Ahmed Darrazi 12973248e7 feat: provider access hardening (RBAC write gate)

Implements RBAC-based write gating for Intune restore flows, UI affordances, and audit logging; adds tests and specs.

2026-02-23 01:20:28 +01:00

1.5 KiB

Raw Blame History

Quickstart — Provider Access Hardening v1 (Intune Write Gate)

Goal

Validate that Intune write operations (restore execution + restore assignments) are blocked unless tenant RBAC hardening is configured, healthy, and fresh.

Local setup

Start containers: vendor/bin/sail up -d

Manual verification (once implemented)

Navigate to a tenant view page (TenantResource → View).
Set tenant RBAC status to a blocked state (e.g., rbac_status = null or degraded, or make rbac_last_checked_at stale).
Attempt to start a restore execution (Restore Runs → Execute).
- Expected: start surface blocks before enqueue; operator sees reason + CTA; no OperationRun is started for execution.
Attempt to trigger assignments restore (where available).
- Expected: blocked with the same reason codes.
For job-level defense-in-depth, directly enqueue the job (or trigger a code path that dispatches it) while tenant is blocked.
- Expected: OperationRun is marked failed with reason_code and no Graph mutation occurs.

Test execution (once implemented)

Run the minimal related tests:

vendor/bin/sail artisan test --compact --filter=IntuneRbacWriteGate
or run file-scoped tests created for this feature under tests/Feature.

Notes

Gate evaluation is DB-only; no synchronous Graph calls are allowed during UI evaluation.
When the gate is disabled via config, writes proceed but a warning is logged per evaluation that the gate is bypassed.

1.5 KiB Raw Blame History