active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []], ]); $displayName = 'Policy X'; $subjectKey = BaselineSubjectKey::fromDisplayName($displayName); expect($subjectKey)->not->toBeNull(); $workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId( policyType: 'deviceConfiguration', subjectKey: (string) $subjectKey, ); $snapshot1 = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => now()->subMinutes(2), ]); BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot1->getKey(), 'subject_type' => 'policy', 'subject_external_id' => $workspaceSafeExternalId, 'subject_key' => (string) $subjectKey, 'policy_type' => 'deviceConfiguration', 'baseline_hash' => hash('sha256', 'baseline-v1'), 'meta_jsonb' => [ 'display_name' => $displayName, 'evidence' => [ 'fidelity' => 'meta', 'source' => 'inventory', 'observed_at' => now()->toIso8601String(), ], ], ]); $snapshot2 = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => now()->subMinute(), ]); BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot2->getKey(), 'subject_type' => 'policy', 'subject_external_id' => $workspaceSafeExternalId, 'subject_key' => (string) $subjectKey, 'policy_type' => 'deviceConfiguration', 'baseline_hash' => hash('sha256', 'baseline-v2'), 'meta_jsonb' => [ 'display_name' => $displayName, 'evidence' => [ 'fidelity' => 'meta', 'source' => 'inventory', 'observed_at' => now()->toIso8601String(), ], ], ]); $inventorySyncRun = createInventorySyncOperationRunWithCoverage( tenant: $tenant, statusByType: ['deviceConfiguration' => 'succeeded'], ); InventoryItem::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'workspace_id' => (int) $tenant->workspace_id, 'external_id' => 'policy-x-uuid', 'policy_type' => 'deviceConfiguration', 'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_CURRENT_1'], 'display_name' => $displayName, 'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(), 'last_seen_at' => now(), ]); $opService = app(OperationRunService::class); $run1 = $opService->ensureRunWithIdentity( tenant: $tenant, type: OperationRunType::BaselineCompare->value, identityInputs: ['baseline_profile_id' => (int) $profile->getKey()], context: [ 'baseline_profile_id' => (int) $profile->getKey(), 'baseline_snapshot_id' => (int) $snapshot1->getKey(), 'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []], ], initiator: $user, ); $job = new CompareBaselineToTenantJob($run1); $job->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), $opService, ); $finding = Finding::query() ->where('tenant_id', (int) $tenant->getKey()) ->where('source', 'baseline.compare') ->sole(); expect($finding->recurrence_key)->not->toBeNull(); expect($finding->fingerprint)->toBe($finding->recurrence_key); expect($finding->times_seen)->toBe(1); $fingerprint = (string) $finding->fingerprint; // Retry the same run ID (job retry): times_seen MUST NOT increment twice for the same run. $job->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), $opService, ); $finding->refresh(); expect($finding->times_seen)->toBe(1); expect((string) $finding->fingerprint)->toBe($fingerprint); // Compare against a different baseline snapshot (hash changes), but recurrence identity stays stable. $run2 = $opService->ensureRunWithIdentity( tenant: $tenant, type: OperationRunType::BaselineCompare->value, identityInputs: ['baseline_profile_id' => (int) $profile->getKey()], context: [ 'baseline_profile_id' => (int) $profile->getKey(), 'baseline_snapshot_id' => (int) $snapshot2->getKey(), 'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []], ], initiator: $user, ); (new CompareBaselineToTenantJob($run2))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), $opService, ); $finding->refresh(); expect((string) $finding->fingerprint)->toBe($fingerprint); expect($finding->times_seen)->toBe(2); }); function rbacRecurrenceSnapshot(string $displayName, string $description, array $allowedActions): array { return [ 'displayName' => $displayName, 'description' => $description, 'isBuiltIn' => false, 'rolePermissions' => [ [ 'resourceActions' => [ [ 'allowedResourceActions' => $allowedActions, ], ], ], ], 'roleScopeTagIds' => ['0'], ]; } it('keeps intune role definition recurrence stable when the normalized diff fingerprint changes', function (): void { [$user, $tenant] = createUserWithTenant(role: 'owner'); $profile = BaselineProfile::factory()->active()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'scope_jsonb' => [ 'policy_types' => [], 'foundation_types' => ['intuneRoleDefinition'], ], ]); $capturedAt = now()->subMinutes(5); $displayName = 'Security Reader'; $externalId = 'rbac-role-stable'; $subjectKey = BaselineSubjectKey::forPolicy('intuneRoleDefinition', $displayName, $externalId); $workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalIdForPolicy('intuneRoleDefinition', $displayName, $externalId); expect($subjectKey)->not->toBeNull(); expect($workspaceSafeExternalId)->not->toBeNull(); $policy = \App\Models\Policy::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'external_id' => $externalId, 'policy_type' => 'intuneRoleDefinition', 'platform' => 'all', 'display_name' => $displayName, ]); $baselineVersionOne = \App\Models\PolicyVersion::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'policy_id' => (int) $policy->getKey(), 'policy_type' => 'intuneRoleDefinition', 'platform' => 