ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
46b11d3770
TenantAtlas/tests/Feature/Baselines/BaselineCompareDriftEvidenceContractTest.php
ahmido 45a804970e feat: complete admin canonical tenant rollout (#165) 
## Summary
- complete Spec 136 canonical admin tenant rollout across admin-visible and shared Filament surfaces
- add the shared panel-aware tenant resolver helper, persisted filter-state synchronization, and admin navigation segregation for tenant-sensitive resources
- expand regression, guard, and parity coverage for admin-path tenant resolution, stale filters, workspace-wide tenant-default surfaces, and panel split behavior

## Validation
- `vendor/bin/sail artisan test --compact tests/Feature/Guards/AdminTenantResolverGuardTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/Filament/TableStatePersistenceTest.php`
- `vendor/bin/sail artisan test --compact --filter='CanonicalAdminTenantFilterState|PolicyResource|BackupSchedule|BackupSet|FindingResource|BaselineCompareLanding|RestoreRunResource|InventoryItemResource|PolicyVersionResource|ProviderConnectionResource|TenantDiagnostics|InventoryCoverage|InventoryKpiHeader|AuditLog|EntraGroup'`
- `vendor/bin/sail bin pint --dirty --format agent`

## Notes
- Livewire v4.0+ compliance is preserved with Filament v5.
- Provider registration remains unchanged in `bootstrap/providers.php`.
- `PolicyResource` and `PolicyVersionResource` have admin global search disabled explicitly; `EntraGroupResource` keeps admin-aware scoped search with a View page.
- Destructive and governance-sensitive actions retain existing confirmation and authorization behavior while using canonical tenant parity.
- No new assets were introduced, so deployment asset strategy is unchanged and does not add new `filament:assets` work.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #165
2026-03-13 08:09:20 +00:00

