ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
feat/138-managed-tenant-onboarding-draft-identity
TenantAtlas/tests/Unit/IntuneRoleDefinitionNormalizerTest.php
ahmido ef41c9193a feat: add Intune RBAC baseline compare support (#156) 
## Summary
- add Intune RBAC Role Definition baseline scope support, capture references, compare classification, findings evidence, and landing/detail UI labels
- keep Intune Role Assignments explicitly excluded from baseline compare scope, summaries, findings, and restore messaging
- add focused Pest coverage for baseline scope selection, capture, compare behavior, recurrence, isolation, findings rendering, inventory anchoring, and RBAC summaries

## Verification
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Unit/Inventory/InventoryPolicyTypeMetaBaselineSupportTest.php tests/Unit/Baselines/BaselinePolicyVersionResolverTest.php tests/Unit/Baselines/BaselineScopeTest.php tests/Unit/IntuneRoleDefinitionNormalizerTest.php tests/Feature/Baselines/BaselineCaptureRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareDriftEvidenceContractRbacTest.php tests/Feature/Baselines/BaselineCompareCoverageGuardTest.php tests/Feature/Baselines/BaselineCompareCrossTenantMatchTest.php tests/Feature/Baselines/BaselineCompareFindingRecurrenceKeyTest.php tests/Feature/Baselines/BaselineCompareWhyNoFindingsReasonCodeTest.php tests/Feature/Filament/BaselineProfileFoundationScopeTest.php tests/Feature/Filament/BaselineSnapshotRbacRoleDefinitionsTest.php tests/Feature/Filament/BaselineCompareLandingRbacLabelsTest.php tests/Feature/Filament/FindingViewRbacEvidenceTest.php tests/Feature/Findings/FindingRecurrenceTest.php tests/Feature/Findings/DriftStaleAutoResolveTest.php tests/Feature/Inventory/InventorySyncButtonTest.php tests/Feature/Inventory/InventorySyncServiceTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php`
- result: `71 passed (467 assertions)`

## Filament / Platform Notes
- Livewire compliance: unchanged and compatible with Livewire v4.0+
- Provider registration: no panel/provider changes; `bootstrap/providers.php` remains the registration location
- Global search: no new globally searchable resource added; existing global search behavior is unchanged
- Destructive actions: no new destructive actions introduced; existing confirmed actions remain unchanged
- Assets: no new Filament assets introduced; deploy asset handling remains unchanged, including `php artisan filament:assets`
- Testing plan covered: baseline profile scope, snapshot detail, compare job, findings recurrence, findings detail, compare landing labels, inventory sync anchoring, and tenant isolation

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #156
2026-03-09 18:49:20 +00:00

