ahmido
0987527d0e
## Summary - add persisted customer review acknowledgement truth with capability gating and audit emission - extend the customer review workspace with acknowledgement state, evidence basis details, and accepted-risk lifecycle visibility - add focused feature and browser coverage plus Spec 343 screenshot artifacts and UI audit updates ## Scope - Livewire v4 / Filament v5 surface only; no panel provider changes - no new global assets; no `filament:assets` deployment change for this slice - includes a PostgreSQL migration for `environment_review_acknowledgements` ## Guardrail / Exception / Smoke Coverage - reachable UI surface changed: existing `/admin/reviews/workspace` customer-safe page - UI audit updated in `docs/ui-ux-enterprise-audit/page-reports/ui-006-customer-review-workspace.md` - screenshot artifacts included under `specs/343-customer-review-attestation-accepted-risk-lifecycle/artifacts/screenshots/` - spec package includes plan, tasks, repo-truth map, and state contract for the implemented slice ## Notes - target branch requested: `platform-dev` - branch pushed from commit `aaaad441fd13dbac54e971ab48765c502ced6b3f` Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #415
201 lines
6.5 KiB
PHP
201 lines
6.5 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Auth;
|
|
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\TenantRole;
|
|
|
|
/**
|
|
* Role to Capability Mapping (Single Source of Truth)
|
|
*
|
|
* This class defines which capabilities each role has.
|
|
* All capability strings MUST be references from the Capabilities registry.
|
|
*/
|
|
class RoleCapabilityMap
|
|
{
|
|
private static array $roleCapabilities = [
|
|
TenantRole::Owner->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_MANAGE,
|
|
Capabilities::TENANT_DELETE,
|
|
Capabilities::TENANT_SYNC,
|
|
Capabilities::SUPPORT_DIAGNOSTICS_VIEW,
|
|
Capabilities::SUPPORT_REQUESTS_CREATE,
|
|
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::TENANT_FINDINGS_TRIAGE,
|
|
Capabilities::TENANT_FINDINGS_ASSIGN,
|
|
Capabilities::TENANT_FINDINGS_RESOLVE,
|
|
Capabilities::TENANT_FINDINGS_CLOSE,
|
|
Capabilities::TENANT_FINDINGS_RISK_ACCEPT,
|
|
Capabilities::FINDING_EXCEPTION_VIEW,
|
|
Capabilities::FINDING_EXCEPTION_MANAGE,
|
|
Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
Capabilities::TENANT_MEMBERSHIP_MANAGE,
|
|
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
Capabilities::TENANT_ROLE_MAPPING_MANAGE,
|
|
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE,
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
Capabilities::PROVIDER_MANAGE,
|
|
Capabilities::PROVIDER_MANAGE_DEDICATED,
|
|
Capabilities::PROVIDER_RUN,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
Capabilities::ENTRA_ROLES_MANAGE,
|
|
|
|
Capabilities::PERMISSION_POSTURE_VIEW,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::REVIEW_PACK_MANAGE,
|
|
Capabilities::ENVIRONMENT_REVIEW_VIEW,
|
|
Capabilities::ENVIRONMENT_REVIEW_MANAGE,
|
|
Capabilities::ENVIRONMENT_REVIEW_ACKNOWLEDGE,
|
|
Capabilities::MANAGED_ENVIRONMENT_TRIAGE_REVIEW_MANAGE,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
Capabilities::EVIDENCE_MANAGE,
|
|
],
|
|
|
|
TenantRole::Manager->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_MANAGE,
|
|
Capabilities::TENANT_SYNC,
|
|
Capabilities::SUPPORT_DIAGNOSTICS_VIEW,
|
|
Capabilities::SUPPORT_REQUESTS_CREATE,
|
|
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::TENANT_FINDINGS_TRIAGE,
|
|
Capabilities::TENANT_FINDINGS_ASSIGN,
|
|
Capabilities::TENANT_FINDINGS_RESOLVE,
|
|
Capabilities::TENANT_FINDINGS_CLOSE,
|
|
Capabilities::TENANT_FINDINGS_RISK_ACCEPT,
|
|
Capabilities::FINDING_EXCEPTION_VIEW,
|
|
Capabilities::FINDING_EXCEPTION_MANAGE,
|
|
Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE,
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
Capabilities::PROVIDER_MANAGE,
|
|
Capabilities::PROVIDER_RUN,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
Capabilities::ENTRA_ROLES_MANAGE,
|
|
|
|
Capabilities::PERMISSION_POSTURE_VIEW,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::REVIEW_PACK_MANAGE,
|
|
Capabilities::ENVIRONMENT_REVIEW_VIEW,
|
|
Capabilities::ENVIRONMENT_REVIEW_MANAGE,
|
|
Capabilities::ENVIRONMENT_REVIEW_ACKNOWLEDGE,
|
|
Capabilities::MANAGED_ENVIRONMENT_TRIAGE_REVIEW_MANAGE,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
Capabilities::EVIDENCE_MANAGE,
|
|
],
|
|
|
|
TenantRole::Operator->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_SYNC,
|
|
Capabilities::SUPPORT_DIAGNOSTICS_VIEW,
|
|
Capabilities::SUPPORT_REQUESTS_CREATE,
|
|
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::TENANT_FINDINGS_TRIAGE,
|
|
Capabilities::FINDING_EXCEPTION_VIEW,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
Capabilities::PROVIDER_RUN,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
|
|
Capabilities::PERMISSION_POSTURE_VIEW,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::ENVIRONMENT_REVIEW_VIEW,
|
|
Capabilities::MANAGED_ENVIRONMENT_TRIAGE_REVIEW_MANAGE,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
],
|
|
|
|
TenantRole::Readonly->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::FINDING_EXCEPTION_VIEW,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
|
|
Capabilities::PERMISSION_POSTURE_VIEW,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::ENVIRONMENT_REVIEW_VIEW,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
],
|
|
];
|
|
|
|
/**
|
|
* Get all capabilities for a given role
|
|
*
|
|
* @return array<string>
|
|
*/
|
|
public static function getCapabilities(TenantRole|string $role): array
|
|
{
|
|
$roleValue = $role instanceof TenantRole ? $role->value : $role;
|
|
|
|
return self::$roleCapabilities[$roleValue] ?? [];
|
|
}
|
|
|
|
/**
|
|
* Get all role values that grant a given capability.
|
|
*
|
|
* @return array<string>
|
|
*/
|
|
public static function rolesWithCapability(string $capability): array
|
|
{
|
|
$roles = [];
|
|
|
|
foreach (self::$roleCapabilities as $role => $capabilities) {
|
|
if (in_array($capability, $capabilities, true)) {
|
|
$roles[] = $role;
|
|
}
|
|
}
|
|
|
|
return $roles;
|
|
}
|
|
|
|
/**
|
|
* Check if a role has a specific capability
|
|
*/
|
|
public static function hasCapability(TenantRole|string $role, string $capability): bool
|
|
{
|
|
return in_array($capability, self::getCapabilities($role), true);
|
|
}
|
|
}
|