153 lines
5.6 KiB
PHP
153 lines
5.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Jobs\CaptureBaselineSnapshotJob;
|
|
use App\Models\BaselineProfile;
|
|
use App\Models\BaselineSnapshot;
|
|
use App\Models\BaselineSnapshotItem;
|
|
use App\Models\InventoryItem;
|
|
use App\Models\Policy;
|
|
use App\Models\PolicyVersion;
|
|
use App\Services\Baselines\BaselineSnapshotIdentity;
|
|
use App\Services\Baselines\InventoryMetaContract;
|
|
use App\Services\Intune\AuditLogger;
|
|
use App\Services\OperationRunService;
|
|
use App\Support\Baselines\BaselineSubjectKey;
|
|
|
|
it('captures intune role definitions with identity metadata and excludes role assignments from the baseline snapshot', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'scope_jsonb' => [
|
|
'policy_types' => [],
|
|
'foundation_types' => ['intuneRoleDefinition'],
|
|
],
|
|
]);
|
|
|
|
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
|
|
tenant: $tenant,
|
|
statusByType: [
|
|
'intuneRoleAssignment' => 'succeeded',
|
|
'intuneRoleDefinition' => 'succeeded',
|
|
],
|
|
foundationTypes: ['intuneRoleAssignment', 'intuneRoleDefinition'],
|
|
);
|
|
|
|
$policy = Policy::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'external_id' => 'role-def-1',
|
|
'display_name' => 'Security Reader',
|
|
'policy_type' => 'intuneRoleDefinition',
|
|
'platform' => 'all',
|
|
]);
|
|
|
|
$version = PolicyVersion::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'policy_id' => (int) $policy->getKey(),
|
|
'policy_type' => 'intuneRoleDefinition',
|
|
'platform' => 'all',
|
|
'captured_at' => now()->subMinute(),
|
|
'snapshot' => [
|
|
'displayName' => 'Security Reader',
|
|
'description' => 'Security reporting role',
|
|
'isBuiltIn' => false,
|
|
'rolePermissions' => [
|
|
[
|
|
'resourceActions' => [
|
|
[
|
|
'allowedResourceActions' => ['Microsoft.Intune/managedDevices/read'],
|
|
],
|
|
],
|
|
],
|
|
],
|
|
],
|
|
]);
|
|
|
|
InventoryItem::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'external_id' => 'role-def-1',
|
|
'policy_type' => 'intuneRoleDefinition',
|
|
'display_name' => 'Security Reader',
|
|
'category' => 'RBAC',
|
|
'platform' => 'all',
|
|
'meta_jsonb' => [
|
|
'odata_type' => '#microsoft.graph.deviceAndAppManagementRoleDefinition',
|
|
'etag' => 'E-RBAC-1',
|
|
'is_built_in' => false,
|
|
'role_permission_count' => 1,
|
|
'warnings' => [],
|
|
],
|
|
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
|
|
'last_seen_at' => now(),
|
|
]);
|
|
|
|
InventoryItem::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'external_id' => 'role-assignment-1',
|
|
'policy_type' => 'intuneRoleAssignment',
|
|
'display_name' => 'Security Reader Assignment',
|
|
'category' => 'RBAC',
|
|
'platform' => 'all',
|
|
'meta_jsonb' => [
|
|
'odata_type' => '#microsoft.graph.deviceAndAppManagementRoleAssignment',
|
|
'etag' => 'E-RBAC-A1',
|
|
'warnings' => [],
|
|
],
|
|
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
|
|
'last_seen_at' => now(),
|
|
]);
|
|
|
|
$operationRuns = app(OperationRunService::class);
|
|
$run = $operationRuns->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: 'baseline_capture',
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'source_tenant_id' => (int) $tenant->getKey(),
|
|
'effective_scope' => [
|
|
'policy_types' => [],
|
|
'foundation_types' => ['intuneRoleDefinition'],
|
|
],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
(new CaptureBaselineSnapshotJob($run))->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(InventoryMetaContract::class),
|
|
app(AuditLogger::class),
|
|
$operationRuns,
|
|
);
|
|
|
|
$snapshot = BaselineSnapshot::query()
|
|
->where('baseline_profile_id', (int) $profile->getKey())
|
|
->sole();
|
|
|
|
expect(BaselineSnapshotItem::query()->where('baseline_snapshot_id', (int) $snapshot->getKey())->count())->toBe(1);
|
|
|
|
$item = BaselineSnapshotItem::query()
|
|
->where('baseline_snapshot_id', (int) $snapshot->getKey())
|
|
->sole();
|
|
|
|
$expectedSubjectKey = BaselineSubjectKey::forPolicy('intuneRoleDefinition', 'Security Reader', 'role-def-1');
|
|
$expectedExternalReference = BaselineSubjectKey::workspaceSafeSubjectExternalIdForPolicy('intuneRoleDefinition', 'Security Reader', 'role-def-1');
|
|
|
|
expect($item->policy_type)->toBe('intuneRoleDefinition');
|
|
expect($item->subject_key)->toBe($expectedSubjectKey);
|
|
expect($item->subject_external_id)->toBe($expectedExternalReference);
|
|
expect($item->subject_external_id)->not->toBe('role-def-1');
|
|
|
|
$meta = is_array($item->meta_jsonb) ? $item->meta_jsonb : [];
|
|
|
|
expect(data_get($meta, 'identity.strategy'))->toBe('external_id');
|
|
expect(data_get($meta, 'rbac.is_built_in'))->toBeFalse();
|
|
expect(data_get($meta, 'rbac.role_permission_count'))->toBe(1);
|
|
expect(data_get($meta, 'version_reference.policy_version_id'))->toBe((int) $version->getKey());
|
|
expect(data_get($meta, 'evidence.source'))->toBe('policy_version');
|
|
});
|