ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
7fbfae6303
TenantAtlas/app/Services/Intune/RestoreService.php

2531 lines
89 KiB
PHP
Raw Blame History

<?php
namespace App\Services\Intune;
use App\Models\BackupItem;
use App\Models\BackupSet;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Models\RestoreRun;
use App\Models\Tenant;
use App\Services\AssignmentRestoreService;
use App\Services\Graph\GraphClientInterface;
use App\Services\Graph\GraphContractRegistry;
use App\Services\Graph\GraphErrorMapper;
use App\Services\Graph\GraphLogger;
use Carbon\CarbonImmutable;
use Illuminate\Support\Arr;
use Illuminate\Support\Collection;
use Throwable;
class RestoreService
{
public function __construct(
private readonly GraphClientInterface $graphClient,
private readonly GraphLogger $graphLogger,
private readonly AuditLogger $auditLogger,
private readonly VersionService $versionService,
private readonly SnapshotValidator $snapshotValidator,
private readonly GraphContractRegistry $contracts,
private readonly AssignmentRestoreService $assignmentRestoreService,
private readonly FoundationMappingService $foundationMappingService,
) {}
/**
* Build a preview describing intended restore actions.
*
* @param array<int>|null $selectedItemIds
*/
public function preview(Tenant $tenant, BackupSet $backupSet, ?array $selectedItemIds = null): array
{
$this->assertActiveContext($tenant, $backupSet);
if ($selectedItemIds === []) {
$selectedItemIds = null;
}
$items = $this->loadItems($backupSet, $selectedItemIds);
[$foundationItems, $policyItems] = $this->splitItems($items);
$notificationTemplateIds = $foundationItems
->where('policy_type', 'notificationMessageTemplate')
->pluck('policy_identifier')
->filter()
->values()
->all();
$foundationPreview = $this->foundationMappingService->map($tenant, $foundationItems, false)['entries'] ?? [];
$policyPreview = $policyItems->map(function (BackupItem $item) use ($tenant, $notificationTemplateIds) {
$existing = Policy::query()
->where('tenant_id', $tenant->id)
->where('external_id', $item->policy_identifier)
->where('policy_type', $item->policy_type)
->first();
$restoreMode = $this->resolveRestoreMode($item->policy_type);
$preview = [
'backup_item_id' => $item->id,
'policy_identifier' => $item->policy_identifier,
'policy_type' => $item->policy_type,
'platform' => $item->platform,
'action' => $existing ? 'update' : 'create',
'conflict' => false,
'restore_mode' => $restoreMode,
'validation_warning' => BackupItem::odataTypeWarning(
is_array($item->payload) ? $item->payload : [],
$item->policy_type,
$item->platform
) ?? ($this->snapshotValidator->validate(is_array($item->payload) ? $item->payload : [])['warnings'][0] ?? null),
];
if ($item->policy_type === 'deviceCompliancePolicy') {
$preview = array_merge(
$preview,
$this->previewComplianceNotificationTemplates(
payload: is_array($item->payload) ? $item->payload : [],
availableTemplateIds: $notificationTemplateIds
)
);
}
return $preview;
})->all();
return array_merge($foundationPreview, $policyPreview);
}
/**
* Execute restore or dry-run for selected items.
*
* @param array<int>|null $selectedItemIds
*/
public function executeFromPolicyVersion(
Tenant $tenant,
PolicyVersion $version,
bool $dryRun = true,
?string $actorEmail = null,
?string $actorName = null,
array $groupMapping = [],
): RestoreRun {
if ($version->tenant_id !== $tenant->id) {
throw new \InvalidArgumentException('Policy version does not belong to the provided tenant.');
}
$policy = $version->policy;
if (! $policy) {
throw new \RuntimeException('Policy version has no associated policy.');
}
$backupSet = BackupSet::create([
'tenant_id' => $tenant->id,
'name' => sprintf(
'Policy Version Restore • %s • v%d',
$policy->display_name,
$version->version_number
),
'created_by' => $actorEmail,
'status' => 'completed',
'item_count' => 1,
'completed_at' => CarbonImmutable::now(),
'metadata' => [
'source' => 'policy_version',
'policy_version_id' => $version->id,
'policy_version_number' => $version->version_number,
'policy_id' => $policy->id,
],
]);
$scopeTags = is_array($version->scope_tags) ? $version->scope_tags : [];
$scopeTagIds = $scopeTags['ids'] ?? null;
$scopeTagNames = $scopeTags['names'] ?? null;
$backupItemMetadata = [
'source' => 'policy_version',
'display_name' => $policy->display_name,
'policy_version_id' => $version->id,
'policy_version_number' => $version->version_number,
'version_captured_at' => $version->captured_at?->toIso8601String(),
];
$versionMetadata = is_array($version->metadata) ? $version->metadata : [];
$snapshotSource = $versionMetadata['source'] ?? null;
if (is_string($snapshotSource) && $snapshotSource !== '' && $snapshotSource !== 'policy_version') {
$backupItemMetadata['snapshot_source'] = $snapshotSource;
}
$snapshotWarnings = $versionMetadata['warnings'] ?? null;
if (is_array($snapshotWarnings) && $snapshotWarnings !== []) {
$backupItemMetadata['warnings'] = array_values(array_unique(array_filter($snapshotWarnings, static fn ($value) => is_string($value) && $value !== '')));
}
if (is_array($scopeTagIds) && $scopeTagIds !== []) {
$backupItemMetadata['scope_tag_ids'] = $scopeTagIds;
}
if (is_array($scopeTagNames) && $scopeTagNames !== []) {
$backupItemMetadata['scope_tag_names'] = $scopeTagNames;
}
$backupItem = BackupItem::create([
'tenant_id' => $tenant->id,
'backup_set_id' => $backupSet->id,
'policy_id' => $policy->id,
'policy_version_id' => $version->id,
'policy_identifier' => $policy->external_id,
'policy_type' => $policy->policy_type,
'platform' => $policy->platform,
'captured_at' => $version->captured_at ?? CarbonImmutable::now(),
'payload' => $version->snapshot ?? [],
'metadata' => $backupItemMetadata,
'assignments' => $version->assignments,
]);
return $this->execute(
tenant: $tenant,
backupSet: $backupSet,
selectedItemIds: [$backupItem->id],
dryRun: $dryRun,
actorEmail: $actorEmail,
actorName: $actorName,
groupMapping: $groupMapping,
);
}
public function executeForRun(
RestoreRun $restoreRun,
Tenant $tenant,
BackupSet $backupSet,
?string $actorEmail = null,
?string $actorName = null,
): RestoreRun {
$this->assertActiveContext($tenant, $backupSet);
if ($restoreRun->tenant_id !== $tenant->id) {
throw new \InvalidArgumentException('Restore run does not belong to the provided tenant.');
}
if ($restoreRun->backup_set_id !== $backupSet->id) {
throw new \InvalidArgumentException('Restore run does not belong to the provided backup set.');
}
if (in_array($restoreRun->status, ['completed', 'partial', 'failed', 'cancelled'], true)) {
throw new \RuntimeException('Restore run is already finished.');
}
$selectedItemIds = is_array($restoreRun->requested_items) ? $restoreRun->requested_items : null;
if ($selectedItemIds === []) {
$selectedItemIds = null;
}
return $this->execute(
tenant: $tenant,
backupSet: $backupSet,
selectedItemIds: $selectedItemIds,
dryRun: (bool) $restoreRun->is_dry_run,
actorEmail: $actorEmail,
actorName: $actorName,
groupMapping: $restoreRun->group_mapping ?? [],
existingRun: $restoreRun,
);
}
public function execute(
Tenant $tenant,
BackupSet $backupSet,
?array $selectedItemIds = null,
bool $dryRun = true,
?string $actorEmail = null,
?string $actorName = null,
array $groupMapping = [],
?RestoreRun $existingRun = null,
): RestoreRun {
$this->assertActiveContext($tenant, $backupSet);
if ($selectedItemIds === []) {
$selectedItemIds = null;
}
$tenantIdentifier = $tenant->tenant_id ?? $tenant->external_id;
$items = $this->loadItems($backupSet, $selectedItemIds);
[$foundationItems, $policyItems] = $this->splitItems($items);
