ahmido
a30be84084
Summary: - Baseline Compare landing: enterprise UI (stats grid, critical drift banner, better actions), navigation grouping under Governance, and Action Surface Contract declaration. - Baseline Profile view page: switches from disabled form fields to proper Infolist entries for a clean read-only view. - Fixes tenant name column usages (`display_name` → `name`) in baseline assignment flows. - Dashboard: improved baseline governance widget with severity breakdown + last compared. Notes: - Filament v5 / Livewire v4 compatible. - Destructive actions remain confirmed (`->requiresConfirmation()`). Tests: - `vendor/bin/sail artisan test --compact tests/Feature/Baselines` - `vendor/bin/sail artisan test --compact tests/Feature/Guards/ActionSurfaceContractTest.php` Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #123
350 lines
12 KiB
PHP
350 lines
12 KiB
PHP
<?php
|
|
|
|
use App\Jobs\CaptureBaselineSnapshotJob;
|
|
use App\Models\BaselineProfile;
|
|
use App\Models\BaselineSnapshot;
|
|
use App\Models\BaselineSnapshotItem;
|
|
use App\Models\InventoryItem;
|
|
use App\Models\OperationRun;
|
|
use App\Services\Baselines\BaselineCaptureService;
|
|
use App\Services\Baselines\BaselineSnapshotIdentity;
|
|
use App\Services\Intune\AuditLogger;
|
|
use App\Services\OperationRunService;
|
|
use Illuminate\Support\Facades\Queue;
|
|
|
|
// --- T031: Capture enqueue + precondition tests ---
|
|
|
|
it('enqueues capture for an active profile and creates an operation run', function () {
|
|
Queue::fake();
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'scope_jsonb' => ['policy_types' => ['deviceConfiguration']],
|
|
]);
|
|
|
|
/** @var BaselineCaptureService $service */
|
|
$service = app(BaselineCaptureService::class);
|
|
$result = $service->startCapture($profile, $tenant, $user);
|
|
|
|
expect($result['ok'])->toBeTrue();
|
|
expect($result)->toHaveKey('run');
|
|
|
|
/** @var OperationRun $run */
|
|
$run = $result['run'];
|
|
expect($run->type)->toBe('baseline_capture');
|
|
expect($run->status)->toBe('queued');
|
|
expect($run->tenant_id)->toBe((int) $tenant->getKey());
|
|
|
|
$context = is_array($run->context) ? $run->context : [];
|
|
expect($context['baseline_profile_id'])->toBe((int) $profile->getKey());
|
|
expect($context['source_tenant_id'])->toBe((int) $tenant->getKey());
|
|
|
|
Queue::assertPushed(CaptureBaselineSnapshotJob::class);
|
|
});
|
|
|
|
it('rejects capture for a draft profile with reason code', function () {
|
|
Queue::fake();
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->create([
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'status' => BaselineProfile::STATUS_DRAFT,
|
|
]);
|
|
|
|
$service = app(BaselineCaptureService::class);
|
|
$result = $service->startCapture($profile, $tenant, $user);
|
|
|
|
expect($result['ok'])->toBeFalse();
|
|
expect($result['reason_code'])->toBe('baseline.capture.profile_not_active');
|
|
|
|
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
|
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
|
});
|
|
|
|
it('rejects capture for an archived profile with reason code', function () {
|
|
Queue::fake();
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->archived()->create([
|
|
'workspace_id' => $tenant->workspace_id,
|
|
]);
|
|
|
|
$service = app(BaselineCaptureService::class);
|
|
$result = $service->startCapture($profile, $tenant, $user);
|
|
|
|
expect($result['ok'])->toBeFalse();
|
|
expect($result['reason_code'])->toBe('baseline.capture.profile_not_active');
|
|
|
|
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
|
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
|
});
|
|
|
|
it('rejects capture for a tenant from a different workspace', function () {
|
|
Queue::fake();
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
[$otherUser, $otherTenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => $tenant->workspace_id,
|
|
]);
|
|
|
|
$service = app(BaselineCaptureService::class);
|
|
$result = $service->startCapture($profile, $otherTenant, $user);
|
|
|
|
expect($result['ok'])->toBeFalse();
|
|
expect($result['reason_code'])->toBe('baseline.capture.missing_source_tenant');
|
|
|
|
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
|
});
|
|
|
|
// --- T032: Concurrent capture reuses active run [EC-004] ---
|
|
|
|
it('reuses an existing active run for the same profile/tenant instead of creating a new one', function () {
|
|
Queue::fake();
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'scope_jsonb' => ['policy_types' => ['deviceConfiguration']],
|
|
]);
|
|
|
|
$service = app(BaselineCaptureService::class);
|
|
|
|
$result1 = $service->startCapture($profile, $tenant, $user);
|
|
$result2 = $service->startCapture($profile, $tenant, $user);
|
|
|
|
expect($result1['ok'])->toBeTrue();
|
|
expect($result2['ok'])->toBeTrue();
|
|
|
|
expect($result1['run']->getKey())->toBe($result2['run']->getKey());
|
|
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(1);
|
|
});
|
|
|
|
// --- Snapshot dedupe + capture job execution ---
|
|
|
|
it('creates a snapshot with items when the capture job executes', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'scope_jsonb' => ['policy_types' => ['deviceConfiguration']],
|
|
]);
|
|
|
|
InventoryItem::factory()->count(3)->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'policy_type' => 'deviceConfiguration',
|
|
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration'],
|
|
]);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$run = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: 'baseline_capture',
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'source_tenant_id' => (int) $tenant->getKey(),
