ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
222a7e0a97
TenantAtlas/tests/Feature/PermissionPosture/PermissionPostureFindingGeneratorTest.php
Ahmed Darrazi 222a7e0a97 feat(104): implement Provider Permission Posture 
- T001-T014: Foundation - StoredReport model/migration, Finding resolved
  lifecycle, badge mappings (resolved status, permission_posture type),
  OperationCatalog + AlertRule constants
- T015-T022: US1 - PermissionPostureFindingGenerator with fingerprint-based
  idempotent upsert, severity from feature-impact count, auto-resolve on
  grant, auto-reopen on revoke, error findings (FR-015), stale finding
  cleanup; GeneratePermissionPostureFindingsJob dispatched from health check;
  PostureResult VO + PostureScoreCalculator
- T023-T026: US2+US4 - Stored report payload validation, temporal ordering,
  polymorphic reusability, score accuracy acceptance tests
- T027-T029: US3 - EvaluateAlertsJob.permissionMissingEvents() wired into
  alert pipeline, AlertRuleResource event type option, cooldown/dedupe tests
- T030-T034: Polish - PruneStoredReportsCommand with config retention,
  scheduled daily, end-to-end integration test, Pint clean

UI bug fixes found during testing:
- FindingResource: hide Diff section for non-drift findings
- TenantRequiredPermissions: fix re-run verification link
- tenant-required-permissions.blade.php: preserve details open state

70 tests (50 PermissionPosture + 20 FindingResolved/Badge/Alert), 216 assertions
2026-02-21 23:31:03 +01:00

340 lines
13 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Models\Finding;
use App\Models\StoredReport;
use App\Models\User;
use App\Services\PermissionPosture\PermissionPostureFindingGenerator;
use App\Services\PermissionPosture\PostureResult;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
function buildComparison(array $permissions, string $overallStatus = 'missing'): array
{
return [
'overall_status' => $overallStatus,
'permissions' => $permissions,
'last_refreshed_at' => now()->toIso8601String(),
];
}
function missingPermission(string $key, array $features = ['policy-sync']): array
{
return ['key' => $key, 'type' => 'application', 'status' => 'missing', 'features' => $features];
}
function grantedPermission(string $key, array $features = ['policy-sync']): array
{
return ['key' => $key, 'type' => 'application', 'status' => 'granted', 'features' => $features];
}
function errorPermission(string $key, array $features = []): array
{
return ['key' => $key, 'type' => 'application', 'status' => 'error', 'features' => $features];
}
// (1) Creates findings for missing permissions
it('creates findings for missing permissions with correct attributes', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
$comparison = buildComparison([
missingPermission('DeviceManagementApps.ReadWrite.All', ['policy-sync', 'backup']),
]);
$result = $generator->generate($tenant, $comparison);
expect($result)->toBeInstanceOf(PostureResult::class)
->and($result->findingsCreated)->toBe(1);
$finding = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
->first();
expect($finding)->not->toBeNull()
->and($finding->source)->toBe('permission_check')
->and($finding->subject_type)->toBe('permission')
->and($finding->subject_external_id)->toBe('DeviceManagementApps.ReadWrite.All')
->and($finding->severity)->toBe(Finding::SEVERITY_HIGH) // 2 features → high
->and($finding->status)->toBe(Finding::STATUS_NEW)
->and($finding->evidence_jsonb['permission_key'])->toBe('DeviceManagementApps.ReadWrite.All')
->and($finding->evidence_jsonb['actual_status'])->toBe('missing')
->and($finding->fingerprint)->not->toBeEmpty();
});
// (2) Auto-resolves finding when permission granted
it('auto-resolves finding when permission is granted', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
// First run: missing
$generator->generate($tenant, buildComparison([
missingPermission('Perm.A'),
]));
expect(Finding::query()->where('tenant_id', $tenant->getKey())->where('status', Finding::STATUS_NEW)->count())->toBe(1);
// Second run: granted
$result = $generator->generate($tenant, buildComparison([
grantedPermission('Perm.A'),
], 'granted'));
expect($result->findingsResolved)->toBe(1);
$finding = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
