Compare commits
12 Commits
145-tenant
...
dev
| Author | SHA1 | Date | |
|---|---|---|---|
| a4f2629493 | |||
| b1e1e06861 | |||
| a74ab12f04 | |||
| 5ec62cd117 | |||
| ec71c2d4e7 | |||
| 1f3619bd16 | |||
| 5bcb4f6ab8 | |||
| ede4cc363d | |||
| 417df4f9aa | |||
| 73a879d061 | |||
| 6ca496233b | |||
| 440e63edff |
21
.github/agents/copilot-instructions.md
vendored
21
.github/agents/copilot-instructions.md
vendored
@ -81,6 +81,21 @@ ## Active Technologies
|
||||
- PostgreSQL plus session-backed workspace and remembered tenant context (no schema changes) (144-canonical-operation-viewer-context-decoupling)
|
||||
- PHP 8.4.15 with Laravel 12, Filament v5, Livewire v4.0+ + Filament Actions/Tables/Infolists, Laravel Gates/Policies, `UiEnforcement`, `WorkspaceUiEnforcement`, `ActionSurfaceDeclaration`, `BadgeCatalog`, `TenantOperabilityService`, `OnboardingLifecycleService` (145-tenant-action-taxonomy-lifecycle-safe-visibility)
|
||||
- PostgreSQL for tenants, onboarding sessions, audit logs, operation runs, and workspace membership data (145-tenant-action-taxonomy-lifecycle-safe-visibility)
|
||||
- PostgreSQL (existing tenant and operation records only; no schema changes planned) (146-central-tenant-status-presentation)
|
||||
- PostgreSQL plus existing session-backed workspace and remembered-tenant context; no schema change planned (147-tenant-selector-remembered-context-enforcement)
|
||||
- PHP 8.4.15 + Laravel 12, Filament 5, Livewire 4, Pest 4, existing support-layer helpers such as `UiEnforcement`, `CapabilityResolver`, `WorkspaceContext`, `OperateHubShell`, `TenantOperabilityService`, and `TenantActionPolicySurface` (148-central-tenant-operability-policy)
|
||||
- PostgreSQL plus existing session-backed workspace and remembered-tenant context; no schema change planned for the first implementation slice (148-central-tenant-operability-policy)
|
||||
- PHP 8.4.15 + Laravel 12, Filament 5, Livewire 4, Pest 4, existing `OperationRunService`, `TrackOperationRun`, `ProviderOperationStartGate`, `TenantOperabilityService`, `CapabilityResolver`, and `WriteGateInterface` seams (149-queued-execution-reauthorization)
|
||||
- PostgreSQL-backed application data plus queue-serialized `OperationRun` context; no schema migration planned for the first implementation slice (149-queued-execution-reauthorization)
|
||||
- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, PostgreSQL, Pest 4 (150-tenant-owned-query-canon-and-wrong-tenant-guards)
|
||||
- PostgreSQL with existing `findings` and `audit_logs` tables; no new storage engine or external log store (151-findings-workflow-backstop)
|
||||
- PostgreSQL with existing workspace-, tenant-, onboarding-, and audit-related tables; no new persistent storage planned for the first slice (152-livewire-context-locking)
|
||||
- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `StoredReport`, `Finding`, `OperationRun`, and `AuditLog` infrastructure (153-evidence-domain-foundation)
|
||||
- PostgreSQL with JSONB-backed snapshot metadata; existing private storage remains a downstream-consumer concern, not a primary evidence-foundation store (153-evidence-domain-foundation)
|
||||
- PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing Finding, AuditLog, EvidenceSnapshot, CapabilityResolver, WorkspaceCapabilityResolver, and UiEnforcement patterns (001-finding-risk-acceptance)
|
||||
- PostgreSQL with new tenant-owned exception tables and JSONB-backed supporting metadata (001-finding-risk-acceptance)
|
||||
- PHP 8.4, Laravel 12, Livewire 4, Filament 5 + Filament resources/pages/actions, Eloquent models, queued Laravel jobs, existing `EvidenceSnapshotService`, existing `ReviewPackService`, capability registry, `OperationRunService` (155-tenant-review-layer)
|
||||
- PostgreSQL with JSONB-backed summary payloads and tenant/workspace ownership columns (155-tenant-review-layer)
|
||||
|
||||
- PHP 8.4.15 (feat/005-bulk-operations)
|
||||
|
||||
@ -100,8 +115,8 @@ ## Code Style
|
||||
PHP 8.4.15: Follow standard conventions
|
||||
|
||||
## Recent Changes
|
||||
- 145-tenant-action-taxonomy-lifecycle-safe-visibility: Added PHP 8.4.15 with Laravel 12, Filament v5, Livewire v4.0+ + Filament Actions/Tables/Infolists, Laravel Gates/Policies, `UiEnforcement`, `WorkspaceUiEnforcement`, `ActionSurfaceDeclaration`, `BadgeCatalog`, `TenantOperabilityService`, `OnboardingLifecycleService`
|
||||
- 144-canonical-operation-viewer-context-decoupling: Added PHP 8.4 (Laravel 12) + Filament v5, Livewire v4, Laravel Gates and Policies, `OperateHubShell`, `OperationRunLinks`
|
||||
- 143-tenant-lifecycle-operability-context-semantics: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, Tailwind CSS v4
|
||||
- 155-tenant-review-layer: Added PHP 8.4, Laravel 12, Livewire 4, Filament 5 + Filament resources/pages/actions, Eloquent models, queued Laravel jobs, existing `EvidenceSnapshotService`, existing `ReviewPackService`, capability registry, `OperationRunService`
|
||||
- 001-finding-risk-acceptance: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing Finding, AuditLog, EvidenceSnapshot, CapabilityResolver, WorkspaceCapabilityResolver, and UiEnforcement patterns
|
||||
- 153-evidence-domain-foundation: Added PHP 8.4.15 + Laravel 12, Filament v5, Livewire v4, Pest v4, existing `StoredReport`, `Finding`, `OperationRun`, and `AuditLog` infrastructure
|
||||
<!-- MANUAL ADDITIONS START -->
|
||||
<!-- MANUAL ADDITIONS END -->
|
||||
|
||||
27
app/Exceptions/ReviewPackEvidenceResolutionException.php
Normal file
27
app/Exceptions/ReviewPackEvidenceResolutionException.php
Normal file
@ -0,0 +1,27 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Exceptions;
|
||||
|
||||
use App\Services\Evidence\EvidenceResolutionResult;
|
||||
use RuntimeException;
|
||||
|
||||
class ReviewPackEvidenceResolutionException extends RuntimeException
|
||||
{
|
||||
public function __construct(
|
||||
public readonly EvidenceResolutionResult $result,
|
||||
?string $message = null,
|
||||
) {
|
||||
parent::__construct($message ?? self::defaultMessage($result));
|
||||
}
|
||||
|
||||
private static function defaultMessage(EvidenceResolutionResult $result): string
|
||||
{
|
||||
return match ($result->outcome) {
|
||||
'missing_snapshot' => 'No eligible evidence snapshot is available for this review pack.',
|
||||
'snapshot_ineligible' => 'The latest evidence snapshot is not eligible for review-pack generation.',
|
||||
default => 'Evidence snapshot resolution failed.',
|
||||
};
|
||||
}
|
||||
}
|
||||
72
app/Filament/Concerns/InteractsWithTenantOwnedRecords.php
Normal file
72
app/Filament/Concerns/InteractsWithTenantOwnedRecords.php
Normal file
@ -0,0 +1,72 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Concerns;
|
||||
|
||||
use App\Models\Tenant;
|
||||
use App\Support\WorkspaceIsolation\TenantOwnedQueryScope;
|
||||
use App\Support\WorkspaceIsolation\TenantOwnedRecordResolver;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
|
||||
trait InteractsWithTenantOwnedRecords
|
||||
{
|
||||
protected static function tenantOwnedRelationshipName(): string
|
||||
{
|
||||
$relationshipName = property_exists(static::class, 'tenantOwnershipRelationshipName')
|
||||
? static::$tenantOwnershipRelationshipName
|
||||
: null;
|
||||
|
||||
return is_string($relationshipName) && $relationshipName !== ''
|
||||
? $relationshipName
|
||||
: 'tenant';
|
||||
}
|
||||
|
||||
protected static function resolveTenantContextForTenantOwnedRecords(): ?Tenant
|
||||
{
|
||||
if (method_exists(static::class, 'resolveTenantContextForCurrentPanel')) {
|
||||
return static::resolveTenantContextForCurrentPanel();
|
||||
}
|
||||
|
||||
if (method_exists(static::class, 'panelTenantContext')) {
|
||||
return static::panelTenantContext();
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
public static function getTenantOwnedEloquentQuery(): Builder
|
||||
{
|
||||
return static::scopeTenantOwnedQuery(parent::getEloquentQuery());
|
||||
}
|
||||
|
||||
protected static function scopeTenantOwnedQuery(Builder $query, ?Tenant $tenant = null): Builder
|
||||
{
|
||||
return app(TenantOwnedQueryScope::class)->apply(
|
||||
$query,
|
||||
$tenant ?? static::resolveTenantContextForTenantOwnedRecords(),
|
||||
static::tenantOwnedRelationshipName(),
|
||||
);
|
||||
}
|
||||
|
||||
protected static function resolveTenantOwnedRecord(Model|int|string|null $record, ?Builder $query = null, ?Tenant $tenant = null): ?Model
|
||||
{
|
||||
$scopedQuery = static::scopeTenantOwnedQuery(
|
||||
$query ?? parent::getEloquentQuery(),
|
||||
$tenant,
|
||||
);
|
||||
|
||||
return app(TenantOwnedRecordResolver::class)->resolve($scopedQuery, $record);
|
||||
}
|
||||
|
||||
protected static function resolveTenantOwnedRecordOrFail(Model|int|string|null $record, ?Builder $query = null, ?Tenant $tenant = null): Model
|
||||
{
|
||||
$scopedQuery = static::scopeTenantOwnedQuery(
|
||||
$query ?? parent::getEloquentQuery(),
|
||||
$tenant,
|
||||
);
|
||||
|
||||
return app(TenantOwnedRecordResolver::class)->resolveOrFail($scopedQuery, $record);
|
||||
}
|
||||
}
|
||||
@ -14,7 +14,7 @@ trait ResolvesPanelTenantContext
|
||||
protected static function resolveTenantContextForCurrentPanel(): ?Tenant
|
||||
{
|
||||
if (Filament::getCurrentPanel()?->getId() === 'admin') {
|
||||
$tenant = app(OperateHubShell::class)->activeEntitledTenant(request());
|
||||
$tenant = app(OperateHubShell::class)->tenantOwnedPanelContext(request());
|
||||
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
@ -24,6 +24,16 @@ protected static function resolveTenantContextForCurrentPanel(): ?Tenant
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
|
||||
public static function panelTenantContext(): ?Tenant
|
||||
{
|
||||
return static::resolveTenantContextForCurrentPanel();
|
||||
}
|
||||
|
||||
public static function trustedPanelTenantContext(): ?Tenant
|
||||
{
|
||||
return static::panelTenantContext();
|
||||
}
|
||||
|
||||
protected static function resolveTenantContextForCurrentPanelOrFail(): Tenant
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
@ -34,4 +44,9 @@ protected static function resolveTenantContextForCurrentPanelOrFail(): Tenant
|
||||
|
||||
return $tenant;
|
||||
}
|
||||
|
||||
protected static function resolveTrustedPanelTenantContextOrFail(): Tenant
|
||||
{
|
||||
return static::resolveTenantContextForCurrentPanelOrFail();
|
||||
}
|
||||
}
|
||||
|
||||
@ -6,6 +6,7 @@
|
||||
|
||||
use App\Models\Tenant;
|
||||
use App\Support\OperateHub\OperateHubShell;
|
||||
use App\Support\WorkspaceIsolation\TenantOwnedModelFamilies;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
@ -21,6 +22,10 @@ public static function getGlobalSearchEloquentQuery(): Builder
|
||||
{
|
||||
$query = static::getModel()::query();
|
||||
|
||||
if (! TenantOwnedModelFamilies::supportsScopedGlobalSearch(static::getModel())) {
|
||||
return $query->whereRaw('1 = 0');
|
||||
}
|
||||
|
||||
if (! static::isScopedToTenant()) {
|
||||
$panel = Filament::getCurrentOrDefaultPanel();
|
||||
|
||||
|
||||
@ -8,6 +8,9 @@
|
||||
use App\Models\User;
|
||||
use App\Models\UserTenantPreference;
|
||||
use App\Services\Tenants\TenantOperabilityService;
|
||||
use App\Support\Tenants\TenantInteractionLane;
|
||||
use App\Support\Tenants\TenantLifecyclePresentation;
|
||||
use App\Support\Tenants\TenantOperabilityQuestion;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Facades\Filament;
|
||||
use Filament\Pages\Page;
|
||||
@ -67,9 +70,35 @@ public function selectTenant(int $tenantId): void
|
||||
abort(403);
|
||||
}
|
||||
|
||||
$tenant = Tenant::query()
|
||||
->whereKey($tenantId)
|
||||
->first();
|
||||
$workspaceContext = app(WorkspaceContext::class);
|
||||
$workspaceId = $workspaceContext->currentWorkspaceId(request());
|
||||
$tenant = null;
|
||||
|
||||
if ($workspaceId === null) {
|
||||
$tenant = Tenant::query()->whereKey($tenantId)->first();
|
||||
|
||||
if ($tenant instanceof Tenant) {
|
||||
$workspace = $tenant->workspace;
|
||||
|
||||
if ($workspace !== null && $user->canAccessTenant($tenant)) {
|
||||
$workspaceContext->setCurrentWorkspace($workspace, $user, request());
|
||||
$workspaceId = (int) $workspace->getKey();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($workspaceId === null) {
|
||||
$this->redirect(route('filament.admin.pages.choose-workspace'));
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
if (! $tenant instanceof Tenant || (int) $tenant->workspace_id !== $workspaceId) {
|
||||
$tenant = Tenant::query()
|
||||
->where('workspace_id', $workspaceId)
|
||||
->whereKey($tenantId)
|
||||
->first();
|
||||
}
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
@ -79,17 +108,32 @@ public function selectTenant(int $tenantId): void
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! app(TenantOperabilityService::class)->canSelectAsContext($tenant)) {
|
||||
$outcome = app(TenantOperabilityService::class)->outcomeFor(
|
||||
tenant: $tenant,
|
||||
question: TenantOperabilityQuestion::SelectorEligibility,
|
||||
actor: $user,
|
||||
workspaceId: $workspaceId,
|
||||
lane: TenantInteractionLane::StandardActiveOperating,
|
||||
);
|
||||
|
||||
if (! $outcome->allowed) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$this->persistLastTenant($user, $tenant);
|
||||
|
||||
app(WorkspaceContext::class)->rememberTenantContext($tenant, request());
|
||||
if (! $workspaceContext->rememberTenantContext($tenant, request())) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$this->redirect(TenantDashboard::getUrl(panel: 'tenant', tenant: $tenant));
|
||||
}
|
||||
|
||||
public function tenantLifecyclePresentation(Tenant $tenant): TenantLifecyclePresentation
|
||||
{
|
||||
return TenantLifecyclePresentation::fromTenant($tenant);
|
||||
}
|
||||
|
||||
private function persistLastTenant(User $user, Tenant $tenant): void
|
||||
{
|
||||
if (Schema::hasColumn('users', 'last_tenant_id')) {
|
||||
|
||||
116
app/Filament/Pages/Monitoring/EvidenceOverview.php
Normal file
116
app/Filament/Pages/Monitoring/EvidenceOverview.php
Normal file
@ -0,0 +1,116 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Pages\Monitoring;
|
||||
|
||||
use App\Filament\Resources\EvidenceSnapshotResource;
|
||||
use App\Models\EvidenceSnapshot;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use BackedEnum;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Pages\Page;
|
||||
use Illuminate\Auth\AuthenticationException;
|
||||
use UnitEnum;
|
||||
|
||||
class EvidenceOverview extends Page
|
||||
{
|
||||
protected static bool $isDiscovered = false;
|
||||
|
||||
protected static bool $shouldRegisterNavigation = false;
|
||||
|
||||
protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-check';
|
||||
|
||||
protected static string|UnitEnum|null $navigationGroup = 'Monitoring';
|
||||
|
||||
protected static ?string $title = 'Evidence Overview';
|
||||
|
||||
protected string $view = 'filament.pages.monitoring.evidence-overview';
|
||||
|
||||
/**
|
||||
* @var list<array<string, mixed>>
|
||||
*/
|
||||
public array $rows = [];
|
||||
|
||||
public ?int $tenantFilter = null;
|
||||
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::ListOnlyReadOnly)
|
||||
->satisfy(ActionSurfaceSlot::ListHeader, 'The overview header exposes a clear-filters action when a tenant prefilter is active.')
|
||||
->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
|
||||
->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'The overview exposes a single drill-down link per row without a More menu.')
|
||||
->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The overview does not expose bulk actions.')
|
||||
->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state explains the current scope and offers a clear-filters CTA.');
|
||||
}
|
||||
|
||||
public function mount(): void
|
||||
{
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
throw new AuthenticationException;
|
||||
}
|
||||
|
||||
$workspaceContext = app(WorkspaceContext::class);
|
||||
$workspace = $workspaceContext->currentWorkspaceForMemberOrFail($user, request());
|
||||
$workspaceId = (int) $workspace->getKey();
|
||||
|
||||
$accessibleTenants = $user->tenants()
|
||||
->where('tenants.workspace_id', $workspaceId)
|
||||
->orderBy('tenants.name')
|
||||
->get()
|
||||
->filter(fn (Tenant $tenant): bool => (int) $tenant->workspace_id === $workspaceId && $user->can('evidence.view', $tenant))
|
||||
->values();
|
||||
|
||||
$this->tenantFilter = is_numeric(request()->query('tenant_id')) ? (int) request()->query('tenant_id') : null;
|
||||
|
||||
$tenantIds = $accessibleTenants->pluck('id')->map(static fn (mixed $id): int => (int) $id)->all();
|
||||
|
||||
$query = EvidenceSnapshot::query()
|
||||
->with('tenant')
|
||||
->where('workspace_id', $workspaceId)
|
||||
->whereIn('tenant_id', $tenantIds)
|
||||
->where('status', 'active')
|
||||
->latest('generated_at');
|
||||
|
||||
if ($this->tenantFilter !== null) {
|
||||
$query->where('tenant_id', $this->tenantFilter);
|
||||
}
|
||||
|
||||
$snapshots = $query->get()->unique('tenant_id')->values();
|
||||
|
||||
$this->rows = $snapshots->map(function (EvidenceSnapshot $snapshot): array {
|
||||
return [
|
||||
'tenant_name' => $snapshot->tenant?->name ?? 'Unknown tenant',
|
||||
'tenant_id' => (int) $snapshot->tenant_id,
|
||||
'snapshot_id' => (int) $snapshot->getKey(),
|
||||
'completeness_state' => (string) $snapshot->completeness_state,
|
||||
'generated_at' => $snapshot->generated_at?->toDateTimeString(),
|
||||
'missing_dimensions' => (int) (($snapshot->summary['missing_dimensions'] ?? 0)),
|
||||
'stale_dimensions' => (int) (($snapshot->summary['stale_dimensions'] ?? 0)),
|
||||
'view_url' => EvidenceSnapshotResource::getUrl('index', tenant: $snapshot->tenant),
|
||||
];
|
||||
})->all();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<Action>
|
||||
*/
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
Action::make('clear_filters')
|
||||
->label('Clear filters')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->tenantFilter !== null)
|
||||
->url(route('admin.evidence.overview')),
|
||||
];
|
||||
}
|
||||
}
|
||||
503
app/Filament/Pages/Monitoring/FindingExceptionsQueue.php
Normal file
503
app/Filament/Pages/Monitoring/FindingExceptionsQueue.php
Normal file
@ -0,0 +1,503 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Pages\Monitoring;
|
||||
|
||||
use App\Filament\Resources\FindingExceptionResource;
|
||||
use App\Filament\Resources\FindingResource;
|
||||
use App\Models\FindingException;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Services\Auth\WorkspaceCapabilityResolver;
|
||||
use App\Services\Findings\FindingExceptionService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
use App\Support\Filament\FilterOptionCatalog;
|
||||
use App\Support\Filament\TablePaginationProfiles;
|
||||
use App\Support\OperateHub\OperateHubShell;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use BackedEnum;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Facades\Filament;
|
||||
use Filament\Forms\Components\DateTimePicker;
|
||||
use Filament\Forms\Components\Textarea;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Pages\Page;
|
||||
use Filament\Tables\Columns\TextColumn;
|
||||
use Filament\Tables\Concerns\InteractsWithTable;
|
||||
use Filament\Tables\Contracts\HasTable;
|
||||
use Filament\Tables\Filters\SelectFilter;
|
||||
use Filament\Tables\Table;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Support\Collection;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use UnitEnum;
|
||||
|
||||
class FindingExceptionsQueue extends Page implements HasTable
|
||||
{
|
||||
use InteractsWithTable;
|
||||
|
||||
public ?int $selectedFindingExceptionId = null;
|
||||
|
||||
protected static bool $isDiscovered = false;
|
||||
|
||||
protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-exclamation';
|
||||
|
||||
protected static string|UnitEnum|null $navigationGroup = 'Monitoring';
|
||||
|
||||
protected static ?string $navigationLabel = 'Finding exceptions';
|
||||
|
||||
protected static ?string $slug = 'finding-exceptions/queue';
|
||||
|
||||
protected static ?string $title = 'Finding Exceptions Queue';
|
||||
|
||||
protected string $view = 'filament.pages.monitoring.finding-exceptions-queue';
|
||||
|
||||
/**
|
||||
* @var array<int, Tenant>|null
|
||||
*/
|
||||
private ?array $authorizedTenants = null;
|
||||
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog)
|
||||
->withDefaults(new ActionSurfaceDefaults(
|
||||
moreGroupLabel: 'More',
|
||||
exportIsDefaultBulkActionForReadOnly: false,
|
||||
))
|
||||
->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions keep workspace approval scope visible and expose selected exception review actions.')
|
||||
->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ViewAction->value)
|
||||
->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Exception decisions are reviewed one record at a time in v1 and do not expose bulk actions.')
|
||||
->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state explains when the approval queue is empty and keeps navigation back to tenant findings available.')
|
||||
->satisfy(ActionSurfaceSlot::DetailHeader, 'Selected exception detail exposes approve, reject, and related-record navigation actions in the page header.');
|
||||
}
|
||||
|
||||
public static function canAccess(): bool
|
||||
{
|
||||
if (Filament::getCurrentPanel()?->getId() !== 'admin') {
|
||||
return false;
|
||||
}
|
||||
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
|
||||
|
||||
if (! is_int($workspaceId)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$workspace = Workspace::query()->whereKey($workspaceId)->first();
|
||||
|
||||
if (! $workspace instanceof Workspace) {
|
||||
return false;
|
||||
}
|
||||
|
||||
/** @var WorkspaceCapabilityResolver $resolver */
|
||||
$resolver = app(WorkspaceCapabilityResolver::class);
|
||||
|
||||
return $resolver->isMember($user, $workspace)
|
||||
&& $resolver->can($user, $workspace, Capabilities::FINDING_EXCEPTION_APPROVE);
|
||||
}
|
||||
|
||||
public function mount(): void
|
||||
{
|
||||
$this->selectedFindingExceptionId = is_numeric(request()->query('exception')) ? (int) request()->query('exception') : null;
|
||||
$this->mountInteractsWithTable();
|
||||
$this->applyRequestedTenantPrefilter();
|
||||
|
||||
if ($this->selectedFindingExceptionId !== null) {
|
||||
$this->selectedFindingException();
|
||||
}
|
||||
}
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
$actions = app(OperateHubShell::class)->headerActions(
|
||||
scopeActionName: 'operate_hub_scope_finding_exceptions',
|
||||
returnActionName: 'operate_hub_return_finding_exceptions',
|
||||
);
|
||||
|
||||
$actions[] = Action::make('clear_filters')
|
||||
->label('Clear filters')
|
||||
->icon('heroicon-o-x-mark')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->hasActiveQueueFilters())
|
||||
->action(function (): void {
|
||||
$this->removeTableFilter('tenant_id');
|
||||
$this->removeTableFilter('status');
|
||||
$this->removeTableFilter('current_validity_state');
|
||||
$this->selectedFindingExceptionId = null;
|
||||
$this->resetTable();
|
||||
});
|
||||
|
||||
$actions[] = Action::make('view_tenant_register')
|
||||
->label('View tenant register')
|
||||
->icon('heroicon-o-arrow-top-right-on-square')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->filteredTenant() instanceof Tenant)
|
||||
->url(function (): ?string {
|
||||
$tenant = $this->filteredTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return FindingExceptionResource::getUrl('index', panel: 'tenant', tenant: $tenant);
|
||||
});
|
||||
|
||||
$actions[] = Action::make('clear_selected_exception')
|
||||
->label('Close details')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
|
||||
->action(function (): void {
|
||||
$this->selectedFindingExceptionId = null;
|
||||
});
|
||||
|
||||
$actions[] = Action::make('open_selected_exception')
|
||||
->label('Open tenant detail')
|
||||
->icon('heroicon-o-arrow-top-right-on-square')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
|
||||
->url(fn (): ?string => $this->selectedExceptionUrl());
|
||||
|
||||
$actions[] = Action::make('open_selected_finding')
|
||||
->label('Open finding')
|
||||
->icon('heroicon-o-arrow-top-right-on-square')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->selectedFindingExceptionId !== null)
|
||||
->url(fn (): ?string => $this->selectedFindingUrl());
|
||||
|
||||
$actions[] = Action::make('approve_selected_exception')
|
||||
->label('Approve exception')
|
||||
->color('success')
|
||||
->visible(fn (): bool => $this->selectedFindingException()?->isPending() ?? false)
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
DateTimePicker::make('effective_from')
|
||||
->label('Effective from')
|
||||
->required()
|
||||
->seconds(false),
|
||||
DateTimePicker::make('expires_at')
|
||||
->label('Expires at')
|
||||
->required()
|
||||
->seconds(false),
|
||||
Textarea::make('approval_reason')
|
||||
->label('Approval reason')
|
||||
->rows(3)
|
||||
->maxLength(2000),
|
||||
])
|
||||
->action(function (array $data, FindingExceptionService $service): void {
|
||||
$record = $this->selectedFindingException();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $record instanceof FindingException || ! $user instanceof User) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$wasRenewalRequest = $record->isPendingRenewal();
|
||||
$updated = $service->approve($record, $user, $data);
|
||||
$this->selectedFindingExceptionId = (int) $updated->getKey();
|
||||
$this->resetTable();
|
||||
|
||||
Notification::make()
|
||||
->title($wasRenewalRequest ? 'Exception renewed' : 'Exception approved')
|
||||
->success()
|
||||
->send();
|
||||
});
|
||||
|
||||
$actions[] = Action::make('reject_selected_exception')
|
||||
->label('Reject exception')
|
||||
->color('danger')
|
||||
->visible(fn (): bool => $this->selectedFindingException()?->isPending() ?? false)
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Textarea::make('rejection_reason')
|
||||
->label('Rejection reason')
|
||||
->rows(3)
|
||||
->required()
|
||||
->maxLength(2000),
|
||||
])
|
||||
->action(function (array $data, FindingExceptionService $service): void {
|
||||
$record = $this->selectedFindingException();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $record instanceof FindingException || ! $user instanceof User) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$wasRenewalRequest = $record->isPendingRenewal();
|
||||
$updated = $service->reject($record, $user, $data);
|
||||
$this->selectedFindingExceptionId = (int) $updated->getKey();
|
||||
$this->resetTable();
|
||||
|
||||
Notification::make()
|
||||
->title($wasRenewalRequest ? 'Renewal rejected' : 'Exception rejected')
|
||||
->success()
|
||||
->send();
|
||||
});
|
||||
|
||||
return $actions;
|
||||
}
|
||||
|
||||
public function table(Table $table): Table
|
||||
{
|
||||
return $table
|
||||
->query(fn (): Builder => $this->queueBaseQuery())
|
||||
->defaultSort('requested_at', 'asc')
|
||||
->paginated(TablePaginationProfiles::customPage())
|
||||
->persistFiltersInSession()
|
||||
->persistSearchInSession()
|
||||
->persistSortInSession()
|
||||
->columns([
|
||||
TextColumn::make('status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingExceptionStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::FindingExceptionStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::FindingExceptionStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingExceptionStatus)),
|
||||
TextColumn::make('current_validity_state')
|
||||
->label('Validity')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->color(BadgeRenderer::color(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingRiskGovernanceValidity)),
|
||||
TextColumn::make('tenant.name')
|
||||
->label('Tenant')
|
||||
->searchable(),
|
||||
TextColumn::make('finding_summary')
|
||||
->label('Finding')
|
||||
->state(fn (FindingException $record): string => $record->finding?->resolvedSubjectDisplayName() ?: 'Finding #'.$record->finding_id)
|
||||
->searchable(),
|
||||
TextColumn::make('requester.name')
|
||||
->label('Requested by')
|
||||
->placeholder('—'),
|
||||
TextColumn::make('owner.name')
|
||||
->label('Owner')
|
||||
->placeholder('—'),
|
||||
TextColumn::make('review_due_at')
|
||||
->label('Review due')
|
||||
->dateTime()
|
||||
->placeholder('—')
|
||||
->sortable(),
|
||||
TextColumn::make('expires_at')
|
||||
->label('Expires')
|
||||
->dateTime()
|
||||
->placeholder('—')
|
||||
->sortable(),
|
||||
TextColumn::make('requested_at')
|
||||
->label('Requested')
|
||||
->dateTime()
|
||||
->sortable(),
|
||||
])
|
||||
->filters([
|
||||
SelectFilter::make('tenant_id')
|
||||
->label('Tenant')
|
||||
->options(fn (): array => $this->tenantFilterOptions())
|
||||
->searchable(),
|
||||
SelectFilter::make('status')
|
||||
->options(FilterOptionCatalog::findingExceptionStatuses()),
|
||||
SelectFilter::make('current_validity_state')
|
||||
->label('Validity')
|
||||
->options(FilterOptionCatalog::findingExceptionValidityStates()),
|
||||
])
|
||||
->actions([
|
||||
Action::make('inspect_exception')
|
||||
->label('Inspect exception')
|
||||
->icon('heroicon-o-eye')
|
||||
->color('gray')
|
||||
->action(function (FindingException $record): void {
|
||||
$this->selectedFindingExceptionId = (int) $record->getKey();
|
||||
}),
|
||||
])
|
||||
->bulkActions([])
|
||||
->emptyStateHeading('No exceptions match this queue')
|
||||
->emptyStateDescription('Adjust the current tenant or lifecycle filters to review governed exceptions in this workspace.')
|
||||
->emptyStateIcon('heroicon-o-shield-check')
|
||||
->emptyStateActions([
|
||||
Action::make('clear_filters')
|
||||
->label('Clear filters')
|
||||
->icon('heroicon-o-x-mark')
|
||||
->color('gray')
|
||||
->action(function (): void {
|
||||
$this->removeTableFilter('tenant_id');
|
||||
$this->removeTableFilter('status');
|
||||
$this->removeTableFilter('current_validity_state');
|
||||
$this->selectedFindingExceptionId = null;
|
||||
$this->resetTable();
|
||||
}),
|
||||
]);
|
||||
}
|
||||
|
||||
public function selectedFindingException(): ?FindingException
|
||||
{
|
||||
if (! is_int($this->selectedFindingExceptionId)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$record = $this->queueBaseQuery()
|
||||
->whereKey($this->selectedFindingExceptionId)
|
||||
->first();
|
||||
|
||||
if (! $record instanceof FindingException) {
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
|
||||
return $record;
|
||||
}
|
||||
|
||||
public function selectedExceptionUrl(): ?string
|
||||
{
|
||||
$record = $this->selectedFindingException();
|
||||
|
||||
if (! $record instanceof FindingException || ! $record->tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return FindingExceptionResource::getUrl('view', ['record' => $record], panel: 'tenant', tenant: $record->tenant);
|
||||
}
|
||||
|
||||
public function selectedFindingUrl(): ?string
|
||||
{
|
||||
$record = $this->selectedFindingException();
|
||||
|
||||
if (! $record instanceof FindingException || ! $record->finding || ! $record->tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return FindingResource::getUrl('view', ['record' => $record->finding], panel: 'tenant', tenant: $record->tenant);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, Tenant>
|
||||
*/
|
||||
public function authorizedTenants(): array
|
||||
{
|
||||
if ($this->authorizedTenants !== null) {
|
||||
return $this->authorizedTenants;
|
||||
}
|
||||
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
return $this->authorizedTenants = [];
|
||||
}
|
||||
|
||||
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
|
||||
|
||||
if (! is_int($workspaceId)) {
|
||||
return $this->authorizedTenants = [];
|
||||
}
|
||||
|
||||
$tenants = $user->tenants()
|
||||
->where('tenants.workspace_id', $workspaceId)
|
||||
->orderBy('tenants.name')
|
||||
->get();
|
||||
|
||||
return $this->authorizedTenants = $tenants
|
||||
->filter(fn (Tenant $tenant): bool => (int) $tenant->workspace_id === $workspaceId)
|
||||
->values()
|
||||
->all();
|
||||
}
|
||||
|
||||
private function queueBaseQuery(): Builder
|
||||
{
|
||||
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
|
||||
$tenantIds = array_values(array_map(
|
||||
static fn (Tenant $tenant): int => (int) $tenant->getKey(),
|
||||
$this->authorizedTenants(),
|
||||
));
|
||||
|
||||
return FindingException::query()
|
||||
->with([
|
||||
'tenant',
|
||||
'requester',
|
||||
'owner',
|
||||
'approver',
|
||||
'finding' => fn ($query) => $query->withSubjectDisplayName(),
|
||||
'decisions.actor',
|
||||
'evidenceReferences',
|
||||
])
|
||||
->where('workspace_id', (int) $workspaceId)
|
||||
->whereIn('tenant_id', $tenantIds === [] ? [-1] : $tenantIds);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
private function tenantFilterOptions(): array
|
||||
{
|
||||
return Collection::make($this->authorizedTenants())
|
||||
->mapWithKeys(static fn (Tenant $tenant): array => [
|
||||
(string) $tenant->getKey() => $tenant->name,
|
||||
])
|
||||
->all();
|
||||
}
|
||||
|
||||
private function applyRequestedTenantPrefilter(): void
|
||||
{
|
||||
$requestedTenant = request()->query('tenant');
|
||||
|
||||
if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
|
||||
return;
|
||||
}
|
||||
|
||||
foreach ($this->authorizedTenants() as $tenant) {
|
||||
if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$this->tableFilters['tenant_id']['value'] = (string) $tenant->getKey();
|
||||
$this->tableDeferredFilters['tenant_id']['value'] = (string) $tenant->getKey();
|
||||
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
private function filteredTenant(): ?Tenant
|
||||
{
|
||||
$tenantId = $this->currentTenantFilterId();
|
||||
|
||||
if (! is_int($tenantId)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
foreach ($this->authorizedTenants() as $tenant) {
|
||||
if ((int) $tenant->getKey() === $tenantId) {
|
||||
return $tenant;
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
private function currentTenantFilterId(): ?int
|
||||
{
|
||||
$tenantFilter = data_get($this->tableFilters, 'tenant_id.value');
|
||||
|
||||
if (! is_numeric($tenantFilter)) {
|
||||
$tenantFilter = data_get(session()->get($this->getTableFiltersSessionKey(), []), 'tenant_id.value');
|
||||
}
|
||||
|
||||
return is_numeric($tenantFilter) ? (int) $tenantFilter : null;
|
||||
}
|
||||
|
||||
private function hasActiveQueueFilters(): bool
|
||||
{
|
||||
return $this->currentTenantFilterId() !== null
|
||||
|| is_string(data_get($this->tableFilters, 'status.value'))
|
||||
|| is_string(data_get($this->tableFilters, 'current_validity_state.value'));
|
||||
}
|
||||
}
|
||||
@ -20,6 +20,9 @@
|
||||
use App\Support\OpsUx\OpsUxBrowserEvents;
|
||||
use App\Support\OpsUx\RunDetailPolling;
|
||||
use App\Support\RedactionIntegrity;
|
||||
use App\Support\Tenants\ReferencedTenantLifecyclePresentation;
|
||||
use App\Support\Tenants\TenantInteractionLane;
|
||||
use App\Support\Tenants\TenantOperabilityQuestion;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Actions\ActionGroup;
|
||||
use Filament\Notifications\Notification;
|
||||
@ -103,14 +106,7 @@ protected function getHeaderActions(): array
|
||||
return $actions;
|
||||
}
|
||||
|
||||
$user = auth()->user();
|
||||
$tenant = $this->run->tenant;
|
||||
|
||||
if ($tenant instanceof Tenant && (! $user instanceof User || ! app(CapabilityResolver::class)->isMember($user, $tenant))) {
|
||||
$tenant = null;
|
||||
}
|
||||
|
||||
$related = OperationRunLinks::related($this->run, $tenant);
|
||||
$related = OperationRunLinks::related($this->run, $this->relatedLinksTenant());
|
||||
|
||||
$relatedActions = [];
|
||||
|
||||
@ -164,6 +160,33 @@ public function redactionIntegrityNote(): ?string
|
||||
return isset($this->run) ? RedactionIntegrity::noteForRun($this->run) : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{tone: string, title: string, body: string}|null
|
||||
*/
|
||||
public function blockedExecutionBanner(): ?array
|
||||
{
|
||||
if (! isset($this->run) || (string) $this->run->outcome !== 'blocked') {
|
||||
return null;
|
||||
}
|
||||
|
||||
$context = is_array($this->run->context) ? $this->run->context : [];
|
||||
$reasonCode = data_get($context, 'reason_code');
|
||||
|
||||
if (! is_string($reasonCode) || trim($reasonCode) === '') {
|
||||
$reasonCode = data_get($context, 'execution_legitimacy.reason_code');
|
||||
}
|
||||
|
||||
$reasonCode = is_string($reasonCode) && trim($reasonCode) !== '' ? trim($reasonCode) : 'unknown_error';
|
||||
$message = $this->run->failure_summary[0]['message'] ?? null;
|
||||
$message = is_string($message) && trim($message) !== '' ? trim($message) : 'The queued run was refused before side effects could begin.';
|
||||
|
||||
return [
|
||||
'tone' => 'amber',
|
||||
'title' => 'Execution blocked',
|
||||
'body' => sprintf('Reason code: %s. %s', $reasonCode, $message),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{tone: string, title: string, body: string}|null
|
||||
*/
|
||||
@ -196,13 +219,16 @@ public function canonicalContextBanner(): ?array
|
||||
$messages[] = 'This canonical workspace view remains valid without switching tenant context.';
|
||||
}
|
||||
|
||||
$tenantOperability = app(TenantOperabilityService::class)->decisionFor($runTenant);
|
||||
$referencedTenant = ReferencedTenantLifecyclePresentation::forOperationRun($runTenant);
|
||||
|
||||
if (! $tenantOperability->canSelectAsContext) {
|
||||
if ($selectorAvailabilityMessage = $referencedTenant->selectorAvailabilityMessage()) {
|
||||
$title ??= 'Run tenant is not available in the current tenant selector';
|
||||
$tone = 'amber';
|
||||
$messages[] = 'This tenant is currently '.Str::lower($tenantOperability->lifecycle->label()).' and may not appear in the tenant selector.';
|
||||
$messages[] = 'Some tenant follow-up actions may be unavailable from this canonical workspace view.';
|
||||
$messages[] = $selectorAvailabilityMessage;
|
||||
|
||||
if ($referencedTenant->contextNote !== null) {
|
||||
$messages[] = $referencedTenant->contextNote;
|
||||
}
|
||||
} elseif (! $activeTenant instanceof Tenant) {
|
||||
$title ??= 'Canonical workspace view';
|
||||
$messages[] = 'No tenant context is currently selected.';
|
||||
@ -369,4 +395,30 @@ private function canResumeCapture(): bool
|
||||
return $resolver->isMember($user, $workspace)
|
||||
&& $resolver->can($user, $workspace, Capabilities::WORKSPACE_BASELINES_MANAGE);
|
||||
}
|
||||
|
||||
private function relatedLinksTenant(): ?Tenant
|
||||
{
|
||||
if (! isset($this->run)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$user = auth()->user();
|
||||
$tenant = $this->run->tenant;
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (! app(CapabilityResolver::class)->isMember($user, $tenant)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return app(TenantOperabilityService::class)->outcomeFor(
|
||||
tenant: $tenant,
|
||||
question: TenantOperabilityQuestion::SelectorEligibility,
|
||||
actor: $user,
|
||||
workspaceId: (int) ($this->run->workspace_id ?? 0),
|
||||
lane: TenantInteractionLane::StandardActiveOperating,
|
||||
)->allowed ? $tenant : null;
|
||||
}
|
||||
}
|
||||
|
||||
307
app/Filament/Pages/Reviews/ReviewRegister.php
Normal file
307
app/Filament/Pages/Reviews/ReviewRegister.php
Normal file
@ -0,0 +1,307 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Pages\Reviews;
|
||||
|
||||
use App\Filament\Resources\TenantReviewResource;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantReview;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Services\TenantReviews\TenantReviewRegisterService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
use App\Support\Filament\CanonicalAdminTenantFilterState;
|
||||
use App\Support\Filament\FilterPresets;
|
||||
use App\Support\Filament\TablePaginationProfiles;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use BackedEnum;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Pages\Page;
|
||||
use Filament\Tables\Columns\TextColumn;
|
||||
use Filament\Tables\Concerns\InteractsWithTable;
|
||||
use Filament\Tables\Contracts\HasTable;
|
||||
use Filament\Tables\Filters\SelectFilter;
|
||||
use Filament\Tables\Table;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use UnitEnum;
|
||||
|
||||
class ReviewRegister extends Page implements HasTable
|
||||
{
|
||||
use InteractsWithTable;
|
||||
|
||||
protected static bool $isDiscovered = false;
|
||||
|
||||
protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-document-magnifying-glass';
|
||||
|
||||
protected static string|UnitEnum|null $navigationGroup = 'Reporting';
|
||||
|
||||
protected static ?string $navigationLabel = 'Reviews';
|
||||
|
||||
protected static ?string $title = 'Review Register';
|
||||
|
||||
protected static ?string $slug = 'reviews';
|
||||
|
||||
protected string $view = 'filament.pages.reviews.review-register';
|
||||
|
||||
/**
|
||||
* @var array<int, Tenant>|null
|
||||
*/
|
||||
private ?array $authorizedTenants = null;
|
||||
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forPage(ActionSurfaceProfile::RunLog)
|
||||
->satisfy(ActionSurfaceSlot::ListHeader, 'Header actions provide a single Clear filters action for the canonical review register.')
|
||||
->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
|
||||
->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'The review register does not expose bulk actions in the first slice.')
|
||||
->satisfy(ActionSurfaceSlot::ListEmptyState, 'The empty state keeps exactly one Clear filters CTA.')
|
||||
->exempt(ActionSurfaceSlot::DetailHeader, 'Row navigation returns to the tenant-scoped review detail rather than opening an inline canonical detail panel.');
|
||||
}
|
||||
|
||||
public function mount(): void
|
||||
{
|
||||
$this->authorizePageAccess();
|
||||
|
||||
app(CanonicalAdminTenantFilterState::class)->sync(
|
||||
$this->getTableFiltersSessionKey(),
|
||||
['status', 'published_state', 'completeness_state'],
|
||||
request(),
|
||||
);
|
||||
|
||||
$this->applyRequestedTenantPrefilter();
|
||||
$this->mountInteractsWithTable();
|
||||
}
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
Action::make('clear_filters')
|
||||
->label('Clear filters')
|
||||
->icon('heroicon-o-x-mark')
|
||||
->color('gray')
|
||||
->visible(fn (): bool => $this->hasActiveFilters())
|
||||
->action(function (): void {
|
||||
$this->resetTable();
|
||||
}),
|
||||
];
|
||||
}
|
||||
|
||||
public function table(Table $table): Table
|
||||
{
|
||||
return $table
|
||||
->query(fn (): Builder => $this->registerQuery())
|
||||
->defaultSort('generated_at', 'desc')
|
||||
->paginated(TablePaginationProfiles::customPage())
|
||||
->persistFiltersInSession()
|
||||
->persistSearchInSession()
|
||||
->persistSortInSession()
|
||||
->recordUrl(fn (TenantReview $record): string => TenantReviewResource::tenantScopedUrl('view', ['record' => $record], $record->tenant, 'tenant'))
|
||||
->columns([
|
||||
TextColumn::make('tenant.name')->label('Tenant')->searchable(),
|
||||
TextColumn::make('status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantReviewStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus)),
|
||||
TextColumn::make('completeness_state')
|
||||
->label('Completeness')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness)),
|
||||
TextColumn::make('generated_at')->dateTime()->placeholder('—')->sortable(),
|
||||
TextColumn::make('published_at')->dateTime()->placeholder('—')->sortable(),
|
||||
TextColumn::make('summary.publish_blockers')
|
||||
->label('Publish blockers')
|
||||
->formatStateUsing(static function (mixed $state): string {
|
||||
if (! is_array($state) || $state === []) {
|
||||
return '0';
|
||||
}
|
||||
|
||||
return (string) count($state);
|
||||
}),
|
||||
])
|
||||
->filters([
|
||||
SelectFilter::make('tenant_id')
|
||||
->label('Tenant')
|
||||
->options(fn (): array => $this->tenantFilterOptions())
|
||||
->default(fn (): ?string => $this->defaultTenantFilter())
|
||||
->searchable(),
|
||||
SelectFilter::make('status')
|
||||
->options([
|
||||
'draft' => 'Draft',
|
||||
'ready' => 'Ready',
|
||||
'published' => 'Published',
|
||||
'archived' => 'Archived',
|
||||
'superseded' => 'Superseded',
|
||||
'failed' => 'Failed',
|
||||
]),
|
||||
SelectFilter::make('completeness_state')
|
||||
->label('Completeness')
|
||||
->options([
|
||||
'complete' => 'Complete',
|
||||
'partial' => 'Partial',
|
||||
'missing' => 'Missing',
|
||||
'stale' => 'Stale',
|
||||
]),
|
||||
SelectFilter::make('published_state')
|
||||
->label('Published state')
|
||||
->options([
|
||||
'published' => 'Published',
|
||||
'unpublished' => 'Not published',
|
||||
])
|
||||
->query(function (Builder $query, array $data): Builder {
|
||||
return match ($data['value'] ?? null) {
|
||||
'published' => $query->whereNotNull('published_at'),
|
||||
'unpublished' => $query->whereNull('published_at'),
|
||||
default => $query,
|
||||
};
|
||||
}),
|
||||
FilterPresets::dateRange('review_date', 'Review date', 'generated_at'),
|
||||
])
|
||||
->actions([
|
||||
Action::make('view_review')
|
||||
->label('View review')
|
||||
->url(fn (TenantReview $record): string => TenantReviewResource::tenantScopedUrl('view', ['record' => $record], $record->tenant, 'tenant')),
|
||||
Action::make('export_executive_pack')
|
||||
->label('Export executive pack')
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
->visible(fn (TenantReview $record): bool => auth()->user() instanceof User
|
||||
&& auth()->user()->can(Capabilities::TENANT_REVIEW_MANAGE, $record->tenant)
|
||||
&& in_array($record->status, ['ready', 'published'], true))
|
||||
->action(fn (TenantReview $record): mixed => TenantReviewResource::executeExport($record)),
|
||||
])
|
||||
->bulkActions([])
|
||||
->emptyStateHeading('No review records match this view')
|
||||
->emptyStateDescription('Clear the current filters to return to the full review register for your entitled tenants.')
