntraAdminRolesReportService;
use App\Services\EntraAdminRoles\HighPrivilegeRoleCatalog;
use App\Services\Graph\GraphClientInterface;
use App\Services\Graph\GraphResponse;
use App\Services\Providers\MicrosoftGraphOptionsResolver;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
function sampleRoleDefinitions(): array
{
return [
[
'id' => 'def-ga-001',
'displayName' => 'Global Administrator',
'templateId' => '62e90394-69f5-4237-9190-012177145e10',
'isBuiltIn' => true,
],
[
'id' => 'def-ua-002',
'displayName' => 'User Administrator',
'templateId' => 'fe930be7-5e62-47db-91af-98c3a49a38b1',
'isBuiltIn' => true,
],
[
'id' => 'def-reader-003',
'displayName' => 'Directory Readers',
'templateId' => '88d8e3e3-8f55-4a1e-953a-9b9898b87601',
'isBuiltIn' => true,
],
];
}
function sampleRoleAssignments(): array
{
return [
[
'id' => 'assign-1',
'roleDefinitionId' => 'def-ga-001',
'principalId' => 'user-aaa',
'directoryScopeId' => '/',
'principal' => [
'@odata.type' => '#microsoft.graph.user',
'displayName' => 'Alice Admin',
],
],
[
'id' => 'assign-2',
'roleDefinitionId' => 'def-ua-002',
'principalId' => 'user-bbb',
'directoryScopeId' => '/',
'principal' => [
'@odata.type' => '#microsoft.graph.user',
'displayName' => 'Bob Useradmin',
],
],
[
'id' => 'assign-3',
'roleDefinitionId' => 'def-reader-003',
'principalId' => 'group-ccc',
'directoryScopeId' => '/',
'principal' => [
'@odata.type' => '#microsoft.graph.group',
'displayName' => 'Readers Group',
],
],
];
}
/**
* Build a mock GraphClientInterface that returns specific data for entra types.
*/
function buildGraphMock(
array $roleDefinitions,
array $roleAssignments,
bool $failDefinitions = false,
bool $failAssignments = false,
): GraphClientInterface {
return new class($roleDefinitions, $roleAssignments, $failDefinitions, $failAssignments) implements GraphClientInterface
{
public function __construct(
private readonly array $roleDefinitions,
private readonly array $roleAssignments,
private readonly bool $failDefinitions,
private readonly bool $failAssignments,
) {}
public function listPolicies(string $policyType, array $options = []): GraphResponse
{
return match ($policyType) {
'entraRoleDefinitions' => new GraphResponse(
success: ! $this->failDefinitions,
data: $this->failDefinitions ? [] : $this->roleDefinitions,
status: $this->failDefinitions ? 403 : 200,
errors: $this->failDefinitions ? ['Forbidden'] : [],
),
'entraRoleAssignments' => new GraphResponse(
success: ! $this->failAssignments,
data: $this->failAssignments ? [] : $this->roleAssignments,
status: $this->failAssignments ? 403 : 200,
errors: $this->failAssignments ? ['Forbidden'] : [],
),
default => new GraphResponse(success: false, status: 404, errors: ['Unknown type']),
};
}
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function getOrganization(array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function getServicePrincipalPermissions(array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function request(string $method, string $path, array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
};
}
function buildReportService(GraphClientInterface $graphMock): EntraAdminRolesReportService
{
return new EntraAdminRolesReportService(
graphClient: $graphMock,
catalog: new HighPrivilegeRoleCatalog,
graphOptionsResolver: app(MicrosoftGraphOptionsResolver::class),
);
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
it('creates a new report with correct attributes', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$service = buildReportService(buildGraphMock(sampleRoleDefinitions(), sampleRoleAssignments()));
$result = $service->generate($tenant);
expect($result->created)->toBeTrue()
->and($result->storedReportId)->toBeInt()
->and($result->fingerprint)->toBeString()->toHaveLength(64)
->and($result->payload)->toBeArray();
$report = StoredReport::find($result->storedReportId);
expect($report)->not->toBeNull()
->and($report->report_type)->toBe(StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->and($report->tenant_id)->toBe((int) $tenant->getKey())
->and($report->fingerprint)->toBe($result->fingerprint)
->and($report->previous_fingerprint)->toBeNull();
});
it('deduplicates when fingerprint matches latest report', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$service = buildReportService(buildGraphMock(sampleRoleDefinitions(), sampleRoleAssignments()));
$first = $service->generate($tenant);
expect($first->created)->toBeTrue();
$second = $service->generate($tenant);
expect($second->created)->toBeFalse()
->and($second->storedReportId)->toBe($first->storedReportId)
->and($second->fingerprint)->toBe($first->fingerprint);
$count = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($count)->toBe(1);
});
it('chains previous_fingerprint when data changes', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$originalAssignments = sampleRoleAssignments();
