222a7e0a97
- T001-T014: Foundation - StoredReport model/migration, Finding resolved lifecycle, badge mappings (resolved status, permission_posture type), OperationCatalog + AlertRule constants - T015-T022: US1 - PermissionPostureFindingGenerator with fingerprint-based idempotent upsert, severity from feature-impact count, auto-resolve on grant, auto-reopen on revoke, error findings (FR-015), stale finding cleanup; GeneratePermissionPostureFindingsJob dispatched from health check; PostureResult VO + PostureScoreCalculator - T023-T026: US2+US4 - Stored report payload validation, temporal ordering, polymorphic reusability, score accuracy acceptance tests - T027-T029: US3 - EvaluateAlertsJob.permissionMissingEvents() wired into alert pipeline, AlertRuleResource event type option, cooldown/dedupe tests - T030-T034: Polish - PruneStoredReportsCommand with config retention, scheduled daily, end-to-end integration test, Pint clean UI bug fixes found during testing: - FindingResource: hide Diff section for non-drift findings - TenantRequiredPermissions: fix re-run verification link - tenant-required-permissions.blade.php: preserve details open state 70 tests (50 PermissionPosture + 20 FindingResolved/Badge/Alert), 216 assertions
153 lines
6.0 KiB
PHP
153 lines
6.0 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Jobs\GeneratePermissionPostureFindingsJob;
|
|
use App\Models\Finding;
|
|
use App\Models\OperationRun;
|
|
use App\Models\StoredReport;
|
|
use App\Services\PermissionPosture\FindingGeneratorContract;
|
|
use App\Support\OperationCatalog;
|
|
use App\Support\OperationRunOutcome;
|
|
use App\Support\OperationRunStatus;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('full posture check flow: findings, report, score, operations', function (): void {
|
|
[$user, $tenant] = createUserWithTenant();
|
|
|
|
$comparison = [
|
|
'overall_status' => 'missing',
|
|
'permissions' => [
|
|
['key' => 'DeviceManagementConfiguration.ReadWrite.All', 'type' => 'application', 'status' => 'missing', 'features' => ['backup', 'restore']],
|
|
['key' => 'DeviceManagementApps.ReadWrite.All', 'type' => 'application', 'status' => 'granted', 'features' => ['app_management']],
|
|
['key' => 'DeviceManagementManagedDevices.ReadWrite.All', 'type' => 'application', 'status' => 'missing', 'features' => ['compliance']],
|
|
['key' => 'Group.Read.All', 'type' => 'application', 'status' => 'granted', 'features' => ['assignments']],
|
|
['key' => 'User.Read', 'type' => 'delegated', 'status' => 'granted', 'features' => []],
|
|
],
|
|
'last_refreshed_at' => now()->toIso8601String(),
|
|
];
|
|
|
|
$start = microtime(true);
|
|
|
|
$job = new GeneratePermissionPostureFindingsJob($tenant->getKey(), $comparison);
|
|
$job->handle(
|
|
app(FindingGeneratorContract::class),
|
|
app(\App\Services\OperationRunService::class),
|
|
);
|
|
|
|
$elapsed = (microtime(true) - $start) * 1000;
|
|
|
|
// --- Timing assertion ---
|
|
expect($elapsed)->toBeLessThan(5000);
|
|
|
|
// --- Findings ---
|
|
$findings = Finding::query()
|
|
->where('tenant_id', $tenant->getKey())
|
|
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
|
|
->get();
|
|
|
|
$missingFindings = $findings->where('status', Finding::STATUS_NEW);
|
|
expect($missingFindings)->toHaveCount(2); // 2 missing permissions
|
|
|
|
// --- StoredReport ---
|
|
$report = StoredReport::query()
|
|
->where('tenant_id', $tenant->getKey())
|
|
->where('report_type', StoredReport::REPORT_TYPE_PERMISSION_POSTURE)
|
|
->first();
|
|
|
|
expect($report)->not->toBeNull()
|
|
->and($report->payload['posture_score'])->toBe(60) // 3/5 = 60%
