ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
6b381e9517
TenantAtlas/tests/Feature/EntraAdminRoles/ScanEntraAdminRolesJobTest.php
Ahmed Darrazi 6b381e9517 feat: spec 105 — Entra Admin Roles scan, reports, findings, widget + summary UX improvement 
- Entra admin roles scan job (ScanEntraAdminRolesJob)
- Report service with fingerprint deduplication
- Finding generator with high-privilege role catalog
- Admin roles summary widget on tenant view page
- Alert integration for entra.admin_roles findings
- Graph contracts for roleDefinitions + roleAssignments
- Entra permissions registry (config/entra_permissions.php)
- StoredReport fingerprint migration
- OperationCatalog label + duration for entra.admin_roles.scan
- SummaryCountsNormalizer: filter zeros, humanize keys globally
- 11 new test files (71+ tests, 286+ assertions)
- Spec + tasks + checklist updates
2026-02-22 03:35:46 +01:00

289 lines
9.8 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Jobs\ScanEntraAdminRolesJob;
use App\Models\Finding;
use App\Models\OperationRun;
use App\Models\StoredReport;
use App\Services\EntraAdminRoles\EntraAdminRolesFindingGenerator;
use App\Services\EntraAdminRoles\EntraAdminRolesReportService;
use App\Services\EntraAdminRoles\HighPrivilegeRoleCatalog;
use App\Services\Graph\GraphClientInterface;
use App\Services\Graph\GraphResponse;
use App\Services\Providers\MicrosoftGraphOptionsResolver;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
function buildScanReportService(GraphClientInterface $graphClient): EntraAdminRolesReportService
{
return new EntraAdminRolesReportService(
$graphClient,
new HighPrivilegeRoleCatalog,
app(MicrosoftGraphOptionsResolver::class),
);
}
function scanJobRoleDefs(): array
{
return [
[
'id' => 'def-ga',
'displayName' => 'Global Administrator',
'templateId' => '62e90394-69f5-4237-9190-012177145e10',
'isBuiltIn' => true,
],
];
}
function scanJobAssignments(): array
{
return [
[
'id' => 'assign-1',
'roleDefinitionId' => 'def-ga',
'principalId' => 'user-aaa',
'directoryScopeId' => '/',
'principal' => [
'@odata.type' => '#microsoft.graph.user',
'displayName' => 'Alice Admin',
],
],
];
}
function scanJobGraphMock(bool $failDefinitions = false, bool $failAssignments = false): GraphClientInterface
{
return new class(scanJobRoleDefs(), scanJobAssignments(), $failDefinitions, $failAssignments) implements GraphClientInterface
{
public function __construct(
private readonly array $roleDefs,
private readonly array $assignments,
private readonly bool $failDefs,
private readonly bool $failAssigns,
) {}
public function listPolicies(string $policyType, array $options = []): GraphResponse
{
return match ($policyType) {
'entraRoleDefinitions' => new GraphResponse(
success: ! $this->failDefs,
data: $this->failDefs ? [] : $this->roleDefs,
status: $this->failDefs ? 403 : 200,
errors: $this->failDefs ? ['Forbidden'] : [],
),
'entraRoleAssignments' => new GraphResponse(
success: ! $this->failAssigns,
data: $this->failAssigns ? [] : $this->assignments,
status: $this->failAssigns ? 403 : 200,
errors: $this->failAssigns ? ['Forbidden'] : [],
),
default => new GraphResponse(success: false, status: 404),
};
}
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function getOrganization(array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function getServicePrincipalPermissions(array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
public function request(string $method, string $path, array $options = []): GraphResponse
{
return new GraphResponse(success: false, status: 501);
}
};
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
it('successful run creates OperationRun and records success with counts', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$mock = scanJobGraphMock();
$job = new ScanEntraAdminRolesJob(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
$job->handle(
buildScanReportService($mock),
new EntraAdminRolesFindingGenerator(new HighPrivilegeRoleCatalog),
app(\App\Services\OperationRunService::class),
);
