ahmido
92704a2f7e
Implements Spec 118 baseline drift engine improvements: - Resumable, budget-aware evidence capture for baseline capture/compare runs (resume token + UI action) - “Why no findings?” reason-code driven explanations and richer run context panels - Baseline Snapshot resource (list/detail) with fidelity visibility - Retention command + schedule for pruning baseline-purpose PolicyVersions - i18n strings for Baseline Compare landing Verification: - `vendor/bin/sail bin pint --dirty --format agent` - `vendor/bin/sail artisan test --compact --filter=Baseline` (159 passed) Note: - `docs/audits/redaction-audit-2026-03-04.md` left untracked (not part of PR). Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #143
243 lines
8.7 KiB
PHP
243 lines
8.7 KiB
PHP
<?php
|
|
|
|
use App\Jobs\CompareBaselineToTenantJob;
|
|
use App\Models\BaselineProfile;
|
|
use App\Models\BaselineSnapshot;
|
|
use App\Models\BaselineSnapshotItem;
|
|
use App\Models\InventoryItem;
|
|
use App\Services\Baselines\BaselineSnapshotIdentity;
|
|
use App\Services\Intune\AuditLogger;
|
|
use App\Services\OperationRunService;
|
|
use App\Support\Baselines\BaselineCompareReasonCode;
|
|
use App\Support\Baselines\BaselineSubjectKey;
|
|
use App\Support\OperationRunOutcome;
|
|
use App\Support\OperationRunStatus;
|
|
use App\Support\OperationRunType;
|
|
|
|
it('records no_subjects_in_scope when the resolved subject list is empty', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'scope_jsonb' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
]);
|
|
|
|
$snapshot = BaselineSnapshot::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'captured_at' => now()->subMinute(),
|
|
]);
|
|
|
|
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
|
|
|
|
$inventorySyncRun = \App\Models\OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'type' => OperationRunType::InventorySync->value,
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
'completed_at' => now(),
|
|
'context' => [
|
|
'inventory' => [
|
|
'coverage' => [
|
|
'policy_types' => [
|
|
'deviceConfiguration' => ['status' => 'succeeded'],
|
|
],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
],
|
|
]);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$compareRun = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: OperationRunType::BaselineCompare->value,
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'effective_scope' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
(new CompareBaselineToTenantJob($compareRun))->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$compareRun->refresh();
|
|
expect(data_get($compareRun->context, 'baseline_compare.subjects_total'))->toBe(0);
|
|
expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::NoSubjectsInScope->value);
|
|
});
|
|
|
|
it('records no_drift_detected when subjects are processed but no drift findings are produced', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'scope_jsonb' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
]);
|
|
|
|
$snapshot = BaselineSnapshot::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'captured_at' => now()->subMinute(),
|
|
]);
|
|
|
|
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
|
|
|
|
$externalId = 'policy-uuid';
|
|
$displayName = 'Stable Policy';
|
|
$subjectKey = BaselineSubjectKey::fromDisplayName($displayName);
|
|
expect($subjectKey)->not->toBeNull();
|
|
|
|
$workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId(
|
|
policyType: 'deviceConfiguration',
|
|
subjectKey: (string) $subjectKey,
|
|
);
|
|
|
|
$metaJsonb = [
|
|
'odata_type' => '#microsoft.graph.deviceConfiguration',
|
|
'etag' => 'E_STABLE',
|
|
];
|
|
|
|
$baselineHash = app(BaselineSnapshotIdentity::class)->hashItemContent(
|
|
policyType: 'deviceConfiguration',
|
|
subjectExternalId: $externalId,
|
|
metaJsonb: $metaJsonb,
|
|
);
|
|
|
|
BaselineSnapshotItem::factory()->create([
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'subject_type' => 'policy',
|
|
'subject_external_id' => $workspaceSafeExternalId,
|
|
'subject_key' => (string) $subjectKey,
|
|
'policy_type' => 'deviceConfiguration',
|
|
'baseline_hash' => $baselineHash,
|
|
'meta_jsonb' => [
|
|
'display_name' => $displayName,
|
|
'evidence' => [
|
|
'fidelity' => 'meta',
|
|
'source' => 'inventory',
|
|
'observed_at' => now()->toIso8601String(),
|
|
],
|
|
],
|
|
]);
|
|
|
|
$inventorySyncRun = \App\Models\OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'type' => OperationRunType::InventorySync->value,
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
'completed_at' => now(),
|
|
'context' => [
|
|
'inventory' => [
|
|
'coverage' => [
|
|
'policy_types' => [
|
|
'deviceConfiguration' => ['status' => 'succeeded'],
|
|
],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
],
|
|
]);
|
|
|
|
InventoryItem::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'external_id' => $externalId,
|
|
'policy_type' => 'deviceConfiguration',
|
|
'display_name' => $displayName,
|
|
'meta_jsonb' => $metaJsonb,
|
|
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
|
|
'last_seen_at' => now(),
|
|
]);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$compareRun = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: OperationRunType::BaselineCompare->value,
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'effective_scope' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
(new CompareBaselineToTenantJob($compareRun))->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$compareRun->refresh();
|
|
|
|
expect(data_get($compareRun->context, 'baseline_compare.subjects_total'))->toBe(1);
|
|
expect(data_get($compareRun->context, 'result.findings_total'))->toBe(0);
|
|
expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::NoDriftDetected->value);
|
|
});
|
|
|
|
it('records coverage_unproven when findings are suppressed due to missing coverage proof', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'scope_jsonb' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
]);
|
|
|
|
$snapshot = BaselineSnapshot::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'captured_at' => now()->subMinute(),
|
|
]);
|
|
|
|
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$compareRun = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: OperationRunType::BaselineCompare->value,
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'effective_scope' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
(new CompareBaselineToTenantJob($compareRun))->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$compareRun->refresh();
|
|
expect($compareRun->outcome)->toBe(OperationRunOutcome::PartiallySucceeded->value);
|
|
expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::CoverageUnproven->value);
|
|
});
|