$service1 = buildReportService(buildGraphMock(sampleRoleDefinitions(), $originalAssignments));
$first = $service1->generate($tenant);
// Add a new assignment to produce a different fingerprint
$changedAssignments = array_merge($originalAssignments, [[
'id' => 'assign-new',
'roleDefinitionId' => 'def-ga-001',
'principalId' => 'user-zzz',
'directoryScopeId' => '/',
'principal' => [
'@odata.type' => '#microsoft.graph.user',
'displayName' => 'Zach New',
],
]]);
$service2 = buildReportService(buildGraphMock(sampleRoleDefinitions(), $changedAssignments));
$second = $service2->generate($tenant);
expect($second->created)->toBeTrue()
->and($second->fingerprint)->not->toBe($first->fingerprint)
->and(StoredReport::find($second->storedReportId)->previous_fingerprint)->toBe($first->fingerprint);
});
it('throws when role definitions fetch fails', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$service = buildReportService(buildGraphMock([], [], failDefinitions: true));
$service->generate($tenant);
})->throws(RuntimeException::class, 'Failed to fetch Entra role definitions');
it('throws when role assignments fetch fails', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$service = buildReportService(buildGraphMock(sampleRoleDefinitions(), [], failAssignments: true));
$service->generate($tenant);
})->throws(RuntimeException::class, 'Failed to fetch Entra role assignments');
it('produces expected payload structure', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$service = buildReportService(buildGraphMock(sampleRoleDefinitions(), sampleRoleAssignments()));
$result = $service->generate($tenant);
$payload = $result->payload;
expect($payload)
->toHaveKeys(['provider_key', 'domain', 'measured_at', 'role_definitions', 'role_assignments', 'totals', 'high_privilege'])
->and($payload['provider_key'])->toBe('microsoft')
->and($payload['domain'])->toBe('entra.admin_roles')
->and($payload['role_definitions'])->toHaveCount(3)
->and($payload['role_assignments'])->toHaveCount(3)
->and($payload['totals']['roles_total'])->toBe(3)
->and($payload['totals']['assignments_total'])->toBe(3)
// Only GA is in the high-privilege catalog
->and($payload['totals']['high_privilege_assignments'])->toBe(1)
->and($payload['high_privilege'])->toHaveCount(1);
// Verify first high-privilege entry shape
$ga = collect($payload['high_privilege'])->firstWhere('role_template_id', '62e90394-69f5-4237-9190-012177145e10');
expect($ga)->not->toBeNull()
->and($ga['role_display_name'])->toBe('Global Administrator')
->and($ga['principal_id'])->toBe('user-aaa')
->and($ga['principal_type'])->toBe('user')
->and($ga['severity'])->toBe('critical');
});
it('computes deterministic fingerprint regardless of assignment order', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$assignments = sampleRoleAssignments();
$reversedAssignments = array_reverse($assignments);
$service1 = buildReportService(buildGraphMock(sampleRoleDefinitions(), $assignments));
$result1 = $service1->generate($tenant);
// Delete the report to allow re-creation
StoredReport::query()->where('id', $result1->storedReportId)->delete();
$service2 = buildReportService(buildGraphMock(sampleRoleDefinitions(), $reversedAssignments));
$result2 = $service2->generate($tenant);
expect($result2->fingerprint)->toBe($result1->fingerprint);
});
it('handles zero assignments gracefully', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$service = buildReportService(buildGraphMock(sampleRoleDefinitions(), []));
$result = $service->generate($tenant);
expect($result->created)->toBeTrue()
->and($result->payload['totals']['assignments_total'])->toBe(0)
->and($result->payload['totals']['high_privilege_assignments'])->toBe(0)
->and($result->payload['high_privilege'])->toBeEmpty();
});
it('resolves principal types correctly', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$assignments = [
[
'id' => 'a1',
'roleDefinitionId' => 'def-ga-001',
'principalId' => 'p-user',
'directoryScopeId' => '/',
'principal' => ['@odata.type' => '#microsoft.graph.user', 'displayName' => 'User'],
],
[
'id' => 'a2',
'roleDefinitionId' => 'def-ga-001',
'principalId' => 'p-group',
'directoryScopeId' => '/',
'principal' => ['@odata.type' => '#microsoft.graph.group', 'displayName' => 'Group'],
],
[
'id' => 'a3',
'roleDefinitionId' => 'def-ga-001',
'principalId' => 'p-sp',
'directoryScopeId' => '/',
'principal' => ['@odata.type' => '#microsoft.graph.servicePrincipal', 'displayName' => 'SP'],
],
[
'id' => 'a4',
'roleDefinitionId' => 'def-ga-001',
'principalId' => 'p-unknown',
'directoryScopeId' => '/',
'principal' => ['displayName' => 'NoType'],
],
];
$service = buildReportService(buildGraphMock(sampleRoleDefinitions(), $assignments));
$result = $service->generate($tenant);
$types = collect($result->payload['high_privilege'])->pluck('principal_type')->toArray();
expect($types)->toBe(['user', 'group', 'servicePrincipal', 'unknown']);
});

