ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
72d71765db
TenantAtlas/app/Services/Intune/BackupService.php
Ahmed Darrazi 0e42164937 docs(004): Add Graph API permissions documentation 
- Created docs/PERMISSIONS.md with complete permission requirements
- Added logging for 403 errors in ScopeTagResolver
- Updated README with link to permissions documentation

Issue: Scope tags show 'Unknown (ID: 0)' due to missing permission
Required: DeviceManagementRBAC.Read.All with admin consent

User must:
1. Go to Azure Portal → App Registration
2. Add DeviceManagementRBAC.Read.All permission
3. Grant admin consent
4. Wait 5-10 min for propagation
5. Clear cache: php artisan cache:clear
2025-12-22 16:03:21 +01:00

300 lines
9.7 KiB
PHP
Raw Blame History

<?php
namespace App\Services\Intune;
use App\Models\BackupItem;
use App\Models\BackupSet;
use App\Models\Policy;
use App\Models\Tenant;
use App\Services\AssignmentBackupService;
use Carbon\CarbonImmutable;
use Illuminate\Support\Facades\DB;
class BackupService
{
public function __construct(
private readonly AuditLogger $auditLogger,
private readonly VersionService $versionService,
private readonly SnapshotValidator $snapshotValidator,
private readonly PolicySnapshotService $snapshotService,
private readonly AssignmentBackupService $assignmentBackupService,
) {}
/**
* Create a backup set with immutable snapshots for the provided policies.
*
* @param array<int> $policyIds
*/
public function createBackupSet(
Tenant $tenant,
array $policyIds,
?string $actorEmail = null,
?string $actorName = null,
?string $name = null,
bool $includeAssignments = false,
): BackupSet {
$this->assertActiveTenant($tenant);
$policies = Policy::query()
->where('tenant_id', $tenant->id)
->whereIn('id', $policyIds)
->get();
$backupSet = DB::transaction(function () use ($tenant, $policies, $actorEmail, $name, $includeAssignments) {
$backupSet = BackupSet::create([
'tenant_id' => $tenant->id,
'name' => $name ?? CarbonImmutable::now()->format('Y-m-d H:i:s').' backup',
'created_by' => $actorEmail,
'status' => 'running',
'metadata' => [],
]);
$failures = [];
$itemsCreated = 0;
foreach ($policies as $policy) {
[$item, $failure] = $this->snapshotPolicy($tenant, $backupSet, $policy, $actorEmail, $includeAssignments);
if ($failure !== null) {
$failures[] = $failure;
continue;
}
if ($item !== null) {
$itemsCreated++;
}
}
$status = $this->resolveStatus($itemsCreated, $failures);
$backupSet->update([
'status' => $status,
'item_count' => $itemsCreated,
'completed_at' => CarbonImmutable::now(),
'metadata' => ['failures' => $failures],
]);
return $backupSet->refresh();
});
$this->auditLogger->log(
tenant: $tenant,
action: 'backup.created',
context: [
'metadata' => [
'backup_set_id' => $backupSet->id,
'item_count' => $backupSet->item_count,
'status' => $backupSet->status,
],
],
actorEmail: $actorEmail,
actorName: $actorName,
resourceType: 'backup_set',
resourceId: (string) $backupSet->id,
status: $backupSet->status === 'completed' ? 'success' : 'partial'
);
// Log if assignments were included
if ($includeAssignments) {
$items = $backupSet->items;
$assignmentCount = $items->sum(function ($item) {
return $item->metadata['assignment_count'] ?? 0;
});
$this->auditLogger->log(
tenant: $tenant,
action: 'backup.assignments.included',
context: [
'metadata' => [
'backup_set_id' => $backupSet->id,
'policy_count' => $backupSet->item_count,
'assignment_count' => $assignmentCount,
],
],
actorEmail: $actorEmail,
actorName: $actorName,
resourceType: 'backup_set',
resourceId: (string) $backupSet->id,
status: 'success'
);
}
return $backupSet;
}
/**
* Add snapshots for additional policies to an existing backup set.
*
* @param array<int> $policyIds
*/
public function addPoliciesToSet(
Tenant $tenant,
BackupSet $backupSet,
array $policyIds,
?string $actorEmail = null,
?string $actorName = null,
): BackupSet {
$this->assertActiveTenant($tenant);
if ($backupSet->trashed() || $backupSet->tenant_id !== $tenant->id) {
throw new \RuntimeException('Backup set is archived or does not belong to the current tenant.');
