Implements Spec 104: Provider Permission Posture. What changed - Generates permission posture findings after each tenant permission compare (queued) - Stores immutable posture snapshots as StoredReports (JSONB payload) - Adds global Finding resolved lifecycle (`resolved_at`, `resolved_reason`) with `resolve()` / `reopen()` - Adds alert pipeline event type `permission_missing` (Alerts v1) and Filament option for Alert Rules - Adds retention pruning command + daily schedule for StoredReports - Adds badge mappings for `resolved` finding status and `permission_posture` finding type UX fixes discovered during manual verification - Hide “Diff” section for non-drift findings (only drift findings show diff) - Required Permissions page: “Re-run verification” now links to Tenant view (not onboarding) - Preserve Technical Details `<details>` open state across Livewire re-renders (Alpine state) Verification - Ran `vendor/bin/sail artisan test --compact --filter=PermissionPosture` (50 tests) - Ran `vendor/bin/sail artisan test --compact --filter="FindingResolved|FindingBadge|PermissionMissingAlert"` (20 tests) - Ran `vendor/bin/sail bin pint --dirty` Filament v5 / Livewire v4 compliance - Filament v5 + Livewire v4: no Livewire v3 usage. Panel provider registration (Laravel 11+) - No new panels added. Existing panel providers remain registered via `bootstrap/providers.php`. Global search rule - No changes to global-searchable resources. Destructive actions - No new destructive Filament actions were added in this PR. Assets / deploy notes - No new Filament assets registered. Existing deploy step `php artisan filament:assets` remains unchanged. Test coverage - New/updated Pest feature tests cover generator behavior, job integration, alerting, retention pruning, and resolved lifecycle. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #127
<?php
return [

    /*
    |--------------------------------------------------------------------------
    | Break-glass access
    |--------------------------------------------------------------------------
    |
    | Only the on/off switch and a TTL are defined here; enforcement lives in
    | whichever component reads `break_glass`. Disabled unless the environment
    | explicitly opts in. The explicit casts normalise whatever string the
    | environment supplies.
    | NOTE(review): no bounds are applied to `ttl_minutes` here — confirm the
    | consumer rejects a value <= 0 rather than treating it as "no expiry".
    |
    */
    'break_glass' => [
        'enabled' => (bool) env('BREAK_GLASS_ENABLED', false),
        'ttl_minutes' => (int) env('BREAK_GLASS_TTL_MINUTES', 15),
    ],