|
||||
->emptyStateActions([
|
||||
Action::make('clear_filters_empty')
|
||||
->label('Clear filters')
|
||||
->icon('heroicon-o-x-mark')
|
||||
->color('gray')
|
||||
->action(fn (): mixed => $this->resetTable()),
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, Tenant>
|
||||
*/
|
||||
public function authorizedTenants(): array
|
||||
{
|
||||
if ($this->authorizedTenants !== null) {
|
||||
return $this->authorizedTenants;
|
||||
}
|
||||
|
||||
$user = auth()->user();
|
||||
$workspace = $this->workspace();
|
||||
|
||||
if (! $user instanceof User || ! $workspace instanceof Workspace) {
|
||||
return $this->authorizedTenants = [];
|
||||
}
|
||||
|
||||
return $this->authorizedTenants = app(TenantReviewRegisterService::class)->authorizedTenants($user, $workspace);
|
||||
}
|
||||
|
||||
private function authorizePageAccess(): void
|
||||
{
|
||||
$user = auth()->user();
|
||||
$workspace = $this->workspace();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
if (! $workspace instanceof Workspace) {
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
|
||||
$service = app(TenantReviewRegisterService::class);
|
||||
|
||||
if (! $service->canAccessWorkspace($user, $workspace)) {
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
|
||||
if ($this->authorizedTenants() === []) {
|
||||
throw new NotFoundHttpException;
|
||||
}
|
||||
}
|
||||
|
||||
private function registerQuery(): Builder
|
||||
{
|
||||
$user = auth()->user();
|
||||
$workspace = $this->workspace();
|
||||
|
||||
if (! $user instanceof User || ! $workspace instanceof Workspace) {
|
||||
return TenantReview::query()->whereRaw('1 = 0');
|
||||
}
|
||||
|
||||
return app(TenantReviewRegisterService::class)->query($user, $workspace);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
private function tenantFilterOptions(): array
|
||||
{
|
||||
return collect($this->authorizedTenants())
|
||||
->mapWithKeys(static fn (Tenant $tenant): array => [
|
||||
(string) $tenant->getKey() => $tenant->name,
|
||||
])
|
||||
->all();
|
||||
}
|
||||
|
||||
private function defaultTenantFilter(): ?string
|
||||
{
|
||||
$tenantId = app(WorkspaceContext::class)->lastTenantId(request());
|
||||
|
||||
return is_int($tenantId) && array_key_exists($tenantId, $this->authorizedTenants())
|
||||
? (string) $tenantId
|
||||
: null;
|
||||
}
|
||||
|
||||
private function applyRequestedTenantPrefilter(): void
|
||||
{
|
||||
$requestedTenant = request()->query('tenant');
|
||||
|
||||
if (! is_string($requestedTenant) && ! is_numeric($requestedTenant)) {
|
||||
return;
|
||||
}
|
||||
|
||||
foreach ($this->authorizedTenants() as $tenant) {
|
||||
if ((string) $tenant->getKey() !== (string) $requestedTenant && (string) $tenant->external_id !== (string) $requestedTenant) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$this->tableFilters['tenant_id']['value'] = (string) $tenant->getKey();
|
||||
$this->tableDeferredFilters['tenant_id']['value'] = (string) $tenant->getKey();
|
||||
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
private function hasActiveFilters(): bool
|
||||
{
|
||||
$filters = array_filter((array) $this->tableFilters);
|
||||
|
||||
return $filters !== [];
|
||||
}
|
||||
|
||||
private function workspace(): ?Workspace
|
||||
{
|
||||
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
|
||||
|
||||
return is_numeric($workspaceId)
|
||||
? Workspace::query()->whereKey((int) $workspaceId)->first()
|
||||
: null;
|
||||
}
|
||||
}
|
||||
@ -12,6 +12,8 @@
|
||||
use App\Services\Intune\TenantRequiredPermissionsViewModelBuilder;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Pages\Page;
|
||||
use Livewire\Attributes\Locked;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
|
||||
class TenantRequiredPermissions extends Page
|
||||
{
|
||||
@ -41,7 +43,8 @@ class TenantRequiredPermissions extends Page
|
||||
*/
|
||||
public array $viewModel = [];
|
||||
|
||||
public ?Tenant $scopedTenant = null;
|
||||
#[Locked]
|
||||
public ?int $scopedTenantId = null;
|
||||
|
||||
public static function canAccess(): bool
|
||||
{
|
||||
@ -50,7 +53,7 @@ public static function canAccess(): bool
|
||||
|
||||
public function currentTenant(): ?Tenant
|
||||
{
|
||||
return $this->scopedTenant;
|
||||
return $this->trustedScopedTenant();
|
||||
}
|
||||
|
||||
public function mount(): void
|
||||
@ -61,7 +64,7 @@ public function mount(): void
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$this->scopedTenant = $tenant;
|
||||
$this->scopedTenantId = (int) $tenant->getKey();
|
||||
$this->heading = $tenant->getFilamentName();
|
||||
$this->subheading = 'Required permissions';
|
||||
|
||||
@ -143,7 +146,7 @@ public function resetFilters(): void
|
||||
|
||||
private function refreshViewModel(): void
|
||||
{
|
||||
$tenant = $this->scopedTenant;
|
||||
$tenant = $this->trustedScopedTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
$this->viewModel = [];
|
||||
@ -172,7 +175,7 @@ private function refreshViewModel(): void
|
||||
|
||||
public function reRunVerificationUrl(): string
|
||||
{
|
||||
$tenant = $this->scopedTenant;
|
||||
$tenant = $this->trustedScopedTenant();
|
||||
|
||||
if ($tenant instanceof Tenant) {
|
||||
return TenantResource::getUrl('view', ['record' => $tenant]);
|
||||
@ -183,7 +186,7 @@ public function reRunVerificationUrl(): string
|
||||
|
||||
public function manageProviderConnectionUrl(): ?string
|
||||
{
|
||||
$tenant = $this->scopedTenant;
|
||||
$tenant = $this->trustedScopedTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return null;
|
||||
@ -234,4 +237,47 @@ private static function hasScopedTenantAccess(?Tenant $tenant): bool
|
||||
|
||||
return $user->canAccessTenant($tenant);
|
||||
}
|
||||
|
||||
private function trustedScopedTenant(): ?Tenant
|
||||
{
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$workspaceContext = app(WorkspaceContext::class);
|
||||
|
||||
try {
|
||||
$workspace = $workspaceContext->currentWorkspaceForMemberOrFail($user, request());
|
||||
} catch (NotFoundHttpException) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$routeTenant = static::resolveScopedTenant();
|
||||
|
||||
if ($routeTenant instanceof Tenant) {
|
||||
try {
|
||||
return $workspaceContext->ensureTenantAccessibleInCurrentWorkspace($routeTenant, $user, request());
|
||||
} catch (NotFoundHttpException) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
if ($this->scopedTenantId === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$tenant = Tenant::query()->withTrashed()->whereKey($this->scopedTenantId)->first();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
try {
|
||||
return $workspaceContext->ensureTenantAccessibleInCurrentWorkspace($tenant, $user, request());
|
||||
} catch (NotFoundHttpException) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -39,6 +39,7 @@
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Badges\BadgeCatalog;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Livewire\TrustedState\TrustedStateResolver;
|
||||
use App\Support\Onboarding\OnboardingCheckpoint;
|
||||
use App\Support\Onboarding\OnboardingDraftStage;
|
||||
use App\Support\Onboarding\OnboardingLifecycleState;
|
||||
@ -51,6 +52,9 @@
|
||||
use App\Support\Providers\ProviderConsentStatus;
|
||||
use App\Support\Providers\ProviderReasonCodes;
|
||||
use App\Support\Providers\ProviderVerificationStatus;
|
||||
use App\Support\Tenants\TenantInteractionLane;
|
||||
use App\Support\Tenants\TenantLifecyclePresentation;
|
||||
use App\Support\Tenants\TenantOperabilityQuestion;
|
||||
use App\Support\Verification\VerificationAssistViewModelBuilder;
|
||||
use App\Support\Verification\VerificationCheckStatus;
|
||||
use App\Support\Verification\VerificationReportOverall;
|
||||
@ -85,6 +89,7 @@
|
||||
use Illuminate\Support\Facades\DB;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
use InvalidArgumentException;
|
||||
use Livewire\Attributes\Locked;
|
||||
use RuntimeException;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
|
||||
@ -120,8 +125,14 @@ protected function getLayoutData(): array
|
||||
|
||||
public ?Tenant $managedTenant = null;
|
||||
|
||||
#[Locked]
|
||||
public ?int $managedTenantId = null;
|
||||
|
||||
public ?TenantOnboardingSession $onboardingSession = null;
|
||||
|
||||
#[Locked]
|
||||
public ?int $onboardingSessionId = null;
|
||||
|
||||
public ?int $onboardingSessionVersion = null;
|
||||
|
||||
public ?int $selectedProviderConnectionId = null;
|
||||
@ -148,6 +159,15 @@ protected function getLayoutData(): array
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
$actions = [];
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
$tenant = $this->currentManagedTenantRecord();
|
||||
|
||||
if (isset($this->workspace)) {
|
||||
$actions[] = Action::make('back_to_workspace')
|
||||
->label('Back to workspace')
|
||||
->color('gray')
|
||||
->url(route('admin.home'));
|
||||
}
|
||||
|
||||
if ($this->shouldShowDraftLandingAction()) {
|
||||
$actions[] = Action::make('back_to_onboarding_landing')
|
||||
@ -158,12 +178,12 @@ protected function getHeaderActions(): array
|
||||
|
||||
if ($this->canViewLinkedTenant()) {
|
||||
$actions[] = Action::make('view_linked_tenant')
|
||||
->label('View tenant')
|
||||
->label($this->linkedTenantActionLabel())
|
||||
->color('gray')
|
||||
->url(TenantResource::getUrl('view', ['record' => $this->managedTenant]));
|
||||
->url($tenant instanceof Tenant ? TenantResource::getUrl('view', ['record' => $tenant]) : null);
|
||||
}
|
||||
|
||||
if ($this->canResumeDraft($this->onboardingSession)) {
|
||||
if ($this->canResumeDraft($draft)) {
|
||||
$actions[] = Action::make('cancel_onboarding_draft')
|
||||
->label('Cancel draft')
|
||||
->color('danger')
|
||||
@ -174,22 +194,55 @@ protected function getHeaderActions(): array
|
||||
->action(fn () => $this->cancelOnboardingDraft());
|
||||
}
|
||||
|
||||
if ($this->canDeleteDraft($draft)) {
|
||||
$actions[] = Action::make('delete_onboarding_draft_header')
|
||||
->label('Delete draft')
|
||||
->color('danger')
|
||||
->requiresConfirmation()
|
||||
->modalHeading('Delete onboarding draft')
|
||||
->modalDescription('This permanently deletes the onboarding draft record. The linked tenant record, if any, is not deleted.')
|
||||
->modalSubmitActionLabel('Delete draft')
|
||||
->visible(fn (): bool => $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CANCEL))
|
||||
->action(fn () => $this->deleteOnboardingDraft());
|
||||
}
|
||||
|
||||
return $actions;
|
||||
}
|
||||
|
||||
private function canViewLinkedTenant(): bool
|
||||
{
|
||||
$user = auth()->user();
|
||||
$tenant = $this->currentManagedTenantRecord();
|
||||
|
||||
if (! $user instanceof User || ! $this->managedTenant instanceof Tenant) {
|
||||
if (! $user instanceof User || ! $tenant instanceof Tenant) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($this->managedTenant)) {
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return app(TenantOperabilityService::class)->canViewTenantSurface($this->managedTenant);
|
||||
return app(TenantOperabilityService::class)->outcomeFor(
|
||||
tenant: $tenant,
|
||||
question: TenantOperabilityQuestion::TenantBoundViewability,
|
||||
actor: $user,
|
||||
workspaceId: (int) $this->workspace->getKey(),
|
||||
lane: TenantInteractionLane::AdministrativeManagement,
|
||||
)->allowed;
|
||||
}
|
||||
|
||||
private function linkedTenantActionLabel(): string
|
||||
{
|
||||
$tenant = $this->currentManagedTenantRecord();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return 'View tenant';
|
||||
}
|
||||
|
||||
return sprintf(
|
||||
'View tenant (%s)',
|
||||
TenantLifecyclePresentation::fromTenant($tenant)->label,
|
||||
);
|
||||
}
|
||||
|
||||
public function mount(TenantOnboardingSession|int|string|null $onboardingDraft = null): void
|
||||
@ -672,7 +725,7 @@ private function loadOnboardingDraft(User $user, TenantOnboardingSession|int|str
|
||||
$tenant = $draft->tenant;
|
||||
|
||||
if ($tenant instanceof Tenant && (int) $tenant->workspace_id === (int) $this->workspace->getKey()) {
|
||||
$this->managedTenant = $tenant;
|
||||
$this->setManagedTenant($tenant);
|
||||
}
|
||||
|
||||
$providerConnectionId = $draft->state['provider_connection_id'] ?? null;
|
||||
@ -761,7 +814,9 @@ private function draftPickerSchema(): array
|
||||
*/
|
||||
private function resumeContextSchema(): array
|
||||
{
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
if (! $draft instanceof TenantOnboardingSession) {
|
||||
return [];
|
||||
}
|
||||
|
||||
@ -774,19 +829,19 @@ private function resumeContextSchema(): array
|
||||
->schema([
|
||||
Text::make('Tenant')
|
||||
->color('gray'),
|
||||
Text::make(fn (): string => $this->draftTitle($this->onboardingSession))
|
||||
Text::make(fn () => $this->draftTitle($this->currentOnboardingSessionRecord() ?? $draft))
|
||||
->weight(FontWeight::SemiBold),
|
||||
Text::make('Current stage')
|
||||
->color('gray'),
|
||||
Text::make(fn (): string => $this->draftStageLabel($this->onboardingSession))
|
||||
Text::make(fn () => $this->draftStageLabel($this->currentOnboardingSessionRecord() ?? $draft))
|
||||
->badge()
|
||||
->color(fn (): string => $this->draftStageColor($this->onboardingSession)),
|
||||
->color(fn () => $this->draftStageColor($this->currentOnboardingSessionRecord() ?? $draft)),
|
||||
Text::make('Started by')
|
||||
->color('gray'),
|
||||
Text::make(fn (): string => $this->onboardingSession?->startedByUser?->name ?? 'Unknown'),
|
||||
Text::make(fn () => ($this->currentOnboardingSessionRecord() ?? $draft)?->startedByUser?->name ?? 'Unknown'),
|
||||
Text::make('Last updated by')
|
||||
->color('gray'),
|
||||
Text::make(fn (): string => $this->onboardingSession?->updatedByUser?->name ?? 'Unknown'),
|
||||
Text::make(fn () => ($this->currentOnboardingSessionRecord() ?? $draft)?->updatedByUser?->name ?? 'Unknown'),
|
||||
]),
|
||||
];
|
||||
}
|
||||
@ -796,11 +851,13 @@ private function resumeContextSchema(): array
|
||||
*/
|
||||
private function nonResumableSummarySchema(): array
|
||||
{
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
if (! $draft instanceof TenantOnboardingSession) {
|
||||
return [];
|
||||
}
|
||||
|
||||
$statusLabel = $this->onboardingSession->status()->label();
|
||||
$statusLabel = $draft->status()->label();
|
||||
|
||||
return [
|
||||
Callout::make("This onboarding draft is {$statusLabel}.")
|
||||
@ -815,22 +872,35 @@ private function nonResumableSummarySchema(): array
|
||||
->color('gray'),
|
||||
Text::make(fn (): string => $statusLabel)
|
||||
->badge()
|
||||
->color(fn (): string => $this->draftStatusColor($this->onboardingSession)),
|
||||
->color(fn () => $this->draftStatusColor($this->currentOnboardingSessionRecord() ?? $draft)),
|
||||
Text::make('Primary domain')
|
||||
->color('gray'),
|
||||
Text::make(fn (): string => (string) (($this->onboardingSession?->state['primary_domain'] ?? null) ?: '—')),
|
||||
Text::make(fn () => (string) ((($this->currentOnboardingSessionRecord() ?? $draft)?->state['primary_domain'] ?? null) ?: '—')),
|
||||
Text::make('Environment')
|
||||
->color('gray'),
|
||||
Text::make(fn (): string => (string) (($this->onboardingSession?->state['environment'] ?? null) ?: '—')),
|
||||
Text::make(fn () => (string) ((($this->currentOnboardingSessionRecord() ?? $draft)?->state['environment'] ?? null) ?: '—')),
|
||||
Text::make('Notes')
|
||||
->color('gray'),
|
||||
Text::make(fn (): string => (string) (($this->onboardingSession?->state['notes'] ?? null) ?: '—')),
|
||||
Text::make(fn () => (string) ((($this->currentOnboardingSessionRecord() ?? $draft)?->state['notes'] ?? null) ?: '—')),
|
||||
]),
|
||||
SchemaActions::make([
|
||||
Action::make('back_to_workspace_summary')
|
||||
->label('Back to workspace')
|
||||
->color('gray')
|
||||
->url(route('admin.home')),
|
||||
Action::make('return_to_onboarding_landing')
|
||||
->label('Return to onboarding')
|
||||
->color('gray')
|
||||
->url(route('admin.onboarding')),
|
||||
Action::make('delete_onboarding_draft')
|
||||
->label('Delete draft')
|
||||
->color('danger')
|
||||
->requiresConfirmation()
|
||||
->modalHeading('Delete onboarding draft')
|
||||
->modalDescription('This permanently deletes the onboarding draft record. The linked tenant record, if any, is not deleted.')
|
||||
->modalSubmitActionLabel('Delete draft')
|
||||
->visible(fn (): bool => $this->canDeleteDraft($this->currentOnboardingSessionRecord() ?? $draft))
|
||||
->action(fn () => $this->deleteOnboardingDraft()),
|
||||
]),
|
||||
];
|
||||
}
|
||||
@ -839,7 +909,7 @@ private function startNewOnboardingDraft(): void
|
||||
{
|
||||
$this->showDraftPicker = false;
|
||||
$this->showStartState = true;
|
||||
$this->managedTenant = null;
|
||||
$this->setManagedTenant(null);
|
||||
$this->setOnboardingSession(null);
|
||||
$this->selectedProviderConnectionId = null;
|
||||
$this->selectedBootstrapOperationTypes = [];
|
||||
@ -891,9 +961,20 @@ private function cancelOnboardingDraft(): void
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$this->authorize('cancel', $this->onboardingSession);
|
||||
$this->authorizeWorkspaceMember($user);
|
||||
|
||||
if (! $this->canResumeDraft($this->onboardingSession)) {
|
||||
$draft = app(TrustedStateResolver::class)->resolveOnboardingDraft(
|
||||
$this->onboardingSessionId ?? $this->onboardingSession,
|
||||
$user,
|
||||
$this->workspace,
|
||||
app(OnboardingDraftResolver::class),
|
||||
);
|
||||
|
||||
$this->setOnboardingSession($draft);
|
||||
|
||||
$this->authorize('cancel', $draft);
|
||||
|
||||
if (! $this->canResumeDraft($draft)) {
|
||||
Notification::make()
|
||||
->title('Draft is not resumable')
|
||||
->warning()
|
||||
@ -954,8 +1035,7 @@ private function cancelOnboardingDraft(): void
|
||||
],
|
||||
);
|
||||
|
||||
$this->managedTenant = $normalizedTenant;
|
||||
$this->onboardingSession->setRelation('tenant', $normalizedTenant);
|
||||
$this->setManagedTenant($normalizedTenant);
|
||||
}
|
||||
|
||||
Notification::make()
|
||||
@ -966,10 +1046,91 @@ private function cancelOnboardingDraft(): void
|
||||
$this->redirect(route('admin.onboarding.draft', ['onboardingDraft' => $this->onboardingSession]));
|
||||
}
|
||||
|
||||
private function deleteOnboardingDraft(): void
|
||||
{
|
||||
$user = $this->currentUser();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$this->authorizeWorkspaceMember($user);
|
||||
|
||||
$draft = app(TrustedStateResolver::class)->resolveOnboardingDraft(
|
||||
$this->onboardingSessionId ?? $this->onboardingSession,
|
||||
$user,
|
||||
$this->workspace,
|
||||
app(OnboardingDraftResolver::class),
|
||||
);
|
||||
|
||||
$this->setOnboardingSession($draft);
|
||||
|
||||
$this->authorize('cancel', $draft);
|
||||
|
||||
if (! $this->canDeleteDraft($draft)) {
|
||||
Notification::make()
|
||||
->title('Draft cannot be deleted')
|
||||
->warning()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$draftId = (int) $draft->getKey();
|
||||
$draftTitle = $this->draftTitle($draft);
|
||||
$draftStatus = $draft->status()->value;
|
||||
$draftLifecycle = $draft->lifecycleState()->value;
|
||||
$tenantId = $draft->tenant_id !== null ? (int) $draft->tenant_id : null;
|
||||
|
||||
$draft->delete();
|
||||
|
||||
app(WorkspaceAuditLogger::class)->log(
|
||||
workspace: $this->workspace,
|
||||
action: AuditActionId::ManagedTenantOnboardingDeleted->value,
|
||||
context: [
|
||||
'metadata' => [
|
||||
'workspace_id' => (int) $this->workspace->getKey(),
|
||||
'onboarding_session_id' => $draftId,
|
||||
'tenant_db_id' => $tenantId,
|
||||
'status' => $draftStatus,
|
||||
'lifecycle_state' => $draftLifecycle,
|
||||
],
|
||||
],
|
||||
actor: $user,
|
||||
status: 'success',
|
||||
resourceType: 'managed_tenant_onboarding_session',
|
||||
resourceId: (string) $draftId,
|
||||
targetLabel: $draftTitle,
|
||||
);
|
||||
|
||||
$this->setManagedTenant(null);
|
||||
$this->setOnboardingSession(null);
|
||||
|
||||
Notification::make()
|
||||
->title('Onboarding draft deleted')
|
||||
->success()
|
||||
->send();
|
||||
|
||||
$this->redirect(route('admin.onboarding'));
|
||||
}
|
||||
|
||||
private function showsNonResumableSummary(): bool
|
||||
{
|
||||
return $this->onboardingSession instanceof TenantOnboardingSession
|
||||
&& ! $this->canResumeDraft($this->onboardingSession);
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
return $draft instanceof TenantOnboardingSession
|
||||
&& ! $this->canResumeDraft($draft);
|
||||
}
|
||||
|
||||
private function canDeleteDraft(?TenantOnboardingSession $draft): bool
|
||||
{
|
||||
return $draft instanceof TenantOnboardingSession
|
||||
&& ! $this->canResumeDraft($draft)
|
||||
&& $this->currentUserCan(Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CANCEL);
|
||||
}
|
||||
|
||||
private function onboardingDraftLandingActionLabel(): string
|
||||
@ -995,11 +1156,13 @@ private function onboardingEntryActionDescriptor(int $resumableDraftCount): \App
|
||||
|
||||
private function shouldShowDraftLandingAction(): bool
|
||||
{
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
if (! $draft instanceof TenantOnboardingSession) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $this->canResumeDraft($this->onboardingSession)) {
|
||||
if (! $this->canResumeDraft($draft)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -1097,14 +1260,95 @@ private function expectedDraftVersion(): ?int
|
||||
private function setOnboardingSession(?TenantOnboardingSession $draft): void
|
||||
{
|
||||
$this->onboardingSession = $draft;
|
||||
$this->onboardingSessionId = $draft instanceof TenantOnboardingSession
|
||||
? (int) $draft->getKey()
|
||||
: null;
|
||||
$this->onboardingSessionVersion = $draft instanceof TenantOnboardingSession
|
||||
? $draft->expectedVersion()
|
||||
: null;
|
||||
|
||||
if ($draft instanceof TenantOnboardingSession && $draft->tenant instanceof Tenant) {
|
||||
$this->setManagedTenant($draft->tenant);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
if ($draft instanceof TenantOnboardingSession && $draft->tenant_id !== null) {
|
||||
$this->managedTenantId = (int) $draft->tenant_id;
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$this->setManagedTenant(null);
|
||||
}
|
||||
|
||||
private function setManagedTenant(?Tenant $tenant): void
|
||||
{
|
||||
$this->managedTenant = $tenant;
|
||||
$this->managedTenantId = $tenant instanceof Tenant
|
||||
? (int) $tenant->getKey()
|
||||
: null;
|
||||
|
||||
if ($this->onboardingSession instanceof TenantOnboardingSession && $tenant instanceof Tenant) {
|
||||
$this->onboardingSession->setRelation('tenant', $tenant);
|
||||
}
|
||||
}
|
||||
|
||||
private function currentOnboardingSessionRecord(): ?TenantOnboardingSession
|
||||
{
|
||||
if ($this->onboardingSession instanceof TenantOnboardingSession
|
||||
&& $this->onboardingSessionId !== null
|
||||
&& (int) $this->onboardingSession->getKey() === $this->onboardingSessionId) {
|
||||
return $this->onboardingSession;
|
||||
}
|
||||
|
||||
if ($this->onboardingSessionId === null) {
|
||||
return $this->onboardingSession;
|
||||
}
|
||||
|
||||
$query = TenantOnboardingSession::query()
|
||||
->with(['tenant', 'startedByUser', 'updatedByUser'])
|
||||
->whereKey($this->onboardingSessionId);
|
||||
|
||||
if (isset($this->workspace)) {
|
||||
$query->where('workspace_id', (int) $this->workspace->getKey());
|
||||
}
|
||||
|
||||
return $query->first();
|
||||
}
|
||||
|
||||
private function currentManagedTenantRecord(): ?Tenant
|
||||
{
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
if ($draft instanceof TenantOnboardingSession && $draft->tenant instanceof Tenant) {
|
||||
return $draft->tenant;
|
||||
}
|
||||
|
||||
if ($this->managedTenant instanceof Tenant
|
||||
&& $this->managedTenantId !== null
|
||||
&& (int) $this->managedTenant->getKey() === $this->managedTenantId) {
|
||||
return $this->managedTenant;
|
||||
}
|
||||
|
||||
if ($this->managedTenantId === null) {
|
||||
return $this->managedTenant;
|
||||
}
|
||||
|
||||
$query = Tenant::query()->withTrashed()->whereKey($this->managedTenantId);
|
||||
|
||||
if (isset($this->workspace)) {
|
||||
$query->where('workspace_id', (int) $this->workspace->getKey());
|
||||
}
|
||||
|
||||
return $query->first();
|
||||
}
|
||||
|
||||
private function refreshOnboardingDraftFromBackend(): void
|
||||
{
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
if (! $draft instanceof TenantOnboardingSession) {
|
||||
return;
|
||||
}
|
||||
|
||||
@ -1115,15 +1359,11 @@ private function refreshOnboardingDraftFromBackend(): void
|
||||
}
|
||||
|
||||
$this->setOnboardingSession(app(OnboardingDraftResolver::class)->resolve(
|
||||
$this->onboardingSession,
|
||||
$draft,
|
||||
$user,
|
||||
$this->workspace,
|
||||
));
|
||||
|
||||
if ($this->onboardingSession->tenant instanceof Tenant) {
|
||||
$this->managedTenant = $this->onboardingSession->tenant;
|
||||
}
|
||||
|
||||
$providerConnectionId = $this->onboardingSession->state['provider_connection_id'] ?? null;
|
||||
$this->selectedProviderConnectionId = $this->resolvePersistedProviderConnectionId($providerConnectionId);
|
||||
$this->initializeWizardData();
|
||||
@ -1153,11 +1393,13 @@ private function handleImmutableDraft(string $title = 'This onboarding draft is
|
||||
|
||||
private function lifecycleState(): OnboardingLifecycleState
|
||||
{
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
if (! $draft instanceof TenantOnboardingSession) {
|
||||
return OnboardingLifecycleState::Draft;
|
||||
}
|
||||
|
||||
return $this->lifecycleService()->snapshot($this->onboardingSession)['lifecycle_state'];
|
||||
return $this->lifecycleService()->snapshot($draft)['lifecycle_state'];
|
||||
}
|
||||
|
||||
private function lifecycleStateLabel(): string
|
||||
@ -1180,30 +1422,38 @@ private function lifecycleStateColor(): string
|
||||
|
||||
private function currentCheckpointLabel(): string
|
||||
{
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
if (! $draft instanceof TenantOnboardingSession) {
|
||||
return OnboardingCheckpoint::Identify->label();
|
||||
}
|
||||
|
||||
return ($this->lifecycleService()->snapshot($this->onboardingSession)['current_checkpoint'] ?? OnboardingCheckpoint::Identify)?->label()
|
||||
return ($this->lifecycleService()->snapshot($draft)['current_checkpoint'] ?? OnboardingCheckpoint::Identify)?->label()
|
||||
?? OnboardingCheckpoint::Identify->label();
|
||||
}
|
||||
|
||||
public function shouldPollCheckpointLifecycle(): bool
|
||||
{
|
||||
return $this->onboardingSession instanceof TenantOnboardingSession
|
||||
&& $this->lifecycleService()->hasActiveCheckpoint($this->onboardingSession);
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
return $draft instanceof TenantOnboardingSession
|
||||
&& $this->lifecycleService()->hasActiveCheckpoint($draft);
|
||||
}
|
||||
|
||||
public function refreshCheckpointLifecycle(): void
|
||||
{
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
if (! $draft instanceof TenantOnboardingSession) {
|
||||
return;
|
||||
}
|
||||
|
||||
$this->setOnboardingSession($this->lifecycleService()->syncPersistedLifecycle($this->onboardingSession));
|
||||
$this->setOnboardingSession($this->lifecycleService()->syncPersistedLifecycle($draft));
|
||||
|
||||
if ($this->managedTenant instanceof Tenant) {
|
||||
$this->managedTenant->refresh();
|
||||
$tenant = $this->currentManagedTenantRecord();
|
||||
|
||||
if ($tenant instanceof Tenant) {
|
||||
$this->setManagedTenant($tenant->fresh());
|
||||
}
|
||||
|
||||
$this->initializeWizardData();
|
||||
@ -1229,20 +1479,24 @@ private function initializeWizardData(): void
|
||||
$this->data['new_connection']['is_default'] ??= true;
|
||||
}
|
||||
|
||||
if ($this->managedTenant instanceof Tenant) {
|
||||
$this->data['entra_tenant_id'] ??= (string) $this->managedTenant->tenant_id;
|
||||
$this->data['environment'] ??= (string) ($this->managedTenant->environment ?? 'other');
|
||||
$this->data['name'] ??= (string) $this->managedTenant->name;
|
||||
$this->data['primary_domain'] ??= (string) ($this->managedTenant->domain ?? '');
|
||||
$tenant = $this->currentManagedTenantRecord();
|
||||
|
||||
$notes = is_array($this->managedTenant->metadata) ? ($this->managedTenant->metadata['notes'] ?? null) : null;
|
||||
if ($tenant instanceof Tenant) {
|
||||
$this->data['entra_tenant_id'] ??= (string) $tenant->tenant_id;
|
||||
$this->data['environment'] ??= (string) ($tenant->environment ?? 'other');
|
||||
$this->data['name'] ??= (string) $tenant->name;
|
||||
$this->data['primary_domain'] ??= (string) ($tenant->domain ?? '');
|
||||
|
||||
$notes = is_array($tenant->metadata) ? ($tenant->metadata['notes'] ?? null) : null;
|
||||
if (is_string($notes) && trim($notes) !== '') {
|
||||
$this->data['notes'] ??= trim($notes);
|
||||
}
|
||||
}
|
||||
|
||||
if ($this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
$state = is_array($this->onboardingSession->state) ? $this->onboardingSession->state : [];
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
if ($draft instanceof TenantOnboardingSession) {
|
||||
$state = is_array($draft->state) ? $draft->state : [];
|
||||
|
||||
if (isset($state['entra_tenant_id']) && is_string($state['entra_tenant_id']) && trim($state['entra_tenant_id']) !== '') {
|
||||
$this->data['entra_tenant_id'] ??= trim($state['entra_tenant_id']);
|
||||
@ -1272,13 +1526,13 @@ private function initializeWizardData(): void
|
||||
}
|
||||
}
|
||||
|
||||
$providerConnectionId = $this->resolvePersistedProviderConnectionId($this->onboardingSession->state['provider_connection_id'] ?? null);
|
||||
$providerConnectionId = $this->resolvePersistedProviderConnectionId($draft->state['provider_connection_id'] ?? null);
|
||||
if ($providerConnectionId !== null) {
|
||||
$this->data['provider_connection_id'] = $providerConnectionId;
|
||||
$this->selectedProviderConnectionId = $providerConnectionId;
|
||||
}
|
||||
|
||||
$types = $this->onboardingSession->state['bootstrap_operation_types'] ?? null;
|
||||
$types = $draft->state['bootstrap_operation_types'] ?? null;
|
||||
if (is_array($types)) {
|
||||
$this->data['bootstrap_operation_types'] = array_values(array_filter($types, static fn ($v): bool => is_string($v) && $v !== ''));
|
||||
}
|
||||
@ -1296,7 +1550,7 @@ private function initializeWizardData(): void
|
||||
private function computeWizardStartStep(): int
|
||||
{
|
||||
return app(OnboardingDraftStageResolver::class)
|
||||
->resolve($this->onboardingSession)
|
||||
->resolve($this->currentOnboardingSessionRecord())
|
||||
->wizardStep();
|
||||
}
|
||||
|
||||
@ -1305,13 +1559,15 @@ private function computeWizardStartStep(): int
|
||||
*/
|
||||
private function providerConnectionOptions(): array
|
||||
{
|
||||
if (! $this->managedTenant instanceof Tenant) {
|
||||
$tenant = $this->currentManagedTenantRecord();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return ProviderConnection::query()
|
||||
->where('workspace_id', (int) $this->workspace->getKey())
|
||||
->where('tenant_id', $this->managedTenant->getKey())
|
||||
->where('tenant_id', $tenant->getKey())
|
||||
->orderByDesc('is_default')
|
||||
->orderBy('display_name')
|
||||
->pluck('display_name', 'id')
|
||||
@ -1328,11 +1584,13 @@ private function verificationStatusLabel(): string
|
||||
|
||||
private function verificationStatus(): string
|
||||
{
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
$draft = $this->currentOnboardingSessionRecord();
|
||||
|
||||
if (! $draft instanceof TenantOnboardingSession) {
|
||||
return 'not_started';
|
||||
}
|
||||
|
||||
return $this->lifecycleService()->verificationStatus($this->onboardingSession, $this->selectedProviderConnectionId);
|
||||
return $this->lifecycleService()->verificationStatus($draft, $this->selectedProviderConnectionId);
|
||||
}
|
||||
|
||||
private function verificationStatusFromRunOutcome(OperationRun $run): string
|
||||
@ -1829,6 +2087,19 @@ private function authorizeEditableDraft(User $user): void
|
||||
return;
|
||||
}
|
||||
|
||||
$expectedVersion = $this->expectedDraftVersion();
|
||||
|
||||
$this->setOnboardingSession(app(TrustedStateResolver::class)->resolveOnboardingDraft(
|
||||
$this->onboardingSessionId ?? $this->onboardingSession,
|
||||
$user,
|
||||
$this->workspace,
|
||||
app(OnboardingDraftResolver::class),
|
||||
));
|
||||
|
||||
if ($expectedVersion !== null) {
|
||||
$this->onboardingSessionVersion = $expectedVersion;
|
||||
}
|
||||
|
||||
$this->authorize('update', $this->onboardingSession);
|
||||
|
||||
if (! $this->canResumeDraft($this->onboardingSession)) {
|
||||
@ -1836,17 +2107,56 @@ private function authorizeEditableDraft(User $user): void
|
||||
}
|
||||
}
|
||||
|
||||
private function trustedManagedTenantForUser(User $user): Tenant
|
||||
{
|
||||
$tenant = $this->currentManagedTenantRecord();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$tenant = $tenant->fresh();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$tenant = app(WorkspaceContext::class)->ensureTenantAccessibleInCurrentWorkspace($tenant, $user, request());
|
||||
|
||||
$this->setManagedTenant($tenant);
|
||||
|
||||
return $tenant;
|
||||
}
|
||||
|
||||
private function canResumeDraft(?TenantOnboardingSession $draft): bool
|
||||
{
|
||||
return $draft instanceof TenantOnboardingSession
|
||||
&& $this->lifecycleService()->canResumeDraft($draft);
|
||||
if (! $draft instanceof TenantOnboardingSession) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $draft->tenant instanceof Tenant) {
|
||||
return $this->lifecycleService()->canResumeDraft($draft);
|
||||
}
|
||||
|
||||
$user = $this->currentUser();
|
||||
|
||||
return app(TenantOperabilityService::class)->outcomeFor(
|
||||
tenant: $draft->tenant,
|
||||
question: TenantOperabilityQuestion::ResumeOnboardingEligibility,
|
||||
actor: $user instanceof User ? $user : null,
|
||||
workspaceId: isset($this->workspace) ? (int) $this->workspace->getKey() : null,
|
||||
lane: TenantInteractionLane::OnboardingWorkflow,
|
||||
onboardingDraft: $draft,
|
||||
)->allowed;
|
||||
}
|
||||
|
||||
private function authorizeWorkspaceMember(User $user): void
|
||||
{
|
||||
if (! app(WorkspaceContext::class)->isMember($user, $this->workspace)) {
|
||||
abort(404);
|
||||
}
|
||||
$this->workspace = app(TrustedStateResolver::class)->currentWorkspaceForMember(
|
||||
$user,
|
||||
app(WorkspaceContext::class),
|
||||
request(),
|
||||
);
|
||||
}
|
||||
|
||||
private function resolveWorkspaceIdForUnboundTenant(Tenant $tenant): ?int
|
||||
@ -2043,7 +2353,7 @@ public function identifyManagedTenant(array $data): void
|
||||
resourceId: (string) $tenant->getKey(),
|
||||
);
|
||||
|
||||
$this->managedTenant = $tenant;
|
||||
$this->setManagedTenant($tenant);
|
||||
$this->setOnboardingSession($session);
|
||||
});
|
||||
} catch (OnboardingDraftConflictException) {
|
||||
@ -2082,13 +2392,11 @@ public function selectProviderConnection(int $providerConnectionId): void
|
||||
$this->authorizeWorkspaceMutation($user, Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW);
|
||||
$this->authorizeEditableDraft($user);
|
||||
|
||||
if (! $this->managedTenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
$tenant = $this->trustedManagedTenantForUser($user);
|
||||
|
||||
$connection = ProviderConnection::query()
|
||||
->where('workspace_id', (int) $this->workspace->getKey())
|
||||
->where('tenant_id', $this->managedTenant->getKey())
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->whereKey($providerConnectionId)
|
||||
->first();
|
||||
|
||||
@ -2134,7 +2442,7 @@ public function selectProviderConnection(int $providerConnectionId): void
|
||||
context: [
|
||||
'metadata' => [
|
||||
'workspace_id' => (int) $this->workspace->getKey(),
|
||||
'tenant_db_id' => (int) $this->managedTenant->getKey(),
|
||||
'tenant_db_id' => (int) $tenant->getKey(),
|
||||
'provider_connection_id' => (int) $connection->getKey(),
|
||||
'onboarding_session_id' => $this->onboardingSession?->getKey(),
|
||||
],
|
||||
@ -2167,11 +2475,7 @@ public function createProviderConnection(array $data): void
|
||||
$this->authorizeWorkspaceMutation($user, Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE);
|
||||
$this->authorizeEditableDraft($user);
|
||||
|
||||
if (! $this->managedTenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$tenant = $this->managedTenant->fresh();
|
||||
$tenant = $this->trustedManagedTenantForUser($user)->fresh();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
@ -2360,7 +2664,7 @@ public function createProviderConnection(array $data): void
|
||||
context: [
|
||||
'metadata' => [
|
||||
'workspace_id' => (int) $this->workspace->getKey(),
|
||||
'tenant_db_id' => (int) $this->managedTenant->getKey(),
|
||||
'tenant_db_id' => (int) $tenant->getKey(),
|
||||
'provider_connection_id' => (int) $connection->getKey(),
|
||||
'onboarding_session_id' => $this->onboardingSession?->getKey(),
|
||||
],
|
||||
@ -2402,7 +2706,9 @@ public function startVerification(): void
|
||||
$this->authorizeWorkspaceMutation($user, Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START);
|
||||
$this->authorizeEditableDraft($user);
|
||||
|
||||
if (! $this->managedTenant instanceof Tenant) {
|
||||
try {
|
||||
$tenant = $this->trustedManagedTenantForUser($user)->fresh();
|
||||
} catch (\Symfony\Component\HttpKernel\Exception\NotFoundHttpException) {
|
||||
Notification::make()
|
||||
->title('Identify a managed tenant first')
|
||||
->warning()
|
||||
@ -2411,8 +2717,6 @@ public function startVerification(): void
|
||||
return;
|
||||
}
|
||||
|
||||
$tenant = $this->managedTenant->fresh();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
@ -2613,6 +2917,15 @@ public function startVerification(): void
|
||||
|
||||
public function refreshVerificationStatus(): void
|
||||
{
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
$this->authorizeWorkspaceMember($user);
|
||||
$this->authorizeEditableDraft($user);
|
||||
|
||||
$this->refreshCheckpointLifecycle();
|
||||
|
||||
Notification::make()
|
||||
@ -2635,11 +2948,7 @@ public function startBootstrap(array $operationTypes): void
|
||||
$this->authorizeWorkspaceMember($user);
|
||||
$this->authorizeEditableDraft($user);
|
||||
|
||||
if (! $this->managedTenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$tenant = $this->managedTenant->fresh();
|
||||
$tenant = $this->trustedManagedTenantForUser($user)->fresh();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
@ -2940,6 +3249,19 @@ private function canCompleteOnboarding(): bool
|
||||
return false;
|
||||
}
|
||||
|
||||
$user = $this->currentUser();
|
||||
|
||||
if (! app(TenantOperabilityService::class)->outcomeFor(
|
||||
tenant: $this->managedTenant,
|
||||
question: TenantOperabilityQuestion::OnboardingCompletionEligibility,
|
||||
actor: $user instanceof User ? $user : null,
|
||||
workspaceId: isset($this->workspace) ? (int) $this->workspace->getKey() : null,
|
||||
lane: TenantInteractionLane::OnboardingWorkflow,
|
||||
onboardingDraft: $this->onboardingSession,
|
||||
)->allowed) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $this->resolveSelectedProviderConnection($this->managedTenant)) {
|
||||
return false;
|
||||
}
|
||||
@ -2961,23 +3283,27 @@ private function canCompleteOnboarding(): bool
|
||||
|
||||
private function completionSummaryTenantLine(): string
|
||||
{
|
||||
if (! $this->managedTenant instanceof Tenant) {
|
||||
$tenant = $this->currentManagedTenantRecord();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return '—';
|
||||
}
|
||||
|
||||
$name = $this->managedTenant->name ?? '—';
|
||||
$tenantId = $this->managedTenant->graphTenantId();
|
||||
$name = $tenant->name ?? '—';
|
||||
$tenantId = $tenant->graphTenantId();
|
||||
|
||||
return $tenantId !== null ? "{$name} ({$tenantId})" : $name;
|
||||
}
|
||||
|
||||
private function completionSummaryConnectionLabel(): string
|
||||
{
|
||||
if (! $this->managedTenant instanceof Tenant) {
|
||||
$tenant = $this->currentManagedTenantRecord();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return '—';
|
||||
}
|
||||
|
||||
$connection = $this->resolveSelectedProviderConnection($this->managedTenant);
|
||||
$connection = $this->resolveSelectedProviderConnection($tenant);
|
||||
|
||||
if (! $connection instanceof ProviderConnection) {
|
||||
return 'Not configured';
|
||||
@ -3105,12 +3431,29 @@ public function completeOnboarding(): void
|
||||
$this->authorizeWorkspaceMutation($user, Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE);
|
||||
$this->authorizeEditableDraft($user);
|
||||
|
||||
if (! $this->managedTenant instanceof Tenant) {
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! $this->onboardingSession instanceof TenantOnboardingSession) {
|
||||
abort(404);
|
||||
$tenant = $this->trustedManagedTenantForUser($user);
|
||||
|
||||
$completionOutcome = app(TenantOperabilityService::class)->outcomeFor(
|
||||
tenant: $tenant,
|
||||
question: TenantOperabilityQuestion::OnboardingCompletionEligibility,
|
||||
actor: $user,
|
||||
workspaceId: (int) $this->workspace->getKey(),
|
||||
lane: TenantInteractionLane::OnboardingWorkflow,
|
||||
onboardingDraft: $this->onboardingSession,
|
||||
);
|
||||
|
||||
if (! $completionOutcome->allowed) {
|
||||
Notification::make()
|
||||
->title('Onboarding unavailable')
|
||||
->body('This tenant can no longer be completed from the current onboarding workflow state.')
