ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
6063f866a9
TenantAtlas/tests/Feature/Baselines/BaselineCaptureRbacRoleDefinitionsTest.php
ahmido ef41c9193a feat: add Intune RBAC baseline compare support (#156) 
## Summary
- add Intune RBAC Role Definition baseline scope support, capture references, compare classification, findings evidence, and landing/detail UI labels
- keep Intune Role Assignments explicitly excluded from baseline compare scope, summaries, findings, and restore messaging
- add focused Pest coverage for baseline scope selection, capture, compare behavior, recurrence, isolation, findings rendering, inventory anchoring, and RBAC summaries

## Verification
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Unit/Inventory/InventoryPolicyTypeMetaBaselineSupportTest.php tests/Unit/Baselines/BaselinePolicyVersionResolverTest.php tests/Unit/Baselines/BaselineScopeTest.php tests/Unit/IntuneRoleDefinitionNormalizerTest.php tests/Feature/Baselines/BaselineCaptureRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareDriftEvidenceContractRbacTest.php tests/Feature/Baselines/BaselineCompareCoverageGuardTest.php tests/Feature/Baselines/BaselineCompareCrossTenantMatchTest.php tests/Feature/Baselines/BaselineCompareFindingRecurrenceKeyTest.php tests/Feature/Baselines/BaselineCompareWhyNoFindingsReasonCodeTest.php tests/Feature/Filament/BaselineProfileFoundationScopeTest.php tests/Feature/Filament/BaselineSnapshotRbacRoleDefinitionsTest.php tests/Feature/Filament/BaselineCompareLandingRbacLabelsTest.php tests/Feature/Filament/FindingViewRbacEvidenceTest.php tests/Feature/Findings/FindingRecurrenceTest.php tests/Feature/Findings/DriftStaleAutoResolveTest.php tests/Feature/Inventory/InventorySyncButtonTest.php tests/Feature/Inventory/InventorySyncServiceTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php`
- result: `71 passed (467 assertions)`

## Filament / Platform Notes
- Livewire compliance: unchanged and compatible with Livewire v4.0+
- Provider registration: no panel/provider changes; `bootstrap/providers.php` remains the registration location
- Global search: no new globally searchable resource added; existing global search behavior is unchanged
- Destructive actions: no new destructive actions introduced; existing confirmed actions remain unchanged
- Assets: no new Filament assets introduced; deploy asset handling remains unchanged, including `php artisan filament:assets`
- Testing plan covered: baseline profile scope, snapshot detail, compare job, findings recurrence, findings detail, compare landing labels, inventory sync anchoring, and tenant isolation

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #156
2026-03-09 18:49:20 +00:00

153 lines
5.6 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Jobs\CaptureBaselineSnapshotJob;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Models\InventoryItem;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Baselines\InventoryMetaContract;
use App\Services\Intune\AuditLogger;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineSubjectKey;
it('captures intune role definitions with identity metadata and excludes role assignments from the baseline snapshot', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => (int) $tenant->workspace_id,
'scope_jsonb' => [
'policy_types' => [],
'foundation_types' => ['intuneRoleDefinition'],
],
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $tenant,
statusByType: [
'intuneRoleAssignment' => 'succeeded',
'intuneRoleDefinition' => 'succeeded',
],
foundationTypes: ['intuneRoleAssignment', 'intuneRoleDefinition'],
);
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'external_id' => 'role-def-1',
'display_name' => 'Security Reader',
'policy_type' => 'intuneRoleDefinition',
'platform' => 'all',
]);
$version = PolicyVersion::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_id' => (int) $policy->getKey(),
'policy_type' => 'intuneRoleDefinition',
'platform' => 'all',
'captured_at' => now()->subMinute(),
'snapshot' => [
'displayName' => 'Security Reader',
'description' => 'Security reporting role',
'isBuiltIn' => false,
'rolePermissions' => [
[
'resourceActions' => [
[
'allowedResourceActions' => ['Microsoft.Intune/managedDevices/read'],
],
],
],
],
],
]);
InventoryItem::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'external_id' => 'role-def-1',
'policy_type' => 'intuneRoleDefinition',
'display_name' => 'Security Reader',
'category' => 'RBAC',
'platform' => 'all',
'meta_jsonb' => [
'odata_type' => '#microsoft.graph.deviceAndAppManagementRoleDefinition',
'etag' => 'E-RBAC-1',
'is_built_in' => false,
'role_permission_count' => 1,
'warnings' => [],
],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
InventoryItem::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'external_id' => 'role-assignment-1',
'policy_type' => 'intuneRoleAssignment',
'display_name' => 'Security Reader Assignment',
'category' => 'RBAC',
'platform' => 'all',
'meta_jsonb' => [
'odata_type' => '#microsoft.graph.deviceAndAppManagementRoleAssignment',
'etag' => 'E-RBAC-A1',
'warnings' => [],
],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
$operationRuns = app(OperationRunService::class);
$run = $operationRuns->ensureRunWithIdentity(
tenant: $tenant,
type: 'baseline_capture',
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'source_tenant_id' => (int) $tenant->getKey(),
'effective_scope' => [
'policy_types' => [],
'foundation_types' => ['intuneRoleDefinition'],
],
],
initiator: $user,
);
(new CaptureBaselineSnapshotJob($run))->handle(
app(BaselineSnapshotIdentity::class),
app(InventoryMetaContract::class),
app(AuditLogger::class),
$operationRuns,
);
$snapshot = BaselineSnapshot::query()
->where('baseline_profile_id', (int) $profile->getKey())
->sole();
expect(BaselineSnapshotItem::query()->where('baseline_snapshot_id', (int) $snapshot->getKey())->count())->toBe(1);
$item = BaselineSnapshotItem::query()
->where('baseline_snapshot_id', (int) $snapshot->getKey())
->sole();
$expectedSubjectKey = BaselineSubjectKey::forPolicy('intuneRoleDefinition', 'Security Reader', 'role-def-1');
$expectedExternalReference = BaselineSubjectKey::workspaceSafeSubjectExternalIdForPolicy('intuneRoleDefinition', 'Security Reader', 'role-def-1');
expect($item->policy_type)->toBe('intuneRoleDefinition');
expect($item->subject_key)->toBe($expectedSubjectKey);
expect($item->subject_external_id)->toBe($expectedExternalReference);
expect($item->subject_external_id)->not->toBe('role-def-1');
$meta = is_array($item->meta_jsonb) ? $item->meta_jsonb : [];
expect(data_get($meta, 'identity.strategy'))->toBe('external_id');
expect(data_get($meta, 'rbac.is_built_in'))->toBeFalse();
expect(data_get($meta, 'rbac.role_permission_count'))->toBe(1);
expect(data_get($meta, 'version_reference.policy_version_id'))->toBe((int) $version->getKey());
expect(data_get($meta, 'evidence.source'))->toBe('policy_version');
});
Reference in New Issue View Git Blame Copy Permalink