    /*
    |--------------------------------------------------------------------------
    | Supported policy types
    |--------------------------------------------------------------------------
    |
    | One entry per Graph-backed policy type the application knows how to back
    | up / restore. Keys used by every entry:
    |
    |   type      internal identifier (camelCase)
    |   label     human-readable name shown in the UI
    |   category  grouping label
    |   platform  one of: all | windows | macOS | mobile
    |   endpoint  Graph path, relative to the API root
    |   filter    optional OData `$filter` applied to `endpoint`
    |   backup    full | metadata-only
    |   restore   enabled | preview-only
    |   risk      low | low-medium | medium | medium-high | high
    |
    | How `backup`, `restore` and `risk` are acted on is decided by the code
    | that consumes this list, not here.
    |
    | NOTE(review): several entries share one `endpoint` without a `filter`
    | (three on deviceManagement/configurationPolicies, four on
    | deviceManagement/deviceEnrollmentConfigurations). The deviceConfiguration /
    | windowsUpdateRing pair shows the intended pattern — complementary `isof`
    | filters so each type sees only its own objects. Verify the fetcher
    | discriminates the unfiltered ones by `@odata.type` (or
    | `deviceEnrollmentConfigurationType`, as the notification entry does);
    | otherwise each of those types pulls, and may restore, the whole
    | collection.
    |
    */
    'supported_policy_types' => [
        // Generic device configuration; the `not isof(...)` filter excludes the
        // Windows Update for Business ring profiles, which have their own entry
        // (windowsUpdateRing) on the same endpoint.
        [
            'type' => 'deviceConfiguration',
            'label' => 'Device Configuration',
            'category' => 'Configuration',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/deviceConfigurations',
            'filter' => "not isof('microsoft.graph.windowsUpdateForBusinessConfiguration')",
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium',
        ],
        [
            'type' => 'groupPolicyConfiguration',
            'label' => 'Administrative Templates',
            'category' => 'Configuration',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/groupPolicyConfigurations',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium',
        ],
        // Shares deviceManagement/configurationPolicies with endpointSecurityPolicy
        // and securityBaselinePolicy below; no filter distinguishes them here.
        [
            'type' => 'settingsCatalogPolicy',
            'label' => 'Settings Catalog Policy',
            'category' => 'Configuration',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/configurationPolicies',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium',
        ],
        // Complement of the deviceConfiguration filter above: only the Windows
        // Update for Business ring profiles.
        [
            'type' => 'windowsUpdateRing',
            'label' => 'Software Update Ring',
            'category' => 'Update Management',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/deviceConfigurations',
            'filter' => "isof('microsoft.graph.windowsUpdateForBusinessConfiguration')",
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium-high',
        ],
        [
            'type' => 'windowsFeatureUpdateProfile',
            'label' => 'Feature Updates (Windows)',
            'category' => 'Update Management',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/windowsFeatureUpdateProfiles',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'high',
        ],
        [
            'type' => 'windowsQualityUpdateProfile',
            'label' => 'Quality Updates (Windows)',
            'category' => 'Update Management',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/windowsQualityUpdateProfiles',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'high',
        ],
        [
            'type' => 'windowsDriverUpdateProfile',
            'label' => 'Driver Updates (Windows)',
            'category' => 'Update Management',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/windowsDriverUpdateProfiles',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'high',
        ],
        [
            'type' => 'deviceCompliancePolicy',
            'label' => 'Device Compliance',
            'category' => 'Compliance',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/deviceCompliancePolicies',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium',
        ],
        [
            'type' => 'appProtectionPolicy',
            'label' => 'App Protection (MAM)',
            'category' => 'Apps/MAM',
            'platform' => 'mobile',
            'endpoint' => 'deviceAppManagement/managedAppPolicies',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium-high',
        ],
        [
            'type' => 'mamAppConfiguration',
            'label' => 'App Configuration (MAM)',
            'category' => 'Apps/MAM',
            'platform' => 'mobile',
            'endpoint' => 'deviceAppManagement/targetedManagedAppConfigurations',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium-high',
        ],
        // The filter keeps every non-Android-managed-store configuration plus
        // the Android ones that do not rely on OEMConfig.
        [
            'type' => 'managedDeviceAppConfiguration',
            'label' => 'App Configuration (Device)',
            'category' => 'Apps/MAM',
            'platform' => 'mobile',
            'endpoint' => 'deviceAppManagement/mobileAppConfigurations',
            'filter' => "microsoft.graph.androidManagedStoreAppConfiguration/appSupportsOemConfig eq false or isof('microsoft.graph.androidManagedStoreAppConfiguration') eq false",
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium-high',
        ],
        // Identity-plane object (not under deviceManagement). Restore is
        // preview-only here. NOTE(review): keep it that way unless a guarded
        // write path exists — a mis-applied CA policy is the classic admin
        // lock-out scenario.
        [
            'type' => 'conditionalAccessPolicy',
            'label' => 'Conditional Access',
            'category' => 'Conditional Access',
            'platform' => 'all',
            'endpoint' => 'identity/conditionalAccess/policies',
            'backup' => 'full',
            'restore' => 'preview-only',
            'risk' => 'high',
        ],
        // Script-bearing types. Whether script bodies are shown in the UI is
        // governed by `display.show_script_content` at the bottom of this file.
        [
            'type' => 'deviceManagementScript',
            'label' => 'PowerShell Scripts',
            'category' => 'Scripts',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/deviceManagementScripts',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium',
        ],
        [
            'type' => 'deviceShellScript',
            'label' => 'macOS Shell Scripts',
            'category' => 'Scripts',
            'platform' => 'macOS',
            'endpoint' => 'deviceManagement/deviceShellScripts',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium',
        ],
        [
            'type' => 'deviceHealthScript',
            'label' => 'Proactive Remediations',
            'category' => 'Scripts',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/deviceHealthScripts',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium',
        ],
        [
            'type' => 'deviceComplianceScript',
            'label' => 'Custom Compliance Scripts',
            'category' => 'Compliance',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/deviceComplianceScripts',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium-high',
        ],
        [
            'type' => 'windowsAutopilotDeploymentProfile',
            'label' => 'Windows Autopilot Profiles',
            'category' => 'Autopilot',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/windowsAutopilotDeploymentProfiles',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium-high',
        ],
        // Enrollment configurations. Five entries share
        // deviceManagement/deviceEnrollmentConfigurations; only the
        // notification entry carries a discriminating filter (see the
        // section note above). ESP is the only one with restore enabled.
        [
            'type' => 'windowsEnrollmentStatusPage',
            'label' => 'Enrollment Status Page (ESP)',
            'category' => 'Enrollment',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/deviceEnrollmentConfigurations',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium',
        ],
        [
            'type' => 'deviceEnrollmentLimitConfiguration',
            'label' => 'Enrollment Limits',
            'category' => 'Enrollment',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/deviceEnrollmentConfigurations',
            'backup' => 'full',
            'restore' => 'preview-only',
            'risk' => 'high',
        ],
        [
            'type' => 'deviceEnrollmentPlatformRestrictionsConfiguration',
            'label' => 'Platform Restrictions (Enrollment)',
            'category' => 'Enrollment',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/deviceEnrollmentConfigurations',
            'backup' => 'full',
            'restore' => 'preview-only',
            'risk' => 'high',
        ],
        [
            'type' => 'deviceEnrollmentNotificationConfiguration',
            'label' => 'Enrollment Notifications',
            'category' => 'Enrollment',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/deviceEnrollmentConfigurations',
            'filter' => "deviceEnrollmentConfigurationType eq 'EnrollmentNotificationsConfiguration'",
            'backup' => 'full',
            'restore' => 'preview-only',
            'risk' => 'high',
        ],
        [
            'type' => 'enrollmentRestriction',
            'label' => 'Enrollment Restrictions',
            'category' => 'Enrollment',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/deviceEnrollmentConfigurations',
            'backup' => 'full',
            'restore' => 'preview-only',
            'risk' => 'high',
        ],
        [
            'type' => 'termsAndConditions',
            'label' => 'Terms & Conditions',
            'category' => 'Enrollment',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/termsAndConditions',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'medium-high',
        ],
        // Endpoint security. Intents use their own endpoint; the two
        // configurationPolicies-based entries are unfiltered and also overlap
        // settingsCatalogPolicy above.
        [
            'type' => 'endpointSecurityIntent',
            'label' => 'Endpoint Security Intents',
            'category' => 'Endpoint Security',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/intents',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'high',
        ],
        [
            'type' => 'endpointSecurityPolicy',
            'label' => 'Endpoint Security Policies',
            'category' => 'Endpoint Security',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/configurationPolicies',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'high',
        ],
        [
            'type' => 'securityBaselinePolicy',
            'label' => 'Security Baselines',
            'category' => 'Endpoint Security',
            'platform' => 'windows',
            'endpoint' => 'deviceManagement/configurationPolicies',
            'backup' => 'full',
            'restore' => 'preview-only',
            'risk' => 'high',
        ],
        // The only `metadata-only` backup in the list (no package/content).
        // NOTE(review): restore is nonetheless `enabled` — confirm what a
        // restore from metadata alone is expected to produce.
        [
            'type' => 'mobileApp',
            'label' => 'Applications (Metadata only)',
            'category' => 'Applications',
            'platform' => 'all',
            'endpoint' => 'deviceAppManagement/mobileApps',
            'backup' => 'metadata-only',
            'restore' => 'enabled',
            'risk' => 'low-medium',
        ],
    ],

