$displayName, 'description' => $description, 'isBuiltIn' => $isBuiltIn, 'rolePermissions' => [ [ 'resourceActions' => [ array_filter([ 'allowedResourceActions' => $allowedActions, 'notAllowedResourceActions' => $deniedActions, 'condition' => $condition, ], static fn (mixed $value): bool => $value !== null), ], ], ], 'roleScopeTagIds' => ['0'], ]; } function rbacContractPolicy( \App\Models\Tenant $tenant, string $externalId, string $displayName, ): Policy { return Policy::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'external_id' => $externalId, 'policy_type' => 'intuneRoleDefinition', 'platform' => 'all', 'display_name' => $displayName, ]); } function rbacContractVersion( Policy $policy, CarbonImmutable $capturedAt, int $versionNumber, array $snapshot, ): PolicyVersion { return PolicyVersion::factory()->create([ 'tenant_id' => (int) $policy->tenant_id, 'policy_id' => (int) $policy->getKey(), 'policy_type' => 'intuneRoleDefinition', 'platform' => 'all', 'version_number' => $versionNumber, 'captured_at' => $capturedAt, 'snapshot' => $snapshot, 'assignments' => [], 'scope_tags' => [], ]); } function rbacContractBaselineItem( BaselineSnapshot $snapshot, PolicyVersion $version, string $externalId, string $displayName, bool $isBuiltIn, int $rolePermissionCount = 1, ): BaselineSnapshotItem { $subjectKey = BaselineSubjectKey::forPolicy('intuneRoleDefinition', $displayName, $externalId); $workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalIdForPolicy('intuneRoleDefinition', $displayName, $externalId); expect($subjectKey)->not->toBeNull(); expect($workspaceSafeExternalId)->not->toBeNull(); $hash = app(ContentEvidenceProvider::class)->fromPolicyVersion( version: $version, subjectExternalId: (string) $workspaceSafeExternalId, )->hash; return BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'subject_type' => 'policy', 'subject_external_id' => (string) $workspaceSafeExternalId, 'subject_key' => (string) $subjectKey, 'policy_type' => 'intuneRoleDefinition', 'baseline_hash' => $hash, 'meta_jsonb' => [ 'display_name' => $displayName, 'evidence' => [ 'fidelity' => 'content', 'source' => 'policy_version', 'observed_at' => $version->captured_at?->toIso8601String(), ], 'identity' => [ 'strategy' => 'external_id', 'subject_key' => (string) $subjectKey, 'workspace_subject_external_id' => (string) $workspaceSafeExternalId, ], 'version_reference' => [ 'policy_version_id' => (int) $version->getKey(), 'capture_purpose' => 'baseline_capture', ], 'rbac' => [ 'is_built_in' => $isBuiltIn, 'role_permission_count' => $rolePermissionCount, ], ], ]); } function rbacContractInventoryItem( \App\Models\Tenant $tenant, int $inventorySyncRunId, string $externalId, string $displayName, bool $isBuiltIn, int $rolePermissionCount = 1, ): InventoryItem { return InventoryItem::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'workspace_id' => (int) $tenant->workspace_id, 'external_id' => $externalId, 'policy_type' => 'intuneRoleDefinition', 'display_name' => $displayName, 'category' => 'RBAC', 'platform' => 'all', 'meta_jsonb' => [ 'odata_type' => '#microsoft.graph.deviceAndAppManagementRoleDefinition', 'is_built_in' => $isBuiltIn, 'role_permission_count' => $rolePermissionCount, ], 'last_seen_operation_run_id' => $inventorySyncRunId, 'last_seen_at' => now(), ]); } function rbacContractRun( \App\Models\Tenant $tenant, \App\Models\User $user, BaselineProfile $profile, BaselineSnapshot $snapshot, ): \App\Models\OperationRun { return app(OperationRunService::class)->ensureRunWithIdentity( tenant: $tenant, type: OperationRunType::BaselineCompare->value, identityInputs: ['baseline_profile_id' => (int) $profile->getKey()], context: [ 