|
||||
->warning()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$run = $this->verificationRun();
|
||||
@ -3146,7 +3489,7 @@ public function completeOnboarding(): void
|
||||
}
|
||||
}
|
||||
|
||||
$tenant = $this->managedTenant->fresh();
|
||||
$tenant = $tenant->fresh();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
|
||||
@ -10,6 +10,9 @@
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Services\Tenants\TenantOperabilityService;
|
||||
use App\Support\Tenants\TenantInteractionLane;
|
||||
use App\Support\Tenants\TenantOperabilityQuestion;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Pages\Page;
|
||||
use Illuminate\Database\Eloquent\Collection;
|
||||
|
||||
@ -64,7 +67,15 @@ public function getTenants(): Collection
|
||||
->where('workspace_id', $this->workspace->getKey())
|
||||
->orderBy('name')
|
||||
->get()
|
||||
->filter(fn (Tenant $tenant): bool => app(TenantOperabilityService::class)->canViewTenantSurface($tenant))
|
||||
->filter(function (Tenant $tenant) use ($user): bool {
|
||||
return app(TenantOperabilityService::class)->outcomeFor(
|
||||
tenant: $tenant,
|
||||
question: TenantOperabilityQuestion::AdministrativeDiscoverability,
|
||||
actor: $user,
|
||||
workspaceId: app(WorkspaceContext::class)->currentWorkspaceId(request()),
|
||||
lane: TenantInteractionLane::AdministrativeManagement,
|
||||
)->allowed;
|
||||
})
|
||||
->values();
|
||||
}
|
||||
|
||||
|
||||
@ -3,6 +3,7 @@
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Exceptions\InvalidPolicyTypeException;
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Resources\BackupScheduleResource\Pages;
|
||||
use App\Filament\Resources\BackupScheduleResource\RelationManagers\BackupScheduleOperationRunsRelationManager;
|
||||
@ -64,6 +65,7 @@
|
||||
|
||||
class BackupScheduleResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
|
||||
protected static ?string $model = BackupSchedule::class;
|
||||
@ -581,6 +583,8 @@ public static function table(Table $table): Table
|
||||
->color('danger')
|
||||
->visible(fn (BackupSchedule $record): bool => ! $record->trashed())
|
||||
->action(function (BackupSchedule $record, AuditLogger $auditLogger): void {
|
||||
$record = static::resolveProtectedScheduleRecordOrFail($record);
|
||||
|
||||
Gate::authorize('delete', $record);
|
||||
|
||||
if ($record->trashed()) {
|
||||
@ -622,6 +626,8 @@ public static function table(Table $table): Table
|
||||
->color('success')
|
||||
->visible(fn (BackupSchedule $record): bool => $record->trashed())
|
||||
->action(function (BackupSchedule $record, AuditLogger $auditLogger): void {
|
||||
$record = static::resolveProtectedScheduleRecordOrFail($record);
|
||||
|
||||
Gate::authorize('restore', $record);
|
||||
|
||||
if (! $record->trashed()) {
|
||||
@ -662,6 +668,8 @@ public static function table(Table $table): Table
|
||||
->color('danger')
|
||||
->visible(fn (BackupSchedule $record): bool => $record->trashed())
|
||||
->action(function (BackupSchedule $record, AuditLogger $auditLogger): void {
|
||||
$record = static::resolveProtectedScheduleRecordOrFail($record);
|
||||
|
||||
Gate::authorize('forceDelete', $record);
|
||||
|
||||
if (! $record->trashed()) {
|
||||
@ -919,17 +927,32 @@ public static function table(Table $table): Table
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
$tenantId = static::resolveTenantContextForCurrentPanelOrFail()->getKey();
|
||||
|
||||
return parent::getEloquentQuery()
|
||||
->where('tenant_id', $tenantId)
|
||||
return static::getTenantOwnedEloquentQuery()
|
||||
->orderByDesc('is_enabled')
|
||||
->orderBy('next_run_at');
|
||||
}
|
||||
|
||||
public static function getRecordRouteBindingEloquentQuery(): Builder
|
||||
{
|
||||
return static::getEloquentQuery()->withTrashed();
|
||||
return static::scopeTenantOwnedQuery(parent::getEloquentQuery()->withTrashed())
|
||||
->orderByDesc('is_enabled')
|
||||
->orderBy('next_run_at');
|
||||
}
|
||||
|
||||
public static function resolveScopedRecordOrFail(int|string $key): Model
|
||||
{
|
||||
return static::resolveTenantOwnedRecordOrFail($key, parent::getEloquentQuery()->withTrashed());
|
||||
}
|
||||
|
||||
protected static function resolveProtectedScheduleRecordOrFail(BackupSchedule|int|string $record): BackupSchedule
|
||||
{
|
||||
$resolvedRecord = static::resolveScopedRecordOrFail($record instanceof Model ? $record->getKey() : $record);
|
||||
|
||||
if (! $resolvedRecord instanceof BackupSchedule) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
return $resolvedRecord;
|
||||
}
|
||||
|
||||
public static function getRelations(): array
|
||||
|
||||
@ -5,7 +5,6 @@
|
||||
use App\Filament\Resources\BackupScheduleResource;
|
||||
use Filament\Resources\Pages\EditRecord;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Database\Eloquent\ModelNotFoundException;
|
||||
|
||||
class EditBackupSchedule extends EditRecord
|
||||
{
|
||||
@ -13,15 +12,7 @@ class EditBackupSchedule extends EditRecord
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
$record = BackupScheduleResource::getEloquentQuery()
|
||||
->withTrashed()
|
||||
->find($key);
|
||||
|
||||
if ($record === null) {
|
||||
throw (new ModelNotFoundException)->setModel(BackupScheduleResource::getModel(), [$key]);
|
||||
}
|
||||
|
||||
return $record;
|
||||
return BackupScheduleResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
|
||||
protected function mutateFormDataBeforeSave(array $data): array
|
||||
|
||||
@ -5,18 +5,32 @@
|
||||
use App\Filament\Resources\BackupScheduleResource;
|
||||
use App\Support\Filament\CanonicalAdminTenantFilterState;
|
||||
use Filament\Resources\Pages\ListRecords;
|
||||
use Illuminate\Database\Eloquent\ModelNotFoundException;
|
||||
|
||||
class ListBackupSchedules extends ListRecords
|
||||
{
|
||||
protected static string $resource = BackupScheduleResource::class;
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $arguments
|
||||
* @param array<string, mixed> $context
|
||||
*/
|
||||
public function mountAction(string $name, array $arguments = [], array $context = []): mixed
|
||||
{
|
||||
if (($context['table'] ?? false) === true && filled($context['recordKey'] ?? null) && in_array($name, ['archive', 'restore', 'forceDelete'], true)) {
|
||||
try {
|
||||
BackupScheduleResource::resolveScopedRecordOrFail($context['recordKey']);
|
||||
} catch (ModelNotFoundException) {
|
||||
abort(404);
|
||||
}
|
||||
}
|
||||
|
||||
return parent::mountAction($name, $arguments, $context);
|
||||
}
|
||||
|
||||
public function mount(): void
|
||||
{
|
||||
app(CanonicalAdminTenantFilterState::class)->sync(
|
||||
$this->getTableFiltersSessionKey(),
|
||||
request: request(),
|
||||
tenantFilterName: null,
|
||||
);
|
||||
$this->syncCanonicalAdminTenantFilterState();
|
||||
|
||||
parent::mount();
|
||||
}
|
||||
@ -40,4 +54,14 @@ private function tableHasRecords(): bool
|
||||
{
|
||||
return $this->getTableRecords()->count() > 0;
|
||||
}
|
||||
|
||||
private function syncCanonicalAdminTenantFilterState(): void
|
||||
{
|
||||
app(CanonicalAdminTenantFilterState::class)->sync(
|
||||
$this->getTableFiltersSessionKey(),
|
||||
tenantSensitiveFilters: [],
|
||||
request: request(),
|
||||
tenantFilterName: null,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
@ -12,6 +12,7 @@
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
|
||||
use Closure;
|
||||
use Filament\Actions;
|
||||
use Filament\Resources\RelationManagers\RelationManager;
|
||||
use Filament\Tables;
|
||||
@ -24,6 +25,19 @@ class BackupScheduleOperationRunsRelationManager extends RelationManager
|
||||
|
||||
protected static ?string $title = 'Executions';
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $arguments
|
||||
* @param array<string, mixed> $context
|
||||
*/
|
||||
public function mountAction(string $name, array $arguments = [], array $context = []): mixed
|
||||
{
|
||||
if (($context['table'] ?? false) === true && $name === 'view' && filled($context['recordKey'] ?? null)) {
|
||||
$this->resolveOwnerScopedOperationRun($context['recordKey']);
|
||||
}
|
||||
|
||||
return parent::mountAction($name, $arguments, $context);
|
||||
}
|
||||
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forRelationManager(ActionSurfaceProfile::RelationManager)
|
||||
@ -48,7 +62,7 @@ public function table(Table $table): Table
|
||||
|
||||
Tables\Columns\TextColumn::make('type')
|
||||
->label('Type')
|
||||
->formatStateUsing([OperationCatalog::class, 'label']),
|
||||
->formatStateUsing(Closure::fromCallable([self::class, 'formatOperationType'])),
|
||||
|
||||
Tables\Columns\TextColumn::make('status')
|
||||
->badge()
|
||||
@ -87,6 +101,7 @@ public function table(Table $table): Table
|
||||
->label('View')
|
||||
->icon('heroicon-o-eye')
|
||||
->url(function (OperationRun $record): string {
|
||||
$record = $this->resolveOwnerScopedOperationRun($record);
|
||||
$tenant = Tenant::currentOrFail();
|
||||
|
||||
return OperationRunLinks::view($record, $tenant);
|
||||
@ -97,4 +112,32 @@ public function table(Table $table): Table
|
||||
->emptyStateHeading('No schedule runs yet')
|
||||
->emptyStateDescription('Operation history will appear here after this schedule has been enqueued.');
|
||||
}
|
||||
|
||||
private function resolveOwnerScopedOperationRun(mixed $record): OperationRun
|
||||
{
|
||||
$recordId = $record instanceof OperationRun
|
||||
? (int) $record->getKey()
|
||||
: (is_numeric($record) ? (int) $record : 0);
|
||||
|
||||
if ($recordId <= 0) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$resolvedRecord = $this->getOwnerRecord()
|
||||
->operationRuns()
|
||||
->where('tenant_id', Tenant::currentOrFail()->getKey())
|
||||
->whereKey($recordId)
|
||||
->first();
|
||||
|
||||
if (! $resolvedRecord instanceof OperationRun) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
return $resolvedRecord;
|
||||
}
|
||||
|
||||
public static function formatOperationType(?string $state): string
|
||||
{
|
||||
return OperationCatalog::label($state);
|
||||
}
|
||||
}
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Resources\BackupSetResource\Pages;
|
||||
use App\Filament\Resources\BackupSetResource\RelationManagers\BackupItemsRelationManager;
|
||||
@ -56,6 +57,7 @@
|
||||
|
||||
class BackupSetResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
|
||||
protected static ?string $model = BackupSet::class;
|
||||
@ -120,13 +122,12 @@ public static function canCreate(): bool
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
return static::getTenantOwnedEloquentQuery();
|
||||
}
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return parent::getEloquentQuery()->whereRaw('1 = 0');
|
||||
}
|
||||
|
||||
return parent::getEloquentQuery()->where('tenant_id', (int) $tenant->getKey());
|
||||
public static function resolveScopedRecordOrFail(int|string $key): \Illuminate\Database\Eloquent\Model
|
||||
{
|
||||
return static::resolveTenantOwnedRecordOrFail($key, parent::getEloquentQuery()->withTrashed());
|
||||
}
|
||||
|
||||
public static function form(Schema $schema): Schema
|
||||
|
||||
@ -17,6 +17,7 @@
|
||||
use Filament\Actions\ActionGroup;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Resources\Pages\ViewRecord;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
|
||||
class ViewBackupSet extends ViewRecord
|
||||
{
|
||||
@ -24,6 +25,11 @@ class ViewBackupSet extends ViewRecord
|
||||
|
||||
protected static string $resource = BackupSetResource::class;
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return BackupSetResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
$actions = [
|
||||
|
||||
@ -43,6 +43,27 @@ public function closeAddPoliciesModal(): void
|
||||
$this->unmountAction();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $arguments
|
||||
* @param array<string, mixed> $context
|
||||
*/
|
||||
public function mountAction(string $name, array $arguments = [], array $context = []): mixed
|
||||
{
|
||||
if (($context['table'] ?? false) === true) {
|
||||
$backupSet = $this->getOwnerRecord();
|
||||
|
||||
if ($name === 'remove' && filled($context['recordKey'] ?? null)) {
|
||||
$this->resolveOwnerScopedBackupItemId($backupSet, $context['recordKey']);
|
||||
}
|
||||
|
||||
if ($name === 'bulk_remove' && ($context['bulk'] ?? false) === true) {
|
||||
$this->resolveOwnerScopedBackupItemIdsFromKeys($backupSet, $this->selectedTableRecords);
|
||||
}
|
||||
}
|
||||
|
||||
return parent::mountAction($name, $arguments, $context);
|
||||
}
|
||||
|
||||
public function table(Table $table): Table
|
||||
{
|
||||
$refreshTable = Actions\Action::make('refreshTable')
|
||||
@ -77,7 +98,7 @@ public function table(Table $table): Table
|
||||
->color('danger')
|
||||
->icon('heroicon-o-x-mark')
|
||||
->requiresConfirmation()
|
||||
->action(function (BackupItem $record): void {
|
||||
->action(function (mixed $record): void {
|
||||
$backupSet = $this->getOwnerRecord();
|
||||
|
||||
$user = auth()->user();
|
||||
@ -94,7 +115,7 @@ public function table(Table $table): Table
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$backupItemIds = [(int) $record->getKey()];
|
||||
$backupItemIds = [$this->resolveOwnerScopedBackupItemId($backupSet, $record)];
|
||||
|
||||
/** @var OperationRunService $opService */
|
||||
$opService = app(OperationRunService::class);
|
||||
@ -173,14 +194,7 @@ public function table(Table $table): Table
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$backupItemIds = $records
|
||||
->pluck('id')
|
||||
->map(fn (mixed $value): int => (int) $value)
|
||||
->filter(fn (int $value): bool => $value > 0)
|
||||
->unique()
|
||||
->sort()
|
||||
->values()
|
||||
->all();
|
||||
$backupItemIds = $this->resolveOwnerScopedBackupItemIdsFromKeys($backupSet, $this->selectedTableRecords);
|
||||
|
||||
if ($backupItemIds === []) {
|
||||
return;
|
||||
@ -434,4 +448,68 @@ private static function applyRestoreModeFilter(Builder $query, mixed $value): Bu
|
||||
|
||||
return $query->whereIn('policy_type', $types);
|
||||
}
|
||||
|
||||
private function resolveOwnerScopedBackupItemId(\App\Models\BackupSet $backupSet, mixed $record): int
|
||||
{
|
||||
$recordId = $this->normalizeBackupItemKey($record);
|
||||
|
||||
if ($recordId <= 0) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$resolvedId = $backupSet->items()
|
||||
->where('tenant_id', (int) $backupSet->tenant_id)
|
||||
->whereKey($recordId)
|
||||
->value('id');
|
||||
|
||||
if (! is_numeric($resolvedId) || (int) $resolvedId <= 0) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
return (int) $resolvedId;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, int>
|
||||
*/
|
||||
private function resolveOwnerScopedBackupItemIdsFromKeys(\App\Models\BackupSet $backupSet, array $recordKeys): array
|
||||
{
|
||||
$requestedIds = collect($recordKeys)
|
||||
->map(fn (mixed $record): int => $this->normalizeBackupItemKey($record))
|
||||
->filter(fn (int $value): bool => $value > 0)
|
||||
->unique()
|
||||
->sort()
|
||||
->values()
|
||||
->all();
|
||||
|
||||
if ($requestedIds === []) {
|
||||
return [];
|
||||
}
|
||||
|
||||
$resolvedIds = $backupSet->items()
|
||||
->where('tenant_id', (int) $backupSet->tenant_id)
|
||||
->whereIn('id', $requestedIds)
|
||||
->pluck('id')
|
||||
->map(fn (mixed $value): int => (int) $value)
|
||||
->filter(fn (int $value): bool => $value > 0)
|
||||
->unique()
|
||||
->sort()
|
||||
->values()
|
||||
->all();
|
||||
|
||||
if (count($resolvedIds) !== count($requestedIds)) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
return $resolvedIds;
|
||||
}
|
||||
|
||||
private function normalizeBackupItemKey(mixed $record): int
|
||||
{
|
||||
if ($record instanceof BackupItem) {
|
||||
return (int) $record->getKey();
|
||||
}
|
||||
|
||||
return is_numeric($record) ? (int) $record : 0;
|
||||
}
|
||||
}
|
||||
|
||||
@ -2,6 +2,8 @@
|
||||
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Concerns\ScopesGlobalSearchToTenant;
|
||||
use App\Filament\Resources\EntraGroupResource\Pages;
|
||||
use App\Models\EntraGroup;
|
||||
@ -9,7 +11,6 @@
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
use App\Support\Filament\TablePaginationProfiles;
|
||||
use App\Support\OperateHub\OperateHubShell;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
||||
@ -33,12 +34,16 @@
|
||||
|
||||
class EntraGroupResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
use ScopesGlobalSearchToTenant;
|
||||
|
||||
protected static bool $isScopedToTenant = false;
|
||||
|
||||
protected static ?string $model = EntraGroup::class;
|
||||
|
||||
protected static ?string $tenantOwnershipRelationshipName = 'tenant';
|
||||
|
||||
protected static ?string $recordTitleAttribute = 'display_name';
|
||||
|
||||
protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-user-group';
|
||||
@ -188,17 +193,15 @@ public static function table(Table $table): Table
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
$tenant = static::panelTenantContext();
|
||||
|
||||
return parent::getEloquentQuery()
|
||||
->when(
|
||||
$tenant instanceof Tenant,
|
||||
fn (Builder $query): Builder => $query->where('tenant_id', (int) $tenant->getKey()),
|
||||
fn (Builder $query): Builder => $query->whereRaw('1 = 0'),
|
||||
)
|
||||
return static::getTenantOwnedEloquentQuery()
|
||||
->latest('id');
|
||||
}
|
||||
|
||||
public static function resolveScopedRecordOrFail(int|string $key): Model
|
||||
{
|
||||
return static::resolveTenantOwnedRecordOrFail($key);
|
||||
}
|
||||
|
||||
public static function getGlobalSearchResultUrl(Model $record): string
|
||||
{
|
||||
$tenant = $record instanceof EntraGroup && $record->tenant instanceof Tenant
|
||||
@ -216,19 +219,6 @@ public static function getPages(): array
|
||||
];
|
||||
}
|
||||
|
||||
public static function panelTenantContext(): ?Tenant
|
||||
{
|
||||
if (Filament::getCurrentPanel()?->getId() === 'admin') {
|
||||
$tenant = app(OperateHubShell::class)->activeEntitledTenant(request());
|
||||
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
|
||||
$tenant = Tenant::current();
|
||||
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $parameters
|
||||
*/
|
||||
|
||||
@ -8,11 +8,17 @@
|
||||
use App\Models\User;
|
||||
use Filament\Facades\Filament;
|
||||
use Filament\Resources\Pages\ViewRecord;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
|
||||
class ViewEntraGroup extends ViewRecord
|
||||
{
|
||||
protected static string $resource = EntraGroupResource::class;
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return EntraGroupResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
|
||||
protected function authorizeAccess(): void
|
||||
{
|
||||
$tenant = EntraGroupResource::panelTenantContext();
|
||||
|
||||
637
app/Filament/Resources/EvidenceSnapshotResource.php
Normal file
637
app/Filament/Resources/EvidenceSnapshotResource.php
Normal file
@ -0,0 +1,637 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Resources\EvidenceSnapshotResource\Pages;
|
||||
use App\Models\EvidenceSnapshot;
|
||||
use App\Models\EvidenceSnapshotItem;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Services\Evidence\EvidenceSnapshotService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
use App\Support\Evidence\EvidenceSnapshotStatus;
|
||||
use App\Support\OperationCatalog;
|
||||
use App\Support\OperationRunLinks;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use App\Support\Rbac\UiTooltips;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
|
||||
use BackedEnum;
|
||||
use Filament\Actions;
|
||||
use Filament\Facades\Filament;
|
||||
use Filament\Infolists\Components\RepeatableEntry;
|
||||
use Filament\Infolists\Components\TextEntry;
|
||||
use Filament\Infolists\Components\ViewEntry;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Panel;
|
||||
use Filament\Resources\Pages\PageRegistration;
|
||||
use Filament\Resources\Resource;
|
||||
use Filament\Schemas\Components\Section;
|
||||
use Filament\Schemas\Schema;
|
||||
use Filament\Tables;
|
||||
use Filament\Tables\Table;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Routing\Route;
|
||||
use Illuminate\Support\Arr;
|
||||
use Illuminate\Support\Facades\Route as RouteFacade;
|
||||
use Illuminate\Support\Str;
|
||||
use UnitEnum;
|
||||
|
||||
class EvidenceSnapshotResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
|
||||
protected static ?string $model = EvidenceSnapshot::class;
|
||||
|
||||
protected static ?string $slug = 'evidence';
|
||||
|
||||
protected static ?string $tenantOwnershipRelationshipName = 'tenant';
|
||||
|
||||
protected static bool $isGloballySearchable = false;
|
||||
|
||||
protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-check';
|
||||
|
||||
protected static string|UnitEnum|null $navigationGroup = 'Governance';
|
||||
|
||||
protected static ?string $navigationLabel = 'Evidence';
|
||||
|
||||
protected static ?int $navigationSort = 55;
|
||||
|
||||
public static function canViewAny(): bool
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $user->can(Capabilities::EVIDENCE_VIEW, $tenant);
|
||||
}
|
||||
|
||||
public static function canView(Model $record): bool
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant) || ! $user->can(Capabilities::EVIDENCE_VIEW, $tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return ! $record instanceof EvidenceSnapshot
|
||||
|| ((int) $record->tenant_id === (int) $tenant->getKey() && (int) $record->workspace_id === (int) $tenant->workspace_id);
|
||||
}
|
||||
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
|
||||
->satisfy(ActionSurfaceSlot::ListHeader, 'Create snapshot is available from the list header.')
|
||||
->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
|
||||
->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state includes a Create snapshot CTA.')
|
||||
->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Evidence snapshots keep only primary View and Expire row actions.')
|
||||
->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Evidence snapshots do not support bulk actions.')
|
||||
->satisfy(ActionSurfaceSlot::DetailHeader, 'View page exposes Refresh evidence and Expire snapshot actions.');
|
||||
}
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
return static::getTenantOwnedEloquentQuery()->with(['tenant', 'initiator', 'operationRun', 'items']);
|
||||
}
|
||||
|
||||
public static function resolveScopedRecordOrFail(int|string|null $record): Model
|
||||
{
|
||||
return static::resolveTenantOwnedRecordOrFail($record);
|
||||
}
|
||||
|
||||
public static function form(Schema $schema): Schema
|
||||
{
|
||||
return $schema;
|
||||
}
|
||||
|
||||
public static function infolist(Schema $schema): Schema
|
||||
{
|
||||
return $schema->schema([
|
||||
Section::make('Snapshot')
|
||||
->schema([
|
||||
TextEntry::make('status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceSnapshotStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::EvidenceSnapshotStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::EvidenceSnapshotStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceSnapshotStatus)),
|
||||
TextEntry::make('completeness_state')
|
||||
->label('Completeness')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceCompleteness))
|
||||
->color(BadgeRenderer::color(BadgeDomain::EvidenceCompleteness))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::EvidenceCompleteness))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceCompleteness)),
|
||||
TextEntry::make('tenant.name')->label('Tenant'),
|
||||
TextEntry::make('generated_at')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('expires_at')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('operationRun.id')
|
||||
->label('Operation run')
|
||||
->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
|
||||
->url(fn (EvidenceSnapshot $record): ?string => $record->operation_run_id ? OperationRunLinks::tenantlessView((int) $record->operation_run_id) : null)
|
||||
->openUrlInNewTab(),
|
||||
TextEntry::make('fingerprint')->copyable()->placeholder('—')->columnSpanFull()->fontFamily('mono'),
|
||||
TextEntry::make('previous_fingerprint')->copyable()->placeholder('—')->columnSpanFull()->fontFamily('mono'),
|
||||
])
|
||||
->columns(2),
|
||||
Section::make('Summary')
|
||||
->schema([
|
||||
TextEntry::make('summary.finding_count')->label('Findings')->placeholder('—'),
|
||||
TextEntry::make('summary.report_count')->label('Reports')->placeholder('—'),
|
||||
TextEntry::make('summary.operation_count')->label('Operations')->placeholder('—'),
|
||||
TextEntry::make('summary.missing_dimensions')->label('Missing dimensions')->placeholder('—'),
|
||||
TextEntry::make('summary.stale_dimensions')->label('Stale dimensions')->placeholder('—'),
|
||||
])
|
||||
->columns(2),
|
||||
Section::make('Evidence dimensions')
|
||||
->schema([
|
||||
RepeatableEntry::make('items')
|
||||
->hiddenLabel()
|
||||
->schema([
|
||||
TextEntry::make('dimension_key')->label('Dimension')
|
||||
->formatStateUsing(fn (string $state): string => Str::headline($state)),
|
||||
TextEntry::make('state')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceCompleteness))
|
||||
->color(BadgeRenderer::color(BadgeDomain::EvidenceCompleteness))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::EvidenceCompleteness))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceCompleteness)),
|
||||
TextEntry::make('source_kind')->label('Source')
|
||||
->formatStateUsing(fn (string $state): string => Str::headline($state)),
|
||||
TextEntry::make('freshness_at')->dateTime()->placeholder('—'),
|
||||
ViewEntry::make('summary_payload_highlights')
|
||||
->label('Summary')
|
||||
->view('filament.infolists.entries.evidence-dimension-summary')
|
||||
->state(fn (EvidenceSnapshotItem $record): array => static::dimensionSummaryPresentation($record))
|
||||
->columnSpanFull(),
|
||||
ViewEntry::make('summary_payload_raw')
|
||||
->label('Raw summary JSON')
|
||||
->view('filament.infolists.entries.snapshot-json')
|
||||
->state(fn (EvidenceSnapshotItem $record): array => is_array($record->summary_payload) ? $record->summary_payload : [])
|
||||
->columnSpanFull(),
|
||||
])
|
||||
->columns(4),
|
||||
]),
|
||||
]);
|
||||
}
|
||||
|
||||
public static function table(Table $table): Table
|
||||
{
|
||||
return $table
|
||||
->defaultSort('created_at', 'desc')
|
||||
->recordUrl(fn (EvidenceSnapshot $record): string => static::getUrl('view', ['record' => $record]))
|
||||
->columns([
|
||||
Tables\Columns\TextColumn::make('status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceSnapshotStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::EvidenceSnapshotStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::EvidenceSnapshotStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceSnapshotStatus))
|
||||
->sortable(),
|
||||
Tables\Columns\TextColumn::make('completeness_state')
|
||||
->label('Completeness')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceCompleteness))
|
||||
->color(BadgeRenderer::color(BadgeDomain::EvidenceCompleteness))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::EvidenceCompleteness))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceCompleteness))
|
||||
->sortable(),
|
||||
Tables\Columns\TextColumn::make('generated_at')->dateTime()->sortable()->placeholder('—'),
|
||||
Tables\Columns\TextColumn::make('summary.finding_count')->label('Findings'),
|
||||
Tables\Columns\TextColumn::make('summary.missing_dimensions')->label('Missing'),
|
||||
])
|
||||
->filters([
|
||||
Tables\Filters\SelectFilter::make('status')
|
||||
->options([
|
||||
'queued' => 'Queued',
|
||||
'generating' => 'Generating',
|
||||
'active' => 'Active',
|
||||
'superseded' => 'Superseded',
|
||||
'expired' => 'Expired',
|
||||
'failed' => 'Failed',
|
||||
]),
|
||||
Tables\Filters\SelectFilter::make('completeness_state')
|
||||
->options([
|
||||
'complete' => 'Complete',
|
||||
'partial' => 'Partial',
|
||||
'missing' => 'Missing',
|
||||
'stale' => 'Stale',
|
||||
]),
|
||||
])
|
||||
->actions([
|
||||
Actions\Action::make('view_snapshot')
|
||||
->label('View snapshot')
|
||||
->url(fn (EvidenceSnapshot $record): string => static::getUrl('view', ['record' => $record])),
|
||||
UiEnforcement::forTableAction(
|
||||
Actions\Action::make('expire')
|
||||
->label('Expire snapshot')
|
||||
->color('danger')
|
||||
->hidden(fn (EvidenceSnapshot $record): bool => ! static::canExpireRecord($record))
|
||||
->requiresConfirmation()
|
||||
->action(function (EvidenceSnapshot $record): void {
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
app(EvidenceSnapshotService::class)->expire($record, $user);
|
||||
|
||||
Notification::make()->success()->title('Snapshot expired')->send();
|
||||
}),
|
||||
fn (EvidenceSnapshot $record): EvidenceSnapshot => $record,
|
||||
)
|
||||
->preserveVisibility()
|
||||
->requireCapability(Capabilities::EVIDENCE_MANAGE)
|
||||
->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
|
||||
->apply(),
|
||||
])
|
||||
->bulkActions([])
|
||||
->emptyStateHeading('No evidence snapshots yet')
|
||||
->emptyStateDescription('Create the first snapshot to capture immutable evidence for this tenant.')
|
||||
->emptyStateActions([
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('create_first_snapshot')
|
||||
->label('Create first snapshot')
|
||||
->icon('heroicon-o-plus')
|
||||
->action(fn (): mixed => static::executeGeneration([])),
|
||||
)
|
||||
->requireCapability(Capabilities::EVIDENCE_MANAGE)
|
||||
->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
|
||||
->apply(),
|
||||
]);
|
||||
}
|
||||
|
||||
public static function getPages(): array
|
||||
{
|
||||
return [
|
||||
'index' => Pages\ListEvidenceSnapshots::route('/'),
|
||||
'view' => new PageRegistration(
|
||||
page: Pages\ViewEvidenceSnapshot::class,
|
||||
route: fn (Panel $panel): Route => RouteFacade::get('/{record}', Pages\ViewEvidenceSnapshot::class)
|
||||
->whereNumber('record')
|
||||
->middleware(Pages\ViewEvidenceSnapshot::getRouteMiddleware($panel))
|
||||
->withoutMiddleware(Pages\ViewEvidenceSnapshot::getWithoutRouteMiddleware($panel)),
|
||||
),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
|
||||
*/
|
||||
private static function dimensionSummaryPresentation(EvidenceSnapshotItem $item): array
|
||||
{
|
||||
$payload = is_array($item->summary_payload) ? $item->summary_payload : [];
|
||||
|
||||
return match ($item->dimension_key) {
|
||||
'findings_summary' => static::findingsSummaryPresentation($payload),
|
||||
'permission_posture' => static::permissionPosturePresentation($payload),
|
||||
'entra_admin_roles' => static::entraAdminRolesPresentation($payload),
|
||||
'baseline_drift_posture' => static::baselineDriftPosturePresentation($payload),
|
||||
'operations_summary' => static::operationsSummaryPresentation($payload),
|
||||
default => static::genericSummaryPresentation($payload),
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $payload
|
||||
* @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
|
||||
*/
|
||||
private static function findingsSummaryPresentation(array $payload): array
|
||||
{
|
||||
$count = (int) ($payload['count'] ?? 0);
|
||||
$openCount = (int) ($payload['open_count'] ?? 0);
|
||||
$severityCounts = is_array($payload['severity_counts'] ?? null) ? $payload['severity_counts'] : [];
|
||||
$entries = is_array($payload['entries'] ?? null) ? $payload['entries'] : [];
|
||||
|
||||
return [
|
||||
'summary' => sprintf('%d findings, %d open.', $count, $openCount),
|
||||
'highlights' => [
|
||||
['label' => 'Findings', 'value' => (string) $count],
|
||||
['label' => 'Open findings', 'value' => (string) $openCount],
|
||||
['label' => 'Critical', 'value' => (string) ((int) ($severityCounts['critical'] ?? 0))],
|
||||
['label' => 'High', 'value' => (string) ((int) ($severityCounts['high'] ?? 0))],
|
||||
['label' => 'Medium', 'value' => (string) ((int) ($severityCounts['medium'] ?? 0))],
|
||||
['label' => 'Low', 'value' => (string) ((int) ($severityCounts['low'] ?? 0))],
|
||||
],
|
||||
'items' => collect($entries)
|
||||
->map(fn (mixed $entry): ?string => is_array($entry) ? static::findingEntryLabel($entry) : null)
|
||||
->filter()
|
||||
->take(5)
|
||||
->values()
|
||||
->all(),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $payload
|
||||
* @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
|
||||
*/
|
||||
private static function permissionPosturePresentation(array $payload): array
|
||||
{
|
||||
$requiredCount = (int) ($payload['required_count'] ?? 0);
|
||||
$grantedCount = (int) ($payload['granted_count'] ?? 0);
|
||||
$postureScore = $payload['posture_score'] ?? null;
|
||||
$reportPayload = is_array($payload['payload'] ?? null) ? $payload['payload'] : [];
|
||||
|
||||
return [
|
||||
'summary' => sprintf('%d of %d required permissions granted.', $grantedCount, $requiredCount),
|
||||
'highlights' => [
|
||||
['label' => 'Granted permissions', 'value' => (string) $grantedCount],
|
||||
['label' => 'Required permissions', 'value' => (string) $requiredCount],
|
||||
['label' => 'Posture score', 'value' => $postureScore === null ? '—' : (string) $postureScore],
|
||||
],
|
||||
'items' => static::namedItemsFromArray(
|
||||
Arr::get($reportPayload, 'missing_permissions', Arr::get($reportPayload, 'missing', [])),
|
||||
'No missing permission details captured.'
|
||||
),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $payload
|
||||
* @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
|
||||
*/
|
||||
private static function entraAdminRolesPresentation(array $payload): array
|
||||
{
|
||||
$roleCount = (int) ($payload['role_count'] ?? 0);
|
||||
|
||||
return [
|
||||
'summary' => sprintf('%d privileged Entra roles captured.', $roleCount),
|
||||
'highlights' => [
|
||||
['label' => 'Role count', 'value' => (string) $roleCount],
|
||||
],
|
||||
'items' => static::namedItemsFromArray($payload['roles'] ?? [], 'No role details captured.'),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $payload
|
||||
* @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
|
||||
*/
|
||||
private static function baselineDriftPosturePresentation(array $payload): array
|
||||
{
|
||||
$driftCount = (int) ($payload['drift_count'] ?? 0);
|
||||
$openDriftCount = (int) ($payload['open_drift_count'] ?? 0);
|
||||
|
||||
return [
|
||||
'summary' => sprintf('%d drift findings, %d still open.', $driftCount, $openDriftCount),
|
||||
'highlights' => [
|
||||
['label' => 'Drift findings', 'value' => (string) $driftCount],
|
||||
['label' => 'Open drift findings', 'value' => (string) $openDriftCount],
|
||||
],
|
||||
'items' => [],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $payload
|
||||
* @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
|
||||
*/
|
||||
private static function operationsSummaryPresentation(array $payload): array
|
||||
{
|
||||
$operationCount = (int) ($payload['operation_count'] ?? 0);
|
||||
$failedCount = (int) ($payload['failed_count'] ?? 0);
|
||||
$partialCount = (int) ($payload['partial_count'] ?? 0);
|
||||
$entries = is_array($payload['entries'] ?? null) ? $payload['entries'] : [];
|
||||
|
||||
return [
|
||||
'summary' => sprintf('%d operations in the last 30 days, %d failed, %d partial.', $operationCount, $failedCount, $partialCount),
|
||||
'highlights' => [
|
||||
['label' => 'Operations', 'value' => (string) $operationCount],
|
||||
['label' => 'Failed operations', 'value' => (string) $failedCount],
|
||||
['label' => 'Partial operations', 'value' => (string) $partialCount],
|
||||
],
|
||||
'items' => collect($entries)
|
||||
->map(fn (mixed $entry): ?string => is_array($entry) ? static::operationEntryLabel($entry) : null)
|
||||
->filter()
|
||||
->take(5)
|
||||
->values()
|
||||
->all(),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $payload
|
||||
* @return array{summary:?string,highlights:list<array{label:string,value:string}>,items:list<string>}
|
||||
*/
|
||||
private static function genericSummaryPresentation(array $payload): array
|
||||
{
|
||||
$highlights = collect($payload)
|
||||
->reject(fn (mixed $value, string|int $key): bool => in_array((string) $key, ['entries', 'payload', 'roles'], true) || is_array($value))
|
||||
->take(6)
|
||||
->map(fn (mixed $value, string|int $key): array => [
|
||||
'label' => Str::headline((string) $key),
|
||||
'value' => static::stringifySummaryValue($value),
|
||||
])
|
||||
->values()
|
||||
->all();
|
||||
|
||||
return [
|
||||
'summary' => empty($highlights) ? 'No summary details captured.' : null,
|
||||
'highlights' => $highlights,
|
||||
'items' => [],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
private static function namedItemsFromArray(mixed $items, string $emptyFallback): array
|
||||
{
|
||||
if (! is_array($items) || $items === []) {
|
||||
return [$emptyFallback];
|
||||
}
|
||||
|
||||
$labels = collect($items)
|
||||
->map(function (mixed $item): ?string {
|
||||
if (is_string($item)) {
|
||||
return trim($item) !== '' ? $item : null;
|
||||
}
|
||||
|
||||
if (! is_array($item)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
foreach (['display_name', 'displayName', 'name', 'title', 'id'] as $key) {
|
||||
$value = $item[$key] ?? null;
|
||||
|
||||
if (is_string($value) && trim($value) !== '') {
|
||||
return $value;
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
})
|
||||
->filter()
|
||||
->take(5)
|
||||
->values()
|
||||
->all();
|
||||
|
||||
return $labels === [] ? [$emptyFallback] : $labels;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $entry
|
||||
*/
|
||||
private static function findingEntryLabel(array $entry): ?string
|
||||
{
|
||||
$title = $entry['title'] ?? null;
|
||||
$severity = $entry['severity'] ?? null;
|
||||
$status = $entry['status'] ?? null;
|
||||
|
||||
if (! is_string($title) || trim($title) === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
$parts = [trim($title)];
|
||||
|
||||
if (is_string($severity) && trim($severity) !== '') {
|
||||
$parts[] = Str::headline($severity);
|
||||
}
|
||||
|
||||
if (is_string($status) && trim($status) !== '') {
|
||||
$parts[] = Str::headline($status);
|
||||
}
|
||||
|
||||
return implode(' · ', $parts);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $entry
|
||||
*/
|
||||
private static function operationEntryLabel(array $entry): ?string
|
||||
{
|
||||
$type = $entry['type'] ?? null;
|
||||
|
||||
if (! is_string($type) || trim($type) === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
$parts = [static::operationTypeLabel($type)];
|
||||
|
||||
$stateLabel = static::operationEntryStateLabel($entry);
|
||||
|
||||
if ($stateLabel !== null) {
|
||||
$parts[] = $stateLabel;
|
||||
}
|
||||
|
||||
return implode(' · ', $parts);
|
||||
}
|
||||
|
||||
public static function canExpireRecord(EvidenceSnapshot $record): bool
|
||||
{
|
||||
return (string) $record->status !== EvidenceSnapshotStatus::Expired->value;
|
||||
}
|
||||
|
||||
private static function operationTypeLabel(string $type): string
|
||||
{
|
||||
$label = OperationCatalog::label($type);
|
||||
|
||||
return $label === 'Unknown operation' ? 'Operation' : $label;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $entry
|
||||
*/
|
||||
private static function operationEntryStateLabel(array $entry): ?string
|
||||
{
|
||||
$status = is_string($entry['status'] ?? null) ? trim((string) $entry['status']) : null;
|
||||
$outcome = is_string($entry['outcome'] ?? null) ? trim((string) $entry['outcome']) : null;
|
||||
|
||||
return match ($status) {
|
||||
OperationRunStatus::Queued->value => 'Queued',
|
||||
OperationRunStatus::Running->value => 'Running',
|
||||
OperationRunStatus::Completed->value => match ($outcome) {
|
||||
OperationRunOutcome::Succeeded->value => 'Completed',
|
||||
OperationRunOutcome::PartiallySucceeded->value => OperationRunOutcome::uiLabels(true)[OperationRunOutcome::PartiallySucceeded->value],
|
||||
OperationRunOutcome::Blocked->value => OperationRunOutcome::uiLabels(true)[OperationRunOutcome::Blocked->value],
|
||||
OperationRunOutcome::Failed->value => OperationRunOutcome::uiLabels(true)[OperationRunOutcome::Failed->value],
|
||||
OperationRunOutcome::Cancelled->value => OperationRunOutcome::uiLabels(true)[OperationRunOutcome::Cancelled->value],
|
||||
default => 'Completed',
|
||||
},
|
||||
default => $outcome !== null ? (OperationRunOutcome::uiLabels(true)[$outcome] ?? null) : null,
|
||||
};
|
||||
}
|
||||
|
||||
private static function stringifySummaryValue(mixed $value): string
|
||||
{
|
||||
return match (true) {
|
||||
$value === null => '—',
|
||||
is_bool($value) => $value ? 'Yes' : 'No',
|
||||
is_scalar($value) => (string) $value,
|
||||
default => '—',
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
public static function executeGeneration(array $data): void
|
||||
{
|
||||
$tenant = Filament::getTenant();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
Notification::make()->danger()->title('Unable to create snapshot — missing context.')->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$snapshot = app(EvidenceSnapshotService::class)->generate(
|
||||
tenant: $tenant,
|
||||
user: $user,
|
||||
allowStale: (bool) ($data['allow_stale'] ?? false),
|
||||
);
|
||||
|
||||
if (! $snapshot->wasRecentlyCreated) {
|
||||
Notification::make()
|
||||
->success()
|
||||
->title('Snapshot already available')
|
||||
->body('A matching active snapshot already exists. No new run was started.')
|
||||
->actions([
|
||||
Actions\Action::make('view_snapshot')
|
||||
->label('View snapshot')
|
||||
->url(static::getUrl('view', ['record' => $snapshot], tenant: $tenant)),
|
||||
])
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
Notification::make()
|
||||
->success()
|
||||
->title('Create snapshot queued')
|
||||
->body('The snapshot is being generated in the background.')
