ahmido
7ac53f4cc4
Implements spec 111 (Findings workflow + SLA) and fixes Workspace findings SLA settings UX/validation. Key changes: - Findings workflow service + SLA policy and alerting. - Workspace settings: allow partial SLA overrides without auto-filling unset severities in the UI; effective values still resolve via defaults. - New migrations, jobs, command, UI/resource updates, and comprehensive test coverage. Tests: - `vendor/bin/sail artisan test --compact` (1779 passed, 8 skipped). Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #135
214 lines
8.0 KiB
PHP
214 lines
8.0 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Resources\AlertRuleResource;
|
|
use App\Models\AlertDelivery;
|
|
use App\Models\AlertDestination;
|
|
use App\Models\AlertRule;
|
|
use App\Models\Finding;
|
|
use App\Services\Alerts\AlertDispatchService;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Carbon\CarbonImmutable;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Helpers
|
|
// ---------------------------------------------------------------------------
|
|
|
|
function createEntraAlertRuleWithDestination(int $workspaceId, string $minSeverity, int $cooldownSeconds = 0): array
|
|
{
|
|
$destination = AlertDestination::factory()->create([
|
|
'workspace_id' => $workspaceId,
|
|
'is_enabled' => true,
|
|
]);
|
|
|
|
$rule = AlertRule::factory()->create([
|
|
'workspace_id' => $workspaceId,
|
|
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
|
|
'minimum_severity' => $minSeverity,
|
|
'is_enabled' => true,
|
|
'cooldown_seconds' => $cooldownSeconds,
|
|
]);
|
|
|
|
$rule->destinations()->attach($destination->getKey(), [
|
|
'workspace_id' => $workspaceId,
|
|
]);
|
|
|
|
return [$rule, $destination];
|
|
}
|
|
|
|
// ---------------------------------------------------------------------------
|
|
// Tests
|
|
// ---------------------------------------------------------------------------
|
|
|
|
it('queues delivery when entra admin role finding matches alert rule severity', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
|
|
|
|
[$rule, $destination] = createEntraAlertRuleWithDestination($workspaceId, 'high');
|
|
|
|
$finding = Finding::factory()->entraAdminRoles()->create([
|
|
'workspace_id' => $workspaceId,
|
|
'tenant_id' => $tenant->getKey(),
|
|
'severity' => Finding::SEVERITY_CRITICAL,
|
|
'status' => Finding::STATUS_NEW,
|
|
]);
|
|
|
|
$event = [
|
|
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'severity' => Finding::SEVERITY_CRITICAL,
|
|
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
|
|
'title' => 'High-privilege Entra admin role detected',
|
|
'body' => 'Role "Global Administrator" assigned to Alice Admin (severity: critical).',
|
|
'metadata' => ['finding_id' => (int) $finding->getKey()],
|
|
];
|
|
|
|
$dispatchService = app(AlertDispatchService::class);
|
|
$workspace = \App\Models\Workspace::query()->find($workspaceId);
|
|
|
|
$created = $dispatchService->dispatchEvent($workspace, $event);
|
|
|
|
expect($created)->toBe(1);
|
|
|
|
$delivery = AlertDelivery::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->where('event_type', AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
|
|
->first();
|
|
|
|
expect($delivery)->not->toBeNull()
|
|
->and($delivery->status)->toBe(AlertDelivery::STATUS_QUEUED)
|
|
->and($delivery->severity)->toBe(Finding::SEVERITY_CRITICAL);
|
|
});
|
|
|
|
it('does not queue delivery when finding severity is below minimum', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
|
|
|
|
[$rule, $destination] = createEntraAlertRuleWithDestination($workspaceId, 'critical');
|
|
|
|
$event = [
|
|
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'severity' => Finding::SEVERITY_HIGH,
|
|
'fingerprint_key' => 'finding:999',
|
|
'title' => 'High-privilege Entra admin role detected',
|
|
'body' => 'Role "Privileged Role Administrator" assigned to Bob (severity: high).',
|
|
'metadata' => [],
|
|
];
|
|
|
|
$dispatchService = app(AlertDispatchService::class);
|
|
