ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
2a8d3c3bc4
TenantAtlas/database/factories/FindingFactory.php
ahmido 6a15fe978a feat: Spec 105 — Entra Admin Roles Evidence + Findings (#128) 
## Summary

Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support.

## What's included

### Core Services
- **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication
- **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog
- **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.)
- **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline

### UI
- **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button
- RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger

### Infrastructure
- Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments`
- `config/entra_permissions.php` — Entra permission registry
- `StoredReport.fingerprint` migration (deduplication support)
- `OperationCatalog` label + duration for `entra.admin_roles.scan`
- Artisan command `entra:scan-admin-roles` for CLI/scheduled use

### Global UX improvement
- **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications.

## Test Coverage
- **12 test files**, **79+ tests**, **307+ assertions**
- Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping

## Spec artifacts
- `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete)
- `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked

## Files changed
46 files changed, 3641 insertions(+), 15 deletions(-)

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #128
2026-02-22 02:37:36 +00:00

96 lines
3.2 KiB
PHP
Raw Blame History

<?php
namespace Database\Factories;
use App\Models\Finding;
use App\Models\Tenant;
use Illuminate\Database\Eloquent\Factories\Factory;
/**
* @extends \Illuminate\Database\Eloquent\Factories\Factory<\App\Models\Finding>
*/
class FindingFactory extends Factory
{
/**
* Define the model's default state.
*
* @return array<string, mixed>
*/
public function definition(): array
{
return [
'tenant_id' => Tenant::factory(),
'finding_type' => Finding::FINDING_TYPE_DRIFT,
'scope_key' => hash('sha256', fake()->uuid()),
'baseline_operation_run_id' => null,
'current_operation_run_id' => null,
'fingerprint' => hash('sha256', fake()->uuid()),
'subject_type' => 'assignment',
'subject_external_id' => fake()->uuid(),
'severity' => Finding::SEVERITY_MEDIUM,
'status' => Finding::STATUS_NEW,
'acknowledged_at' => null,
'acknowledged_by_user_id' => null,
'evidence_jsonb' => [],
];
}
/**
* State for permission posture findings.
*/
public function permissionPosture(): static
{
return $this->state(fn (array $attributes): array => [
'finding_type' => Finding::FINDING_TYPE_PERMISSION_POSTURE,
'source' => 'permission_check',
'subject_type' => 'permission',
'subject_external_id' => 'DeviceManagementConfiguration.ReadWrite.All',
'severity' => Finding::SEVERITY_MEDIUM,
'evidence_jsonb' => [
'permission_key' => 'DeviceManagementConfiguration.ReadWrite.All',
'permission_type' => 'application',
'expected_status' => 'granted',
'actual_status' => 'missing',
'blocked_features' => ['policy-sync', 'backup'],
'checked_at' => now()->toIso8601String(),
],
]);
}
/**
* State for resolved findings.
*/
public function resolved(): static
{
return $this->state(fn (array $attributes): array => [
'status' => Finding::STATUS_RESOLVED,
'resolved_at' => now(),
'resolved_reason' => 'permission_granted',
]);
}
/**
* State for Entra admin roles findings.
*/
public function entraAdminRoles(): static
{
return $this->state(fn (array $attributes): array => [
'finding_type' => Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES,
'source' => 'entra.admin_roles',
'severity' => Finding::SEVERITY_CRITICAL,
'subject_type' => 'role_assignment',
'evidence_jsonb' => [
'role_display_name' => 'Global Administrator',
'principal_display_name' => 'Admin User',
'principal_type' => 'user',
'principal_id' => fake()->uuid(),
'role_definition_id' => fake()->uuid(),
'role_template_id' => '62e90394-69f5-4237-9190-012177145e10',
'directory_scope_id' => '/',
'is_built_in' => true,
'measured_at' => now()->toIso8601String(),
],
]);
}
}
Reference in New Issue View Git Blame Copy Permalink