ahmido
6a15fe978a
## Summary Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support. ## What's included ### Core Services - **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication - **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog - **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.) - **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline ### UI - **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button - RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger ### Infrastructure - Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments` - `config/entra_permissions.php` — Entra permission registry - `StoredReport.fingerprint` migration (deduplication support) - `OperationCatalog` label + duration for `entra.admin_roles.scan` - Artisan command `entra:scan-admin-roles` for CLI/scheduled use ### Global UX improvement - **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications. ## Test Coverage - **12 test files**, **79+ tests**, **307+ assertions** - Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping ## Spec artifacts - `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete) - `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked ## Files changed 46 files changed, 3641 insertions(+), 15 deletions(-) Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #128
77 lines
2.5 KiB
PHP
77 lines
2.5 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Services\EntraAdminRoles;
|
|
|
|
final class HighPrivilegeRoleCatalog
|
|
{
|
|
/**
|
|
* Template ID → severity mapping.
|
|
*
|
|
* @var array<string, string>
|
|
*/
|
|
private const CATALOG = [
|
|
'62e90394-69f5-4237-9190-012177145e10' => 'critical', // Global Administrator
|
|
'e8611ab8-c189-46e8-94e1-60213ab1f814' => 'high', // Privileged Role Administrator
|
|
'194ae4cb-b126-40b2-bd5b-6091b380977d' => 'high', // Security Administrator
|
|
'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9' => 'high', // Conditional Access Administrator
|
|
'29232cdf-9323-42fd-ade2-1d097af3e4de' => 'high', // Exchange Administrator
|
|
'c4e39bd9-1100-46d3-8c65-fb160da0071f' => 'high', // Authentication Administrator
|
|
];
|
|
|
|
/**
|
|
* Display name fallback (case-insensitive) for roles without template_id match.
|
|
*
|
|
* @var array<string, string>
|
|
*/
|
|
private const DISPLAY_NAME_FALLBACK = [
|
|
'global administrator' => 'critical',
|
|
'privileged role administrator' => 'high',
|
|
'security administrator' => 'high',
|
|
'conditional access administrator' => 'high',
|
|
'exchange administrator' => 'high',
|
|
'authentication administrator' => 'high',
|
|
];
|
|
|
|
/**
|
|
* Classify a role by template_id (preferred) or display_name (fallback).
|
|
*
|
|
* @return string|null Severity ('critical'|'high') or null if not high-privilege
|
|
*/
|
|
public function classify(string $templateIdOrId, ?string $displayName = null): ?string
|
|
{
|
|
if (isset(self::CATALOG[$templateIdOrId])) {
|
|
return self::CATALOG[$templateIdOrId];
|
|
}
|
|
|
|
if ($displayName !== null) {
|
|
$normalized = strtolower(trim($displayName));
|
|
|
|
if (isset(self::DISPLAY_NAME_FALLBACK[$normalized])) {
|
|
return self::DISPLAY_NAME_FALLBACK[$normalized];
|
|
}
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
public function isHighPrivilege(string $templateIdOrId, ?string $displayName = null): bool
|
|
{
|
|
return $this->classify($templateIdOrId, $displayName) !== null;
|
|
}
|
|
|
|
public function isGlobalAdministrator(string $templateIdOrId, ?string $displayName = null): bool
|
|
{
|
|
return $this->classify($templateIdOrId, $displayName) === 'critical';
|
|
}
|
|
|
|
/**
|
|
* @return array<string, string> All template_id → severity mappings
|
|
*/
|
|
public function allTemplateIds(): array
|
|
{
|
|
return self::CATALOG;
|
|
}
|
|
}
|