95
tests/Feature/EntraAdminRoles/EntraPermissionsRegistryTest.php Normal file
View File

@ -0,0 +1,95 @@
<?php
declare(strict_types=1);
use App\Services\Auth\RoleCapabilityMap;
use App\Services\Intune\TenantPermissionService;
use App\Support\Auth\Capabilities;
use App\Support\TenantRole;
it('has ENTRA_ROLES_VIEW and ENTRA_ROLES_MANAGE capability constants', function (): void {
expect(Capabilities::ENTRA_ROLES_VIEW)->toBe('entra_roles.view')
->and(Capabilities::ENTRA_ROLES_MANAGE)->toBe('entra_roles.manage');
});
it('includes ENTRA_ROLES_VIEW in all() capability registry', function (): void {
$all = Capabilities::all();
expect($all)->toContain(Capabilities::ENTRA_ROLES_VIEW)
->and($all)->toContain(Capabilities::ENTRA_ROLES_MANAGE);
});
it('maps ENTRA_ROLES_VIEW to Readonly and Operator roles', function (): void {
expect(RoleCapabilityMap::hasCapability(TenantRole::Readonly, Capabilities::ENTRA_ROLES_VIEW))->toBeTrue()
->and(RoleCapabilityMap::hasCapability(TenantRole::Operator, Capabilities::ENTRA_ROLES_VIEW))->toBeTrue();
});
it('maps ENTRA_ROLES_MANAGE to Manager and Owner roles only', function (): void {
expect(RoleCapabilityMap::hasCapability(TenantRole::Owner, Capabilities::ENTRA_ROLES_MANAGE))->toBeTrue()
->and(RoleCapabilityMap::hasCapability(TenantRole::Manager, Capabilities::ENTRA_ROLES_MANAGE))->toBeTrue()
->and(RoleCapabilityMap::hasCapability(TenantRole::Operator, Capabilities::ENTRA_ROLES_MANAGE))->toBeFalse()
->and(RoleCapabilityMap::hasCapability(TenantRole::Readonly, Capabilities::ENTRA_ROLES_MANAGE))->toBeFalse();
});
it('maps ENTRA_ROLES_VIEW to Manager and Owner roles', function (): void {
expect(RoleCapabilityMap::hasCapability(TenantRole::Owner, Capabilities::ENTRA_ROLES_VIEW))->toBeTrue()
->and(RoleCapabilityMap::hasCapability(TenantRole::Manager, Capabilities::ENTRA_ROLES_VIEW))->toBeTrue();
});
// ---------------------------------------------------------------------------
// T028 — TenantPermissionService merge tests
// ---------------------------------------------------------------------------
it('merged required permissions include both Intune and Entra entries', function (): void {
$service = app(TenantPermissionService::class);
$permissions = $service->getRequiredPermissions();
$keys = array_column($permissions, 'key');
// At least one Intune permission
expect($keys)->toContain('DeviceManagementConfiguration.ReadWrite.All')
// And the Entra permission
->and($keys)->toContain('RoleManagement.Read.Directory');
});
it('RoleManagement.Read.Directory has correct type and features in merged list', function (): void {
$service = app(TenantPermissionService::class);
$permissions = $service->getRequiredPermissions();
$entraPermission = collect($permissions)->firstWhere('key', 'RoleManagement.Read.Directory');
expect($entraPermission)->not->toBeNull()
->and($entraPermission['type'])->toBe('application')
->and($entraPermission['features'])->toContain('entra-admin-roles');
});
it('existing Intune permissions unchanged after Entra merge', function (): void {
$service = app(TenantPermissionService::class);
$merged = $service->getRequiredPermissions();
$intuneOnly = config('intune_permissions.permissions', []);
$intuneKeys = array_column($intuneOnly, 'key');
foreach ($intuneKeys as $key) {
$original = collect($intuneOnly)->firstWhere('key', $key);
$inMerged = collect($merged)->firstWhere('key', $key);
expect($inMerged)->not->toBeNull()
->and($inMerged['key'])->toBe($original['key'])
->and($inMerged['type'])->toBe($original['type']);
}
});
it('empty entra_permissions config returns only Intune entries', function (): void {
config()->set('entra_permissions.permissions', []);
$service = app(TenantPermissionService::class);
$permissions = $service->getRequiredPermissions();
$intuneOnly = config('intune_permissions.permissions', []);
expect($permissions)->toHaveCount(count($intuneOnly));
$keys = array_column($permissions, 'key');
expect($keys)->not->toContain('RoleManagement.Read.Directory');
});

