ahmido
28cfe38ba4
## Summary - turn the Monitoring audit log placeholder into a real workspace-scoped audit review surface - introduce a shared audit recorder, richer audit value objects, and additive audit log schema evolution - add audit outcome and actor badges, permission-aware related navigation, and durable audit retention coverage ## Included - canonical `/admin/audit-log` list and detail inspection UI - audit model helpers, taxonomy expansion, actor/target snapshots, and recorder/builder services - operation terminal audit writes and purge command retention changes - spec 134 design artifacts and focused Pest coverage for audit foundation behavior ## Validation - `vendor/bin/sail bin pint --dirty --format agent` - `vendor/bin/sail artisan test --compact tests/Unit/Audit tests/Unit/Badges/AuditBadgesTest.php tests/Feature/Filament/AuditLogPageTest.php tests/Feature/Filament/AuditLogDetailInspectionTest.php tests/Feature/Filament/AuditLogAuthorizationTest.php tests/Feature/Monitoring/AuditCoverageGovernanceTest.php tests/Feature/Monitoring/AuditCoverageOperationsTest.php tests/Feature/Console/TenantpilotPurgeNonPersistentDataTest.php` ## Notes - Livewire v4.0+ compliance is preserved within the existing Filament v5 application. - No provider registration changes were needed; panel provider registration remains in `bootstrap/providers.php`. - No new globally searchable resource was introduced. - The audit page remains read-only; no destructive actions were added. - No new asset pipeline changes were introduced; existing deploy-time `php artisan filament:assets` behavior remains unchanged. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #163
119 lines
4.7 KiB
PHP
119 lines
4.7 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Auth;
|
|
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\Auth\WorkspaceRole;
|
|
|
|
/**
|
|
* Workspace Role to Capability Mapping (Single Source of Truth)
|
|
*
|
|
* This class defines which capabilities each workspace role has.
|
|
* All capability strings MUST be references from the Capabilities registry.
|
|
*/
|
|
class WorkspaceRoleCapabilityMap
|
|
{
|
|
/**
|
|
* @var array<string, array<int, string>>
|
|
*/
|
|
private static array $roleCapabilities = [
|
|
WorkspaceRole::Owner->value => [
|
|
Capabilities::WORKSPACE_VIEW,
|
|
Capabilities::WORKSPACE_MANAGE,
|
|
Capabilities::WORKSPACE_ARCHIVE,
|
|
Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
|
|
Capabilities::WORKSPACE_MEMBERSHIP_MANAGE,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_IDENTIFY,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE,
|
|
Capabilities::WORKSPACE_SETTINGS_VIEW,
|
|
Capabilities::WORKSPACE_SETTINGS_MANAGE,
|
|
Capabilities::ALERTS_VIEW,
|
|
Capabilities::ALERTS_MANAGE,
|
|
Capabilities::WORKSPACE_BASELINES_VIEW,
|
|
Capabilities::WORKSPACE_BASELINES_MANAGE,
|
|
Capabilities::AUDIT_VIEW,
|
|
],
|
|
|
|
WorkspaceRole::Manager->value => [
|
|
Capabilities::WORKSPACE_VIEW,
|
|
Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
|
|
Capabilities::WORKSPACE_MEMBERSHIP_MANAGE,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_IDENTIFY,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
|
|
Capabilities::WORKSPACE_SETTINGS_VIEW,
|
|
Capabilities::WORKSPACE_SETTINGS_MANAGE,
|
|
Capabilities::ALERTS_VIEW,
|
|
Capabilities::ALERTS_MANAGE,
|
|
Capabilities::WORKSPACE_BASELINES_VIEW,
|
|
Capabilities::WORKSPACE_BASELINES_MANAGE,
|
|
Capabilities::AUDIT_VIEW,
|
|
],
|
|
|
|
WorkspaceRole::Operator->value => [
|
|
Capabilities::WORKSPACE_VIEW,
|
|
Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
|
|
Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
|
|
Capabilities::WORKSPACE_SETTINGS_VIEW,
|
|
Capabilities::ALERTS_VIEW,
|
|
Capabilities::WORKSPACE_BASELINES_VIEW,
|
|
Capabilities::AUDIT_VIEW,
|
|
],
|
|
|
|
WorkspaceRole::Readonly->value => [
|
|
Capabilities::WORKSPACE_VIEW,
|
|
Capabilities::WORKSPACE_SETTINGS_VIEW,
|
|
Capabilities::ALERTS_VIEW,
|
|
Capabilities::WORKSPACE_BASELINES_VIEW,
|
|
Capabilities::AUDIT_VIEW,
|
|
],
|
|
];
|
|
|
|
/**
|
|
* @return array<string>
|
|
*/
|
|
public static function getCapabilities(WorkspaceRole|string $role): array
|
|
{
|
|
$roleValue = $role instanceof WorkspaceRole ? $role->value : $role;
|
|
|
|
return self::$roleCapabilities[$roleValue] ?? [];
|
|
}
|
|
|
|
/**
|
|
* @return array<string>
|
|
*/
|
|
public static function rolesWithCapability(string $capability): array
|
|
{
|
|
$roles = [];
|
|
|
|
foreach (self::$roleCapabilities as $role => $capabilities) {
|
|
if (in_array($capability, $capabilities, true)) {
|
|
$roles[] = $role;
|
|
}
|
|
}
|
|
|
|
return $roles;
|
|
}
|
|
|
|
public static function hasCapability(WorkspaceRole|string $role, string $capability): bool
|
|
{
|
|
return in_array($capability, self::getCapabilities($role), true);
|
|
}
|
|
}
|