|
||||
->actions([
|
||||
Actions\Action::make('view_run')
|
||||
->label('View run')
|
||||
->url($snapshot->operation_run_id ? OperationRunLinks::tenantlessView((int) $snapshot->operation_run_id) : static::getUrl('view', ['record' => $snapshot], tenant: $tenant)),
|
||||
])
|
||||
->send();
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,40 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Resources\EvidenceSnapshotResource\Pages;
|
||||
|
||||
use App\Filament\Resources\EvidenceSnapshotResource;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use Filament\Actions;
|
||||
use Filament\Forms\Components\Toggle;
|
||||
use Filament\Resources\Pages\ListRecords;
|
||||
use Filament\Schemas\Components\Section;
|
||||
|
||||
class ListEvidenceSnapshots extends ListRecords
|
||||
{
|
||||
protected static string $resource = EvidenceSnapshotResource::class;
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('create_snapshot')
|
||||
->label('Create snapshot')
|
||||
->icon('heroicon-o-plus')
|
||||
->action(fn (array $data): mixed => EvidenceSnapshotResource::executeGeneration($data))
|
||||
->form([
|
||||
Section::make('Snapshot options')
|
||||
->schema([
|
||||
Toggle::make('allow_stale')
|
||||
->label('Allow stale dimensions')
|
||||
->default(false),
|
||||
]),
|
||||
]),
|
||||
)
|
||||
->requireCapability(Capabilities::EVIDENCE_MANAGE)
|
||||
->apply(),
|
||||
];
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,102 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Resources\EvidenceSnapshotResource\Pages;
|
||||
|
||||
use App\Filament\Resources\EvidenceSnapshotResource;
|
||||
use App\Filament\Resources\ReviewPackResource;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\User;
|
||||
use App\Services\Evidence\EvidenceSnapshotService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\OperationRunLinks;
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use Filament\Actions;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Resources\Pages\ViewRecord;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
|
||||
class ViewEvidenceSnapshot extends ViewRecord
|
||||
{
|
||||
protected static string $resource = EvidenceSnapshotResource::class;
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return EvidenceSnapshotResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
Actions\Action::make('view_run')
|
||||
->label('View run')
|
||||
->icon('heroicon-o-eye')
|
||||
->color('gray')
|
||||
->url(fn (): ?string => $this->record->operation_run_id ? OperationRunLinks::tenantlessView((int) $this->record->operation_run_id) : null)
|
||||
->hidden(fn (): bool => ! is_numeric($this->record->operation_run_id)),
|
||||
Actions\Action::make('view_review_pack')
|
||||
->label('View review pack')
|
||||
->icon('heroicon-o-document-text')
|
||||
->color('gray')
|
||||
->url(function (): ?string {
|
||||
$pack = $this->latestReviewPack();
|
||||
|
||||
if (! $pack instanceof ReviewPack || ! $pack->tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $pack->tenant);
|
||||
})
|
||||
->hidden(fn (): bool => ! $this->latestReviewPack() instanceof ReviewPack),
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('refresh_snapshot')
|
||||
->label('Refresh evidence')
|
||||
->icon('heroicon-o-arrow-path')
|
||||
->requiresConfirmation()
|
||||
->action(function (): void {
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
app(EvidenceSnapshotService::class)->refresh($this->record, $user);
|
||||
|
||||
Notification::make()->success()->title('Refresh evidence queued')->send();
|
||||
}),
|
||||
)
|
||||
->requireCapability(Capabilities::EVIDENCE_MANAGE)
|
||||
->apply(),
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('expire_snapshot')
|
||||
->label('Expire snapshot')
|
||||
->icon('heroicon-o-x-circle')
|
||||
->color('danger')
|
||||
->hidden(fn (): bool => ! EvidenceSnapshotResource::canExpireRecord($this->record))
|
||||
->requiresConfirmation()
|
||||
->action(function (): void {
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
app(EvidenceSnapshotService::class)->expire($this->record, $user);
|
||||
$this->refreshFormData(['status', 'expires_at']);
|
||||
|
||||
Notification::make()->success()->title('Snapshot expired')->send();
|
||||
}),
|
||||
)
|
||||
->requireCapability(Capabilities::EVIDENCE_MANAGE)
|
||||
->apply(),
|
||||
];
|
||||
}
|
||||
|
||||
private function latestReviewPack(): ?ReviewPack
|
||||
{
|
||||
return $this->record->reviewPacks()
|
||||
->latest('created_at')
|
||||
->first();
|
||||
}
|
||||
}
|
||||
488
app/Filament/Resources/FindingExceptionResource.php
Normal file
488
app/Filament/Resources/FindingExceptionResource.php
Normal file
@ -0,0 +1,488 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Resources\FindingExceptionResource\Pages;
|
||||
use App\Models\FindingException;
|
||||
use App\Models\FindingExceptionEvidenceReference;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Services\Findings\FindingExceptionService;
|
||||
use App\Services\Findings\FindingRiskGovernanceResolver;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
use App\Support\Filament\FilterOptionCatalog;
|
||||
use App\Support\Filament\TablePaginationProfiles;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
|
||||
use BackedEnum;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Facades\Filament;
|
||||
use Filament\Forms\Components\DateTimePicker;
|
||||
use Filament\Forms\Components\Repeater;
|
||||
use Filament\Forms\Components\Select;
|
||||
use Filament\Forms\Components\Textarea;
|
||||
use Filament\Forms\Components\TextInput;
|
||||
use Filament\Infolists\Components\RepeatableEntry;
|
||||
use Filament\Infolists\Components\TextEntry;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Resources\Resource;
|
||||
use Filament\Schemas\Components\Section;
|
||||
use Filament\Schemas\Schema;
|
||||
use Filament\Tables;
|
||||
use Filament\Tables\Filters\SelectFilter;
|
||||
use Filament\Tables\Table;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use InvalidArgumentException;
|
||||
use UnitEnum;
|
||||
|
||||
class FindingExceptionResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
|
||||
protected static ?string $model = FindingException::class;
|
||||
|
||||
protected static ?string $tenantOwnershipRelationshipName = 'tenant';
|
||||
|
||||
protected static bool $isGloballySearchable = false;
|
||||
|
||||
protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-shield-exclamation';
|
||||
|
||||
protected static string|UnitEnum|null $navigationGroup = 'Governance';
|
||||
|
||||
protected static ?string $navigationLabel = 'Risk exceptions';
|
||||
|
||||
protected static ?int $navigationSort = 60;
|
||||
|
||||
public static function shouldRegisterNavigation(): bool
|
||||
{
|
||||
if (Filament::getCurrentPanel()?->getId() === 'admin') {
|
||||
return false;
|
||||
}
|
||||
|
||||
return parent::shouldRegisterNavigation();
|
||||
}
|
||||
|
||||
public static function canViewAny(): bool
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $user->can(Capabilities::FINDING_EXCEPTION_VIEW, $tenant);
|
||||
}
|
||||
|
||||
public static function canView(Model $record): bool
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant) || ! $user->can(Capabilities::FINDING_EXCEPTION_VIEW, $tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return ! $record instanceof FindingException
|
||||
|| ((int) $record->tenant_id === (int) $tenant->getKey() && (int) $record->workspace_id === (int) $tenant->workspace_id);
|
||||
}
|
||||
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
|
||||
->satisfy(ActionSurfaceSlot::ListHeader, 'List header links back to findings where exception requests originate.')
|
||||
->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
|
||||
->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'v1 keeps exception mutations direct and avoids a More menu.')
|
||||
->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Exception decisions require per-record review and intentionally omit bulk actions in v1.')
|
||||
->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state explains that new requests start from finding detail.')
|
||||
->satisfy(ActionSurfaceSlot::DetailHeader, 'Detail header exposes linked finding navigation plus state-aware renewal and revocation actions.');
|
||||
}
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
return static::getTenantOwnedEloquentQuery()
|
||||
->with(static::relationshipsForView());
|
||||
}
|
||||
|
||||
public static function resolveScopedRecordOrFail(int|string|null $record): Model
|
||||
{
|
||||
return static::resolveTenantOwnedRecordOrFail($record, parent::getEloquentQuery()->with(static::relationshipsForView()));
|
||||
}
|
||||
|
||||
public static function form(Schema $schema): Schema
|
||||
{
|
||||
return $schema;
|
||||
}
|
||||
|
||||
public static function infolist(Schema $schema): Schema
|
||||
{
|
||||
return $schema->schema([
|
||||
Section::make('Exception')
|
||||
->schema([
|
||||
TextEntry::make('status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingExceptionStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::FindingExceptionStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::FindingExceptionStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingExceptionStatus)),
|
||||
TextEntry::make('current_validity_state')
|
||||
->label('Validity')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->color(BadgeRenderer::color(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingRiskGovernanceValidity)),
|
||||
TextEntry::make('governance_warning')
|
||||
->label('Governance warning')
|
||||
->state(fn (FindingException $record): ?string => static::governanceWarning($record))
|
||||
->color(fn (FindingException $record): string => static::governanceWarningColor($record))
|
||||
->columnSpanFull()
|
||||
->visible(fn (FindingException $record): bool => static::governanceWarning($record) !== null),
|
||||
TextEntry::make('tenant.name')->label('Tenant'),
|
||||
TextEntry::make('finding_summary')
|
||||
->label('Finding')
|
||||
->state(fn (FindingException $record): string => static::findingSummary($record)),
|
||||
TextEntry::make('requester.name')->label('Requested by')->placeholder('—'),
|
||||
TextEntry::make('owner.name')->label('Owner')->placeholder('—'),
|
||||
TextEntry::make('approver.name')->label('Approved by')->placeholder('—'),
|
||||
TextEntry::make('requested_at')->label('Requested')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('approved_at')->label('Approved')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('review_due_at')->label('Review due')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('effective_from')->label('Effective from')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('expires_at')->label('Expires')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('request_reason')->label('Request reason')->columnSpanFull(),
|
||||
TextEntry::make('approval_reason')->label('Approval reason')->placeholder('—')->columnSpanFull(),
|
||||
TextEntry::make('rejection_reason')->label('Rejection reason')->placeholder('—')->columnSpanFull(),
|
||||
])
|
||||
->columns(2),
|
||||
Section::make('Decision history')
|
||||
->schema([
|
||||
RepeatableEntry::make('decisions')
|
||||
->hiddenLabel()
|
||||
->schema([
|
||||
TextEntry::make('decision_type')->label('Decision'),
|
||||
TextEntry::make('actor.name')->label('Actor')->placeholder('—'),
|
||||
TextEntry::make('decided_at')->label('Decided')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('reason')->label('Reason')->placeholder('—')->columnSpanFull(),
|
||||
])
|
||||
->columns(3),
|
||||
]),
|
||||
Section::make('Evidence references')
|
||||
->schema([
|
||||
RepeatableEntry::make('evidenceReferences')
|
||||
->hiddenLabel()
|
||||
->schema([
|
||||
TextEntry::make('label')->label('Label'),
|
||||
TextEntry::make('source_type')->label('Source'),
|
||||
TextEntry::make('source_id')->label('Source ID')->placeholder('—'),
|
||||
TextEntry::make('source_fingerprint')->label('Fingerprint')->placeholder('—'),
|
||||
TextEntry::make('measured_at')->label('Measured')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('summary_payload')
|
||||
->label('Summary')
|
||||
->state(function (FindingExceptionEvidenceReference $record): ?string {
|
||||
if ($record->summary_payload === [] || $record->summary_payload === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return json_encode($record->summary_payload, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE) ?: null;
|
||||
})
|
||||
->placeholder('—')
|
||||
->columnSpanFull(),
|
||||
])
|
||||
->columns(2),
|
||||
])
|
||||
->visible(fn (FindingException $record): bool => $record->evidenceReferences->isNotEmpty()),
|
||||
]);
|
||||
}
|
||||
|
||||
public static function table(Table $table): Table
|
||||
{
|
||||
return $table
|
||||
->defaultSort('requested_at', 'desc')
|
||||
->paginated(TablePaginationProfiles::resource())
|
||||
->persistFiltersInSession()
|
||||
->persistSearchInSession()
|
||||
->persistSortInSession()
|
||||
->recordUrl(fn (FindingException $record): string => static::getUrl('view', ['record' => $record]))
|
||||
->columns([
|
||||
Tables\Columns\TextColumn::make('status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingExceptionStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::FindingExceptionStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::FindingExceptionStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingExceptionStatus))
|
||||
->sortable(),
|
||||
Tables\Columns\TextColumn::make('current_validity_state')
|
||||
->label('Validity')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->color(BadgeRenderer::color(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->sortable(),
|
||||
Tables\Columns\TextColumn::make('finding_summary')
|
||||
->label('Finding')
|
||||
->state(fn (FindingException $record): string => static::findingSummary($record))
|
||||
->searchable(),
|
||||
Tables\Columns\TextColumn::make('governance_warning')
|
||||
->label('Governance warning')
|
||||
->state(fn (FindingException $record): ?string => static::governanceWarning($record))
|
||||
->color(fn (FindingException $record): string => static::governanceWarningColor($record))
|
||||
->wrap(),
|
||||
Tables\Columns\TextColumn::make('requester.name')
|
||||
->label('Requested by')
|
||||
->placeholder('—'),
|
||||
Tables\Columns\TextColumn::make('owner.name')
|
||||
->label('Owner')
|
||||
->placeholder('—'),
|
||||
Tables\Columns\TextColumn::make('review_due_at')
|
||||
->label('Review due')
|
||||
->dateTime()
|
||||
->placeholder('—')
|
||||
->sortable(),
|
||||
Tables\Columns\TextColumn::make('requested_at')
|
||||
->label('Requested')
|
||||
->dateTime()
|
||||
->sortable(),
|
||||
])
|
||||
->filters([
|
||||
SelectFilter::make('status')
|
||||
->options(FilterOptionCatalog::findingExceptionStatuses()),
|
||||
SelectFilter::make('current_validity_state')
|
||||
->label('Validity')
|
||||
->options(FilterOptionCatalog::findingExceptionValidityStates()),
|
||||
])
|
||||
->actions([
|
||||
Action::make('renew_exception')
|
||||
->label('Renew exception')
|
||||
->icon('heroicon-o-arrow-path')
|
||||
->color('warning')
|
||||
->visible(fn (FindingException $record): bool => static::canManageRecord($record) && $record->canBeRenewed())
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Select::make('owner_user_id')
|
||||
->label('Owner')
|
||||
->required()
|
||||
->options(fn (): array => static::tenantMemberOptions())
|
||||
->searchable(),
|
||||
Textarea::make('request_reason')
|
||||
->label('Renewal reason')
|
||||
->rows(4)
|
||||
->required()
|
||||
->maxLength(2000),
|
||||
DateTimePicker::make('review_due_at')
|
||||
->label('Review due at')
|
||||
->required()
|
||||
->seconds(false),
|
||||
DateTimePicker::make('expires_at')
|
||||
->label('Requested expiry')
|
||||
->seconds(false),
|
||||
Repeater::make('evidence_references')
|
||||
->label('Evidence references')
|
||||
->schema([
|
||||
TextInput::make('label')
|
||||
->label('Label')
|
||||
->required()
|
||||
->maxLength(255),
|
||||
TextInput::make('source_type')
|
||||
->label('Source type')
|
||||
->required()
|
||||
->maxLength(255),
|
||||
TextInput::make('source_id')
|
||||
->label('Source ID')
|
||||
->maxLength(255),
|
||||
TextInput::make('source_fingerprint')
|
||||
->label('Fingerprint')
|
||||
->maxLength(255),
|
||||
DateTimePicker::make('measured_at')
|
||||
->label('Measured at')
|
||||
->seconds(false),
|
||||
])
|
||||
->defaultItems(0)
|
||||
->collapsed(),
|
||||
])
|
||||
->action(function (FindingException $record, array $data, FindingExceptionService $service): void {
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User || ! $record->tenant instanceof Tenant) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
try {
|
||||
$service->renew($record, $user, $data);
|
||||
} catch (InvalidArgumentException $exception) {
|
||||
Notification::make()
|
||||
->title('Renewal request failed')
|
||||
->body($exception->getMessage())
|
||||
->danger()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
Notification::make()
|
||||
->title('Renewal request submitted')
|
||||
->success()
|
||||
->send();
|
||||
}),
|
||||
Action::make('revoke_exception')
|
||||
->label('Revoke exception')
|
||||
->icon('heroicon-o-no-symbol')
|
||||
->color('danger')
|
||||
->visible(fn (FindingException $record): bool => static::canManageRecord($record) && $record->canBeRevoked())
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Textarea::make('revocation_reason')
|
||||
->label('Revocation reason')
|
||||
->rows(4)
|
||||
->required()
|
||||
->maxLength(2000),
|
||||
])
|
||||
->action(function (FindingException $record, array $data, FindingExceptionService $service): void {
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
try {
|
||||
$service->revoke($record, $user, $data);
|
||||
} catch (InvalidArgumentException $exception) {
|
||||
Notification::make()
|
||||
->title('Exception revocation failed')
|
||||
->body($exception->getMessage())
|
||||
->danger()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
Notification::make()
|
||||
->title('Exception revoked')
|
||||
->success()
|
||||
->send();
|
||||
}),
|
||||
])
|
||||
->bulkActions([])
|
||||
->emptyStateHeading('No exceptions match this view')
|
||||
->emptyStateDescription('Exception requests are created from finding detail when a governed risk acceptance review is needed.')
|
||||
->emptyStateIcon('heroicon-o-shield-exclamation')
|
||||
->emptyStateActions([
|
||||
Action::make('open_findings')
|
||||
->label('Open findings')
|
||||
->icon('heroicon-o-arrow-top-right-on-square')
|
||||
->color('gray')
|
||||
->url(fn (): string => FindingResource::getUrl('index')),
|
||||
]);
|
||||
}
|
||||
|
||||
public static function getPages(): array
|
||||
{
|
||||
return [
|
||||
'index' => Pages\ListFindingExceptions::route('/'),
|
||||
'view' => Pages\ViewFindingException::route('/{record}'),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, string|array<int|string, mixed>>
|
||||
*/
|
||||
private static function relationshipsForView(): array
|
||||
{
|
||||
return [
|
||||
'tenant',
|
||||
'requester',
|
||||
'owner',
|
||||
'approver',
|
||||
'currentDecision',
|
||||
'decisions.actor',
|
||||
'evidenceReferences',
|
||||
'finding' => fn ($query) => $query->withSubjectDisplayName(),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, string>
|
||||
*/
|
||||
private static function tenantMemberOptions(): array
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return \App\Models\TenantMembership::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->join('users', 'users.id', '=', 'tenant_memberships.user_id')
|
||||
->orderBy('users.name')
|
||||
->pluck('users.name', 'users.id')
|
||||
->mapWithKeys(fn (string $name, int|string $id): array => [(int) $id => $name])
|
||||
->all();
|
||||
}
|
||||
|
||||
private static function findingSummary(FindingException $record): string
|
||||
{
|
||||
$summary = $record->finding?->resolvedSubjectDisplayName();
|
||||
|
||||
if (is_string($summary) && trim($summary) !== '') {
|
||||
return trim($summary);
|
||||
}
|
||||
|
||||
return 'Finding #'.$record->finding_id;
|
||||
}
|
||||
|
||||
private static function canManageRecord(FindingException $record): bool
|
||||
{
|
||||
$user = auth()->user();
|
||||
|
||||
return $user instanceof User
|
||||
&& $record->tenant instanceof Tenant
|
||||
&& $user->canAccessTenant($record->tenant)
|
||||
&& $user->can(Capabilities::FINDING_EXCEPTION_MANAGE, $record->tenant);
|
||||
}
|
||||
|
||||
private static function governanceWarning(FindingException $record): ?string
|
||||
{
|
||||
$finding = $record->relationLoaded('finding')
|
||||
? $record->finding
|
||||
: $record->finding()->withSubjectDisplayName()->first();
|
||||
|
||||
if (! $finding instanceof \App\Models\Finding) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return app(FindingRiskGovernanceResolver::class)->resolveWarningMessage($finding, $record);
|
||||
}
|
||||
|
||||
private static function governanceWarningColor(FindingException $record): string
|
||||
{
|
||||
$finding = $record->relationLoaded('finding')
|
||||
? $record->finding
|
||||
: $record->finding()->withSubjectDisplayName()->first();
|
||||
|
||||
if ($finding instanceof \App\Models\Finding && $record->requiresFreshDecisionForFinding($finding)) {
|
||||
return 'warning';
|
||||
}
|
||||
|
||||
return 'danger';
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,26 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Resources\FindingExceptionResource\Pages;
|
||||
|
||||
use App\Filament\Resources\FindingExceptionResource;
|
||||
use App\Filament\Resources\FindingResource;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Resources\Pages\ListRecords;
|
||||
|
||||
class ListFindingExceptions extends ListRecords
|
||||
{
|
||||
protected static string $resource = FindingExceptionResource::class;
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
Action::make('open_findings')
|
||||
->label('Open findings')
|
||||
->icon('heroicon-o-arrow-top-right-on-square')
|
||||
->color('gray')
|
||||
->url(FindingResource::getUrl('index')),
|
||||
];
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,208 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Resources\FindingExceptionResource\Pages;
|
||||
|
||||
use App\Filament\Resources\FindingExceptionResource;
|
||||
use App\Filament\Resources\FindingResource;
|
||||
use App\Models\FindingException;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Services\Findings\FindingExceptionService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use Filament\Actions\Action;
|
||||
use Filament\Forms\Components\DateTimePicker;
|
||||
use Filament\Forms\Components\Repeater;
|
||||
use Filament\Forms\Components\Select;
|
||||
use Filament\Forms\Components\Textarea;
|
||||
use Filament\Forms\Components\TextInput;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Resources\Pages\ViewRecord;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use InvalidArgumentException;
|
||||
|
||||
class ViewFindingException extends ViewRecord
|
||||
{
|
||||
protected static string $resource = FindingExceptionResource::class;
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return FindingExceptionResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
Action::make('open_finding')
|
||||
->label('Open finding')
|
||||
->icon('heroicon-o-arrow-top-right-on-square')
|
||||
->color('gray')
|
||||
->url(function (): ?string {
|
||||
$record = $this->getRecord();
|
||||
|
||||
if (! $record instanceof FindingException || ! $record->finding || ! $record->tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return FindingResource::getUrl('view', ['record' => $record->finding], panel: 'tenant', tenant: $record->tenant);
|
||||
}),
|
||||
Action::make('renew_exception')
|
||||
->label('Renew exception')
|
||||
->icon('heroicon-o-arrow-path')
|
||||
->color('warning')
|
||||
->visible(fn (): bool => $this->canManageRecord() && $this->getRecord() instanceof FindingException && $this->getRecord()->canBeRenewed())
|
||||
->fillForm(fn (): array => [
|
||||
'owner_user_id' => $this->getRecord() instanceof FindingException ? $this->getRecord()->owner_user_id : null,
|
||||
])
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Select::make('owner_user_id')
|
||||
->label('Owner')
|
||||
->required()
|
||||
->options(fn (): array => FindingExceptionResource::canViewAny() ? $this->tenantMemberOptions() : [])
|
||||
->searchable(),
|
||||
Textarea::make('request_reason')
|
||||
->label('Renewal reason')
|
||||
->rows(4)
|
||||
->required()
|
||||
->maxLength(2000),
|
||||
DateTimePicker::make('review_due_at')
|
||||
->label('Review due at')
|
||||
->required()
|
||||
->seconds(false),
|
||||
DateTimePicker::make('expires_at')
|
||||
->label('Requested expiry')
|
||||
->seconds(false),
|
||||
Repeater::make('evidence_references')
|
||||
->label('Evidence references')
|
||||
->schema([
|
||||
TextInput::make('label')
|
||||
->label('Label')
|
||||
->required()
|
||||
->maxLength(255),
|
||||
TextInput::make('source_type')
|
||||
->label('Source type')
|
||||
->required()
|
||||
->maxLength(255),
|
||||
TextInput::make('source_id')
|
||||
->label('Source ID')
|
||||
->maxLength(255),
|
||||
TextInput::make('source_fingerprint')
|
||||
->label('Fingerprint')
|
||||
->maxLength(255),
|
||||
DateTimePicker::make('measured_at')
|
||||
->label('Measured at')
|
||||
->seconds(false),
|
||||
])
|
||||
->defaultItems(0)
|
||||
->collapsed(),
|
||||
])
|
||||
->action(function (array $data, FindingExceptionService $service): void {
|
||||
$record = $this->getRecord();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $record instanceof FindingException || ! $user instanceof User) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
try {
|
||||
$service->renew($record, $user, $data);
|
||||
} catch (InvalidArgumentException $exception) {
|
||||
Notification::make()
|
||||
->title('Renewal request failed')
|
||||
->body($exception->getMessage())
|
||||
->danger()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
Notification::make()
|
||||
->title('Renewal request submitted')
|
||||
->success()
|
||||
->send();
|
||||
|
||||
$this->refreshFormData(['status', 'current_validity_state', 'review_due_at']);
|
||||
}),
|
||||
Action::make('revoke_exception')
|
||||
->label('Revoke exception')
|
||||
->icon('heroicon-o-no-symbol')
|
||||
->color('danger')
|
||||
->visible(fn (): bool => $this->canManageRecord() && $this->getRecord() instanceof FindingException && $this->getRecord()->canBeRevoked())
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Textarea::make('revocation_reason')
|
||||
->label('Revocation reason')
|
||||
->rows(4)
|
||||
->required()
|
||||
->maxLength(2000),
|
||||
])
|
||||
->action(function (array $data, FindingExceptionService $service): void {
|
||||
$record = $this->getRecord();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $record instanceof FindingException || ! $user instanceof User) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
try {
|
||||
$service->revoke($record, $user, $data);
|
||||
} catch (InvalidArgumentException $exception) {
|
||||
Notification::make()
|
||||
->title('Exception revocation failed')
|
||||
->body($exception->getMessage())
|
||||
->danger()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
Notification::make()
|
||||
->title('Exception revoked')
|
||||
->success()
|
||||
->send();
|
||||
|
||||
$this->refreshFormData(['status', 'current_validity_state', 'revocation_reason', 'revoked_at']);
|
||||
}),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, string>
|
||||
*/
|
||||
private function tenantMemberOptions(): array
|
||||
{
|
||||
$record = $this->getRecord();
|
||||
|
||||
if (! $record instanceof FindingException) {
|
||||
return [];
|
||||
}
|
||||
|
||||
$tenant = $record->tenant;
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return \App\Models\TenantMembership::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->join('users', 'users.id', '=', 'tenant_memberships.user_id')
|
||||
->orderBy('users.name')
|
||||
->pluck('users.name', 'users.id')
|
||||
->mapWithKeys(fn (string $name, int|string $id): array => [(int) $id => $name])
|
||||
->all();
|
||||
}
|
||||
|
||||
private function canManageRecord(): bool
|
||||
{
|
||||
$record = $this->getRecord();
|
||||
$user = auth()->user();
|
||||
|
||||
return $record instanceof FindingException
|
||||
&& $record->tenant instanceof Tenant
|
||||
&& $user instanceof User
|
||||
&& $user->canAccessTenant($record->tenant)
|
||||
&& $user->can(Capabilities::FINDING_EXCEPTION_MANAGE, $record->tenant);
|
||||
}
|
||||
}
|
||||
@ -2,15 +2,18 @@
|
||||
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Resources\FindingResource\Pages;
|
||||
use App\Models\Finding;
|
||||
use App\Models\InventoryItem;
|
||||
use App\Models\FindingException;
|
||||
use App\Models\PolicyVersion;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantMembership;
|
||||
use App\Models\User;
|
||||
use App\Services\Drift\DriftFindingDiffBuilder;
|
||||
use App\Services\Findings\FindingExceptionService;
|
||||
use App\Services\Findings\FindingRiskGovernanceResolver;
|
||||
use App\Services\Findings\FindingWorkflowService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
@ -35,6 +38,8 @@
|
||||
use Filament\Actions\BulkAction;
|
||||
use Filament\Actions\BulkActionGroup;
|
||||
use Filament\Facades\Filament;
|
||||
use Filament\Forms\Components\DateTimePicker;
|
||||
use Filament\Forms\Components\Repeater;
|
||||
use Filament\Forms\Components\Select;
|
||||
use Filament\Forms\Components\Textarea;
|
||||
use Filament\Forms\Components\TextInput;
|
||||
@ -56,6 +61,7 @@
|
||||
|
||||
class FindingResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
|
||||
protected static ?string $model = Finding::class;
|
||||
@ -113,7 +119,8 @@ public static function canView(Model $record): bool
|
||||
}
|
||||
|
||||
if ($record instanceof Finding) {
|
||||
return (int) $record->tenant_id === (int) $tenant->getKey();
|
||||
return (int) $record->tenant_id === (int) $tenant->getKey()
|
||||
&& (int) $record->workspace_id === (int) $tenant->workspace_id;
|
||||
}
|
||||
|
||||
return true;
|
||||
@ -174,17 +181,7 @@ public static function infolist(Schema $schema): Schema
|
||||
TextEntry::make('subject_display_name')
|
||||
->label('Subject')
|
||||
->placeholder('—')
|
||||
->state(function (Finding $record): ?string {
|
||||
$state = $record->subject_display_name;
|
||||
if (is_string($state) && trim($state) !== '') {
|
||||
return $state;
|
||||
}
|
||||
|
||||
$fallback = Arr::get($record->evidence_jsonb ?? [], 'display_name');
|
||||
$fallback = is_string($fallback) ? trim($fallback) : null;
|
||||
|
||||
return $fallback !== '' ? $fallback : null;
|
||||
}),
|
||||
->state(fn (Finding $record): ?string => $record->resolvedSubjectDisplayName()),
|
||||
TextEntry::make('subject_type')
|
||||
->label('Subject type')
|
||||
->formatStateUsing(fn (mixed $state, Finding $record): string => static::subjectTypeLabel($record, $state)),
|
||||
@ -231,6 +228,62 @@ public static function infolist(Schema $schema): Schema
|
||||
->columns(2)
|
||||
->columnSpanFull(),
|
||||
|
||||
Section::make('Risk governance')
|
||||
->schema([
|
||||
TextEntry::make('finding_governance_status')
|
||||
->label('Exception status')
|
||||
->badge()
|
||||
->state(fn (Finding $record): ?string => $record->findingException?->status)
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingExceptionStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::FindingExceptionStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::FindingExceptionStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingExceptionStatus))
|
||||
->placeholder('—'),
|
||||
TextEntry::make('finding_governance_validity')
|
||||
->label('Validity')
|
||||
->badge()
|
||||
->state(function (Finding $record): ?string {
|
||||
if ($record->findingException instanceof FindingException) {
|
||||
return $record->findingException->current_validity_state;
|
||||
}
|
||||
|
||||
return (string) $record->status === Finding::STATUS_RISK_ACCEPTED
|
||||
? FindingException::VALIDITY_MISSING_SUPPORT
|
||||
: null;
|
||||
})
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->color(BadgeRenderer::color(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::FindingRiskGovernanceValidity))
|
||||
->placeholder('—'),
|
||||
TextEntry::make('finding_governance_warning')
|
||||
->label('Governance warning')
|
||||
->state(fn (Finding $record): ?string => static::governanceWarning($record))
|
||||
->color(fn (Finding $record): string => static::governanceWarningColor($record))
|
||||
->columnSpanFull()
|
||||
->visible(fn (Finding $record): bool => static::governanceWarning($record) !== null),
|
||||
TextEntry::make('finding_governance_owner')
|
||||
->label('Exception owner')
|
||||
->state(fn (Finding $record): ?string => $record->findingException?->owner?->name)
|
||||
->placeholder('—'),
|
||||
TextEntry::make('finding_governance_approver')
|
||||
->label('Approver')
|
||||
->state(fn (Finding $record): ?string => $record->findingException?->approver?->name)
|
||||
->placeholder('—'),
|
||||
TextEntry::make('finding_governance_review_due')
|
||||
->label('Review due')
|
||||
->state(fn (Finding $record): mixed => $record->findingException?->review_due_at)
|
||||
->dateTime()
|
||||
->placeholder('—'),
|
||||
TextEntry::make('finding_governance_expires')
|
||||
->label('Expires')
|
||||
->state(fn (Finding $record): mixed => $record->findingException?->expires_at)
|
||||
->dateTime()
|
||||
->placeholder('—'),
|
||||
])
|
||||
->columns(2)
|
||||
->visible(fn (Finding $record): bool => $record->findingException instanceof FindingException || (string) $record->status === Finding::STATUS_RISK_ACCEPTED),
|
||||
|
||||
Section::make('Evidence')
|
||||
->schema([
|
||||
TextEntry::make('redaction_integrity_note')
|
||||
@ -603,16 +656,7 @@ public static function table(Table $table): Table
|
||||
->label('Subject')
|
||||
->placeholder('—')
|
||||
->searchable()
|
||||
->formatStateUsing(function (?string $state, Finding $record): ?string {
|
||||
if (is_string($state) && trim($state) !== '') {
|
||||
return $state;
|
||||
}
|
||||
|
||||
$fallback = Arr::get($record->evidence_jsonb ?? [], 'display_name');
|
||||
$fallback = is_string($fallback) ? trim($fallback) : null;
|
||||
|
||||
return $fallback !== '' ? $fallback : null;
|
||||
})
|
||||
->state(fn (Finding $record): ?string => $record->resolvedSubjectDisplayName())
|
||||
->description(fn (Finding $record): ?string => static::driftContextDescription($record)),
|
||||
Tables\Columns\TextColumn::make('subject_type')
|
||||
->label('Subject type')
|
||||
@ -772,6 +816,7 @@ public static function table(Table $table): Table
|
||||
}
|
||||
|
||||
try {
|
||||
$record = static::resolveProtectedFindingRecordOrFail($record);
|
||||
$workflow->triage($record, $tenant, $user);
|
||||
$triagedCount++;
|
||||
} catch (Throwable) {
|
||||
@ -852,6 +897,7 @@ public static function table(Table $table): Table
|
||||
}
|
||||
|
||||
try {
|
||||
$record = static::resolveProtectedFindingRecordOrFail($record);
|
||||
$workflow->assign($record, $tenant, $user, $assigneeUserId, $ownerUserId);
|
||||
$assignedCount++;
|
||||
} catch (Throwable) {
|
||||
@ -926,6 +972,7 @@ public static function table(Table $table): Table
|
||||
}
|
||||
|
||||
try {
|
||||
$record = static::resolveProtectedFindingRecordOrFail($record);
|
||||
$workflow->resolve($record, $tenant, $user, $reason);
|
||||
$resolvedCount++;
|
||||
} catch (Throwable) {
|
||||
@ -1000,6 +1047,7 @@ public static function table(Table $table): Table
|
||||
}
|
||||
|
||||
try {
|
||||
$record = static::resolveProtectedFindingRecordOrFail($record);
|
||||
$workflow->close($record, $tenant, $user, $reason);
|
||||
$closedCount++;
|
||||
} catch (Throwable) {
|
||||
@ -1027,79 +1075,6 @@ public static function table(Table $table): Table
|
||||
->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
|
||||
->apply(),
|
||||
|
||||
UiEnforcement::forBulkAction(
|
||||
BulkAction::make('risk_accept_selected')
|
||||
->label('Risk accept selected')
|
||||
->icon('heroicon-o-shield-check')
|
||||
->color('warning')
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Textarea::make('closed_reason')
|
||||
->label('Risk acceptance reason')
|
||||
->rows(3)
|
||||
->required()
|
||||
->maxLength(255),
|
||||
])
|
||||
->action(function (Collection $records, array $data, FindingWorkflowService $workflow): void {
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return;
|
||||
}
|
||||
|
||||
$reason = (string) ($data['closed_reason'] ?? '');
|
||||
|
||||
$acceptedCount = 0;
|
||||
$skippedCount = 0;
|
||||
$failedCount = 0;
|
||||
|
||||
foreach ($records as $record) {
|
||||
if (! $record instanceof Finding) {
|
||||
$skippedCount++;
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
if ((int) $record->tenant_id !== (int) $tenant->getKey()) {
|
||||
$skippedCount++;
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
if (! $record->hasOpenStatus()) {
|
||||
$skippedCount++;
|
||||
|
||||
continue;
|
||||
}
|
||||
|
||||
try {
|
||||
$workflow->riskAccept($record, $tenant, $user, $reason);
|
||||
$acceptedCount++;
|
||||
} catch (Throwable) {
|
||||
$failedCount++;
|
||||
}
|
||||
}
|
||||
|
||||
$body = "Risk accepted {$acceptedCount} finding".($acceptedCount === 1 ? '' : 's').'.';
|
||||
if ($skippedCount > 0) {
|
||||
$body .= " Skipped {$skippedCount}.";
|
||||
}
|
||||
if ($failedCount > 0) {
|
||||
$body .= " Failed {$failedCount}.";
|
||||
}
|
||||
|
||||
Notification::make()
|
||||
->title('Bulk risk accept completed')
|
||||
->body($body)
|
||||
->status($failedCount > 0 ? 'warning' : 'success')
|
||||
->send();
|
||||
})
|
||||
->deselectRecordsAfterCompletion(),
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_FINDINGS_RISK_ACCEPT)
|
||||
->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
|
||||
->apply(),
|
||||
])->label('More'),
|
||||
])
|
||||
->emptyStateHeading('No findings match this view')
|
||||
@ -1109,18 +1084,19 @@ public static function table(Table $table): Table
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
$tenantId = static::resolveTenantContextForCurrentPanel()?->getKey();
|
||||
return static::getTenantOwnedEloquentQuery()
|
||||
->with(['assigneeUser', 'ownerUser', 'closedByUser', 'findingException.owner', 'findingException.approver', 'findingException.currentDecision'])
|
||||
->withSubjectDisplayName();
|
||||
}
|
||||
|
||||
return parent::getEloquentQuery()
|
||||
->with(['assigneeUser', 'ownerUser', 'closedByUser'])
|
||||
->addSelect([
|
||||
'subject_display_name' => InventoryItem::query()
|
||||
->select('display_name')
|
||||
->whereColumn('inventory_items.tenant_id', 'findings.tenant_id')
|
||||
->whereColumn('inventory_items.external_id', 'findings.subject_external_id')
|
||||
->limit(1),
|
||||
])
|
||||
->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId));
|
||||
public static function resolveScopedRecordOrFail(int|string $key): Model
|
||||
{
|
||||
return static::resolveTenantOwnedRecordOrFail(
|
||||
$key,
|
||||
parent::getEloquentQuery()
|
||||
->with(['assigneeUser', 'ownerUser', 'closedByUser', 'findingException.owner', 'findingException.approver', 'findingException.currentDecision'])
|
||||
->withSubjectDisplayName(),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -1196,7 +1172,9 @@ public static function workflowActions(): array
|
||||
static::assignAction(),
|
||||
static::resolveAction(),
|
||||
static::closeAction(),
|
||||
static::riskAcceptAction(),
|
||||
static::requestExceptionAction(),
|
||||
static::renewExceptionAction(),
|
||||
static::revokeExceptionAction(),
|
||||
static::reopenAction(),
|
||||
];
|
||||
}
|
||||
@ -1208,7 +1186,7 @@ public static function triageAction(): Actions\Action
|
||||
->label('Triage')
|
||||
->icon('heroicon-o-check')
|
||||
->color('gray')
|
||||
->visible(fn (Finding $record): bool => in_array((string) $record->status, [
|
||||
->visible(fn (Finding $record): bool => in_array(static::freshWorkflowStatus($record), [
|
||||
Finding::STATUS_NEW,
|
||||
Finding::STATUS_REOPENED,
|
||||
Finding::STATUS_ACKNOWLEDGED,
|
||||
@ -1234,7 +1212,7 @@ public static function startProgressAction(): Actions\Action
|
||||
->label('Start progress')
|
||||
->icon('heroicon-o-play')
|
||||
->color('info')
|
||||
->visible(fn (Finding $record): bool => in_array((string) $record->status, [
|
||||
->visible(fn (Finding $record): bool => in_array(static::freshWorkflowStatus($record), [
|
||||
Finding::STATUS_TRIAGED,
|
||||
Finding::STATUS_ACKNOWLEDGED,
|
||||
], true))
|
||||
@ -1259,7 +1237,7 @@ public static function assignAction(): Actions\Action
|
||||
->label('Assign')
|
||||
->icon('heroicon-o-user-plus')
|
||||
->color('gray')
|
||||
->visible(fn (Finding $record): bool => $record->hasOpenStatus())
|
||||
->visible(fn (Finding $record): bool => static::freshWorkflowRecord($record)->hasOpenStatus())
|
||||
->fillForm(fn (Finding $record): array => [
|
||||
'assignee_user_id' => $record->assignee_user_id,
|
||||
'owner_user_id' => $record->owner_user_id,
|
||||
@ -1303,7 +1281,7 @@ public static function resolveAction(): Actions\Action
|
||||
->label('Resolve')
|
||||
->icon('heroicon-o-check-badge')
|
||||
->color('success')
|
||||
->visible(fn (Finding $record): bool => $record->hasOpenStatus())
|
||||
->visible(fn (Finding $record): bool => static::freshWorkflowRecord($record)->hasOpenStatus())
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Textarea::make('resolved_reason')
|
||||
@ -1338,6 +1316,7 @@ public static function closeAction(): Actions\Action
|
||||
->label('Close')
|
||||
->icon('heroicon-o-x-circle')
|
||||
->color('danger')
|
||||
->visible(fn (Finding $record): bool => static::freshWorkflowRecord($record)->hasOpenStatus())
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Textarea::make('closed_reason')
|
||||
@ -1365,36 +1344,153 @@ public static function closeAction(): Actions\Action
|
||||
->apply();
|
||||
}
|
||||
|
||||
public static function riskAcceptAction(): Actions\Action
|
||||
public static function requestExceptionAction(): Actions\Action
|
||||
{
|
||||
return UiEnforcement::forAction(
|
||||
Actions\Action::make('risk_accept')
|
||||
->label('Risk accept')
|
||||
->icon('heroicon-o-shield-check')
|
||||
Actions\Action::make('request_exception')
|
||||
->label('Request exception')
|
||||
->icon('heroicon-o-shield-exclamation')
|
||||
->color('warning')
|
||||
->visible(fn (Finding $record): bool => static::freshWorkflowRecord($record)->hasOpenStatus())
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Textarea::make('closed_reason')
|
||||
->label('Risk acceptance reason')
|
||||
->rows(3)
|
||||
Select::make('owner_user_id')
|
||||
->label('Owner')
|
||||
->required()
|
||||
->maxLength(255),
|
||||
->options(fn (): array => static::tenantMemberOptions())
|
||||
->searchable(),
|
||||
Textarea::make('request_reason')
|
||||
->label('Request reason')
|
||||
->rows(4)
|
||||
->required()
|
||||
->maxLength(2000),
|
||||
DateTimePicker::make('review_due_at')
|
||||
->label('Review due at')
|
||||
->required()
|
||||
->seconds(false),
|
||||
DateTimePicker::make('expires_at')
|
||||
->label('Expires at')
|
||||
->seconds(false),
|
||||
Repeater::make('evidence_references')
|
||||
->label('Evidence references')
|
||||
->schema([
|
||||
TextInput::make('label')
|
||||
->label('Label')
|
||||
->required()
|
||||
->maxLength(255),
|
||||
TextInput::make('source_type')
|
||||
->label('Source type')
|
||||
->required()
|
||||
->maxLength(255),
|
||||
TextInput::make('source_id')
|
||||
->label('Source ID')
|
||||
->maxLength(255),
|
||||
TextInput::make('source_fingerprint')
|
||||
->label('Fingerprint')
|
||||
->maxLength(255),
|
||||
DateTimePicker::make('measured_at')
|
||||
->label('Measured at')
|
||||
->seconds(false),
|
||||
])
|
||||
->defaultItems(0)
|
||||
->collapsed(),
|
||||
])
|
||||
->action(function (Finding $record, array $data, FindingWorkflowService $workflow): void {
|
||||
static::runWorkflowMutation(
|
||||
record: $record,
|
||||
successTitle: 'Finding marked as risk accepted',
|
||||
callback: fn (Finding $finding, Tenant $tenant, User $user): Finding => $workflow->riskAccept(
|
||||
$finding,
|
||||
$tenant,
|
||||
$user,
|
||||
(string) ($data['closed_reason'] ?? ''),
|
||||
),
|
||||
);
|
||||
->action(function (Finding $record, array $data, FindingExceptionService $service): void {
|
||||
static::runExceptionRequestMutation($record, $data, $service);
|
||||
})
|
||||
)
|
||||
->preserveVisibility()
|
||||
->requireCapability(Capabilities::TENANT_FINDINGS_RISK_ACCEPT)
|
||||
->requireCapability(Capabilities::FINDING_EXCEPTION_MANAGE)
|
||||
->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
|
||||
->apply();
|
||||
}
|
||||
|
||||
public static function renewExceptionAction(): Actions\Action
|
||||
{
|
||||
return UiEnforcement::forAction(
|
||||
Actions\Action::make('renew_exception')
|
||||
->label('Renew exception')
|
||||
->icon('heroicon-o-arrow-path')
|
||||
->color('warning')
|
||||
->visible(fn (Finding $record): bool => static::currentFindingException($record)?->canBeRenewed() ?? false)
|
||||
->fillForm(fn (Finding $record): array => [
|
||||
'owner_user_id' => static::currentFindingException($record)?->owner_user_id,
|
||||
])
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Select::make('owner_user_id')
|
||||
->label('Owner')
|
||||
->required()
|
||||
->options(fn (): array => static::tenantMemberOptions())
|
||||
->searchable(),
|
||||
Textarea::make('request_reason')
|
||||
->label('Renewal reason')
|
||||
->rows(4)
|
||||
->required()
|
||||
->maxLength(2000),
|
||||
DateTimePicker::make('review_due_at')
|
||||
->label('Review due at')
|
||||
->required()
|
||||
->seconds(false),
|
||||
DateTimePicker::make('expires_at')
|
||||
->label('Requested expiry')
|
||||
->seconds(false),
|
||||
Repeater::make('evidence_references')
|
||||
->label('Evidence references')
|
||||
->schema([
|
||||
TextInput::make('label')
|
||||
->label('Label')
|
||||
->required()
|
||||
->maxLength(255),
|
||||
TextInput::make('source_type')
|
||||
->label('Source type')
|
||||
->required()
|
||||
->maxLength(255),
|
||||
TextInput::make('source_id')
|
||||
->label('Source ID')
|
||||
->maxLength(255),
|
||||
TextInput::make('source_fingerprint')
|
||||
->label('Fingerprint')
|
||||
->maxLength(255),
|
||||
DateTimePicker::make('measured_at')
|
||||
->label('Measured at')
|
||||
->seconds(false),
|
||||
])
|
||||
->defaultItems(0)
|
||||
->collapsed(),
|
||||
])
|
||||
->action(function (Finding $record, array $data, FindingExceptionService $service): void {
|
||||
static::runExceptionRenewalMutation($record, $data, $service);
|
||||
})
|
||||
)
|
||||
->preserveVisibility()
|
||||
->requireCapability(Capabilities::FINDING_EXCEPTION_MANAGE)
|
||||
->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
|
||||
->apply();
|
||||
}
|
||||
|
||||
public static function revokeExceptionAction(): Actions\Action
|
||||
{
|
||||
return UiEnforcement::forAction(
|
||||
Actions\Action::make('revoke_exception')
|
||||
->label('Revoke exception')
|
||||
->icon('heroicon-o-no-symbol')
|
||||