31
tests/Feature/EntraAdminRoles/FindingTypeBadgeTest.php Normal file
View File

@ -0,0 +1,31 @@
<?php
declare(strict_types=1);
use App\Models\Finding;
use App\Support\Badges\Domains\FindingTypeBadge;
it('renders entra_admin_roles badge with danger color and identification icon', function (): void {
$badge = new FindingTypeBadge;
$spec = $badge->spec(Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES);
expect($spec->label)->toBe('Entra admin roles')
->and($spec->color)->toBe('danger')
->and($spec->icon)->toBe('heroicon-m-identification');
});
it('still renders drift badge correctly after adding entra_admin_roles', function (): void {
$badge = new FindingTypeBadge;
$spec = $badge->spec(Finding::FINDING_TYPE_DRIFT);
expect($spec->label)->toBe('Drift')
->and($spec->color)->toBe('info');
});
it('still renders permission_posture badge correctly after adding entra_admin_roles', function (): void {
$badge = new FindingTypeBadge;
$spec = $badge->spec(Finding::FINDING_TYPE_PERMISSION_POSTURE);
expect($spec->label)->toBe('Permission posture')
->and($spec->color)->toBe('warning');
});

64
tests/Feature/EntraAdminRoles/HighPrivilegeRoleCatalogTest.php Normal file
View File

@ -0,0 +1,64 @@
<?php
declare(strict_types=1);
use App\Services\EntraAdminRoles\HighPrivilegeRoleCatalog;
it('classifies Global Administrator template_id as critical', function (): void {
$catalog = new HighPrivilegeRoleCatalog;
expect($catalog->classify('62e90394-69f5-4237-9190-012177145e10', null))->toBe('critical');
});
it('classifies all 5 other high-privilege template_ids as high', function (string $templateId): void {
$catalog = new HighPrivilegeRoleCatalog;
expect($catalog->classify($templateId, null))->toBe('high');
})->with([
'Privileged Role Administrator' => 'e8611ab8-c189-46e8-94e1-60213ab1f814',
'Security Administrator' => '194ae4cb-b126-40b2-bd5b-6091b380977d',
'Conditional Access Administrator' => 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9',
'Exchange Administrator' => '29232cdf-9323-42fd-ade2-1d097af3e4de',
'Authentication Administrator' => 'c4e39bd9-1100-46d3-8c65-fb160da0071f',
]);
it('falls back to display_name when template_id does not match', function (): void {
$catalog = new HighPrivilegeRoleCatalog;
expect($catalog->classify('unknown-template-id', 'Security Administrator'))->toBe('high');
});
it('returns null for unknown template_id and unknown display_name', function (): void {
$catalog = new HighPrivilegeRoleCatalog;
expect($catalog->classify('unknown-template-id', 'Custom Role'))->toBeNull();
});
it('returns null for unknown template_id with null display_name', function (): void {
$catalog = new HighPrivilegeRoleCatalog;
expect($catalog->classify('unknown-template-id', null))->toBeNull();
});
it('identifies Global Administrator via isGlobalAdministrator', function (): void {
$catalog = new HighPrivilegeRoleCatalog;
expect($catalog->isGlobalAdministrator('62e90394-69f5-4237-9190-012177145e10', null))->toBeTrue()
->and($catalog->isGlobalAdministrator('e8611ab8-c189-46e8-94e1-60213ab1f814', null))->toBeFalse();
});
it('returns all 6 entries from allTemplateIds', function (): void {
$catalog = new HighPrivilegeRoleCatalog;
$all = $catalog->allTemplateIds();
expect($all)->toHaveCount(6)
->and($all)->toHaveKey('62e90394-69f5-4237-9190-012177145e10');
});
it('matches display_name case-insensitively', function (): void {
$catalog = new HighPrivilegeRoleCatalog;
expect($catalog->classify('unknown-id', 'GLOBAL ADMINISTRATOR'))->toBe('critical')
->and($catalog->classify('unknown-id', 'global administrator'))->toBe('critical')
->and($catalog->classify('unknown-id', 'Global Administrator'))->toBe('critical');
});