$run = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'entra.admin_roles.scan')
->first();
expect($run)->not->toBeNull()
->and($run->status)->toBe(OperationRunStatus::Completed->value)
->and($run->outcome)->toBe(OperationRunOutcome::Succeeded->value)
->and($run->summary_counts)->toBeArray()
->and($run->summary_counts['report_created'])->toBe(1)
->and($run->summary_counts['findings_created'])->toBeGreaterThanOrEqual(1);
// Verify report and findings also exist
$report = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->first();
expect($report)->not->toBeNull();
$findingsCount = Finding::query()
->where('tenant_id', $tenant->getKey())
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($findingsCount)->toBeGreaterThanOrEqual(1);
});
it('skips tenant without active provider connection', function (): void {
[$user, $tenant] = createUserWithTenant(ensureDefaultMicrosoftProviderConnection: false);
// Deliberately NOT creating a provider connection
$job = new ScanEntraAdminRolesJob(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
$job->handle(
buildScanReportService(scanJobGraphMock()),
new EntraAdminRolesFindingGenerator(new HighPrivilegeRoleCatalog),
app(\App\Services\OperationRunService::class),
);
$runCount = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'entra.admin_roles.scan')
->count();
expect($runCount)->toBe(0);
$reportCount = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($reportCount)->toBe(0);
});
it('Graph failure marks OperationRun as failed and re-throws', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$mock = scanJobGraphMock(failDefinitions: true);
$job = new ScanEntraAdminRolesJob(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
$thrown = false;
try {
$job->handle(
buildScanReportService($mock),
new EntraAdminRolesFindingGenerator(new HighPrivilegeRoleCatalog),
app(\App\Services\OperationRunService::class),
);
} catch (RuntimeException) {
$thrown = true;
}
expect($thrown)->toBeTrue();
$run = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'entra.admin_roles.scan')
->first();
expect($run)->not->toBeNull()
->and($run->status)->toBe(OperationRunStatus::Completed->value)
->and($run->outcome)->toBe(OperationRunOutcome::Failed->value)
->and($run->failure_summary)->toBeArray()
->and($run->failure_summary[0]['code'])->toBe('entra.admin_roles.scan.failed');
});
it('finding generator runs even when report is deduped', function (): void {
[$user, $tenant] = createUserWithTenant();
ensureDefaultProviderConnection($tenant);
$mock = scanJobGraphMock();
$reportService = buildScanReportService($mock);
$findingGenerator = new EntraAdminRolesFindingGenerator(new HighPrivilegeRoleCatalog);
$runService = app(\App\Services\OperationRunService::class);
// Run 1: creates report
$job1 = new ScanEntraAdminRolesJob(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
$job1->handle($reportService, $findingGenerator, $runService);
$reportCount = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($reportCount)->toBe(1);
// Mark existing OperationRun as completed so a new one can be created
OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'entra.admin_roles.scan')
->update(['status' => OperationRunStatus::Completed->value]);
// Run 2: report deduped, but findings still processed
$job2 = new ScanEntraAdminRolesJob(
tenantId: (int) $tenant->getKey(),
workspaceId: (int) $tenant->workspace_id,
);
$job2->handle($reportService, $findingGenerator, $runService);
// Still only 1 report (deduped)
$reportCount2 = StoredReport::query()
->where('tenant_id', $tenant->getKey())
->where('report_type', StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES)
->count();
expect($reportCount2)->toBe(1);
// But the run completed successfully with deduped count
$latestRun = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', 'entra.admin_roles.scan')
->where('outcome', OperationRunOutcome::Succeeded->value)
->latest()
->first();
expect($latestRun)->not->toBeNull()
->and($latestRun->summary_counts['report_deduped'])->toBe(1);
});
Reference in New Issue View Git Blame Copy Permalink