ahmido
1f3619bd16
## Summary - introduce a shared tenant-owned query and record-resolution canon for first-slice Filament resources - harden direct views, row actions, bulk actions, relation managers, and workspace-admin canonical viewers against wrong-tenant access - add registry-backed rollout metadata, search posture handling, architectural guards, and focused Pest coverage for scope parity and 404/403 semantics ## Included - Spec 150 package under `specs/150-tenant-owned-query-canon-and-wrong-tenant-guards/` - shared support classes: `TenantOwnedModelFamilies`, `TenantOwnedQueryScope`, `TenantOwnedRecordResolver` - shared Filament concern: `InteractsWithTenantOwnedRecords` - resource/page/policy hardening across findings, policies, policy versions, backup schedules, backup sets, restore runs, inventory items, and Entra groups - additional regression coverage for canonical tenant state, wrong-tenant record resolution, relation-manager congruence, and action-surface guardrails ## Validation - `vendor/bin/sail artisan test --compact` passed - full suite result: `2733 passed, 8 skipped` - formatting applied with `vendor/bin/sail bin pint --dirty --format agent` ## Notes - Livewire v4.0+ compliant via existing Filament v5 stack - provider registration remains in `bootstrap/providers.php` - globally searchable first-slice posture: Entra groups scoped; policies and policy versions explicitly disabled - destructive actions continue to use confirmation and policy authorization - no new Filament assets added; existing deployment flow remains unchanged, including `php artisan filament:assets` when registered assets are used Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #180
168 lines
7.1 KiB
PHP
168 lines
7.1 KiB
PHP
<?php
|
|
|
|
namespace App\Filament\Resources\PolicyResource\Pages;
|
|
|
|
use App\Filament\Resources\PolicyResource;
|
|
use App\Jobs\CapturePolicySnapshotJob;
|
|
use App\Services\Intune\AuditLogger;
|
|
use App\Services\OperationRunService;
|
|
use App\Services\Operations\BulkSelectionIdentity;
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\OperationRunLinks;
|
|
use App\Support\OpsUx\OperationUxPresenter;
|
|
use App\Support\Rbac\UiEnforcement;
|
|
use Filament\Actions\Action;
|
|
use Filament\Forms;
|
|
use Filament\Notifications\Notification;
|
|
use Filament\Resources\Pages\ViewRecord;
|
|
use Filament\Support\Enums\Width;
|
|
use Illuminate\Database\Eloquent\Model;
|
|
use Illuminate\Support\Str;
|
|
|
|
class ViewPolicy extends ViewRecord
|
|
{
|
|
protected static string $resource = PolicyResource::class;
|
|
|
|
protected Width|string|null $maxContentWidth = Width::Full;
|
|
|
|
protected function resolveRecord(int|string $key): Model
|
|
{
|
|
return PolicyResource::resolveScopedRecordOrFail($key);
|
|
}
|
|
|
|
protected function getActions(): array
|
|
{
|
|
return [$this->makeCaptureSnapshotAction()];
|
|
}
|
|
|
|
private function makeCaptureSnapshotAction(): Action
|
|
{
|
|
$action = UiEnforcement::forAction(
|
|
Action::make('capture_snapshot')
|
|
->label('Capture snapshot')
|
|
->requiresConfirmation()
|
|
->modalHeading('Capture snapshot now')
|
|
->modalSubheading('This queues a background job that fetches the latest configuration from Microsoft Graph and stores a new policy version.')
|
|
->form([
|
|
Forms\Components\Checkbox::make('include_assignments')
|
|
->label('Include assignments')
|
|
->default(true)
|
|
->helperText('Captures assignment include/exclude targeting and filters.'),
|
|
Forms\Components\Checkbox::make('include_scope_tags')
|
|
->label('Include scope tags')
|
|
->default(true)
|
|
->helperText('Captures policy scope tag IDs.'),
|
|
])
|
|
->action(function (array $data, AuditLogger $auditLogger) {
|
|
$policy = $this->record;
|
|
|
|
$tenant = $policy->tenant;
|
|
$user = auth()->user();
|
|
|
|
if (! $tenant || ! $user) {
|
|
Notification::make()
|
|
->title('Missing tenant or user context.')