$preview = $this->preview($tenant, $backupSet, $selectedItemIds);
$wizardMetadata = [
'scope_mode' => $selectedItemIds === null ? 'all' : 'selected',
'environment' => app()->environment('production') ? 'prod' : 'test',
'highlander_label' => (string) ($tenant->name ?? $tenantIdentifier ?? $tenant->getKey()),
];
if ($existingRun !== null) {
if ($existingRun->tenant_id !== $tenant->id) {
throw new \InvalidArgumentException('Restore run does not belong to the provided tenant.');
}
if ($existingRun->backup_set_id !== $backupSet->id) {
throw new \InvalidArgumentException('Restore run does not belong to the provided backup set.');
}
$metadata = array_merge($wizardMetadata, $existingRun->metadata ?? []);
$existingRun->update([
'requested_by' => $existingRun->requested_by ?? $actorEmail,
'is_dry_run' => $dryRun,
'status' => 'running',
'requested_items' => $selectedItemIds,
'preview' => $preview,
'results' => null,
'failure_reason' => null,
'started_at' => $existingRun->started_at ?? CarbonImmutable::now(),
'completed_at' => null,
'metadata' => $metadata,
'group_mapping' => $groupMapping !== [] ? $groupMapping : ($existingRun->group_mapping ?? null),
]);
$restoreRun = $existingRun->refresh();
} else {
$restoreRun = RestoreRun::create([
'tenant_id' => $tenant->id,
'backup_set_id' => $backupSet->id,
'requested_by' => $actorEmail,
'is_dry_run' => $dryRun,
'status' => 'running',
'requested_items' => $selectedItemIds,
'preview' => $preview,
'started_at' => CarbonImmutable::now(),
'metadata' => $wizardMetadata,
'group_mapping' => $groupMapping !== [] ? $groupMapping : null,
]);
}
if ($groupMapping !== []) {
$this->auditLogger->log(
tenant: $tenant,
action: 'restore.group_mapping.applied',
context: [
'metadata' => [
'restore_run_id' => $restoreRun->id,
'backup_set_id' => $backupSet->id,
'mapped_groups' => count($groupMapping),
],
],
actorEmail: $actorEmail,
actorName: $actorName,
resourceType: 'restore_run',
resourceId: (string) $restoreRun->id,
status: 'success'
);
}
$foundationOutcome = $this->foundationMappingService->map($tenant, $foundationItems, ! $dryRun);
$foundationEntries = $foundationOutcome['entries'] ?? [];
$foundationFailures = (int) ($foundationOutcome['failed'] ?? 0);
$foundationSkipped = (int) ($foundationOutcome['skipped'] ?? 0);
$foundationMappingByType = $this->buildFoundationMappingByType($foundationEntries);
$scopeTagMapping = $foundationMappingByType['roleScopeTag'] ?? [];
$scopeTagNamesById = $this->buildScopeTagNameLookup($foundationEntries);
if (! $dryRun) {
$this->auditFoundationMapping(
tenant: $tenant,
restoreRun: $restoreRun,
entries: $foundationEntries,
actorEmail: $actorEmail,
actorName: $actorName
);
}
$results = $foundationEntries;
$hardFailures = $foundationFailures;
foreach ($policyItems as $item) {
$context = [
'tenant' => $tenantIdentifier,
'policy_type' => $item->policy_type,
'policy_id' => $item->policy_identifier,
'backup_item_id' => $item->id,
];
$restoreMode = $this->resolveRestoreMode($item->policy_type);
if ($restoreMode === 'preview-only') {
$results[] = $context + [
'status' => $dryRun ? 'dry_run' : 'skipped',
'reason' => 'preview_only',
'restore_mode' => $restoreMode,
];
continue;
}
$odataValidation = BackupItem::validateODataType(
is_array($item->payload) ? $item->payload : [],
$item->policy_type,
$item->platform
);
if (! $odataValidation['matches']) {
$results[] = $context + [
'status' => 'failed',
'reason' => BackupItem::odataTypeWarning(
is_array($item->payload) ? $item->payload : [],
$item->policy_type,
$item->platform
) ?? 'Snapshot type mismatch',
'code' => 'odata_mismatch',
];
$hardFailures++;
continue;
}
if ($dryRun) {
$results[] = $context + [
'status' => 'dry_run',
'restore_mode' => $restoreMode,
];
continue;
}
$this->graphLogger->logRequest('apply_policy', $context);
try {
$originalPayload = is_array($item->payload) ? $item->payload : [];
$originalPayload = $this->applyScopeTagMapping($originalPayload, $scopeTagMapping);
$complianceActionSummary = null;
$complianceActionOutcomes = null;
if ($item->policy_type === 'deviceCompliancePolicy') {
[$originalPayload, $complianceActionSummary, $complianceActionOutcomes] = $this->applyComplianceNotificationTemplateMapping(
payload: $originalPayload,
templateMapping: $foundationMappingByType['notificationMessageTemplate'] ?? []
);
}
$mappedScopeTagIds = $this->resolvePayloadArray($originalPayload, ['roleScopeTagIds', 'RoleScopeTagIds']);
// sanitize high-level fields according to contract
$payload = $this->contracts->sanitizeUpdatePayload($item->policy_type, $originalPayload);
$payload = $this->applyScopeTagIdsToPayload($payload, $mappedScopeTagIds, $scopeTagMapping);
$graphOptions = [
'tenant' => $tenantIdentifier,
'client_id' => $tenant->app_client_id,
'client_secret' => $tenant->app_client_secret,
'platform' => $item->platform,
];
$updateMethod = $this->resolveUpdateMethod($item->policy_type);
$settingsApply = null;
$itemStatus = 'applied';
$settings = [];
$resultReason = null;
$createdPolicyId = null;
$createdPolicyMode = null;
$settingsApplyEligible = false;
if ($item->policy_type === 'settingsCatalogPolicy') {
$settings = $this->extractSettingsCatalogSettings($originalPayload);
$policyPayload = $this->stripSettingsFromPayload($payload);
$response = $this->graphClient->applyPolicy(
$item->policy_type,
$item->policy_identifier,
$policyPayload,
$graphOptions + ['method' => $updateMethod]
);
$settingsApplyEligible = $response->successful();
if ($response->failed() && $this->shouldAttemptPolicyCreate($item->policy_type, $response)) {
$createOutcome = $this->createSettingsCatalogPolicy(
originalPayload: $originalPayload,
settings: $settings,
graphOptions: $graphOptions,
context: $context,
fallbackName: $item->resolvedDisplayName(),
);
$response = $createOutcome['response'] ?? $response;
if ($createOutcome['success']) {
$createdPolicyId = $createOutcome['policy_id'];
$createdPolicyMode = $createOutcome['mode'] ?? null;
$mode = $createOutcome['mode'] ?? 'settings';
$itemStatus = $mode === 'settings' ? 'applied' : 'partial';
$resultReason = $mode === 'metadata_only'
? 'Policy missing; created metadata-only policy. Manual settings apply required.'
: 'Policy missing; created new policy with settings.';
if ($settings !== []) {
$settingsApply = $mode === 'metadata_only'
? [
'total' => count($settings),
'applied' => 0,
'failed' => 0,
'manual_required' => count($settings),
'issues' => [],
]
: [
'total' => count($settings),
'applied' => count($settings),
'failed' => 0,
'manual_required' => 0,
'issues' => [],
];
}
$settingsApplyEligible = false;
}
}
if ($settingsApplyEligible && $settings !== []) {
[$settingsApply, $itemStatus] = $this->applySettingsCatalogPolicySettings(
policyId: $item->policy_identifier,
settings: $settings,
graphOptions: $graphOptions,
context: $context,
);
if ($itemStatus === 'manual_required' && $settingsApply !== null
&& $this->shouldAttemptSettingsCatalogCreate($settingsApply)) {
$createOutcome = $this->createSettingsCatalogPolicy(
originalPayload: $originalPayload,
settings: $settings,
graphOptions: $graphOptions,
context: $context,
fallbackName: $item->resolvedDisplayName(),
);
if ($createOutcome['success']) {
$createdPolicyId = $createOutcome['policy_id'];
$createdPolicyMode = $createOutcome['mode'] ?? null;
$mode = $createOutcome['mode'] ?? 'settings';
// When settings are included in CREATE, mark as applied instead of partial
$itemStatus = $mode === 'settings' ? 'applied' : 'partial';
$resultReason = $mode === 'metadata_only'
? 'Settings endpoint unsupported; created metadata-only policy. Manual settings apply required.'