}
$existingPolicyIds = $backupSet->items()->withTrashed()->pluck('policy_id')->filter()->all();
// Separate into truly new policies and soft-deleted ones to restore
$softDeletedItems = $backupSet->items()->onlyTrashed()->whereIn('policy_id', $policyIds)->get();
$softDeletedPolicyIds = $softDeletedItems->pluck('policy_id')->all();
// Restore soft-deleted items
foreach ($softDeletedItems as $item) {
$item->restore();
}
// Only create new items for policies that don't exist at all
$policyIds = array_values(array_diff($policyIds, $existingPolicyIds));
if (empty($policyIds) && $softDeletedItems->isEmpty()) {
return $backupSet->refresh();
}
$policies = Policy::query()
->where('tenant_id', $tenant->id)
->whereIn('id', $policyIds)
->get();
$metadata = $backupSet->metadata ?? [];
$failures = $metadata['failures'] ?? [];
$itemsCreated = 0;
foreach ($policies as $policy) {
[$item, $failure] = $this->snapshotPolicy($tenant, $backupSet, $policy, $actorEmail);
if ($failure !== null) {
$failures[] = $failure;
continue;
}
if ($item !== null) {
$itemsCreated++;
}
}
$status = $this->resolveStatus($itemsCreated, $failures);
$backupSet->update([
'status' => $status,
'item_count' => $backupSet->items()->count(),
'completed_at' => CarbonImmutable::now(),
'metadata' => ['failures' => $failures],
]);
$this->auditLogger->log(
tenant: $tenant,
action: 'backup.items_added',
context: [
'metadata' => [
'backup_set_id' => $backupSet->id,
'added_count' => $itemsCreated,
'restored_count' => $softDeletedItems->count(),
'status' => $status,
],
],
actorEmail: $actorEmail,
actorName: $actorName,
resourceType: 'backup_set',
resourceId: (string) $backupSet->id,
status: $status === 'completed' ? 'success' : 'partial'
);
return $backupSet->refresh();
}
private function resolveStatus(int $itemsCreated, array $failures): string
{
return match (true) {
$itemsCreated === 0 && count($failures) > 0 => 'failed',
count($failures) > 0 => 'partial',
default => 'completed',
};
}
/**
* @return array{0:?BackupItem,1:?array{policy_id:int,reason:string,status:int|string|null}}
*/
private function snapshotPolicy(
Tenant $tenant,
BackupSet $backupSet,
Policy $policy,
?string $actorEmail = null,
bool $includeAssignments = false
): array {
$snapshot = $this->snapshotService->fetch($tenant, $policy, $actorEmail);
if (isset($snapshot['failure'])) {
return [null, $snapshot['failure']];
}
$payload = $snapshot['payload'];
$metadata = $snapshot['metadata'] ?? [];
$metadataWarnings = $snapshot['warnings'] ?? [];
$validation = $this->snapshotValidator->validate(is_array($payload) ? $payload : []);
$metadataWarnings = array_merge($metadataWarnings, $validation['warnings']);
$odataWarning = BackupItem::odataTypeWarning(is_array($payload) ? $payload : [], $policy->policy_type, $policy->platform);
if ($odataWarning) {
$metadataWarnings[] = $odataWarning;
}
if (! empty($metadataWarnings)) {
$metadata['warnings'] = array_values(array_unique($metadataWarnings));
}
$backupItem = BackupItem::create([
'tenant_id' => $tenant->id,
'backup_set_id' => $backupSet->id,
'policy_id' => $policy->id,
'policy_identifier' => $policy->external_id,
'policy_type' => $policy->policy_type,
'platform' => $policy->platform,
'payload' => $payload,
'metadata' => $metadata,
]);
$this->versionService->captureVersion(
policy: $policy,
payload: $payload,
createdBy: $actorEmail,
metadata: [
'source' => 'backup',
'backup_set_id' => $backupSet->id,
'backup_item_id' => $backupItem->id,
]
);
// Enrich with assignments and scope tags if requested
if ($policy->policy_type === 'settingsCatalogPolicy') {
$backupItem = $this->assignmentBackupService->enrichWithAssignments(
backupItem: $backupItem,
tenant: $tenant,
policyId: $policy->external_id,
policyPayload: $payload,
includeAssignments: $includeAssignments
);
}
return [$backupItem, null];
}
private function assertActiveTenant(Tenant $tenant): void
{
if (! $tenant->isActive()) {
throw new \RuntimeException('Tenant is archived or inactive.');
}
}
}
Reference in New Issue View Git Blame Copy Permalink