ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
169a6a1198
TenantAtlas/app/Services/EntraAdminRoles/EntraAdminRolesReportService.php
ahmido 6a15fe978a feat: Spec 105 — Entra Admin Roles Evidence + Findings (#128) 
## Summary

Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support.

## What's included

### Core Services
- **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication
- **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog
- **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.)
- **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline

### UI
- **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button
- RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger

### Infrastructure
- Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments`
- `config/entra_permissions.php` — Entra permission registry
- `StoredReport.fingerprint` migration (deduplication support)
- `OperationCatalog` label + duration for `entra.admin_roles.scan`
- Artisan command `entra:scan-admin-roles` for CLI/scheduled use

### Global UX improvement
- **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications.

## Test Coverage
- **12 test files**, **79+ tests**, **307+ assertions**
- Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping

## Spec artifacts
- `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete)
- `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked

## Files changed
46 files changed, 3641 insertions(+), 15 deletions(-)

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #128
2026-02-22 02:37:36 +00:00

194 lines
6.7 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Services\EntraAdminRoles;
use App\Models\OperationRun;
use App\Models\StoredReport;
use App\Models\Tenant;
use App\Services\Graph\GraphClientInterface;
use App\Services\Providers\MicrosoftGraphOptionsResolver;
use Carbon\CarbonImmutable;
use RuntimeException;
final class EntraAdminRolesReportService
{
public function __construct(
private readonly GraphClientInterface $graphClient,
private readonly HighPrivilegeRoleCatalog $catalog,
private readonly MicrosoftGraphOptionsResolver $graphOptionsResolver,
) {}
/**
* Fetch Graph data and produce a stored report for the given tenant.
*/
public function generate(Tenant $tenant, ?OperationRun $operationRun = null): EntraAdminRolesReportResult
{
$graphOptions = $this->graphOptionsResolver->resolveForTenant($tenant);
$roleDefinitions = $this->fetchRoleDefinitions($graphOptions);
$roleAssignments = $this->fetchRoleAssignments($graphOptions);
$payload = $this->buildPayload($roleDefinitions, $roleAssignments);
$fingerprint = $this->computeFingerprint($roleDefinitions, $roleAssignments);
$latestReport = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->orderByDesc('created_at')
->orderByDesc('id')
->first();
if ($latestReport instanceof StoredReport && $latestReport->fingerprint === $fingerprint) {
return new EntraAdminRolesReportResult(
created: false,
storedReportId: (int) $latestReport->getKey(),
fingerprint: $fingerprint,
payload: $payload,
);
}
$report = StoredReport::create([
'tenant_id' => (int) $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
'payload' => $payload,
'fingerprint' => $fingerprint,
'previous_fingerprint' => $latestReport?->fingerprint,
]);
return new EntraAdminRolesReportResult(
created: true,
storedReportId: (int) $report->getKey(),
fingerprint: $fingerprint,
payload: $payload,
);
}
/**
* @return array<int, array<string, mixed>>
*/
private function fetchRoleDefinitions(array $graphOptions): array
{
$response = $this->graphClient->listPolicies('entraRoleDefinitions', $graphOptions);
if ($response->failed()) {
throw new RuntimeException('Failed to fetch Entra role definitions from Graph API.');
}
return $response->data;
}
/**
* @return array<int, array<string, mixed>>
*/
private function fetchRoleAssignments(array $graphOptions): array
{
$response = $this->graphClient->listPolicies('entraRoleAssignments', $graphOptions);
if ($response->failed()) {
throw new RuntimeException('Failed to fetch Entra role assignments from Graph API.');
}
return $response->data;
}
/**
* @return array<string, mixed>
*/
private function buildPayload(array $roleDefinitions, array $roleAssignments): array
{
$roleDefMap = [];
foreach ($roleDefinitions as $def) {
$id = (string) ($def['id'] ?? '');
if ($id !== '') {
$roleDefMap[$id] = $def;
}
}
$highPrivilegeAssignments = [];
foreach ($roleAssignments as $assignment) {
$roleDefId = (string) ($assignment['roleDefinitionId'] ?? '');
$roleDef = $roleDefMap[$roleDefId] ?? null;
$templateId = (string) ($roleDef['templateId'] ?? $roleDefId);
$displayName = $roleDef !== null ? (string) ($roleDef['displayName'] ?? '') : null;
$severity = $this->catalog->classify($templateId, $displayName);
if ($severity !== null) {
$principal = $assignment['principal'] ?? [];
$highPrivilegeAssignments[] = [
'role_definition_id' => $roleDefId,
'role_template_id' => (string) ($roleDef['templateId'] ?? ''),
'role_display_name' => (string) ($roleDef['displayName'] ?? 'Unknown'),
'is_built_in' => (bool) ($roleDef['isBuiltIn'] ?? false),
'principal_id' => (string) ($assignment['principalId'] ?? ''),
'principal_display_name' => (string) ($principal['displayName'] ?? 'Unknown'),
'principal_type' => $this->resolvePrincipalType($principal),
'directory_scope_id' => (string) ($assignment['directoryScopeId'] ?? '/'),
'severity' => $severity,
];
}
}
return [
'provider_key' => 'microsoft',
'domain' => 'entra.admin_roles',
'measured_at' => CarbonImmutable::now('UTC')->toIso8601String(),
'role_definitions' => $roleDefinitions,
'role_assignments' => $roleAssignments,
'totals' => [
'roles_total' => count($roleDefinitions),
'assignments_total' => count($roleAssignments),
'high_privilege_assignments' => count($highPrivilegeAssignments),
],
'high_privilege' => $highPrivilegeAssignments,
];
}
private function computeFingerprint(array $roleDefinitions, array $roleAssignments): string
{
$roleDefMap = [];
foreach ($roleDefinitions as $def) {
$id = (string) ($def['id'] ?? '');
if ($id !== '') {
$roleDefMap[$id] = $def;
}
}
$tuples = [];
foreach ($roleAssignments as $assignment) {
$roleDefId = (string) ($assignment['roleDefinitionId'] ?? '');
$roleDef = $roleDefMap[$roleDefId] ?? null;
$templateId = (string) ($roleDef['templateId'] ?? $roleDefId);
$principalId = (string) ($assignment['principalId'] ?? '');
$scopeId = (string) ($assignment['directoryScopeId'] ?? '/');
$tuples[] = "{$templateId}:{$principalId}:{$scopeId}";
}
sort($tuples);
return hash('sha256', implode("\n", $tuples));
}
private function resolvePrincipalType(array $principal): string
{
$odataType = (string) ($principal['@odata.type'] ?? '');
return match (true) {
str_contains($odataType, 'user') => 'user',
str_contains($odataType, 'group') => 'group',
str_contains($odataType, 'servicePrincipal') => 'servicePrincipal',
default => 'unknown',
};
}
}
Reference in New Issue View Git Blame Copy Permalink