|
|
'effective_scope' => ['policy_types' => ['deviceConfiguration']],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
$job = new CaptureBaselineSnapshotJob($run);
|
|
$job->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$run->refresh();
|
|
expect($run->status)->toBe('completed');
|
|
expect($run->outcome)->toBe('succeeded');
|
|
|
|
$counts = is_array($run->summary_counts) ? $run->summary_counts : [];
|
|
expect((int) ($counts['total'] ?? 0))->toBe(3);
|
|
expect((int) ($counts['succeeded'] ?? 0))->toBe(3);
|
|
|
|
$snapshot = BaselineSnapshot::query()
|
|
->where('baseline_profile_id', $profile->getKey())
|
|
->first();
|
|
|
|
expect($snapshot)->not->toBeNull();
|
|
expect(BaselineSnapshotItem::query()->where('baseline_snapshot_id', $snapshot->getKey())->count())->toBe(3);
|
|
|
|
$profile->refresh();
|
|
expect($profile->active_snapshot_id)->toBe((int) $snapshot->getKey());
|
|
});
|
|
|
|
it('dedupes snapshots when content is unchanged', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'scope_jsonb' => ['policy_types' => ['deviceConfiguration']],
|
|
]);
|
|
|
|
InventoryItem::factory()->count(2)->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'policy_type' => 'deviceConfiguration',
|
|
'meta_jsonb' => ['odata_type' => '#microsoft.graph.deviceConfiguration', 'stable_field' => 'value'],
|
|
]);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$idService = app(BaselineSnapshotIdentity::class);
|
|
$auditLogger = app(AuditLogger::class);
|
|
|
|
$run1 = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: 'baseline_capture',
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'source_tenant_id' => (int) $tenant->getKey(),
|
|
'effective_scope' => ['policy_types' => ['deviceConfiguration']],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
$job1 = new CaptureBaselineSnapshotJob($run1);
|
|
$job1->handle($idService, $auditLogger, $opService);
|
|
|
|
$snapshotCountAfterFirst = BaselineSnapshot::query()
|
|
->where('baseline_profile_id', $profile->getKey())
|
|
->count();
|
|
|
|
expect($snapshotCountAfterFirst)->toBe(1);
|
|
|
|
$run2 = OperationRun::create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'initiator_name' => $user->name,
|
|
'type' => 'baseline_capture',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'run_identity_hash' => hash('sha256', 'second-run-' . now()->timestamp),
|
|
'context' => [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'source_tenant_id' => (int) $tenant->getKey(),
|
|
'effective_scope' => ['policy_types' => ['deviceConfiguration']],
|
|
],
|
|
]);
|
|
|
|
$job2 = new CaptureBaselineSnapshotJob($run2);
|
|
$job2->handle($idService, $auditLogger, $opService);
|
|
|
|
$snapshotCountAfterSecond = BaselineSnapshot::query()
|
|
->where('baseline_profile_id', $profile->getKey())
|
|
->count();
|
|
|
|
expect($snapshotCountAfterSecond)->toBe(1);
|
|
});
|
|
|
|
// --- EC-005: Empty scope produces empty snapshot without errors ---
|
|
|
|
it('captures an empty snapshot when no inventory items match the scope', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'scope_jsonb' => ['policy_types' => ['nonExistentPolicyType']],
|
|
]);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$run = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: 'baseline_capture',
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'source_tenant_id' => (int) $tenant->getKey(),
|
|
'effective_scope' => ['policy_types' => ['nonExistentPolicyType']],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
$job = new CaptureBaselineSnapshotJob($run);
|
|
$job->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$run->refresh();
|
|
expect($run->status)->toBe('completed');
|
|
expect($run->outcome)->toBe('succeeded');
|
|
|
|
$counts = is_array($run->summary_counts) ? $run->summary_counts : [];
|
|
expect((int) ($counts['total'] ?? 0))->toBe(0);
|
|
expect((int) ($counts['failed'] ?? 0))->toBe(0);
|
|
|
|
$snapshot = BaselineSnapshot::query()
|
|
->where('baseline_profile_id', $profile->getKey())
|
|
->first();
|
|
|
|
expect($snapshot)->not->toBeNull();
|
|
expect(BaselineSnapshotItem::query()->where('baseline_snapshot_id', $snapshot->getKey())->count())->toBe(0);
|
|
});
|
|
|
|
it('captures all inventory items when scope has empty policy_types (all types)', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'scope_jsonb' => ['policy_types' => []],
|
|
]);
|
|
|
|
InventoryItem::factory()->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'policy_type' => 'deviceConfiguration',
|
|
]);
|
|
|
|
InventoryItem::factory()->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'workspace_id' => $tenant->workspace_id,
|
|
'policy_type' => 'compliancePolicy',
|
|
]);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$run = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: 'baseline_capture',
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'source_tenant_id' => (int) $tenant->getKey(),
|
|
'effective_scope' => ['policy_types' => []],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
$job = new CaptureBaselineSnapshotJob($run);
|
|
$job->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$run->refresh();
|
|
expect($run->status)->toBe('completed');
|
|
|
|
$counts = is_array($run->summary_counts) ? $run->summary_counts : [];
|
|
expect((int) ($counts['total'] ?? 0))->toBe(2);
|
|
|
|
$snapshot = BaselineSnapshot::query()
|
|
->where('baseline_profile_id', $profile->getKey())
|
|
->first();
|
|
|
|
expect($snapshot)->not->toBeNull();
|
|
expect(BaselineSnapshotItem::query()->where('baseline_snapshot_id', $snapshot->getKey())->count())->toBe(2);
|
|
});
|