288
tests/Feature/EntraAdminRoles/ScanEntraAdminRolesJobTest.php Normal file
View File

@ -0,0 +1,288 @@
<?php
declare(strict_types=1);
use App\Jobs\ScanEntraAdminRolesJob;
use App\Models\Finding;
use App\Models\OperationRun;
use App\Models\StoredReport;
use App\Services\EntraAdminRoles\EntraAdminRolesFindingGenerator;
use App\Services\EntraAdminRoles\EntraAdminRolesReportService;
use App\Services\EntraAdminRoles\HighPrivilegeRoleCatalog;
use App\Services\Graph\GraphClientInterface;
use App\Services\Graph\GraphResponse;
use App\Services\Providers\MicrosoftGraphOptionsResolver;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
function buildScanReportService(GraphClientInterface $graphClient): EntraAdminRolesReportService
{
return new EntraAdminRolesReportService(
$graphClient,
new HighPrivilegeRoleCatalog,
app(MicrosoftGraphOptionsResolver::class),
);
}
function scanJobRoleDefs(): array
{
return [
[
'id' => 'def-ga',
'displayName' => 'Global Administrator',
'templateId' => '62e90394-69f5-4237-9190-012177145e10',
'isBuiltIn' => true,
],
];
}
function scanJobAssignments(): array
{
return [
[
'id' => 'assign-1',
'roleDefinitionId' => 'def-ga',
'principalId' => 'user-aaa',
'directoryScopeId' => '/',
'principal' => [
'@odata.type' => '#microsoft.graph.user',
'displayName' => 'Alice Admin',
],
],
];
}
function scanJobGraphMock(bool $failDefinitions = false, bool $failAssignments = false): GraphClientInterface
{
return new class(scanJobRoleDefs(), scanJobAssignments(), $failDefinitions, $failAssignments) implements GraphClientInterface
{
public function __construct(
private readonly array $roleDefs,
private readonly array $assignments,
private readonly bool $failDefs,
private readonly bool $failAssigns,
) {}
public function listPolicies(string $policyType, array $options = []): GraphResponse
{
return match ($policyType) {
'entraRoleDefinitions' => new GraphResponse(
success: ! $this->failDefs,
data: $this->failDefs ? [] : $this->roleDefs,
status: $this->failDefs ? 403 : 200,
errors: $this->failDefs ? ['Forbidden'] : [],
),
'entraRoleAssignments' => new GraphResponse(
success: ! $this->failAssigns,
data: $this->failAssigns ? [] : $this->assignments,
status: $this->failAssigns ? 403 : 200,
errors: $this->failAssigns ? ['Forbidden'] : [],
),
default => new GraphResponse(success: false, status: 404),
};
}
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function getOrganization(array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function getServicePrincipalPermissions(array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function request(string $method, string $path, array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
};
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
it('successful run creates OperationRun and records success with counts', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$mock = scanJobGraphMock();
$job = new ScanEntraAdminRolesJob(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
$job->handle(
buildScanReportService($mock),
new EntraAdminRolesFindingGenerator(new HighPrivilegeRoleCatalog),
app(\App\Services\OperationRunService::class),
);
$run = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'entra.admin_roles.scan')
->first();
expect($run)->not->toBeNull()
->and($run->status)->toBe(OperationRunStatus::Completed->value)
->and($run->outcome)->toBe(OperationRunOutcome::Succeeded->value)
->and($run->summary_counts)->toBeArray()
->and($run->summary_counts['report_created'])->toBe(1)
->and($run->summary_counts['findings_created'])->toBeGreaterThanOrEqual(1);
// Verify report and findings also exist
$report = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->first();
expect($report)->not->toBeNull();
$findingsCount = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($findingsCount)->toBeGreaterThanOrEqual(1);
});
it('skips tenant without active provider connection', function (): void {
[$user, $tenant] = createUserWithTenant(ensureDefaultMicrosoftProviderConnection: false);
// Deliberately NOT creating a provider connection
$job = new ScanEntraAdminRolesJob(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
$job->handle(
buildScanReportService(scanJobGraphMock()),
new EntraAdminRolesFindingGenerator(new HighPrivilegeRoleCatalog),
app(\App\Services\OperationRunService::class),
);