'all', 'version_number' => 1, 'captured_at' => $capturedAt->copy(), 'snapshot' => rbacRecurrenceSnapshot($displayName, 'Baseline v1', ['microsoft.intune/devices/read']), 'assignments' => [], 'scope_tags' => [], ]); $baselineVersionTwo = \App\Models\PolicyVersion::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'policy_id' => (int) $policy->getKey(), 'policy_type' => 'intuneRoleDefinition', 'platform' => 'all', 'version_number' => 2, 'captured_at' => $capturedAt->copy()->addMinute(), 'snapshot' => rbacRecurrenceSnapshot($displayName, 'Baseline v2', ['microsoft.intune/devices/read']), 'assignments' => [], 'scope_tags' => [], ]); $snapshot1 = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => $capturedAt->copy(), ]); $snapshot2 = BaselineSnapshot::factory()->create([ 'workspace_id' => (int) $tenant->workspace_id, 'baseline_profile_id' => (int) $profile->getKey(), 'captured_at' => $capturedAt->copy()->addMinute(), ]); $provider = app(\App\Services\Baselines\Evidence\ContentEvidenceProvider::class); BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot1->getKey(), 'subject_type' => 'policy', 'subject_external_id' => (string) $workspaceSafeExternalId, 'subject_key' => (string) $subjectKey, 'policy_type' => 'intuneRoleDefinition', 'baseline_hash' => $provider->fromPolicyVersion($baselineVersionOne, (string) $workspaceSafeExternalId)->hash, 'meta_jsonb' => [ 'display_name' => $displayName, 'evidence' => [ 'fidelity' => 'content', 'source' => 'policy_version', 'observed_at' => $baselineVersionOne->captured_at?->toIso8601String(), ], 'version_reference' => [ 'policy_version_id' => (int) $baselineVersionOne->getKey(), ], 'rbac' => [ 'is_built_in' => false, 'role_permission_count' => 1, ], ], ]); BaselineSnapshotItem::factory()->create([ 'baseline_snapshot_id' => (int) $snapshot2->getKey(), 'subject_type' => 'policy', 'subject_external_id' => (string) $workspaceSafeExternalId, 'subject_key' => (string) $subjectKey, 'policy_type' => 'intuneRoleDefinition', 'baseline_hash' => $provider->fromPolicyVersion($baselineVersionTwo, (string) $workspaceSafeExternalId)->hash, 'meta_jsonb' => [ 'display_name' => $displayName, 'evidence' => [ 'fidelity' => 'content', 'source' => 'policy_version', 'observed_at' => $baselineVersionTwo->captured_at?->toIso8601String(), ], 'version_reference' => [ 'policy_version_id' => (int) $baselineVersionTwo->getKey(), ], 'rbac' => [ 'is_built_in' => false, 'role_permission_count' => 1, ], ], ]); $currentVersion = \App\Models\PolicyVersion::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'policy_id' => (int) $policy->getKey(), 'policy_type' => 'intuneRoleDefinition', 'platform' => 'all', 'version_number' => 3, 'captured_at' => $capturedAt->copy()->addMinutes(2), 'snapshot' => rbacRecurrenceSnapshot($displayName, 'Current drifted role', [ 'microsoft.intune/devices/read', 'microsoft.intune/devices/delete', ]), 'assignments' => [], 'scope_tags' => [], ]); $inventorySyncRun = createInventorySyncOperationRunWithCoverage( tenant: $tenant, statusByType: ['intuneRoleDefinition' => 'succeeded'], foundationTypes: ['intuneRoleDefinition'], ); InventoryItem::factory()->create([ 'tenant_id' => (int) $tenant->getKey(), 'workspace_id' => (int) $tenant->workspace_id, 'external_id' => $externalId, 'policy_type' => 'intuneRoleDefinition', 'meta_jsonb' => [ 'odata_type' => '#microsoft.graph.deviceAndAppManagementRoleDefinition', 'is_built_in' => false, 'role_permission_count' => 1, ], 'display_name' => $displayName, 'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(), 'last_seen_at' => now(), ]); $opService = app(OperationRunService::class); $run1 = $opService->ensureRunWithIdentity( tenant: $tenant, type: OperationRunType::BaselineCompare->value, identityInputs: ['baseline_profile_id' => (int) $profile->getKey()], context: [ 'baseline_profile_id' => (int) $profile->getKey(), 'baseline_snapshot_id' => (int) $snapshot1->getKey(), 'effective_scope' => [ 'policy_types' => [], 'foundation_types' => ['intuneRoleDefinition'], ], ], initiator: $user, ); (new CompareBaselineToTenantJob($run1))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), $opService, ); $finding = Finding::query() ->where('tenant_id', (int) $tenant->getKey()) ->where('source', 'baseline.compare') ->sole(); $fingerprint = (string) $finding->fingerprint; $firstDiffFingerprint = (string) data_get($finding->evidence_jsonb, 'rbac_role_definition.diff_fingerprint'); expect($finding->recurrence_key)->toBe($fingerprint) ->and($firstDiffFingerprint)->not->toBe(''); $run2 = $opService->ensureRunWithIdentity( tenant: $tenant, type: OperationRunType::BaselineCompare->value, identityInputs: ['baseline_profile_id' => (int) $profile->getKey()], context: [ 'baseline_profile_id' => (int) $profile->getKey(), 'baseline_snapshot_id' => (int) $snapshot2->getKey(), 'effective_scope' => [ 'policy_types' => [], 'foundation_types' => ['intuneRoleDefinition'], ], ], initiator: $user, ); (new CompareBaselineToTenantJob($run2))->handle( app(BaselineSnapshotIdentity::class), app(AuditLogger::class), $opService, ); $finding->refresh(); expect((string) $finding->fingerprint)->toBe($fingerprint) ->and($finding->times_seen)->toBe(2) ->and((string) data_get($finding->evidence_jsonb, 'rbac_role_definition.diff_fingerprint'))->not->toBe($firstDiffFingerprint); });