: 'Settings endpoint unsupported; created new policy with settings. Manual cleanup required.';
if ($settingsApply !== null && $createdPolicyId) {
$settingsApply['created_policy_id'] = $createdPolicyId;
$settingsApply['created_policy_mode'] = $mode;
// Update statistics when settings were included in CREATE
if ($mode === 'settings') {
$settingsApply['applied'] = $settingsApply['total'] ?? count($settings);
$settingsApply['manual_required'] = 0;
$settingsApply['issues'] = [];
}
}
} elseif ($settingsApply !== null && $createOutcome['response']) {
$settingsApply['issues'][] = [
'setting_id' => null,
'status' => 'manual_required',
'reason' => 'Fallback policy create failed',
'graph_error_message' => $createOutcome['response']->meta['error_message'] ?? null,
'graph_error_code' => $createOutcome['response']->meta['error_code'] ?? null,
'graph_request_id' => $createOutcome['response']->meta['request_id'] ?? null,
'graph_client_request_id' => $createOutcome['response']->meta['client_request_id'] ?? null,
];
}
}
} elseif ($settingsApplyEligible && $settings !== []) {
$settingsApply = [
'total' => count($settings),
'applied' => 0,
'failed' => count($settings),
'manual_required' => 0,
'issues' => [],
];
}
} else {
if ($item->policy_type === 'appProtectionPolicy') {
$updatePath = $this->resolveAppProtectionPolicyUpdatePath(
policyId: $item->policy_identifier,
odataType: $this->resolvePayloadString($originalPayload, ['@odata.type']),
);
$response = $updatePath
? $this->graphClient->request(
$updateMethod,
$updatePath,
['json' => $payload] + Arr::except($graphOptions, ['platform'])
)
: $this->graphClient->applyPolicy(
$item->policy_type,
$item->policy_identifier,
$payload,
$graphOptions + ['method' => $updateMethod]
);
} elseif ($item->policy_type === 'windowsUpdateRing') {
$odataType = $this->resolvePayloadString($originalPayload, ['@odata.type']);
$castSegment = $odataType && str_starts_with($odataType, '#')
? ltrim($odataType, '#')
: 'microsoft.graph.windowsUpdateForBusinessConfiguration';
$updatePath = sprintf(
'deviceManagement/deviceConfigurations/%s/%s',
urlencode($item->policy_identifier),
$castSegment,
);
$response = $this->graphClient->request(
$updateMethod,
$updatePath,
['json' => $payload] + Arr::except($graphOptions, ['platform'])
);
} else {
$response = $this->graphClient->applyPolicy(
$item->policy_type,
$item->policy_identifier,
$payload,
$graphOptions + ['method' => $updateMethod]
);
}
if ($item->policy_type === 'windowsAutopilotDeploymentProfile' && $response->failed()) {
$createOutcome = $this->createAutopilotDeploymentProfileIfMissing(
originalPayload: $originalPayload,
graphOptions: $graphOptions,
context: $context,
policyId: $item->policy_identifier,
);
if ($createOutcome['attempted']) {
$response = $createOutcome['response'] ?? $response;
if ($createOutcome['success']) {
$createdPolicyId = $createOutcome['policy_id'];
$createdPolicyMode = 'created';
$itemStatus = 'applied';
$resultReason = 'Policy missing; created new Autopilot profile.';
}
}
} elseif ($response->failed() && $this->shouldAttemptPolicyCreate($item->policy_type, $response)) {
$createOutcome = $this->createPolicyFromSnapshot(
policyType: $item->policy_type,
payload: $payload,
originalPayload: $originalPayload,
graphOptions: $graphOptions,
context: $context,
fallbackName: $item->resolvedDisplayName(),
);
if ($createOutcome['attempted']) {
$response = $createOutcome['response'] ?? $response;
if ($createOutcome['success']) {
$createdPolicyId = $createOutcome['policy_id'];
$createdPolicyMode = 'created';
$itemStatus = 'applied';
$resultReason = 'Policy missing; created new policy.';
}
}
}
}
} catch (Throwable $throwable) {
$mapped = GraphErrorMapper::fromThrowable($throwable, $context);
$results[] = $context + [
'status' => 'failed',
'reason' => $mapped->getMessage(),
'code' => $mapped->status,
'graph_error_message' => $mapped->getMessage(),
'graph_error_code' => $mapped->status,
];
$hardFailures++;
continue;
}
$this->graphLogger->logResponse('apply_policy', $response, $context);
if ($response->failed()) {
$results[] = $context + [
'status' => 'failed',
'reason' => 'Graph apply failed',
'code' => $response->status,
'graph_error_message' => $response->meta['error_message'] ?? null,
'graph_error_code' => $response->meta['error_code'] ?? null,
'graph_request_id' => $response->meta['request_id'] ?? null,
'graph_client_request_id' => $response->meta['client_request_id'] ?? null,
];
$hardFailures++;
continue;
}
$assignmentOutcomes = null;
$assignmentSummary = null;
$restoredAssignments = null;
$definitionValueApply = null;
if (
! $dryRun
&& $item->policy_type === 'groupPolicyConfiguration'
&& is_array($originalPayload)
&& is_array($originalPayload['definitionValues'] ?? null)
&& $originalPayload['definitionValues'] !== []
) {
$definitionValueApply = $this->applyGroupPolicyDefinitionValues(
tenant: $tenant,
tenantIdentifier: $tenantIdentifier,
policyId: $createdPolicyId ?? $item->policy_identifier,
definitionValues: $originalPayload['definitionValues'],
graphOptions: $graphOptions,
context: $context,
);
$definitionSummary = $definitionValueApply['summary'] ?? null;
if (is_array($definitionSummary) && ($definitionSummary['failed'] ?? 0) > 0 && $itemStatus === 'applied') {
$itemStatus = 'partial';
$resultReason = 'Administrative Template settings restored with failures';
}
}
if (! $dryRun && is_array($item->assignments) && $item->assignments !== []) {
$assignmentPolicyId = $createdPolicyId ?? $item->policy_identifier;
$assignmentOutcomes = $this->assignmentRestoreService->restore(
tenant: $tenant,
policyType: $item->policy_type,
policyId: $assignmentPolicyId,
assignments: $item->assignments,
groupMapping: $groupMapping,
foundationMapping: $foundationMappingByType,
restoreRun: $restoreRun,
actorEmail: $actorEmail,
actorName: $actorName,
policyOdataType: $this->resolvePayloadString($originalPayload, ['@odata.type']),
);
$assignmentSummary = $assignmentOutcomes['summary'] ?? null;
if (is_array($assignmentSummary) && ($assignmentSummary['failed'] ?? 0) > 0 && $itemStatus === 'applied') {
$itemStatus = 'partial';
$resultReason = 'Assignments restored with failures';
}
}
if (is_array($assignmentOutcomes)) {
$restoredAssignments = collect($assignmentOutcomes['outcomes'] ?? [])
->filter(fn (array $outcome) => ($outcome['status'] ?? null) === 'success')
->pluck('assignment')
->filter()
->values()
->all();
if ($restoredAssignments === []) {
$restoredAssignments = null;
}
}
if (is_array($complianceActionSummary) && ($complianceActionSummary['skipped'] ?? 0) > 0 && $itemStatus === 'applied') {
$itemStatus = 'partial';
$resultReason = 'Compliance notification actions skipped';
}
if ($complianceActionSummary !== null) {
$this->auditComplianceActionMapping(
tenant: $tenant,
restoreRun: $restoreRun,
policyId: $item->policy_identifier,
policyType: $item->policy_type,
summary: $complianceActionSummary,
outcomes: $complianceActionOutcomes ?? [],
actorEmail: $actorEmail,
actorName: $actorName
);
}
$result = $context + [
'status' => $itemStatus,
'restore_mode' => $restoreMode,
];
if ($settingsApply !== null) {
$result['settings_apply'] = $settingsApply;
}
if ($createdPolicyId) {
$result['created_policy_id'] = $createdPolicyId;
}
if ($createdPolicyMode) {
$result['created_policy_mode'] = $createdPolicyMode;
}
if ($resultReason !== null) {
$result['reason'] = $resultReason;
} elseif ($itemStatus !== 'applied') {
$result['reason'] = 'Some settings require attention';
}
if ($assignmentOutcomes !== null) {
$result['assignment_outcomes'] = $assignmentOutcomes['outcomes'] ?? [];
}
if ($assignmentSummary !== null) {
$result['assignment_summary'] = $assignmentSummary;
}
if (is_array($definitionValueApply)) {
$result['definition_value_outcomes'] = $definitionValueApply['outcomes'] ?? [];
$result['definition_value_summary'] = $definitionValueApply['summary'] ?? null;
}
if ($complianceActionSummary !== null) {
$result['compliance_action_summary'] = $complianceActionSummary;
}
if ($complianceActionOutcomes !== null) {
$result['compliance_action_outcomes'] = $complianceActionOutcomes;
}
$results[] = $result;
$appliedPolicyId = $item->policy_identifier;
$policy = Policy::query()
->where('tenant_id', $tenant->id)
->where('external_id', $appliedPolicyId)
->where('policy_type', $item->policy_type)
->first();
if ($policy && $itemStatus === 'applied') {
