ahmido
6a15fe978a
## Summary Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support. ## What's included ### Core Services - **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication - **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog - **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.) - **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline ### UI - **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button - RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger ### Infrastructure - Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments` - `config/entra_permissions.php` — Entra permission registry - `StoredReport.fingerprint` migration (deduplication support) - `OperationCatalog` label + duration for `entra.admin_roles.scan` - Artisan command `entra:scan-admin-roles` for CLI/scheduled use ### Global UX improvement - **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications. ## Test Coverage - **12 test files**, **79+ tests**, **307+ assertions** - Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping ## Spec artifacts - `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete) - `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked ## Files changed 46 files changed, 3641 insertions(+), 15 deletions(-) Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #128
70 lines
1.9 KiB
PHP
70 lines
1.9 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Models;
|
|
|
|
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
|
use Illuminate\Database\Eloquent\Model;
|
|
use Illuminate\Database\Eloquent\Relations\BelongsTo;
|
|
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
|
|
use Illuminate\Database\Eloquent\Relations\HasMany;
|
|
|
|
class AlertRule extends Model
|
|
{
|
|
use HasFactory;
|
|
|
|
public const string EVENT_HIGH_DRIFT = 'high_drift';
|
|
|
|
public const string EVENT_COMPARE_FAILED = 'compare_failed';
|
|
|
|
public const string EVENT_SLA_DUE = 'sla_due';
|
|
|
|
public const string EVENT_PERMISSION_MISSING = 'permission_missing';
|
|
|
|
public const string EVENT_ENTRA_ADMIN_ROLES_HIGH = 'entra.admin_roles.high';
|
|
|
|
public const string TENANT_SCOPE_ALL = 'all';
|
|
|
|
public const string TENANT_SCOPE_ALLOWLIST = 'allowlist';
|
|
|
|
protected $guarded = [];
|
|
|
|
protected $casts = [
|
|
'is_enabled' => 'boolean',
|
|
'tenant_allowlist' => 'array',
|
|
'cooldown_seconds' => 'integer',
|
|
'quiet_hours_enabled' => 'boolean',
|
|
];
|
|
|
|
public function workspace(): BelongsTo
|
|
{
|
|
return $this->belongsTo(Workspace::class);
|
|
}
|
|
|
|
public function destinations(): BelongsToMany
|
|
{
|
|
return $this->belongsToMany(AlertDestination::class, 'alert_rule_destinations')
|
|
->using(AlertRuleDestination::class)
|
|
->withPivot(['id', 'workspace_id'])
|
|
->withTimestamps();
|
|
}
|
|
|
|
public function deliveries(): HasMany
|
|
{
|
|
return $this->hasMany(AlertDelivery::class);
|
|
}
|
|
|
|
public function appliesToTenant(int $tenantId): bool
|
|
{
|
|
if ($this->tenant_scope_mode !== self::TENANT_SCOPE_ALLOWLIST) {
|
|
return true;
|
|
}
|
|
|
|
$allowlist = is_array($this->tenant_allowlist) ? $this->tenant_allowlist : [];
|
|
$allowlist = array_values(array_unique(array_map(static fn (mixed $value): int => (int) $value, $allowlist)));
|
|
|
|
return in_array($tenantId, $allowlist, true);
|
|
}
|
|
}
|