'baseline_profile_id' => (int) $profile->getKey(), 'baseline_snapshot_id' => (int) $snapshot->getKey(), 'effective_scope' => [ 'policy_types' => [], 'foundation_types' => ['intuneRoleDefinition'], ], ], initiator: $user, ); } it('writes RBAC evidence for modified role definition drift with readable normalized before and after content', function (): void { [$user, $tenant] = createUserWithTenant(role: 'owner'); $profile = BaselineProfile::factory()->active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'scope_jsonb' => [ 'policy_types' => [], 'foundation_types' => ['intuneRoleDefinition'], ], ]); $capturedAt = CarbonImmutable::parse('2026-03-08T10:00:00Z'); $snapshot = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => $capturedAt, ]); $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]); $inventorySyncRun = createInventorySyncOperationRunWithCoverage( tenant: $tenant, statusByType: ['intuneRoleDefinition' => 'succeeded'], foundationTypes: ['intuneRoleDefinition'], ); $policy = rbacContractPolicy($tenant, 'rbac-modified-role', 'Security Reader'); $baselineVersion = rbacContractVersion( policy: $policy, capturedAt: $capturedAt, versionNumber: 1, snapshot: rbacContractSnapshot( displayName: 'Security Reader', description: 'Baseline role description', isBuiltIn: false, allowedActions: ['microsoft.intune/devices/read'], ), ); $currentVersion = rbacContractVersion( policy: $policy, capturedAt: $capturedAt->addMinutes(10), versionNumber: 2, snapshot: rbacContractSnapshot( displayName: 'Security Reader', description: 'Updated role description', isBuiltIn: false, allowedActions: ['microsoft.intune/devices/read'], ), ); rbacContractBaselineItem( snapshot: $snapshot, version: $baselineVersion, externalId: 'rbac-modified-role', displayName: 'Security Reader', isBuiltIn: false, ); rbacContractInventoryItem( tenant: $tenant, inventorySyncRunId: (int) $inventorySyncRun->getKey(), externalId: 'rbac-modified-role', displayName: 'Security Reader', isBuiltIn: false, ); $run = rbacContractRun($tenant, $user, $profile, $snapshot); (new CompareBaselineToTenantJob($run))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), app(OperationRunService::class), ); $finding = Finding::query() ->where('tenant_id', (int) $tenant->getKey()) ->where('source', 'baseline.compare') ->sole(); $evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : []; AssertsDriftEvidenceContract::assertValid($evidence); expect(data_get($evidence, 'summary.kind'))->toBe('rbac_role_definition') ->and(data_get($evidence, 'rbac_role_definition.diff_kind'))->toBe('metadata_only') ->and(data_get($evidence, 'rbac_role_definition.changed_keys'))->toContain('Role definition > Description') ->and(data_get($evidence, 'rbac_role_definition.baseline.is_built_in'))->toBeFalse() ->and(data_get($evidence, 'rbac_role_definition.current.is_built_in'))->toBeFalse() ->and(data_get($evidence, 'rbac_role_definition.baseline.normalized.Role definition > Description'))->toBe('Baseline role description') ->and(data_get($evidence, 'rbac_role_definition.current.normalized.Role definition > Description'))->toBe('Updated role description'); }); it('writes RBAC evidence for missing role definition drift', function (): void { [$user, $tenant] = createUserWithTenant(role: 'owner'); $profile = BaselineProfile::factory()->active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'scope_jsonb' => [ 'policy_types' => [], 'foundation_types' => ['intuneRoleDefinition'], ], ]); $capturedAt = CarbonImmutable::parse('2026-03-08T10:00:00Z'); $snapshot = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => $capturedAt, ]); $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]); createInventorySyncOperationRunWithCoverage( tenant: $tenant, statusByType: ['intuneRoleDefinition' => 'succeeded'], foundationTypes: ['intuneRoleDefinition'], ); $policy = rbacContractPolicy($tenant, 'rbac-missing-role', 'Missing Role'); $baselineVersion = rbacContractVersion( policy: $policy, capturedAt: $capturedAt, versionNumber: 1, snapshot: rbacContractSnapshot( displayName: 'Missing Role', description: 'Baseline-only role', isBuiltIn: true, allowedActions: ['microsoft.intune/devices/read'], ), ); rbacContractBaselineItem( snapshot: $snapshot, version: $baselineVersion, externalId: 'rbac-missing-role', displayName: 'Missing Role', isBuiltIn: true, ); $run = rbacContractRun($tenant, $user, $profile, $snapshot); (new CompareBaselineToTenantJob($run))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), app(OperationRunService::class), ); $finding = Finding::query() ->where('tenant_id', (int) $tenant->getKey()) ->where('source', 'baseline.compare') ->sole(); $evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : []; AssertsDriftEvidenceContract::assertValid($evidence); expect(data_get($evidence, 'summary.kind'))->toBe('rbac_role_definition') ->and(data_get($evidence, 'rbac_role_definition.diff_kind'))->toBe('missing') ->and(data_get($evidence, 'rbac_role_definition.baseline.is_built_in'))->toBeTrue() ->and(data_get($evidence, 'rbac_role_definition.current.normalized'))->toBe([]) ->and(data_get($evidence, 'rbac_role_definition.baseline.normalized.Role definition > Display name'))->toBe('Missing Role'); }); it('writes RBAC evidence for unexpected role definition drift', function (): void { [$user, $tenant] = createUserWithTenant(role: 'owner'); $profile = BaselineProfile::factory()->active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'scope_jsonb' => [ 'policy_types' => [], 'foundation_types' => ['intuneRoleDefinition'], ], ]); $capturedAt = CarbonImmutable::parse('2026-03-08T10:00:00Z'); $snapshot = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => $capturedAt, ]); $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]); $inventorySyncRun = createInventorySyncOperationRunWithCoverage( tenant: $tenant, statusByType: ['intuneRoleDefinition' => 'succeeded'], foundationTypes: ['intuneRoleDefinition'], ); $policy = rbacContractPolicy($tenant, 'rbac-unexpected-role', 'Unexpected Role'); rbacContractVersion( policy: $policy, capturedAt: $capturedAt->addMinutes(10), versionNumber: 1, snapshot: rbacContractSnapshot( displayName: 'Unexpected Role', description: 'Tenant-only role', isBuiltIn: false, allowedActions: ['microsoft.intune/devices/read'], deniedActions: ['microsoft.intune/devices/delete'], ), ); rbacContractInventoryItem( tenant: $tenant, inventorySyncRunId: (int) $inventorySyncRun->getKey(), externalId: 'rbac-unexpected-role', displayName: 'Unexpected Role', isBuiltIn: false, ); $run = rbacContractRun($tenant, $user, $profile, $snapshot); (new CompareBaselineToTenantJob($run))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), app(OperationRunService::class), ); $finding = Finding::query() ->where('tenant_id', (int) $tenant->getKey()) ->where('source', 'baseline.compare') ->sole(); $evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : []; AssertsDriftEvidenceContract::assertValid($evidence); expect(data_get($evidence, 'summary.kind'))->toBe('rbac_role_definition') ->and(data_get($evidence, 'rbac_role_definition.diff_kind'))->toBe('unexpected') ->and(data_get($evidence, 'rbac_role_definition.baseline.normalized'))->toBe([]) ->and(data_get($evidence, 'rbac_role_definition.current.is_built_in'))->toBeFalse() ->and(data_get($evidence, 'rbac_role_definition.current.normalized.Role definition > Display name'))->toBe('Unexpected Role'); });