$workspace = \App\Models\Workspace::query()->find($workspaceId);
|
|
|
|
$created = $dispatchService->dispatchEvent($workspace, $event);
|
|
|
|
expect($created)->toBe(0);
|
|
});
|
|
|
|
it('suppresses duplicate delivery via fingerprint cooldown', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
|
|
|
|
[$rule, $destination] = createEntraAlertRuleWithDestination($workspaceId, 'high', cooldownSeconds: 3600);
|
|
|
|
$finding = Finding::factory()->entraAdminRoles()->create([
|
|
'workspace_id' => $workspaceId,
|
|
'tenant_id' => $tenant->getKey(),
|
|
'severity' => Finding::SEVERITY_CRITICAL,
|
|
'status' => Finding::STATUS_NEW,
|
|
]);
|
|
|
|
$event = [
|
|
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'severity' => Finding::SEVERITY_CRITICAL,
|
|
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
|
|
'title' => 'High-privilege Entra admin role detected',
|
|
'body' => 'Role "Global Administrator" assigned to Alice Admin.',
|
|
'metadata' => ['finding_id' => (int) $finding->getKey()],
|
|
];
|
|
|
|
$dispatchService = app(AlertDispatchService::class);
|
|
$workspace = \App\Models\Workspace::query()->find($workspaceId);
|
|
|
|
// First dispatch — should create a QUEUED delivery
|
|
$firstCreated = $dispatchService->dispatchEvent($workspace, $event);
|
|
expect($firstCreated)->toBe(1);
|
|
|
|
// Second dispatch — same fingerprint within cooldown → SUPPRESSED
|
|
$secondCreated = $dispatchService->dispatchEvent($workspace, $event);
|
|
expect($secondCreated)->toBe(1);
|
|
|
|
$deliveries = AlertDelivery::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->where('event_type', AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
expect($deliveries)->toHaveCount(2)
|
|
->and($deliveries[0]->status)->toBe(AlertDelivery::STATUS_QUEUED)
|
|
->and($deliveries[1]->status)->toBe(AlertDelivery::STATUS_SUPPRESSED);
|
|
});
|
|
|
|
it('resolved findings are excluded from entraAdminRolesHighEvents', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
|
|
|
|
// Create a resolved finding — should not appear in events
|
|
Finding::factory()->entraAdminRoles()->resolved()->create([
|
|
'workspace_id' => $workspaceId,
|
|
'tenant_id' => $tenant->getKey(),
|
|
'severity' => Finding::SEVERITY_CRITICAL,
|
|
]);
|
|
|
|
$job = new \App\Jobs\Alerts\EvaluateAlertsJob($workspaceId);
|
|
$reflection = new ReflectionMethod($job, 'entraAdminRolesHighEvents');
|
|
|
|
$events = $reflection->invoke(
|
|
$job,
|
|
$workspaceId,
|
|
CarbonImmutable::now('UTC')->subHours(1),
|
|
);
|
|
|
|
expect($events)->toBe([]);
|
|
});
|
|
|
|
it('reopened findings are included in entraAdminRolesHighEvents', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
|
|
|
|
$finding = Finding::factory()->entraAdminRoles()->create([
|
|
'workspace_id' => $workspaceId,
|
|
'tenant_id' => $tenant->getKey(),
|
|
'severity' => Finding::SEVERITY_CRITICAL,
|
|
'status' => Finding::STATUS_REOPENED,
|
|
'reopened_at' => now(),
|
|
]);
|
|
|
|
$job = new \App\Jobs\Alerts\EvaluateAlertsJob($workspaceId);
|
|
$reflection = new ReflectionMethod($job, 'entraAdminRolesHighEvents');
|
|
|
|
$events = $reflection->invoke(
|
|
$job,
|
|
$workspaceId,
|
|
CarbonImmutable::now('UTC')->subHours(1),
|
|
);
|
|
|
|
expect($events)->toHaveCount(1)
|
|
->and($events[0]['event_type'])->toBe(AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
|
|
->and($events[0]['tenant_id'])->toBe((int) $tenant->getKey())
|
|
->and($events[0]['metadata']['finding_id'])->toBe((int) $finding->getKey());
|
|
});
|
|
|
|
it('new event type appears in AlertRuleResource event type options', function (): void {
|
|
$options = AlertRuleResource::eventTypeOptions();
|
|
|
|
expect($options)->toHaveKey(AlertRule::EVENT_SLA_DUE)
|
|
->and($options[AlertRule::EVENT_SLA_DUE])->toBe('SLA due')
|
|
->and($options)->toHaveKey(AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
|
|
->and($options[AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH])->toBe('Entra admin roles (high privilege)');
|
|
});
|