ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
6a15fe978a
TenantAtlas/tests/Feature/EntraAdminRoles/AdminRolesAlertIntegrationTest.php
ahmido 6a15fe978a feat: Spec 105 — Entra Admin Roles Evidence + Findings (#128) 
## Summary

Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support.

## What's included

### Core Services
- **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication
- **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog
- **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.)
- **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline

### UI
- **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button
- RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger

### Infrastructure
- Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments`
- `config/entra_permissions.php` — Entra permission registry
- `StoredReport.fingerprint` migration (deduplication support)
- `OperationCatalog` label + duration for `entra.admin_roles.scan`
- Artisan command `entra:scan-admin-roles` for CLI/scheduled use

### Global UX improvement
- **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications.

## Test Coverage
- **12 test files**, **79+ tests**, **307+ assertions**
- Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping

## Spec artifacts
- `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete)
- `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked

## Files changed
46 files changed, 3641 insertions(+), 15 deletions(-)

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #128
2026-02-22 02:37:36 +00:00

185 lines
6.9 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Filament\Resources\AlertRuleResource;
use App\Models\AlertDelivery;
use App\Models\AlertDestination;
use App\Models\AlertRule;
use App\Models\Finding;
use App\Services\Alerts\AlertDispatchService;
use App\Support\Workspaces\WorkspaceContext;
use Carbon\CarbonImmutable;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
function createEntraAlertRuleWithDestination(int $workspaceId, string $minSeverity, int $cooldownSeconds = 0): array
{
$destination = AlertDestination::factory()->create([
'workspace_id' => $workspaceId,
'is_enabled' => true,
]);
$rule = AlertRule::factory()->create([
'workspace_id' => $workspaceId,
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
'minimum_severity' => $minSeverity,
'is_enabled' => true,
'cooldown_seconds' => $cooldownSeconds,
]);
$rule->destinations()->attach($destination->getKey(), [
'workspace_id' => $workspaceId,
]);
return [$rule, $destination];
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
it('queues delivery when entra admin role finding matches alert rule severity', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
[$rule, $destination] = createEntraAlertRuleWithDestination($workspaceId, 'high');
$finding = Finding::factory()->entraAdminRoles()->create([
'workspace_id' => $workspaceId,
'tenant_id' => $tenant->getKey(),
'severity' => Finding::SEVERITY_CRITICAL,
'status' => Finding::STATUS_NEW,
]);
$event = [
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
'tenant_id' => (int) $tenant->getKey(),
'severity' => Finding::SEVERITY_CRITICAL,
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
'title' => 'High-privilege Entra admin role detected',
'body' => 'Role "Global Administrator" assigned to Alice Admin (severity: critical).',
'metadata' => ['finding_id' => (int) $finding->getKey()],
];
$dispatchService = app(AlertDispatchService::class);
$workspace = \App\Models\Workspace::query()->find($workspaceId);
$created = $dispatchService->dispatchEvent($workspace, $event);
expect($created)->toBe(1);
$delivery = AlertDelivery::query()
->where('workspace_id', $workspaceId)
->where('event_type', AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
->first();
expect($delivery)->not->toBeNull()
->and($delivery->status)->toBe(AlertDelivery::STATUS_QUEUED)
->and($delivery->severity)->toBe(Finding::SEVERITY_CRITICAL);
});
it('does not queue delivery when finding severity is below minimum', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
[$rule, $destination] = createEntraAlertRuleWithDestination($workspaceId, 'critical');
$event = [
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
'tenant_id' => (int) $tenant->getKey(),
'severity' => Finding::SEVERITY_HIGH,
'fingerprint_key' => 'finding:999',
'title' => 'High-privilege Entra admin role detected',
'body' => 'Role "Privileged Role Administrator" assigned to Bob (severity: high).',
'metadata' => [],
];
$dispatchService = app(AlertDispatchService::class);
$workspace = \App\Models\Workspace::query()->find($workspaceId);
$created = $dispatchService->dispatchEvent($workspace, $event);
expect($created)->toBe(0);
});
it('suppresses duplicate delivery via fingerprint cooldown', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
[$rule, $destination] = createEntraAlertRuleWithDestination($workspaceId, 'high', cooldownSeconds: 3600);
$finding = Finding::factory()->entraAdminRoles()->create([
'workspace_id' => $workspaceId,
'tenant_id' => $tenant->getKey(),
'severity' => Finding::SEVERITY_CRITICAL,
'status' => Finding::STATUS_NEW,
]);
$event = [
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
'tenant_id' => (int) $tenant->getKey(),
'severity' => Finding::SEVERITY_CRITICAL,
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
'title' => 'High-privilege Entra admin role detected',
'body' => 'Role "Global Administrator" assigned to Alice Admin.',
'metadata' => ['finding_id' => (int) $finding->getKey()],
];
$dispatchService = app(AlertDispatchService::class);
$workspace = \App\Models\Workspace::query()->find($workspaceId);
// First dispatch — should create a QUEUED delivery
$firstCreated = $dispatchService->dispatchEvent($workspace, $event);
expect($firstCreated)->toBe(1);
// Second dispatch — same fingerprint within cooldown → SUPPRESSED
$secondCreated = $dispatchService->dispatchEvent($workspace, $event);
expect($secondCreated)->toBe(1);
$deliveries = AlertDelivery::query()
->where('workspace_id', $workspaceId)
->where('event_type', AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
->orderBy('id')
->get();
expect($deliveries)->toHaveCount(2)
->and($deliveries[0]->status)->toBe(AlertDelivery::STATUS_QUEUED)
->and($deliveries[1]->status)->toBe(AlertDelivery::STATUS_SUPPRESSED);
});
it('resolved findings are excluded from entraAdminRolesHighEvents', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$workspaceId = (int) session()->get(WorkspaceContext::SESSION_KEY);
// Create a resolved finding — should not appear in events
Finding::factory()->entraAdminRoles()->resolved()->create([
'workspace_id' => $workspaceId,
'tenant_id' => $tenant->getKey(),
'severity' => Finding::SEVERITY_CRITICAL,
]);
$job = new \App\Jobs\Alerts\EvaluateAlertsJob($workspaceId);
$reflection = new ReflectionMethod($job, 'entraAdminRolesHighEvents');
$events = $reflection->invoke(
$job,
$workspaceId,
CarbonImmutable::now('UTC')->subHours(1),
);
expect($events)->toBe([]);
});
it('new event type appears in AlertRuleResource event type options', function (): void {
$options = AlertRuleResource::eventTypeOptions();
expect($options)->toHaveKey(AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH)
->and($options[AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH])->toBe('Entra admin roles (high privilege)');
});
Reference in New Issue View Git Blame Copy Permalink