98 lines
4.2 KiB
PHP
98 lines
4.2 KiB
PHP
<?php
|
|
|
|
namespace App\Support;
|
|
|
|
use App\Support\ReasonTranslation\NextStepOption;
|
|
use App\Support\ReasonTranslation\ReasonResolutionEnvelope;
|
|
|
|
enum RbacReason: string
|
|
{
|
|
case MissingArtifacts = 'missing_artifacts';
|
|
case ServicePrincipalMissing = 'sp_missing';
|
|
case GroupMissing = 'group_missing';
|
|
case ServicePrincipalNotMember = 'sp_not_member';
|
|
case AssignmentMissing = 'assignment_missing';
|
|
case RoleMismatch = 'role_mismatch';
|
|
case ScopeMismatch = 'scope_mismatch';
|
|
case CanaryFailed = 'canary_failed';
|
|
case ManualAssignmentRequired = 'manual_assignment_required';
|
|
case UnsupportedApi = 'unsupported_api';
|
|
|
|
public function operatorLabel(): string
|
|
{
|
|
return match ($this) {
|
|
self::MissingArtifacts => 'RBAC setup incomplete',
|
|
self::ServicePrincipalMissing => 'Service principal missing',
|
|
self::GroupMissing => 'RBAC group missing',
|
|
self::ServicePrincipalNotMember => 'Service principal not in RBAC group',
|
|
self::AssignmentMissing => 'RBAC assignment missing',
|
|
self::RoleMismatch => 'RBAC role mismatch',
|
|
self::ScopeMismatch => 'RBAC scope mismatch',
|
|
self::CanaryFailed => 'RBAC validation needs review',
|
|
self::ManualAssignmentRequired => 'Manual role assignment required',
|
|
self::UnsupportedApi => 'RBAC API unsupported',
|
|
};
|
|
}
|
|
|
|
public function shortExplanation(): string
|
|
{
|
|
return match ($this) {
|
|
self::MissingArtifacts => 'TenantPilot could not find the RBAC artifacts required for this tenant.',
|
|
self::ServicePrincipalMissing => 'The provider app service principal could not be resolved in Microsoft Graph.',
|
|
self::GroupMissing => 'The configured Intune RBAC group could not be found.',
|
|
self::ServicePrincipalNotMember => 'The provider app service principal is not currently a member of the configured RBAC group.',
|
|
self::AssignmentMissing => 'No matching Intune RBAC assignment could be confirmed for this tenant.',
|
|
self::RoleMismatch => 'The existing Intune RBAC assignment uses a different role than expected.',
|
|
self::ScopeMismatch => 'The existing Intune RBAC assignment targets a different scope than expected.',
|
|
self::CanaryFailed => 'The RBAC canary checks reported a mismatch after setup completed.',
|
|
self::ManualAssignmentRequired => 'This tenant requires a manual Intune RBAC role assignment outside the automated API path.',
|
|
self::UnsupportedApi => 'This account type does not support the required Intune RBAC API path.',
|
|
};
|
|
}
|
|
|
|
public function actionability(): string
|
|
{
|
|
return match ($this) {
|
|
self::CanaryFailed => 'retryable_transient',
|
|
self::ManualAssignmentRequired => 'prerequisite_missing',
|
|
self::UnsupportedApi => 'non_actionable',
|
|
default => 'prerequisite_missing',
|
|
};
|
|
}
|
|
|
|
/**
|
|
* @return array<int, NextStepOption>
|
|
*/
|
|
public function nextSteps(): array
|
|
{
|
|
return match ($this) {
|
|
self::UnsupportedApi => [],
|
|
self::ManualAssignmentRequired => [
|
|
NextStepOption::instruction('Complete the Intune role assignment manually, then refresh RBAC status.', scope: 'tenant'),
|
|
],
|
|
self::CanaryFailed => [
|
|
NextStepOption::instruction('Review the RBAC canary checks and rerun the health check.', scope: 'tenant'),
|
|
],
|
|
default => [
|
|
NextStepOption::instruction('Review the RBAC setup and refresh the tenant RBAC status.', scope: 'tenant'),
|
|
],
|
|
};
|
|
}
|
|
|
|
/**
|
|
* @param array<string, mixed> $context
|
|
*/
|
|
public function toReasonResolutionEnvelope(string $surface = 'detail', array $context = []): ReasonResolutionEnvelope
|
|
{
|
|
return new ReasonResolutionEnvelope(
|
|
internalCode: $this->value,
|
|
operatorLabel: $this->operatorLabel(),
|
|
shortExplanation: $this->shortExplanation(),
|
|
actionability: $this->actionability(),
|
|
nextSteps: $this->nextSteps(),
|
|
showNoActionNeeded: $this->actionability() === 'non_actionable',
|
|
diagnosticCodeLabel: $this->value,
|
|
);
|
|
}
|
|
}
|