ahmido
6a15fe978a
## Summary Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support. ## What's included ### Core Services - **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication - **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog - **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.) - **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline ### UI - **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button - RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger ### Infrastructure - Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments` - `config/entra_permissions.php` — Entra permission registry - `StoredReport.fingerprint` migration (deduplication support) - `OperationCatalog` label + duration for `entra.admin_roles.scan` - Artisan command `entra:scan-admin-roles` for CLI/scheduled use ### Global UX improvement - **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications. ## Test Coverage - **12 test files**, **79+ tests**, **307+ assertions** - Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping ## Spec artifacts - `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete) - `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked ## Files changed 46 files changed, 3641 insertions(+), 15 deletions(-) Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #128
63 lines
2.1 KiB
PHP
63 lines
2.1 KiB
PHP
@php
|
|
/** @var ?\App\Models\Tenant $tenant */
|
|
/** @var ?array $reportSummary */
|
|
/** @var ?string $lastScanAt */
|
|
/** @var int $highPrivilegeCount */
|
|
/** @var bool $canManage */
|
|
/** @var bool $canView */
|
|
/** @var ?string $viewReportUrl */
|
|
@endphp
|
|
|
|
<x-filament::section heading="Entra admin roles">
|
|
<x-slot name="afterHeader">
|
|
@if ($canView && $viewReportUrl)
|
|
<a
|
|
href="{{ $viewReportUrl }}"
|
|
class="text-sm font-medium text-primary-600 hover:text-primary-500 dark:text-primary-400 dark:hover:text-primary-300"
|
|
>
|
|
View latest report
|
|
</a>
|
|
@endif
|
|
</x-slot>
|
|
|
|
@if ($reportSummary === null)
|
|
<div class="text-sm text-gray-500 dark:text-gray-400">
|
|
No scan performed yet.
|
|
</div>
|
|
@else
|
|
<div class="space-y-3">
|
|
<div class="flex items-center justify-between gap-3">
|
|
<div class="text-sm text-gray-500 dark:text-gray-400">
|
|
Last scan
|
|
</div>
|
|
<div class="text-sm font-medium">
|
|
{{ $lastScanAt }}
|
|
</div>
|
|
</div>
|
|
|
|
<div class="flex items-center justify-between gap-3">
|
|
<div class="text-sm text-gray-500 dark:text-gray-400">
|
|
High-privilege assignments
|
|
</div>
|
|
<div class="text-sm font-medium {{ $highPrivilegeCount > 0 ? 'text-danger-600 dark:text-danger-400' : 'text-success-600 dark:text-success-400' }}">
|
|
{{ $highPrivilegeCount }}
|
|
</div>
|
|
</div>
|
|
</div>
|
|
@endif
|
|
|
|
@if ($canManage)
|
|
<div class="mt-4">
|
|
<x-filament::button
|
|
wire:click="scanNow"
|
|
size="sm"
|
|
color="primary"
|
|
wire:loading.attr="disabled"
|
|
>
|
|
<span wire:loading.remove wire:target="scanNow">Scan now</span>
|
|
<span wire:loading wire:target="scanNow">Scanning…</span>
|
|
</x-filament::button>
|
|
</div>
|
|
@endif
|
|
</x-filament::section>
|