TenantAtlas/tests/Feature/Baselines/BaselineCompareDriftEvidenceContractRbacTest.php

<?php

use App\Jobs\CompareBaselineToTenantJob;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Models\Finding;
use App\Models\InventoryItem;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Baselines\Evidence\ContentEvidenceProvider;
use App\Services\Intune\AuditLogger;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\OperationRunType;
use Carbon\CarbonImmutable;
use Tests\Support\AssertsDriftEvidenceContract;

function rbacContractSnapshot(
    string $displayName,
    string $description,
    bool $isBuiltIn,
    array $allowedActions,
    array $deniedActions = [],
    ?string $condition = null,
): array {
    return [
        'displayName' => $displayName,
        'description' => $description,
        'isBuiltIn' => $isBuiltIn,
        'rolePermissions' => [
            [
                'resourceActions' => [
                    array_filter([
                        'allowedResourceActions' => $allowedActions,
                        'notAllowedResourceActions' => $deniedActions,
                        'condition' => $condition,
                    ], static fn (mixed $value): bool => $value !== null),
                ],
            ],
        ],
        'roleScopeTagIds' => ['0'],
    ];
}

function rbacContractPolicy(
    \App\Models\Tenant $tenant,
    string $externalId,
    string $displayName,
): Policy {
    return Policy::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'external_id' => $externalId,
        'policy_type' => 'intuneRoleDefinition',
        'platform' => 'all',
        'display_name' => $displayName,
    ]);
}

function rbacContractVersion(
    Policy $policy,
    CarbonImmutable $capturedAt,
    int $versionNumber,
    array $snapshot,
): PolicyVersion {
    return PolicyVersion::factory()->create([
        'tenant_id' => (int) $policy->tenant_id,
        'policy_id' => (int) $policy->getKey(),
        'policy_type' => 'intuneRoleDefinition',
        'platform' => 'all',
        'version_number' => $versionNumber,
        'captured_at' => $capturedAt,
        'snapshot' => $snapshot,
        'assignments' => [],
        'scope_tags' => [],
    ]);
}

function rbacContractBaselineItem(
    BaselineSnapshot $snapshot,
    PolicyVersion $version,
    string $externalId,
    string $displayName,
    bool $isBuiltIn,
    int $rolePermissionCount = 1,
): BaselineSnapshotItem {
    $subjectKey = BaselineSubjectKey::forPolicy('intuneRoleDefinition', $displayName, $externalId);
    $workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalIdForPolicy('intuneRoleDefinition', $displayName, $externalId);

    expect($subjectKey)->not->toBeNull();
    expect($workspaceSafeExternalId)->not->toBeNull();

    $hash = app(ContentEvidenceProvider::class)->fromPolicyVersion(
        version: $version,
        subjectExternalId: (string) $workspaceSafeExternalId,
    )->hash;

    return BaselineSnapshotItem::factory()->create([
        'baseline_snapshot_id' => (int) $snapshot->getKey(),
        'subject_type' => 'policy',
        'subject_external_id' => (string) $workspaceSafeExternalId,
        'subject_key' => (string) $subjectKey,
        'policy_type' => 'intuneRoleDefinition',
        'baseline_hash' => $hash,
        'meta_jsonb' => [
            'display_name' => $displayName,
            'evidence' => [
                'fidelity' => 'content',
                'source' => 'policy_version',
                'observed_at' => $version->captured_at?->toIso8601String(),
            ],
            'identity' => [
                'strategy' => 'external_id',
                'subject_key' => (string) $subjectKey,
                'workspace_subject_external_id' => (string) $workspaceSafeExternalId,
            ],
            'version_reference' => [
                'policy_version_id' => (int) $version->getKey(),
                'capture_purpose' => 'baseline_capture',
            ],
            'rbac' => [
                'is_built_in' => $isBuiltIn,
                'role_permission_count' => $rolePermissionCount,
            ],
        ],
    ]);
}

function rbacContractInventoryItem(
    \App\Models\Tenant $tenant,
    int $inventorySyncRunId,
    string $externalId,
    string $displayName,
    bool $isBuiltIn,
    int $rolePermissionCount = 1,
): InventoryItem {
    return InventoryItem::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'workspace_id' => (int) $tenant->workspace_id,
        'external_id' => $externalId,
        'policy_type' => 'intuneRoleDefinition',
        'display_name' => $displayName,
        'category' => 'RBAC',
        'platform' => 'all',
        'meta_jsonb' => [
            'odata_type' => '#microsoft.graph.deviceAndAppManagementRoleDefinition',
            'is_built_in' => $isBuiltIn,
            'role_permission_count' => $rolePermissionCount,
        ],
        'last_seen_operation_run_id' => $inventorySyncRunId,
        'last_seen_at' => now(),
    ]);
}