->color('danger')
|
||||
->visible(fn (Finding $record): bool => static::currentFindingException($record)?->canBeRevoked() ?? false)
|
||||
->requiresConfirmation()
|
||||
->form([
|
||||
Textarea::make('revocation_reason')
|
||||
->label('Revocation reason')
|
||||
->rows(4)
|
||||
->required()
|
||||
->maxLength(2000),
|
||||
])
|
||||
->action(function (Finding $record, array $data, FindingExceptionService $service): void {
|
||||
static::runExceptionRevocationMutation($record, $data, $service);
|
||||
})
|
||||
)
|
||||
->preserveVisibility()
|
||||
->requireCapability(Capabilities::FINDING_EXCEPTION_MANAGE)
|
||||
->tooltip(UiTooltips::INSUFFICIENT_PERMISSION)
|
||||
->apply();
|
||||
}
|
||||
@ -1407,7 +1503,7 @@ public static function reopenAction(): Actions\Action
|
||||
->icon('heroicon-o-arrow-uturn-left')
|
||||
->color('warning')
|
||||
->requiresConfirmation()
|
||||
->visible(fn (Finding $record): bool => Finding::isTerminalStatus((string) $record->status))
|
||||
->visible(fn (Finding $record): bool => Finding::isTerminalStatus(static::freshWorkflowStatus($record)))
|
||||
->action(function (Finding $record, FindingWorkflowService $workflow): void {
|
||||
static::runWorkflowMutation(
|
||||
record: $record,
|
||||
@ -1427,6 +1523,7 @@ public static function reopenAction(): Actions\Action
|
||||
*/
|
||||
private static function runWorkflowMutation(Finding $record, string $successTitle, callable $callback): void
|
||||
{
|
||||
$record = static::resolveProtectedFindingRecordOrFail($record);
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
@ -1443,6 +1540,15 @@ private static function runWorkflowMutation(Finding $record, string $successTitl
|
||||
return;
|
||||
}
|
||||
|
||||
if ((int) $record->workspace_id !== (int) $tenant->workspace_id) {
|
||||
Notification::make()
|
||||
->title('Finding belongs to a different workspace')
|
||||
->danger()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
$callback($record, $tenant, $user);
|
||||
} catch (InvalidArgumentException $e) {
|
||||
@ -1461,6 +1567,194 @@ private static function runWorkflowMutation(Finding $record, string $successTitl
|
||||
->send();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
private static function runExceptionRequestMutation(Finding $record, array $data, FindingExceptionService $service): void
|
||||
{
|
||||
$record = static::resolveProtectedFindingRecordOrFail($record);
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
$createdException = $service->request($record, $tenant, $user, $data);
|
||||
} catch (InvalidArgumentException $exception) {
|
||||
Notification::make()
|
||||
->title('Exception request failed')
|
||||
->body($exception->getMessage())
|
||||
->danger()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
Notification::make()
|
||||
->title('Exception request submitted')
|
||||
->success()
|
||||
->actions([
|
||||
Actions\Action::make('view_exception')
|
||||
->label('View exception')
|
||||
->url(static::findingExceptionViewUrl($createdException, $tenant)),
|
||||
])
|
||||
->send();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
private static function runExceptionRenewalMutation(Finding $record, array $data, FindingExceptionService $service): void
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
$renewedException = $service->renew(static::resolveCurrentFindingExceptionOrFail($record), $user, $data);
|
||||
} catch (InvalidArgumentException $exception) {
|
||||
Notification::make()
|
||||
->title('Renewal request failed')
|
||||
->body($exception->getMessage())
|
||||
->danger()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
Notification::make()
|
||||
->title('Renewal request submitted')
|
||||
->success()
|
||||
->actions([
|
||||
Actions\Action::make('view_exception')
|
||||
->label('View exception')
|
||||
->url(static::findingExceptionViewUrl($renewedException, $tenant)),
|
||||
])
|
||||
->send();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
private static function runExceptionRevocationMutation(Finding $record, array $data, FindingExceptionService $service): void
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
$revokedException = $service->revoke(static::resolveCurrentFindingExceptionOrFail($record), $user, $data);
|
||||
} catch (InvalidArgumentException $exception) {
|
||||
Notification::make()
|
||||
->title('Exception revocation failed')
|
||||
->body($exception->getMessage())
|
||||
->danger()
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
Notification::make()
|
||||
->title('Exception revoked')
|
||||
->success()
|
||||
->actions([
|
||||
Actions\Action::make('view_exception')
|
||||
->label('View exception')
|
||||
->url(static::findingExceptionViewUrl($revokedException, $tenant)),
|
||||
])
|
||||
->send();
|
||||
}
|
||||
|
||||
private static function freshWorkflowRecord(Finding $record): Finding
|
||||
{
|
||||
return static::resolveProtectedFindingRecordOrFail($record);
|
||||
}
|
||||
|
||||
private static function freshWorkflowStatus(Finding $record): string
|
||||
{
|
||||
return (string) static::freshWorkflowRecord($record)->status;
|
||||
}
|
||||
|
||||
private static function resolveProtectedFindingRecordOrFail(Finding|int|string $record): Finding
|
||||
{
|
||||
$resolvedRecord = static::resolveScopedRecordOrFail($record instanceof Model ? $record->getKey() : $record);
|
||||
|
||||
if (! $resolvedRecord instanceof Finding) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
return $resolvedRecord;
|
||||
}
|
||||
|
||||
private static function currentFindingException(Finding $record): ?FindingException
|
||||
{
|
||||
$finding = static::resolveProtectedFindingRecordOrFail($record);
|
||||
|
||||
return static::resolvedFindingException($finding);
|
||||
}
|
||||
|
||||
private static function resolvedFindingException(Finding $finding): ?FindingException
|
||||
{
|
||||
$exception = $finding->relationLoaded('findingException')
|
||||
? $finding->findingException
|
||||
: $finding->findingException()->with('currentDecision')->first();
|
||||
|
||||
if (! $exception instanceof FindingException) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$exception->loadMissing('currentDecision');
|
||||
|
||||
return $exception;
|
||||
}
|
||||
|
||||
private static function resolveCurrentFindingExceptionOrFail(Finding $record): FindingException
|
||||
{
|
||||
$exception = static::currentFindingException($record);
|
||||
|
||||
if (! $exception instanceof FindingException) {
|
||||
throw new InvalidArgumentException('This finding does not have an exception to manage.');
|
||||
}
|
||||
|
||||
return $exception;
|
||||
}
|
||||
|
||||
private static function findingExceptionViewUrl(\App\Models\FindingException $exception, Tenant $tenant): string
|
||||
{
|
||||
$panelId = Filament::getCurrentPanel()?->getId();
|
||||
|
||||
if ($panelId === 'admin') {
|
||||
return FindingExceptionResource::getUrl('view', ['record' => $exception], panel: 'admin');
|
||||
}
|
||||
|
||||
return FindingExceptionResource::getUrl('view', ['record' => $exception], panel: 'tenant', tenant: $tenant);
|
||||
}
|
||||
|
||||
private static function governanceWarning(Finding $finding): ?string
|
||||
{
|
||||
return app(FindingRiskGovernanceResolver::class)
|
||||
->resolveWarningMessage($finding, static::resolvedFindingException($finding));
|
||||
}
|
||||
|
||||
private static function governanceWarningColor(Finding $finding): string
|
||||
{
|
||||
$exception = static::resolvedFindingException($finding);
|
||||
|
||||
if ($exception instanceof FindingException && $exception->requiresFreshDecisionForFinding($finding)) {
|
||||
return 'warning';
|
||||
}
|
||||
|
||||
return 'danger';
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, string>
|
||||
*/
|
||||
|
||||
@ -23,6 +23,7 @@
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Resources\Pages\ListRecords;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\ModelNotFoundException;
|
||||
use Illuminate\Support\Arr;
|
||||
use Throwable;
|
||||
|
||||
@ -32,14 +33,26 @@ class ListFindings extends ListRecords
|
||||
|
||||
protected static string $resource = FindingResource::class;
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $arguments
|
||||
* @param array<string, mixed> $context
|
||||
*/
|
||||
public function mountAction(string $name, array $arguments = [], array $context = []): mixed
|
||||
{
|
||||
if (($context['table'] ?? false) === true && filled($context['recordKey'] ?? null) && in_array($name, ['triage', 'start_progress', 'assign', 'resolve', 'close', 'request_exception', 'reopen'], true)) {
|
||||
try {
|
||||
FindingResource::resolveScopedRecordOrFail($context['recordKey']);
|
||||
} catch (ModelNotFoundException) {
|
||||
abort(404);
|
||||
}
|
||||
}
|
||||
|
||||
return parent::mountAction($name, $arguments, $context);
|
||||
}
|
||||
|
||||
public function mount(): void
|
||||
{
|
||||
app(CanonicalAdminTenantFilterState::class)->sync(
|
||||
$this->getTableFiltersSessionKey(),
|
||||
tenantSensitiveFilters: ['scope_key', 'run_ids'],
|
||||
request: request(),
|
||||
tenantFilterName: null,
|
||||
);
|
||||
$this->syncCanonicalAdminTenantFilterState();
|
||||
|
||||
parent::mount();
|
||||
}
|
||||
@ -246,15 +259,7 @@ protected function getHeaderActions(): array
|
||||
|
||||
protected function buildAllMatchingQuery(): Builder
|
||||
{
|
||||
$query = Finding::query();
|
||||
|
||||
$tenantId = static::resolveTenantContextForCurrentPanel()?->getKey();
|
||||
|
||||
if (! is_numeric($tenantId)) {
|
||||
return $query->whereRaw('1 = 0');
|
||||
}
|
||||
|
||||
$query->where('tenant_id', (int) $tenantId);
|
||||
$query = FindingResource::getEloquentQuery();
|
||||
|
||||
$query->where('status', Finding::STATUS_NEW);
|
||||
|
||||
@ -304,6 +309,16 @@ protected function buildAllMatchingQuery(): Builder
|
||||
return $query;
|
||||
}
|
||||
|
||||
private function syncCanonicalAdminTenantFilterState(): void
|
||||
{
|
||||
app(CanonicalAdminTenantFilterState::class)->sync(
|
||||
$this->getTableFiltersSessionKey(),
|
||||
tenantSensitiveFilters: ['scope_key', 'run_ids'],
|
||||
request: request(),
|
||||
tenantFilterName: null,
|
||||
);
|
||||
}
|
||||
|
||||
private function filterIsActive(string $filterName): bool
|
||||
{
|
||||
$state = $this->getTableFilterState($filterName);
|
||||
|
||||
@ -8,11 +8,17 @@
|
||||
use Filament\Actions;
|
||||
use Filament\Resources\Pages\ViewRecord;
|
||||
use Illuminate\Contracts\Support\Htmlable;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
|
||||
class ViewFinding extends ViewRecord
|
||||
{
|
||||
protected static string $resource = FindingResource::class;
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return FindingResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
|
||||
@ -3,6 +3,7 @@
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Filament\Clusters\Inventory\InventoryCluster;
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Resources\InventoryItemResource\Pages;
|
||||
use App\Models\InventoryItem;
|
||||
@ -38,6 +39,7 @@
|
||||
|
||||
class InventoryItemResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
|
||||
protected static ?string $model = InventoryItem::class;
|
||||
@ -334,13 +336,15 @@ public static function table(Table $table): Table
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
$tenantId = static::resolveTenantContextForCurrentPanel()?->getKey();
|
||||
|
||||
return parent::getEloquentQuery()
|
||||
->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))
|
||||
return static::getTenantOwnedEloquentQuery()
|
||||
->with('lastSeenRun');
|
||||
}
|
||||
|
||||
public static function resolveScopedRecordOrFail(int|string $key): Model
|
||||
{
|
||||
return static::resolveTenantOwnedRecordOrFail($key, parent::getEloquentQuery()->with('lastSeenRun'));
|
||||
}
|
||||
|
||||
public static function getPages(): array
|
||||
{
|
||||
return [
|
||||
|
||||
@ -174,6 +174,8 @@ protected function getHeaderActions(): array
|
||||
],
|
||||
context: array_merge($computed['selection'], [
|
||||
'selection_hash' => $computed['selection_hash'],
|
||||
'execution_authority_mode' => 'actor_bound',
|
||||
'required_capability' => Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
||||
'target_scope' => [
|
||||
'entra_tenant_id' => $tenant->graphTenantId(),
|
||||
],
|
||||
|
||||
@ -4,8 +4,14 @@
|
||||
|
||||
use App\Filament\Resources\InventoryItemResource;
|
||||
use Filament\Resources\Pages\ViewRecord;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
|
||||
class ViewInventoryItem extends ViewRecord
|
||||
{
|
||||
protected static string $resource = InventoryItemResource::class;
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return InventoryItemResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
}
|
||||
|
||||
@ -22,6 +22,7 @@
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\OpsUx\RunDurationInsights;
|
||||
use App\Support\Tenants\ReferencedTenantLifecyclePresentation;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDefaults;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
@ -254,6 +255,9 @@ private static function enterpriseDetailPage(OperationRun $record): \App\Support
|
||||
$outcomeSpec = BadgeRenderer::spec(BadgeDomain::OperationRunOutcome, $record->outcome);
|
||||
$targetScope = static::targetScopeDisplay($record);
|
||||
$summaryLine = \App\Support\OpsUx\SummaryCountsNormalizer::renderSummaryLine(is_array($record->summary_counts) ? $record->summary_counts : []);
|
||||
$referencedTenantLifecycle = $record->tenant instanceof Tenant
|
||||
? ReferencedTenantLifecyclePresentation::forOperationRun($record->tenant)
|
||||
: null;
|
||||
|
||||
$builder = \App\Support\Ui\EnterpriseDetail\EnterpriseDetailBuilder::make('operation_run', 'workspace-context')
|
||||
->header(new \App\Support\Ui\EnterpriseDetail\SummaryHeaderData(
|
||||
@ -300,7 +304,34 @@ private static function enterpriseDetailPage(OperationRun $record): \App\Support
|
||||
items: array_values(array_filter([
|
||||
$factory->keyFact('Status', $statusSpec->label, badge: $factory->statusBadge($statusSpec->label, $statusSpec->color, $statusSpec->icon, $statusSpec->iconColor)),
|
||||
$factory->keyFact('Outcome', $outcomeSpec->label, badge: $factory->statusBadge($outcomeSpec->label, $outcomeSpec->color, $outcomeSpec->icon, $outcomeSpec->iconColor)),
|
||||
$referencedTenantLifecycle !== null
|
||||
? $factory->keyFact(
|
||||
'Tenant lifecycle',
|
||||
$referencedTenantLifecycle->presentation->label,
|
||||
badge: $factory->statusBadge(
|
||||
$referencedTenantLifecycle->presentation->label,
|
||||
$referencedTenantLifecycle->presentation->badgeColor,
|
||||
$referencedTenantLifecycle->presentation->badgeIcon,
|
||||
$referencedTenantLifecycle->presentation->badgeIconColor,
|
||||
),
|
||||
)
|
||||
: null,
|
||||
$referencedTenantLifecycle?->selectorAvailabilityMessage() !== null
|
||||
? $factory->keyFact('Tenant selector context', $referencedTenantLifecycle->selectorAvailabilityMessage())
|
||||
: null,
|
||||
$referencedTenantLifecycle?->contextNote !== null
|
||||
? $factory->keyFact('Viewer context', $referencedTenantLifecycle->contextNote)
|
||||
: null,
|
||||
$summaryLine !== null ? $factory->keyFact('Counts', $summaryLine) : null,
|
||||
static::blockedExecutionReasonCode($record) !== null
|
||||
? $factory->keyFact('Blocked reason', static::blockedExecutionReasonCode($record))
|
||||
: null,
|
||||
static::blockedExecutionDetail($record) !== null
|
||||
? $factory->keyFact('Blocked detail', static::blockedExecutionDetail($record))
|
||||
: null,
|
||||
static::blockedExecutionSource($record) !== null
|
||||
? $factory->keyFact('Blocked by', static::blockedExecutionSource($record))
|
||||
: null,
|
||||
RunDurationInsights::stuckGuidance($record) !== null ? $factory->keyFact('Guidance', RunDurationInsights::stuckGuidance($record)) : null,
|
||||
])),
|
||||
),
|
||||
@ -347,7 +378,7 @@ private static function enterpriseDetailPage(OperationRun $record): \App\Support
|
||||
$factory->viewSection(
|
||||
id: 'failures',
|
||||
kind: 'operational_context',
|
||||
title: 'Failures',
|
||||
title: (string) $record->outcome === OperationRunOutcome::Blocked->value ? 'Blocked execution details' : 'Failures',
|
||||
view: 'filament.infolists.entries.snapshot-json',
|
||||
viewData: ['payload' => $record->failure_summary ?? []],
|
||||
),
|
||||
@ -429,6 +460,51 @@ private static function summaryCountFacts(
|
||||
);
|
||||
}
|
||||
|
||||
private static function blockedExecutionReasonCode(OperationRun $record): ?string
|
||||
{
|
||||
if ((string) $record->outcome !== OperationRunOutcome::Blocked->value) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$context = is_array($record->context) ? $record->context : [];
|
||||
|
||||
$reasonCode = data_get($context, 'execution_legitimacy.reason_code')
|
||||
?? data_get($context, 'reason_code')
|
||||
?? data_get($record->failure_summary, '0.reason_code');
|
||||
|
||||
return is_string($reasonCode) && trim($reasonCode) !== '' ? trim($reasonCode) : null;
|
||||
}
|
||||
|
||||
private static function blockedExecutionDetail(OperationRun $record): ?string
|
||||
{
|
||||
if ((string) $record->outcome !== OperationRunOutcome::Blocked->value) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$message = data_get($record->failure_summary, '0.message');
|
||||
|
||||
return is_string($message) && trim($message) !== '' ? trim($message) : 'Execution was refused before work began.';
|
||||
}
|
||||
|
||||
private static function blockedExecutionSource(OperationRun $record): ?string
|
||||
{
|
||||
if ((string) $record->outcome !== OperationRunOutcome::Blocked->value) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$context = is_array($record->context) ? $record->context : [];
|
||||
$blockedBy = $context['blocked_by'] ?? null;
|
||||
|
||||
if (! is_string($blockedBy) || trim($blockedBy) === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
return match (trim($blockedBy)) {
|
||||
'queued_execution_legitimacy' => 'Execution legitimacy revalidation',
|
||||
default => ucfirst(str_replace('_', ' ', trim($blockedBy))),
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<array<string, mixed>>
|
||||
*/
|
||||
|
||||
@ -2,7 +2,9 @@
|
||||
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Concerns\ScopesGlobalSearchToTenant;
|
||||
use App\Filament\Resources\PolicyResource\Pages;
|
||||
use App\Filament\Resources\PolicyResource\RelationManagers\VersionsRelationManager;
|
||||
use App\Jobs\BulkPolicyDeleteJob;
|
||||
@ -54,7 +56,9 @@
|
||||
|
||||
class PolicyResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
use ScopesGlobalSearchToTenant;
|
||||
|
||||
protected static ?string $model = Policy::class;
|
||||
|
||||
@ -1010,16 +1014,25 @@ public static function table(Table $table): Table
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
$tenantId = static::resolveTenantContextForCurrentPanelOrFail()->getKey();
|
||||
|
||||
return parent::getEloquentQuery()
|
||||
->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))
|
||||
return static::getTenantOwnedEloquentQuery()
|
||||
->withCount('versions')
|
||||
->with([
|
||||
'versions' => fn ($query) => $query->orderByDesc('captured_at')->limit(1),
|
||||
]);
|
||||
}
|
||||
|
||||
public static function resolveScopedRecordOrFail(int|string $key): \Illuminate\Database\Eloquent\Model
|
||||
{
|
||||
return static::resolveTenantOwnedRecordOrFail(
|
||||
$key,
|
||||
parent::getEloquentQuery()
|
||||
->withCount('versions')
|
||||
->with([
|
||||
'versions' => fn ($query) => $query->orderByDesc('captured_at')->limit(1),
|
||||
]),
|
||||
);
|
||||
}
|
||||
|
||||
public static function getRelations(): array
|
||||
{
|
||||
return [
|
||||
|
||||
@ -3,12 +3,20 @@
|
||||
namespace App\Filament\Resources\PolicyResource\Pages;
|
||||
|
||||
use App\Filament\Resources\PolicyResource;
|
||||
use App\Support\Filament\CanonicalAdminTenantFilterState;
|
||||
use Filament\Resources\Pages\ListRecords;
|
||||
|
||||
class ListPolicies extends ListRecords
|
||||
{
|
||||
protected static string $resource = PolicyResource::class;
|
||||
|
||||
public function mount(): void
|
||||
{
|
||||
$this->syncCanonicalAdminTenantFilterState();
|
||||
|
||||
parent::mount();
|
||||
}
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
@ -22,4 +30,14 @@ protected function getTableEmptyStateActions(): array
|
||||
PolicyResource::makeSyncAction(),
|
||||
];
|
||||
}
|
||||
|
||||
private function syncCanonicalAdminTenantFilterState(): void
|
||||
{
|
||||
app(CanonicalAdminTenantFilterState::class)->sync(
|
||||
$this->getTableFiltersSessionKey(),
|
||||
tenantSensitiveFilters: [],
|
||||
request: request(),
|
||||
tenantFilterName: null,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
@ -16,6 +16,7 @@
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Resources\Pages\ViewRecord;
|
||||
use Filament\Support\Enums\Width;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Support\Str;
|
||||
|
||||
class ViewPolicy extends ViewRecord
|
||||
@ -24,6 +25,11 @@ class ViewPolicy extends ViewRecord
|
||||
|
||||
protected Width|string|null $maxContentWidth = Width::Full;
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return PolicyResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
|
||||
protected function getActions(): array
|
||||
{
|
||||
return [$this->makeCaptureSnapshotAction()];
|
||||
|
||||
@ -4,6 +4,7 @@
|
||||
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Resources\RestoreRunResource;
|
||||
use App\Models\Policy;
|
||||
use App\Models\PolicyVersion;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
@ -31,6 +32,19 @@ class VersionsRelationManager extends RelationManager
|
||||
|
||||
protected static string $relationship = 'versions';
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $arguments
|
||||
* @param array<string, mixed> $context
|
||||
*/
|
||||
public function mountAction(string $name, array $arguments = [], array $context = []): mixed
|
||||
{
|
||||
if (($context['table'] ?? false) === true && $name === 'restore_to_intune' && filled($context['recordKey'] ?? null)) {
|
||||
$this->resolveOwnerScopedVersionRecord($this->getOwnerRecord(), $context['recordKey']);
|
||||
}
|
||||
|
||||
return parent::mountAction($name, $arguments, $context);
|
||||
}
|
||||
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forRelationManager(ActionSurfaceProfile::RelationManager)
|
||||
@ -55,7 +69,8 @@ public function table(Table $table): Table
|
||||
->label('Preview only (dry-run)')
|
||||
->default(true),
|
||||
])
|
||||
->action(function (PolicyVersion $record, array $data, RestoreService $restoreService) {
|
||||
->action(function (mixed $record, array $data, RestoreService $restoreService) {
|
||||
$record = $this->resolveOwnerScopedVersionRecord($this->getOwnerRecord(), $record);
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
@ -178,4 +193,26 @@ public function table(Table $table): Table
|
||||
->emptyStateHeading('No versions captured')
|
||||
->emptyStateDescription('Capture or sync this policy again to create version history entries.');
|
||||
}
|
||||
|
||||
private function resolveOwnerScopedVersionRecord(Policy $policy, mixed $record): PolicyVersion
|
||||
{
|
||||
$recordId = $record instanceof PolicyVersion
|
||||
? (int) $record->getKey()
|
||||
: (is_numeric($record) ? (int) $record : 0);
|
||||
|
||||
if ($recordId <= 0) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$resolvedRecord = $policy->versions()
|
||||
->where('tenant_id', (int) $policy->tenant_id)
|
||||
->whereKey($recordId)
|
||||
->first();
|
||||
|
||||
if (! $resolvedRecord instanceof PolicyVersion) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
return $resolvedRecord;
|
||||
}
|
||||
}
|
||||
|
||||
@ -2,7 +2,9 @@
|
||||
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Concerns\ScopesGlobalSearchToTenant;
|
||||
use App\Filament\Resources\PolicyVersionResource\Pages;
|
||||
use App\Jobs\BulkPolicyVersionForceDeleteJob;
|
||||
use App\Jobs\BulkPolicyVersionPruneJob;
|
||||
@ -59,7 +61,9 @@
|
||||
|
||||
class PolicyVersionResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
use ScopesGlobalSearchToTenant;
|
||||
|
||||
protected static ?string $model = PolicyVersion::class;
|
||||
|
||||
@ -893,7 +897,6 @@ public static function table(Table $table): Table
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanelOrFail();
|
||||
$tenantId = $tenant->getKey();
|
||||
$user = auth()->user();
|
||||
|
||||
$resolver = app(CapabilityResolver::class);
|
||||
@ -903,8 +906,7 @@ public static function getEloquentQuery(): Builder
|
||||
|| $resolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW)
|
||||
);
|
||||
|
||||
return parent::getEloquentQuery()
|
||||
->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))
|
||||
return static::getTenantOwnedEloquentQuery()
|
||||
->when(! $canSeeBaselinePurposeEvidence, function (Builder $query): Builder {
|
||||
return $query->where(function (Builder $query): void {
|
||||
$query
|
||||
@ -918,6 +920,36 @@ public static function getEloquentQuery(): Builder
|
||||
->with('policy');
|
||||
}
|
||||
|
||||
public static function resolveScopedRecordOrFail(int|string $key): \Illuminate\Database\Eloquent\Model
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanelOrFail();
|
||||
$user = auth()->user();
|
||||
|
||||
$resolver = app(CapabilityResolver::class);
|
||||
$canSeeBaselinePurposeEvidence = $user instanceof User
|
||||
&& (
|
||||
$resolver->can($user, $tenant, Capabilities::TENANT_SYNC)
|
||||
|| $resolver->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW)
|
||||
);
|
||||
|
||||
return static::resolveTenantOwnedRecordOrFail(
|
||||
$key,
|
||||
parent::getEloquentQuery()
|
||||
->withTrashed()
|
||||
->when(! $canSeeBaselinePurposeEvidence, function (Builder $query): Builder {
|
||||
return $query->where(function (Builder $query): void {
|
||||
$query
|
||||
->whereNull('capture_purpose')
|
||||
->orWhereNotIn('capture_purpose', [
|
||||
PolicyVersionCapturePurpose::BaselineCapture->value,
|
||||
PolicyVersionCapturePurpose::BaselineCompare->value,
|
||||
]);
|
||||
});
|
||||
})
|
||||
->with('policy'),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<array{
|
||||
* key: string,
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
use Filament\Resources\Pages\ViewRecord;
|
||||
use Filament\Support\Enums\Width;
|
||||
use Illuminate\Contracts\View\View;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
|
||||
class ViewPolicyVersion extends ViewRecord
|
||||
{
|
||||
@ -16,6 +17,11 @@ class ViewPolicyVersion extends ViewRecord
|
||||
|
||||
protected Width|string|null $maxContentWidth = Width::Full;
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return PolicyVersionResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
|
||||
@ -4,6 +4,7 @@
|
||||
|
||||
use App\Contracts\Hardening\WriteGateInterface;
|
||||
use App\Exceptions\Hardening\ProviderAccessHardeningRequired;
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Resources\RestoreRunResource\Pages;
|
||||
use App\Jobs\BulkRestoreRunDeleteJob;
|
||||
@ -66,6 +67,7 @@
|
||||
|
||||
class RestoreRunResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
|
||||
protected static ?string $model = RestoreRun::class;
|
||||
@ -242,18 +244,44 @@ public static function makeCreateAction(): Actions\CreateAction
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
$tenantId = static::resolveTenantContextForCurrentPanel()?->getKey();
|
||||
return static::scopeTenantOwnedQuery(parent::getEloquentQuery())
|
||||
->with('backupSet');
|
||||
}
|
||||
|
||||
return parent::getEloquentQuery()
|
||||
->with('backupSet')
|
||||
->when(
|
||||
$tenantId !== null,
|
||||
fn (Builder $query): Builder => $query->where('tenant_id', (int) $tenantId),
|
||||
)
|
||||
->when(
|
||||
$tenantId === null,
|
||||
fn (Builder $query): Builder => $query->whereRaw('1 = 0'),
|
||||
);
|
||||
public static function resolveScopedRecordOrFail(int|string $key): Model
|
||||
{
|
||||
return static::resolveTenantOwnedRecordOrFail(
|
||||
$key,
|
||||
parent::getEloquentQuery()->withTrashed()->with('backupSet'),
|
||||
);
|
||||
}
|
||||
|
||||
protected static function resolveProtectedRestoreRunRecordOrFail(RestoreRun|int|string $record): RestoreRun
|
||||
{
|
||||
$resolvedRecord = static::resolveScopedRecordOrFail($record instanceof Model ? $record->getKey() : $record);
|
||||
|
||||
if (! $resolvedRecord instanceof RestoreRun) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
return $resolvedRecord;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, int>
|
||||
*/
|
||||
protected static function resolveProtectedRestoreRunIds(Collection $records): array
|
||||
{
|
||||
return $records
|
||||
->map(function (mixed $record): int {
|
||||
$resolvedRecord = static::resolveProtectedRestoreRunRecordOrFail($record instanceof RestoreRun ? $record : (is_numeric($record) ? (int) $record : 0));
|
||||
|
||||
return (int) $resolvedRecord->getKey();
|
||||
})
|
||||
->filter(fn (int $value): bool => $value > 0)
|
||||
->unique()
|
||||
->values()
|
||||
->all();
|
||||
}
|
||||
|
||||
/**
|
||||
@ -846,6 +874,8 @@ public static function table(Table $table): Table
|
||||
->requiresConfirmation()
|
||||
->visible(fn (RestoreRun $record): bool => $record->trashed())
|
||||
->action(function (RestoreRun $record, \App\Services\Intune\AuditLogger $auditLogger) {
|
||||
$record = static::resolveProtectedRestoreRunRecordOrFail($record);
|
||||
|
||||
$record->restore();
|
||||
|
||||
if ($record->tenant) {
|
||||
@ -877,6 +907,8 @@ public static function table(Table $table): Table
|
||||
->requiresConfirmation()
|
||||
->visible(fn (RestoreRun $record): bool => ! $record->trashed())
|
||||
->action(function (RestoreRun $record, \App\Services\Intune\AuditLogger $auditLogger) {
|
||||
$record = static::resolveProtectedRestoreRunRecordOrFail($record);
|
||||
|
||||
if (! $record->isDeletable()) {
|
||||
Notification::make()
|
||||
->title('Restore run cannot be archived')
|
||||
@ -918,6 +950,8 @@ public static function table(Table $table): Table
|
||||
->requiresConfirmation()
|
||||
->visible(fn (RestoreRun $record): bool => $record->trashed())
|
||||
->action(function (RestoreRun $record, \App\Services\Intune\AuditLogger $auditLogger) {
|
||||
$record = static::resolveProtectedRestoreRunRecordOrFail($record);
|
||||
|
||||
if ($record->tenant) {
|
||||
$auditLogger->log(
|
||||
tenant: $record->tenant,
|
||||
@ -978,7 +1012,7 @@ public static function table(Table $table): Table
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
$count = $records->count();
|
||||
$ids = $records->pluck('id')->toArray();
|
||||
$ids = static::resolveProtectedRestoreRunIds($records);
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return;
|
||||
@ -1048,7 +1082,7 @@ public static function table(Table $table): Table
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
$count = $records->count();
|
||||
$ids = $records->pluck('id')->toArray();
|
||||
$ids = static::resolveProtectedRestoreRunIds($records);
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return;
|
||||
@ -1138,7 +1172,7 @@ public static function table(Table $table): Table
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
$count = $records->count();
|
||||
$ids = $records->pluck('id')->toArray();
|
||||
$ids = static::resolveProtectedRestoreRunIds($records);
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return;
|
||||
@ -1694,6 +1728,8 @@ public static function createRestoreRun(array $data): RestoreRun
|
||||
'restore_run_id' => (int) $restoreRun->getKey(),
|
||||
'backup_set_id' => (int) $backupSet->getKey(),
|
||||
'is_dry_run' => (bool) ($restoreRun->is_dry_run ?? false),
|
||||
'execution_authority_mode' => 'actor_bound',
|
||||
'required_capability' => Capabilities::TENANT_MANAGE,
|
||||
],
|
||||
initiator: $initiator,
|
||||
);
|
||||
@ -1925,6 +1961,7 @@ private static function rerunActionWithGate(): Actions\Action|BulkAction
|
||||
\App\Services\Intune\AuditLogger $auditLogger,
|
||||
HasTable $livewire
|
||||
) {
|
||||
$record = static::resolveProtectedRestoreRunRecordOrFail($record);
|
||||
$tenant = $record->tenant;
|
||||
$backupSet = $record->backupSet;
|
||||
|
||||
@ -2092,6 +2129,8 @@ private static function rerunActionWithGate(): Actions\Action|BulkAction
|
||||
'restore_run_id' => (int) $newRun->getKey(),
|
||||
'backup_set_id' => (int) $backupSet->getKey(),
|
||||
'is_dry_run' => (bool) ($newRun->is_dry_run ?? false),
|
||||
'execution_authority_mode' => 'actor_bound',
|
||||
'required_capability' => Capabilities::TENANT_MANAGE,
|
||||
],
|
||||
initiator: $initiator,
|
||||
);
|
||||
|
||||
@ -3,12 +3,42 @@
|
||||
namespace App\Filament\Resources\RestoreRunResource\Pages;
|
||||
|
||||
use App\Filament\Resources\RestoreRunResource;
|
||||
use App\Support\Filament\CanonicalAdminTenantFilterState;
|
||||
use Filament\Resources\Pages\ListRecords;
|
||||
use Illuminate\Database\Eloquent\ModelNotFoundException;
|
||||
|
||||
class ListRestoreRuns extends ListRecords
|
||||
{
|
||||
protected static string $resource = RestoreRunResource::class;
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $arguments
|
||||
* @param array<string, mixed> $context
|
||||
*/
|
||||
public function mountAction(string $name, array $arguments = [], array $context = []): mixed
|
||||
{
|
||||
if (($context['table'] ?? false) === true && filled($context['recordKey'] ?? null) && in_array($name, ['archive', 'forceDelete', 'rerun'], true)) {
|
||||
try {
|
||||
RestoreRunResource::resolveScopedRecordOrFail($context['recordKey']);
|
||||
} catch (ModelNotFoundException) {
|
||||
abort(404);
|
||||
}
|
||||
}
|
||||
|
||||
return parent::mountAction($name, $arguments, $context);
|
||||
}
|
||||
|
||||
public function mount(): void
|
||||
{
|
||||
app(CanonicalAdminTenantFilterState::class)->sync(
|
||||
$this->getTableFiltersSessionKey(),
|
||||
request: request(),
|
||||
tenantFilterName: null,
|
||||
);
|
||||
|
||||
parent::mount();
|
||||
}
|
||||
|
||||
private function tableHasRecords(): bool
|
||||
{
|
||||
return $this->getTableRecords()->count() > 0;
|
||||
|
||||
@ -4,8 +4,14 @@
|
||||
|
||||
use App\Filament\Resources\RestoreRunResource;
|
||||
use Filament\Resources\Pages\ViewRecord;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
|
||||
class ViewRestoreRun extends ViewRecord
|
||||
{
|
||||
protected static string $resource = RestoreRunResource::class;
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return RestoreRunResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
}
|
||||
|
||||
@ -2,6 +2,8 @@
|
||||
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Exceptions\ReviewPackEvidenceResolutionException;
|
||||
use App\Filament\Resources\EvidenceSnapshotResource as TenantEvidenceSnapshotResource;
|
||||
use App\Filament\Resources\ReviewPackResource\Pages;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\Tenant;
|
||||
@ -164,6 +166,21 @@ public static function infolist(Schema $schema): Schema
|
||||
Section::make('Metadata')
|
||||
->schema([
|
||||
TextEntry::make('initiator.name')->label('Initiated by')->placeholder('—'),
|
||||
TextEntry::make('tenantReview.id')
|
||||
->label('Tenant review')
|
||||
->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
|
||||
->url(fn (ReviewPack $record): ?string => $record->tenantReview && $record->tenant
|
||||
? TenantReviewResource::tenantScopedUrl('view', ['record' => $record->tenantReview], $record->tenant)
|
||||
: null)
|
||||
->placeholder('—'),
|
||||
TextEntry::make('summary.review_status')
|
||||
->label('Review status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantReviewStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus))
|
||||
->placeholder('—'),
|
||||
TextEntry::make('operationRun.id')
|
||||
->label('Operation run')
|
||||
->url(fn (ReviewPack $record): ?string => $record->operation_run_id
|
||||
@ -177,6 +194,33 @@ public static function infolist(Schema $schema): Schema
|
||||
])
|
||||
->columns(2)
|
||||
->columnSpanFull(),
|
||||
|
||||
Section::make('Evidence snapshot')
|
||||
->schema([
|
||||
TextEntry::make('summary.evidence_resolution.outcome')
|
||||
->label('Resolution')
|
||||
->placeholder('—'),
|
||||
TextEntry::make('evidenceSnapshot.id')
|
||||
->label('Snapshot')
|
||||
->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
|
||||
->url(fn (ReviewPack $record): ?string => $record->evidenceSnapshot
|
||||
? TenantEvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant)
|
||||
: null),
|
||||
TextEntry::make('evidenceSnapshot.completeness_state')
|
||||
->label('Snapshot completeness')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::EvidenceCompleteness))
|
||||
->color(BadgeRenderer::color(BadgeDomain::EvidenceCompleteness))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::EvidenceCompleteness))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::EvidenceCompleteness))
|
||||
->placeholder('—'),
|
||||
TextEntry::make('summary.evidence_resolution.snapshot_fingerprint')
|
||||
->label('Snapshot fingerprint')
|
||||
->copyable()
|
||||
->placeholder('—'),
|
||||
])
|
||||
->columns(2)
|
||||
->columnSpanFull(),
|
||||
]);
|
||||
}
|
||||
|
||||
@ -201,6 +245,10 @@ public static function table(Table $table): Table
|
||||
->dateTime()
|
||||
->sortable()
|
||||
->placeholder('—'),
|
||||
Tables\Columns\TextColumn::make('tenantReview.id')
|
||||
->label('Review')
|
||||
->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
|
||||
->toggleable(isToggledHiddenByDefault: true),
|
||||
Tables\Columns\TextColumn::make('expires_at')
|
||||
->dateTime()
|
||||
->sortable()
|
||||
@ -331,7 +379,23 @@ public static function executeGeneration(array $data): void
|
||||
'include_operations' => (bool) ($data['include_operations'] ?? true),
|
||||
];
|
||||
|
||||
$reviewPack = $service->generate($tenant, $user, $options);
|
||||
try {
|
||||
$reviewPack = $service->generate($tenant, $user, $options);
|
||||
} catch (ReviewPackEvidenceResolutionException $exception) {
|
||||
$reasons = $exception->result->reasons;
|
||||
|
||||
Notification::make()
|
||||
->danger()
|
||||
->title(match ($exception->result->outcome) {
|
||||
'missing_snapshot' => 'Create snapshot required',
|
||||
'snapshot_ineligible' => 'Snapshot is not eligible',
|
||||
default => 'Unable to generate review pack',
|
||||
})
|
||||
->body($reasons === [] ? $exception->getMessage() : implode(' ', $reasons))
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
if (! $reviewPack->wasRecentlyCreated) {
|
||||
Notification::make()
|
||||
|
||||
@ -41,6 +41,10 @@
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use App\Support\Tenants\TenantActionDescriptor;
|
||||
use App\Support\Tenants\TenantActionSurface;
|
||||
use App\Support\Tenants\TenantInteractionLane;
|
||||
use App\Support\Tenants\TenantLifecyclePresentation;
|
||||
use App\Support\Tenants\TenantOperabilityOutcome;
|
||||
use App\Support\Tenants\TenantOperabilityQuestion;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
||||
@ -223,7 +227,11 @@ public static function getEloquentQuery(): Builder
|
||||
|
||||
public static function getGlobalSearchEloquentQuery(): Builder
|
||||
{
|
||||
return static::tenantOperability()->applySelectableScope(
|
||||
if (app(WorkspaceContext::class)->currentWorkspaceId(request()) === null) {
|
||||
return static::getEloquentQuery()->whereRaw('1 = 0');
|
||||
}
|
||||
|
||||
return static::tenantOperability()->applyAdministrativeDiscoverabilityScope(
|
||||
static::getEloquentQuery(),
|
||||
(new Tenant)->getTable(),
|
||||
);
|
||||
@ -264,20 +272,23 @@ public static function table(Table $table): Table
|
||||
->toggleable(isToggledHiddenByDefault: true),
|
||||
Tables\Columns\IconColumn::make('is_current')
|
||||
->label('Current')
|
||||
->boolean(),
|
||||
->boolean()
|
||||
->toggleable(isToggledHiddenByDefault: true),
|
||||
Tables\Columns\TextColumn::make('status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantStatus))
|
||||
->description(fn (Tenant $record): string => static::tenantLifecyclePresentation($record)->shortDescription)
|
||||
->sortable(),
|
||||
Tables\Columns\TextColumn::make('app_status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantAppStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantAppStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantAppStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantAppStatus)),
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantAppStatus))
|
||||
->toggleable(isToggledHiddenByDefault: true),
|
||||
Tables\Columns\TextColumn::make('created_at')
|
||||
->dateTime()
|
||||
->since()
|
||||
@ -505,7 +516,7 @@ public static function table(Table $table): Table
|
||||
->icon('heroicon-o-check-badge')
|
||||
->color('primary')
|
||||
->requiresConfirmation()
|
||||
->visible(fn (Tenant $record): bool => $record->isActive())
|
||||
->visible(fn (Tenant $record): bool => static::verificationActionVisible($record))
|
||||
->action(function (
|
||||
Tenant $record,
|
||||
StartVerification $verification,
|
||||
@ -826,6 +837,10 @@ public static function infolist(Schema $schema): Schema
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantStatus)),
|
||||
Infolists\Components\TextEntry::make('lifecycle_summary')
|
||||
->label('Lifecycle summary')
|
||||
->state(fn (Tenant $record): string => static::tenantLifecyclePresentation($record)->longDescription)
|
||||
->columnSpanFull(),
|
||||
Infolists\Components\TextEntry::make('app_status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantAppStatus))
|
||||
@ -1001,6 +1016,11 @@ protected static function storedPermissionSnapshot(Tenant $tenant): array
|
||||
return $snapshot;
|
||||
}
|
||||
|
||||
protected static function tenantLifecyclePresentation(Tenant $tenant): TenantLifecyclePresentation
|
||||
{
|
||||
return TenantLifecyclePresentation::fromTenant($tenant);
|
||||
}
|
||||
|
||||
public static function tenantOperability(): TenantOperabilityService
|
||||
{
|
||||
return app(TenantOperabilityService::class);
|
||||
@ -1064,6 +1084,26 @@ public static function relatedOnboardingDraftUrl(Tenant $tenant): ?string
|
||||
return route('admin.onboarding.draft', ['onboardingDraft' => (int) $draft->getKey()]);
|
||||
}
|
||||
|
||||
public static function verificationActionVisible(Tenant $tenant): bool
|
||||
{
|
||||
$outcome = static::verificationReadinessOutcome($tenant);
|
||||
|
||||
return $outcome->allowed || $outcome->isDeniedForCapability();
|
||||
}
|
||||
|
||||
public static function verificationReadinessOutcome(Tenant $tenant): TenantOperabilityOutcome
|
||||
{
|
||||
$user = auth()->user();
|
||||
|
||||
return static::tenantOperability()->outcomeFor(
|
||||
tenant: $tenant,
|
||||
question: TenantOperabilityQuestion::VerificationReadinessEligibility,
|
||||
actor: $user instanceof User ? $user : null,
|
||||
workspaceId: app(WorkspaceContext::class)->currentWorkspaceId(request()),
|
||||
lane: TenantInteractionLane::AdministrativeManagement,
|
||||
);
|
||||
}
|
||||
|
||||
private static function tenantActionDescriptorForSurface(Tenant $tenant, TenantActionSurface $surface, string $key): ?TenantActionDescriptor
|
||||
{
|
||||
$descriptor = static::tenantActionCatalog($tenant, $surface)
|
||||
|
||||
@ -87,7 +87,7 @@ protected function getHeaderActions(): array
|
||||
->icon('heroicon-o-check-badge')
|
||||
->color('primary')
|
||||
->requiresConfirmation()
|
||||
->visible(fn (Tenant $record): bool => $record->isActive())
|
||||
->visible(fn (Tenant $record): bool => TenantResource::verificationActionVisible($record))
|
||||
->action(function (
|
||||
Tenant $record,
|
||||
StartVerification $verification,
|
||||
|
||||
562
app/Filament/Resources/TenantReviewResource.php
Normal file
562
app/Filament/Resources/TenantReviewResource.php
Normal file
@ -0,0 +1,562 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Resources;
|
||||
|
||||
use App\Filament\Concerns\InteractsWithTenantOwnedRecords;
|
||||
use App\Filament\Concerns\ResolvesPanelTenantContext;
|
||||
use App\Filament\Resources\TenantReviewResource\Pages;
|
||||
use App\Models\EvidenceSnapshot;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantReview;
|
||||
use App\Models\TenantReviewSection;
|
||||
use App\Models\User;
|
||||
use App\Services\ReviewPackService;
|
||||
use App\Services\TenantReviews\TenantReviewService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
use App\Support\OperationRunLinks;
|
||||
use App\Support\OperationRunType;
|
||||
use App\Support\OpsUx\OperationUxPresenter;
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use App\Support\TenantReviewStatus;
|
||||
use App\Support\Ui\ActionSurface\ActionSurfaceDeclaration;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceInspectAffordance;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceProfile;
|
||||
use App\Support\Ui\ActionSurface\Enums\ActionSurfaceSlot;
|
||||
use BackedEnum;
|
||||
use Filament\Actions;
|
||||
use Filament\Facades\Filament;
|
||||
use Filament\Forms\Components\Select;
|
||||
use Filament\Infolists\Components\RepeatableEntry;
|
||||
use Filament\Infolists\Components\TextEntry;
|
||||
use Filament\Infolists\Components\ViewEntry;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Resources\Resource;
|
||||
use Filament\Schemas\Components\Section;
|
||||
use Filament\Schemas\Schema;
|
||||
use Filament\Support\Enums\TextSize;
|
||||
use Filament\Tables;
|
||||
use Filament\Tables\Table;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Support\Str;
|
||||
use UnitEnum;
|
||||
|
||||
class TenantReviewResource extends Resource
|
||||
{
|
||||
use InteractsWithTenantOwnedRecords;
|
||||
use ResolvesPanelTenantContext;
|
||||
|
||||
protected static bool $isDiscovered = false;
|
||||
|
||||
protected static ?string $model = TenantReview::class;
|
||||
|
||||
protected static ?string $slug = 'reviews';
|
||||
|
||||
protected static ?string $tenantOwnershipRelationshipName = 'tenant';
|
||||
|
||||
protected static bool $isGloballySearchable = false;
|
||||
|
||||
protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-document-magnifying-glass';
|
||||
|
||||
protected static string|UnitEnum|null $navigationGroup = 'Reporting';
|
||||
|
||||
protected static ?string $navigationLabel = 'Reviews';
|
||||
|
||||
protected static ?int $navigationSort = 45;
|
||||
|
||||
public static function shouldRegisterNavigation(): bool
|
||||
{
|
||||
return Filament::getCurrentPanel()?->getId() === 'tenant';
|
||||
}
|
||||
|
||||
public static function canViewAny(): bool
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $user->can(Capabilities::TENANT_REVIEW_VIEW, $tenant);
|
||||
}
|
||||
|
||||
public static function canView(Model $record): bool
|
||||
{
|
||||
$tenant = static::resolveTenantContextForCurrentPanel();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User || ! $record instanceof TenantReview) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ((int) $record->tenant_id !== (int) $tenant->getKey()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return $user->can('view', $record);
|
||||
}
|
||||
|
||||
public static function actionSurfaceDeclaration(): ActionSurfaceDeclaration
|
||||
{
|
||||
return ActionSurfaceDeclaration::forResource(ActionSurfaceProfile::CrudListAndView)
|
||||
->satisfy(ActionSurfaceSlot::ListHeader, 'Create review is available from the review library header.')
