TenantAtlas/specs/108-provider-access-hardening/quickstart.md
ahmido 0dc79520a4 feat: provider access hardening (RBAC write gate) (#132)
Implements provider access hardening for Intune write operations:

- RBAC-based write gate with configurable staleness thresholds
- Gate enforced at restore start and in jobs (execute + assignments)
- UI affordances: disabled rerun action, tenant RBAC status card, refresh RBAC action
- Audit logging for blocked writes
- Ops UX label: `rbac.health_check` now displays as “RBAC health check”
- Adds/updates Pest tests and SpecKit artifacts for feature 108

Notes:
- Filament v5 / Livewire v4 compliant.
- Destructive actions require confirmation.
- Assets: no new global assets.

Tested:
- `vendor/bin/sail artisan test --compact` (suite previously green) + focused OpsUx tests for OperationCatalog labels.
- `vendor/bin/sail bin pint --dirty`.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #132
2026-02-23 00:49:37 +00:00


# Quickstart — Provider Access Hardening v1 (Intune Write Gate)

## Goal

Validate that Intune write operations (restore execution + restore assignments) are blocked unless tenant RBAC hardening is configured, healthy, and fresh.

## Local setup

- Start containers: `vendor/bin/sail up -d`

## Manual verification (once implemented)

1. Navigate to a tenant view page (TenantResource → View).
2. Set the tenant RBAC status to a blocked state (e.g., `rbac_status = null` or `degraded`, or make `rbac_last_checked_at` stale).
3. Attempt to start a restore execution (Restore Runs → Execute).
   - Expected: the start surface blocks before enqueue; the operator sees the reason and a CTA; no OperationRun is started for execution.
4. Attempt to trigger an assignments restore (where available).
   - Expected: blocked with the same reason codes.
5. For job-level defense-in-depth, directly enqueue the job (or trigger a code path that dispatches it) while the tenant is blocked.
   - Expected: the OperationRun is marked failed with a `reason_code` and no Graph mutation occurs.

## Test execution (once implemented)

Run the minimal related tests:

- `vendor/bin/sail artisan test --compact --filter=IntuneRbacWriteGate`
- or run the file-scoped tests created for this feature under `tests/Feature`.

## Notes

- Gate evaluation is DB-only; no synchronous Graph calls are allowed during UI evaluation.
- When the gate is disabled via config, writes proceed, but a warning is logged per evaluation that the gate is bypassed.
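The blocked states from steps 2 to 5 and the two notes above (DB-only evaluation, logged bypass when disabled), as an added PHP example that is not part of TenantAtlas. The class name `IntuneRbacWriteGate` is borrowed from the test filter above; the `evaluate` method, the reason-code strings, the `healthy` status value, the staleness threshold and the logging sink are assumptions, and the tenant rows at the bottom are constructed:

```php
<?php
// Added illustration of the write-gate decision the quickstart describes.
// Not TenantAtlas code: method names, reason-code strings and the 'healthy'
// status value are assumptions. Only the tenant columns (rbac_status,
// rbac_last_checked_at), the blocked states (null, degraded, stale) and the
// "bypass with a logged warning" behaviour come from the quickstart.
declare(strict_types=1);

final class WriteGateDecision
{
    public function __construct(
        public readonly bool $allowed,
        public readonly ?string $reasonCode, // null when the write may proceed
        public readonly string $message,     // operator-facing reason for the UI
    ) {
    }
}

final class IntuneRbacWriteGate
{
    /** @var callable(string,string,array):void audit/log sink */
    private $log;

    public function __construct(
        private readonly bool $enabled,          // config flag; false = bypass
        private readonly int $maxAgeSeconds,     // configurable staleness threshold
        callable $log,
        private readonly DateTimeImmutable $now, // injected clock, so staleness is testable
    ) {
        $this->log = $log;
    }

    // Decides from already-loaded tenant columns only. Nothing here talks to
    // Microsoft Graph, matching the "gate evaluation is DB-only" note.
    public function evaluate(string $tenantId, ?string $rbacStatus, ?DateTimeImmutable $lastCheckedAt): WriteGateDecision
    {
        if (!$this->enabled) {
            // Bypass is permitted but never silent: one warning per evaluation.
            ($this->log)('warning', 'Intune RBAC write gate bypassed by config', ['tenant_id' => $tenantId]);
            return new WriteGateDecision(true, null, 'RBAC write gate disabled by configuration');
        }
        if ($rbacStatus === null) {
            return $this->block($tenantId, 'rbac_not_configured',
                'RBAC hardening is not configured for this tenant. Run the RBAC health check first.');
        }
        if ($rbacStatus !== 'healthy') { // e.g. 'degraded'
            return $this->block($tenantId, 'rbac_unhealthy',
                sprintf('RBAC status is "%s"; Intune writes stay paused until it is healthy.', $rbacStatus));
        }
        $ageSeconds = $lastCheckedAt === null
            ? PHP_INT_MAX
            : $this->now->getTimestamp() - $lastCheckedAt->getTimestamp();
        if ($ageSeconds > $this->maxAgeSeconds) {
            return $this->block($tenantId, 'rbac_stale',
                'The last RBAC health check is too old. Refresh RBAC status before writing.');
        }
        return new WriteGateDecision(true, null, 'RBAC healthy and fresh');
    }

    private function block(string $tenantId, string $reasonCode, string $message): WriteGateDecision
    {
        // Audit entry for every blocked write, whichever surface asked (UI or job).
        ($this->log)('notice', 'Intune write blocked by RBAC gate', [
            'tenant_id' => $tenantId, 'reason_code' => $reasonCode,
        ]);
        return new WriteGateDecision(false, $reasonCode, $message);
    }
}

// --- Demo with constructed tenant rows (not real tenants) ---
$now = new DateTimeImmutable('2026-02-23T00:00:00Z');
$logLines = [];
$sink = function (string $level, string $msg, array $ctx) use (&$logLines): void {
    $logLines[] = sprintf('[%s] %s %s', $level, $msg, json_encode($ctx));
};
$gate = new IntuneRbacWriteGate(enabled: true, maxAgeSeconds: 6 * 3600, log: $sink, now: $now);

$tenants = [
    ['t-fresh',    'healthy',  $now->modify('-1 hour')], // allowed
    ['t-stale',    'healthy',  $now->modify('-2 days')], // rbac_stale
    ['t-degraded', 'degraded', $now->modify('-1 hour')], // rbac_unhealthy
    ['t-unset',    null,       null],                    // rbac_not_configured
];
foreach ($tenants as [$id, $status, $checked]) {
    $d = $gate->evaluate($id, $status, $checked);
    printf("%-10s allowed=%s reason=%s\n", $id, $d->allowed ? 'yes' : 'no', $d->reasonCode ?? '-');
}
// With the gate disabled the same tenant passes, but the call still logs a warning.
$bypass = new IntuneRbacWriteGate(enabled: false, maxAgeSeconds: 6 * 3600, log: $sink, now: $now);
$bypass->evaluate('t-unset', null, null);
echo implode("\n", $logLines), "\n";
```

Both the UI start surface and the job would call the same `evaluate` so that the reason codes match (step 4) and the job-level check cannot drift from the UI check (step 5); the injected clock is what lets a Pest test pin `rbac_last_checked_at` just inside and just outside the threshold without sleeping.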