ahmido
92704a2f7e
Implements Spec 118 baseline drift engine improvements: - Resumable, budget-aware evidence capture for baseline capture/compare runs (resume token + UI action) - “Why no findings?” reason-code driven explanations and richer run context panels - Baseline Snapshot resource (list/detail) with fidelity visibility - Retention command + schedule for pruning baseline-purpose PolicyVersions - i18n strings for Baseline Compare landing Verification: - `vendor/bin/sail bin pint --dirty --format agent` - `vendor/bin/sail artisan test --compact --filter=Baseline` (159 passed) Note: - `docs/audits/redaction-audit-2026-03-04.md` left untracked (not part of PR). Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #143
120 lines
4.4 KiB
PHP
120 lines
4.4 KiB
PHP
<?php
|
|
|
|
use App\Jobs\CaptureBaselineSnapshotJob;
|
|
use App\Models\BaselineProfile;
|
|
use App\Models\BaselineSnapshot;
|
|
use App\Models\BaselineSnapshotItem;
|
|
use App\Models\InventoryItem;
|
|
use App\Models\Policy;
|
|
use App\Models\PolicyVersion;
|
|
use App\Services\Baselines\BaselineSnapshotIdentity;
|
|
use App\Services\Baselines\InventoryMetaContract;
|
|
use App\Services\Drift\DriftHasher;
|
|
use App\Services\Drift\Normalizers\AssignmentsNormalizer;
|
|
use App\Services\Drift\Normalizers\SettingsNormalizer;
|
|
use App\Services\Drift\Normalizers\ScopeTagsNormalizer;
|
|
use App\Services\Intune\AuditLogger;
|
|
use App\Services\OperationRunService;
|
|
use App\Support\Baselines\BaselineSubjectKey;
|
|
|
|
it('Baseline capture stores content fidelity hash when PolicyVersion evidence exists', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
|
|
]);
|
|
|
|
$policy = Policy::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'policy_type' => 'deviceConfiguration',
|
|
'external_id' => 'policy-capture-content',
|
|
'platform' => 'windows',
|
|
'display_name' => 'Policy Capture Content',
|
|
]);
|
|
|
|
$inventory = InventoryItem::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'policy_type' => (string) $policy->policy_type,
|
|
'external_id' => (string) $policy->external_id,
|
|
'display_name' => (string) $policy->display_name,
|
|
'meta_jsonb' => [
|
|
'odata_type' => '#microsoft.graph.deviceConfiguration',
|
|
'etag' => 'E_META',
|
|
'scope_tag_ids' => [],
|
|
'assignment_target_count' => 1,
|
|
],
|
|
'last_seen_at' => now()->subHour(),
|
|
]);
|
|
|
|
$snapshotPayload = [
|
|
'settings' => [
|
|
['displayName' => 'SettingX', 'value' => 1],
|
|
],
|
|
];
|
|
|
|
$capturedAt = now();
|
|
|
|
PolicyVersion::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'policy_id' => (int) $policy->getKey(),
|
|
'policy_type' => (string) $policy->policy_type,
|
|
'platform' => (string) $policy->platform,
|
|
'captured_at' => $capturedAt,
|
|
'snapshot' => $snapshotPayload,
|
|
]);
|
|
|
|
$expectedContentHash = app(DriftHasher::class)->hashNormalized(
|
|
[
|
|
'settings' => app(SettingsNormalizer::class)->normalizeForDiff($snapshotPayload, 'deviceConfiguration', 'windows'),
|
|
'assignments' => app(AssignmentsNormalizer::class)->normalizeForDiff([]),
|
|
'scope_tag_ids' => app(ScopeTagsNormalizer::class)->normalizeIds([]),
|
|
],
|
|
);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$run = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: 'baseline_capture',
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'source_tenant_id' => (int) $tenant->getKey(),
|
|
'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
(new CaptureBaselineSnapshotJob($run))->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(InventoryMetaContract::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$snapshot = BaselineSnapshot::query()
|
|
->where('baseline_profile_id', (int) $profile->getKey())
|
|
->sole();
|
|
|
|
$subjectKey = BaselineSubjectKey::fromDisplayName((string) $policy->display_name);
|
|
expect($subjectKey)->not->toBeNull();
|
|
|
|
$workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId(
|
|
policyType: (string) $policy->policy_type,
|
|
subjectKey: (string) $subjectKey,
|
|
);
|
|
|
|
$item = BaselineSnapshotItem::query()
|
|
->where('baseline_snapshot_id', (int) $snapshot->getKey())
|
|
->where('subject_external_id', $workspaceSafeExternalId)
|
|
->sole();
|
|
|
|
expect($item->baseline_hash)->toBe($expectedContentHash);
|
|
|
|
$meta = is_array($item->meta_jsonb) ? $item->meta_jsonb : [];
|
|
expect($meta)->toHaveKey('evidence');
|
|
expect(data_get($meta, 'evidence.fidelity'))->toBe('content');
|
|
expect(data_get($meta, 'evidence.source'))->toBe('policy_version');
|
|
expect(data_get($meta, 'evidence.observed_at'))->not->toBeNull();
|
|
});
|