ahmido
5bcb4f6ab8
## Summary
- add a canonical queued execution legitimacy contract for actor-bound and system-authority operation runs
- enforce legitimacy before queued jobs transition runs to running across provider, inventory, restore, bulk, sync, and scheduled backup flows
- surface blocked execution outcomes consistently in Monitoring, notifications, audit data, and the tenantless operation viewer
- add Spec 149 artifacts and focused Pest coverage for legitimacy decisions, middleware ordering, blocked presentation, retry behavior, and cross-family adoption
## Testing
- vendor/bin/sail artisan test --compact tests/Unit/Operations/QueuedExecutionLegitimacyGateTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionMiddlewareOrderingTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Verification/ProviderExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/RunInventorySyncExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/ExecuteRestoreRunExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/SystemRunBlockedExecutionNotificationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/BulkOperationExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionRetryReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionContractMatrixTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/OperationRunBlockedExecutionPresentationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionAuditTrailTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/TenantlessOperationRunViewerTest.php
- vendor/bin/sail bin pint --dirty --format agent
## Manual validation
- validated queued provider execution blocking for tenant operability drift in the integrated browser on /admin/operations and /admin/operations/{run}
- validated 404 vs 403 route behavior for non-membership vs in-scope capability denial
- validated initiator-null blocked system-run behavior without creating a user terminal notification
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #179
140 lines
5.9 KiB
PHP
140 lines
5.9 KiB
PHP
<?php
|
|
|
|
namespace App\Support\OpsUx;
|
|
|
|
use App\Services\Intune\SecretClassificationService;
|
|
use App\Support\Operations\ExecutionDenialReasonCode;
|
|
use App\Support\Providers\ProviderReasonCodes;
|
|
|
|
final class RunFailureSanitizer
|
|
{
|
|
public const string REASON_GRAPH_THROTTLED = 'graph_throttled';
|
|
|
|
public const string REASON_GRAPH_TIMEOUT = 'graph_timeout';
|
|
|
|
public const string REASON_PERMISSION_DENIED = 'permission_denied';
|
|
|
|
public const string REASON_PROVIDER_AUTH_FAILED = 'provider_auth_failed';
|
|
|
|
public const string REASON_PROVIDER_OUTAGE = 'provider_outage';
|
|
|
|
public const string REASON_VALIDATION_ERROR = 'validation_error';
|
|
|
|
public const string REASON_CONFLICT_DETECTED = 'conflict_detected';
|
|
|
|
public const string REASON_UNKNOWN_ERROR = 'unknown_error';
|
|
|
|
public static function sanitizeCode(string $code): string
|
|
{
|
|
$code = strtolower(trim($code));
|
|
|
|
if ($code === '') {
|
|
return 'unknown';
|
|
}
|
|
|
|
return substr($code, 0, 80);
|
|
}
|
|
|
|
public static function normalizeReasonCode(string $candidate): string
|
|
{
|
|
$candidate = strtolower(trim($candidate));
|
|
$executionDenialReasonCodes = array_map(
|
|
static fn (ExecutionDenialReasonCode $reasonCode): string => $reasonCode->value,
|
|
ExecutionDenialReasonCode::cases(),
|
|
);
|
|
|
|
if ($candidate === '') {
|
|
return ProviderReasonCodes::UnknownError;
|
|
}
|
|
|
|
if (ProviderReasonCodes::isKnown($candidate) || in_array($candidate, ['ok', 'not_applicable'], true) || in_array($candidate, $executionDenialReasonCodes, true)) {
|
|
return $candidate;
|
|
}
|
|
|
|
if (str_starts_with($candidate, 'ext.')) {
|
|
return $candidate;
|
|
}
|
|
|
|
/**
|
|
* Appendix-A taxonomy mappings:
|
|
* - `graph_throttled`/`throttled` -> `rate_limited`
|
|
* - transport/transient/outage classes -> `network_unreachable`
|
|
* - auth failures -> `provider_auth_failed`
|
|
* - permission denied classes -> `provider_permission_denied`
|
|
* - generic missing/invalid configuration classes -> `provider_connection_*`
|
|
*/
|
|
// Compatibility mappings from existing codebase labels.