$scopeTagsForVersion = $this->buildScopeTagsForVersion(
scopeTagIds: $mappedScopeTagIds ?? null,
backupItemMetadata: $item->metadata ?? [],
scopeTagMapping: $scopeTagMapping,
scopeTagNamesById: $scopeTagNamesById,
);
$this->versionService->captureVersion(
policy: $policy,
payload: $item->payload,
createdBy: $actorEmail,
metadata: [
'source' => 'restore',
'restore_run_id' => $restoreRun->id,
'backup_item_id' => $item->id,
],
assignments: $item->assignments,
scopeTags: $scopeTagsForVersion,
);
}
}
$resultStatuses = collect($results)->pluck('status')->all();
$nonApplied = collect($resultStatuses)->filter(fn ($status) => is_string($status) && $status !== 'applied' && $status !== 'dry_run')->count();
$foundationNonApplied = collect($foundationEntries)->filter(function (array $entry): bool {
$decision = $entry['decision'] ?? null;
return in_array($decision, ['failed', 'skipped'], true);
})->count();
$nonApplied += $foundationNonApplied;
$totalCount = count($results);
$allHardFailed = $totalCount > 0 && $hardFailures === $totalCount;
$status = $dryRun
? 'previewed'
: (match (true) {
$allHardFailed => 'failed',
$nonApplied > 0 => 'partial',
default => 'completed',
});
$restoreRun->update([
'status' => $status,
'results' => $results,
'completed_at' => CarbonImmutable::now(),
'metadata' => array_merge($restoreRun->metadata ?? [], [
'failed' => $hardFailures,
'non_applied' => $nonApplied,
'total' => $totalCount,
'foundations_skipped' => $foundationSkipped,
]),
]);
$this->auditLogger->log(
tenant: $tenant,
action: $dryRun ? 'restore.previewed' : 'restore.executed',
context: [
'metadata' => [
'restore_run_id' => $restoreRun->id,
'backup_set_id' => $backupSet->id,
'status' => $status,
'dry_run' => $dryRun,
],
],
actorEmail: $actorEmail,
actorName: $actorName,
resourceType: 'restore_run',
resourceId: (string) $restoreRun->id,
status: $status === 'completed' || $status === 'previewed' ? 'success' : 'partial'
);
return $restoreRun->refresh();
}
/**
* @param Collection<int, BackupItem> $items
* @return array{0: Collection<int, BackupItem>, 1: Collection<int, BackupItem>}
*/
private function splitItems(Collection $items): array
{
$foundationItems = $items->filter(fn (BackupItem $item) => $item->isFoundation())->values();
$policyItems = $items->reject(fn (BackupItem $item) => $item->isFoundation())->values();
return [$foundationItems, $policyItems];
}
/**
* @return array<string, mixed>
*/
private function resolveTypeMeta(string $policyType): array
{
$types = array_merge(
config('tenantpilot.supported_policy_types', []),
config('tenantpilot.foundation_types', [])
);
foreach ($types as $typeConfig) {
if (($typeConfig['type'] ?? null) === $policyType) {
return $typeConfig;
}
}
return [];
}
private function resolveRestoreMode(string $policyType): string
{
$meta = $this->resolveTypeMeta($policyType);
$restore = $meta['restore'] ?? 'enabled';
if (! is_string($restore) || $restore === '') {
return 'enabled';
}
return $restore;
}
private function resolveUpdateMethod(string $policyType): string
{
$contract = $this->contracts->get($policyType);
$method = strtoupper((string) ($contract['update_method'] ?? 'PATCH'));
return $method !== '' ? $method : 'PATCH';
}
private function resolveCreateMethod(string $policyType): ?string
{
$contract = $this->contracts->get($policyType);
$method = strtoupper((string) ($contract['create_method'] ?? 'POST'));
return $method !== '' ? $method : null;
}
private function shouldAttemptPolicyCreate(string $policyType, object $response): bool
{
if (! $this->isNotFoundResponse($response)) {
return false;
}
$resource = $this->contracts->resourcePath($policyType);
$method = $this->resolveCreateMethod($policyType);
return is_string($resource) && $resource !== '' && $method !== null;
}
private function isNotFoundResponse(object $response): bool
{
if (($response->status ?? null) === 404) {
return true;
}
$code = strtolower((string) ($response->meta['error_code'] ?? ''));
$message = strtolower((string) ($response->meta['error_message'] ?? ''));
if ($code !== '' && (str_contains($code, 'notfound') || str_contains($code, 'resource'))) {
return true;
}
return $message !== '' && (str_contains($message, 'not found')
|| str_contains($message, 'resource not found')
|| str_contains($message, 'does not exist'));
}
/**
* @param array<int, array<string, mixed>> $entries
* @return array<string, array<string, string>>
*/
private function buildFoundationMappingByType(array $entries): array
{
$mapping = [];
foreach ($entries as $entry) {
if (! is_array($entry)) {
continue;
}
$type = $entry['type'] ?? null;
$sourceId = $entry['sourceId'] ?? null;
$targetId = $entry['targetId'] ?? null;
if (! is_string($type) || $type === '') {
continue;
}
if (! is_string($sourceId) || $sourceId === '') {
continue;
}
if (! is_string($targetId) || $targetId === '') {
continue;
}
$mapping[$type][$sourceId] = $targetId;
}
return $mapping;
}
/**
* @param array<string, mixed> $payload
* @param array<string, string> $scopeTagMapping
* @return array<string, mixed>
*/
private function applyScopeTagMapping(array $payload, array $scopeTagMapping): array
{
if ($scopeTagMapping === []) {
return $payload;
}
$roleScopeTagIds = $this->resolvePayloadArray($payload, ['roleScopeTagIds', 'RoleScopeTagIds']);
if ($roleScopeTagIds === null) {
return $payload;
}
$mapped = [];
foreach ($roleScopeTagIds as $id) {
if (is_string($id) || is_int($id)) {
$stringId = (string) $id;
$mapped[] = $scopeTagMapping[$stringId] ?? $stringId;
}
}
if ($mapped === []) {
return $payload;
}
$payload['roleScopeTagIds'] = array_values(array_unique($mapped));
unset($payload['RoleScopeTagIds']);
return $payload;
}
/**
* @param array<string, mixed> $payload
* @param array<int, mixed>|null $scopeTagIds
* @param array<string, string> $scopeTagMapping
* @return array<string, mixed>
*/
private function applyScopeTagIdsToPayload(array $payload, ?array $scopeTagIds, array $scopeTagMapping): array
{
if ($scopeTagIds === null) {
return $payload;
}
$mapped = [];
foreach ($scopeTagIds as $id) {
if (! is_string($id) && ! is_int($id)) {
continue;
}
$stringId = (string) $id;
if ($stringId === '') {
continue;
}
$mapped[] = $scopeTagMapping[$stringId] ?? $stringId;
}
if ($mapped === []) {
return $payload;
}
$payload['roleScopeTagIds'] = array_values(array_unique($mapped));
unset($payload['RoleScopeTagIds']);
return $payload;
}
/**
* @param array<string, mixed> $payload
* @param array<int, string> $availableTemplateIds
* @return array<string, mixed>
*/
private function previewComplianceNotificationTemplates(array $payload, array $availableTemplateIds): array
{
$templateIds = $this->collectComplianceNotificationTemplateIds($payload);
if ($templateIds === []) {
return [];
}
$available = array_values(array_unique($availableTemplateIds));
$missing = array_values(array_diff($templateIds, $available));
$summary = [
'total' => count($templateIds),
'missing' => count($missing),
];
$warning = null;
if ($missing !== []) {
$warning = sprintf('Missing %d notification template(s); notification actions may be skipped.', count($missing));
}
return array_filter([
'compliance_action_summary' => $summary,
'compliance_action_warning' => $warning,
'compliance_action_missing_templates' => $missing !== [] ? $missing : null,
], static fn ($value) => $value !== null);
}
/**
* @param array<string, mixed> $payload
* @param array<string, string> $templateMapping
* @return array{0: array<string, mixed>, 1: ?array{total:int,mapped:int,skipped:int}, 2: ?array<int, array<string, mixed>>}
*/
private function applyComplianceNotificationTemplateMapping(array $payload, array $templateMapping): array
{
$scheduled = $payload['scheduledActionsForRule'] ?? null;
if (! is_array($scheduled)) {
return [$payload, null, null];
}
$rules = [];
$total = 0;
$mapped = 0;
$skipped = 0;
$outcomes = [];
foreach ($scheduled as $rule) {
if (! is_array($rule)) {
continue;
}
$configs = $rule['scheduledActionConfigurations'] ?? null;
if (! is_array($configs)) {
$rules[] = $rule;
continue;
}
$ruleName = $rule['ruleName'] ?? null;
$updatedConfigs = [];
foreach ($configs as $config) {
if (! is_array($config)) {
$updatedConfigs[] = $config;
continue;
}
$actionType = $config['actionType'] ?? null;
$templateKey = $this->resolveNotificationTemplateKey($config);
if ($actionType !== 'notification' || $templateKey === null) {
