ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
136-admin-canonical-tenant
TenantAtlas/tests/Feature/Baselines/BaselineCompareCrossTenantMatchTest.php
Ahmed Darrazi df72c4adb7 fix: stabilize full suite regressions
2026-03-13 02:20:09 +01:00

327 lines
12 KiB
PHP
Raw Permalink Blame History

<?php
use App\Jobs\CompareBaselineToTenantJob;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Models\Finding;
use App\Models\InventoryItem;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Models\Tenant;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Intune\AuditLogger;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\OperationRunType;
it('matches baseline to tenant inventory by policy_type + subject_key (cross-tenant)', function () {
[$user, $sourceTenant] = createUserWithTenant(role: 'owner');
$targetTenant = Tenant::factory()->create([
'workspace_id' => (int) $sourceTenant->workspace_id,
]);
$user->tenants()->syncWithoutDetaching([
$targetTenant->getKey() => ['role' => 'owner'],
]);
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $sourceTenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$snapshot = BaselineSnapshot::factory()->create([
'workspace_id' => (int) $sourceTenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
'captured_at' => now()->subMinute(),
]);
$displayName = 'Shared Policy';
$subjectKey = BaselineSubjectKey::fromDisplayName($displayName);
expect($subjectKey)->not->toBeNull();
$baselineSubjectExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId(
policyType: 'deviceConfiguration',
subjectKey: (string) $subjectKey,
);
$snapshotPayload = [
'settings' => [
['displayName' => 'SettingX', 'value' => 1],
],
];
$expectedContentHash = expectedPolicyVersionContentHash(
snapshot: $snapshotPayload,
policyType: 'deviceConfiguration',
platform: 'windows',
);
BaselineSnapshotItem::factory()->create([
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'subject_type' => 'policy',
'subject_external_id' => $baselineSubjectExternalId,
'subject_key' => (string) $subjectKey,
'policy_type' => 'deviceConfiguration',
'baseline_hash' => $expectedContentHash,
'meta_jsonb' => [
'display_name' => $displayName,
'evidence' => [
'fidelity' => 'content',
'source' => 'policy_version',
'observed_at' => now()->toIso8601String(),
],
],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $targetTenant,
statusByType: ['deviceConfiguration' => 'succeeded'],
);
$policy = Policy::factory()->create([
'tenant_id' => (int) $targetTenant->getKey(),
'policy_type' => 'deviceConfiguration',
'external_id' => 'tenant-policy-uuid',
'platform' => 'windows',
'display_name' => $displayName,
]);
PolicyVersion::factory()->create([
'tenant_id' => (int) $targetTenant->getKey(),
'policy_id' => (int) $policy->getKey(),
'policy_type' => (string) $policy->policy_type,
'platform' => (string) $policy->platform,
'captured_at' => now(),
'snapshot' => $snapshotPayload,
'assignments' => [],
'scope_tags' => [],
]);
InventoryItem::factory()->create([
'tenant_id' => (int) $targetTenant->getKey(),
'workspace_id' => (int) $targetTenant->workspace_id,
'external_id' => (string) $policy->external_id,
'policy_type' => (string) $policy->policy_type,
'display_name' => $displayName,
'meta_jsonb' => ['etag' => 'E1'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
$opService = app(OperationRunService::class);
$run = $opService->ensureRunWithIdentity(
tenant: $targetTenant,
type: OperationRunType::BaselineCompare->value,
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
],
initiator: $user,
);
(new CompareBaselineToTenantJob($run))->handle(
app(BaselineSnapshotIdentity::class),
app(AuditLogger::class),
$opService,
);
$run->refresh();
expect($run->status)->toBe('completed');
expect(['succeeded', 'partially_succeeded'])->toContain((string) $run->outcome);
expect(
Finding::query()
->where('tenant_id', (int) $targetTenant->getKey())
->where('source', 'baseline.compare')
->count(),
)->toBe(0);
});
it('does not match role definitions across tenants when the role definition id differs', function (): void {
[$user, $sourceTenant] = createUserWithTenant(role: 'owner');
$targetTenant = Tenant::factory()->create([
'workspace_id' => (int) $sourceTenant->workspace_id,
]);
$user->tenants()->syncWithoutDetaching([
$targetTenant->getKey() => ['role' => 'owner'],
]);
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $sourceTenant->workspace_id,
'scope_jsonb' => [
'policy_types' => [],
'foundation_types' => ['intuneRoleDefinition'],
],
]);