|
|
$candidate = match ($candidate) {
|
|
self::REASON_GRAPH_THROTTLED,
|
|
'throttled' => ProviderReasonCodes::RateLimited,
|
|
self::REASON_GRAPH_TIMEOUT,
|
|
self::REASON_PROVIDER_OUTAGE,
|
|
'graph_transient',
|
|
'dependency_unreachable' => ProviderReasonCodes::NetworkUnreachable,
|
|
self::REASON_PERMISSION_DENIED,
|
|
'graph_forbidden',
|
|
'permission_denied' => ProviderReasonCodes::ProviderPermissionDenied,
|
|
self::REASON_PROVIDER_AUTH_FAILED,
|
|
'authentication_failed' => ProviderReasonCodes::ProviderAuthFailed,
|
|
self::REASON_VALIDATION_ERROR,
|
|
self::REASON_CONFLICT_DETECTED,
|
|
'invalid_state' => ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'missing_configuration' => ProviderReasonCodes::ProviderConnectionMissing,
|
|
'unknown',
|
|
self::REASON_UNKNOWN_ERROR => ProviderReasonCodes::UnknownError,
|
|
default => $candidate,
|
|
};
|
|
|
|
if (ProviderReasonCodes::isKnown($candidate) || in_array($candidate, ['ok', 'not_applicable'], true) || in_array($candidate, $executionDenialReasonCodes, true)) {
|
|
return $candidate;
|
|
}
|
|
|
|
// Heuristic normalization for ad-hoc codes used across jobs/services.
|
|
if (str_contains($candidate, 'throttle') || str_contains($candidate, '429')) {
|
|
return ProviderReasonCodes::RateLimited;
|
|
}
|
|
|
|
if (str_contains($candidate, 'invalid_client') || str_contains($candidate, 'invalid_grant') || str_contains($candidate, '401') || str_contains($candidate, 'aadsts')) {
|
|
return ProviderReasonCodes::ProviderAuthFailed;
|
|
}
|
|
|
|
if (str_contains($candidate, 'timeout') || str_contains($candidate, 'transient') || str_contains($candidate, '503') || str_contains($candidate, '504')) {
|
|
return ProviderReasonCodes::NetworkUnreachable;
|
|
}
|
|
|
|
if (str_contains($candidate, 'outage') || str_contains($candidate, '500') || str_contains($candidate, '502') || str_contains($candidate, 'bad_gateway')) {
|
|
return ProviderReasonCodes::NetworkUnreachable;
|
|
}
|
|
|
|
if (str_contains($candidate, 'forbidden') || str_contains($candidate, 'permission') || str_contains($candidate, 'unauthorized') || str_contains($candidate, '403')) {
|
|
return ProviderReasonCodes::ProviderPermissionDenied;
|
|
}
|
|
|
|
if (str_contains($candidate, 'validation') || str_contains($candidate, 'not_found') || str_contains($candidate, 'bad_request') || str_contains($candidate, '400') || str_contains($candidate, '422')) {
|
|
return ProviderReasonCodes::ProviderConnectionInvalid;
|
|
}
|
|
|
|
if (str_contains($candidate, 'conflict') || str_contains($candidate, '409')) {
|
|
return ProviderReasonCodes::ProviderConnectionInvalid;
|
|
}
|
|
|
|
return ProviderReasonCodes::UnknownError;
|
|
}
|
|
|
|
public static function sanitizeMessage(string $message): string
|
|
{
|
|
$message = trim(str_replace(["\r", "\n"], ' ', $message));
|
|
$message = self::classifier()->sanitizeOpsFailureString($message);
|
|
$message = preg_replace('/\b[A-Za-z0-9\-\._~\+\/]{64,}\b/', '[REDACTED]', $message) ?? $message;
|
|
$message = preg_replace('/\b(access_token|refresh_token|client_secret|password)\b\s*=\s*\[REDACTED_SECRET\]/i', '[REDACTED_SECRET]', $message) ?? $message;
|
|
$message = preg_replace('/"(access_token|refresh_token|client_secret|password)"\s*:\s*"\[REDACTED_SECRET\]"/i', '"[REDACTED_SECRET]"', $message) ?? $message;
|
|
|
|
return substr($message, 0, 120);
|
|
}
|
|
|
|
private static function classifier(): SecretClassificationService
|
|
{
|
|
return app(SecretClassificationService::class);
|
|
}
|
|
}
|