ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
154-finding-risk-acceptance
TenantAtlas/app/Services/Intune/AuditLogger.php
ahmido ec71c2d4e7 feat: harden findings workflow and audit backstop (#181) 
## Summary
- harden finding lifecycle changes behind the canonical `FindingWorkflowService` gateway
- route automated resolve and reopen flows through the same audited workflow path
- tighten tenant and workspace scope checks on finding actions and audit visibility
- add focused spec artifacts, workflow regression coverage, automation coverage, and audit visibility tests
- update legacy finding model tests to use the workflow service after direct lifecycle mutators were removed

## Testing
- `vendor/bin/sail bin pint --dirty --format agent`
- focused findings and audit slices passed during implementation
- `vendor/bin/sail artisan test --compact tests/Feature/Models/FindingResolvedTest.php`
- full repository suite passed: `2757 passed`, `8 skipped`, `14448 assertions`

## Notes
- Livewire v4.0+ compliance preserved
- no new Filament assets or panel providers introduced; provider registration remains in `bootstrap/providers.php`
- findings stay on existing Filament action surfaces, with destructive actions still confirmation-gated
- no global search behavior was changed for findings resources

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #181
2026-03-18 12:57:23 +00:00

79 lines
2.5 KiB
PHP
Raw Permalink Blame History

<?php
declare(strict_types=1);
namespace App\Services\Intune;
use App\Models\Tenant;
use App\Services\Audit\AuditRecorder;
use App\Support\Audit\AuditActionId;
use App\Support\Audit\AuditActorSnapshot;
use App\Support\Audit\AuditActorType;
use App\Support\Audit\AuditTargetSnapshot;
use Carbon\CarbonImmutable;
use InvalidArgumentException;
class AuditLogger
{
public function __construct(
private readonly AuditRecorder $auditRecorder,
) {}
public function log(
Tenant $tenant,
string|AuditActionId $action,
array $context = [],
?int $actorId = null,
?string $actorEmail = null,
?string $actorName = null,
string $status = 'success',
?string $resourceType = null,
?string $resourceId = null,
?AuditActorType $actorType = null,
?string $targetLabel = null,
?string $summary = null,
?int $operationRunId = null,
): \App\Models\AuditLog {
$workspaceId = is_numeric($tenant->workspace_id) ? (int) $tenant->workspace_id : null;
$metadata = is_array($context['metadata'] ?? null) ? $context['metadata'] : [];
if ($actorType instanceof AuditActorType) {
$metadata['_actor_type'] = $actorType->value;
}
$context['metadata'] = $metadata;
if ($workspaceId === null) {
throw new InvalidArgumentException('Tenant-scoped audit events require tenant workspace_id.');
}
return $this->auditRecorder->record(
action: $action,
context: $context,
workspace: $tenant->workspace,
tenant: $tenant,
actor: AuditActorSnapshot::fromLegacy(
type: $actorType ?? AuditActorType::infer($action instanceof AuditActionId ? $action->value : $action, $actorId, $actorEmail, $actorName, $context),
id: $actorId,
email: $actorEmail,
label: $actorName,
),
target: new AuditTargetSnapshot(
type: $resourceType,
id: $resourceId,
label: $targetLabel,
),
outcome: $status,
recordedAt: CarbonImmutable::now(),
summary: $summary ?? AuditActionId::summaryFor(
action: $action,
targetLabel: $targetLabel,
targetType: $resourceType,
context: $metadata,
),
operationRunId: $operationRunId,
);
}
}
Reference in New Issue View Git Blame Copy Permalink