ahmido
32c3a64147
Implements LIST `$expand` parity with GET by forwarding caller-provided, contract-allowlisted expands. Key changes: - Entra Admin Roles scan now requests `expand=principal` for role assignments so `principal.displayName` can render. - `$expand` normalization/sanitization: top-level comma split (commas inside balanced parentheses preserved), trim, dedupe, allowlist exact match, caps (max 10 tokens, max 200 chars/token). - Diagnostics when expands are removed/truncated (non-prod warning, production low-noise). Tests: - Adds/extends unit coverage for Graph contract sanitization, list request shaping, and the EntraAdminRolesReportService. Spec artifacts included under `specs/112-list-expand-parity/`. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #136
53 lines
2.4 KiB
PHP
53 lines
2.4 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Graph;
|
|
|
|
interface GraphClientInterface
|
|
{
|
|
/**
|
|
* List policies of a given type.
|
|
*
|
|
* Supported list query options (sanitized against the contract allowlists for the policy type):
|
|
* - `select`: `string|string[]` Optional `$select` fields. Accepts comma-separated string or list of fields.
|
|
* - `expand`: `string|string[]` Optional `$expand` expansions. Accepts comma-separated string or list of tokens.
|
|
* String input is split on top-level commas only (commas inside balanced parentheses are not separators).
|
|
* - `filter`: `string` Optional `$filter`.
|
|
* - `top`: `int` Optional `$top`.
|
|
* - `platform`: `string` Optional platform filter (contract-specific).
|
|
*
|
|
* Tenant/auth context options (typically resolved by `MicrosoftGraphOptionsResolver`):
|
|
* - `tenant`, `client_id`, `client_secret`, `scope`, `token_url`, `access_token`, `client_request_id`
|
|
*
|
|
* @param string $policyType Graph policy type identifier
|
|
* @param array{select?: string|string[], expand?: string|string[], filter?: string, top?: int, platform?: string, client_request_id?: string, tenant?: string, client_id?: string, client_secret?: string, scope?: string|string[], token_url?: string, access_token?: string} $options
|
|
*/
|
|
public function listPolicies(string $policyType, array $options = []): GraphResponse;
|
|
|
|
/**
|
|
* Fetch a single policy payload by type and identifier.
|
|
*/
|
|
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse;
|
|
|
|
/**
|
|
* Fetch basic organization metadata for connectivity validation.
|
|
*/
|
|
public function getOrganization(array $options = []): GraphResponse;
|
|
|
|
/**
|
|
* Apply or restore a policy payload.
|
|
*/
|
|
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse;
|
|
|
|
/**
|
|
* Get granted OAuth2 permissions for the service principal.
|
|
*/
|
|
public function getServicePrincipalPermissions(array $options = []): GraphResponse;
|
|
|
|
/**
|
|
* Execute an arbitrary Graph request (used for specialized operations like RBAC setup).
|
|
*
|
|
* Supported options: `query`, `json`, `tenant`, `client_id`, `client_secret`, `scope`, `token_url`, `access_token`.
|
|
*/
|
|
public function request(string $method, string $path, array $options = []): GraphResponse;
|
|
}
|