ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
04d0d6184f
TenantAtlas/apps/platform/tests/Feature/Baselines/BaselineCompareGapClassificationTest.php
ahmido 04d0d6184f feat(resources): implement provider resource identity binding (#452) 
Added `ProviderResourceBinding` model, migrations, policies, and supporting framework for canonical resource identity mapping as defined in Spec 381. This provides the structural capability to resolve baseline and posture discrepancies by binding logical entities across source providers to canonical identities.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #452
2026-06-15 18:45:38 +00:00

160 lines
7.4 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Jobs\CompareBaselineToTenantJob;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Models\InventoryItem;
use App\Models\ProviderResourceBinding;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Intune\AuditLogger;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineCaptureMode;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\OperationRunType;
use App\Support\Resources\ProviderResourceResolutionMode;
use App\Support\Resources\ResourceIdentity;
use Tests\Feature\Baselines\Support\AssertsStructuredBaselineGaps;
it('classifies compare capture-path gaps as structural or missing-local-data without using policy_not_found', function (): void {
config()->set('tenantpilot.baselines.full_content_capture.enabled', true);
config()->set('tenantpilot.baselines.full_content_capture.max_items_per_run', 50);
config()->set('tenantpilot.baselines.full_content_capture.max_concurrency', 1);
config()->set('tenantpilot.baselines.full_content_capture.max_retries', 0);
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
'capture_mode' => BaselineCaptureMode::FullContent->value,
'scope_jsonb' => [
'policy_types' => ['deviceConfiguration'],
'foundation_types' => ['roleScopeTag'],
],
]);
$snapshot = BaselineSnapshot::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
'captured_at' => now()->subMinute(),
]);
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
$policySubjectKey = BaselineSubjectKey::fromDisplayName('Missing Compare Policy');
$foundationSubjectKey = BaselineSubjectKey::fromDisplayName('Structural Compare Foundation');
expect($policySubjectKey)->not->toBeNull()
->and($foundationSubjectKey)->not->toBeNull();
ProviderResourceBinding::factory()
->providerResource(ResourceIdentity::providerResource('fake-provider', 'policy', 'compare-missing-policy'))
->create([
'managed_environment_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'canonical_subject_key' => (string) $policySubjectKey,
'display_label' => 'Fake Provider Binding For Missing Compare Policy',
'resolution_mode' => ProviderResourceResolutionMode::ManualBinding->value,
]);
BaselineSnapshotItem::factory()->create([
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'subject_type' => 'policy',
'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('deviceConfiguration', (string) $policySubjectKey),
'subject_key' => (string) $policySubjectKey,
'policy_type' => 'deviceConfiguration',
'baseline_hash' => hash('sha256', 'baseline-policy'),
'meta_jsonb' => ['display_name' => 'Missing Compare Policy'],
]);
BaselineSnapshotItem::factory()->create([
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'subject_type' => 'policy',
'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId('roleScopeTag', (string) $foundationSubjectKey),
'subject_key' => (string) $foundationSubjectKey,
'policy_type' => 'roleScopeTag',
'baseline_hash' => hash('sha256', 'baseline-foundation'),
'meta_jsonb' => ['display_name' => 'Structural Compare Foundation'],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $tenant,
statusByType: [
'deviceConfiguration' => 'succeeded',
'roleScopeTag' => 'succeeded',
],
foundationTypes: ['roleScopeTag'],
);
InventoryItem::factory()->create([
'managed_environment_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'external_id' => 'compare-missing-policy',
'policy_type' => 'deviceConfiguration',
'display_name' => 'Missing Compare Policy',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'etag-compare-policy'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
InventoryItem::factory()->create([
'managed_environment_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'external_id' => 'compare-scope-tag',
'policy_type' => 'roleScopeTag',
'display_name' => 'Structural Compare Foundation',
'meta_jsonb' => ['odata_type' => '#microsoft.graph.roleScopeTag', 'etag' => 'etag-compare-foundation'],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
$run = app(OperationRunService::class)->ensureRunWithIdentity(
tenant: $tenant,
type: OperationRunType::BaselineCompare->value,
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'effective_scope' => [
'policy_types' => ['deviceConfiguration'],
'foundation_types' => ['roleScopeTag'],
'truthful_types' => ['deviceConfiguration', 'roleScopeTag'],
],
'capture_mode' => BaselineCaptureMode::FullContent->value,
],
initiator: $user,
);
(new CompareBaselineToTenantJob($run))->handle(
app(BaselineSnapshotIdentity::class),
app(AuditLogger::class),
app(OperationRunService::class),
);
$run->refresh();
expect(data_get($run->context, 'baseline_compare.evidence_gaps.by_reason.policy_not_found'))->toBeNull()
->and(data_get($run->context, 'baseline_compare.provider_resource_bindings'))->toBeNull()
->and(data_get($run->context, 'baseline_compare.strategy.key'))->toBe('intune_policy')
->and(data_get($run->context, 'baseline_compare.strategy.selection_state'))->toBe('supported')
->and(data_get($run->context, 'baseline_compare.evidence_gaps.by_reason.policy_record_missing'))->toBe(1)
->and(data_get($run->context, 'baseline_compare.evidence_gaps.by_reason.foundation_not_policy_backed'))->toBe(1);
$subjects = data_get($run->context, 'baseline_compare.evidence_gaps.subjects');
expect($subjects)->toBeArray();
AssertsStructuredBaselineGaps::assertStructuredSubjects($subjects);
$subjectsByType = collect($subjects)->keyBy('policy_type');
expect(data_get($subjectsByType['deviceConfiguration'], 'resolution_outcome'))->toBe('policy_record_missing')
->and(data_get($subjectsByType['deviceConfiguration'], 'reason_code'))->toBe('policy_record_missing')
->and(data_get($subjectsByType['deviceConfiguration'], 'operator_action_category'))->toBe('run_policy_sync_or_backup');
expect(data_get($subjectsByType['roleScopeTag'], 'resolution_outcome'))->toBe('foundation_inventory_only')
->and(data_get($subjectsByType['roleScopeTag'], 'reason_code'))->toBe('foundation_not_policy_backed')
->and(data_get($subjectsByType['roleScopeTag'], 'operator_action_category'))->toBe('product_follow_up');
});
Reference in New Issue View Git Blame Copy Permalink