TenantAtlas/apps/platform/tests/Feature/TenantConfiguration/Spec425EntraCertifiedDenominatorFeatureTest.php
ahmido 33e496c182 feat: complete spec 425 enta certified compare pack (#492)
Implements spec 425 with Entra certified compare pack support, coverage, guards, evaluator, fixtures, and tests.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #492
2026-07-01 23:27:16 +00:00


<?php
declare(strict_types=1);
use App\Models\TenantConfigurationSupportedScope;
use App\Models\TenantConfigurationResourceType;
use App\Services\TenantConfiguration\CoverageV2ReadinessReadModel;
use App\Services\TenantConfiguration\EntraCertifiedComparePackEvaluator;
use App\Support\TenantConfiguration\CoverageLevel;
use Tests\Support\TenantConfiguration\Spec425Fixtures as Spec425;
// Pins the exact stored shape of the certified Entra scope after the defaults
// are synced, so that any widening of the scope (beta, extra resource types,
// a broader Graph fallback, customer claims, restore) fails this test.
it('Spec425 syncs the certified supported scope with exact metadata and Graph fallback allowlist', function (): void {
    Spec425::syncDefaults();

    $certifiedScope = TenantConfigurationSupportedScope::query()
        ->where('scope_key', EntraCertifiedComparePackEvaluator::SCOPE_KEY)
        ->firstOrFail();

    // Columns on the scope record itself.
    expect($certifiedScope->display_name)->toBe('Certified Entra Core Compare Pack');
    expect($certifiedScope->minimum_coverage_level)->toBe(CoverageLevel::Certified);
    expect($certifiedScope->included_resource_types)->toBe(['conditionalAccessPolicy', 'securityDefaults']);
    expect($certifiedScope->allow_beta)->toBeFalse();
    expect($certifiedScope->allow_graph_fallback)->toBeTrue();
    expect($certifiedScope->customer_claims_allowed)->toBeFalse();

    // Metadata: Graph fallback is enabled on the scope, but the allowlist is
    // expected to name securityDefaults only; the denominator must equal the
    // included resource types exactly.
    expect($certifiedScope->metadata['graph_fallback_allowlist'])->toBe(['securityDefaults']);
    expect($certifiedScope->metadata['resource_type_denominator'])->toBe(['conditionalAccessPolicy', 'securityDefaults']);
    expect($certifiedScope->metadata['customer_claims_allowed'])->toBeFalse();
    expect($certifiedScope->metadata['restore_allowed'])->toBeFalse();
    expect($certifiedScope->metadata['visible_in_coverage_readiness'])->toBeFalse();
});
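// Guard test: none of the Entra resource types outside the certified
// denominator may appear in the certified scope's included resource types.
it('Spec425 does not certify non-denominator Entra resource types', function (): void {
    Spec425::syncDefaults();

    $scope = TenantConfigurationSupportedScope::query()
        ->where('scope_key', EntraCertifiedComparePackEvaluator::SCOPE_KEY)
        ->firstOrFail();

    $nonDenominatorTypes = [
        'application',
        'servicePrincipal',
        'roleDefinition',
        'administrativeUnit',
        'authenticationMethodsPolicy',
        'identityProtectionPolicy',
        'authorizationPolicy',
        'crossTenantAccessPolicy',
        'accessReview',
    ];

    // Assert one type at a time. A negated toContain() given several needles
    // is satisfied as soon as a single needle is absent, so the combined form
    // would keep passing if only some of these types leaked into the scope.
    foreach ($nonDenominatorTypes as $resourceType) {
        expect($scope->included_resource_types)->not->toContain($resourceType);
    }
});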
// The certified Entra scope is internal: the Coverage v2 readiness read model
// must not offer it as an option, must keep its existing default scope, and
// must treat the certified scope key as if no scope were active.
it('Spec425 keeps the internal certified scope out of existing Coverage v2 readiness options', function (): void {
    Spec425::syncDefaults();

    $certifiedScopeKey = EntraCertifiedComparePackEvaluator::SCOPE_KEY;
    $readiness = app(CoverageV2ReadinessReadModel::class);

    // Not selectable, not the default, and resolves to no canonical types.
    expect($readiness->supportedScopeOptions())->not->toHaveKey($certifiedScopeKey);
    expect($readiness->defaultScopeKey())->toBe('intune_tcm_core');
    expect($readiness->includedCanonicalTypesForScope($certifiedScopeKey))->toBe([]);

    $conditionalAccess = TenantConfigurationResourceType::query()
        ->where('canonical_type', 'conditionalAccessPolicy')
        ->firstOrFail();

    // Inspecting a denominator type under the certified key must not expose the scope.
    $inspect = $readiness->resourceTypeInspectDetails($conditionalAccess, $certifiedScopeKey);

    expect($inspect['scope'])->toBeNull();
    expect($inspect['scope_key'])->toBeNull();
    expect($inspect['supported_scope'])->toBe('No active scope');
});