|
|
->danger()
|
|
->send();
|
|
|
|
return;
|
|
}
|
|
|
|
/** @var BulkSelectionIdentity $selection */
|
|
$selection = app(BulkSelectionIdentity::class);
|
|
$selectionIdentity = $selection->fromIds([(string) $policy->getKey()]);
|
|
|
|
/** @var OperationRunService $runs */
|
|
$runs = app(OperationRunService::class);
|
|
|
|
$includeAssignments = (bool) ($data['include_assignments'] ?? false);
|
|
$includeScopeTags = (bool) ($data['include_scope_tags'] ?? false);
|
|
|
|
$opRun = $runs->enqueueBulkOperation(
|
|
tenant: $tenant,
|
|
type: 'policy.capture_snapshot',
|
|
targetScope: [
|
|
'entra_tenant_id' => (string) ($tenant->tenant_id ?? $tenant->external_id),
|
|
],
|
|
selectionIdentity: $selectionIdentity,
|
|
dispatcher: function ($operationRun) use ($tenant, $policy, $user, $includeAssignments, $includeScopeTags): void {
|
|
CapturePolicySnapshotJob::dispatch(
|
|
tenantId: (int) $tenant->getKey(),
|
|
userId: (int) $user->getKey(),
|
|
policyId: (int) $policy->getKey(),
|
|
includeAssignments: $includeAssignments,
|
|
includeScopeTags: $includeScopeTags,
|
|
createdBy: $user->email ? Str::limit($user->email, 255, '') : null,
|
|
operationRun: $operationRun,
|
|
context: [],
|
|
);
|
|
},
|
|
initiator: $user,
|
|
extraContext: [
|
|
'policy_id' => (int) $policy->getKey(),
|
|
'include_assignments' => $includeAssignments,
|
|
'include_scope_tags' => $includeScopeTags,
|
|
],
|
|
emitQueuedNotification: false,
|
|
);
|
|
|
|
if (! $opRun->wasRecentlyCreated) {
|
|
Notification::make()
|
|
->title('Snapshot already in progress')
|
|
->body('An active run already exists for this policy. Opening run details.')
|
|
->actions([
|
|
\Filament\Actions\Action::make('view_run')
|
|
->label('View run')
|
|
->url(OperationRunLinks::view($opRun, $tenant)),
|
|
])
|
|
->info()
|
|
->send();
|
|
|
|
$this->redirect(OperationRunLinks::view($opRun, $tenant));
|
|
|
|
return;
|
|
}
|
|
|
|
$auditLogger->log(
|
|
tenant: $tenant,
|
|
action: 'policy.capture_snapshot_dispatched',
|
|
resourceType: 'operation_run',
|
|
resourceId: (string) $opRun->getKey(),
|
|
status: 'success',
|
|
context: [
|
|
'metadata' => [
|
|
'policy_id' => (int) $policy->getKey(),
|
|
'operation_run_id' => (int) $opRun->getKey(),
|
|
'include_assignments' => $includeAssignments,
|
|
'include_scope_tags' => $includeScopeTags,
|
|
],
|
|
],
|
|
actorId: (int) $user->getKey(),
|
|
actorEmail: $user->email,
|
|
actorName: $user->name,
|
|
);
|
|
|
|
OperationUxPresenter::queuedToast('policy.capture_snapshot')
|
|
->actions([
|
|
\Filament\Actions\Action::make('view_run')
|
|
->label('View run')
|
|
->url(OperationRunLinks::view($opRun, $tenant)),
|
|
])
|
|
->send();
|
|
|
|
$this->redirect(OperationRunLinks::view($opRun, $tenant));
|
|
})
|
|
->color('primary')
|
|
)
|
|
->requireCapability(Capabilities::TENANT_SYNC)
|
|
->tooltip('You do not have permission to capture policy snapshots.')
|
|
->apply();
|
|
|
|
if (! $action instanceof Action) {
|
|
throw new \RuntimeException('Capture snapshot action must resolve to a Filament action.');
|
|
}
|
|
|
|
return $action;
|
|
}
|
|
}
|