Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #492
<?php
declare(strict_types=1);
use App\Models\TenantConfigurationSupportedScope;
use App\Models\TenantConfigurationResourceType;
use App\Services\TenantConfiguration\CoverageV2ReadinessReadModel;
use App\Services\TenantConfiguration\EntraCertifiedComparePackEvaluator;
use App\Support\TenantConfiguration\CoverageLevel;
use Tests\Support\TenantConfiguration\Spec425Fixtures as Spec425;
it('Spec425 syncs the certified supported scope with exact metadata and Graph fallback allowlist', function (): void {
    Spec425::syncDefaults();

    // Load the certified pack scope row that the fixture helper seeds.
    $certifiedScope = TenantConfigurationSupportedScope::query()
        ->where('scope_key', EntraCertifiedComparePackEvaluator::SCOPE_KEY)
        ->firstOrFail();

    // Column-level attributes of the certified scope.
    expect($certifiedScope->display_name)->toBe('Certified Entra Core Compare Pack');
    expect($certifiedScope->minimum_coverage_level)->toBe(CoverageLevel::Certified);
    expect($certifiedScope->included_resource_types)->toBe(['conditionalAccessPolicy', 'securityDefaults']);
    expect($certifiedScope->allow_beta)->toBeFalse();
    expect($certifiedScope->allow_graph_fallback)->toBeTrue();
    expect($certifiedScope->customer_claims_allowed)->toBeFalse();

    // Metadata guards: Graph fallback is limited to securityDefaults, the
    // denominator mirrors the included types, and the pack is internal —
    // no customer claims, no restore, not shown in coverage readiness.
    $metadata = $certifiedScope->metadata;
    expect($metadata['graph_fallback_allowlist'])->toBe(['securityDefaults']);
    expect($metadata['resource_type_denominator'])->toBe(['conditionalAccessPolicy', 'securityDefaults']);
    expect($metadata['customer_claims_allowed'])->toBeFalse();
    expect($metadata['restore_allowed'])->toBeFalse();
    expect($metadata['visible_in_coverage_readiness'])->toBeFalse();
});
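it('Spec425 does not certify non-denominator Entra resource types', function (): void {
    Spec425::syncDefaults();

    $scope = TenantConfigurationSupportedScope::query()
        ->where('scope_key', EntraCertifiedComparePackEvaluator::SCOPE_KEY)
        ->firstOrFail();

    // Entra resource types that must stay outside the certified denominator.
    $excludedTypes = [
        'application',
        'servicePrincipal',
        'roleDefinition',
        'administrativeUnit',
        'authenticationMethodsPolicy',
        'identityProtectionPolicy',
        'authorizationPolicy',
        'crossTenantAccessPolicy',
        'accessReview',
    ];

    // Assert each type on its own. A single negated `toContain()` with many
    // needles is satisfied as soon as any one needle is absent, so it would
    // not catch a regression that admits only some of these types.
    foreach ($excludedTypes as $excludedType) {
        expect($scope->included_resource_types)->not->toContain($excludedType);
    }
});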
it('Spec425 keeps the internal certified scope out of existing Coverage v2 readiness options', function (): void {
    Spec425::syncDefaults();

    $readiness = app(CoverageV2ReadinessReadModel::class);
    $certifiedScopeKey = EntraCertifiedComparePackEvaluator::SCOPE_KEY;

    // The certified scope is internal: it is not offered as a readiness option,
    // is not the default, and contributes no canonical types.
    expect($readiness->supportedScopeOptions())->not->toHaveKey($certifiedScopeKey);
    expect($readiness->defaultScopeKey())->toBe('intune_tcm_core');
    expect($readiness->includedCanonicalTypesForScope($certifiedScopeKey))->toBe([]);

    // Inspecting a denominator type through the certified scope key resolves
    // to no active scope.
    $conditionalAccessType = TenantConfigurationResourceType::query()
        ->where('canonical_type', 'conditionalAccessPolicy')
        ->firstOrFail();

    $inspectDetails = $readiness->resourceTypeInspectDetails($conditionalAccessType, $certifiedScopeKey);

    expect($inspectDetails['scope'])->toBeNull();
    expect($inspectDetails['scope_key'])->toBeNull();
    expect($inspectDetails['supported_scope'])->toBe('No active scope');
});