ahmido
6a15fe978a
## Summary Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support. ## What's included ### Core Services - **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication - **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog - **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.) - **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline ### UI - **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button - RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger ### Infrastructure - Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments` - `config/entra_permissions.php` — Entra permission registry - `StoredReport.fingerprint` migration (deduplication support) - `OperationCatalog` label + duration for `entra.admin_roles.scan` - Artisan command `entra:scan-admin-roles` for CLI/scheduled use ### Global UX improvement - **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications. ## Test Coverage - **12 test files**, **79+ tests**, **307+ assertions** - Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping ## Spec artifacts - `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete) - `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked ## Files changed 46 files changed, 3641 insertions(+), 15 deletions(-) Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #128
340 lines
12 KiB
PHP
340 lines
12 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Jobs\Alerts;
|
|
|
|
use App\Models\AlertRule;
|
|
use App\Models\Finding;
|
|
use App\Models\OperationRun;
|
|
use App\Models\Workspace;
|
|
use App\Services\Alerts\AlertDispatchService;
|
|
use App\Services\OperationRunService;
|
|
use App\Support\OperationRunOutcome;
|
|
use App\Support\OperationRunStatus;
|
|
use Carbon\CarbonImmutable;
|
|
use Illuminate\Bus\Queueable;
|
|
use Illuminate\Contracts\Queue\ShouldQueue;
|
|
use Illuminate\Foundation\Bus\Dispatchable;
|
|
use Illuminate\Queue\InteractsWithQueue;
|
|
use Illuminate\Queue\SerializesModels;
|
|
use Throwable;
|
|
|
|
class EvaluateAlertsJob implements ShouldQueue
|
|
{
|
|
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
|
|
|
|
public function __construct(
|
|
public int $workspaceId,
|
|
public ?int $operationRunId = null,
|
|
) {}
|
|
|
|
public function handle(AlertDispatchService $dispatchService, OperationRunService $operationRuns): void
|
|
{
|
|
$workspace = Workspace::query()->whereKey($this->workspaceId)->first();
|
|
|
|
if (! $workspace instanceof Workspace) {
|
|
return;
|
|
}
|
|
|
|
$operationRun = $this->resolveOperationRun($workspace, $operationRuns);
|
|
|
|
if (! $operationRun instanceof OperationRun) {
|
|
return;
|
|
}
|
|
|
|
if ($operationRun->status === OperationRunStatus::Completed->value) {
|
|
return;
|
|
}
|
|
|
|
$operationRuns->updateRun(
|
|
$operationRun,
|
|
status: OperationRunStatus::Running->value,
|
|
outcome: OperationRunOutcome::Pending->value,
|
|
);
|
|
|
|
$windowStart = $this->resolveWindowStart($operationRun);
|
|
|
|
try {
|
|
$events = [
|
|
...$this->highDriftEvents((int) $workspace->getKey(), $windowStart),
|
|
...$this->compareFailedEvents((int) $workspace->getKey(), $windowStart),
|
|
...$this->permissionMissingEvents((int) $workspace->getKey(), $windowStart),
|
|
...$this->entraAdminRolesHighEvents((int) $workspace->getKey(), $windowStart),
|
|
];
|
|
|
|
$createdDeliveries = 0;
|
|
|
|
foreach ($events as $event) {
|
|
$createdDeliveries += $dispatchService->dispatchEvent($workspace, $event);
|
|
}
|
|
|
|
$operationRuns->updateRun(
|
|
$operationRun,
|
|
status: OperationRunStatus::Completed->value,
|
|
outcome: OperationRunOutcome::Succeeded->value,
|
|
summaryCounts: [
|
|
'total' => count($events),
|
|
'processed' => count($events),
|
|
'created' => $createdDeliveries,
