ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
92704a2f7e
TenantAtlas/tests/Feature/BaselineDriftEngine/FindingProvenanceTest.php
ahmido 92704a2f7e Spec 118: Resumable baseline evidence capture + snapshot UX (#143) 
Implements Spec 118 baseline drift engine improvements:

- Resumable, budget-aware evidence capture for baseline capture/compare runs (resume token + UI action)
- “Why no findings?” reason-code driven explanations and richer run context panels
- Baseline Snapshot resource (list/detail) with fidelity visibility
- Retention command + schedule for pruning baseline-purpose PolicyVersions
- i18n strings for Baseline Compare landing

Verification:
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact --filter=Baseline` (159 passed)

Note:
- `docs/audits/redaction-audit-2026-03-04.md` left untracked (not part of PR).

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #143
2026-03-04 22:34:13 +00:00

147 lines
5.7 KiB
PHP
Raw Blame History

<?php
use App\Jobs\CompareBaselineToTenantJob;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\BaselineSnapshotItem;
use App\Models\Finding;
use App\Models\InventoryItem;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Services\Baselines\BaselineSnapshotIdentity;
use App\Services\Drift\DriftHasher;
use App\Services\Drift\Normalizers\AssignmentsNormalizer;
use App\Services\Drift\Normalizers\SettingsNormalizer;
use App\Services\Drift\Normalizers\ScopeTagsNormalizer;
use App\Services\Intune\AuditLogger;
use App\Services\OperationRunService;
use App\Support\Baselines\BaselineSubjectKey;
use App\Support\OperationRunType;
use Carbon\CarbonImmutable;
it('Baseline compare persists baseline+current provenance on drift findings', function () {
[$user, $tenant] = createUserWithTenant();
$profile = BaselineProfile::factory()->active()->create([
'workspace_id' => $tenant->workspace_id,
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
]);
$baselineCapturedAt = CarbonImmutable::parse('2026-03-01 00:00:00');
$snapshot = BaselineSnapshot::factory()->create([
'workspace_id' => $tenant->workspace_id,
'baseline_profile_id' => (int) $profile->getKey(),
'captured_at' => $baselineCapturedAt,
]);
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
tenant: $tenant,
statusByType: ['deviceConfiguration' => 'succeeded'],
);
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_type' => 'deviceConfiguration',
'external_id' => 'policy-provenance',
'platform' => 'windows',
'display_name' => 'Policy Provenance',
]);
$baselineSnapshotPayload = [
'settings' => [
['displayName' => 'SettingA', 'value' => 1],
],
];
$baselineHash = app(DriftHasher::class)->hashNormalized([
'settings' => app(SettingsNormalizer::class)->normalizeForDiff($baselineSnapshotPayload, 'deviceConfiguration', 'windows'),
'assignments' => app(AssignmentsNormalizer::class)->normalizeForDiff([]),
'scope_tag_ids' => app(ScopeTagsNormalizer::class)->normalizeIds([]),
]);
$subjectKey = BaselineSubjectKey::fromDisplayName((string) $policy->display_name);
expect($subjectKey)->not->toBeNull();
BaselineSnapshotItem::factory()->create([
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'subject_type' => 'policy',
'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId(
policyType: (string) $policy->policy_type,
subjectKey: (string) $subjectKey,
),
'subject_key' => (string) $subjectKey,
'policy_type' => (string) $policy->policy_type,
'baseline_hash' => $baselineHash,
'meta_jsonb' => [
'display_name' => (string) $policy->display_name,
'evidence' => [
'fidelity' => 'content',
'source' => 'policy_version',
'observed_at' => $baselineCapturedAt->toIso8601String(),
'observed_operation_run_id' => null,
],
],
]);
InventoryItem::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'external_id' => (string) $policy->external_id,
'policy_type' => (string) $policy->policy_type,
'display_name' => (string) $policy->display_name,
'meta_jsonb' => [
'odata_type' => '#microsoft.graph.deviceConfiguration',
'etag' => 'W/"same-etag"',
'scope_tag_ids' => [],
'assignment_target_count' => 1,
],
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
'last_seen_at' => now(),
]);
PolicyVersion::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_id' => (int) $policy->getKey(),
'policy_type' => (string) $policy->policy_type,
'platform' => (string) $policy->platform,
'captured_at' => $baselineCapturedAt->addHour(),
'snapshot' => [
'settings' => [
['displayName' => 'SettingA', 'value' => 2],
],
],
]);
$opService = app(OperationRunService::class);
$compareRun = $opService->ensureRunWithIdentity(
tenant: $tenant,
type: OperationRunType::BaselineCompare->value,
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
context: [
'baseline_profile_id' => (int) $profile->getKey(),
'baseline_snapshot_id' => (int) $snapshot->getKey(),
'effective_scope' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
],
initiator: $user,
);
(new CompareBaselineToTenantJob($compareRun))->handle(
app(BaselineSnapshotIdentity::class),
app(AuditLogger::class),
$opService,
);
$finding = Finding::query()
->where('tenant_id', (int) $tenant->getKey())
->where('subject_external_id', (string) $policy->external_id)
->sole();
expect(data_get($finding->evidence_jsonb, 'baseline.provenance.fidelity'))->toBe('content');
expect(data_get($finding->evidence_jsonb, 'baseline.provenance.source'))->toBe('policy_version');
expect(data_get($finding->evidence_jsonb, 'baseline.provenance.observed_at'))->not->toBeNull();
expect(data_get($finding->evidence_jsonb, 'current.provenance.fidelity'))->toBe('content');
expect(data_get($finding->evidence_jsonb, 'current.provenance.source'))->toBe('policy_version');
expect(data_get($finding->evidence_jsonb, 'current.provenance.observed_at'))->not->toBeNull();
});
Reference in New Issue View Git Blame Copy Permalink