ahmido
ef41c9193a
## Summary - add Intune RBAC Role Definition baseline scope support, capture references, compare classification, findings evidence, and landing/detail UI labels - keep Intune Role Assignments explicitly excluded from baseline compare scope, summaries, findings, and restore messaging - add focused Pest coverage for baseline scope selection, capture, compare behavior, recurrence, isolation, findings rendering, inventory anchoring, and RBAC summaries ## Verification - `vendor/bin/sail bin pint --dirty --format agent` - `vendor/bin/sail artisan test --compact tests/Unit/Inventory/InventoryPolicyTypeMetaBaselineSupportTest.php tests/Unit/Baselines/BaselinePolicyVersionResolverTest.php tests/Unit/Baselines/BaselineScopeTest.php tests/Unit/IntuneRoleDefinitionNormalizerTest.php tests/Feature/Baselines/BaselineCaptureRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareDriftEvidenceContractRbacTest.php tests/Feature/Baselines/BaselineCompareCoverageGuardTest.php tests/Feature/Baselines/BaselineCompareCrossTenantMatchTest.php tests/Feature/Baselines/BaselineCompareFindingRecurrenceKeyTest.php tests/Feature/Baselines/BaselineCompareWhyNoFindingsReasonCodeTest.php tests/Feature/Filament/BaselineProfileFoundationScopeTest.php tests/Feature/Filament/BaselineSnapshotRbacRoleDefinitionsTest.php tests/Feature/Filament/BaselineCompareLandingRbacLabelsTest.php tests/Feature/Filament/FindingViewRbacEvidenceTest.php tests/Feature/Findings/FindingRecurrenceTest.php tests/Feature/Findings/DriftStaleAutoResolveTest.php tests/Feature/Inventory/InventorySyncButtonTest.php tests/Feature/Inventory/InventorySyncServiceTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php` - result: `71 passed (467 assertions)` ## Filament / Platform Notes - Livewire compliance: unchanged and compatible with Livewire v4.0+ - Provider registration: no panel/provider changes; `bootstrap/providers.php` remains the registration location - Global search: no new globally searchable resource added; existing global search behavior is unchanged - Destructive actions: no new destructive actions introduced; existing confirmed actions remain unchanged - Assets: no new Filament assets introduced; deploy asset handling remains unchanged, including `php artisan filament:assets` - Testing plan covered: baseline profile scope, snapshot detail, compare job, findings recurrence, findings detail, compare landing labels, inventory sync anchoring, and tenant isolation Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #156
286 lines
7.8 KiB
YAML
286 lines
7.8 KiB
YAML
openapi: 3.1.0
|
|
info:
|
|
title: TenantPilot Baseline Compare RBAC Planning Contract
|
|
version: 0.1.0
|
|
description: |
|
|
Planning artifact for Spec 128. Documents the existing workflow surfaces that
|
|
will gain Intune RBAC Role Definition baseline support.
|
|
servers:
|
|
- url: https://tenantpilot.local
|
|
paths:
|
|
/workspaces/{workspaceId}/baseline-profiles/{profileId}:
|
|
patch:
|
|
summary: Update baseline profile scope to include baseline-supported foundations
|
|
operationId: updateBaselineProfileScope
|
|
parameters:
|
|
- $ref: '#/components/parameters/WorkspaceId'
|
|
- $ref: '#/components/parameters/ProfileId'
|
|
requestBody:
|
|
required: true
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/BaselineProfileScopeUpdate'
|
|
responses:
|
|
'200':
|
|
description: Baseline profile updated
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/BaselineProfile'
|
|
'403':
|
|
description: In-scope member lacks workspace baseline management capability
|
|
'404':
|
|
description: Workspace or profile is outside authorized scope
|
|
|
|
/workspaces/{workspaceId}/baseline-profiles/{profileId}/captures:
|
|
post:
|
|
summary: Start baseline capture for the selected baseline profile
|
|
operationId: startBaselineCapture
|
|
parameters:
|
|
- $ref: '#/components/parameters/WorkspaceId'
|
|
- $ref: '#/components/parameters/ProfileId'
|
|
responses:
|
|
'202':
|
|
description: Baseline capture accepted and queued
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/OperationRunQueued'
|
|
'403':
|
|
description: In-scope member lacks workspace baseline management capability
|
|
'404':
|
|
description: Workspace or profile is outside authorized scope
|
|
|
|
/tenants/{tenantId}/baseline-compares:
|
|
post:
|
|
summary: Start baseline compare for the tenant using the assigned baseline profile
|
|
operationId: startBaselineCompare
|
|
parameters:
|
|
- $ref: '#/components/parameters/TenantId'
|
|
requestBody:
|
|
required: false