|
||||
->satisfy(ActionSurfaceSlot::InspectAffordance, ActionSurfaceInspectAffordance::ClickableRow->value)
|
||||
->satisfy(ActionSurfaceSlot::ListEmptyState, 'Empty state includes exactly one Create first review CTA.')
|
||||
->exempt(ActionSurfaceSlot::ListBulkMoreGroup, 'Tenant reviews do not expose bulk actions in the first slice.')
|
||||
->exempt(ActionSurfaceSlot::ListRowMoreMenu, 'Primary row actions stay limited to View review and Export executive pack.')
|
||||
->satisfy(ActionSurfaceSlot::DetailHeader, 'Detail exposes Refresh review, Publish review, Export executive pack, Archive review, and Create next review as applicable.');
|
||||
}
|
||||
|
||||
public static function getEloquentQuery(): Builder
|
||||
{
|
||||
return static::getTenantOwnedEloquentQuery()
|
||||
->with(['tenant', 'evidenceSnapshot', 'operationRun', 'initiator', 'publisher', 'currentExportReviewPack', 'sections'])
|
||||
->latest('generated_at')
|
||||
->latest('id');
|
||||
}
|
||||
|
||||
public static function resolveScopedRecordOrFail(int|string|null $record): Model
|
||||
{
|
||||
return static::resolveTenantOwnedRecordOrFail($record);
|
||||
}
|
||||
|
||||
public static function form(Schema $schema): Schema
|
||||
{
|
||||
return $schema;
|
||||
}
|
||||
|
||||
public static function infolist(Schema $schema): Schema
|
||||
{
|
||||
return $schema->schema([
|
||||
Section::make('Review')
|
||||
->schema([
|
||||
TextEntry::make('status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantReviewStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus)),
|
||||
TextEntry::make('completeness_state')
|
||||
->label('Completeness')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness)),
|
||||
TextEntry::make('tenant.name')->label('Tenant'),
|
||||
TextEntry::make('generated_at')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('published_at')->dateTime()->placeholder('—'),
|
||||
TextEntry::make('evidenceSnapshot.id')
|
||||
->label('Evidence snapshot')
|
||||
->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
|
||||
->url(fn (TenantReview $record): ?string => $record->evidenceSnapshot
|
||||
? EvidenceSnapshotResource::getUrl('view', ['record' => $record->evidenceSnapshot], tenant: $record->tenant)
|
||||
: null),
|
||||
TextEntry::make('currentExportReviewPack.id')
|
||||
->label('Current export')
|
||||
->formatStateUsing(fn (?int $state): string => $state ? '#'.$state : '—')
|
||||
->url(fn (TenantReview $record): ?string => $record->currentExportReviewPack
|
||||
? ReviewPackResource::getUrl('view', ['record' => $record->currentExportReviewPack], tenant: $record->tenant)
|
||||
: null),
|
||||
TextEntry::make('fingerprint')
|
||||
->copyable()
|
||||
->placeholder('—')
|
||||
->columnSpanFull()
|
||||
->fontFamily('mono')
|
||||
->size(TextSize::ExtraSmall),
|
||||
])
|
||||
->columns(2)
|
||||
->columnSpanFull(),
|
||||
Section::make('Executive posture')
|
||||
->schema([
|
||||
ViewEntry::make('review_summary')
|
||||
->hiddenLabel()
|
||||
->view('filament.infolists.entries.tenant-review-summary')
|
||||
->state(fn (TenantReview $record): array => static::summaryPresentation($record))
|
||||
->columnSpanFull(),
|
||||
])
|
||||
->columnSpanFull(),
|
||||
Section::make('Sections')
|
||||
->schema([
|
||||
RepeatableEntry::make('sections')
|
||||
->hiddenLabel()
|
||||
->schema([
|
||||
TextEntry::make('title'),
|
||||
TextEntry::make('completeness_state')
|
||||
->label('Completeness')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness)),
|
||||
TextEntry::make('measured_at')->dateTime()->placeholder('—'),
|
||||
Section::make('Details')
|
||||
->schema([
|
||||
ViewEntry::make('section_payload')
|
||||
->hiddenLabel()
|
||||
->view('filament.infolists.entries.tenant-review-section')
|
||||
->state(fn (TenantReviewSection $record): array => static::sectionPresentation($record))
|
||||
->columnSpanFull(),
|
||||
])
|
||||
->collapsible()
|
||||
->collapsed()
|
||||
->columnSpanFull(),
|
||||
])
|
||||
->columns(3),
|
||||
])
|
||||
->columnSpanFull(),
|
||||
]);
|
||||
}
|
||||
|
||||
public static function table(Table $table): Table
|
||||
{
|
||||
return $table
|
||||
->defaultSort('generated_at', 'desc')
|
||||
->persistFiltersInSession()
|
||||
->persistSearchInSession()
|
||||
->persistSortInSession()
|
||||
->recordUrl(fn (TenantReview $record): string => static::tenantScopedUrl('view', ['record' => $record], $record->tenant))
|
||||
->columns([
|
||||
Tables\Columns\TextColumn::make('status')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewStatus))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantReviewStatus))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewStatus))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewStatus))
|
||||
->sortable(),
|
||||
Tables\Columns\TextColumn::make('completeness_state')
|
||||
->label('Completeness')
|
||||
->badge()
|
||||
->formatStateUsing(BadgeRenderer::label(BadgeDomain::TenantReviewCompleteness))
|
||||
->color(BadgeRenderer::color(BadgeDomain::TenantReviewCompleteness))
|
||||
->icon(BadgeRenderer::icon(BadgeDomain::TenantReviewCompleteness))
|
||||
->iconColor(BadgeRenderer::iconColor(BadgeDomain::TenantReviewCompleteness))
|
||||
->sortable(),
|
||||
Tables\Columns\TextColumn::make('generated_at')->dateTime()->placeholder('—')->sortable(),
|
||||
Tables\Columns\TextColumn::make('published_at')->dateTime()->placeholder('—')->sortable(),
|
||||
Tables\Columns\TextColumn::make('summary.finding_count')->label('Findings'),
|
||||
Tables\Columns\TextColumn::make('summary.section_state_counts.missing')->label('Missing'),
|
||||
Tables\Columns\IconColumn::make('summary.has_ready_export')
|
||||
->label('Export')
|
||||
->boolean(),
|
||||
Tables\Columns\TextColumn::make('fingerprint')
|
||||
->toggleable(isToggledHiddenByDefault: true)
|
||||
->searchable(),
|
||||
])
|
||||
->filters([
|
||||
Tables\Filters\SelectFilter::make('status')
|
||||
->options(collect(TenantReviewStatus::cases())
|
||||
->mapWithKeys(fn (TenantReviewStatus $status): array => [$status->value => Str::headline($status->value)])
|
||||
->all()),
|
||||
Tables\Filters\SelectFilter::make('completeness_state')
|
||||
->options([
|
||||
'complete' => 'Complete',
|
||||
'partial' => 'Partial',
|
||||
'missing' => 'Missing',
|
||||
'stale' => 'Stale',
|
||||
]),
|
||||
\App\Support\Filament\FilterPresets::dateRange('review_date', 'Review date', 'generated_at'),
|
||||
])
|
||||
->actions([
|
||||
Actions\Action::make('view_review')
|
||||
->label('View review')
|
||||
->url(fn (TenantReview $record): string => static::tenantScopedUrl('view', ['record' => $record], $record->tenant)),
|
||||
UiEnforcement::forTableAction(
|
||||
Actions\Action::make('export_executive_pack')
|
||||
->label('Export executive pack')
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
->visible(fn (TenantReview $record): bool => in_array($record->status, [
|
||||
TenantReviewStatus::Ready->value,
|
||||
TenantReviewStatus::Published->value,
|
||||
], true))
|
||||
->action(fn (TenantReview $record): mixed => static::executeExport($record)),
|
||||
fn (TenantReview $record): TenantReview => $record,
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->preserveVisibility()
|
||||
->apply(),
|
||||
])
|
||||
->bulkActions([])
|
||||
->emptyStateHeading('No tenant reviews yet')
|
||||
->emptyStateDescription('Create the first review from an anchored evidence snapshot to start the recurring review history for this tenant.')
|
||||
->emptyStateActions([
|
||||
static::makeCreateReviewAction(
|
||||
name: 'create_first_review',
|
||||
label: 'Create first review',
|
||||
icon: 'heroicon-o-plus',
|
||||
),
|
||||
]);
|
||||
}
|
||||
|
||||
public static function getPages(): array
|
||||
{
|
||||
return [
|
||||
'index' => Pages\ListTenantReviews::route('/'),
|
||||
'view' => Pages\ViewTenantReview::route('/{record}'),
|
||||
];
|
||||
}
|
||||
|
||||
public static function makeCreateReviewAction(
|
||||
string $name = 'create_review',
|
||||
string $label = 'Create review',
|
||||
string $icon = 'heroicon-o-plus',
|
||||
): Actions\Action {
|
||||
return UiEnforcement::forAction(
|
||||
Actions\Action::make($name)
|
||||
->label($label)
|
||||
->icon($icon)
|
||||
->form([
|
||||
Section::make('Evidence basis')
|
||||
->schema([
|
||||
Select::make('evidence_snapshot_id')
|
||||
->label('Evidence snapshot')
|
||||
->required()
|
||||
->options(fn (): array => static::evidenceSnapshotOptions())
|
||||
->searchable()
|
||||
->helperText('Choose the anchored evidence snapshot for this review.'),
|
||||
]),
|
||||
])
|
||||
->action(fn (array $data): mixed => static::executeCreateReview($data)),
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->apply();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
public static function executeCreateReview(array $data): void
|
||||
{
|
||||
$tenant = Filament::getTenant();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user instanceof User) {
|
||||
Notification::make()->danger()->title('Unable to create review — missing context.')->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! $user->can(Capabilities::TENANT_REVIEW_MANAGE, $tenant)) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
$snapshotId = $data['evidence_snapshot_id'] ?? null;
|
||||
$snapshot = is_numeric($snapshotId)
|
||||
? EvidenceSnapshot::query()
|
||||
->whereKey((int) $snapshotId)
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->first()
|
||||
: null;
|
||||
|
||||
if (! $snapshot instanceof EvidenceSnapshot) {
|
||||
Notification::make()->danger()->title('Select a valid evidence snapshot.')->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
$review = app(TenantReviewService::class)->create($tenant, $snapshot, $user);
|
||||
} catch (\Throwable $throwable) {
|
||||
Notification::make()->danger()->title('Unable to create review')->body($throwable->getMessage())->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
if (! $review->wasRecentlyCreated) {
|
||||
Notification::make()
|
||||
->success()
|
||||
->title('Review already available')
|
||||
->body('A matching mutable review already exists for this evidence basis.')
|
||||
->actions([
|
||||
Actions\Action::make('view_review')
|
||||
->label('View review')
|
||||
->url(static::tenantScopedUrl('view', ['record' => $review], $tenant)),
|
||||
])
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$toast = OperationUxPresenter::queuedToast(OperationRunType::TenantReviewCompose->value)
|
||||
->body('The review is being composed in the background.');
|
||||
|
||||
if ($review->operation_run_id) {
|
||||
$toast->actions([
|
||||
Actions\Action::make('view_run')
|
||||
->label('View run')
|
||||
->url(OperationRunLinks::tenantlessView((int) $review->operation_run_id)),
|
||||
]);
|
||||
}
|
||||
|
||||
$toast->send();
|
||||
}
|
||||
|
||||
public static function executeExport(TenantReview $review): void
|
||||
{
|
||||
$review->loadMissing(['tenant', 'currentExportReviewPack']);
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User || ! $review->tenant instanceof Tenant) {
|
||||
Notification::make()->danger()->title('Unable to export review — missing context.')->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($review->tenant)) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! $user->can('export', $review)) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
$service = app(ReviewPackService::class);
|
||||
|
||||
if ($service->checkActiveRunForReview($review)) {
|
||||
OperationUxPresenter::alreadyQueuedToast(OperationRunType::ReviewPackGenerate->value)
|
||||
->body('An executive pack export is already queued or running for this review.')
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
$pack = $service->generateFromReview($review, $user, [
|
||||
'include_pii' => true,
|
||||
'include_operations' => true,
|
||||
]);
|
||||
} catch (\Throwable $throwable) {
|
||||
Notification::make()->danger()->title('Unable to export executive pack')->body($throwable->getMessage())->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
if (! $pack->wasRecentlyCreated) {
|
||||
Notification::make()
|
||||
->success()
|
||||
->title('Executive pack already available')
|
||||
->body('A matching executive pack already exists for this review.')
|
||||
->actions([
|
||||
Actions\Action::make('view_pack')
|
||||
->label('View pack')
|
||||
->url(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $review->tenant)),
|
||||
])
|
||||
->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
OperationUxPresenter::queuedToast(OperationRunType::ReviewPackGenerate->value)
|
||||
->body('The executive pack is being generated in the background.')
|
||||
->send();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $parameters
|
||||
*/
|
||||
public static function tenantScopedUrl(
|
||||
string $page = 'index',
|
||||
array $parameters = [],
|
||||
?Tenant $tenant = null,
|
||||
?string $panel = null,
|
||||
): string {
|
||||
$panelId = $panel ?? 'tenant';
|
||||
|
||||
return static::getUrl($page, $parameters, panel: $panelId, tenant: $tenant);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
private static function evidenceSnapshotOptions(): array
|
||||
{
|
||||
$tenant = Filament::getTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return EvidenceSnapshot::query()
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->whereNotNull('generated_at')
|
||||
->orderByDesc('generated_at')
|
||||
->orderByDesc('id')
|
||||
->get()
|
||||
->mapWithKeys(static fn (EvidenceSnapshot $snapshot): array => [
|
||||
(string) $snapshot->getKey() => sprintf(
|
||||
'#%d · %s · %s',
|
||||
(int) $snapshot->getKey(),
|
||||
Str::headline((string) $snapshot->completeness_state),
|
||||
$snapshot->generated_at?->format('Y-m-d H:i') ?? 'Pending'
|
||||
),
|
||||
])
|
||||
->all();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
private static function summaryPresentation(TenantReview $record): array
|
||||
{
|
||||
$summary = is_array($record->summary) ? $record->summary : [];
|
||||
|
||||
return [
|
||||
'highlights' => is_array($summary['highlights'] ?? null) ? $summary['highlights'] : [],
|
||||
'next_actions' => is_array($summary['recommended_next_actions'] ?? null) ? $summary['recommended_next_actions'] : [],
|
||||
'publish_blockers' => is_array($summary['publish_blockers'] ?? null) ? $summary['publish_blockers'] : [],
|
||||
'metrics' => [
|
||||
['label' => 'Findings', 'value' => (string) ($summary['finding_count'] ?? 0)],
|
||||
['label' => 'Reports', 'value' => (string) ($summary['report_count'] ?? 0)],
|
||||
['label' => 'Operations', 'value' => (string) ($summary['operation_count'] ?? 0)],
|
||||
['label' => 'Sections', 'value' => (string) ($summary['section_count'] ?? 0)],
|
||||
],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, mixed>
|
||||
*/
|
||||
private static function sectionPresentation(TenantReviewSection $section): array
|
||||
{
|
||||
$summary = is_array($section->summary_payload) ? $section->summary_payload : [];
|
||||
$render = is_array($section->render_payload) ? $section->render_payload : [];
|
||||
$review = $section->tenantReview;
|
||||
$tenant = $section->tenant;
|
||||
|
||||
return [
|
||||
'summary' => collect($summary)->map(function (mixed $value, string $key): ?array {
|
||||
if (is_array($value) || $value === null || $value === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
return [
|
||||
'label' => Str::headline($key),
|
||||
'value' => (string) $value,
|
||||
];
|
||||
})->filter()->values()->all(),
|
||||
'highlights' => is_array($render['highlights'] ?? null) ? $render['highlights'] : [],
|
||||
'entries' => is_array($render['entries'] ?? null) ? $render['entries'] : [],
|
||||
'disclosure' => is_string($render['disclosure'] ?? null) ? $render['disclosure'] : null,
|
||||
'next_actions' => is_array($render['next_actions'] ?? null) ? $render['next_actions'] : [],
|
||||
'empty_state' => is_string($render['empty_state'] ?? null) ? $render['empty_state'] : null,
|
||||
'links' => [],
|
||||
];
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,20 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Resources\TenantReviewResource\Pages;
|
||||
|
||||
use App\Filament\Resources\TenantReviewResource;
|
||||
use Filament\Resources\Pages\ListRecords;
|
||||
|
||||
class ListTenantReviews extends ListRecords
|
||||
{
|
||||
protected static string $resource = TenantReviewResource::class;
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
TenantReviewResource::makeCreateReviewAction(),
|
||||
];
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,205 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Filament\Resources\TenantReviewResource\Pages;
|
||||
|
||||
use App\Filament\Resources\TenantReviewResource;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantReview;
|
||||
use App\Models\User;
|
||||
use App\Services\TenantReviews\TenantReviewLifecycleService;
|
||||
use App\Services\TenantReviews\TenantReviewService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\OperationRunLinks;
|
||||
use App\Support\Rbac\UiEnforcement;
|
||||
use App\Support\TenantReviewStatus;
|
||||
use Filament\Actions;
|
||||
use Filament\Notifications\Notification;
|
||||
use Filament\Resources\Pages\ViewRecord;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
|
||||
class ViewTenantReview extends ViewRecord
|
||||
{
|
||||
protected static string $resource = TenantReviewResource::class;
|
||||
|
||||
protected function resolveRecord(int|string $key): Model
|
||||
{
|
||||
return TenantReviewResource::resolveScopedRecordOrFail($key);
|
||||
}
|
||||
|
||||
protected function authorizeAccess(): void
|
||||
{
|
||||
$tenant = TenantReviewResource::panelTenantContext();
|
||||
$record = $this->getRecord();
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User || ! $tenant instanceof Tenant || ! $record instanceof TenantReview) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if ((int) $record->tenant_id !== (int) $tenant->getKey()) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! $user->can('view', $record)) {
|
||||
abort(403);
|
||||
}
|
||||
}
|
||||
|
||||
protected function getHeaderActions(): array
|
||||
{
|
||||
return [
|
||||
Actions\Action::make('view_run')
|
||||
->label('View run')
|
||||
->icon('heroicon-o-eye')
|
||||
->color('gray')
|
||||
->hidden(fn (): bool => ! is_numeric($this->record->operation_run_id))
|
||||
->url(fn (): ?string => $this->record->operation_run_id
|
||||
? OperationRunLinks::tenantlessView((int) $this->record->operation_run_id)
|
||||
: null),
|
||||
Actions\Action::make('view_export')
|
||||
->label('View executive pack')
|
||||
->icon('heroicon-o-document-arrow-down')
|
||||
->color('gray')
|
||||
->hidden(fn (): bool => ! $this->record->currentExportReviewPack)
|
||||
->url(fn (): ?string => $this->record->currentExportReviewPack
|
||||
? \App\Filament\Resources\ReviewPackResource::getUrl('view', ['record' => $this->record->currentExportReviewPack], tenant: $this->record->tenant)
|
||||
: null),
|
||||
Actions\Action::make('view_evidence')
|
||||
->label('View evidence snapshot')
|
||||
->icon('heroicon-o-shield-check')
|
||||
->color('gray')
|
||||
->hidden(fn (): bool => ! $this->record->evidenceSnapshot)
|
||||
->url(fn (): ?string => $this->record->evidenceSnapshot
|
||||
? \App\Filament\Resources\EvidenceSnapshotResource::getUrl('view', ['record' => $this->record->evidenceSnapshot], tenant: $this->record->tenant)
|
||||
: null),
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('refresh_review')
|
||||
->label('Refresh review')
|
||||
->icon('heroicon-o-arrow-path')
|
||||
->hidden(fn (): bool => ! $this->record->isMutable())
|
||||
->requiresConfirmation()
|
||||
->action(function (): void {
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
try {
|
||||
app(TenantReviewService::class)->refresh($this->record, $user);
|
||||
} catch (\Throwable $throwable) {
|
||||
Notification::make()->danger()->title('Unable to refresh review')->body($throwable->getMessage())->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
Notification::make()->success()->title('Refresh review queued')->send();
|
||||
}),
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->preserveVisibility()
|
||||
->apply(),
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('publish_review')
|
||||
->label('Publish review')
|
||||
->icon('heroicon-o-check-badge')
|
||||
->hidden(fn (): bool => ! $this->record->isMutable())
|
||||
->requiresConfirmation()
|
||||
->action(function (): void {
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
try {
|
||||
app(TenantReviewLifecycleService::class)->publish($this->record, $user);
|
||||
} catch (\Throwable $throwable) {
|
||||
Notification::make()->danger()->title('Unable to publish review')->body($throwable->getMessage())->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$this->refreshFormData(['status', 'published_at', 'published_by_user_id', 'summary']);
|
||||
Notification::make()->success()->title('Review published')->send();
|
||||
}),
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->preserveVisibility()
|
||||
->apply(),
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('export_executive_pack')
|
||||
->label('Export executive pack')
|
||||
->icon('heroicon-o-arrow-down-tray')
|
||||
->hidden(fn (): bool => ! in_array($this->record->status, [
|
||||
TenantReviewStatus::Ready->value,
|
||||
TenantReviewStatus::Published->value,
|
||||
], true))
|
||||
->action(fn (): mixed => TenantReviewResource::executeExport($this->record)),
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->preserveVisibility()
|
||||
->apply(),
|
||||
Actions\ActionGroup::make([
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('create_next_review')
|
||||
->label('Create next review')
|
||||
->icon('heroicon-o-document-duplicate')
|
||||
->hidden(fn (): bool => ! $this->record->isPublished())
|
||||
->action(function (): void {
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
try {
|
||||
$nextReview = app(TenantReviewLifecycleService::class)->createNextReview($this->record, $user);
|
||||
} catch (\Throwable $throwable) {
|
||||
Notification::make()->danger()->title('Unable to create next review')->body($throwable->getMessage())->send();
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$this->redirect(TenantReviewResource::tenantScopedUrl('view', ['record' => $nextReview], $nextReview->tenant));
|
||||
}),
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->preserveVisibility()
|
||||
->apply(),
|
||||
UiEnforcement::forAction(
|
||||
Actions\Action::make('archive_review')
|
||||
->label('Archive review')
|
||||
->icon('heroicon-o-archive-box')
|
||||
->color('danger')
|
||||
->hidden(fn (): bool => $this->record->statusEnum()->isTerminal())
|
||||
->requiresConfirmation()
|
||||
->action(function (): void {
|
||||
$user = auth()->user();
|
||||
|
||||
if (! $user instanceof User) {
|
||||
abort(403);
|
||||
}
|
||||
|
||||
app(TenantReviewLifecycleService::class)->archive($this->record, $user);
|
||||
$this->refreshFormData(['status', 'archived_at']);
|
||||
|
||||
Notification::make()->success()->title('Review archived')->send();
|
||||
}),
|
||||
)
|
||||
->requireCapability(Capabilities::TENANT_REVIEW_MANAGE)
|
||||
->preserveVisibility()
|
||||
->apply(),
|
||||
])
|
||||
->label('More')
|
||||
->icon('heroicon-m-ellipsis-vertical')
|
||||
->color('gray'),
|
||||
];
|
||||
}
|
||||
}
|
||||
@ -107,10 +107,7 @@ protected function getHeaderActions(): array
|
||||
->icon('heroicon-o-magnifying-glass')
|
||||
->form($this->findingsScopeForm())
|
||||
->action(function (array $data, FindingsLifecycleBackfillRunbookService $runbookService): void {
|
||||
$scope = FindingsLifecycleBackfillScope::fromArray([
|
||||
'mode' => $data['scope_mode'] ?? null,
|
||||
'tenant_id' => $data['tenant_id'] ?? null,
|
||||
]);
|
||||
$scope = $this->trustedFindingsScopeFromFormData($data, app(AllowedTenantUniverse::class));
|
||||
|
||||
$this->findingsScopeMode = $scope->mode;
|
||||
$this->findingsTenantId = $scope->tenantId;
|
||||
@ -142,9 +139,7 @@ protected function getHeaderActions(): array
|
||||
]);
|
||||
}
|
||||
|
||||
$scope = $this->findingsScopeMode === FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT
|
||||
? FindingsLifecycleBackfillScope::singleTenant((int) $this->findingsTenantId)
|
||||
: FindingsLifecycleBackfillScope::allTenants();
|
||||
$scope = $this->trustedFindingsScopeFromState(app(AllowedTenantUniverse::class));
|
||||
|
||||
$user = auth('platform')->user();
|
||||
|
||||
@ -286,4 +281,34 @@ private function lastRunForType(string $type): ?OperationRun
|
||||
->latest('id')
|
||||
->first();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param array<string, mixed> $data
|
||||
*/
|
||||
private function trustedFindingsScopeFromFormData(array $data, AllowedTenantUniverse $allowedTenantUniverse): FindingsLifecycleBackfillScope
|
||||
{
|
||||
$scope = FindingsLifecycleBackfillScope::fromArray([
|
||||
'mode' => $data['scope_mode'] ?? null,
|
||||
'tenant_id' => $data['tenant_id'] ?? null,
|
||||
]);
|
||||
|
||||
if (! $scope->isSingleTenant()) {
|
||||
return $scope;
|
||||
}
|
||||
|
||||
$tenant = $allowedTenantUniverse->resolveAllowedOrFail($scope->tenantId);
|
||||
|
||||
return FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey());
|
||||
}
|
||||
|
||||
private function trustedFindingsScopeFromState(AllowedTenantUniverse $allowedTenantUniverse): FindingsLifecycleBackfillScope
|
||||
{
|
||||
if ($this->findingsScopeMode !== FindingsLifecycleBackfillScope::MODE_SINGLE_TENANT) {
|
||||
return FindingsLifecycleBackfillScope::allTenants();
|
||||
}
|
||||
|
||||
$tenant = $allowedTenantUniverse->resolveAllowedOrFail($this->findingsTenantId);
|
||||
|
||||
return FindingsLifecycleBackfillScope::singleTenant((int) $tenant->getKey());
|
||||
}
|
||||
}
|
||||
|
||||
@ -6,7 +6,6 @@
|
||||
|
||||
use App\Filament\Resources\FindingResource;
|
||||
use App\Models\Finding;
|
||||
use App\Models\InventoryItem;
|
||||
use App\Models\Tenant;
|
||||
use App\Support\Badges\BadgeDomain;
|
||||
use App\Support\Badges\BadgeRenderer;
|
||||
@ -42,16 +41,7 @@ public function table(Table $table): Table
|
||||
->label('Subject')
|
||||
->placeholder('—')
|
||||
->limit(40)
|
||||
->formatStateUsing(function (?string $state, Finding $record): ?string {
|
||||
if (is_string($state) && trim($state) !== '') {
|
||||
return $state;
|
||||
}
|
||||
|
||||
$fallback = Arr::get($record->evidence_jsonb ?? [], 'display_name');
|
||||
$fallback = is_string($fallback) ? trim($fallback) : null;
|
||||
|
||||
return $fallback !== '' ? $fallback : null;
|
||||
})
|
||||
->state(fn (Finding $record): ?string => $record->resolvedSubjectDisplayName())
|
||||
->description(function (Finding $record): ?string {
|
||||
if (Arr::get($record->evidence_jsonb ?? [], 'summary.kind') !== 'rbac_role_definition') {
|
||||
return null;
|
||||
@ -59,17 +49,7 @@ public function table(Table $table): Table
|
||||
|
||||
return __('findings.drift.rbac_role_definition');
|
||||
})
|
||||
->tooltip(function (Finding $record): ?string {
|
||||
$displayName = $record->subject_display_name;
|
||||
|
||||
if (is_string($displayName) && trim($displayName) !== '') {
|
||||
return $displayName;
|
||||
}
|
||||
|
||||
$fallback = Arr::get($record->evidence_jsonb ?? [], 'display_name');
|
||||
|
||||
return is_string($fallback) && trim($fallback) !== '' ? trim($fallback) : null;
|
||||
}),
|
||||
->tooltip(fn (Finding $record): ?string => $record->resolvedSubjectDisplayName()),
|
||||
TextColumn::make('severity')
|
||||
->badge()
|
||||
->sortable()
|
||||
@ -106,13 +86,7 @@ private function getQuery(): Builder
|
||||
$tenantId = $tenant instanceof Tenant ? $tenant->getKey() : null;
|
||||
|
||||
return Finding::query()
|
||||
->addSelect([
|
||||
'subject_display_name' => InventoryItem::query()
|
||||
->select('display_name')
|
||||
->whereColumn('inventory_items.tenant_id', 'findings.tenant_id')
|
||||
->whereColumn('inventory_items.external_id', 'findings.subject_external_id')
|
||||
->limit(1),
|
||||
])
|
||||
->withSubjectDisplayName()
|
||||
->when($tenantId, fn (Builder $query) => $query->where('tenant_id', $tenantId))
|
||||
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
|
||||
->latest('created_at');
|
||||
|
||||
@ -5,6 +5,7 @@
|
||||
namespace App\Filament\Widgets\Tenant;
|
||||
|
||||
use App\Models\Tenant;
|
||||
use App\Support\Tenants\TenantLifecyclePresentation;
|
||||
use Filament\Facades\Filament;
|
||||
use Filament\Widgets\Widget;
|
||||
|
||||
@ -23,6 +24,7 @@ protected function getViewData(): array
|
||||
|
||||
return [
|
||||
'tenant' => $tenant instanceof Tenant ? $tenant : null,
|
||||
'presentation' => $tenant instanceof Tenant ? TenantLifecyclePresentation::fromTenant($tenant) : null,
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
@ -131,6 +131,7 @@ protected function getViewData(): array
|
||||
$canManage = $isTenantMember && $user->can(Capabilities::REVIEW_PACK_MANAGE, $tenant);
|
||||
|
||||
$latestPack = ReviewPack::query()
|
||||
->with('tenantReview')
|
||||
->where('tenant_id', (int) $tenant->getKey())
|
||||
->orderByDesc('created_at')
|
||||
->orderByDesc('id')
|
||||
@ -146,6 +147,7 @@ protected function getViewData(): array
|
||||
'canManage' => $canManage,
|
||||
'downloadUrl' => null,
|
||||
'failedReason' => null,
|
||||
'reviewUrl' => null,
|
||||
];
|
||||
}
|
||||
|
||||
@ -158,6 +160,11 @@ protected function getViewData(): array
|
||||
$downloadUrl = $service->generateDownloadUrl($latestPack);
|
||||
}
|
||||
|
||||
$reviewUrl = null;
|
||||
if ($latestPack->tenantReview && $canView) {
|
||||
$reviewUrl = \App\Filament\Resources\TenantReviewResource::tenantScopedUrl('view', ['record' => $latestPack->tenantReview], $tenant);
|
||||
}
|
||||
|
||||
$failedReason = null;
|
||||
if ($statusEnum === ReviewPackStatus::Failed && $latestPack->operationRun) {
|
||||
$opContext = is_array($latestPack->operationRun->context) ? $latestPack->operationRun->context : [];
|
||||
@ -173,6 +180,7 @@ protected function getViewData(): array
|
||||
'canManage' => $canManage,
|
||||
'downloadUrl' => $downloadUrl,
|
||||
'failedReason' => $failedReason,
|
||||
'reviewUrl' => $reviewUrl,
|
||||
];
|
||||
}
|
||||
|
||||
@ -200,6 +208,7 @@ private function emptyState(): array
|
||||
'canManage' => false,
|
||||
'downloadUrl' => null,
|
||||
'failedReason' => null,
|
||||
'reviewUrl' => null,
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
@ -4,6 +4,7 @@
|
||||
|
||||
namespace App\Http\Controllers;
|
||||
|
||||
use App\Support\Tenants\TenantPageCategory;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
@ -15,14 +16,31 @@ public function __invoke(Request $request): RedirectResponse
|
||||
{
|
||||
Filament::setTenant(null, true);
|
||||
|
||||
app(WorkspaceContext::class)->clearLastTenantId($request);
|
||||
$workspaceContext = app(WorkspaceContext::class);
|
||||
|
||||
$workspaceContext->clearRememberedTenantContext($request);
|
||||
|
||||
$previousUrl = url()->previous();
|
||||
|
||||
$previousHost = parse_url((string) $previousUrl, PHP_URL_HOST);
|
||||
$previousPath = (string) (parse_url((string) $previousUrl, PHP_URL_PATH) ?? '');
|
||||
|
||||
if ($previousHost !== null && $previousHost !== $request->getHost()) {
|
||||
return redirect()->to('/admin/operations');
|
||||
return redirect()->route('admin.operations.index');
|
||||
}
|
||||
|
||||
if (TenantPageCategory::fromPath($previousPath) === TenantPageCategory::TenantBound) {
|
||||
$workspace = $workspaceContext->currentWorkspace($request);
|
||||
|
||||
if ($workspace !== null) {
|
||||
return redirect()->route('admin.workspace.managed-tenants.index', ['workspace' => $workspace]);
|
||||
}
|
||||
|
||||
return redirect()->route('admin.home');
|
||||
}
|
||||
|
||||
if ($previousPath === '' || $previousPath === '/admin/clear-tenant-context') {
|
||||
return redirect()->route('admin.operations.index');
|
||||
}
|
||||
|
||||
return redirect()->to((string) $previousUrl);
|
||||
|
||||
@ -9,6 +9,8 @@
|
||||
use App\Models\User;
|
||||
use App\Models\UserTenantPreference;
|
||||
use App\Services\Tenants\TenantOperabilityService;
|
||||
use App\Support\Tenants\TenantInteractionLane;
|
||||
use App\Support\Tenants\TenantOperabilityQuestion;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\Request;
|
||||
@ -47,13 +49,23 @@ public function __invoke(Request $request): RedirectResponse
|
||||
abort(404);
|
||||
}
|
||||
|
||||
if (! app(TenantOperabilityService::class)->canSelectAsContext($tenant)) {
|
||||
$outcome = app(TenantOperabilityService::class)->outcomeFor(
|
||||
tenant: $tenant,
|
||||
question: TenantOperabilityQuestion::SelectorEligibility,
|
||||
actor: $user,
|
||||
workspaceId: $workspaceId,
|
||||
lane: TenantInteractionLane::StandardActiveOperating,
|
||||
);
|
||||
|
||||
if (! $outcome->allowed) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
$this->persistLastTenant($user, $tenant);
|
||||
|
||||
app(WorkspaceContext::class)->rememberTenantContext($tenant, $request);
|
||||
if (! app(WorkspaceContext::class)->rememberTenantContext($tenant, $request)) {
|
||||
abort(404);
|
||||
}
|
||||
|
||||
return redirect()->to(TenantDashboard::getUrl(panel: 'tenant', tenant: $tenant));
|
||||
}
|
||||
|
||||
@ -11,6 +11,7 @@
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use App\Support\Workspaces\WorkspaceIntendedUrl;
|
||||
use App\Support\Workspaces\WorkspaceRedirectResolver;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Http\RedirectResponse;
|
||||
use Illuminate\Http\Request;
|
||||
|
||||
@ -47,6 +48,8 @@ public function __invoke(Request $request): RedirectResponse
|
||||
$prevWorkspaceId = $context->currentWorkspaceId($request);
|
||||
|
||||
$context->setCurrentWorkspace($workspace, $user, $request);
|
||||
$context->rememberedTenant($request);
|
||||
Filament::setTenant(null, true);
|
||||
|
||||
/** @var WorkspaceAuditLogger $auditLogger */
|
||||
$auditLogger = app(WorkspaceAuditLogger::class);
|
||||
|
||||
@ -177,7 +177,7 @@ private function isWorkspaceOptionalPath(Request $request, string $path): bool
|
||||
return true;
|
||||
}
|
||||
|
||||
if ($path === '/livewire/update') {
|
||||
if ($this->isLivewireUpdatePath($path)) {
|
||||
$refererPath = parse_url((string) $request->headers->get('referer', ''), PHP_URL_PATH) ?? '';
|
||||
$refererPath = '/'.ltrim((string) $refererPath, '/');
|
||||
|
||||
@ -193,6 +193,11 @@ private function isWorkspaceOptionalPath(Request $request, string $path): bool
|
||||
return preg_match('#^/admin/operations/[^/]+$#', $path) === 1;
|
||||
}
|
||||
|
||||
private function isLivewireUpdatePath(string $path): bool
|
||||
{
|
||||
return preg_match('#^/livewire(?:-[^/]+)?/update$#', $path) === 1;
|
||||
}
|
||||
|
||||
private function isChooserFirstPath(string $path): bool
|
||||
{
|
||||
return in_array($path, ['/admin', '/admin/choose-tenant'], true);
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Jobs\Operations\PolicyBulkDeleteWorkerJob;
|
||||
use App\Models\OperationRun;
|
||||
use App\Services\OperationRunService;
|
||||
@ -32,6 +33,11 @@ public function __construct(
|
||||
$this->operationRun = $operationRun;
|
||||
}
|
||||
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new EnsureQueuedExecutionLegitimate];
|
||||
}
|
||||
|
||||
public function handle(OperationRunService $runs): void
|
||||
{
|
||||
if (! $this->operationRun instanceof OperationRun) {
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Jobs\Operations\TenantSyncWorkerJob;
|
||||
use App\Models\OperationRun;
|
||||
use App\Services\OperationRunService;
|
||||
@ -32,6 +33,11 @@ public function __construct(
|
||||
$this->operationRun = $operationRun;
|
||||
}
|
||||
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new EnsureQueuedExecutionLegitimate];
|
||||
}
|
||||
|
||||
public function handle(OperationRunService $runs): void
|
||||
{
|
||||
if (! $this->operationRun instanceof OperationRun) {
|
||||
|
||||
@ -29,6 +29,7 @@
|
||||
use App\Services\Drift\Normalizers\ScopeTagsNormalizer;
|
||||
use App\Services\Drift\Normalizers\SettingsNormalizer;
|
||||
use App\Services\Findings\FindingSlaPolicy;
|
||||
use App\Services\Findings\FindingWorkflowService;
|
||||
use App\Services\Intune\AuditLogger;
|
||||
use App\Services\Intune\IntuneRoleDefinitionNormalizer;
|
||||
use App\Services\OperationRunService;
|
||||
@ -2130,20 +2131,14 @@ private function upsertFindings(
|
||||
: null;
|
||||
|
||||
if ($resolvedAt === null || $observedAt->greaterThan($resolvedAt)) {
|
||||
$severity = (string) $driftItem['severity'];
|
||||
$slaDays = $slaPolicy->daysForSeverity($severity, $tenant);
|
||||
$finding->save();
|
||||
|
||||
$finding->forceFill([
|
||||
'status' => Finding::STATUS_REOPENED,
|
||||
'reopened_at' => $observedAt,
|
||||
'resolved_at' => null,
|
||||
'resolved_reason' => null,
|
||||
'closed_at' => null,
|
||||
'closed_reason' => null,
|
||||
'closed_by_user_id' => null,
|
||||
'sla_days' => $slaDays,
|
||||
'due_at' => $slaPolicy->dueAtForSeverity($severity, $tenant, $observedAt),
|
||||
]);
|
||||
app(FindingWorkflowService::class)->reopenBySystem(
|
||||
finding: $finding,
|
||||
tenant: $tenant,
|
||||
reopenedAt: $observedAt,
|
||||
operationRunId: (int) $this->operationRun->getKey(),
|
||||
);
|
||||
|
||||
$reopenedCount++;
|
||||
} else {
|
||||
|
||||
79
app/Jobs/ComposeTenantReviewJob.php
Normal file
79
app/Jobs/ComposeTenantReviewJob.php
Normal file
@ -0,0 +1,79 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\TenantReview;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Services\TenantReviews\TenantReviewService;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\TenantReviewStatus;
|
||||
use Illuminate\Contracts\Queue\ShouldQueue;
|
||||
use Illuminate\Foundation\Queue\Queueable;
|
||||
use Throwable;
|
||||
|
||||
class ComposeTenantReviewJob implements ShouldQueue
|
||||
{
|
||||
use Queueable;
|
||||
|
||||
public function __construct(
|
||||
public int $tenantReviewId,
|
||||
public int $operationRunId,
|
||||
) {}
|
||||
|
||||
public function handle(TenantReviewService $service, OperationRunService $operationRuns): void
|
||||
{
|
||||
$review = TenantReview::query()->with(['tenant', 'evidenceSnapshot.items'])->find($this->tenantReviewId);
|
||||
$operationRun = OperationRun::query()->find($this->operationRunId);
|
||||
|
||||
if (! $review instanceof TenantReview || ! $operationRun instanceof OperationRun || ! $review->tenant) {
|
||||
return;
|
||||
}
|
||||
|
||||
$operationRuns->updateRun($operationRun, OperationRunStatus::Running->value, OperationRunOutcome::Pending->value);
|
||||
$review->update(['status' => TenantReviewStatus::Draft->value]);
|
||||
|
||||
try {
|
||||
$review = $service->compose($review);
|
||||
|
||||
$summary = is_array($review->summary) ? $review->summary : [];
|
||||
|
||||
$operationRuns->updateRun(
|
||||
$operationRun,
|
||||
status: OperationRunStatus::Completed->value,
|
||||
outcome: OperationRunOutcome::Succeeded->value,
|
||||
summaryCounts: [
|
||||
'created' => 1,
|
||||
'finding_count' => (int) ($summary['finding_count'] ?? 0),
|
||||
'report_count' => (int) ($summary['report_count'] ?? 0),
|
||||
'operation_count' => (int) ($summary['operation_count'] ?? 0),
|
||||
'errors_recorded' => 0,
|
||||
],
|
||||
);
|
||||
} catch (Throwable $throwable) {
|
||||
