ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
7c492ef6df
TenantAtlas/tests/Feature/Evidence/ExceptionValidityEvidenceIntegrationTest.php
Ahmed Darrazi 7c492ef6df feat: implement finding risk acceptance lifecycle
2026-03-20 02:05:50 +01:00

105 lines
4.2 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Models\Finding;
use App\Models\OperationRun;
use App\Models\StoredReport;
use App\Models\User;
use App\Services\Evidence\EvidenceSnapshotService;
use App\Services\Findings\FindingExceptionService;
use App\Services\Findings\FindingRiskGovernanceResolver;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
it('counts only valid governed accepted risk in the findings summary evidence payload', function (): void {
[$requester, $tenant] = createUserWithTenant(role: 'owner');
$approver = User::factory()->create();
createUserWithTenant(tenant: $tenant, user: $approver, role: 'owner', workspaceRole: 'manager');
StoredReport::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_PERMISSION_POSTURE,
]);
StoredReport::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
]);
OperationRun::factory()->forTenant($tenant)->create();
/** @var FindingExceptionService $exceptionService */
$exceptionService = app(FindingExceptionService::class);
$createApprovedException = function (Finding $finding, string $expiresAt) use ($exceptionService, $requester, $tenant, $approver): Finding {
$requested = $exceptionService->request($finding, $tenant, $requester, [
'owner_user_id' => (int) $requester->getKey(),
'request_reason' => 'Temporary exception',
'review_due_at' => now()->addDays(5)->toDateTimeString(),
'expires_at' => now()->addDays(14)->toDateTimeString(),
]);
$exceptionService->approve($requested, $approver, [
'effective_from' => now()->subDays(10)->toDateTimeString(),
'expires_at' => $expiresAt,
'approval_reason' => 'Approved with controls',
]);
return $finding;
};
$validFinding = $createApprovedException(
Finding::factory()->for($tenant)->create(['status' => Finding::STATUS_RISK_ACCEPTED]),
now()->addDays(14)->toDateTimeString(),
);
$expiredFinding = $createApprovedException(
Finding::factory()->for($tenant)->create(['status' => Finding::STATUS_RISK_ACCEPTED]),
now()->subDay()->toDateTimeString(),
);
app(FindingRiskGovernanceResolver::class)->syncExceptionState($expiredFinding->findingException()->firstOrFail());
$revokedFinding = $createApprovedException(
Finding::factory()->for($tenant)->create(['status' => Finding::STATUS_RISK_ACCEPTED]),
now()->addDays(14)->toDateTimeString(),
);
$exceptionService->revoke($revokedFinding->findingException()->firstOrFail(), $requester, [
'revocation_reason' => 'Controls removed',
]);
$missingFinding = Finding::factory()->for($tenant)->create([
'status' => Finding::STATUS_RISK_ACCEPTED,
]);
Finding::factory()->for($tenant)->create([
'status' => Finding::STATUS_REOPENED,
]);
/** @var EvidenceSnapshotService $snapshotService */
$snapshotService = app(EvidenceSnapshotService::class);
$payload = $snapshotService->buildSnapshotPayload($tenant);
$findingsItem = collect($payload['items'])->firstWhere('dimension_key', 'findings_summary');
$summary = $findingsItem['summary_payload']['risk_acceptance'] ?? null;
$entries = collect($findingsItem['summary_payload']['entries'] ?? []);
expect($summary)->toBe([
'status_marked_count' => 4,
'valid_governed_count' => 1,
'warning_count' => 3,
'expired_count' => 1,
'revoked_count' => 1,
'missing_exception_count' => 1,
]);
expect($entries->firstWhere('id', (int) $validFinding->getKey())['governance_state'] ?? null)
->toBe('valid_exception')
->and($entries->firstWhere('id', (int) $expiredFinding->getKey())['governance_state'] ?? null)->toBe('expired_exception')
->and($entries->firstWhere('id', (int) $revokedFinding->getKey())['governance_state'] ?? null)->toBe('revoked_exception')
->and($entries->firstWhere('id', (int) $missingFinding->getKey())['governance_state'] ?? null)->toBe('risk_accepted_without_valid_exception');
});
Reference in New Issue View Git Blame Copy Permalink