function rbacContractRun(
    \App\Models\Tenant $tenant,
    \App\Models\User $user,
    BaselineProfile $profile,
    BaselineSnapshot $snapshot,
): \App\Models\OperationRun {
    return app(OperationRunService::class)->ensureRunWithIdentity(
        tenant: $tenant,
        type: OperationRunType::BaselineCompare->value,
        identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
        context: [
            'baseline_profile_id' => (int) $profile->getKey(),
            'baseline_snapshot_id' => (int) $snapshot->getKey(),
            'effective_scope' => [
                'policy_types' => [],
                'foundation_types' => ['intuneRoleDefinition'],
            ],
        ],
        initiator: $user,
    );
}

it('writes RBAC evidence for modified role definition drift with readable normalized before and after content', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'scope_jsonb' => [
            'policy_types' => [],
            'foundation_types' => ['intuneRoleDefinition'],
        ],
    ]);

    $capturedAt = CarbonImmutable::parse('2026-03-08T10:00:00Z');

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
        'captured_at' => $capturedAt,
    ]);
    $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);

    $inventorySyncRun = createInventorySyncOperationRunWithCoverage(
        tenant: $tenant,
        statusByType: ['intuneRoleDefinition' => 'succeeded'],
        foundationTypes: ['intuneRoleDefinition'],
    );

    $policy = rbacContractPolicy($tenant, 'rbac-modified-role', 'Security Reader');
    $baselineVersion = rbacContractVersion(
        policy: $policy,
        capturedAt: $capturedAt,
        versionNumber: 1,
        snapshot: rbacContractSnapshot(
            displayName: 'Security Reader',
            description: 'Baseline role description',
            isBuiltIn: false,
            allowedActions: ['microsoft.intune/devices/read'],
        ),
    );
    $currentVersion = rbacContractVersion(
        policy: $policy,
        capturedAt: $capturedAt->addMinutes(10),
        versionNumber: 2,
        snapshot: rbacContractSnapshot(
            displayName: 'Security Reader',
            description: 'Updated role description',
            isBuiltIn: false,
            allowedActions: ['microsoft.intune/devices/read'],
        ),
    );

    rbacContractBaselineItem(
        snapshot: $snapshot,
        version: $baselineVersion,
        externalId: 'rbac-modified-role',
        displayName: 'Security Reader',
        isBuiltIn: false,
    );

    rbacContractInventoryItem(
        tenant: $tenant,
        inventorySyncRunId: (int) $inventorySyncRun->getKey(),
        externalId: 'rbac-modified-role',
        displayName: 'Security Reader',
        isBuiltIn: false,
    );

    $run = rbacContractRun($tenant, $user, $profile, $snapshot);

    (new CompareBaselineToTenantJob($run))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        app(OperationRunService::class),
    );

    $finding = Finding::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('source', 'baseline.compare')
        ->sole();

    $evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];

    AssertsDriftEvidenceContract::assertValid($evidence);

    expect(data_get($evidence, 'summary.kind'))->toBe('rbac_role_definition')
        ->and(data_get($evidence, 'rbac_role_definition.diff_kind'))->toBe('metadata_only')
        ->and(data_get($evidence, 'rbac_role_definition.changed_keys'))->toContain('Role definition > Description')
        ->and(data_get($evidence, 'rbac_role_definition.baseline.is_built_in'))->toBeFalse()
        ->and(data_get($evidence, 'rbac_role_definition.current.is_built_in'))->toBeFalse()
        ->and(data_get($evidence, 'rbac_role_definition.baseline.normalized.Role definition > Description'))->toBe('Baseline role description')
        ->and(data_get($evidence, 'rbac_role_definition.current.normalized.Role definition > Description'))->toBe('Updated role description');
});

it('writes RBAC evidence for missing role definition drift', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'scope_jsonb' => [
            'policy_types' => [],
            'foundation_types' => ['intuneRoleDefinition'],
        ],
    ]);