$review->update([
|
||||
'status' => TenantReviewStatus::Failed->value,
|
||||
'summary' => array_merge(is_array($review->summary) ? $review->summary : [], [
|
||||
'error' => $throwable->getMessage(),
|
||||
]),
|
||||
]);
|
||||
|
||||
$operationRuns->updateRun(
|
||||
$operationRun,
|
||||
status: OperationRunStatus::Completed->value,
|
||||
outcome: OperationRunOutcome::Failed->value,
|
||||
failures: [
|
||||
[
|
||||
'code' => 'tenant_review_compose.failed',
|
||||
'message' => $throwable->getMessage(),
|
||||
],
|
||||
],
|
||||
);
|
||||
|
||||
throw $throwable;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -4,6 +4,8 @@
|
||||
|
||||
use App\Contracts\Hardening\WriteGateInterface;
|
||||
use App\Exceptions\Hardening\ProviderAccessHardeningRequired;
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Jobs\Middleware\TrackOperationRun;
|
||||
use App\Listeners\SyncRestoreRunToOperationRun;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\RestoreRun;
|
||||
@ -34,6 +36,14 @@ public function __construct(
|
||||
$this->operationRun = $operationRun;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, object>
|
||||
*/
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new EnsureQueuedExecutionLegitimate, new TrackOperationRun];
|
||||
}
|
||||
|
||||
public function handle(RestoreService $restoreService, AuditLogger $auditLogger): void
|
||||
{
|
||||
if (! $this->operationRun) {
|
||||
|
||||
118
app/Jobs/GenerateEvidenceSnapshotJob.php
Normal file
118
app/Jobs/GenerateEvidenceSnapshotJob.php
Normal file
@ -0,0 +1,118 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Models\EvidenceSnapshot;
|
||||
use App\Models\OperationRun;
|
||||
use App\Services\Evidence\EvidenceSnapshotService;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Support\Evidence\EvidenceSnapshotStatus;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use Illuminate\Contracts\Queue\ShouldQueue;
|
||||
use Illuminate\Foundation\Queue\Queueable;
|
||||
use Throwable;
|
||||
|
||||
class GenerateEvidenceSnapshotJob implements ShouldQueue
|
||||
{
|
||||
use Queueable;
|
||||
|
||||
public function __construct(
|
||||
public int $snapshotId,
|
||||
public int $operationRunId,
|
||||
) {}
|
||||
|
||||
public function handle(EvidenceSnapshotService $service, OperationRunService $operationRuns): void
|
||||
{
|
||||
$snapshot = EvidenceSnapshot::query()->with('tenant')->find($this->snapshotId);
|
||||
$operationRun = OperationRun::query()->find($this->operationRunId);
|
||||
|
||||
if (! $snapshot instanceof EvidenceSnapshot || ! $operationRun instanceof OperationRun || ! $snapshot->tenant) {
|
||||
return;
|
||||
}
|
||||
|
||||
$operationRuns->updateRun($operationRun, OperationRunStatus::Running->value, OperationRunOutcome::Pending->value);
|
||||
$snapshot->update(['status' => EvidenceSnapshotStatus::Generating->value]);
|
||||
|
||||
try {
|
||||
$payload = $service->buildSnapshotPayload($snapshot->tenant);
|
||||
$previousActive = EvidenceSnapshot::query()
|
||||
->where('tenant_id', (int) $snapshot->tenant_id)
|
||||
->where('workspace_id', (int) $snapshot->workspace_id)
|
||||
->where('status', EvidenceSnapshotStatus::Active->value)
|
||||
->whereKeyNot((int) $snapshot->getKey())
|
||||
->first();
|
||||
|
||||
$snapshot->items()->delete();
|
||||
|
||||
foreach ($payload['items'] as $item) {
|
||||
$snapshot->items()->create([
|
||||
'tenant_id' => (int) $snapshot->tenant_id,
|
||||
'workspace_id' => (int) $snapshot->workspace_id,
|
||||
'dimension_key' => $item['dimension_key'],
|
||||
'state' => $item['state'],
|
||||
'required' => $item['required'],
|
||||
'source_kind' => $item['source_kind'],
|
||||
'source_record_type' => $item['source_record_type'],
|
||||
'source_record_id' => $item['source_record_id'],
|
||||
'source_fingerprint' => $item['source_fingerprint'],
|
||||
'measured_at' => $item['measured_at'],
|
||||
'freshness_at' => $item['freshness_at'],
|
||||
'summary_payload' => $item['summary_payload'],
|
||||
'sort_order' => $item['sort_order'],
|
||||
]);
|
||||
}
|
||||
|
||||
if ($previousActive instanceof EvidenceSnapshot && $previousActive->fingerprint !== $payload['fingerprint']) {
|
||||
$previousActive->update([
|
||||
'status' => EvidenceSnapshotStatus::Superseded->value,
|
||||
]);
|
||||
}
|
||||
|
||||
$snapshot->update([
|
||||
'fingerprint' => $payload['fingerprint'],
|
||||
'previous_fingerprint' => $previousActive?->fingerprint,
|
||||
'status' => EvidenceSnapshotStatus::Active->value,
|
||||
'completeness_state' => $payload['completeness'],
|
||||
'generated_at' => now(),
|
||||
'summary' => $payload['summary'],
|
||||
]);
|
||||
|
||||
$operationRuns->updateRun(
|
||||
$operationRun,
|
||||
status: OperationRunStatus::Completed->value,
|
||||
outcome: OperationRunOutcome::Succeeded->value,
|
||||
summaryCounts: [
|
||||
'created' => 1,
|
||||
'finding_count' => (int) ($payload['summary']['finding_count'] ?? 0),
|
||||
'report_count' => (int) ($payload['summary']['report_count'] ?? 0),
|
||||
'operation_count' => (int) ($payload['summary']['operation_count'] ?? 0),
|
||||
'errors_recorded' => 0,
|
||||
],
|
||||
);
|
||||
} catch (Throwable $throwable) {
|
||||
$snapshot->update([
|
||||
'status' => EvidenceSnapshotStatus::Failed->value,
|
||||
'summary' => [
|
||||
'error' => $throwable->getMessage(),
|
||||
],
|
||||
]);
|
||||
|
||||
$operationRuns->updateRun(
|
||||
$operationRun,
|
||||
status: OperationRunStatus::Completed->value,
|
||||
outcome: OperationRunOutcome::Failed->value,
|
||||
failures: [
|
||||
[
|
||||
'code' => 'evidence_snapshot_generation.failed',
|
||||
'message' => $throwable->getMessage(),
|
||||
],
|
||||
],
|
||||
);
|
||||
|
||||
throw $throwable;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -4,11 +4,12 @@
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Models\EvidenceSnapshot;
|
||||
use App\Models\Finding;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ReviewPack;
|
||||
use App\Models\StoredReport;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantReview;
|
||||
use App\Services\Intune\SecretClassificationService;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Services\ReviewPackService;
|
||||
@ -34,7 +35,7 @@ public function __construct(
|
||||
|
||||
public function handle(OperationRunService $operationRunService): void
|
||||
{
|
||||
$reviewPack = ReviewPack::query()->find($this->reviewPackId);
|
||||
$reviewPack = ReviewPack::query()->with(['tenant', 'evidenceSnapshot.items', 'tenantReview.sections'])->find($this->reviewPackId);
|
||||
$operationRun = OperationRun::query()->find($this->operationRunId);
|
||||
|
||||
if (! $reviewPack instanceof ReviewPack || ! $operationRun instanceof OperationRun) {
|
||||
@ -54,12 +55,20 @@ public function handle(OperationRunService $operationRunService): void
|
||||
return;
|
||||
}
|
||||
|
||||
$snapshot = $reviewPack->evidenceSnapshot;
|
||||
|
||||
if (! $snapshot instanceof EvidenceSnapshot) {
|
||||
$this->markFailed($reviewPack, $operationRun, $operationRunService, 'missing_snapshot', 'Evidence snapshot not found');
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
// Mark running via OperationRunService (auto-sets started_at)
|
||||
$operationRunService->updateRun($operationRun, OperationRunStatus::Running->value);
|
||||
$reviewPack->update(['status' => ReviewPackStatus::Generating->value]);
|
||||
|
||||
try {
|
||||
$this->executeGeneration($reviewPack, $operationRun, $tenant, $operationRunService);
|
||||
$this->executeGeneration($reviewPack, $operationRun, $tenant, $snapshot, $operationRunService);
|
||||
} catch (Throwable $e) {
|
||||
$this->markFailed($reviewPack, $operationRun, $operationRunService, 'generation_error', $e->getMessage());
|
||||
|
||||
@ -67,60 +76,44 @@ public function handle(OperationRunService $operationRunService): void
|
||||
}
|
||||
}
|
||||
|
||||
private function executeGeneration(ReviewPack $reviewPack, OperationRun $operationRun, Tenant $tenant, OperationRunService $operationRunService): void
|
||||
private function executeGeneration(ReviewPack $reviewPack, OperationRun $operationRun, Tenant $tenant, EvidenceSnapshot $snapshot, OperationRunService $operationRunService): void
|
||||
{
|
||||
$review = $reviewPack->tenantReview;
|
||||
|
||||
if ($review instanceof TenantReview) {
|
||||
$this->executeReviewDerivedGeneration($reviewPack, $review, $operationRun, $tenant, $snapshot, $operationRunService);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$options = $reviewPack->options ?? [];
|
||||
$includePii = (bool) ($options['include_pii'] ?? true);
|
||||
$includeOperations = (bool) ($options['include_operations'] ?? true);
|
||||
$tenantId = (int) $tenant->getKey();
|
||||
$items = $snapshot->items->keyBy('dimension_key');
|
||||
$findingsPayload = $this->itemSummaryPayload($items->get('findings_summary'));
|
||||
$permissionPosturePayload = $this->itemSummaryPayload($items->get('permission_posture'));
|
||||
$entraRolesPayload = $this->itemSummaryPayload($items->get('entra_admin_roles'));
|
||||
$operationsPayload = $this->itemSummaryPayload($items->get('operations_summary'));
|
||||
$riskAcceptance = is_array($snapshot->summary['risk_acceptance'] ?? null)
|
||||
? $snapshot->summary['risk_acceptance']
|
||||
: (is_array($findingsPayload['risk_acceptance'] ?? null) ? $findingsPayload['risk_acceptance'] : []);
|
||||
|
||||
// 1. Collect StoredReports
|
||||
$storedReports = StoredReport::query()
|
||||
->where('tenant_id', $tenantId)
|
||||
->whereIn('report_type', [
|
||||
StoredReport::REPORT_TYPE_PERMISSION_POSTURE,
|
||||
StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
|
||||
])
|
||||
->get()
|
||||
->keyBy('report_type');
|
||||
|
||||
// 2. Collect open findings
|
||||
$findings = Finding::query()
|
||||
->where('tenant_id', $tenantId)
|
||||
->whereIn('status', Finding::openStatusesForQuery())
|
||||
->orderBy('severity')
|
||||
->orderBy('created_at')
|
||||
->get();
|
||||
|
||||
// 3. Collect tenant hardening fields
|
||||
$hardening = [
|
||||
'rbac_last_checked_at' => $tenant->rbac_last_checked_at?->toIso8601String(),
|
||||
'rbac_last_setup_at' => $tenant->rbac_last_setup_at?->toIso8601String(),
|
||||
'rbac_canary_results' => $tenant->rbac_canary_results,
|
||||
'rbac_last_warnings' => $tenant->rbac_last_warnings,
|
||||
'rbac_scope_mode' => $tenant->rbac_scope_mode,
|
||||
];
|
||||
|
||||
// 4. Collect recent OperationRuns (30 days)
|
||||
$recentOperations = $includeOperations
|
||||
? OperationRun::query()
|
||||
->where('tenant_id', $tenantId)
|
||||
->where('created_at', '>=', now()->subDays(30))
|
||||
->orderByDesc('created_at')
|
||||
->get()
|
||||
: collect();
|
||||
|
||||
// 5. Data freshness
|
||||
$dataFreshness = $this->computeDataFreshness($storedReports, $findings, $tenant);
|
||||
$findings = collect(is_array($findingsPayload['entries'] ?? null) ? $findingsPayload['entries'] : []);
|
||||
$recentOperations = collect($includeOperations && is_array($operationsPayload['entries'] ?? null) ? $operationsPayload['entries'] : []);
|
||||
$hardening = is_array($snapshot->summary['hardening'] ?? null) ? $snapshot->summary['hardening'] : [];
|
||||
$dataFreshness = $this->computeDataFreshness($items);
|
||||
|
||||
// 6. Build file map
|
||||
$fileMap = $this->buildFileMap(
|
||||
storedReports: $storedReports,
|
||||
findings: $findings,
|
||||
hardening: $hardening,
|
||||
permissionPosture: is_array($permissionPosturePayload['payload'] ?? null) ? $permissionPosturePayload['payload'] : [],
|
||||
entraAdminRoles: ['roles' => is_array($entraRolesPayload['roles'] ?? null) ? $entraRolesPayload['roles'] : []],
|
||||
recentOperations: $recentOperations,
|
||||
tenant: $tenant,
|
||||
snapshot: $snapshot,
|
||||
dataFreshness: $dataFreshness,
|
||||
riskAcceptance: $riskAcceptance,
|
||||
includePii: $includePii,
|
||||
includeOperations: $includeOperations,
|
||||
);
|
||||
@ -154,16 +147,24 @@ private function executeGeneration(ReviewPack $reviewPack, OperationRun $operati
|
||||
|
||||
// 11. Compute summary
|
||||
$summary = [
|
||||
'finding_count' => $findings->count(),
|
||||
'report_count' => $storedReports->count(),
|
||||
'finding_count' => (int) ($snapshot->summary['finding_count'] ?? $findings->count()),
|
||||
'report_count' => (int) ($snapshot->summary['report_count'] ?? 0),
|
||||
'operation_count' => $recentOperations->count(),
|
||||
'data_freshness' => $dataFreshness,
|
||||
'risk_acceptance' => $riskAcceptance,
|
||||
'evidence_resolution' => [
|
||||
'outcome' => 'resolved',
|
||||
'snapshot_id' => (int) $snapshot->getKey(),
|
||||
'snapshot_fingerprint' => (string) $snapshot->fingerprint,
|
||||
'completeness_state' => (string) $snapshot->completeness_state,
|
||||
],
|
||||
];
|
||||
|
||||
// 12. Update ReviewPack
|
||||
$retentionDays = (int) config('tenantpilot.review_pack.retention_days', 90);
|
||||
$reviewPack->update([
|
||||
'status' => ReviewPackStatus::Ready->value,
|
||||
'evidence_snapshot_id' => (int) $snapshot->getKey(),
|
||||
'fingerprint' => $fingerprint,
|
||||
'sha256' => $sha256,
|
||||
'file_size' => $fileSize,
|
||||
@ -183,18 +184,113 @@ private function executeGeneration(ReviewPack $reviewPack, OperationRun $operati
|
||||
);
|
||||
}
|
||||
|
||||
private function executeReviewDerivedGeneration(
|
||||
ReviewPack $reviewPack,
|
||||
TenantReview $review,
|
||||
OperationRun $operationRun,
|
||||
Tenant $tenant,
|
||||
EvidenceSnapshot $snapshot,
|
||||
OperationRunService $operationRunService,
|
||||
): void {
|
||||
$options = $reviewPack->options ?? [];
|
||||
$includePii = (bool) ($options['include_pii'] ?? true);
|
||||
$includeOperations = (bool) ($options['include_operations'] ?? true);
|
||||
|
||||
$fileMap = $this->buildReviewDerivedFileMap(
|
||||
review: $review,
|
||||
tenant: $tenant,
|
||||
snapshot: $snapshot,
|
||||
includePii: $includePii,
|
||||
includeOperations: $includeOperations,
|
||||
);
|
||||
|
||||
$tempFile = tempnam(sys_get_temp_dir(), 'review-pack-');
|
||||
|
||||
try {
|
||||
$this->assembleZip($tempFile, $fileMap);
|
||||
|
||||
$sha256 = hash_file('sha256', $tempFile);
|
||||
$fileSize = filesize($tempFile);
|
||||
$filePath = sprintf(
|
||||
'review-packs/%s/review-%d-%s.zip',
|
||||
$tenant->external_id,
|
||||
(int) $review->getKey(),
|
||||
now()->format('Y-m-d-His'),
|
||||
);
|
||||
|
||||
Storage::disk('exports')->put($filePath, file_get_contents($tempFile));
|
||||
} finally {
|
||||
if (file_exists($tempFile)) {
|
||||
unlink($tempFile);
|
||||
}
|
||||
}
|
||||
|
||||
$fingerprint = app(ReviewPackService::class)->computeFingerprintForReview($review, $options);
|
||||
$reviewSummary = is_array($review->summary) ? $review->summary : [];
|
||||
$summary = [
|
||||
'tenant_review_id' => (int) $review->getKey(),
|
||||
'review_status' => (string) $review->status,
|
||||
'review_completeness_state' => (string) $review->completeness_state,
|
||||
'section_count' => $review->sections->count(),
|
||||
'finding_count' => (int) ($reviewSummary['finding_count'] ?? 0),
|
||||
'report_count' => (int) ($reviewSummary['report_count'] ?? 0),
|
||||
'operation_count' => $includeOperations ? (int) ($reviewSummary['operation_count'] ?? 0) : 0,
|
||||
'highlights' => is_array($reviewSummary['highlights'] ?? null) ? $reviewSummary['highlights'] : [],
|
||||
'publish_blockers' => is_array($reviewSummary['publish_blockers'] ?? null) ? $reviewSummary['publish_blockers'] : [],
|
||||
'evidence_resolution' => [
|
||||
'outcome' => 'resolved',
|
||||
'snapshot_id' => (int) $snapshot->getKey(),
|
||||
'snapshot_fingerprint' => (string) $snapshot->fingerprint,
|
||||
'completeness_state' => (string) $snapshot->completeness_state,
|
||||
],
|
||||
];
|
||||
|
||||
$retentionDays = (int) config('tenantpilot.review_pack.retention_days', 90);
|
||||
$reviewPack->update([
|
||||
'status' => ReviewPackStatus::Ready->value,
|
||||
'evidence_snapshot_id' => (int) $snapshot->getKey(),
|
||||
'fingerprint' => $fingerprint,
|
||||
'sha256' => $sha256,
|
||||
'file_size' => $fileSize,
|
||||
'file_path' => $filePath,
|
||||
'file_disk' => 'exports',
|
||||
'generated_at' => now(),
|
||||
'expires_at' => now()->addDays($retentionDays),
|
||||
'summary' => $summary,
|
||||
]);
|
||||
|
||||
$review->update([
|
||||
'current_export_review_pack_id' => (int) $reviewPack->getKey(),
|
||||
'summary' => array_merge($reviewSummary, [
|
||||
'has_ready_export' => true,
|
||||
'current_export_review_pack_id' => (int) $reviewPack->getKey(),
|
||||
]),
|
||||
]);
|
||||
|
||||
$operationRunService->updateRun(
|
||||
$operationRun,
|
||||
status: OperationRunStatus::Completed->value,
|
||||
outcome: OperationRunOutcome::Succeeded->value,
|
||||
summaryCounts: [
|
||||
'created' => 1,
|
||||
'finding_count' => (int) ($summary['finding_count'] ?? 0),
|
||||
'report_count' => (int) ($summary['report_count'] ?? 0),
|
||||
'operation_count' => (int) ($summary['operation_count'] ?? 0),
|
||||
'errors_recorded' => 0,
|
||||
],
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param \Illuminate\Support\Collection<string, StoredReport> $storedReports
|
||||
* @param \Illuminate\Database\Eloquent\Collection<int, Finding> $findings
|
||||
* @return array<string, ?string>
|
||||
*/
|
||||
private function computeDataFreshness($storedReports, $findings, Tenant $tenant): array
|
||||
private function computeDataFreshness($items): array
|
||||
{
|
||||
return [
|
||||
'permission_posture' => $storedReports->get(StoredReport::REPORT_TYPE_PERMISSION_POSTURE)?->updated_at?->toIso8601String(),
|
||||
'entra_admin_roles' => $storedReports->get(StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)?->updated_at?->toIso8601String(),
|
||||
'findings' => $findings->max('updated_at')?->toIso8601String() ?? $findings->max('created_at')?->toIso8601String(),
|
||||
'hardening' => $tenant->rbac_last_checked_at?->toIso8601String(),
|
||||
'permission_posture' => $items->get('permission_posture')?->freshness_at?->toIso8601String(),
|
||||
'entra_admin_roles' => $items->get('entra_admin_roles')?->freshness_at?->toIso8601String(),
|
||||
'findings' => $items->get('findings_summary')?->freshness_at?->toIso8601String(),
|
||||
'hardening' => $items->get('baseline_drift_posture')?->freshness_at?->toIso8601String(),
|
||||
];
|
||||
}
|
||||
|
||||
@ -204,12 +300,15 @@ private function computeDataFreshness($storedReports, $findings, Tenant $tenant)
|
||||
* @return array<string, string>
|
||||
*/
|
||||
private function buildFileMap(
|
||||
$storedReports,
|
||||
$findings,
|
||||
array $hardening,
|
||||
array $permissionPosture,
|
||||
array $entraAdminRoles,
|
||||
$recentOperations,
|
||||
Tenant $tenant,
|
||||
EvidenceSnapshot $snapshot,
|
||||
array $dataFreshness,
|
||||
array $riskAcceptance,
|
||||
bool $includePii,
|
||||
bool $includeOperations,
|
||||
): array {
|
||||
@ -227,6 +326,12 @@ private function buildFileMap(
|
||||
'tenant_id' => $tenant->external_id,
|
||||
'tenant_name' => $includePii ? $tenant->name : '[REDACTED]',
|
||||
'generated_at' => now()->toIso8601String(),
|
||||
'evidence_snapshot' => [
|
||||
'id' => (int) $snapshot->getKey(),
|
||||
'fingerprint' => (string) $snapshot->fingerprint,
|
||||
'completeness_state' => (string) $snapshot->completeness_state,
|
||||
'generated_at' => $snapshot->generated_at?->toIso8601String(),
|
||||
],
|
||||
'redaction_integrity' => [
|
||||
'protected_values_hidden' => true,
|
||||
'note' => RedactionIntegrity::protectedValueNote(),
|
||||
@ -241,16 +346,14 @@ private function buildFileMap(
|
||||
$files['operations.csv'] = $this->buildOperationsCsv($recentOperations, $includePii);
|
||||
|
||||
// reports/entra_admin_roles.json
|
||||
$entraReport = $storedReports->get(StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES);
|
||||
$files['reports/entra_admin_roles.json'] = json_encode(
|
||||
$entraReport ? $this->redactReportPayload($entraReport->payload ?? [], $includePii) : [],
|
||||
$this->redactReportPayload($entraAdminRoles, $includePii),
|
||||
JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR,
|
||||
);
|
||||
|
||||
// reports/permission_posture.json
|
||||
$postureReport = $storedReports->get(StoredReport::REPORT_TYPE_PERMISSION_POSTURE);
|
||||
$files['reports/permission_posture.json'] = json_encode(
|
||||
$postureReport ? $this->redactReportPayload($postureReport->payload ?? [], $includePii) : [],
|
||||
$this->redactReportPayload($permissionPosture, $includePii),
|
||||
JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR,
|
||||
);
|
||||
|
||||
@ -258,8 +361,10 @@ private function buildFileMap(
|
||||
$files['summary.json'] = json_encode([
|
||||
'data_freshness' => $dataFreshness,
|
||||
'finding_count' => $findings->count(),
|
||||
'report_count' => $storedReports->count(),
|
||||
'report_count' => count(array_filter([$permissionPosture, $entraAdminRoles], static fn (array $payload): bool => $payload !== [])),
|
||||
'operation_count' => $recentOperations->count(),
|
||||
'risk_acceptance' => $riskAcceptance,
|
||||
'snapshot_id' => (int) $snapshot->getKey(),
|
||||
], JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
|
||||
|
||||
return $files;
|
||||
@ -273,18 +378,33 @@ private function buildFileMap(
|
||||
private function buildFindingsCsv($findings, bool $includePii): string
|
||||
{
|
||||
$handle = fopen('php://temp', 'r+');
|
||||
fputcsv($handle, ['id', 'finding_type', 'severity', 'status', 'title', 'description', 'created_at', 'updated_at']);
|
||||
$this->writeCsvRow($handle, ['id', 'finding_type', 'severity', 'status', 'title', 'description', 'created_at', 'updated_at']);
|
||||
|
||||
foreach ($findings as $finding) {
|
||||
fputcsv($handle, [
|
||||
$finding->id,
|
||||
$finding->finding_type,
|
||||
$finding->severity,
|
||||
$finding->status,
|
||||
$includePii ? ($finding->title ?? '') : '[REDACTED]',
|
||||
$includePii ? ($finding->description ?? '') : '[REDACTED]',
|
||||
$finding->created_at?->toIso8601String(),
|
||||
$finding->updated_at?->toIso8601String(),
|
||||
$row = $finding instanceof Finding
|
||||
? [
|
||||
$finding->id,
|
||||
$finding->finding_type,
|
||||
$finding->severity,
|
||||
$finding->status,
|
||||
$includePii ? ($finding->title ?? '') : '[REDACTED]',
|
||||
$includePii ? ($finding->description ?? '') : '[REDACTED]',
|
||||
$finding->created_at?->toIso8601String(),
|
||||
$finding->updated_at?->toIso8601String(),
|
||||
]
|
||||
: [
|
||||
$finding['id'] ?? '',
|
||||
$finding['finding_type'] ?? '',
|
||||
$finding['severity'] ?? '',
|
||||
$finding['status'] ?? '',
|
||||
$includePii ? ($finding['title'] ?? '') : '[REDACTED]',
|
||||
$includePii ? ($finding['description'] ?? '') : '[REDACTED]',
|
||||
$finding['created_at'] ?? '',
|
||||
$finding['updated_at'] ?? '',
|
||||
];
|
||||
|
||||
$this->writeCsvRow($handle, [
|
||||
...$row,
|
||||
]);
|
||||
}
|
||||
|
||||
@ -301,17 +421,31 @@ private function buildFindingsCsv($findings, bool $includePii): string
|
||||
private function buildOperationsCsv($operations, bool $includePii): string
|
||||
{
|
||||
$handle = fopen('php://temp', 'r+');
|
||||
fputcsv($handle, ['id', 'type', 'status', 'outcome', 'initiator', 'started_at', 'completed_at']);
|
||||
$this->writeCsvRow($handle, ['id', 'type', 'status', 'outcome', 'initiator', 'started_at', 'completed_at']);
|
||||
|
||||
foreach ($operations as $operation) {
|
||||
fputcsv($handle, [
|
||||
$operation->id,
|
||||
$operation->type,
|
||||
$operation->status,
|
||||
$operation->outcome,
|
||||
$includePii ? ($operation->user?->name ?? '') : '[REDACTED]',
|
||||
$operation->started_at?->toIso8601String(),
|
||||
$operation->completed_at?->toIso8601String(),
|
||||
$row = $operation instanceof OperationRun
|
||||
? [
|
||||
$operation->id,
|
||||
$operation->type,
|
||||
$operation->status,
|
||||
$operation->outcome,
|
||||
$includePii ? ($operation->user?->name ?? '') : '[REDACTED]',
|
||||
$operation->started_at?->toIso8601String(),
|
||||
$operation->completed_at?->toIso8601String(),
|
||||
]
|
||||
: [
|
||||
$operation['id'] ?? '',
|
||||
$operation['type'] ?? '',
|
||||
$operation['status'] ?? '',
|
||||
$operation['outcome'] ?? '',
|
||||
$includePii ? ($operation['initiator_name'] ?? '') : '[REDACTED]',
|
||||
$operation['started_at'] ?? '',
|
||||
$operation['completed_at'] ?? '',
|
||||
];
|
||||
|
||||
$this->writeCsvRow($handle, [
|
||||
...$row,
|
||||
]);
|
||||
}
|
||||
|
||||
@ -322,6 +456,15 @@ private function buildOperationsCsv($operations, bool $includePii): string
|
||||
return $content;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param resource $handle
|
||||
* @param array<int, mixed> $row
|
||||
*/
|
||||
private function writeCsvRow($handle, array $row): void
|
||||
{
|
||||
fputcsv($handle, $row, ',', '"', '\\');
|
||||
}
|
||||
|
||||
/**
|
||||
* Redact PII from a report payload.
|
||||
*
|
||||
@ -431,9 +574,98 @@ private function assembleZip(string $tempFile, array $fileMap): void
|
||||
$zip->close();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
private function buildReviewDerivedFileMap(
|
||||
TenantReview $review,
|
||||
Tenant $tenant,
|
||||
EvidenceSnapshot $snapshot,
|
||||
bool $includePii,
|
||||
bool $includeOperations,
|
||||
): array {
|
||||
$reviewSummary = is_array($review->summary) ? $review->summary : [];
|
||||
|
||||
$sections = $review->sections
|
||||
->filter(fn (mixed $section): bool => $includeOperations || $section->section_key !== 'operations_health')
|
||||
->values();
|
||||
|
||||
$files = [
|
||||
'metadata.json' => json_encode([
|
||||
'version' => '1.0',
|
||||
'tenant_id' => $tenant->external_id,
|
||||
'tenant_name' => $includePii ? $tenant->name : '[REDACTED]',
|
||||
'generated_at' => now()->toIso8601String(),
|
||||
'tenant_review' => [
|
||||
'id' => (int) $review->getKey(),
|
||||
'status' => (string) $review->status,
|
||||
'completeness_state' => (string) $review->completeness_state,
|
||||
'published_at' => $review->published_at?->toIso8601String(),
|
||||
'fingerprint' => (string) $review->fingerprint,
|
||||
],
|
||||
'evidence_snapshot' => [
|
||||
'id' => (int) $snapshot->getKey(),
|
||||
'fingerprint' => (string) $snapshot->fingerprint,
|
||||
'completeness_state' => (string) $snapshot->completeness_state,
|
||||
'generated_at' => $snapshot->generated_at?->toIso8601String(),
|
||||
],
|
||||
'options' => [
|
||||
'include_pii' => $includePii,
|
||||
'include_operations' => $includeOperations,
|
||||
],
|
||||
'redaction_integrity' => [
|
||||
'protected_values_hidden' => true,
|
||||
'note' => RedactionIntegrity::protectedValueNote(),
|
||||
],
|
||||
], JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR),
|
||||
'summary.json' => json_encode($this->redactReportPayload(array_merge([
|
||||
'tenant_review_id' => (int) $review->getKey(),
|
||||
'review_status' => (string) $review->status,
|
||||
'review_completeness_state' => (string) $review->completeness_state,
|
||||
], $reviewSummary), $includePii), JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR),
|
||||
'sections.json' => json_encode($sections->map(function ($section) use ($includePii): array {
|
||||
$summaryPayload = is_array($section->summary_payload) ? $section->summary_payload : [];
|
||||
$renderPayload = is_array($section->render_payload) ? $section->render_payload : [];
|
||||
|
||||
return [
|
||||
'section_key' => (string) $section->section_key,
|
||||
'title' => (string) $section->title,
|
||||
'sort_order' => (int) $section->sort_order,
|
||||
'required' => (bool) $section->required,
|
||||
'completeness_state' => (string) $section->completeness_state,
|
||||
'summary_payload' => $this->redactReportPayload($summaryPayload, $includePii),
|
||||
'render_payload' => $this->redactReportPayload($renderPayload, $includePii),
|
||||
];
|
||||
})->all(), JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR),
|
||||
];
|
||||
|
||||
foreach ($sections as $section) {
|
||||
$renderPayload = is_array($section->render_payload) ? $section->render_payload : [];
|
||||
$summaryPayload = is_array($section->summary_payload) ? $section->summary_payload : [];
|
||||
$filename = sprintf('sections/%02d-%s.json', (int) $section->sort_order, (string) $section->section_key);
|
||||
|
||||
$files[$filename] = json_encode([
|
||||
'title' => (string) $section->title,
|
||||
'completeness_state' => (string) $section->completeness_state,
|
||||
'summary_payload' => $this->redactReportPayload($summaryPayload, $includePii),
|
||||
'render_payload' => $this->redactReportPayload($renderPayload, $includePii),
|
||||
], JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
|
||||
}
|
||||
|
||||
return $files;
|
||||
}
|
||||
|
||||
private function markFailed(ReviewPack $reviewPack, OperationRun $operationRun, OperationRunService $operationRunService, string $reasonCode, string $errorMessage): void
|
||||
{
|
||||
$reviewPack->update(['status' => ReviewPackStatus::Failed->value]);
|
||||
$reviewPack->update([
|
||||
'status' => ReviewPackStatus::Failed->value,
|
||||
'summary' => array_merge($reviewPack->summary ?? [], [
|
||||
'evidence_resolution' => array_merge($reviewPack->summary['evidence_resolution'] ?? [], [
|
||||
'outcome' => $reasonCode,
|
||||
'reasons' => [mb_substr($errorMessage, 0, 500)],
|
||||
]),
|
||||
]),
|
||||
]);
|
||||
|
||||
$operationRunService->updateRun(
|
||||
$operationRun,
|
||||
@ -444,4 +676,13 @@ private function markFailed(ReviewPack $reviewPack, OperationRun $operationRun,
|
||||
],
|
||||
);
|
||||
}
|
||||
|
||||
private function itemSummaryPayload(mixed $item): array
|
||||
{
|
||||
if (! $item instanceof \App\Models\EvidenceSnapshotItem || ! is_array($item->summary_payload)) {
|
||||
return [];
|
||||
}
|
||||
|
||||
return $item->summary_payload;
|
||||
}
|
||||
}
|
||||
|
||||
57
app/Jobs/Middleware/EnsureQueuedExecutionLegitimate.php
Normal file
57
app/Jobs/Middleware/EnsureQueuedExecutionLegitimate.php
Normal file
@ -0,0 +1,57 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Jobs\Middleware;
|
||||
|
||||
use App\Models\OperationRun;
|
||||
use App\Services\OperationRunService;
|
||||
use App\Services\Operations\QueuedExecutionLegitimacyGate;
|
||||
use Closure;
|
||||
|
||||
class EnsureQueuedExecutionLegitimate
|
||||
{
|
||||
/**
|
||||
* @param mixed $job
|
||||
* @param callable $next
|
||||
* @return mixed
|
||||
*/
|
||||
public function handle($job, Closure $next)
|
||||
{
|
||||
$run = $this->resolveRun($job);
|
||||
|
||||
if (! $run instanceof OperationRun) {
|
||||
return $next($job);
|
||||
}
|
||||
|
||||
$decision = app(QueuedExecutionLegitimacyGate::class)->evaluate($run);
|
||||
|
||||
if (! $decision->allowed) {
|
||||
app(OperationRunService::class)->finalizeExecutionLegitimacyBlockedRun($run, $decision);
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
return $next($job);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param mixed $job
|
||||
*/
|
||||
private function resolveRun($job): ?OperationRun
|
||||
{
|
||||
if (method_exists($job, 'getOperationRun')) {
|
||||
$run = $job->getOperationRun();
|
||||
|
||||
return $run instanceof OperationRun ? $run : null;
|
||||
}
|
||||
|
||||
if (property_exists($job, 'operationRun')) {
|
||||
$run = $job->operationRun;
|
||||
|
||||
return $run instanceof OperationRun ? $run : null;
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
}
|
||||
@ -17,14 +17,7 @@ class TrackOperationRun
|
||||
*/
|
||||
public function handle($job, Closure $next)
|
||||
{
|
||||
// Check if the job has an 'operationRun' property or method
|
||||
$run = null;
|
||||
|
||||
if (method_exists($job, 'getOperationRun')) {
|
||||
$run = $job->getOperationRun();
|
||||
} elseif (property_exists($job, 'operationRun')) {
|
||||
$run = $job->operationRun;
|
||||
}
|
||||
$run = $this->resolveRun($job);
|
||||
|
||||
if (! $run instanceof OperationRun) {
|
||||
return $next($job);
|
||||
@ -33,19 +26,23 @@ public function handle($job, Closure $next)
|
||||
/** @var OperationRunService $service */
|
||||
$service = app(OperationRunService::class);
|
||||
|
||||
// Mark as running
|
||||
$service->updateRun($run, 'running');
|
||||
$run->refresh();
|
||||
|
||||
if ($run->status === 'completed') {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ($run->status !== 'running') {
|
||||
$service->updateRun($run, 'running');
|
||||
}
|
||||
|
||||
try {
|
||||
$response = $next($job);
|
||||
|
||||
// If the job was released back onto the queue (retry / delay), do not mark the run as completed.
|
||||
if (property_exists($job, 'job') && $job->job && method_exists($job->job, 'isReleased') && $job->job->isReleased()) {
|
||||
return $response;
|
||||
}
|
||||
|
||||
// If the job didn't already mark it as completed/failed, we do it here.
|
||||
// Re-fetch to check current status
|
||||
$run->refresh();
|
||||
|
||||
if ($run->status === 'running') {
|
||||
@ -58,4 +55,24 @@ public function handle($job, Closure $next)
|
||||
throw $e;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @param mixed $job
|
||||
*/
|
||||
private function resolveRun($job): ?OperationRun
|
||||
{
|
||||
if (method_exists($job, 'getOperationRun')) {
|
||||
$run = $job->getOperationRun();
|
||||
|
||||
return $run instanceof OperationRun ? $run : null;
|
||||
}
|
||||
|
||||
if (property_exists($job, 'operationRun')) {
|
||||
$run = $job->operationRun;
|
||||
|
||||
return $run instanceof OperationRun ? $run : null;
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs\Operations;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Models\OperationRun;
|
||||
use App\Services\OperationRunService;
|
||||
use Illuminate\Bus\Queueable;
|
||||
@ -37,7 +38,7 @@ public function __construct(
|
||||
*/
|
||||
public function middleware(): array
|
||||
{
|
||||
return [];
|
||||
return [new EnsureQueuedExecutionLegitimate];
|
||||
}
|
||||
|
||||
public function handle(OperationRunService $runs): void
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs\Operations;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Models\OperationRun;
|
||||
use App\Services\OperationRunService;
|
||||
use Illuminate\Bus\Queueable;
|
||||
@ -38,7 +39,7 @@ public function __construct(
|
||||
*/
|
||||
public function middleware(): array
|
||||
{
|
||||
return [];
|
||||
return [new EnsureQueuedExecutionLegitimate];
|
||||
}
|
||||
|
||||
public function handle(OperationRunService $runs): void
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs\Operations;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\Policy;
|
||||
use App\Services\OperationRunService;
|
||||
@ -33,6 +34,11 @@ public function __construct(
|
||||
$this->operationRun = $operationRun;
|
||||
}
|
||||
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new EnsureQueuedExecutionLegitimate];
|
||||
}
|
||||
|
||||
public function handle(OperationRunService $runs, TargetScopeConcurrencyLimiter $limiter): void
|
||||
{
|
||||
if (! $this->operationRun instanceof OperationRun) {
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs\Operations;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
@ -36,6 +37,11 @@ public function __construct(
|
||||
$this->operationRun = $operationRun;
|
||||
}
|
||||
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new EnsureQueuedExecutionLegitimate];
|
||||
}
|
||||
|
||||
public function handle(
|
||||
OperationRunService $runs,
|
||||
TargetScopeConcurrencyLimiter $limiter,
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Jobs\Middleware\TrackOperationRun;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ProviderConnection;
|
||||
@ -41,7 +42,7 @@ public function __construct(
|
||||
*/
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new TrackOperationRun];
|
||||
return [new EnsureQueuedExecutionLegitimate, new TrackOperationRun];
|
||||
}
|
||||
|
||||
public function handle(
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Jobs\Middleware\TrackOperationRun;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ProviderConnection;
|
||||
@ -52,7 +53,7 @@ public function __construct(
|
||||
*/
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new TrackOperationRun];
|
||||
return [new EnsureQueuedExecutionLegitimate, new TrackOperationRun];
|
||||
}
|
||||
|
||||
public function handle(
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Jobs\Middleware\TrackOperationRun;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\ProviderConnection;
|
||||
@ -41,7 +42,7 @@ public function __construct(
|
||||
*/
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new TrackOperationRun];
|
||||
return [new EnsureQueuedExecutionLegitimate, new TrackOperationRun];
|
||||
}
|
||||
|
||||
public function handle(
|
||||
|
||||
@ -4,6 +4,8 @@
|
||||
|
||||
use App\Contracts\Hardening\WriteGateInterface;
|
||||
use App\Exceptions\Hardening\ProviderAccessHardeningRequired;
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Jobs\Middleware\TrackOperationRun;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\RestoreRun;
|
||||
use App\Models\Tenant;
|
||||
@ -12,6 +14,7 @@
|
||||
use App\Services\OperationRunService;
|
||||
use App\Support\OperationRunOutcome;
|
||||
use App\Support\OperationRunStatus;
|
||||
use App\Support\Operations\ExecutionAuthorityMode;
|
||||
use App\Support\OpsUx\AssignmentJobFingerprint;
|
||||
use App\Support\OpsUx\RunFailureSanitizer;
|
||||
use Illuminate\Bus\Queueable;
|
||||
@ -39,6 +42,14 @@ class RestoreAssignmentsJob implements ShouldQueue
|
||||
|
||||
public int $backoff = 0;
|
||||
|
||||
/**
|
||||
* @return array<int, object>
|
||||
*/
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new EnsureQueuedExecutionLegitimate, new TrackOperationRun];
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a new job instance.
|
||||
*/
|
||||
@ -403,6 +414,8 @@ private static function operationRunContext(
|
||||
'policy_type' => trim($policyType),
|
||||
'policy_id' => trim($policyId),
|
||||
'assignment_item_count' => count($assignments),
|
||||
'execution_authority_mode' => ExecutionAuthorityMode::ActorBound->value,
|
||||
'required_capability' => 'tenant.manage',
|
||||
];
|
||||
}
|
||||
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Jobs\Middleware\TrackOperationRun;
|
||||
use App\Models\BackupSchedule;
|
||||
use App\Models\OperationRun;
|
||||
@ -58,7 +59,7 @@ public function __construct(
|
||||
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new TrackOperationRun];
|
||||
return [new EnsureQueuedExecutionLegitimate, new TrackOperationRun];
|
||||
}
|
||||
|
||||
public function handle(
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Jobs\Middleware\TrackOperationRun;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\Tenant;
|
||||
@ -45,7 +46,7 @@ public function __construct(
|
||||
*/
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new TrackOperationRun];
|
||||
return [new EnsureQueuedExecutionLegitimate, new TrackOperationRun];
|
||||
}
|
||||
|
||||
/**
|
||||
@ -89,11 +90,6 @@ public function handle(InventorySyncService $inventorySyncService, AuditLogger $
|
||||
$successCount = 0;
|
||||
$failedCount = 0;
|
||||
|
||||
// Note: The TrackOperationRun middleware will automatically set status to 'running' at start.
|
||||
// It will also handle success completion if no exceptions thrown.
|
||||
// However, InventorySyncService execution logic might be complex with partial failures.
|
||||
// We might want to explicitly update the OperationRun if partial failures occur.