137 lines
5.3 KiB
PHP
Raw Permalink Blame History

<?php
use App\Services\Intune\IntuneRoleDefinitionNormalizer;
it('normalizes built-in intune role definitions into readable permission blocks', function (): void {
$normalizer = app(IntuneRoleDefinitionNormalizer::class);
$snapshot = [
'@odata.type' => '#microsoft.graph.deviceAndAppManagementRoleDefinition',
'displayName' => 'Policy and Profile Manager',
'description' => 'Built-in RBAC role',
'isBuiltIn' => true,
'rolePermissions' => [
[
'resourceActions' => [
[
'allowedResourceActions' => [
'Microsoft.Intune/deviceConfigurations/read',
'Microsoft.Intune/deviceConfigurations/create',
],
'notAllowedResourceActions' => [
'Microsoft.Intune/deviceConfigurations/delete',
],
],
],
],
],
'roleScopeTagIds' => ['scope-1', '0'],
];
$result = $normalizer->normalize($snapshot, 'intuneRoleDefinition', 'all');
$summary = collect($result['settings'])->firstWhere('title', 'Role definition');
$permissionBlock = collect($result['settings'])->firstWhere('title', 'Permission block 1');
$summaryEntries = collect($summary['entries'] ?? [])->keyBy('key');
$permissionEntries = collect($permissionBlock['entries'] ?? [])->keyBy('key');
expect($result['status'])->toBe('ok');
expect($summaryEntries['Role source']['value'] ?? null)->toBe('Built-in');
expect($summaryEntries['Permission blocks']['value'] ?? null)->toBe(1);
expect($summaryEntries['Scope tag IDs']['value'] ?? null)->toBe(['scope-1', '0']);
expect($permissionEntries['Allowed actions']['value'] ?? null)->toBe([
'Microsoft.Intune/deviceConfigurations/create',
'Microsoft.Intune/deviceConfigurations/read',
]);
expect($permissionEntries['Denied actions']['value'] ?? null)->toBe([
'Microsoft.Intune/deviceConfigurations/delete',
]);
});
it('flattens custom intune role definitions deterministically regardless of permission block order', function (): void {
$normalizer = app(IntuneRoleDefinitionNormalizer::class);
$firstSnapshot = [
'displayName' => 'Custom RBAC Role',
'isBuiltIn' => false,
'rolePermissions' => [
[
'resourceActions' => [
[
'allowedResourceActions' => [
'Microsoft.Intune/deviceCompliancePolicies/read',
],
],
],
],
[
'resourceActions' => [
[
'allowedResourceActions' => [
'Microsoft.Intune/deviceConfigurations/read',
],
'condition' => '@Resource[Microsoft.Intune/deviceConfigurations] Exists',
],
],
],
],
];
$secondSnapshot = [
'displayName' => 'Custom RBAC Role',
'isBuiltIn' => false,
'rolePermissions' => [
$firstSnapshot['rolePermissions'][1],
$firstSnapshot['rolePermissions'][0],
],
];
expect($normalizer->flattenForDiff($firstSnapshot, 'intuneRoleDefinition', 'all'))
->toBe($normalizer->flattenForDiff($secondSnapshot, 'intuneRoleDefinition', 'all'));
});
it('classifies metadata-only role definition changes separately from permission changes', function (): void {
$normalizer = app(IntuneRoleDefinitionNormalizer::class);
$baselineSnapshot = [
'displayName' => 'Custom RBAC Role',
'description' => 'Baseline description',
'isBuiltIn' => false,
'rolePermissions' => [
[
'resourceActions' => [
[
'allowedResourceActions' => [
'Microsoft.Intune/deviceConfigurations/read',
],
],
],
],
],
'roleScopeTagIds' => ['0'],
];
$metadataOnlySnapshot = $baselineSnapshot;
$metadataOnlySnapshot['description'] = 'Updated description';
$permissionChangedSnapshot = $baselineSnapshot;
$permissionChangedSnapshot['rolePermissions'][0]['resourceActions'][0]['allowedResourceActions'][] = 'Microsoft.Intune/deviceConfigurations/delete';
$metadataDiff = $normalizer->classifyDiff($baselineSnapshot, $metadataOnlySnapshot, 'all');
$permissionDiff = $normalizer->classifyDiff($baselineSnapshot, $permissionChangedSnapshot, 'all');
expect($metadataDiff['diff_kind'])->toBe('metadata_only');
expect($metadataDiff['changed_keys'])->toBe([
'Role definition > Description',
]);
expect($metadataDiff['metadata_keys'])->toBe([
'Role definition > Description',
]);
expect($metadataDiff['permission_keys'])->toBe([]);
expect($metadataDiff['diff_fingerprint'])->not->toBe($permissionDiff['diff_fingerprint']);
expect($permissionDiff['diff_kind'])->toBe('permission_change');
expect($permissionDiff['changed_keys'])->toContain('Permission block 1 > Allowed actions');
expect($permissionDiff['permission_keys'])->toContain('Permission block 1 > Allowed actions');
});
Reference in New Issue View Git Blame Copy Permalink