$runCount = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'entra.admin_roles.scan')
->count();
expect($runCount)->toBe(0);
$reportCount = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($reportCount)->toBe(0);
});
it('Graph failure marks OperationRun as failed and re-throws', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$mock = scanJobGraphMock(failDefinitions: true);
$job = new ScanEntraAdminRolesJob(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
$thrown = false;
try {
$job->handle(
buildScanReportService($mock),
new EntraAdminRolesFindingGenerator(new HighPrivilegeRoleCatalog),
app(\App\Services\OperationRunService::class),
);
} catch (RuntimeException) {
$thrown = true;
}
expect($thrown)->toBeTrue();
$run = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'entra.admin_roles.scan')
->first();
expect($run)->not->toBeNull()
->and($run->status)->toBe(OperationRunStatus::Completed->value)
->and($run->outcome)->toBe(OperationRunOutcome::Failed->value)
->and($run->failure_summary)->toBeArray()
->and($run->failure_summary[0]['code'])->toBe('entra.admin_roles.scan.failed');
});
it('finding generator runs even when report is deduped', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$mock = scanJobGraphMock();
$reportService = buildScanReportService($mock);
$findingGenerator = new EntraAdminRolesFindingGenerator(new HighPrivilegeRoleCatalog);
$runService = app(\App\Services\OperationRunService::class);
// Run 1: creates report
$job1 = new ScanEntraAdminRolesJob(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
$job1->handle($reportService, $findingGenerator, $runService);
$reportCount = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($reportCount)->toBe(1);
// Mark existing OperationRun as completed so a new one can be created
OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'entra.admin_roles.scan')
->update(['status' => OperationRunStatus::Completed->value]);
// Run 2: report deduped, but findings still processed
$job2 = new ScanEntraAdminRolesJob(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
$job2->handle($reportService, $findingGenerator, $runService);
// Still only 1 report (deduped)
$reportCount2 = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($reportCount2)->toBe(1);
// But the run completed successfully with deduped count
$latestRun = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'entra.admin_roles.scan')
->where('outcome', OperationRunOutcome::Succeeded->value)
->latest()
->first();
expect($latestRun)->not->toBeNull()
->and($latestRun->summary_counts['report_deduped'])->toBe(1);
});

57
tests/Feature/EntraAdminRoles/StoredReportFingerprintTest.php Normal file
View File

@ -0,0 +1,57 @@
<?php
declare(strict_types=1);
use App\Models\StoredReport;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
it('persists fingerprint and previous_fingerprint columns', function (): void {
[$user, $tenant] = createUserWithTenant();
$report = StoredReport::factory()->create([
'tenant_id' => $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
'fingerprint' => str_repeat('a', 64),
'previous_fingerprint' => str_repeat('b', 64),
]);
$fresh = StoredReport::query()->find($report->getKey());
expect($fresh->fingerprint)->toBe(str_repeat('a', 64))
->and($fresh->previous_fingerprint)->toBe(str_repeat('b', 64));
});
it('prevents duplicate (tenant_id, report_type, fingerprint) via unique index', function (): void {
[$user, $tenant] = createUserWithTenant();
$fingerprint = hash('sha256', 'test-content');
StoredReport::factory()->create([
'tenant_id' => $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
'fingerprint' => $fingerprint,
]);
expect(fn () => StoredReport::factory()->create([
'tenant_id' => $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
'fingerprint' => $fingerprint,
]))->toThrow(\Illuminate\Database\QueryException::class);
});
it('allows null fingerprint for existing reports without fingerprinting', function (): void {
[$user, $tenant] = createUserWithTenant();
$report = StoredReport::factory()->create([
'tenant_id' => $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_PERMISSION_POSTURE,
'fingerprint' => null,
'previous_fingerprint' => null,
]);
$fresh = StoredReport::query()->find($report->getKey());
expect($fresh->fingerprint)->toBeNull()
->and($fresh->previous_fingerprint)->toBeNull();
});