->first();
expect($finding->status)->toBe(Finding::STATUS_RESOLVED)
->and($finding->resolved_at)->not->toBeNull()
->and($finding->resolved_reason)->toBe('permission_granted');
});
// (3) Auto-resolves acknowledged finding preserving metadata
it('auto-resolves acknowledged finding preserving acknowledged metadata', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
$generator->generate($tenant, buildComparison([missingPermission('Perm.A')]));
$finding = Finding::query()->where('tenant_id', $tenant->getKey())->first();
$ackUser = User::factory()->create();
$finding->acknowledge($ackUser);
$result = $generator->generate($tenant, buildComparison([grantedPermission('Perm.A')], 'granted'));
$finding->refresh();
expect($result->findingsResolved)->toBe(1)
->and($finding->status)->toBe(Finding::STATUS_RESOLVED)
->and($finding->acknowledged_at)->not->toBeNull()
->and($finding->acknowledged_by_user_id)->toBe($ackUser->getKey());
});
// (4) No duplicates on idempotent run
it('does not create duplicates on idempotent run', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
$comparison = buildComparison([missingPermission('Perm.A')]);
$result1 = $generator->generate($tenant, $comparison);
$result2 = $generator->generate($tenant, $comparison);
expect($result1->findingsCreated)->toBe(1)
->and($result2->findingsCreated)->toBe(0)
->and($result2->findingsUnchanged)->toBe(1);
expect(Finding::query()->where('tenant_id', $tenant->getKey())->count())->toBe(1);
});
// (5) Re-opens resolved finding when permission revoked again
it('re-opens resolved finding when permission is revoked again', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
// Missing → resolve → missing again
$generator->generate($tenant, buildComparison([missingPermission('Perm.A')]));
$generator->generate($tenant, buildComparison([grantedPermission('Perm.A')], 'granted'));
$finding = Finding::query()->where('tenant_id', $tenant->getKey())->first();
expect($finding->status)->toBe(Finding::STATUS_RESOLVED);
$result = $generator->generate($tenant, buildComparison([missingPermission('Perm.A')]));
$finding->refresh();
expect($result->findingsReopened)->toBe(1)
->and($finding->status)->toBe(Finding::STATUS_NEW)
->and($finding->resolved_at)->toBeNull()
->and($finding->resolved_reason)->toBeNull();
});
// (6) Creates error finding for status=error permissions
it('creates error finding for status=error permissions', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
$result = $generator->generate($tenant, buildComparison([
errorPermission('Perm.Error'),
]));
expect($result->errorsRecorded)->toBe(1);
$finding = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
->first();
expect($finding)->not->toBeNull()
->and($finding->severity)->toBe(Finding::SEVERITY_LOW)
->and($finding->evidence_jsonb['check_error'])->toBeTrue()
->and($finding->evidence_jsonb['actual_status'])->toBe('error');
// Distinct fingerprint from missing findings
$generator->generate($tenant, buildComparison([
missingPermission('Perm.Error'),
]));
expect(Finding::query()->where('tenant_id', $tenant->getKey())->count())->toBe(2);
});
// (7) Severity derivation
it('derives severity from feature count', function (int $featureCount, string $expectedSeverity): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
$features = array_map(fn (int $i): string => "feature-$i", range(1, max(1, $featureCount)));
if ($featureCount === 0) {
$features = [];
}
$generator->generate($tenant, buildComparison([
missingPermission('Perm.Sev', $features),
]));
$finding = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
->whereNull('resolved_at')
->first();
expect($finding->severity)->toBe($expectedSeverity);
})->with([
'0 features → low' => [0, Finding::SEVERITY_LOW],
'1 feature → medium' => [1, Finding::SEVERITY_MEDIUM],
'2 features → high' => [2, Finding::SEVERITY_HIGH],
'3+ features → critical' => [3, Finding::SEVERITY_CRITICAL],
'5 features → critical' => [5, Finding::SEVERITY_CRITICAL],
]);
// (8) Creates StoredReport with correct payload
it('creates StoredReport with correct payload', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
$comparison = buildComparison([
grantedPermission('Perm.A', ['a', 'b']),