|
|
],
|
|
);
|
|
} catch (Throwable $exception) {
|
|
$operationRuns->updateRun(
|
|
$operationRun,
|
|
status: OperationRunStatus::Completed->value,
|
|
outcome: OperationRunOutcome::Failed->value,
|
|
failures: [
|
|
[
|
|
'code' => 'alerts.evaluate.failed',
|
|
'message' => $this->sanitizeErrorMessage($exception),
|
|
],
|
|
],
|
|
);
|
|
|
|
throw $exception;
|
|
}
|
|
}
|
|
|
|
private function resolveOperationRun(Workspace $workspace, OperationRunService $operationRuns): ?OperationRun
|
|
{
|
|
if (is_int($this->operationRunId) && $this->operationRunId > 0) {
|
|
$operationRun = OperationRun::query()
|
|
->whereKey($this->operationRunId)
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('type', 'alerts.evaluate')
|
|
->first();
|
|
|
|
if ($operationRun instanceof OperationRun) {
|
|
return $operationRun;
|
|
}
|
|
}
|
|
|
|
$slotKey = CarbonImmutable::now('UTC')->format('YmdHi').'Z';
|
|
|
|
return $operationRuns->ensureWorkspaceRunWithIdentity(
|
|
workspace: $workspace,
|
|
type: 'alerts.evaluate',
|
|
identityInputs: [
|
|
'slot_key' => $slotKey,
|
|
],
|
|
context: [
|
|
'trigger' => 'job',
|
|
'slot_key' => $slotKey,
|
|
],
|
|
initiator: null,
|
|
);
|
|
}
|
|
|
|
private function resolveWindowStart(OperationRun $operationRun): CarbonImmutable
|
|
{
|
|
$previous = OperationRun::query()
|
|
->where('workspace_id', (int) $operationRun->workspace_id)
|
|
->whereNull('tenant_id')
|
|
->where('type', 'alerts.evaluate')
|
|
->where('status', OperationRunStatus::Completed->value)
|
|
->whereNotNull('completed_at')
|
|
->where('id', '<', (int) $operationRun->getKey())
|
|
->orderByDesc('completed_at')
|
|
->orderByDesc('id')
|
|
->first();
|
|
|
|
if ($previous instanceof OperationRun && $previous->completed_at !== null) {
|
|
return CarbonImmutable::instance($previous->completed_at);
|
|
}
|
|
|
|
$lookbackMinutes = max(1, (int) config('tenantpilot.alerts.evaluate_initial_lookback_minutes', 15));
|
|
|
|
return CarbonImmutable::now('UTC')->subMinutes($lookbackMinutes);
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function highDriftEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$findings = Finding::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
|
|
->whereIn('severity', [Finding::SEVERITY_HIGH, Finding::SEVERITY_CRITICAL])
|
|
->where('status', Finding::STATUS_NEW)
|
|
->where('created_at', '>', $windowStart)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
$events = [];
|
|
|
|
foreach ($findings as $finding) {
|
|
$events[] = [
|
|
'event_type' => 'high_drift',
|
|
'tenant_id' => (int) $finding->tenant_id,
|
|
'severity' => (string) $finding->severity,
|
|
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
|
|
'title' => 'High drift finding detected',
|
|
'body' => sprintf(
|
|
'Finding %d was created with severity %s.',
|
|
(int) $finding->getKey(),
|
|
(string) $finding->severity,
|
|
),
|
|
'metadata' => [
|
|
'finding_id' => (int) $finding->getKey(),
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function compareFailedEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$failedRuns = OperationRun::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->whereNotNull('tenant_id')
|
|
->where('type', 'drift_generate_findings')
|
|
->where('status', OperationRunStatus::Completed->value)
|
|
->where('outcome', OperationRunOutcome::Failed->value)
|
|
->where('created_at', '>', $windowStart)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
$events = [];
|
|
|
|
foreach ($failedRuns as $failedRun) {
|
|
$tenantId = (int) ($failedRun->tenant_id ?? 0);
|
|
|
|
if ($tenantId <= 0) {
|
|
continue;
|
|
}
|
|
|
|
$events[] = [
|
|
'event_type' => 'compare_failed',
|
|
'tenant_id' => $tenantId,
|
|
'severity' => 'high',
|