|
|
content:
|
|
application/json:
|
|
schema:
|
|
type: object
|
|
properties:
|
|
baseline_snapshot_id:
|
|
type: integer
|
|
minimum: 1
|
|
responses:
|
|
'202':
|
|
description: Baseline compare accepted and queued
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/OperationRunQueued'
|
|
'403':
|
|
description: In-scope member lacks tenant sync capability
|
|
'404':
|
|
description: Tenant is outside authorized scope
|
|
|
|
/tenants/{tenantId}/baseline-compares/{runId}:
|
|
get:
|
|
summary: Read baseline compare run detail including RBAC Role Definition summary
|
|
operationId: getBaselineCompareRun
|
|
parameters:
|
|
- $ref: '#/components/parameters/TenantId'
|
|
- $ref: '#/components/parameters/RunId'
|
|
responses:
|
|
'200':
|
|
description: Compare run detail
|
|
content:
|
|
application/json:
|
|
schema:
|
|
$ref: '#/components/schemas/BaselineCompareRun'
|
|
'403':
|
|
description: In-scope member lacks required capability
|
|
'404':
|
|
description: Tenant or run is outside authorized scope
|
|
|
|
/tenants/{tenantId}/findings:
|
|
get:
|
|
summary: List tenant findings, including baseline.compare RBAC Role Definition drift
|
|
operationId: listTenantFindings
|
|
parameters:
|
|
- $ref: '#/components/parameters/TenantId'
|
|
- name: source
|
|
in: query
|
|
schema:
|
|
type: string
|
|
enum: [baseline.compare]
|
|
- name: policy_type
|
|
in: query
|
|
schema:
|
|
type: string
|
|
enum: [intuneRoleDefinition]
|
|
responses:
|
|
'200':
|
|
description: Findings list
|
|
content:
|
|
application/json:
|
|
schema:
|
|
type: object
|
|
properties:
|
|
data:
|
|
type: array
|
|
items:
|
|
$ref: '#/components/schemas/Finding'
|
|
'403':
|
|
description: In-scope member lacks findings-view capability
|
|
'404':
|
|
description: Tenant is outside authorized scope
|
|
|
|
components:
|
|
parameters:
|
|
WorkspaceId:
|
|
name: workspaceId
|
|
in: path
|
|
required: true
|
|
schema:
|
|
type: integer
|
|
minimum: 1
|
|
ProfileId:
|
|
name: profileId
|
|
in: path
|
|
required: true
|
|
schema:
|
|
type: integer
|
|
minimum: 1
|
|
TenantId:
|
|
name: tenantId
|
|
in: path
|
|
required: true
|
|
schema:
|
|
type: integer
|
|
minimum: 1
|
|
RunId:
|
|
name: runId
|
|
in: path
|
|
required: true
|
|
schema:
|
|
type: integer
|
|
minimum: 1
|
|
|
|
schemas:
|
|
BaselineProfileScopeUpdate:
|
|
type: object
|
|
required: [scope_jsonb]
|
|
properties:
|
|
scope_jsonb:
|
|
type: object
|
|
properties:
|
|
policy_types:
|
|
type: array
|
|
items:
|
|
type: string
|
|
foundation_types:
|
|
type: array
|
|
items:
|
|
type: string
|
|
enum: [intuneRoleDefinition]
|
|
|
|
BaselineProfile:
|
|
type: object
|
|
required: [id, scope_jsonb]
|
|
properties:
|
|
id:
|
|
type: integer
|
|
scope_jsonb:
|
|
type: object
|
|
properties:
|
|
policy_types:
|
|
type: array
|
|
items:
|
|
type: string
|
|
foundation_types:
|
|
type: array
|
|
items:
|
|
type: string
|
|
|
|
OperationRunQueued:
|
|
type: object
|
|
required: [id, type, status]
|
|
properties:
|
|
id:
|
|
type: integer
|
|
type:
|
|
type: string
|
|
enum: [baseline_capture, baseline_compare]
|
|
status:
|
|
type: string
|
|
enum: [queued, running]
|
|
|
|
BaselineCompareRun:
|
|
type: object
|
|
required: [id, type, status, context]
|
|
properties:
|
|
id:
|
|
type: integer
|
|
type:
|
|
type: string
|
|
enum: [baseline_compare]
|
|
status:
|
|
type: string
|
|
outcome:
|
|
type: string
|
|
context:
|
|
type: object
|
|
properties:
|
|
baseline_compare:
|
|
type: object
|
|
properties:
|
|
reason_code:
|
|
type: string
|
|
rbac_role_definitions:
|
|
$ref: '#/components/schemas/RbacRoleDefinitionSummary'
|
|
|
|
RbacRoleDefinitionSummary:
|
|
type: object
|
|
required: [total_compared, unchanged, modified, missing, unexpected]
|
|
properties:
|
|
total_compared:
|
|
type: integer
|
|
minimum: 0
|
|
unchanged:
|
|
type: integer
|
|
minimum: 0
|
|
modified:
|
|
type: integer
|
|
minimum: 0
|
|
missing:
|
|
type: integer
|
|
minimum: 0
|
|
unexpected:
|
|
type: integer
|
|
minimum: 0
|
|
|
|
Finding:
|
|
type: object
|
|
required: [id, source, severity, evidence_jsonb]
|
|
properties:
|
|
id:
|
|
type: integer
|
|
source:
|
|
type: string
|
|
enum: [baseline.compare]
|
|
severity:
|
|
type: string
|
|
enum: [low, medium, high]
|
|
evidence_jsonb:
|
|
type: object
|
|
properties:
|
|
change_type:
|
|
type: string
|
|
enum: [modified, missing, unexpected]
|
|
summary:
|
|
type: object
|
|
properties:
|
|
kind:
|
|
type: string
|
|
enum: [intune_rbac_role_definition]
|
|
baseline:
|
|
type: object
|
|
current:
|
|
type: object |