$updatedConfigs[] = $config;
continue;
}
$templateId = $config[$templateKey] ?? null;
if (! is_string($templateId) || $templateId === '' || $this->isEmptyGuid($templateId)) {
$updatedConfigs[] = $config;
continue;
}
$total++;
if ($templateMapping === []) {
$outcomes[] = [
'status' => 'skipped',
'template_id' => $templateId,
'rule_name' => $ruleName,
'reason' => 'Notification template mapping unavailable.',
];
$skipped++;
continue;
}
$mappedTemplateId = $templateMapping[$templateId] ?? null;
if (! is_string($mappedTemplateId) || $mappedTemplateId === '') {
$outcomes[] = [
'status' => 'skipped',
'template_id' => $templateId,
'rule_name' => $ruleName,
'reason' => 'Notification template mapping missing for template ID.',
];
$skipped++;
continue;
}
$config[$templateKey] = $mappedTemplateId;
$updatedConfigs[] = $config;
$mapped++;
$outcomes[] = [
'status' => 'mapped',
'template_id' => $templateId,
'mapped_template_id' => $mappedTemplateId,
'rule_name' => $ruleName,
];
}
if ($updatedConfigs === []) {
continue;
}
$rule['scheduledActionConfigurations'] = array_values($updatedConfigs);
$rules[] = $rule;
}
if ($rules !== []) {
$payload['scheduledActionsForRule'] = array_values($rules);
} else {
unset($payload['scheduledActionsForRule']);
}
if ($total === 0) {
return [$payload, null, null];
}
return [$payload, ['total' => $total, 'mapped' => $mapped, 'skipped' => $skipped], $outcomes];
}
/**
* @param array<string, mixed> $payload
* @return array<int, string>
*/
private function collectComplianceNotificationTemplateIds(array $payload): array
{
$scheduled = $payload['scheduledActionsForRule'] ?? null;
if (! is_array($scheduled)) {
return [];
}
$ids = [];
foreach ($scheduled as $rule) {
if (! is_array($rule)) {
continue;
}
$configs = $rule['scheduledActionConfigurations'] ?? null;
if (! is_array($configs)) {
continue;
}
foreach ($configs as $config) {
if (! is_array($config)) {
continue;
}
if (($config['actionType'] ?? null) !== 'notification') {
continue;
}
$templateKey = $this->resolveNotificationTemplateKey($config);
if ($templateKey === null) {
continue;
}
$templateId = $config[$templateKey] ?? null;
if (! is_string($templateId) || $templateId === '' || $this->isEmptyGuid($templateId)) {
continue;
}
$ids[] = $templateId;
}
}
return array_values(array_unique($ids));
}
private function resolveNotificationTemplateKey(array $config): ?string
{
if (array_key_exists('notificationTemplateId', $config)) {
return 'notificationTemplateId';
}
if (array_key_exists('notificationMessageTemplateId', $config)) {
return 'notificationMessageTemplateId';
}
return null;
}
private function isEmptyGuid(string $value): bool
{
return strtolower($value) === '00000000-0000-0000-0000-000000000000';
}
/**
* @param array<int, array<string, mixed>> $entries
*/
private function auditFoundationMapping(
Tenant $tenant,
RestoreRun $restoreRun,
array $entries,
?string $actorEmail,
?string $actorName
): void {
foreach ($entries as $entry) {
if (! is_array($entry)) {
continue;
}
$decision = $entry['decision'] ?? 'mapped_existing';
$action = match ($decision) {
'created_copy' => 'restore.foundation.created_copy',
'created' => 'restore.foundation.created',
'failed' => 'restore.foundation.failed',
'skipped' => 'restore.foundation.skipped',
default => 'restore.foundation.mapped',
};
$status = match ($decision) {
'failed' => 'failed',
'skipped' => 'warning',
default => 'success',
};
$this->auditLogger->log(
tenant: $tenant,
action: $action,
context: [
'metadata' => [
'restore_run_id' => $restoreRun->id,
'type' => $entry['type'] ?? null,
'source_id' => $entry['sourceId'] ?? null,
'source_name' => $entry['sourceName'] ?? null,
'target_id' => $entry['targetId'] ?? null,
'target_name' => $entry['targetName'] ?? null,
'decision' => $decision,
'reason' => $entry['reason'] ?? null,
],
],
actorEmail: $actorEmail,
actorName: $actorName,
resourceType: 'restore_run',
resourceId: (string) $restoreRun->id,
status: $status
);
}
}
/**
* @param array{total:int,mapped:int,skipped:int} $summary
* @param array<int, array<string, mixed>> $outcomes
*/
private function auditComplianceActionMapping(
Tenant $tenant,
RestoreRun $restoreRun,
string $policyId,
string $policyType,
array $summary,
array $outcomes,
?string $actorEmail,
?string $actorName
): void {
$skipped = (int) ($summary['skipped'] ?? 0);
$status = $skipped > 0 ? 'warning' : 'success';
$skippedTemplates = collect($outcomes)
->filter(fn (array $outcome) => ($outcome['status'] ?? null) === 'skipped')
->pluck('template_id')
->filter()
->values()
->all();
$this->auditLogger->log(
tenant: $tenant,
action: 'restore.compliance.actions.mapped',
context: [
'metadata' => [
'restore_run_id' => $restoreRun->id,
'policy_id' => $policyId,
'policy_type' => $policyType,
'total' => (int) ($summary['total'] ?? 0),
'mapped' => (int) ($summary['mapped'] ?? 0),
'skipped' => $skipped,
'skipped_template_ids' => $skippedTemplates,
],
],
actorEmail: $actorEmail,
actorName: $actorName,
resourceType: 'restore_run',
resourceId: (string) $restoreRun->id,
status: $status
);
}
/**
* @param array<int>|null $selectedItemIds
*/
private function loadItems(BackupSet $backupSet, ?array $selectedItemIds = null): Collection
{
$query = $backupSet->items()->getQuery();
if ($selectedItemIds !== null) {
$query->whereIn('id', $selectedItemIds);
}
return $query->orderBy('id')->get();
}
/**
* Strip read-only/metadata fields before sending payload back to Graph.
*/
private function sanitizePayload(array $payload): array
{
$readOnlyKeys = [
'@odata.context',
'id',
'createdDateTime',
'lastModifiedDateTime',
'version',
'supportsScopeTags',
'roleScopeTagIds',
];
$clean = [];
foreach ($payload as $key => $value) {
// Drop read-only/meta keys except @odata.type which we keep for type hinting
if (in_array($key, $readOnlyKeys, true)) {
continue;
}
// Keep @odata.type for Graph type resolution
if ($key === '@odata.type') {
$clean[$key] = $value;
continue;
}
if (is_array($value)) {
$clean[$key] = $this->sanitizePayload($value);
continue;
}
$clean[$key] = $value;
}
return $clean;
}
/**
* @return array<int, mixed>
*/
private function extractSettingsCatalogSettings(array $payload): array
{
foreach ($payload as $key => $value) {
if (strtolower((string) $key) !== 'settings') {
continue;
}
return is_array($value) ? $value : [];
}
return [];
}
private function stripSettingsFromPayload(array $payload): array
{
foreach (array_keys($payload) as $key) {
if (strtolower((string) $key) === 'settings') {
unset($payload[$key]);
}
}
return $payload;
}
private function resolveSettingsCatalogSettingId(array $setting): ?string
{
foreach ($setting as $key => $value) {
if (strtolower((string) $key) !== 'id') {
continue;
}
if (is_string($value) || is_int($value)) {
return (string) $value;
}
return null;
}
return null;
}
/**
* @param array<int, mixed> $settings
* @param array<string, mixed> $graphOptions
* @param array<string, mixed> $context
* @return array{0: array{total:int,applied:int,failed:int,manual_required:int,issues:array<int,array<string,mixed>>}, 1: string}
*/
private function applySettingsCatalogPolicySettings(
string $policyId,
array $settings,
array $graphOptions,
array $context,
): array {
$method = $this->contracts->settingsWriteMethod('settingsCatalogPolicy');
$path = $this->contracts->settingsWritePath('settingsCatalogPolicy', $policyId);
$bodyShape = strtolower($this->contracts->settingsWriteBodyShape('settingsCatalogPolicy'));
$fallbackShape = $this->contracts->settingsWriteFallbackBodyShape('settingsCatalogPolicy');
$buildIssues = function (string $reason) use ($settings): array {
$issues = [];
foreach ($settings as $setting) {
if (! is_array($setting)) {
continue;
}
$issues[] = [
'setting_id' => $this->resolveSettingsCatalogSettingId($setting),
'status' => 'manual_required',
'reason' => $reason,
];
}
return $issues;
};
if (! $method || ! $path) {
return [
[
'total' => count($settings),
'applied' => 0,
'failed' => 0,
'manual_required' => count($settings),
'issues' => $buildIssues('Settings write contract is not configured (cannot apply automatically).'),
],
'manual_required',
];
}
$sanitized = $this->contracts->sanitizeSettingsApplyPayload('settingsCatalogPolicy', $settings);
if (! is_array($sanitized) || $sanitized === []) {
return [
[
'total' => count($settings),
'applied' => 0,
'failed' => 0,
'manual_required' => count($settings),