$snapshot = BaselineSnapshot::factory()->create([
'workspace_id' => (int) $sourceTenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
'captured_at' => now()->subMinute(),
]);
$displayName = 'Security Reader';
$sourceExternalId = 'source-role-definition-id';
$targetExternalId = 'target-role-definition-id';
$subjectKey = BaselineSubjectKey::forPolicy('intuneRoleDefinition', $displayName, $sourceExternalId);
$baselineSubjectExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalIdForPolicy('intuneRoleDefinition', $displayName, $sourceExternalId);
expect($subjectKey)->not->toBeNull();
expect($baselineSubjectExternalId)->not->toBeNull();
$sourcePolicy = Policy::factory()->create([
'tenant_id' => (int) $sourceTenant->getKey(),
'external_id' => $sourceExternalId,
'policy_type' => 'intuneRoleDefinition',
'platform' => 'all',
'display_name' => $displayName,
]);
$sourceVersion = PolicyVersion::factory()->create([
'tenant_id' => (int) $sourceTenant->getKey(),
'policy_id' => (int) $sourcePolicy->getKey(),
'policy_type' => 'intuneRoleDefinition',
'platform' => 'all',
'captured_at' => now()->subMinute(),
'snapshot' => [
'displayName' => $displayName,
'description' => 'Source tenant role',
'isBuiltIn' => false,
'rolePermissions' => [
[
'resourceActions' => [
[
'allowedResourceActions' => ['microsoft.intune/devices/read'],
],
],
],
],
'roleScopeTagIds' => ['0'],
],
'assignments' => [],
'scope_tags' => [],
]);
BaselineSnapshotItem::factory()->create([
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'subject_type' => 'policy',
'subject_external_id' => (string) $baselineSubjectExternalId,
'subject_key' => (string) $subjectKey,
'policy_type' => 'intuneRoleDefinition',
'baseline_hash' => app(\App\Services\Baselines\Evidence\ContentEvidenceProvider::class)
->fromPolicyVersion($sourceVersion, (string) $baselineSubjectExternalId)
->hash,
'meta_jsonb' => [
'display_name' => $displayName,
'evidence' => [
'fidelity' => 'content',
'source' => 'policy_version',
'observed_at' => $sourceVersion->captured_at?->toIso8601String(),
],
'version_reference' => [
'policy_version_id' => (int) $sourceVersion->getKey(),
],
'rbac' => [
'is_built_in' => false,
'role_permission_count' => 1,
],
],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $targetTenant,
statusByType: ['intuneRoleDefinition' => 'succeeded'],
foundationTypes: ['intuneRoleDefinition'],
);
$targetPolicy = Policy::factory()->create([
'tenant_id' => (int) $targetTenant->getKey(),
'policy_type' => 'intuneRoleDefinition',
'external_id' => $targetExternalId,
'platform' => 'all',
'display_name' => $displayName,
]);
PolicyVersion::factory()->create([
'tenant_id' => (int) $targetTenant->getKey(),
'policy_id' => (int) $targetPolicy->getKey(),
'policy_type' => 'intuneRoleDefinition',
'platform' => 'all',
'captured_at' => now(),
'snapshot' => [
'displayName' => $displayName,
'description' => 'Target tenant role',
'isBuiltIn' => false,
'rolePermissions' => [
[
'resourceActions' => [
[
'allowedResourceActions' => ['microsoft.intune/devices/read'],
],
],
],
],
'roleScopeTagIds' => ['0'],
],
'assignments' => [],
'scope_tags' => [],
]);
InventoryItem::factory()->create([
'tenant_id' => (int) $targetTenant->getKey(),
'workspace_id' => (int) $targetTenant->workspace_id,
'external_id' => $targetExternalId,
'policy_type' => 'intuneRoleDefinition',
'display_name' => $displayName,
'meta_jsonb' => [
'etag' => 'E1',
'is_built_in' => false,
'role_permission_count' => 1,
],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
$opService = app(OperationRunService::class);
$run = $opService->ensureRunWithIdentity(
tenant: $targetTenant,
type: OperationRunType::BaselineCompare->value,
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'effective_scope' => [
'policy_types' => [],
'foundation_types' => ['intuneRoleDefinition'],
],
],
initiator: $user,
);
(new CompareBaselineToTenantJob($run))->handle(
app(BaselineSnapshotIdentity::class),
app(AuditLogger::class),
$opService,
);
$run->refresh();
expect($run->status)->toBe('completed');
expect(['succeeded', 'partially_succeeded'])->toContain((string) $run->outcome);
$findings = Finding::query()
->where('tenant_id', (int) $targetTenant->getKey())
->where('source', 'baseline.compare')
->get();
expect($findings->count())->toBe(2)
->and($findings->map(fn (Finding $finding): ?string => data_get($finding->evidence_jsonb, 'change_type'))->sort()->values()->all())->toBe([
'missing_policy',
'unexpected_policy',
]);
});
Reference in New Issue View Git Blame Copy Permalink