    /*
    |--------------------------------------------------------------------------
    | Foundation types
    |--------------------------------------------------------------------------
    |
    | Same entry schema as `supported_policy_types`. These are objects that
    | policies reference (filters, scope tags, notification templates); all
    | three are low-risk, fully backed up and restorable. Whether the consumer
    | restores these before the policies that reference them is not decided
    | here — presumably it does; verify against the restore pipeline.
    |
    */
    'foundation_types' => [
        [
            'type' => 'assignmentFilter',
            'label' => 'Assignment Filter',
            'category' => 'Foundations',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/assignmentFilters',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'low',
        ],
        [
            'type' => 'roleScopeTag',
            'label' => 'Scope Tag',
            'category' => 'Foundations',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/roleScopeTags',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'low',
        ],
        [
            'type' => 'notificationMessageTemplate',
            'label' => 'Notification Message Template',
            'category' => 'Foundations',
            'platform' => 'all',
            'endpoint' => 'deviceManagement/notificationMessageTemplates',
            'backup' => 'full',
            'restore' => 'enabled',
            'risk' => 'low',
        ],
    ],

    /*
    |--------------------------------------------------------------------------
    | Feature flags
    |--------------------------------------------------------------------------
    |
    | Hard-coded (not env-driven) in this file. Turning `conditional_access`
    | off here is the only switch visible for the identity-plane type above.
    |
    */
    'features' => [
        'conditional_access' => true,
    ],

