ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects 1 Releases Wiki Activity
6a15fe978a
TenantAtlas/tests/Feature/EntraAdminRoles/EntraPermissionsRegistryTest.php
ahmido 6a15fe978a feat: Spec 105 — Entra Admin Roles Evidence + Findings (#128) 
## Summary

Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support.

## What's included

### Core Services
- **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication
- **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog
- **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.)
- **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline

### UI
- **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button
- RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger

### Infrastructure
- Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments`
- `config/entra_permissions.php` — Entra permission registry
- `StoredReport.fingerprint` migration (deduplication support)
- `OperationCatalog` label + duration for `entra.admin_roles.scan`
- Artisan command `entra:scan-admin-roles` for CLI/scheduled use

### Global UX improvement
- **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications.

## Test Coverage
- **12 test files**, **79+ tests**, **307+ assertions**
- Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping

## Spec artifacts
- `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete)
- `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked

## Files changed
46 files changed, 3641 insertions(+), 15 deletions(-)

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #128
2026-02-22 02:37:36 +00:00

96 lines
4.0 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Services\Auth\RoleCapabilityMap;
use App\Services\Intune\TenantPermissionService;
use App\Support\Auth\Capabilities;
use App\Support\TenantRole;
it('has ENTRA_ROLES_VIEW and ENTRA_ROLES_MANAGE capability constants', function (): void {
expect(Capabilities::ENTRA_ROLES_VIEW)->toBe('entra_roles.view')
->and(Capabilities::ENTRA_ROLES_MANAGE)->toBe('entra_roles.manage');
});
it('includes ENTRA_ROLES_VIEW in all() capability registry', function (): void {
$all = Capabilities::all();
expect($all)->toContain(Capabilities::ENTRA_ROLES_VIEW)
->and($all)->toContain(Capabilities::ENTRA_ROLES_MANAGE);
});
it('maps ENTRA_ROLES_VIEW to Readonly and Operator roles', function (): void {
expect(RoleCapabilityMap::hasCapability(TenantRole::Readonly, Capabilities::ENTRA_ROLES_VIEW))->toBeTrue()
->and(RoleCapabilityMap::hasCapability(TenantRole::Operator, Capabilities::ENTRA_ROLES_VIEW))->toBeTrue();
});
it('maps ENTRA_ROLES_MANAGE to Manager and Owner roles only', function (): void {
expect(RoleCapabilityMap::hasCapability(TenantRole::Owner, Capabilities::ENTRA_ROLES_MANAGE))->toBeTrue()
->and(RoleCapabilityMap::hasCapability(TenantRole::Manager, Capabilities::ENTRA_ROLES_MANAGE))->toBeTrue()
->and(RoleCapabilityMap::hasCapability(TenantRole::Operator, Capabilities::ENTRA_ROLES_MANAGE))->toBeFalse()
->and(RoleCapabilityMap::hasCapability(TenantRole::Readonly, Capabilities::ENTRA_ROLES_MANAGE))->toBeFalse();
});
it('maps ENTRA_ROLES_VIEW to Manager and Owner roles', function (): void {
expect(RoleCapabilityMap::hasCapability(TenantRole::Owner, Capabilities::ENTRA_ROLES_VIEW))->toBeTrue()
->and(RoleCapabilityMap::hasCapability(TenantRole::Manager, Capabilities::ENTRA_ROLES_VIEW))->toBeTrue();
});
// ---------------------------------------------------------------------------
// T028 — TenantPermissionService merge tests
// ---------------------------------------------------------------------------
it('merged required permissions include both Intune and Entra entries', function (): void {
$service = app(TenantPermissionService::class);
$permissions = $service->getRequiredPermissions();
$keys = array_column($permissions, 'key');
// At least one Intune permission
expect($keys)->toContain('DeviceManagementConfiguration.ReadWrite.All')
// And the Entra permission
->and($keys)->toContain('RoleManagement.Read.Directory');
});
it('RoleManagement.Read.Directory has correct type and features in merged list', function (): void {
$service = app(TenantPermissionService::class);
$permissions = $service->getRequiredPermissions();
$entraPermission = collect($permissions)->firstWhere('key', 'RoleManagement.Read.Directory');
expect($entraPermission)->not->toBeNull()
->and($entraPermission['type'])->toBe('application')
->and($entraPermission['features'])->toContain('entra-admin-roles');
});
it('existing Intune permissions unchanged after Entra merge', function (): void {
$service = app(TenantPermissionService::class);
$merged = $service->getRequiredPermissions();
$intuneOnly = config('intune_permissions.permissions', []);
$intuneKeys = array_column($intuneOnly, 'key');
foreach ($intuneKeys as $key) {
$original = collect($intuneOnly)->firstWhere('key', $key);
$inMerged = collect($merged)->firstWhere('key', $key);
expect($inMerged)->not->toBeNull()
->and($inMerged['key'])->toBe($original['key'])
->and($inMerged['type'])->toBe($original['type']);
}
});
it('empty entra_permissions config returns only Intune entries', function (): void {
config()->set('entra_permissions.permissions', []);
$service = app(TenantPermissionService::class);
$permissions = $service->getRequiredPermissions();
$intuneOnly = config('intune_permissions.permissions', []);
expect($permissions)->toHaveCount(count($intuneOnly));
$keys = array_column($permissions, 'key');
expect($keys)->not->toContain('RoleManagement.Read.Directory');
});
Reference in New Issue View Git Blame Copy Permalink