'issues' => $buildIssues('Settings payload could not be sanitized (empty payload).'),
],
'manual_required',
];
}
$buildPayload = function (string $shape) use ($sanitized): array {
return match ($shape) {
'wrapped' => ['settings' => $sanitized],
default => $sanitized,
};
};
$payload = $buildPayload($bodyShape);
$this->graphLogger->logRequest('apply_settings_bulk', $context + [
'endpoint' => $path,
'method' => $method,
'settings_count' => count($sanitized),
'body_shape' => $bodyShape,
]);
$response = $this->graphClient->request($method, $path, ['json' => $payload] + Arr::except($graphOptions, ['platform']));
$this->graphLogger->logResponse('apply_settings_bulk', $response, $context + [
'endpoint' => $path,
'method' => $method,
'settings_count' => count($sanitized),
'body_shape' => $bodyShape,
]);
if ($response->failed() && is_string($fallbackShape) && strtolower($fallbackShape) !== $bodyShape) {
$fallbackShape = strtolower($fallbackShape);
if ($this->shouldRetrySettingsBulkApply($response->meta['error_message'] ?? null)) {
$fallbackPayload = $buildPayload($fallbackShape);
$this->graphLogger->logRequest('apply_settings_bulk_retry', $context + [
'endpoint' => $path,
'method' => $method,
'settings_count' => count($sanitized),
'body_shape' => $fallbackShape,
]);
$response = $this->graphClient->request($method, $path, ['json' => $fallbackPayload] + Arr::except($graphOptions, ['platform']));
$this->graphLogger->logResponse('apply_settings_bulk_retry', $response, $context + [
'endpoint' => $path,
'method' => $method,
'settings_count' => count($sanitized),
'body_shape' => $fallbackShape,
]);
}
}
if ($response->successful()) {
return [
[
'total' => count($settings),
'applied' => count($settings),
'failed' => 0,
'manual_required' => 0,
'issues' => [],
],
'applied',
];
}
return [
[
'total' => count($settings),
'applied' => 0,
'failed' => 0,
'manual_required' => count($settings),
'issues' => [[
'setting_id' => null,
'status' => 'manual_required',
'reason' => 'Graph bulk apply failed',
'http_status' => $response->status,
'graph_error_message' => $response->meta['error_message'] ?? null,
'graph_error_code' => $response->meta['error_code'] ?? null,
'graph_request_id' => $response->meta['request_id'] ?? null,
'graph_client_request_id' => $response->meta['client_request_id'] ?? null,
]],
],
'manual_required',
];
}
private function shouldRetrySettingsBulkApply(?string $errorMessage): bool
{
if (! is_string($errorMessage) || $errorMessage === '') {
return false;
}
$message = strtolower($errorMessage);
return str_contains($message, 'empty payload')
|| str_contains($message, 'json content expected')
|| str_contains($message, 'request body');
}
private function shouldAttemptSettingsCatalogCreate(array $settingsApply): bool
{
$issues = $settingsApply['issues'] ?? [];
foreach ($issues as $issue) {
$message = strtolower((string) ($issue['graph_error_message'] ?? $issue['reason'] ?? ''));
if ($message === '') {
continue;
}
if (str_contains($message, 'no odata route exists') || str_contains($message, 'no method match route template')) {
return true;
}
}
return false;
}
/**
* @return array{success:bool,policy_id:?string,response:?object,mode:string}
*/
private function createSettingsCatalogPolicy(
array $originalPayload,
array $settings,
array $graphOptions,
array $context,
string $fallbackName,
): array {
$resource = $this->contracts->resourcePath('settingsCatalogPolicy') ?? 'deviceManagement/configurationPolicies';
$sanitizedSettings = $this->contracts->sanitizeSettingsApplyPayload('settingsCatalogPolicy', $settings);
if ($sanitizedSettings === []) {
return [
'success' => false,
'policy_id' => null,
'response' => null,
'mode' => 'failed',
];
}
$payload = $this->buildSettingsCatalogCreatePayload($originalPayload, $sanitizedSettings, $fallbackName, true);
$this->graphLogger->logRequest('create_settings_catalog_policy', $context + [
'endpoint' => $resource,
'method' => 'POST',
'settings_count' => count($sanitizedSettings),
]);
$response = $this->graphClient->request('POST', $resource, ['json' => $payload] + Arr::except($graphOptions, ['platform']));
$this->graphLogger->logResponse('create_settings_catalog_policy', $response, $context + [
'endpoint' => $resource,
'method' => 'POST',
'settings_count' => count($sanitizedSettings),
]);
$policyId = $this->extractCreatedPolicyId($response);
$mode = 'settings';
if ($response->failed() && $this->shouldRetrySettingsCatalogCreateWithoutSettings($response)) {
$fallbackPayload = $this->buildSettingsCatalogCreatePayload($originalPayload, $sanitizedSettings, $fallbackName, false);
$this->graphLogger->logRequest('create_settings_catalog_policy_fallback', $context + [
'endpoint' => $resource,
'method' => 'POST',
]);
$response = $this->graphClient->request('POST', $resource, ['json' => $fallbackPayload] + Arr::except($graphOptions, ['platform']));
$this->graphLogger->logResponse('create_settings_catalog_policy_fallback', $response, $context + [
'endpoint' => $resource,
'method' => 'POST',
]);
$policyId = $this->extractCreatedPolicyId($response);
$mode = 'metadata_only';
}
return [
'success' => $response->successful(),
'policy_id' => $policyId,
'response' => $response,
'mode' => $mode,
];
}
/**
* @return array{attempted:bool,success:bool,policy_id:?string,response:?object}
*/
private function createPolicyFromSnapshot(
string $policyType,
array $payload,
array $originalPayload,
array $graphOptions,
array $context,
string $fallbackName,
): array {
$resource = $this->contracts->resourcePath($policyType);
$method = $this->resolveCreateMethod($policyType);
if ($policyType === 'appProtectionPolicy') {
$odataType = $this->resolvePayloadString($originalPayload, ['@odata.type']);
$derivedResource = $this->resolveAppProtectionPolicyResource($odataType);
if ($derivedResource !== null) {
$resource = $derivedResource;
}
}
if (! is_string($resource) || $resource === '' || $method === null) {
return [
'attempted' => false,
'success' => false,
'policy_id' => null,
'response' => null,
];
}
$createPayload = Arr::except($payload, ['assignments']);
$createPayload = $this->applyOdataTypeForCreate($policyType, $createPayload, $originalPayload);
$createPayload = $this->applyRestoredNameToPayload($createPayload, $originalPayload, $fallbackName);
if ($createPayload === []) {
return [
'attempted' => true,
'success' => false,
'policy_id' => null,
'response' => null,
];
}
$this->graphLogger->logRequest('create_policy', $context + [
'endpoint' => $resource,
'method' => $method,
'policy_type' => $policyType,
]);
$response = $this->graphClient->request(
$method,
$resource,
['json' => $createPayload] + Arr::except($graphOptions, ['platform'])
);
$this->graphLogger->logResponse('create_policy', $response, $context + [
'endpoint' => $resource,
'method' => $method,
'policy_type' => $policyType,
]);
$policyId = $this->extractCreatedPolicyId($response);
return [
'attempted' => true,
'success' => $response->successful(),
'policy_id' => $policyId,
'response' => $response,
];
}
/**
* @return array{attempted:bool,success:bool,policy_id:?string,response:?object}
*/
private function createAutopilotDeploymentProfileIfMissing(
array $originalPayload,
array $graphOptions,
array $context,
string $policyId,
): array {
if (! $this->shouldAttemptAutopilotCreate($policyId, $graphOptions)) {
return [
'attempted' => false,
'success' => false,
'policy_id' => null,
'response' => null,
];
}
$resource = $this->contracts->resourcePath('windowsAutopilotDeploymentProfile')
?? 'deviceManagement/windowsAutopilotDeploymentProfiles';
$payload = $this->contracts->sanitizeUpdatePayload('windowsAutopilotDeploymentProfile', $originalPayload);
$payload['displayName'] = $this->prefixRestoredName(
$this->resolvePayloadString($payload, ['displayName', 'name']),
$policyId
);
unset($payload['name']);
if ($payload === []) {
return [
'attempted' => true,
'success' => false,
'policy_id' => null,
'response' => null,
];
}
$this->graphLogger->logRequest('create_autopilot_profile', $context + [
'endpoint' => $resource,
'method' => 'POST',
]);
$response = $this->graphClient->request(
'POST',
$resource,
['json' => $payload] + Arr::except($graphOptions, ['platform'])
);
$this->graphLogger->logResponse('create_autopilot_profile', $response, $context + [
'endpoint' => $resource,
'method' => 'POST',
]);
$policyId = $this->extractCreatedPolicyId($response);
return [
