ahmido
0dc79520a4
Implements provider access hardening for Intune write operations: - RBAC-based write gate with configurable staleness thresholds - Gate enforced at restore start and in jobs (execute + assignments) - UI affordances: disabled rerun action, tenant RBAC status card, refresh RBAC action - Audit logging for blocked writes - Ops UX label: `rbac.health_check` now displays as “RBAC health check” - Adds/updates Pest tests and SpecKit artifacts for feature 108 Notes: - Filament v5 / Livewire v4 compliant. - Destructive actions require confirmation. - Assets: no new global assets. Tested: - `vendor/bin/sail artisan test --compact` (suite previously green) + focused OpsUx tests for OperationCatalog labels. - `vendor/bin/sail bin pint --dirty`. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #132
85 lines
2.8 KiB
PHP
85 lines
2.8 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Hardening;
|
|
|
|
use App\Contracts\Hardening\WriteGateInterface;
|
|
use App\Exceptions\Hardening\ProviderAccessHardeningRequired;
|
|
use App\Models\Tenant;
|
|
use Illuminate\Support\Facades\Log;
|
|
|
|
class IntuneRbacWriteGate implements WriteGateInterface
|
|
{
|
|
public function evaluate(Tenant $tenant, string $operationType): void
|
|
{
|
|
if (! $this->isEnabled()) {
|
|
Log::warning('Intune write gate is disabled — write operation proceeding without RBAC verification.', [
|
|
'tenant_id' => $tenant->getKey(),
|
|
'operation_type' => $operationType,
|
|
]);
|
|
|
|
return;
|
|
}
|
|
|
|
$status = $tenant->rbac_status;
|
|
|
|
if ($status === null || $status === 'not_configured') {
|
|
throw new ProviderAccessHardeningRequired(
|
|
tenantId: (int) $tenant->getKey(),
|
|
operationType: $operationType,
|
|
reasonCode: 'intune_rbac.not_configured',
|
|
reasonMessage: 'Intune RBAC is not configured for this tenant. Configure RBAC before performing write operations.',
|
|
);
|
|
}
|
|
|
|
if (in_array($status, ['degraded', 'failed', 'error', 'missing', 'partial'], true)) {
|
|
throw new ProviderAccessHardeningRequired(
|
|
tenantId: (int) $tenant->getKey(),
|
|
operationType: $operationType,
|
|
reasonCode: 'intune_rbac.unhealthy',
|
|
reasonMessage: sprintf(
|
|
'Intune RBAC status is "%s". Resolve RBAC issues before performing write operations.',
|
|
$status,
|
|
),
|
|
);
|
|
}
|
|
|
|
if ($this->isStale($tenant)) {
|
|
throw new ProviderAccessHardeningRequired(
|
|
tenantId: (int) $tenant->getKey(),
|
|
operationType: $operationType,
|
|
reasonCode: 'intune_rbac.stale',
|
|
reasonMessage: 'Intune RBAC health check is outdated. Run a fresh health check before performing write operations.',
|
|
);
|
|
}
|
|
}
|
|
|
|
public function wouldBlock(Tenant $tenant): bool
|
|
{
|
|
try {
|
|
$this->evaluate($tenant, 'ui_check');
|
|
|
|
return false;
|
|
} catch (ProviderAccessHardeningRequired) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
private function isEnabled(): bool
|
|
{
|
|
return (bool) config('tenantpilot.hardening.intune_write_gate.enabled', true);
|
|
}
|
|
|
|
private function isStale(Tenant $tenant): bool
|
|
{
|
|
$lastCheckedAt = $tenant->rbac_last_checked_at;
|
|
|
|
if ($lastCheckedAt === null) {
|
|
return true;
|
|
}
|
|
|
|
$thresholdHours = (int) config('tenantpilot.hardening.intune_write_gate.freshness_threshold_hours', 24);
|
|
|
|
return $lastCheckedAt->diffInHours(now()) >= $thresholdHours;
|
|
}
|
|
}
|