missingPermission('Perm.B', ['c']),
]);
$result = $generator->generate($tenant, $comparison);
$report = StoredReport::query()->find($result->storedReportId);
expect($report)->not->toBeNull()
->and($report->report_type)->toBe(StoredReport::REPORT_TYPE_PERMISSION_POSTURE)
->and($report->tenant_id)->toBe($tenant->getKey())
->and($report->payload['posture_score'])->toBe(50)
->and($report->payload['required_count'])->toBe(2)
->and($report->payload['granted_count'])->toBe(1)
->and($report->payload)->toHaveKey('checked_at')
->and($report->payload['permissions'])->toHaveCount(2);
});
// (9) No findings when all granted
it('resolves open findings when all permissions are granted', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
$generator->generate($tenant, buildComparison([missingPermission('Perm.A')]));
expect(Finding::query()->where('tenant_id', $tenant->getKey())->where('status', Finding::STATUS_NEW)->count())->toBe(1);
$result = $generator->generate($tenant, buildComparison([grantedPermission('Perm.A')], 'granted'));
expect($result->findingsResolved)->toBe(1)
->and($result->findingsCreated)->toBe(0);
});
// (10) Produces alert events for new and reopened findings only
it('produces alert events for new and reopened findings only', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
// Run 1: create new finding → should produce alert event
$generator->generate($tenant, buildComparison([missingPermission('Perm.A')]));
$events = $generator->getAlertEvents();
expect($events)->toHaveCount(1)
->and($events[0]['event_type'])->toBe('permission_missing');
});
// (11) Generator reads permissions from comparison, not hardcoded
it('processes arbitrary permission keys from comparison', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
$generator->generate($tenant, buildComparison([
missingPermission('CustomPerm.ReadWrite.All', ['feature-x']),
]));
$finding = Finding::query()->where('tenant_id', $tenant->getKey())->first();
expect($finding->subject_external_id)->toBe('CustomPerm.ReadWrite.All');
});
// (12) All findings are scoped to tenant_id
it('scopes all findings to tenant_id', function (): void {
[$user1, $tenant1] = createUserWithTenant();
[$user2, $tenant2] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
$generator->generate($tenant1, buildComparison([missingPermission('Perm.A')]));
$generator->generate($tenant2, buildComparison([missingPermission('Perm.A')]));
expect(Finding::query()->where('tenant_id', $tenant1->getKey())->count())->toBe(1)
->and(Finding::query()->where('tenant_id', $tenant2->getKey())->count())->toBe(1);
});
// (13) subject_type and subject_external_id set correctly
it('sets subject_type=permission and subject_external_id on all posture findings', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
$generator->generate($tenant, buildComparison([
missingPermission('DeviceManagementApps.ReadWrite.All'),
missingPermission('DeviceManagementConfiguration.ReadWrite.All'),
]));
$findings = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
->get();
foreach ($findings as $finding) {
expect($finding->subject_type)->toBe('permission')
->and($finding->subject_external_id)->not->toBeEmpty();
}
});
// (14) Stale findings auto-resolved for registry removals
it('auto-resolves stale findings for permissions removed from registry', function (): void {
[$user, $tenant] = createUserWithTenant();
$generator = app(PermissionPostureFindingGenerator::class);
// Run 1: Perm.A and Perm.B are missing
$generator->generate($tenant, buildComparison([
missingPermission('Perm.A'),
missingPermission('Perm.B'),
]));
expect(Finding::query()->where('tenant_id', $tenant->getKey())->where('status', Finding::STATUS_NEW)->count())->toBe(2);
// Run 2: Perm.B is no longer in the registry (only Perm.A remains)
$result = $generator->generate($tenant, buildComparison([
missingPermission('Perm.A'),
]));
expect($result->findingsResolved)->toBeGreaterThanOrEqual(1);
$stale = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
->whereJsonContains('evidence_jsonb->permission_key', 'Perm.B')
->first();
expect($stale->status)->toBe(Finding::STATUS_RESOLVED)
->and($stale->resolved_reason)->toBe('permission_removed_from_registry');
});
Reference in New Issue View Git Blame Copy Permalink