'attempted' => true,
'success' => $response->successful(),
'policy_id' => $policyId,
'response' => $response,
];
}
private function shouldAttemptAutopilotCreate(string $policyId, array $graphOptions): bool
{
$response = $this->graphClient->getPolicy(
'windowsAutopilotDeploymentProfile',
$policyId,
$graphOptions
);
if ($response->successful()) {
return false;
}
if ($response->status === 404) {
return true;
}
$code = strtolower((string) ($response->meta['error_code'] ?? ''));
$message = strtolower((string) ($response->meta['error_message'] ?? ''));
if (str_contains($code, 'notfound') || str_contains($code, 'resource')) {
return true;
}
return str_contains($message, 'not found')
|| str_contains($message, 'resource not found')
|| str_contains($message, 'does not exist');
}
private function shouldRetrySettingsCatalogCreateWithoutSettings(object $response): bool
{
$code = strtolower((string) ($response->meta['error_code'] ?? ''));
$message = strtolower((string) ($response->meta['error_message'] ?? ''));
if ($code === 'notsupported' || str_contains($code, 'notsupported')) {
return true;
}
return str_contains($message, 'not supported');
}
private function extractCreatedPolicyId(object $response): ?string
{
if ($response->successful() && isset($response->data['id']) && is_string($response->data['id'])) {
return $response->data['id'];
}
return null;
}
/**
* @param array<int, mixed> $settings
* @return array<string, mixed>
*/
private function buildSettingsCatalogCreatePayload(
array $originalPayload,
array $settings,
string $fallbackName,
bool $includeSettings,
): array {
$payload = [];
$name = $this->resolvePayloadString($originalPayload, ['name', 'displayName']);
$payload['name'] = $this->prefixRestoredName($name, $fallbackName);
$description = $this->resolvePayloadString($originalPayload, ['description', 'Description']);
if ($description !== null) {
$payload['description'] = $description;
}
// Platforms and technologies must be singular strings for CREATE (not arrays)
// Graph API inconsistency: GET returns arrays, but POST expects strings
$platforms = $this->resolvePayloadArray($originalPayload, ['platforms', 'Platforms']);
if ($platforms !== null && $platforms !== []) {
$payload['platforms'] = is_array($platforms) ? $platforms[0] : $platforms;
} elseif ($platforms === null) {
// Fallback: extract from policy_type or default to windows10
$payload['platforms'] = 'windows10';
}
$technologies = $this->resolvePayloadArray($originalPayload, ['technologies', 'Technologies']);
if ($technologies !== null && $technologies !== []) {
$payload['technologies'] = is_array($technologies) ? $technologies[0] : $technologies;
} elseif ($technologies === null) {
// Default to mdm if not present
$payload['technologies'] = 'mdm';
}
$roleScopeTagIds = $this->resolvePayloadArray($originalPayload, ['roleScopeTagIds', 'RoleScopeTagIds']);
if ($roleScopeTagIds !== null) {
$payload['roleScopeTagIds'] = array_values($roleScopeTagIds);
}
$templateReference = $this->resolvePayloadArray($originalPayload, ['templateReference', 'TemplateReference']);
if ($templateReference !== null) {
$payload['templateReference'] = $this->stripOdataAndReadOnly($templateReference);
}
if ($includeSettings && $settings !== []) {
$payload['settings'] = $settings;
}
return $payload;
}
private function prefixRestoredName(?string $name, string $fallback): string
{
$prefix = 'Restored_';
$base = trim((string) ($name ?? $fallback));
if ($base === '') {
$base = $fallback;
}
$normalized = strtolower($base);
if (str_starts_with($normalized, 'restored_') || str_starts_with($normalized, 'restored ')) {
return $base;
}
return $prefix.$base;
}
/**
* @param array<string, mixed> $payload
* @param array<string, mixed> $originalPayload
* @return array<string, mixed>
*/
private function applyRestoredNameToPayload(array $payload, array $originalPayload, string $fallbackName): array
{
$displayName = $this->resolvePayloadString($payload, ['displayName']);
$name = $this->resolvePayloadString($payload, ['name']);
$originalDisplayName = $this->resolvePayloadString($originalPayload, ['displayName']);
$originalName = $this->resolvePayloadString($originalPayload, ['name']);
$baseName = $displayName ?? $originalDisplayName ?? $name ?? $originalName ?? $fallbackName;
$restoredName = $this->prefixRestoredName($baseName, $fallbackName);
if (array_key_exists('displayName', $payload) || $originalDisplayName !== null || $displayName !== null) {
$payload['displayName'] = $restoredName;
return $payload;
}
if (array_key_exists('name', $payload) || $originalName !== null || $name !== null) {
$payload['name'] = $restoredName;
return $payload;
}
$payload['displayName'] = $restoredName;
return $payload;
}
/**
* @param array<string, mixed> $payload
* @param array<string, mixed> $originalPayload
* @return array<string, mixed>
*/
private function applyOdataTypeForCreate(string $policyType, array $payload, array $originalPayload): array
{
if (array_key_exists('@odata.type', $payload)) {
return $payload;
}
$odataType = $this->resolvePayloadString($originalPayload, ['@odata.type']);
if ($odataType === null) {
return $payload;
}
if (! $this->contracts->matchesTypeFamily($policyType, $odataType)) {
return $payload;
}
$payload['@odata.type'] = $odataType;
return $payload;
}
private function resolveAppProtectionPolicyUpdatePath(string $policyId, ?string $odataType): ?string
{
$resource = $this->resolveAppProtectionPolicyResource($odataType);
if ($resource === null) {
return null;
}
return sprintf('%s/%s', rtrim($resource, '/'), urlencode($policyId));
}
private function resolveAppProtectionPolicyResource(?string $odataType): ?string
{
$entitySet = $this->resolveAppProtectionEntitySet($odataType);
if ($entitySet === null) {
return null;
}
return "deviceAppManagement/{$entitySet}";
}
private function resolveAppProtectionEntitySet(?string $odataType): ?string
{
if (! is_string($odataType) || $odataType === '') {
return null;
}
return match (strtolower($odataType)) {
'#microsoft.graph.androidmanagedappprotection' => 'androidManagedAppProtections',
'#microsoft.graph.iosmanagedappprotection' => 'iosManagedAppProtections',
'#microsoft.graph.windowsinformationprotectionpolicy' => 'windowsInformationProtectionPolicies',
'#microsoft.graph.mdmwindowsinformationprotectionpolicy' => 'mdmWindowsInformationProtectionPolicies',
'#microsoft.graph.targetedmanagedappprotection' => 'targetedManagedAppProtections',
default => null,
};
}
/**
* @param array<string, mixed> $payload
* @param array<int, string> $keys
*/
private function resolvePayloadString(array $payload, array $keys): ?string
{
$value = $this->resolvePayloadValue($payload, $keys);
if (! is_string($value) || trim($value) === '') {
return null;
}
return $value;
}
/**
* @param array<string, mixed> $payload
* @param array<int, string> $keys
* @return array<int, mixed>|null
*/
private function resolvePayloadArray(array $payload, array $keys): ?array
{
$value = $this->resolvePayloadValue($payload, $keys);
if (! is_array($value) || $value === []) {
return null;
}
return $value;
}
/**
* @param array<string, mixed> $payload
* @param array<int, string> $keys
*/
private function resolvePayloadValue(array $payload, array $keys): mixed
{
$normalized = array_map('strtolower', $keys);
foreach ($payload as $key => $value) {
if (in_array(strtolower((string) $key), $normalized, true)) {
return $value;
}
}
return null;
}
/**
* @param array<string, mixed> $payload
* @return array<string, mixed>
*/
private function stripOdataAndReadOnly(array $payload): array
{
$clean = [];
$readOnlyKeys = ['id', 'createddatetime', 'lastmodifieddatetime', 'version'];
foreach ($payload as $key => $value) {
$normalizedKey = strtolower((string) $key);
if (str_starts_with($normalizedKey, '@odata')) {
continue;
}
if (in_array($normalizedKey, $readOnlyKeys, true)) {
continue;
}
if (is_array($value)) {
if (array_is_list($value)) {
$items = array_map(function ($item) {
if (is_array($item)) {
return $this->stripOdataAndReadOnly($item);
}
return $item;
}, $value);
$clean[$key] = array_values(array_filter($items, static fn ($item) => $item !== []));
continue;
}
$clean[$key] = $this->stripOdataAndReadOnly($value);
continue;
}
$clean[$key] = $value;
}
return $clean;
}
/**
* Administrative Templates (groupPolicyConfiguration) restore: wipe existing definitionValues and recreate from snapshot.