    $capturedAt = CarbonImmutable::parse('2026-03-08T10:00:00Z');

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
        'captured_at' => $capturedAt,
    ]);
    $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);

    createInventorySyncOperationRunWithCoverage(
        tenant: $tenant,
        statusByType: ['intuneRoleDefinition' => 'succeeded'],
        foundationTypes: ['intuneRoleDefinition'],
    );

    $policy = rbacContractPolicy($tenant, 'rbac-missing-role', 'Missing Role');
    $baselineVersion = rbacContractVersion(
        policy: $policy,
        capturedAt: $capturedAt,
        versionNumber: 1,
        snapshot: rbacContractSnapshot(
            displayName: 'Missing Role',
            description: 'Baseline-only role',
            isBuiltIn: true,
            allowedActions: ['microsoft.intune/devices/read'],
        ),
    );

    rbacContractBaselineItem(
        snapshot: $snapshot,
        version: $baselineVersion,
        externalId: 'rbac-missing-role',
        displayName: 'Missing Role',
        isBuiltIn: true,
    );

    $run = rbacContractRun($tenant, $user, $profile, $snapshot);

    (new CompareBaselineToTenantJob($run))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        app(OperationRunService::class),
    );

    $finding = Finding::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('source', 'baseline.compare')
        ->sole();

    $evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];

    AssertsDriftEvidenceContract::assertValid($evidence);

    expect(data_get($evidence, 'summary.kind'))->toBe('rbac_role_definition')
        ->and(data_get($evidence, 'rbac_role_definition.diff_kind'))->toBe('missing')
        ->and(data_get($evidence, 'rbac_role_definition.baseline.is_built_in'))->toBeTrue()
        ->and(data_get($evidence, 'rbac_role_definition.current.normalized'))->toBe([])
        ->and(data_get($evidence, 'rbac_role_definition.baseline.normalized.Role definition > Display name'))->toBe('Missing Role');
});

it('writes RBAC evidence for unexpected role definition drift', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'scope_jsonb' => [
            'policy_types' => [],
            'foundation_types' => ['intuneRoleDefinition'],
        ],
    ]);

    $capturedAt = CarbonImmutable::parse('2026-03-08T10:00:00Z');

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
        'captured_at' => $capturedAt,
    ]);
    $profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);

    $inventorySyncRun = createInventorySyncOperationRunWithCoverage(
        tenant: $tenant,
        statusByType: ['intuneRoleDefinition' => 'succeeded'],
        foundationTypes: ['intuneRoleDefinition'],
    );

    $policy = rbacContractPolicy($tenant, 'rbac-unexpected-role', 'Unexpected Role');
    rbacContractVersion(
        policy: $policy,
        capturedAt: $capturedAt->addMinutes(10),
        versionNumber: 1,
        snapshot: rbacContractSnapshot(
            displayName: 'Unexpected Role',
            description: 'Tenant-only role',
            isBuiltIn: false,
            allowedActions: ['microsoft.intune/devices/read'],
            deniedActions: ['microsoft.intune/devices/delete'],
        ),
    );

    rbacContractInventoryItem(
        tenant: $tenant,
        inventorySyncRunId: (int) $inventorySyncRun->getKey(),
        externalId: 'rbac-unexpected-role',
        displayName: 'Unexpected Role',
        isBuiltIn: false,
    );

    $run = rbacContractRun($tenant, $user, $profile, $snapshot);

    (new CompareBaselineToTenantJob($run))->handle(
        app(BaselineSnapshotIdentity::class),
        app(AuditLogger::class),
        app(OperationRunService::class),
    );

    $finding = Finding::query()
        ->where('tenant_id', (int) $tenant->getKey())
        ->where('source', 'baseline.compare')
        ->sole();

    $evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];

    AssertsDriftEvidenceContract::assertValid($evidence);

    expect(data_get($evidence, 'summary.kind'))->toBe('rbac_role_definition')
        ->and(data_get($evidence, 'rbac_role_definition.diff_kind'))->toBe('unexpected')
        ->and(data_get($evidence, 'rbac_role_definition.baseline.normalized'))->toBe([])
        ->and(data_get($evidence, 'rbac_role_definition.current.is_built_in'))->toBeFalse()
        ->and(data_get($evidence, 'rbac_role_definition.current.normalized.Role definition > Display name'))->toBe('Unexpected Role');
});