6
tests/Feature/RequiredPermissions/RequiredPermissionsEmptyStateTest.php
View File

@ -2,13 +2,17 @@
declare(strict_types=1);
use App\Filament\Resources\TenantResource;
it('renders the no-data state with a canonical start verification link when no stored permission data exists', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$expectedUrl = TenantResource::getUrl('view', ['record' => $tenant]);
$this->actingAs($user)
->get("/admin/tenants/{$tenant->external_id}/required-permissions")
->assertSuccessful()
->assertSee('Keine Daten verfügbar')
->assertSee('/admin/onboarding', false)
->assertSee($expectedUrl, false)
->assertSee('Start verification');
});

1
tests/Feature/RequiredPermissions/RequiredPermissionsFiltersTest.php
View File

@ -25,6 +25,7 @@
'features' => ['backup', 'restore'],
],
]);
config()->set('entra_permissions.permissions', []);
TenantPermission::create([
'tenant_id' => (int) $tenant->getKey(),

8
tests/Feature/RequiredPermissions/RequiredPermissionsLinksTest.php
View File

@ -2,14 +2,18 @@
declare(strict_types=1);
use App\Filament\Resources\TenantResource;
it('renders re-run verification and next-step links using canonical manage surfaces only', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$expectedUrl = TenantResource::getUrl('view', ['record' => $tenant]);
$this->actingAs($user)
->get("/admin/tenants/{$tenant->external_id}/required-permissions")
->assertSuccessful()
->assertSee('Re-run verification')
->assertSee('/admin/onboarding', false)
->assertSee($expectedUrl, false)
->assertDontSee('/admin/t/', false);
});
@ -20,6 +24,6 @@
->get("/admin/tenants/{$tenant->external_id}/required-permissions")
->assertSuccessful()
->assertSeeInOrder(['Summary', 'Issues', 'Passed', 'Technical details'])
->assertSee('<details data-testid="technical-details"', false)
->assertSee('data-testid="technical-details"', false)
->assertDontSee('data-testid="technical-details" open', false);
});

160
tests/Feature/RequiredPermissions/RequiredPermissionsSidebarTest.php Normal file
View File