*
* @param array<int, mixed> $definitionValues
* @param array<string, mixed> $graphOptions
* @param array<string, mixed> $context
* @return array{outcomes: array<int, array<string, mixed>>, summary: array{success:int,failed:int,skipped:int}}
*/
private function applyGroupPolicyDefinitionValues(
Tenant $tenant,
string $tenantIdentifier,
string $policyId,
array $definitionValues,
array $graphOptions,
array $context,
): array {
$outcomes = [];
$summary = ['success' => 0, 'failed' => 0, 'skipped' => 0];
$listPath = "/deviceManagement/groupPolicyConfigurations/{$policyId}/definitionValues";
$createPath = "/deviceManagement/groupPolicyConfigurations/{$policyId}/definitionValues";
$this->graphLogger->logRequest('restore_group_policy_definition_values_list', $context + [
'method' => 'GET',
'endpoint' => $listPath,
]);
$existingResponse = $this->graphClient->request('GET', $listPath, $graphOptions);
$this->graphLogger->logResponse('restore_group_policy_definition_values_list', $existingResponse, $context + [
'method' => 'GET',
'endpoint' => $listPath,
]);
$existing = $existingResponse->data['value'] ?? [];
foreach ($existing as $existingValue) {
$existingId = is_array($existingValue) ? ($existingValue['id'] ?? null) : null;
if (! is_string($existingId) || $existingId === '') {
continue;
}
$deletePath = "/deviceManagement/groupPolicyConfigurations/{$policyId}/definitionValues/{$existingId}";
$this->graphLogger->logRequest('restore_group_policy_definition_values_delete', $context + [
'method' => 'DELETE',
'endpoint' => $deletePath,
'definition_value_id' => $existingId,
]);
$deleteResponse = $this->graphClient->request('DELETE', $deletePath, $graphOptions);
$this->graphLogger->logResponse('restore_group_policy_definition_values_delete', $deleteResponse, $context + [
'method' => 'DELETE',
'endpoint' => $deletePath,
'definition_value_id' => $existingId,
]);
}
foreach ($definitionValues as $definitionValue) {
if (! is_array($definitionValue)) {
continue;
}
$displayName = $definitionValue['#Definition_displayName'] ?? null;
$definitionId = $definitionValue['#Definition_Id'] ?? null;
$sanitized = $this->sanitizeGroupPolicyDefinitionValue($definitionValue);
if (! isset($sanitized['definition@odata.bind'])) {
$outcomes[] = [
'status' => 'skipped',
'definition_id' => $definitionId,
'definition' => $displayName,
'reason' => 'Missing definition@odata.bind',
];
$summary['skipped']++;
continue;
}
$this->graphLogger->logRequest('restore_group_policy_definition_values_create', $context + [
'method' => 'POST',
'endpoint' => $createPath,
'definition_id' => $definitionId,
'definition' => $displayName,
]);
$createResponse = $this->graphClient->request('POST', $createPath, [
'json' => $sanitized,
] + $graphOptions);
$this->graphLogger->logResponse('restore_group_policy_definition_values_create', $createResponse, $context + [
'method' => 'POST',
'endpoint' => $createPath,
'definition_id' => $definitionId,
'definition' => $displayName,
]);
if ($createResponse->successful()) {
$outcomes[] = [
'status' => 'success',
'definition_id' => $definitionId,
'definition' => $displayName,
];
$summary['success']++;
} else {
$outcomes[] = array_filter([
'status' => 'failed',
'definition_id' => $definitionId,
'definition' => $displayName,
'reason' => $createResponse->meta['error_message'] ?? 'Graph create failed',
'graph_error_message' => $createResponse->meta['error_message'] ?? null,
'graph_error_code' => $createResponse->meta['error_code'] ?? null,
'graph_request_id' => $createResponse->meta['request_id'] ?? null,
'graph_client_request_id' => $createResponse->meta['client_request_id'] ?? null,
], static fn ($value) => $value !== null);
$summary['failed']++;
}
usleep(100000);
}
$this->auditLogger->log(
tenant: $tenant,
action: 'restore.group_policy_definition_values.applied',
context: [
'metadata' => [
'tenant' => $tenantIdentifier,
'policy_id' => $policyId,
'summary' => $summary,
],
],
status: ($summary['failed'] ?? 0) > 0 ? 'warning' : 'success',
resourceType: 'policy',
resourceId: $policyId
);
return [
'outcomes' => $outcomes,
'summary' => $summary,
];
}
/**
* @param array<string, mixed> $definitionValue
* @return array<string, mixed>
*/
private function sanitizeGroupPolicyDefinitionValue(array $definitionValue): array
{
$clean = [];
foreach ($definitionValue as $key => $value) {
if (is_string($key) && str_starts_with($key, '#')) {
continue;
}
if ($key === 'id') {
continue;
}
if ($key === 'presentationValues' && is_array($value)) {
$cleanPresentationValues = [];
foreach ($value as $presentationValue) {
if (! is_array($presentationValue)) {
continue;
}
$presentationClean = [];
foreach ($presentationValue as $pKey => $pValue) {
if (is_string($pKey) && str_starts_with($pKey, '#')) {
continue;
}
if (in_array($pKey, ['id', 'createdDateTime', 'lastModifiedDateTime', 'presentation'], true)) {
continue;
}
$presentationClean[$pKey] = $pValue;
}
if ($presentationClean !== []) {
$cleanPresentationValues[] = $presentationClean;
}
}
if ($cleanPresentationValues !== []) {
$clean['presentationValues'] = $cleanPresentationValues;
}
continue;
}
$clean[$key] = $value;
}
return $clean;
}
/**
* @param array<int, array<string, mixed>> $foundationEntries
* @return array<string, string>
*/
private function buildScopeTagNameLookup(array $foundationEntries): array
{
$names = [];
foreach ($foundationEntries as $entry) {
if (! is_array($entry)) {
continue;
}
if (($entry['type'] ?? null) !== 'roleScopeTag') {
continue;
}
$targetId = $entry['targetId'] ?? null;
$targetName = $entry['targetName'] ?? null;
if (! is_string($targetId) || $targetId === '') {
continue;
}
if (! is_string($targetName) || $targetName === '') {
continue;
}
$names[$targetId] = $targetName;
}
return $names;
}
/**
* @param array<int, mixed>|null $scopeTagIds
* @param array<string, mixed> $backupItemMetadata
* @param array<string, string> $scopeTagMapping
* @param array<string, string> $scopeTagNamesById
* @return array{ids: array<int, string>, names: array<int, string>}|null
*/
private function buildScopeTagsForVersion(
?array $scopeTagIds,
array $backupItemMetadata,
array $scopeTagMapping,
array $scopeTagNamesById,
): ?array {
if ($scopeTagIds === null) {
return null;
}
$ids = [];
foreach ($scopeTagIds as $id) {
if (! is_string($id) && ! is_int($id)) {
continue;
}
$id = (string) $id;
if ($id === '') {
continue;
}
$ids[] = $id;
}
$ids = array_values(array_unique($ids));
if ($ids === []) {
return null;
}
$namesById = $scopeTagNamesById;
$metaScopeTagIds = $backupItemMetadata['scope_tag_ids'] ?? null;
$metaScopeTagNames = $backupItemMetadata['scope_tag_names'] ?? null;
if (is_array($metaScopeTagIds) && is_array($metaScopeTagNames)) {
foreach ($metaScopeTagIds as $index => $sourceId) {
if (! is_string($sourceId) && ! is_int($sourceId)) {
continue;
}
$sourceId = (string) $sourceId;
if ($sourceId === '') {
continue;
}
$name = $metaScopeTagNames[$index] ?? null;
if (! is_string($name) || $name === '') {
continue;
}
$targetId = $scopeTagMapping[$sourceId] ?? $sourceId;
if ($targetId !== '' && ! array_key_exists($targetId, $namesById)) {
$namesById[$targetId] = $name;
}
}
}
$names = [];
foreach ($ids as $id) {
if ($id === '0') {
$names[] = 'Default';
continue;
}
$names[] = $namesById[$id] ?? "Unknown (ID: {$id})";
}
return [
'ids' => $ids,
'names' => $names,
];
}
private function assertActiveContext(Tenant $tenant, BackupSet $backupSet): void
{
if (! $tenant->isActive()) {
throw new \RuntimeException('Tenant is archived or inactive.');
}
if ($backupSet->trashed()) {
throw new \RuntimeException('Backup set is archived.');
}
}
}
Reference in New Issue View Git Blame Copy Permalink