## Summary - Adds the Spec 431 Exchange PowerShell invocation gate and operation registration slice. - Introduces trusted provider operation start handling and read-only Exchange PowerShell runner abstractions. - Updates provider capability/readiness evaluation and coverage for Exchange PowerShell invocation safety. ## Verification - `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Providers/ProviderCapabilityEvaluationTest.php tests/Feature/Providers/ProviderOperationCapabilityGateTest.php tests/Feature/TenantConfiguration/Spec431ExchangePowerShellInvocationGateTest.php tests/Unit/Providers/ProviderCapabilityRegistryTest.php tests/Unit/Providers/ProviderOperationStartGateTest.php tests/Unit/Support/TenantConfiguration/Spec430ExchangePowerShellCommandAllowlistTest.php tests/Unit/Support/TenantConfiguration/Spec431ExchangePowerShellOperationRegistrationTest.php tests/Unit/Verification/ManagedEnvironmentPermissionCapabilityMappingTest.php` - Result: 80 passed, 685 assertions. ## Product Surface / Ops - Rendered UI surface changed: N/A. - Filament/Livewire surface changed: N/A. - Deployment impact: config/runtime service changes only; no migrations, queues, or assets added. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #498
60 lines
2.4 KiB
PHP
60 lines
2.4 KiB
PHP
<?php
|
|
|
|
namespace App\Support\Operations;
|
|
|
|
use App\Models\OperationRun;
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\OperationCatalog;
|
|
|
|
final class OperationRunCapabilityResolver
|
|
{
|
|
public function requiredCapabilityForRun(OperationRun $run): ?string
|
|
{
|
|
return $this->requiredCapabilityForType((string) $run->type);
|
|
}
|
|
|
|
public function requiredCapabilityForType(string $operationType): ?string
|
|
{
|
|
$operationType = OperationCatalog::canonicalCode($operationType);
|
|
|
|
if ($operationType === '') {
|
|
return null;
|
|
}
|
|
|
|
return match ($operationType) {
|
|
'inventory.sync' => Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
'directory.groups.sync' => Capabilities::TENANT_SYNC,
|
|
'backup.schedule.execute', 'backup.schedule.retention', 'backup.schedule.purge' => Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
'restore.execute', 'promotion.execute' => Capabilities::TENANT_MANAGE,
|
|
'directory.role_definitions.sync' => Capabilities::TENANT_MANAGE,
|
|
'alerts.evaluate', 'alerts.deliver' => Capabilities::ALERTS_VIEW,
|
|
'environment.review.compose' => Capabilities::ENVIRONMENT_REVIEW_VIEW,
|
|
|
|
// Viewing verification reports should be possible for readonly members.
|
|
// Starting verification is separately guarded by the verification service.
|
|
'provider.connection.check' => Capabilities::PROVIDER_VIEW,
|
|
|
|
// Keep legacy / unknown types viewable by membership+entitlement only.
|
|
default => null,
|
|
};
|
|
}
|
|
|
|
public function requiredExecutionCapabilityForType(string $operationType): ?string
|
|
{
|
|
$operationType = OperationCatalog::canonicalCode($operationType);
|
|
|
|
if ($operationType === '') {
|
|
return null;
|
|
}
|
|
|
|
return match ($operationType) {
|
|
'provider.connection.check', 'inventory.sync', 'compliance.snapshot', 'tenant_configuration.exchange_powershell_invocation' => Capabilities::PROVIDER_RUN,
|
|
'policy.sync', 'tenant.sync' => Capabilities::TENANT_SYNC,
|
|
'policy.delete' => Capabilities::TENANT_MANAGE,
|
|
'assignments.restore', 'restore.execute', 'promotion.execute' => Capabilities::TENANT_MANAGE,
|
|
'environment.review.compose' => Capabilities::ENVIRONMENT_REVIEW_MANAGE,
|
|
default => $this->requiredCapabilityForType($operationType),
|
|
};
|
|
}
|
|
}
|