@ -0,0 +1,160 @@
<?php
declare(strict_types=1);
use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\Workspaces\WorkspaceContext;
/*
|--------------------------------------------------------------------------
| T001 Sidebar context tests for Required Permissions page
|--------------------------------------------------------------------------
|
| Verifies that the Required Permissions page (a workspace-scoped page
| that uses {tenant} for data display only) always renders the workspace
| sidebar never the tenant sidebar. Also verifies FR-002: authorization
| (404 for non-members) still works after the middleware change.
|
*/
it('renders workspace navigation items on the required permissions page', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$response = $this->actingAs($user)
->get("/admin/tenants/{$tenant->external_id}/required-permissions");
$response->assertOk();
// Workspace nav items from configureNavigationForRequest() workspace builder
$response->assertSee('Operations', false);
$response->assertSee('Audit Log', false);
});
it('does not render tenant navigation items on the required permissions page', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$response = $this->actingAs($user)
->get("/admin/tenants/{$tenant->external_id}/required-permissions");
$response->assertOk();
// Tenant-scoped nav groups/items must NOT appear
$response->assertDontSee('>Inventory</span>', false);
$response->assertDontSee('>Backups &amp; Restore</span>', false);
});
it('shows workspace sidebar when navigating directly via URL', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$response = $this->actingAs($user)
->get("/admin/tenants/{$tenant->external_id}/required-permissions");
$response->assertOk();
// Workspace nav present (Operations is always visible in workspace nav)
$response->assertSee('Operations', false);
$response->assertSee('Audit Log', false);
// Tenant nav absent
$response->assertDontSee('>Directory</span>', false);
$response->assertDontSee('>Governance</span>', false);
});
it('returns 404 for non-workspace-members after middleware change (FR-002 regression guard)', function (): void {
$user = User::factory()->create();
$workspace = Workspace::factory()->create();
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
]);
// User is NOT a workspace member — no WorkspaceMembership created
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
])
->get("/admin/tenants/{$tenant->external_id}/required-permissions")
->assertNotFound();
});
it('returns 404 for workspace members without tenant entitlement after middleware change (FR-002 regression guard)', function (): void {
$user = User::factory()->create();
$workspace = Workspace::factory()->create();
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
]);
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
// User IS a workspace member but NOT entitled to this tenant
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
])
->get("/admin/tenants/{$tenant->external_id}/required-permissions")
->assertNotFound();
});
/*
|--------------------------------------------------------------------------
| T002 Regression: tenant-scoped pages still show tenant sidebar
|--------------------------------------------------------------------------
|
| Verifies that the middleware change does NOT affect tenant-scoped pages.
| Pages under /admin/t/{tenant}/ must continue to show tenant sidebar.
|
*/
it('still renders tenant sidebar on tenant-scoped pages (regression guard)', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
// Use the tenant dashboard — a known tenant-scoped URL
$response = $this->actingAs($user)
->get("/admin/t/{$tenant->external_id}");
$response->assertOk();
// Tenant-scoped nav groups MUST be present on tenant pages (Inventory group)
$response->assertSee('Inventory', false);
});
/*
|--------------------------------------------------------------------------
| T007 Context bar: tenant name is visible on the page
|--------------------------------------------------------------------------
|
| The page's $scopedTenant is resolved from the route param via
| resolveScopedTenant() NOT from Filament::getTenant(). So the tenant
| data is available even though Filament::setTenant() is skipped.
| Verify the page renders successfully and that the tenant's data is used.
|
*/
it('resolves scoped tenant correctly with workspace sidebar (context bar / US2)', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$response = $this->actingAs($user)
->get("/admin/tenants/{$tenant->external_id}/required-permissions");
$response->assertOk();
// The page resolves $scopedTenant from route param and uses it for data display.
// Verify the page title is present (static title: "Required permissions")
$response->assertSee('Required permissions', false);
// The page uses $scopedTenant for links (e.g., "Re-run verification" links back to TenantResource)
// If $scopedTenant were null, the page would abort(404) in mount().
// The fact that we get 200 proves $scopedTenant resolved correctly despite setTenant() being skipped.
// Workspace nav present (sidebar fix working)
$response->assertSee('Operations', false);
// Tenant nav absent (sidebar fix working)
$response->assertDontSee('>Inventory</span>', false);
});

64
tests/Unit/OpsUx/SummaryCountsNormalizerTest.php Normal file
View File

@ -0,0 +1,64 @@
<?php
declare(strict_types=1);
use App\Support\OpsUx\SummaryCountsNormalizer;
it('normalizes allowed keys and casts to int', function () {
$result = SummaryCountsNormalizer::normalize([
'total' => 5,
'processed' => '3',
'failed' => 0,
'bogus_key' => 99,
]);
expect($result)->toBe([
'total' => 5,
'processed' => 3,
'failed' => 0,
]);
});
it('strips empty string keys and non-numeric values', function () {
$result = SummaryCountsNormalizer::normalize([
'' => 1,
'total' => 'not-a-number',
'succeeded' => 10,
]);
expect($result)->toBe(['succeeded' => 10]);
});
it('renders summary line with only non-zero values', function () {
$line = SummaryCountsNormalizer::renderSummaryLine([
'report_created' => 0,
'report_deduped' => 1,
'findings_created' => 0,
'findings_unchanged' => 10,
'alert_events_produced' => 0,
]);
expect($line)->toBe('Report deduped: 1 · Findings unchanged: 10');
});
it('returns null when all values are zero', function () {
$line = SummaryCountsNormalizer::renderSummaryLine([
'report_created' => 0,
'findings_created' => 0,
]);
expect($line)->toBeNull();
});
it('returns null for empty array', function () {
expect(SummaryCountsNormalizer::renderSummaryLine([]))->toBeNull();
});
it('humanizes snake_case keys to Title case', function () {
$line = SummaryCountsNormalizer::renderSummaryLine([
'high' => 3,
'alert_events_produced' => 2,
]);
expect($line)->toBe('High: 3 · Alert events produced: 2');
});