274 lines
12 KiB
PHP
Raw Blame History

<?php
use App\Jobs\CompareBaselineToTenantJob;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Models\Finding;
use App\Models\InventoryItem;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Intune\AuditLogger;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\OperationRunType;
use Carbon\CarbonImmutable;
use Tests\Support\AssertsDriftEvidenceContract;
it('writes diff-compatible drift evidence for different_version drift findings', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$policyType = 'deviceConfiguration';
$displayName = 'Policy Alpha';
$subjectKey = BaselineSubjectKey::fromDisplayName($displayName);
expect($subjectKey)->not->toBeNull();
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => [$policyType], 'foundation_types' => []],
]);
$baselineCapturedAt = CarbonImmutable::now()->subHours(2)->setMicrosecond(123456);
$snapshot = BaselineSnapshot::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
'captured_at' => $baselineCapturedAt->subSecond(),
]);
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $tenant,
statusByType: [$policyType => 'succeeded'],
);
$externalId = 'policy-alpha-uuid';
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'external_id' => $externalId,
'policy_type' => $policyType,
'platform' => 'windows10',
'display_name' => $displayName,
]);
$baselineVersion = PolicyVersion::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_id' => (int) $policy->getKey(),
'policy_type' => $policyType,
'platform' => 'windows10',
'version_number' => 1,
'captured_at' => $baselineCapturedAt,
'snapshot' => ['etag' => 'E_BASELINE'],
'assignments' => [],
'scope_tags' => ['ids' => ['0'], 'names' => ['Default']],
]);
$currentVersion = PolicyVersion::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_id' => (int) $policy->getKey(),
'policy_type' => $policyType,
'platform' => 'windows10',
'version_number' => 2,
'captured_at' => $baselineCapturedAt->addMinutes(10),
'snapshot' => ['etag' => 'E_CURRENT'],
'assignments' => [],
'scope_tags' => ['ids' => ['0'], 'names' => ['Default']],
]);
$baselineHash = expectedPolicyVersionContentHash(
snapshot: is_array($baselineVersion->snapshot) ? $baselineVersion->snapshot : [],
policyType: $policyType,
platform: is_string($baselineVersion->platform) ? $baselineVersion->platform : null,
assignments: is_array($baselineVersion->assignments) ? $baselineVersion->assignments : [],
scopeTags: is_array($baselineVersion->scope_tags) ? $baselineVersion->scope_tags : [],
secretFingerprints: is_array($baselineVersion->secret_fingerprints) ? $baselineVersion->secret_fingerprints : [],
redactionVersion: is_numeric($baselineVersion->redaction_version) ? (int) $baselineVersion->redaction_version : null,
);
$workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId($policyType, (string) $subjectKey);
BaselineSnapshotItem::factory()->create([
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'subject_type' => 'policy',
'subject_external_id' => $workspaceSafeExternalId,
'subject_key' => (string) $subjectKey,
'policy_type' => $policyType,
'baseline_hash' => $baselineHash,
'meta_jsonb' => [
'display_name' => $displayName,
'evidence' => [
'fidelity' => 'content',
'source' => 'policy_version',
'observed_at' => $baselineCapturedAt->toIso8601String(),
],
],
]);
InventoryItem::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'external_id' => $externalId,
'policy_type' => $policyType,
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'etag' => 'E_CURRENT_1'],
'display_name' => $displayName,
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
$opService = app(OperationRunService::class);
$compareRun = $opService->ensureRunWithIdentity(
tenant: $tenant,
type: OperationRunType::BaselineCompare->value,
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'effective_scope' => ['policy_types' => [$policyType], 'foundation_types' => []],
],
initiator: $user,
);
(new CompareBaselineToTenantJob($compareRun))->handle(
app(BaselineSnapshotIdentity::class),
app(AuditLogger::class),
$opService,
);
$finding = Finding::query()
->where('tenant_id', (int) $tenant->getKey())
->where('source', 'baseline.compare')
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
->sole();
$evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
AssertsDriftEvidenceContract::assertValid($evidence);
expect((string) ($evidence['change_type'] ?? ''))->toBe('different_version');
expect(data_get($evidence, 'summary.kind'))->toBe('policy_snapshot');
expect(data_get($evidence, 'baseline.policy_version_id'))->toBe((int) $baselineVersion->getKey());
expect(data_get($evidence, 'current.policy_version_id'))->toBe((int) $currentVersion->getKey());
expect(data_get($evidence, 'provenance.baseline_profile_id'))->toBe((int) $profile->getKey());
expect(data_get($evidence, 'provenance.baseline_snapshot_id'))->toBe((int) $snapshot->getKey());
expect(data_get($evidence, 'provenance.compare_operation_run_id'))->toBe((int) $compareRun->getKey());
expect(data_get($evidence, 'provenance.inventory_sync_run_id'))->toBe((int) $inventorySyncRun->getKey());
});
it('writes diff-compatible drift evidence for missing_policy drift findings', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$policyType = 'deviceConfiguration';
$displayName = 'Policy Alpha';
$subjectKey = BaselineSubjectKey::fromDisplayName($displayName);
expect($subjectKey)->not->toBeNull();
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => [$policyType], 'foundation_types' => []],
]);
$baselineCapturedAt = CarbonImmutable::now()->subHours(2)->setMicrosecond(123456);
$snapshot = BaselineSnapshot::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
'captured_at' => $baselineCapturedAt->subSecond(),
]);
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $tenant,
statusByType: [$policyType => 'succeeded'],
);
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'external_id' => 'policy-alpha-uuid',
'policy_type' => $policyType,
'platform' => 'windows10',
'display_name' => $displayName,
]);
$baselineVersion = PolicyVersion::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_id' => (int) $policy->getKey(),
'policy_type' => $policyType,
'platform' => 'windows10',
'version_number' => 1,
'captured_at' => $baselineCapturedAt,
'snapshot' => ['etag' => 'E_BASELINE'],
'assignments' => [],
'scope_tags' => ['ids' => ['0'], 'names' => ['Default']],
]);
$baselineHash = expectedPolicyVersionContentHash(
snapshot: is_array($baselineVersion->snapshot) ? $baselineVersion->snapshot : [],
policyType: $policyType,
platform: is_string($baselineVersion->platform) ? $baselineVersion->platform : null,
assignments: is_array($baselineVersion->assignments) ? $baselineVersion->assignments : [],
scopeTags: is_array($baselineVersion->scope_tags) ? $baselineVersion->scope_tags : [],
secretFingerprints: is_array($baselineVersion->secret_fingerprints) ? $baselineVersion->secret_fingerprints : [],
redactionVersion: is_numeric($baselineVersion->redaction_version) ? (int) $baselineVersion->redaction_version : null,
);
$workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId($policyType, (string) $subjectKey);
BaselineSnapshotItem::factory()->create([
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'subject_type' => 'policy',
'subject_external_id' => $workspaceSafeExternalId,
'subject_key' => (string) $subjectKey,
'policy_type' => $policyType,
'baseline_hash' => $baselineHash,
'meta_jsonb' => [
'display_name' => $displayName,
'evidence' => [
'fidelity' => 'content',
'source' => 'policy_version',
'observed_at' => $baselineCapturedAt->toIso8601String(),
],
],
]);
$opService = app(OperationRunService::class);
$compareRun = $opService->ensureRunWithIdentity(
tenant: $tenant,
type: OperationRunType::BaselineCompare->value,
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'effective_scope' => ['policy_types' => [$policyType], 'foundation_types' => []],
],
initiator: $user,
);
(new CompareBaselineToTenantJob($compareRun))->handle(
app(BaselineSnapshotIdentity::class),
app(AuditLogger::class),
$opService,
);
$finding = Finding::query()
->where('tenant_id', (int) $tenant->getKey())
->where('source', 'baseline.compare')
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
->sole();
$evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
AssertsDriftEvidenceContract::assertValid($evidence);
expect((string) ($evidence['change_type'] ?? ''))->toBe('missing_policy');
expect(data_get($evidence, 'summary.kind'))->toBe('policy_snapshot');
expect(data_get($evidence, 'baseline.policy_version_id'))->toBe((int) $baselineVersion->getKey());
expect(data_get($evidence, 'current.policy_version_id'))->toBeNull();
expect(data_get($evidence, 'provenance.baseline_profile_id'))->toBe((int) $profile->getKey());
expect(data_get($evidence, 'provenance.baseline_snapshot_id'))->toBe((int) $snapshot->getKey());
expect(data_get($evidence, 'provenance.compare_operation_run_id'))->toBe((int) $compareRun->getKey());
expect(data_get($evidence, 'provenance.inventory_sync_run_id'))->toBe((int) $inventorySyncRun->getKey());
});
Reference in New Issue View Git Blame Copy Permalink