|
'fingerprint_key' => 'operation_run:'.(int) $failedRun->getKey(),
|
|
'title' => 'Drift compare failed',
|
|
'body' => $this->firstFailureMessage($failedRun),
|
|
'metadata' => [
|
|
'operation_run_id' => (int) $failedRun->getKey(),
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
|
|
private function firstFailureMessage(OperationRun $run): string
|
|
{
|
|
$failures = is_array($run->failure_summary) ? $run->failure_summary : [];
|
|
|
|
foreach ($failures as $failure) {
|
|
if (! is_array($failure)) {
|
|
continue;
|
|
}
|
|
|
|
$message = trim((string) ($failure['message'] ?? ''));
|
|
|
|
if ($message !== '') {
|
|
return $message;
|
|
}
|
|
}
|
|
|
|
return 'A drift compare operation run failed.';
|
|
}
|
|
|
|
private function sanitizeErrorMessage(Throwable $exception): string
|
|
{
|
|
$message = trim($exception->getMessage());
|
|
|
|
if ($message === '') {
|
|
return 'Unexpected alert evaluation error.';
|
|
}
|
|
|
|
$message = preg_replace('/https?:\/\/\S+/i', '[redacted-url]', $message) ?? $message;
|
|
|
|
return mb_substr($message, 0, 500);
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function permissionMissingEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$findings = Finding::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
|
|
->where('status', Finding::STATUS_NEW)
|
|
->where('updated_at', '>', $windowStart)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
$events = [];
|
|
|
|
foreach ($findings as $finding) {
|
|
$events[] = [
|
|
'event_type' => AlertRule::EVENT_PERMISSION_MISSING,
|
|
'tenant_id' => (int) $finding->tenant_id,
|
|
'severity' => (string) $finding->severity,
|
|
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
|
|
'title' => 'Missing permission detected',
|
|
'body' => sprintf(
|
|
'Permission "%s" is missing for tenant %d (severity: %s).',
|
|
(string) ($finding->evidence_jsonb['permission_key'] ?? $finding->subject_external_id ?? 'unknown'),
|
|
(int) $finding->tenant_id,
|
|
(string) $finding->severity,
|
|
),
|
|
'metadata' => [
|
|
'finding_id' => (int) $finding->getKey(),
|
|
'permission_key' => (string) ($finding->evidence_jsonb['permission_key'] ?? ''),
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
|
|
/**
|
|
* @return array<int, array<string, mixed>>
|
|
*/
|
|
private function entraAdminRolesHighEvents(int $workspaceId, CarbonImmutable $windowStart): array
|
|
{
|
|
$findings = Finding::query()
|
|
->where('workspace_id', $workspaceId)
|
|
->where('finding_type', Finding::FINDING_TYPE_ENTRA_ADMIN_ROLES)
|
|
->whereIn('severity', [Finding::SEVERITY_HIGH, Finding::SEVERITY_CRITICAL])
|
|
->where('status', Finding::STATUS_NEW)
|
|
->where('updated_at', '>', $windowStart)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
$events = [];
|
|
|
|
foreach ($findings as $finding) {
|
|
$evidence = is_array($finding->evidence_jsonb) ? $finding->evidence_jsonb : [];
|
|
|
|
$events[] = [
|
|
'event_type' => AlertRule::EVENT_ENTRA_ADMIN_ROLES_HIGH,
|
|
'tenant_id' => (int) $finding->tenant_id,
|
|
'severity' => (string) $finding->severity,
|
|
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
|
|
'title' => 'High-privilege Entra admin role detected',
|
|
'body' => sprintf(
|
|
'Role "%s" assigned to %s (severity: %s).',
|
|
(string) ($evidence['role_display_name'] ?? 'unknown'),
|
|
(string) ($evidence['principal_display_name'] ?? $finding->subject_external_id ?? 'unknown'),
|
|
(string) $finding->severity,
|
|
),
|
|
'metadata' => [
|
|
'finding_id' => (int) $finding->getKey(),
|
|
'role_display_name' => (string) ($evidence['role_display_name'] ?? ''),
|
|
'principal_display_name' => (string) ($evidence['principal_display_name'] ?? ''),
|
|
],
|
|
];
|
|
}
|
|
|
|
return $events;
|
|
}
|
|
}
|