ahmido
0dc79520a4
Implements provider access hardening for Intune write operations: - RBAC-based write gate with configurable staleness thresholds - Gate enforced at restore start and in jobs (execute + assignments) - UI affordances: disabled rerun action, tenant RBAC status card, refresh RBAC action - Audit logging for blocked writes - Ops UX label: `rbac.health_check` now displays as “RBAC health check” - Adds/updates Pest tests and SpecKit artifacts for feature 108 Notes: - Filament v5 / Livewire v4 compliant. - Destructive actions require confirmation. - Assets: no new global assets. Tested: - `vendor/bin/sail artisan test --compact` (suite previously green) + focused OpsUx tests for OperationCatalog labels. - `vendor/bin/sail bin pint --dirty`. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #132
70 lines
2.2 KiB
PHP
70 lines
2.2 KiB
PHP
<?php
|
|
|
|
use App\Contracts\Hardening\WriteGateInterface;
|
|
use App\Exceptions\Hardening\ProviderAccessHardeningRequired;
|
|
use App\Models\Tenant;
|
|
use App\Services\Hardening\IntuneRbacWriteGate;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
beforeEach(function () {
|
|
config()->set('tenantpilot.hardening.intune_write_gate.enabled', true);
|
|
config()->set('tenantpilot.hardening.intune_write_gate.freshness_threshold_hours', 24);
|
|
});
|
|
|
|
test('gate blocks when rbac_status is null', function () {
|
|
$tenant = Tenant::factory()->create([
|
|
'rbac_status' => null,
|
|
'rbac_last_checked_at' => null,
|
|
]);
|
|
|
|
$gate = app(WriteGateInterface::class);
|
|
|
|
expect(fn () => $gate->evaluate($tenant, 'restore.execute'))
|
|
->toThrow(ProviderAccessHardeningRequired::class);
|
|
|
|
try {
|
|
$gate->evaluate($tenant, 'restore.execute');
|
|
} catch (ProviderAccessHardeningRequired $e) {
|
|
expect($e->reasonCode)->toBe('intune_rbac.not_configured')
|
|
->and($e->tenantId)->toBe((int) $tenant->getKey())
|
|
->and($e->operationType)->toBe('restore.execute');
|
|
}
|
|
});
|
|
|
|
test('gate blocks when rbac_status is not_configured', function () {
|
|
$tenant = Tenant::factory()->create([
|
|
'rbac_status' => 'not_configured',
|
|
'rbac_last_checked_at' => null,
|
|
]);
|
|
|
|
$gate = app(WriteGateInterface::class);
|
|
|
|
try {
|
|
$gate->evaluate($tenant, 'restore.execute');
|
|
$this->fail('Expected ProviderAccessHardeningRequired to be thrown');
|
|
} catch (ProviderAccessHardeningRequired $e) {
|
|
expect($e->reasonCode)->toBe('intune_rbac.not_configured')
|
|
->and($e->tenantId)->toBe((int) $tenant->getKey());
|
|
}
|
|
});
|
|
|
|
test('wouldBlock returns true when rbac_status is null', function () {
|
|
$tenant = Tenant::factory()->create([
|
|
'rbac_status' => null,
|
|
'rbac_last_checked_at' => null,
|
|
]);
|
|
|
|
expect(app(WriteGateInterface::class)->wouldBlock($tenant))->toBeTrue();
|
|
});
|
|
|
|
test('wouldBlock returns true when rbac_status is not_configured', function () {
|
|
$tenant = Tenant::factory()->create([
|
|
'rbac_status' => 'not_configured',
|
|
'rbac_last_checked_at' => null,
|
|
]);
|
|
|
|
expect(app(WriteGateInterface::class)->wouldBlock($tenant))->toBeTrue();
|
|
});
|