    /*
    |--------------------------------------------------------------------------
    | Bulk operations
    |--------------------------------------------------------------------------
    |
    | Tunables for bulk jobs and the UI that polls them. Units are in the key
    | names. `concurrency.per_target_scope_max` defaults to 1 and
    | `lock_ttl_seconds` to 900 (15 min) — presumably the lock that serialises
    | work per target scope; confirm the TTL is longer than the longest
    | expected bulk run, otherwise two runs can overlap after the lock expires.
    |
    */
    'bulk_operations' => [
        'chunk_size' => (int) env('TENANTPILOT_BULK_CHUNK_SIZE', 10),
        'poll_interval_seconds' => (int) env('TENANTPILOT_BULK_POLL_INTERVAL_SECONDS', 3),
        'recent_finished_seconds' => (int) env('TENANTPILOT_BULK_RECENT_FINISHED_SECONDS', 12),
        'progress_widget_enabled' => (bool) env('TENANTPILOT_BULK_PROGRESS_WIDGET_ENABLED', true),
        'concurrency' => [
            'per_target_scope_max' => (int) env('TENANTPILOT_BULK_CONCURRENCY_PER_TARGET_SCOPE_MAX', 1),
            'lock_ttl_seconds' => (int) env('TENANTPILOT_BULK_CONCURRENCY_LOCK_TTL_SECONDS', 900),
        ],
    ],

    /*
    |--------------------------------------------------------------------------
    | Inventory sync
    |--------------------------------------------------------------------------
    |
    | Concurrency caps: at most 2 syncs overall and 1 per tenant by default.
    |
    */
    'inventory_sync' => [
        'concurrency' => [
            'global_max' => (int) env('TENANTPILOT_INVENTORY_SYNC_CONCURRENCY_GLOBAL_MAX', 2),
            'per_tenant_max' => (int) env('TENANTPILOT_INVENTORY_SYNC_CONCURRENCY_PER_TENANT_MAX', 1),
        ],
    ],

    /*
    |--------------------------------------------------------------------------
    | Alerts
    |--------------------------------------------------------------------------
    |
    | Evaluation and delivery settings for the alert pipeline. Delivery is
    | retried up to `delivery_max_attempts` times with a back-off that starts
    | at `delivery_retry_base_seconds` and is capped at
    | `delivery_retry_max_seconds` (the exact back-off curve is implemented by
    | the consumer). Delivery records are kept `delivery_retention_days` days.
    | `http_timeout_seconds` presumably bounds outbound delivery calls —
    | keep it finite so a slow webhook endpoint cannot stall a delivery batch.
    |
    */
    'alerts' => [
        'enabled' => (bool) env('TENANTPILOT_ALERTS_ENABLED', true),
        'evaluate_initial_lookback_minutes' => (int) env('TENANTPILOT_ALERTS_EVALUATE_INITIAL_LOOKBACK_MINUTES', 15),
        'delivery_retention_days' => (int) env('TENANTPILOT_ALERTS_DELIVERY_RETENTION_DAYS', 90),
        'delivery_max_attempts' => (int) env('TENANTPILOT_ALERTS_DELIVERY_MAX_ATTEMPTS', 3),
        'delivery_retry_base_seconds' => (int) env('TENANTPILOT_ALERTS_DELIVERY_RETRY_BASE_SECONDS', 60),
        'delivery_retry_max_seconds' => (int) env('TENANTPILOT_ALERTS_DELIVERY_RETRY_MAX_SECONDS', 900),
        'deliver_batch_size' => (int) env('TENANTPILOT_ALERTS_DELIVER_BATCH_SIZE', 200),
        'http_timeout_seconds' => (int) env('TENANTPILOT_ALERTS_HTTP_TIMEOUT_SECONDS', 10),
    ],

    /*
    |--------------------------------------------------------------------------
    | Stored reports
    |--------------------------------------------------------------------------
    |
    | Retention window read by the daily pruning command for StoredReports
    | (the immutable permission-posture snapshots). Lowering this shortens the
    | audit trail available to reviewers.
    |
    */
    'stored_reports' => [
        'retention_days' => (int) env('TENANTPILOT_STORED_REPORTS_RETENTION_DAYS', 90),
    ],

    /*
    |--------------------------------------------------------------------------
    | Display
    |--------------------------------------------------------------------------
    |
    | `show_script_content` is off by default: script bodies backed up from the
    | Scripts types above are only rendered when an operator opts in, and then
    | truncated at `max_script_content_chars`. NOTE(review): leave the default
    | off in shared deployments — management scripts routinely carry embedded
    | credentials or tokens.
    |
    */
    'display' => [
        'show_script_content' => (bool) env('TENANTPILOT_SHOW_SCRIPT_CONTENT', false),
        'max_script_content_chars' => (int) env('TENANTPILOT_MAX_SCRIPT_CONTENT_CHARS', 5000),
    ],
];