<?php
use App\Models\BackupItem;
use App\Models\BackupSet;
use App\Models\Tenant;
use App\Services\Graph\GraphClientInterface;
use App\Services\Graph\GraphResponse;
use App\Services\Intune\RestoreRiskChecker;
use App\Services\Intune\RestoreService;
use Illuminate\Foundation\Testing\RefreshDatabase;
// Pest: apply Laravel's RefreshDatabase trait to every test in this file, so the Tenant,
// BackupSet and BackupItem rows created by the factories below do not leak between tests.
uses(RefreshDatabase::class);
/**
 * In-memory stand-in for the Graph client used by the endpoint security restore tests.
 *
 * No call leaves the process. Every applyPolicy() and request() invocation is appended to a
 * public log, so a test can assert exactly which tenant writes the restore code attempted
 * and, just as importantly, which ones it did not attempt.
 */
class EndpointSecurityRestoreGraphClient implements GraphClientInterface
{
    /**
     * Arguments of each applyPolicy() call, in call order.
     *
     * @var array<int, array{policyType:string,policyId:string,payload:array,options:array<string,mixed>}>
     */
    public array $applyPolicyCalls = [];

    /**
     * Arguments of each request() call, in call order; the method is stored upper-cased.
     *
     * @var array<int, array{method:string,path:string,options:array<string,mixed>}>
     */
    public array $requestCalls = [];

    /**
     * @param GraphResponse                $applyPolicyResponse Canned result handed back by every applyPolicy() call.
     * @param array<string, GraphResponse> $requestMap          Path fragment => canned result for request().
     *                                                          Matching is by substring and the first matching
     *                                                          entry wins, so keep fragments specific enough
     *                                                          that one does not shadow another.
     */
    public function __construct(
        private readonly GraphResponse $applyPolicyResponse,
        private readonly array $requestMap = [],
    ) {}

    /** Stub: always answers with an empty result. */
    public function listPolicies(string $policyType, array $options = []): GraphResponse
    {
        return $this->emptyResult();
    }

    /** Stub: always answers with a result whose data holds an empty 'payload'. */
    public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
    {
        return new GraphResponse(true, ['payload' => []]);
    }

    /** Stub: always answers with an empty result. */
    public function getOrganization(array $options = []): GraphResponse
    {
        return $this->emptyResult();
    }

    /**
     * Logs the call and returns the response configured in the constructor.
     */
    public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
    {
        $record = [
            'policyType' => $policyType,
            'policyId' => $policyId,
            'payload' => $payload,
            'options' => $options,
        ];
        $this->applyPolicyCalls[] = $record;

        return $this->applyPolicyResponse;
    }

    /** Stub: always answers with an empty result. */
    public function getServicePrincipalPermissions(array $options = []): GraphResponse
    {
        return $this->emptyResult();
    }

    /**
     * Logs the call, then answers with the first mapped response whose key occurs in $path.
     *
     * Non-string and empty keys are skipped. Without a match the call gets an empty result,
     * so an unmapped path never fails by itself.
     */
    public function request(string $method, string $path, array $options = []): GraphResponse
    {
        $this->requestCalls[] = [
            'method' => strtoupper($method),
            'path' => $path,
            'options' => $options,
        ];

        foreach ($this->requestMap as $fragment => $canned) {
            if (! is_string($fragment) || $fragment === '') {
                continue;
            }

            if (str_contains($path, $fragment)) {
                return $canned;
            }
        }

        return $this->emptyResult();
    }

    /**
     * Shared default answer for the stubbed calls.
     *
     * The leading `true` is presumably GraphResponse's success flag - confirm against that class.
     */
    private function emptyResult(): GraphResponse
    {
        return new GraphResponse(true, []);
    }
}
/*
 * Happy path: an endpoint security policy is restored in two steps. The policy itself goes
 * through applyPolicy() without its 'settings' key, and the settings are sent in a separate
 * POST to the policy's /settings endpoint.
 */
test('restore executes endpoint security policy settings via settings endpoint', function () {
    // Fake Graph client bound in the container, so the restore service never reaches a real tenant.
    $graph = new EndpointSecurityRestoreGraphClient(new GraphResponse(true, []));
    app()->instance(GraphClientInterface::class, $graph);

    $settingDefinitionId = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring';

    $policyPayload = [
        'id' => 'esp-1',
        '@odata.type' => '#microsoft.graph.deviceManagementConfigurationPolicy',
        'name' => 'Endpoint Security Policy',
        'platforms' => ['windows10'],
        'technologies' => ['endpointSecurity'],
        'templateReference' => [
            'templateId' => 'template-1',
            'templateFamily' => 'endpointSecurityFirewall',
            'templateDisplayName' => 'Windows Firewall Rules',
            'templateDisplayVersion' => 'Version 1',
        ],
        'settings' => [
            [
                'id' => 's1',
                'settingInstance' => [
                    '@odata.type' => '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance',
                    'settingDefinitionId' => $settingDefinitionId,
                    'simpleSettingValue' => [
                        'value' => 1,
                    ],
                ],
            ],
        ],
    ];

    $tenant = Tenant::factory()->create();
    $backupSet = BackupSet::factory()->for($tenant)->create([
        'status' => 'completed',
        'item_count' => 1,
    ]);
    $backupItem = BackupItem::factory()->for($tenant)->for($backupSet)->create([
        'policy_id' => null,
        'policy_identifier' => 'esp-1',
        'policy_type' => 'endpointSecurityPolicy',
        'platform' => 'windows',
        'payload' => $policyPayload,
        'assignments' => null,
    ]);

    $restoreRun = app(RestoreService::class)->execute(
        tenant: $tenant,
        backupSet: $backupSet,
        selectedItemIds: [$backupItem->id],
        dryRun: false,
    );

    expect($restoreRun->status)->toBe('completed');

    // Exactly one policy write, and it must not carry the settings inline.
    expect($graph->applyPolicyCalls)->toHaveCount(1);
    $appliedPolicy = $graph->applyPolicyCalls[0];
    expect($appliedPolicy['policyType'])->toBe('endpointSecurityPolicy');
    expect($appliedPolicy['payload'])->not->toHaveKey('settings');

    // The settings travel in their own POST against the policy's /settings endpoint.
    $settingsCalls = collect($graph->requestCalls)
        ->filter(static function (array $call): bool {
            return $call['method'] === 'POST' && str_contains($call['path'], '/settings');
        })
        ->values();

    expect($settingsCalls)->toHaveCount(1);

    $settingsCall = $settingsCalls[0];
    expect($settingsCall['path'])->toContain('deviceManagement/configurationPolicies/esp-1/settings');

    // NOTE(review): only the setting definition id is pinned here. The restored
    // simpleSettingValue is not asserted, so a restore that changed the value of this
    // Defender setting would still pass - consider asserting the value as well.
    $body = $settingsCall['options']['json'] ?? null;
    expect($body)->toBeArray()->not->toBeEmpty();
    expect($body[0]['settingInstance']['settingDefinitionId'] ?? null)
        ->toBe($settingDefinitionId);
});
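/*
 * Failure path: the policy does not exist in the tenant (applyPolicy answers 404) and the
 * template it references cannot be found either. The run must end as 'failed' and must not
 * create a configuration policy in the tenant.
 */
test('restore fails when endpoint security template is missing', function () {
    // The third argument is presumably the HTTP status and the last array error metadata -
    // confirm against GraphResponse's constructor.
    $applyNotFound = new GraphResponse(false, ['error' => ['message' => 'Not found']], 404, [], [], [
        'error_code' => 'NotFound',
        'error_message' => 'Not found',
    ]);

    $templateNotFound = new GraphResponse(false, ['error' => ['message' => 'Template missing']], 404, [], [], [
        'error_code' => 'NotFound',
        'error_message' => 'Template missing',
    ]);

    // Any request() whose path contains 'configurationPolicyTemplates' gets the 404 above.
    $client = new EndpointSecurityRestoreGraphClient($applyNotFound, [
        'configurationPolicyTemplates' => $templateNotFound,
    ]);
    app()->instance(GraphClientInterface::class, $client);

    $tenant = Tenant::factory()->create();
    $backupSet = BackupSet::factory()->for($tenant)->create([
        'status' => 'completed',
        'item_count' => 1,
    ]);

    $backupItem = BackupItem::factory()->for($tenant)->for($backupSet)->create([
        'policy_id' => null,
        'policy_identifier' => 'esp-missing',
        'policy_type' => 'endpointSecurityPolicy',
        'platform' => 'windows',
        'payload' => [
            'id' => 'esp-missing',
            '@odata.type' => '#microsoft.graph.deviceManagementConfigurationPolicy',
            'name' => 'Endpoint Security Policy',
            'platforms' => ['windows10'],
            'technologies' => ['endpointSecurity'],
            'templateReference' => [
                'templateId' => 'missing-template',
            ],
            'settings' => [
                [
                    'id' => 's1',
                    'settingInstance' => [
                        '@odata.type' => '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance',
                        'settingDefinitionId' => 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring',
                        'simpleSettingValue' => [
                            'value' => 1,
                        ],
                    ],
                ],
            ],
        ],
        'assignments' => null,
    ]);

    $service = app(RestoreService::class);
    $run = $service->execute(
        tenant: $tenant,
        backupSet: $backupSet,
        selectedItemIds: [$backupItem->id],
        dryRun: false,
    );

    expect($run->status)->toBe('failed');

    // Negative assertion: no policy may have been created. The path is compared after
    // trimming slashes and by suffix rather than by strict equality, so a leading slash or
    // an API-version prefix on the recorded path cannot make this check pass vacuously.
    // The settings endpoint ('.../configurationPolicies/<id>/settings') does not match.
    $createCalls = collect($client->requestCalls)
        ->filter(static function (array $call): bool {
            $path = trim($call['path'], '/');

            return $call['method'] === 'POST'
                && str_ends_with($path, 'deviceManagement/configurationPolicies');
        })
        ->values();

    expect($createCalls)->toHaveCount(0);
});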
/*
 * Pre-flight check: when the template referenced by an endpoint security policy cannot be
 * found, the risk checker must report an 'endpoint_security_templates' result with
 * severity 'blocking'.
 */
test('restore risk checks flag missing endpoint security templates as blocking', function () {
    // Canned 404 for any request() whose path contains 'configurationPolicyTemplates'.
    $missingTemplate = new GraphResponse(false, ['error' => ['message' => 'Template missing']], 404, [], [], [
        'error_code' => 'NotFound',
        'error_message' => 'Template missing',
    ]);

    $requestMap = ['configurationPolicyTemplates' => $missingTemplate];
    $graph = new EndpointSecurityRestoreGraphClient(new GraphResponse(true, []), $requestMap);
    app()->instance(GraphClientInterface::class, $graph);

    $policyPayload = [
        'id' => 'esp-missing',
        '@odata.type' => '#microsoft.graph.deviceManagementConfigurationPolicy',
        'templateReference' => [
            'templateId' => 'missing-template',
            'templateFamily' => 'endpointSecurityFirewall',
        ],
        'settings' => [],
    ];

    $tenant = Tenant::factory()->create();
    $backupSet = BackupSet::factory()->for($tenant)->create([
        'status' => 'completed',
        'item_count' => 1,
    ]);
    $backupItem = BackupItem::factory()->for($tenant)->for($backupSet)->create([
        'policy_id' => null,
        'policy_identifier' => 'esp-missing',
        'policy_type' => 'endpointSecurityPolicy',
        'platform' => 'windows',
        'payload' => $policyPayload,
        'assignments' => null,
    ]);

    $report = app(RestoreRiskChecker::class)->check(
        tenant: $tenant,
        backupSet: $backupSet,
        selectedItemIds: [$backupItem->id],
        groupMapping: [],
    );

    // Look up the template check by its code; a missing 'results' key counts as no results.
    $templateCheck = collect($report['results'] ?? [])
        ->firstWhere('code', 'endpoint_security_templates');

    expect($templateCheck)->not->toBeNull();
    expect($templateCheck['severity'] ?? null)->toBe('blocking');
});