|
||||
|
||||
$result = $inventorySyncService->executeSelection(
|
||||
$this->operationRun,
|
||||
$tenant,
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Jobs;
|
||||
|
||||
use App\Jobs\Middleware\EnsureQueuedExecutionLegitimate;
|
||||
use App\Jobs\Middleware\TrackOperationRun;
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\Policy;
|
||||
@ -39,7 +40,7 @@ public function __construct(
|
||||
|
||||
public function middleware(): array
|
||||
{
|
||||
return [new TrackOperationRun];
|
||||
return [new EnsureQueuedExecutionLegitimate, new TrackOperationRun];
|
||||
}
|
||||
|
||||
public function handle(PolicySyncService $service, OperationRunService $operationRunService): void
|
||||
|
||||
@ -18,6 +18,14 @@ class AuditLog extends Model
|
||||
{
|
||||
use HasFactory;
|
||||
|
||||
/**
|
||||
* @var array<int, string>
|
||||
*/
|
||||
private const INTERNAL_METADATA_KEYS = [
|
||||
'_actor_type',
|
||||
'_dedupe_key',
|
||||
];
|
||||
|
||||
protected $guarded = [];
|
||||
|
||||
protected $casts = [
|
||||
@ -202,7 +210,12 @@ public function contextItems(): array
|
||||
}
|
||||
|
||||
foreach ($metadata as $key => $value) {
|
||||
if (in_array($key, $seen, true) || in_array($key, ['before', 'after'], true)) {
|
||||
if (
|
||||
in_array($key, $seen, true)
|
||||
|| in_array($key, ['before', 'after'], true)
|
||||
|| str_starts_with((string) $key, '_')
|
||||
|| in_array((string) $key, self::INTERNAL_METADATA_KEYS, true)
|
||||
) {
|
||||
continue;
|
||||
}
|
||||
|
||||
|
||||
137
app/Models/EvidenceSnapshot.php
Normal file
137
app/Models/EvidenceSnapshot.php
Normal file
@ -0,0 +1,137 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Models;
|
||||
|
||||
use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
|
||||
use App\Support\Evidence\EvidenceCompletenessState;
|
||||
use App\Support\Evidence\EvidenceSnapshotStatus;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
use Illuminate\Database\Eloquent\Relations\HasMany;
|
||||
|
||||
class EvidenceSnapshot extends Model
|
||||
{
|
||||
use DerivesWorkspaceIdFromTenant;
|
||||
use HasFactory;
|
||||
|
||||
protected $guarded = [];
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
protected function casts(): array
|
||||
{
|
||||
return [
|
||||
'summary' => 'array',
|
||||
'generated_at' => 'datetime',
|
||||
'expires_at' => 'datetime',
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Workspace, $this>
|
||||
*/
|
||||
public function workspace(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Workspace::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Tenant, $this>
|
||||
*/
|
||||
public function tenant(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Tenant::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<OperationRun, $this>
|
||||
*/
|
||||
public function operationRun(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(OperationRun::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<User, $this>
|
||||
*/
|
||||
public function initiator(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(User::class, 'initiated_by_user_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HasMany<EvidenceSnapshotItem, $this>
|
||||
*/
|
||||
public function items(): HasMany
|
||||
{
|
||||
return $this->hasMany(EvidenceSnapshotItem::class)->orderBy('sort_order')->orderBy('id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HasMany<ReviewPack, $this>
|
||||
*/
|
||||
public function reviewPacks(): HasMany
|
||||
{
|
||||
return $this->hasMany(ReviewPack::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HasMany<TenantReview, $this>
|
||||
*/
|
||||
public function tenantReviews(): HasMany
|
||||
{
|
||||
return $this->hasMany(TenantReview::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopeForTenant(Builder $query, int $tenantId): Builder
|
||||
{
|
||||
return $query->where('tenant_id', $tenantId);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopeActive(Builder $query): Builder
|
||||
{
|
||||
return $query->where('status', EvidenceSnapshotStatus::Active->value);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopeCurrent(Builder $query): Builder
|
||||
{
|
||||
return $query
|
||||
->whereIn('status', [
|
||||
EvidenceSnapshotStatus::Queued->value,
|
||||
EvidenceSnapshotStatus::Generating->value,
|
||||
EvidenceSnapshotStatus::Active->value,
|
||||
]);
|
||||
}
|
||||
|
||||
public function isCurrent(): bool
|
||||
{
|
||||
return in_array((string) $this->status, [
|
||||
EvidenceSnapshotStatus::Queued->value,
|
||||
EvidenceSnapshotStatus::Generating->value,
|
||||
EvidenceSnapshotStatus::Active->value,
|
||||
], true);
|
||||
}
|
||||
|
||||
public function completenessState(): EvidenceCompletenessState
|
||||
{
|
||||
return EvidenceCompletenessState::tryFrom((string) $this->completeness_state)
|
||||
?? EvidenceCompletenessState::Missing;
|
||||
}
|
||||
}
|
||||
48
app/Models/EvidenceSnapshotItem.php
Normal file
48
app/Models/EvidenceSnapshotItem.php
Normal file
@ -0,0 +1,48 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Models;
|
||||
|
||||
use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
|
||||
class EvidenceSnapshotItem extends Model
|
||||
{
|
||||
use DerivesWorkspaceIdFromTenant;
|
||||
use HasFactory;
|
||||
|
||||
protected $guarded = [];
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
protected function casts(): array
|
||||
{
|
||||
return [
|
||||
'required' => 'boolean',
|
||||
'measured_at' => 'datetime',
|
||||
'freshness_at' => 'datetime',
|
||||
'summary_payload' => 'array',
|
||||
'sort_order' => 'integer',
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<EvidenceSnapshot, $this>
|
||||
*/
|
||||
public function snapshot(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(EvidenceSnapshot::class, 'evidence_snapshot_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Tenant, $this>
|
||||
*/
|
||||
public function tenant(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Tenant::class);
|
||||
}
|
||||
}
|
||||
@ -3,9 +3,12 @@
|
||||
namespace App\Models;
|
||||
|
||||
use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
use Illuminate\Database\Eloquent\Relations\HasOne;
|
||||
use Illuminate\Support\Arr;
|
||||
|
||||
class Finding extends Model
|
||||
{
|
||||
@ -96,6 +99,14 @@ public function closedByUser(): BelongsTo
|
||||
return $this->belongsTo(User::class, 'closed_by_user_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HasOne<FindingException, $this>
|
||||
*/
|
||||
public function findingException(): HasOne
|
||||
{
|
||||
return $this->hasOne(FindingException::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array<int, string>
|
||||
*/
|
||||
@ -158,10 +169,15 @@ public function hasOpenStatus(): bool
|
||||
return self::isOpenStatus($this->status);
|
||||
}
|
||||
|
||||
public function acknowledge(User $user): void
|
||||
public function isRiskAccepted(): bool
|
||||
{
|
||||
return (string) $this->status === self::STATUS_RISK_ACCEPTED;
|
||||
}
|
||||
|
||||
public function acknowledge(User $user): self
|
||||
{
|
||||
if ($this->status === self::STATUS_ACKNOWLEDGED) {
|
||||
return;
|
||||
return $this;
|
||||
}
|
||||
|
||||
$this->forceFill([
|
||||
@ -171,28 +187,62 @@ public function acknowledge(User $user): void
|
||||
]);
|
||||
|
||||
$this->save();
|
||||
|
||||
return $this;
|
||||
}
|
||||
|
||||
public function resolve(string $reason): self
|
||||
{
|
||||
$this->forceFill([
|
||||
'status' => self::STATUS_RESOLVED,
|
||||
'resolved_at' => now(),
|
||||
'resolved_reason' => $reason,
|
||||
]);
|
||||
|
||||
$this->save();
|
||||
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Auto-resolve the finding.
|
||||
* @param array<string, mixed> $evidence
|
||||
*/
|
||||
public function resolve(string $reason): void
|
||||
public function reopen(array $evidence): self
|
||||
{
|
||||
$this->status = self::STATUS_RESOLVED;
|
||||
$this->resolved_at = now();
|
||||
$this->resolved_reason = $reason;
|
||||
$this->forceFill([
|
||||
'status' => self::STATUS_NEW,
|
||||
'resolved_at' => null,
|
||||
'resolved_reason' => null,
|
||||
'evidence_jsonb' => $evidence,
|
||||
]);
|
||||
|
||||
$this->save();
|
||||
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Re-open a resolved finding.
|
||||
*/
|
||||
public function reopen(array $evidence): void
|
||||
public function resolvedSubjectDisplayName(): ?string
|
||||
{
|
||||
$this->status = self::STATUS_NEW;
|
||||
$this->resolved_at = null;
|
||||
$this->resolved_reason = null;
|
||||
$this->evidence_jsonb = $evidence;
|
||||
$this->save();
|
||||
$displayName = $this->getAttribute('subject_display_name');
|
||||
|
||||
if (is_string($displayName) && trim($displayName) !== '') {
|
||||
return trim($displayName);
|
||||
}
|
||||
|
||||
$fallback = Arr::get($this->evidence_jsonb ?? [], 'display_name');
|
||||
$fallback = is_string($fallback) ? trim($fallback) : null;
|
||||
|
||||
return $fallback !== '' ? $fallback : null;
|
||||
}
|
||||
|
||||
public function scopeWithSubjectDisplayName(Builder $query): Builder
|
||||
{
|
||||
return $query->addSelect([
|
||||
'subject_display_name' => InventoryItem::query()
|
||||
->select('display_name')
|
||||
->whereColumn('inventory_items.tenant_id', 'findings.tenant_id')
|
||||
->whereColumn('inventory_items.external_id', 'findings.subject_external_id')
|
||||
->limit(1),
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
||||
243
app/Models/FindingException.php
Normal file
243
app/Models/FindingException.php
Normal file
@ -0,0 +1,243 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Models;
|
||||
|
||||
use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
use Illuminate\Database\Eloquent\Relations\HasMany;
|
||||
|
||||
class FindingException extends Model
|
||||
{
|
||||
use DerivesWorkspaceIdFromTenant;
|
||||
use HasFactory;
|
||||
|
||||
public const string STATUS_PENDING = 'pending';
|
||||
|
||||
public const string STATUS_ACTIVE = 'active';
|
||||
|
||||
public const string STATUS_EXPIRING = 'expiring';
|
||||
|
||||
public const string STATUS_EXPIRED = 'expired';
|
||||
|
||||
public const string STATUS_REJECTED = 'rejected';
|
||||
|
||||
public const string STATUS_REVOKED = 'revoked';
|
||||
|
||||
public const string STATUS_SUPERSEDED = 'superseded';
|
||||
|
||||
public const string VALIDITY_VALID = 'valid';
|
||||
|
||||
public const string VALIDITY_EXPIRING = 'expiring';
|
||||
|
||||
public const string VALIDITY_EXPIRED = 'expired';
|
||||
|
||||
public const string VALIDITY_REVOKED = 'revoked';
|
||||
|
||||
public const string VALIDITY_REJECTED = 'rejected';
|
||||
|
||||
public const string VALIDITY_MISSING_SUPPORT = 'missing_support';
|
||||
|
||||
protected $guarded = [];
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
protected function casts(): array
|
||||
{
|
||||
return [
|
||||
'requested_at' => 'datetime',
|
||||
'approved_at' => 'datetime',
|
||||
'rejected_at' => 'datetime',
|
||||
'revoked_at' => 'datetime',
|
||||
'effective_from' => 'datetime',
|
||||
'expires_at' => 'datetime',
|
||||
'review_due_at' => 'datetime',
|
||||
'evidence_summary' => 'array',
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Workspace, $this>
|
||||
*/
|
||||
public function workspace(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Workspace::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Tenant, $this>
|
||||
*/
|
||||
public function tenant(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Tenant::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Finding, $this>
|
||||
*/
|
||||
public function finding(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Finding::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<User, $this>
|
||||
*/
|
||||
public function requester(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(User::class, 'requested_by_user_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<User, $this>
|
||||
*/
|
||||
public function owner(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(User::class, 'owner_user_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<User, $this>
|
||||
*/
|
||||
public function approver(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(User::class, 'approved_by_user_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<FindingExceptionDecision, $this>
|
||||
*/
|
||||
public function currentDecision(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(FindingExceptionDecision::class, 'current_decision_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HasMany<FindingExceptionDecision, $this>
|
||||
*/
|
||||
public function decisions(): HasMany
|
||||
{
|
||||
return $this->hasMany(FindingExceptionDecision::class)
|
||||
->orderBy('decided_at')
|
||||
->orderBy('id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HasMany<FindingExceptionEvidenceReference, $this>
|
||||
*/
|
||||
public function evidenceReferences(): HasMany
|
||||
{
|
||||
return $this->hasMany(FindingExceptionEvidenceReference::class)
|
||||
->orderBy('id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopeForFinding(Builder $query, Finding $finding): Builder
|
||||
{
|
||||
return $query->where('finding_id', (int) $finding->getKey());
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopePending(Builder $query): Builder
|
||||
{
|
||||
return $query->where('status', self::STATUS_PENDING);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopeCurrent(Builder $query): Builder
|
||||
{
|
||||
return $query->whereIn('status', [
|
||||
self::STATUS_PENDING,
|
||||
self::STATUS_ACTIVE,
|
||||
self::STATUS_EXPIRING,
|
||||
]);
|
||||
}
|
||||
|
||||
public function isPending(): bool
|
||||
{
|
||||
return (string) $this->status === self::STATUS_PENDING;
|
||||
}
|
||||
|
||||
public function isActiveLike(): bool
|
||||
{
|
||||
return in_array((string) $this->status, [
|
||||
self::STATUS_ACTIVE,
|
||||
self::STATUS_EXPIRING,
|
||||
], true);
|
||||
}
|
||||
|
||||
public function hasPriorApproval(): bool
|
||||
{
|
||||
return $this->approved_at !== null
|
||||
&& $this->effective_from !== null
|
||||
&& is_numeric($this->approved_by_user_id);
|
||||
}
|
||||
|
||||
public function hasValidGovernance(): bool
|
||||
{
|
||||
return in_array((string) $this->current_validity_state, [
|
||||
self::VALIDITY_VALID,
|
||||
self::VALIDITY_EXPIRING,
|
||||
], true);
|
||||
}
|
||||
|
||||
public function currentDecisionType(): ?string
|
||||
{
|
||||
$decision = $this->relationLoaded('currentDecision')
|
||||
? $this->currentDecision
|
||||
: $this->currentDecision()->first();
|
||||
|
||||
return $decision instanceof FindingExceptionDecision
|
||||
? (string) $decision->decision_type
|
||||
: null;
|
||||
}
|
||||
|
||||
public function isPendingRenewal(): bool
|
||||
{
|
||||
return $this->isPending()
|
||||
&& $this->hasPriorApproval()
|
||||
&& $this->currentDecisionType() === FindingExceptionDecision::TYPE_RENEWAL_REQUESTED;
|
||||
}
|
||||
|
||||
public function requiresFreshDecisionForFinding(Finding $finding): bool
|
||||
{
|
||||
return ! $finding->isRiskAccepted()
|
||||
&& ! $this->isPending()
|
||||
&& $this->hasValidGovernance();
|
||||
}
|
||||
|
||||
public function canBeRenewed(): bool
|
||||
{
|
||||
return in_array((string) $this->status, [
|
||||
self::STATUS_ACTIVE,
|
||||
self::STATUS_EXPIRING,
|
||||
self::STATUS_EXPIRED,
|
||||
], true);
|
||||
}
|
||||
|
||||
public function canBeRevoked(): bool
|
||||
{
|
||||
if ($this->isPendingRenewal()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return in_array((string) $this->status, [
|
||||
self::STATUS_ACTIVE,
|
||||
self::STATUS_EXPIRING,
|
||||
], true);
|
||||
}
|
||||
}
|
||||
71
app/Models/FindingExceptionDecision.php
Normal file
71
app/Models/FindingExceptionDecision.php
Normal file
@ -0,0 +1,71 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Models;
|
||||
|
||||
use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
use LogicException;
|
||||
|
||||
class FindingExceptionDecision extends Model
|
||||
{
|
||||
use DerivesWorkspaceIdFromTenant;
|
||||
use HasFactory;
|
||||
|
||||
public const string TYPE_REQUESTED = 'requested';
|
||||
|
||||
public const string TYPE_APPROVED = 'approved';
|
||||
|
||||
public const string TYPE_REJECTED = 'rejected';
|
||||
|
||||
public const string TYPE_RENEWAL_REQUESTED = 'renewal_requested';
|
||||
|
||||
public const string TYPE_RENEWED = 'renewed';
|
||||
|
||||
public const string TYPE_REVOKED = 'revoked';
|
||||
|
||||
protected $guarded = [];
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
protected function casts(): array
|
||||
{
|
||||
return [
|
||||
'effective_from' => 'datetime',
|
||||
'expires_at' => 'datetime',
|
||||
'metadata' => 'array',
|
||||
'decided_at' => 'datetime',
|
||||
];
|
||||
}
|
||||
|
||||
protected static function booted(): void
|
||||
{
|
||||
static::updating(static function (): void {
|
||||
throw new LogicException('Finding exception decisions are append-only.');
|
||||
});
|
||||
|
||||
static::deleting(static function (): void {
|
||||
throw new LogicException('Finding exception decisions are append-only.');
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<FindingException, $this>
|
||||
*/
|
||||
public function exception(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(FindingException::class, 'finding_exception_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<User, $this>
|
||||
*/
|
||||
public function actor(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(User::class, 'actor_user_id');
|
||||
}
|
||||
}
|
||||
45
app/Models/FindingExceptionEvidenceReference.php
Normal file
45
app/Models/FindingExceptionEvidenceReference.php
Normal file
@ -0,0 +1,45 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Models;
|
||||
|
||||
use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
|
||||
class FindingExceptionEvidenceReference extends Model
|
||||
{
|
||||
use DerivesWorkspaceIdFromTenant;
|
||||
use HasFactory;
|
||||
|
||||
protected $guarded = [];
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
protected function casts(): array
|
||||
{
|
||||
return [
|
||||
'summary_payload' => 'array',
|
||||
'measured_at' => 'datetime',
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<FindingException, $this>
|
||||
*/
|
||||
public function exception(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(FindingException::class, 'finding_exception_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Tenant, $this>
|
||||
*/
|
||||
public function tenant(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Tenant::class);
|
||||
}
|
||||
}
|
||||
@ -71,6 +71,22 @@ public function initiator(): BelongsTo
|
||||
return $this->belongsTo(User::class, 'initiated_by_user_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<EvidenceSnapshot, $this>
|
||||
*/
|
||||
public function evidenceSnapshot(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(EvidenceSnapshot::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<TenantReview, $this>
|
||||
*/
|
||||
public function tenantReview(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(TenantReview::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
|
||||
@ -261,6 +261,21 @@ public function auditLogs(): HasMany
|
||||
return $this->hasMany(AuditLog::class);
|
||||
}
|
||||
|
||||
public function findingExceptions(): HasMany
|
||||
{
|
||||
return $this->hasMany(FindingException::class);
|
||||
}
|
||||
|
||||
public function evidenceSnapshots(): HasMany
|
||||
{
|
||||
return $this->hasMany(EvidenceSnapshot::class);
|
||||
}
|
||||
|
||||
public function tenantReviews(): HasMany
|
||||
{
|
||||
return $this->hasMany(TenantReview::class);
|
||||
}
|
||||
|
||||
public function settings(): HasMany
|
||||
{
|
||||
return $this->hasMany(TenantSetting::class);
|
||||
|
||||
195
app/Models/TenantReview.php
Normal file
195
app/Models/TenantReview.php
Normal file
@ -0,0 +1,195 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Models;
|
||||
|
||||
use App\Support\Concerns\DerivesWorkspaceIdFromTenant;
|
||||
use App\Support\TenantReviewCompletenessState;
|
||||
use App\Support\TenantReviewStatus;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
use Illuminate\Database\Eloquent\Relations\HasMany;
|
||||
|
||||
class TenantReview extends Model
|
||||
{
|
||||
use DerivesWorkspaceIdFromTenant;
|
||||
use HasFactory;
|
||||
|
||||
protected $guarded = [];
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
protected function casts(): array
|
||||
{
|
||||
return [
|
||||
'summary' => 'array',
|
||||
'generated_at' => 'datetime',
|
||||
'published_at' => 'datetime',
|
||||
'archived_at' => 'datetime',
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Workspace, $this>
|
||||
*/
|
||||
public function workspace(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Workspace::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Tenant, $this>
|
||||
*/
|
||||
public function tenant(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Tenant::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<EvidenceSnapshot, $this>
|
||||
*/
|
||||
public function evidenceSnapshot(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(EvidenceSnapshot::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<OperationRun, $this>
|
||||
*/
|
||||
public function operationRun(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(OperationRun::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<User, $this>
|
||||
*/
|
||||
public function initiator(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(User::class, 'initiated_by_user_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<User, $this>
|
||||
*/
|
||||
public function publisher(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(User::class, 'published_by_user_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<ReviewPack, $this>
|
||||
*/
|
||||
public function currentExportReviewPack(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(ReviewPack::class, 'current_export_review_pack_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<self, $this>
|
||||
*/
|
||||
public function supersededByReview(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(self::class, 'superseded_by_review_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HasMany<self, $this>
|
||||
*/
|
||||
public function supersededReviews(): HasMany
|
||||
{
|
||||
return $this->hasMany(self::class, 'superseded_by_review_id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HasMany<TenantReviewSection, $this>
|
||||
*/
|
||||
public function sections(): HasMany
|
||||
{
|
||||
return $this->hasMany(TenantReviewSection::class)->orderBy('sort_order')->orderBy('id');
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HasMany<ReviewPack, $this>
|
||||
*/
|
||||
public function reviewPacks(): HasMany
|
||||
{
|
||||
return $this->hasMany(ReviewPack::class)->latest('generated_at');
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopeForTenant(Builder $query, int $tenantId): Builder
|
||||
{
|
||||
return $query->where('tenant_id', $tenantId);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopeForWorkspace(Builder $query, int $workspaceId): Builder
|
||||
{
|
||||
return $query->where('workspace_id', $workspaceId);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopePublished(Builder $query): Builder
|
||||
{
|
||||
return $query->where('status', TenantReviewStatus::Published->value);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopeMutable(Builder $query): Builder
|
||||
{
|
||||
return $query->whereIn('status', [
|
||||
TenantReviewStatus::Draft->value,
|
||||
TenantReviewStatus::Ready->value,
|
||||
TenantReviewStatus::Failed->value,
|
||||
]);
|
||||
}
|
||||
|
||||
public function statusEnum(): TenantReviewStatus
|
||||
{
|
||||
return TenantReviewStatus::from((string) $this->status);
|
||||
}
|
||||
|
||||
public function completenessEnum(): TenantReviewCompletenessState
|
||||
{
|
||||
return TenantReviewCompletenessState::tryFrom((string) $this->completeness_state)
|
||||
?? TenantReviewCompletenessState::Missing;
|
||||
}
|
||||
|
||||
public function isPublished(): bool
|
||||
{
|
||||
return $this->statusEnum()->isPublished();
|
||||
}
|
||||
|
||||
public function isMutable(): bool
|
||||
{
|
||||
return $this->statusEnum()->isMutable();
|
||||
}
|
||||
|
||||
/**
|
||||
* @return list<string>
|
||||
*/
|
||||
public function publishBlockers(): array
|
||||
{
|
||||
$summary = is_array($this->summary) ? $this->summary : [];
|
||||
$blockers = $summary['publish_blockers'] ?? [];
|
||||
|
||||
return is_array($blockers) ? array_values(array_map('strval', $blockers)) : [];
|
||||
}
|
||||
}
|
||||
70
app/Models/TenantReviewSection.php
Normal file
70
app/Models/TenantReviewSection.php
Normal file
@ -0,0 +1,70 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Models;
|
||||
|
||||
use App\Support\TenantReviewCompletenessState;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
||||
|
||||
class TenantReviewSection extends Model
|
||||
{
|
||||
use HasFactory;
|
||||
|
||||
protected $guarded = [];
|
||||
|
||||
/**
|
||||
* @return array<string, string>
|
||||
*/
|
||||
protected function casts(): array
|
||||
{
|
||||
return [
|
||||
'required' => 'boolean',
|
||||
'summary_payload' => 'array',
|
||||
'render_payload' => 'array',
|
||||
'measured_at' => 'datetime',
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<TenantReview, $this>
|
||||
*/
|
||||
public function tenantReview(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(TenantReview::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Workspace, $this>
|
||||
*/
|
||||
public function workspace(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Workspace::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return BelongsTo<Tenant, $this>
|
||||
*/
|
||||
public function tenant(): BelongsTo
|
||||
{
|
||||
return $this->belongsTo(Tenant::class);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Builder<self> $query
|
||||
* @return Builder<self>
|
||||
*/
|
||||
public function scopeRequired(Builder $query): Builder
|
||||
{
|
||||
return $query->where('required', true);
|
||||
}
|
||||
|
||||
public function completenessEnum(): TenantReviewCompletenessState
|
||||
{
|
||||
return TenantReviewCompletenessState::tryFrom((string) $this->completeness_state)
|
||||
?? TenantReviewCompletenessState::Missing;
|
||||
}
|
||||
}
|
||||
@ -171,9 +171,16 @@ public function getDefaultTenant(Panel $panel): ?Model
|
||||
return null;
|
||||
}
|
||||
|
||||
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId();
|
||||
$workspaceContext = app(WorkspaceContext::class);
|
||||
$workspaceId = $workspaceContext->currentWorkspaceId();
|
||||
$operability = app(TenantOperabilityService::class);
|
||||
|
||||
$rememberedTenant = $workspaceContext->rememberedTenant(request());
|
||||
|
||||
if ($rememberedTenant instanceof Tenant && $this->canAccessTenant($rememberedTenant)) {
|
||||
return $rememberedTenant;
|
||||
}
|
||||
|
||||
$tenantId = null;
|
||||
|
||||
if ($this->tenantPreferencesTableExists()) {
|
||||
|
||||
@ -5,6 +5,7 @@
|
||||
use App\Models\OperationRun;
|
||||
use App\Models\PlatformUser;
|
||||
use App\Models\Tenant;
|
||||
use App\Support\OperationRunLinks;
|
||||
use App\Support\OpsUx\OperationUxPresenter;
|
||||
use App\Support\System\SystemOperationRunLinks;
|
||||
use Illuminate\Bus\Queueable;
|
||||
@ -26,19 +27,22 @@ public function via(object $notifiable): array
|
||||
public function toDatabase(object $notifiable): array
|
||||
{
|
||||
$tenant = $this->run->tenant;
|
||||
$runUrl = match (true) {
|
||||
$notifiable instanceof PlatformUser => SystemOperationRunLinks::view($this->run),
|
||||
$tenant instanceof Tenant => OperationRunLinks::view($this->run, $tenant),
|
||||
default => OperationRunLinks::tenantlessView($this->run),
|
||||
};
|
||||
|
||||
$notification = OperationUxPresenter::terminalDatabaseNotification(
|
||||
run: $this->run,
|
||||
tenant: $tenant instanceof Tenant ? $tenant : null,
|
||||
);
|
||||
|
||||
if ($notifiable instanceof PlatformUser) {
|
||||
$notification->actions([
|
||||
\Filament\Actions\Action::make('view_run')
|
||||
->label('View run')
|
||||
->url(SystemOperationRunLinks::view($this->run)),
|
||||
]);
|
||||
}
|
||||
$notification->actions([
|
||||
\Filament\Actions\Action::make('view_run')
|
||||
->label('View run')
|
||||
->url($runUrl),
|
||||
]);
|
||||
|
||||
return $notification->getDatabaseMessage();
|
||||
}
|
||||
|
||||
@ -6,7 +6,10 @@
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\OperateHub\OperateHubShell;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Auth\Access\HandlesAuthorization;
|
||||
use Illuminate\Auth\Access\Response;
|
||||
use Illuminate\Support\Facades\Gate;
|
||||
|
||||
class BackupSchedulePolicy
|
||||
@ -15,7 +18,7 @@ class BackupSchedulePolicy
|
||||
|
||||
protected function isTenantMember(User $user, ?Tenant $tenant = null): bool
|
||||
{
|
||||
$tenant ??= Tenant::current();
|
||||
$tenant ??= $this->resolvedTenant();
|
||||
|
||||
return $tenant instanceof Tenant
|
||||
&& Gate::forUser($user)->allows(Capabilities::TENANT_VIEW, $tenant);
|
||||
@ -26,58 +29,74 @@ public function viewAny(User $user): bool
|
||||
return $this->isTenantMember($user);
|
||||
}
|
||||
|
||||
public function view(User $user, BackupSchedule $schedule): bool
|
||||
public function view(User $user, BackupSchedule $schedule): Response|bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
$tenant = $this->resolvedTenant();
|
||||
|
||||
if (! $this->isTenantMember($user, $tenant)) {
|
||||
return false;
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
return (int) $schedule->tenant_id === (int) $tenant->getKey();
|
||||
return (int) $schedule->tenant_id === (int) $tenant->getKey()
|
||||
? true
|
||||
: Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
public function create(User $user): bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
$tenant = $this->resolvedTenant();
|
||||
|
||||
return $tenant instanceof Tenant
|
||||
&& Gate::forUser($user)->allows(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE, $tenant);
|
||||
}
|
||||
|
||||
public function update(User $user, BackupSchedule $schedule): bool
|
||||
public function update(User $user, BackupSchedule $schedule): Response|bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
|
||||
return $tenant instanceof Tenant
|
||||
&& (int) $schedule->tenant_id === (int) $tenant->getKey()
|
||||
&& Gate::forUser($user)->allows(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE, $tenant);
|
||||
return $this->authorizeScheduleAction($user, $schedule, Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE);
|
||||
}
|
||||
|
||||
public function delete(User $user, BackupSchedule $schedule): bool
|
||||
public function delete(User $user, BackupSchedule $schedule): Response|bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
|
||||
return $tenant instanceof Tenant
|
||||
&& (int) $schedule->tenant_id === (int) $tenant->getKey()
|
||||
&& Gate::forUser($user)->allows(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE, $tenant);
|
||||
return $this->authorizeScheduleAction($user, $schedule, Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE);
|
||||
}
|
||||
|
||||
public function restore(User $user, BackupSchedule $schedule): bool
|
||||
public function restore(User $user, BackupSchedule $schedule): Response|bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
|
||||
return $tenant instanceof Tenant
|
||||
&& (int) $schedule->tenant_id === (int) $tenant->getKey()
|
||||
&& Gate::forUser($user)->allows(Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE, $tenant);
|
||||
return $this->authorizeScheduleAction($user, $schedule, Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE);
|
||||
}
|
||||
|
||||
public function forceDelete(User $user, BackupSchedule $schedule): bool
|
||||
public function forceDelete(User $user, BackupSchedule $schedule): Response|bool
|
||||
{
|
||||
return $this->authorizeScheduleAction($user, $schedule, Capabilities::TENANT_DELETE);
|
||||
}
|
||||
|
||||
protected function authorizeScheduleAction(User $user, BackupSchedule $schedule, string $capability): Response|bool
|
||||
{
|
||||
$tenant = $this->resolvedTenant();
|
||||
|
||||
if (! $this->isTenantMember($user, $tenant)) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
if (! $tenant instanceof Tenant || (int) $schedule->tenant_id !== (int) $tenant->getKey()) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
return Gate::forUser($user)->allows($capability, $tenant)
|
||||
? true
|
||||
: Response::deny();
|
||||
}
|
||||
|
||||
protected function resolvedTenant(): ?Tenant
|
||||
{
|
||||
if (Filament::getCurrentPanel()?->getId() === 'admin') {
|
||||
$tenant = app(OperateHubShell::class)->tenantOwnedPanelContext(request());
|
||||
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
|
||||
$tenant = Tenant::current();
|
||||
|
||||
return $tenant instanceof Tenant
|
||||
&& (int) $schedule->tenant_id === (int) $tenant->getKey()
|
||||
&& Gate::forUser($user)->allows(Capabilities::TENANT_DELETE, $tenant);
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
}
|
||||
|
||||
@ -8,6 +8,7 @@
|
||||
use App\Support\OperateHub\OperateHubShell;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Auth\Access\HandlesAuthorization;
|
||||
use Illuminate\Auth\Access\Response;
|
||||
|
||||
class EntraGroupPolicy
|
||||
{
|
||||
@ -24,25 +25,29 @@ public function viewAny(User $user): bool
|
||||
return $user->canAccessTenant($tenant);
|
||||
}
|
||||
|
||||
public function view(User $user, EntraGroup $group): bool
|
||||
public function view(User $user, EntraGroup $group): Response|bool
|
||||
{
|
||||
$tenant = $this->resolvedTenant();
|
||||
|
||||
if (! $tenant) {
|
||||
return false;
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
return (int) $group->tenant_id === (int) $tenant->getKey();
|
||||
if ((int) $group->tenant_id !== (int) $tenant->getKey()) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
private function resolvedTenant(): ?Tenant
|
||||
{
|
||||
if (Filament::getCurrentPanel()?->getId() === 'admin') {
|
||||
$tenant = app(OperateHubShell::class)->activeEntitledTenant(request());
|
||||
$tenant = app(OperateHubShell::class)->tenantOwnedPanelContext(request());
|
||||
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
|
||||
69
app/Policies/EvidenceSnapshotPolicy.php
Normal file
69
app/Policies/EvidenceSnapshotPolicy.php
Normal file
@ -0,0 +1,69 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Policies;
|
||||
|
||||
use App\Models\EvidenceSnapshot;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Services\Auth\CapabilityResolver;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use Illuminate\Auth\Access\HandlesAuthorization;
|
||||
|
||||
class EvidenceSnapshotPolicy
|
||||
{
|
||||
use HandlesAuthorization;
|
||||
|
||||
public function viewAny(User $user): bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::EVIDENCE_VIEW);
|
||||
}
|
||||
|
||||
public function view(User $user, EvidenceSnapshot $snapshot): bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ((int) $snapshot->tenant_id !== (int) $tenant->getKey()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::EVIDENCE_VIEW);
|
||||
}
|
||||
|
||||
public function create(User $user): bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::EVIDENCE_MANAGE);
|
||||
}
|
||||
|
||||
public function delete(User $user, EvidenceSnapshot $snapshot): bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ((int) $snapshot->tenant_id !== (int) $tenant->getKey()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::EVIDENCE_MANAGE);
|
||||
}
|
||||
}
|
||||
138
app/Policies/FindingExceptionPolicy.php
Normal file
138
app/Policies/FindingExceptionPolicy.php
Normal file
@ -0,0 +1,138 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Policies;
|
||||
|
||||
use App\Models\FindingException;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Services\Auth\CapabilityResolver;
|
||||
use App\Services\Auth\WorkspaceCapabilityResolver;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Auth\Access\HandlesAuthorization;
|
||||
use Illuminate\Auth\Access\Response;
|
||||
|
||||
class FindingExceptionPolicy
|
||||
{
|
||||
use HandlesAuthorization;
|
||||
|
||||
public function viewAny(User $user): bool
|
||||
{
|
||||
$tenant = $this->resolvedTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::FINDING_EXCEPTION_VIEW);
|
||||
}
|
||||
|
||||
public function view(User $user, FindingException $exception): Response|bool
|
||||
{
|
||||
$tenant = $this->authorizedTenantOrNull($user, $exception);
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::FINDING_EXCEPTION_VIEW);
|
||||
}
|
||||
|
||||
public function approve(User $user, FindingException $exception): Response|bool
|
||||
{
|
||||
return $this->authorizeCanonicalApproval($user, $exception);
|
||||
}
|
||||
|
||||
public function reject(User $user, FindingException $exception): Response|bool
|
||||
{
|
||||
return $this->authorizeCanonicalApproval($user, $exception);
|
||||
}
|
||||
|
||||
private function authorizeCanonicalApproval(User $user, FindingException $exception): Response|bool
|
||||
{
|
||||
$tenant = $exception->tenant;
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user->canAccessTenant($tenant)) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
|
||||
|
||||
if (! is_int($workspaceId) || $workspaceId !== (int) $exception->workspace_id) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
$workspace = $tenant->workspace;
|
||||
|
||||
if (! $workspace instanceof Workspace) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
/** @var WorkspaceCapabilityResolver $resolver */
|
||||
$resolver = app(WorkspaceCapabilityResolver::class);
|
||||
|
||||
if (! $resolver->isMember($user, $workspace)) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
return $resolver->can($user, $workspace, Capabilities::FINDING_EXCEPTION_APPROVE)
|
||||
? true
|
||||
: Response::deny();
|
||||
}
|
||||
|
||||
private function authorizedTenantOrNull(User $user, FindingException $exception): ?Tenant
|
||||
{
|
||||
$tenant = $this->resolvedTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ((int) $exception->tenant_id !== (int) $tenant->getKey()) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ((int) $exception->workspace_id !== (int) $tenant->workspace_id) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $tenant;
|
||||
}
|
||||
|
||||
private function resolvedTenant(): ?Tenant
|
||||
{
|
||||
if (Filament::getCurrentPanel()?->getId() === 'admin') {
|
||||
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
|
||||
|
||||
if (! is_int($workspaceId)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$tenantId = app(WorkspaceContext::class)->lastTenantId(request());
|
||||
|
||||
if (! is_int($tenantId)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$tenant = Tenant::query()->whereKey($tenantId)->first();
|
||||
|
||||
return $tenant instanceof Tenant && (int) $tenant->workspace_id === $workspaceId ? $tenant : null;
|
||||
}
|
||||
|
||||
$tenant = Tenant::current();
|
||||
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
}
|
||||
@ -7,7 +7,10 @@
|
||||
use App\Models\User;
|
||||
use App\Services\Auth\CapabilityResolver;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\OperateHub\OperateHubShell;
|
||||
use Filament\Facades\Filament;
|
||||
use Illuminate\Auth\Access\HandlesAuthorization;
|
||||
use Illuminate\Auth\Access\Response;
|
||||
|
||||
class FindingPolicy
|
||||
{
|
||||
@ -15,7 +18,7 @@ class FindingPolicy
|
||||
|
||||
public function viewAny(User $user): bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
$tenant = $this->resolvedTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return false;
|
||||
@ -28,31 +31,23 @@ public function viewAny(User $user): bool
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW);
|
||||
}
|
||||
|
||||
public function view(User $user, Finding $finding): bool
|
||||
public function view(User $user, Finding $finding): Response|bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
$tenant = $this->authorizedTenantOrNull($user, $finding);
|
||||
|
||||
if (! $tenant) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ((int) $finding->tenant_id !== (int) $tenant->getKey()) {
|
||||
return false;
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_FINDINGS_VIEW);
|
||||
}
|
||||
|
||||
public function update(User $user, Finding $finding): bool
|
||||
public function update(User $user, Finding $finding): Response|bool
|
||||
{
|
||||
return $this->triage($user, $finding);
|
||||
}
|
||||
|
||||
public function triage(User $user, Finding $finding): bool
|
||||
public function triage(User $user, Finding $finding): Response|bool
|
||||
{
|
||||
return $this->canMutateWithAnyCapability($user, $finding, [
|
||||
Capabilities::TENANT_FINDINGS_TRIAGE,
|
||||
@ -60,32 +55,32 @@ public function triage(User $user, Finding $finding): bool
|
||||
]);
|
||||
}
|
||||
|
||||
public function assign(User $user, Finding $finding): bool
|
||||
public function assign(User $user, Finding $finding): Response|bool
|
||||
{
|
||||
return $this->canMutateWithCapability($user, $finding, Capabilities::TENANT_FINDINGS_ASSIGN);
|
||||
}
|
||||
|
||||
public function resolve(User $user, Finding $finding): bool
|
||||
public function resolve(User $user, Finding $finding): Response|bool
|
||||
{
|
||||
return $this->canMutateWithCapability($user, $finding, Capabilities::TENANT_FINDINGS_RESOLVE);
|
||||
}
|
||||
|
||||
public function close(User $user, Finding $finding): bool
|
||||
public function close(User $user, Finding $finding): Response|bool
|
||||
{
|
||||
return $this->canMutateWithCapability($user, $finding, Capabilities::TENANT_FINDINGS_CLOSE);
|
||||
}
|
||||
|
||||
public function riskAccept(User $user, Finding $finding): bool
|
||||
public function riskAccept(User $user, Finding $finding): Response|bool
|
||||
{
|
||||
return $this->canMutateWithCapability($user, $finding, Capabilities::TENANT_FINDINGS_RISK_ACCEPT);
|
||||
}
|
||||
|
||||
public function reopen(User $user, Finding $finding): bool
|
||||
public function reopen(User $user, Finding $finding): Response|bool
|
||||
{
|
||||
return $this->triage($user, $finding);
|
||||
}
|
||||
|
||||
private function canMutateWithCapability(User $user, Finding $finding, string $capability): bool
|
||||
private function canMutateWithCapability(User $user, Finding $finding, string $capability): Response|bool
|
||||
{
|
||||
return $this->canMutateWithAnyCapability($user, $finding, [$capability]);
|
||||
}
|
||||
@ -93,20 +88,12 @@ private function canMutateWithCapability(User $user, Finding $finding, string $c
|
||||
/**
|
||||
* @param array<int, string> $capabilities
|
||||
*/
|
||||
private function canMutateWithAnyCapability(User $user, Finding $finding, array $capabilities): bool
|
||||
private function canMutateWithAnyCapability(User $user, Finding $finding, array $capabilities): Response|bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
$tenant = $this->authorizedTenantOrNull($user, $finding);
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ((int) $finding->tenant_id !== (int) $tenant->getKey()) {
|
||||
return false;
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
/** @var CapabilityResolver $resolver */
|
||||
@ -118,6 +105,42 @@ private function canMutateWithAnyCapability(User $user, Finding $finding, array
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
return Response::deny();
|
||||
}
|
||||
|
||||
private function authorizedTenantOrNull(User $user, Finding $finding): ?Tenant
|
||||
{
|
||||
$tenant = $this->resolvedTenant();
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ((int) $finding->tenant_id !== (int) $tenant->getKey()) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ((int) $finding->workspace_id !== (int) $tenant->workspace_id) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $tenant;
|
||||
}
|
||||
|
||||
private function resolvedTenant(): ?Tenant
|
||||
{
|
||||
if (Filament::getCurrentPanel()?->getId() === 'admin') {
|
||||
$tenant = app(OperateHubShell::class)->tenantOwnedPanelContext(request());
|
||||
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
|
||||
$tenant = Tenant::current();
|
||||
|
||||
return $tenant instanceof Tenant ? $tenant : null;
|
||||
}
|
||||
}
|
||||
|
||||
@ -9,7 +9,10 @@
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Services\Auth\WorkspaceCapabilityResolver;
|
||||
use App\Services\Tenants\TenantOperabilityService;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use App\Support\Tenants\TenantInteractionLane;
|
||||
use App\Support\Tenants\TenantOperabilityQuestion;
|
||||
use App\Support\Workspaces\WorkspaceContext;
|
||||
use Illuminate\Auth\Access\Response;
|
||||
use Illuminate\Support\Facades\Gate;
|
||||
@ -95,8 +98,18 @@ private function authorizeForDraft(
|
||||
|
||||
$tenant = $tenantOnboardingSession->tenant;
|
||||
|
||||
if ($tenant instanceof Tenant && ! $user->canAccessTenant($tenant)) {
|
||||
return Response::denyAsNotFound();
|
||||
if ($tenant instanceof Tenant) {
|
||||
$viewability = app(TenantOperabilityService::class)->outcomeFor(
|
||||
tenant: $tenant,
|
||||
question: TenantOperabilityQuestion::TenantBoundViewability,
|
||||
actor: $user,
|
||||
workspaceId: (int) $workspace->getKey(),
|
||||
lane: TenantInteractionLane::AdministrativeManagement,
|
||||
);
|
||||
|
||||
if (! $viewability->allowed) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
}
|
||||
|
||||
return $this->authorizeForWorkspace($user, $workspace, $capability);
|
||||
|
||||
110
app/Policies/TenantReviewPolicy.php
Normal file
110
app/Policies/TenantReviewPolicy.php
Normal file
@ -0,0 +1,110 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace App\Policies;
|
||||
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantReview;
|
||||
use App\Models\User;
|
||||
use App\Services\Auth\CapabilityResolver;
|
||||
use App\Support\Auth\Capabilities;
|
||||
use Illuminate\Auth\Access\HandlesAuthorization;
|
||||
use Illuminate\Auth\Access\Response;
|
||||
|
||||
class TenantReviewPolicy
|
||||
{
|
||||
use HandlesAuthorization;
|
||||
|
||||
public function viewAny(User $user): bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_REVIEW_VIEW);
|
||||
}
|
||||
|
||||
public function view(User $user, TenantReview $review): Response|bool
|
||||
{
|
||||
$tenant = $this->authorizedTenantOrNull($user, $review);
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_REVIEW_VIEW)
|
||||
? true
|
||||
: Response::deny();
|
||||
}
|
||||
|
||||
public function create(User $user): bool
|
||||
{
|
||||
$tenant = Tenant::current();
|
||||
|
||||
if (! $tenant instanceof Tenant || ! $user->canAccessTenant($tenant)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_REVIEW_MANAGE);
|
||||
}
|
||||
|
||||
public function refresh(User $user, TenantReview $review): Response|bool
|
||||
{
|
||||
return $this->authorizeManageAction($user, $review);
|
||||
}
|
||||
|
||||
public function publish(User $user, TenantReview $review): Response|bool
|
||||
{
|
||||
return $this->authorizeManageAction($user, $review);
|
||||
}
|
||||
|
||||
public function archive(User $user, TenantReview $review): Response|bool
|
||||
{
|
||||
return $this->authorizeManageAction($user, $review);
|
||||
}
|
||||
|
||||
public function export(User $user, TenantReview $review): Response|bool
|
||||
{
|
||||
return $this->authorizeManageAction($user, $review);
|
||||
}
|
||||
|
||||
public function createNextReview(User $user, TenantReview $review): Response|bool
|
||||
{
|
||||
return $this->authorizeManageAction($user, $review);
|
||||
}
|
||||
|
||||
private function authorizeManageAction(User $user, TenantReview $review): Response|bool
|
||||
{
|
||||
$tenant = $this->authorizedTenantOrNull($user, $review);
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return Response::denyAsNotFound();
|
||||
}
|
||||
|
||||
return app(CapabilityResolver::class)->can($user, $tenant, Capabilities::TENANT_REVIEW_MANAGE)
|
||||
? true
|
||||
: Response::deny();
|
||||
}
|
||||
|
||||
private function authorizedTenantOrNull(User $user, TenantReview $review): ?Tenant
|
||||
{
|
||||
$tenant = $review->tenant;
|
||||
|
||||
if (! $tenant instanceof Tenant) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if (! $user->canAccessTenant($tenant)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
if ((int) $review->workspace_id !== (int) $tenant->workspace_id) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $tenant;
|
||||
}
|
||||
}
|
||||
@ -39,6 +39,7 @@
|
||||
use App\Services\Intune\WindowsFeatureUpdateProfileNormalizer;
|
||||
use App\Services\Intune\WindowsQualityUpdateProfileNormalizer;
|
||||
use App\Services\Intune\WindowsUpdateRingNormalizer;
|
||||
use App\Services\Operations\QueuedExecutionLegitimacyGate;
|
||||
use App\Services\PermissionPosture\FindingGeneratorContract;
|
||||
use App\Services\PermissionPosture\PermissionPostureFindingGenerator;
|
||||
use App\Services\Providers\MicrosoftGraphOptionsResolver;
|
||||
@ -122,6 +123,7 @@ public function register(): void
|
||||
$this->app->singleton(EntraGroupReferenceResolver::class);
|
||||
$this->app->singleton(EntraRoleDefinitionReferenceResolver::class);
|
||||
$this->app->singleton(PrincipalReferenceResolver::class);
|
||||
$this->app->singleton(QueuedExecutionLegitimacyGate::class);
|
||||
$this->app->singleton(ReferenceResolverRegistry::class, function ($app): ReferenceResolverRegistry {
|
||||
/** @var array<int, ReferenceResolver> $resolvers */
|
||||
$resolvers = [
|
||||
|
||||
@ -9,6 +9,7 @@
|
||||
use App\Models\ProviderConnection;
|
||||
use App\Models\Tenant;
|
||||
use App\Models\TenantOnboardingSession;
|
||||
use App\Models\TenantReview;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Models\WorkspaceSetting;
|
||||
@ -17,6 +18,7 @@
|
||||
use App\Policies\AlertRulePolicy;
|
||||
use App\Policies\ProviderConnectionPolicy;
|
||||
use App\Policies\TenantOnboardingSessionPolicy;
|
||||
use App\Policies\TenantReviewPolicy;
|
||||
use App\Policies\WorkspaceSettingPolicy;
|
||||
use App\Services\Auth\CapabilityResolver;
|
||||
use App\Services\Auth\WorkspaceCapabilityResolver;
|
||||
@ -30,6 +32,7 @@ class AuthServiceProvider extends ServiceProvider
|
||||
protected $policies = [
|
||||
ProviderConnection::class => ProviderConnectionPolicy::class,
|
||||
TenantOnboardingSession::class => TenantOnboardingSessionPolicy::class,
|
||||
TenantReview::class => TenantReviewPolicy::class,
|
||||
WorkspaceSetting::class => WorkspaceSettingPolicy::class,
|
||||
AlertDestination::class => AlertDestinationPolicy::class,
|
||||
AlertDelivery::class => AlertDeliveryPolicy::class,
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user