|
|
->and($report->payload['required_count'])->toBe(5)
|
|
->and($report->payload['granted_count'])->toBe(3)
|
|
->and($report->payload['permissions'])->toHaveCount(5);
|
|
|
|
// --- OperationRun ---
|
|
$run = OperationRun::query()
|
|
->where('tenant_id', $tenant->getKey())
|
|
->where('type', OperationCatalog::TYPE_PERMISSION_POSTURE_CHECK)
|
|
->first();
|
|
|
|
expect($run)->not->toBeNull()
|
|
->and($run->status)->toBe(OperationRunStatus::Completed->value)
|
|
->and($run->outcome)->toBe(OperationRunOutcome::Succeeded->value)
|
|
->and($run->summary_counts['findings_created'])->toBe(2)
|
|
->and($run->summary_counts['posture_score'])->toBe(60);
|
|
});
|
|
|
|
it('second run auto-resolves findings for newly granted permissions', function (): void {
|
|
[$user, $tenant] = createUserWithTenant();
|
|
|
|
$generator = app(FindingGeneratorContract::class);
|
|
|
|
// First run: 2 missing permissions
|
|
$comparison1 = [
|
|
'overall_status' => 'missing',
|
|
'permissions' => [
|
|
['key' => 'Perm.A', 'type' => 'application', 'status' => 'missing', 'features' => ['a']],
|
|
['key' => 'Perm.B', 'type' => 'application', 'status' => 'missing', 'features' => ['b']],
|
|
['key' => 'Perm.C', 'type' => 'application', 'status' => 'granted', 'features' => ['c']],
|
|
],
|
|
'last_refreshed_at' => now()->toIso8601String(),
|
|
];
|
|
|
|
$result1 = $generator->generate($tenant, $comparison1);
|
|
expect($result1->findingsCreated)->toBe(2)
|
|
->and($result1->postureScore)->toBe(33);
|
|
|
|
// Second run: Perm.A now granted
|
|
$comparison2 = [
|
|
'overall_status' => 'missing',
|
|
'permissions' => [
|
|
['key' => 'Perm.A', 'type' => 'application', 'status' => 'granted', 'features' => ['a']],
|
|
['key' => 'Perm.B', 'type' => 'application', 'status' => 'missing', 'features' => ['b']],
|
|
['key' => 'Perm.C', 'type' => 'application', 'status' => 'granted', 'features' => ['c']],
|
|
],
|
|
'last_refreshed_at' => now()->toIso8601String(),
|
|
];
|
|
|
|
$result2 = $generator->generate($tenant, $comparison2);
|
|
expect($result2->findingsResolved)->toBe(1)
|
|
->and($result2->findingsUnchanged)->toBe(1)
|
|
->and($result2->postureScore)->toBe(67);
|
|
|
|
// Verify the resolved finding
|
|
$resolvedFinding = Finding::query()
|
|
->where('tenant_id', $tenant->getKey())
|
|
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
|
|
->where('status', Finding::STATUS_RESOLVED)
|
|
->first();
|
|
|
|
expect($resolvedFinding)->not->toBeNull()
|
|
->and($resolvedFinding->resolved_reason)->toBe('permission_granted');
|
|
});
|
|
|
|
it('alert events are produced for new missing permission findings', function (): void {
|
|
[$user, $tenant] = createUserWithTenant();
|
|
|
|
$generator = app(FindingGeneratorContract::class);
|
|
|
|
$comparison = [
|
|
'overall_status' => 'missing',
|
|
'permissions' => [
|
|
['key' => 'Perm.Dangerous', 'type' => 'application', 'status' => 'missing', 'features' => ['backup', 'restore', 'sync']],
|
|
],
|
|
'last_refreshed_at' => now()->toIso8601String(),
|
|
];
|
|
|
|
$result = $generator->generate($tenant, $comparison);
|
|
expect($result->findingsCreated)->toBe(1);
|
|
|
|
// Verify the finding was created and has proper data for alert pipeline
|
|
$finding = Finding::query()
|
|
->where('tenant_id', $tenant->getKey())
|
|
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
|
|
->where('status', Finding::STATUS_NEW)
|
|
->first();
|
|
|
|
expect($finding)->not->toBeNull()
|
|
->and($finding->evidence_jsonb)->toHaveKey('permission_key')
|
|
->and($finding->evidence_jsonb['permission_key'])->toBe('Perm.Dangerous');
|
|
});
|