ahmido
b1e1e06861
## Summary - add a first-class finding exception domain with request, approval, rejection, renewal, and revocation lifecycle support - add tenant-scoped exception register, finding governance surfaces, and a canonical workspace approval queue in Filament - add audit, badge, evidence, and review-pack integrations plus focused Pest coverage for workflow, authorization, and governance validity ## Validation - vendor/bin/sail bin pint --dirty --format agent - CI=1 vendor/bin/sail artisan test --compact - manual integrated-browser smoke test for the request-exception happy path, tenant register visibility, and canonical queue visibility ## Notes - Filament implementation remains on v5 with Livewire v4-compatible surfaces - canonical queue lives in the admin panel; provider registration stays in bootstrap/providers.php - finding exceptions stay out of global search in this rollout Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #184
174 lines
6.9 KiB
PHP
174 lines
6.9 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Resources\FindingExceptionResource\Pages\ListFindingExceptions;
|
|
use App\Filament\Resources\FindingResource\Pages\ViewFinding;
|
|
use App\Models\Finding;
|
|
use App\Models\FindingException;
|
|
use App\Models\User;
|
|
use App\Services\Findings\FindingExceptionService;
|
|
use App\Services\Findings\FindingRiskGovernanceResolver;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Livewire\Livewire;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('shows an expiring governance cue on finding detail for entitled viewers', function (): void {
|
|
[$viewer, $tenant] = createUserWithTenant(role: 'readonly');
|
|
[$requester] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
$approver = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $approver, role: 'owner');
|
|
|
|
$finding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_RISK_ACCEPTED,
|
|
]);
|
|
|
|
FindingException::query()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'finding_id' => (int) $finding->getKey(),
|
|
'requested_by_user_id' => (int) $requester->getKey(),
|
|
'owner_user_id' => (int) $requester->getKey(),
|
|
'approved_by_user_id' => (int) $approver->getKey(),
|
|
'status' => FindingException::STATUS_EXPIRING,
|
|
'current_validity_state' => FindingException::VALIDITY_EXPIRING,
|
|
'request_reason' => 'Short-lived exception while remediation is scheduled',
|
|
'approval_reason' => 'Compensating controls accepted',
|
|
'requested_at' => now()->subDays(8),
|
|
'approved_at' => now()->subDays(7),
|
|
'effective_from' => now()->subDays(7),
|
|
'expires_at' => now()->addDays(2),
|
|
'review_due_at' => now()->addDay(),
|
|
'evidence_summary' => ['reference_count' => 0],
|
|
]);
|
|
|
|
$this->actingAs($viewer);
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::test(ViewFinding::class, ['record' => $finding->getKey()])
|
|
->assertSee('Risk governance')
|
|
->assertSee('Expiring');
|
|
});
|
|
|
|
it('shows a governance warning when a finding is marked as accepted risk without a valid exception', function (): void {
|
|
[$viewer, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$finding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_RISK_ACCEPTED,
|
|
]);
|
|
|
|
$this->actingAs($viewer);
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::test(ViewFinding::class, ['record' => $finding->getKey()])
|
|
->assertSee('Risk governance')
|
|
->assertSee('without a valid exception record');
|
|
|
|
expect(app(FindingRiskGovernanceResolver::class)->resolveFindingState($finding->fresh()))
|
|
->toBe('risk_accepted_without_valid_exception');
|
|
});
|
|
|
|
it('surfaces expired and revoked exceptions as governance warnings instead of valid accepted risk', function (string $mode, string $expectedWarning, string $expectedState): void {
|
|
[$viewer, $tenant] = createUserWithTenant(role: 'readonly');
|
|
[$requester] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
$approver = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $approver, role: 'owner', workspaceRole: 'manager');
|
|
|
|
$finding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_RISK_ACCEPTED,
|
|
]);
|
|
|
|
/** @var FindingExceptionService $service */
|
|
$service = app(FindingExceptionService::class);
|
|
|
|
$requested = $service->request($finding, $tenant, $requester, [
|
|
'owner_user_id' => (int) $requester->getKey(),
|
|
'request_reason' => 'Temporary exception',
|
|
'review_due_at' => now()->addDays(5)->toDateTimeString(),
|
|
'expires_at' => now()->addDays(14)->toDateTimeString(),
|
|
]);
|
|
|
|
$exception = $service->approve($requested, $approver, [
|
|
'effective_from' => now()->subDays(10)->toDateTimeString(),
|
|
'expires_at' => $mode === 'expired'
|
|
? now()->subDay()->toDateTimeString()
|
|
: now()->addDays(14)->toDateTimeString(),
|
|
'approval_reason' => 'Approved with controls',
|
|
]);
|
|
|
|
if ($mode === 'expired') {
|
|
$exception = app(FindingRiskGovernanceResolver::class)->syncExceptionState($exception->fresh());
|
|
} else {
|
|
$exception = $service->revoke($exception->fresh(), $requester, [
|
|
'revocation_reason' => 'Compensating controls were removed.',
|
|
]);
|
|
}
|
|
|
|
$this->actingAs($viewer);
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::test(ViewFinding::class, ['record' => $finding->getKey()])
|
|
->assertSee($expectedWarning);
|
|
|
|
Livewire::test(ListFindingExceptions::class)
|
|
->assertSee($expectedWarning);
|
|
|
|
expect(app(FindingRiskGovernanceResolver::class)->resolveFindingState($finding->fresh('findingException')))
|
|
->toBe($expectedState);
|
|
})->with([
|
|
'expired exception' => ['expired', 'expired and no longer governs accepted risk', 'expired_exception'],
|
|
'revoked exception' => ['revoked', 'was revoked and no longer governs accepted risk', 'revoked_exception'],
|
|
]);
|
|
|
|
it('keeps historical exceptions visible while requiring a fresh decision after a finding reopens', function (): void {
|
|
[$viewer, $tenant] = createUserWithTenant(role: 'readonly');
|
|
[$requester] = createUserWithTenant(tenant: $tenant, role: 'owner');
|
|
$approver = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $approver, role: 'owner', workspaceRole: 'manager');
|
|
|
|
$finding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_RISK_ACCEPTED,
|
|
]);
|
|
|
|
/** @var FindingExceptionService $service */
|
|
$service = app(FindingExceptionService::class);
|
|
|
|
$requested = $service->request($finding, $tenant, $requester, [
|
|
'owner_user_id' => (int) $requester->getKey(),
|
|
'request_reason' => 'Temporary exception while remediation is scheduled',
|
|
'review_due_at' => now()->addDays(7)->toDateTimeString(),
|
|
'expires_at' => now()->addDays(20)->toDateTimeString(),
|
|
]);
|
|
|
|
$service->approve($requested, $approver, [
|
|
'effective_from' => now()->subDay()->toDateTimeString(),
|
|
'expires_at' => now()->addDays(20)->toDateTimeString(),
|
|
'approval_reason' => 'Approved with controls',
|
|
]);
|
|
|
|
$finding->forceFill([
|
|
'status' => Finding::STATUS_REOPENED,
|
|
'reopened_at' => now(),
|
|
'closed_reason' => null,
|
|
'closed_at' => null,
|
|
])->save();
|
|
|
|
$this->actingAs($viewer);
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::test(ViewFinding::class, ['record' => $finding->getKey()])
|
|
->assertSee('fresh decision is required');
|
|
|
|
Livewire::test(ListFindingExceptions::class)
|
|
->assertSee('fresh decision is required');
|
|
|
|
expect(app(FindingRiskGovernanceResolver::class)->resolveFindingState($finding->fresh('findingException')))
|
|
->toBe('ungoverned');
|
|
});
|