ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
a33a41be39
TenantAtlas/tests/Unit/Baselines/BaselinePolicyVersionResolverTest.php
ahmido ef41c9193a feat: add Intune RBAC baseline compare support (#156) 
## Summary
- add Intune RBAC Role Definition baseline scope support, capture references, compare classification, findings evidence, and landing/detail UI labels
- keep Intune Role Assignments explicitly excluded from baseline compare scope, summaries, findings, and restore messaging
- add focused Pest coverage for baseline scope selection, capture, compare behavior, recurrence, isolation, findings rendering, inventory anchoring, and RBAC summaries

## Verification
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Unit/Inventory/InventoryPolicyTypeMetaBaselineSupportTest.php tests/Unit/Baselines/BaselinePolicyVersionResolverTest.php tests/Unit/Baselines/BaselineScopeTest.php tests/Unit/IntuneRoleDefinitionNormalizerTest.php tests/Feature/Baselines/BaselineCaptureRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareDriftEvidenceContractRbacTest.php tests/Feature/Baselines/BaselineCompareCoverageGuardTest.php tests/Feature/Baselines/BaselineCompareCrossTenantMatchTest.php tests/Feature/Baselines/BaselineCompareFindingRecurrenceKeyTest.php tests/Feature/Baselines/BaselineCompareWhyNoFindingsReasonCodeTest.php tests/Feature/Filament/BaselineProfileFoundationScopeTest.php tests/Feature/Filament/BaselineSnapshotRbacRoleDefinitionsTest.php tests/Feature/Filament/BaselineCompareLandingRbacLabelsTest.php tests/Feature/Filament/FindingViewRbacEvidenceTest.php tests/Feature/Findings/FindingRecurrenceTest.php tests/Feature/Findings/DriftStaleAutoResolveTest.php tests/Feature/Inventory/InventorySyncButtonTest.php tests/Feature/Inventory/InventorySyncServiceTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php`
- result: `71 passed (467 assertions)`

## Filament / Platform Notes
- Livewire compliance: unchanged and compatible with Livewire v4.0+
- Provider registration: no panel/provider changes; `bootstrap/providers.php` remains the registration location
- Global search: no new globally searchable resource added; existing global search behavior is unchanged
- Destructive actions: no new destructive actions introduced; existing confirmed actions remain unchanged
- Assets: no new Filament assets introduced; deploy asset handling remains unchanged, including `php artisan filament:assets`
- Testing plan covered: baseline profile scope, snapshot detail, compare job, findings recurrence, findings detail, compare landing labels, inventory sync anchoring, and tenant isolation

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #156
2026-03-09 18:49:20 +00:00

167 lines
5.3 KiB
PHP
Raw Blame History

<?php
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Models\Tenant;
use App\Services\Baselines\Evidence\BaselinePolicyVersionResolver;
use App\Support\Baselines\BaselineSubjectKey;
use Carbon\CarbonImmutable;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
beforeEach(function () {
$this->resolver = new BaselinePolicyVersionResolver;
});
test('resolves baseline policy version id within observed second', function () {
$tenant = Tenant::factory()->create();
$displayName = 'Policy Alpha';
$subjectKey = BaselineSubjectKey::fromDisplayName($displayName);
expect($subjectKey)->not->toBeNull();
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_type' => 'settingsCatalogPolicy',
'display_name' => $displayName,
]);
$capturedAt = CarbonImmutable::parse('2026-03-05 12:00:00.123456');
$version = PolicyVersion::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_id' => (int) $policy->getKey(),
'policy_type' => (string) $policy->policy_type,
'version_number' => 1,
'captured_at' => $capturedAt,
]);
$resolved = $this->resolver->resolve(
tenant: $tenant,
policyType: (string) $policy->policy_type,
subjectKey: (string) $subjectKey,
observedAt: $capturedAt->toIso8601String(),
);
expect($resolved)->toBe((int) $version->getKey());
});
test('returns null when no policy matches subject key', function () {
$tenant = Tenant::factory()->create();
Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_type' => 'settingsCatalogPolicy',
'display_name' => 'Some Other Policy',
]);
$resolved = $this->resolver->resolve(
tenant: $tenant,
policyType: 'settingsCatalogPolicy',
subjectKey: 'missing-subject-key',
observedAt: CarbonImmutable::parse('2026-03-05 12:00:00')->toIso8601String(),
);
expect($resolved)->toBeNull();
});
test('returns null when observed_at is invalid', function () {
$tenant = Tenant::factory()->create();
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_type' => 'settingsCatalogPolicy',
'display_name' => 'Policy Alpha',
]);
$subjectKey = BaselineSubjectKey::fromDisplayName((string) $policy->display_name);
expect($subjectKey)->not->toBeNull();
$resolved = $this->resolver->resolve(
tenant: $tenant,
policyType: (string) $policy->policy_type,
subjectKey: (string) $subjectKey,
observedAt: 'not-a-date',
);
expect($resolved)->toBeNull();
});
test('uses a deterministic tie-breaker when multiple candidates exist', function () {
$tenant = Tenant::factory()->create();
$displayName = 'Policy Alpha';
$subjectKey = BaselineSubjectKey::fromDisplayName($displayName);
expect($subjectKey)->not->toBeNull();
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_type' => 'settingsCatalogPolicy',
'display_name' => $displayName,
]);
$versionEarly = PolicyVersion::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_id' => (int) $policy->getKey(),
'policy_type' => (string) $policy->policy_type,
'version_number' => 1,
'captured_at' => CarbonImmutable::parse('2026-03-05 12:00:00.100000'),
]);
$versionLate = PolicyVersion::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_id' => (int) $policy->getKey(),
'policy_type' => (string) $policy->policy_type,
'version_number' => 2,
'captured_at' => CarbonImmutable::parse('2026-03-05 12:00:00.900000'),
]);
$resolved = $this->resolver->resolve(
tenant: $tenant,
policyType: (string) $policy->policy_type,
subjectKey: (string) $subjectKey,
observedAt: CarbonImmutable::parse('2026-03-05 12:00:00')->toIso8601String(),
);
expect($resolved)
->toBe((int) $versionLate->getKey())
->and($resolved)->not->toBe((int) $versionEarly->getKey());
});
test('resolves intune role definition versions by external-id identity', function () {
$tenant = Tenant::factory()->create();
$policy = Policy::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_type' => 'intuneRoleDefinition',
'external_id' => 'role-def-42',
'display_name' => 'Security Reader',
]);
$capturedAt = CarbonImmutable::parse('2026-03-08 12:00:00.123456');
$version = PolicyVersion::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'policy_id' => (int) $policy->getKey(),
'policy_type' => (string) $policy->policy_type,
'version_number' => 1,
'captured_at' => $capturedAt,
]);
$subjectKey = BaselineSubjectKey::forPolicy('intuneRoleDefinition', 'Security Reader', 'role-def-42');
expect($subjectKey)->not->toBeNull();
$resolved = $this->resolver->resolve(
tenant: $tenant,
policyType: 'intuneRoleDefinition',
subjectKey: (string) $subjectKey,
observedAt: $capturedAt->toIso8601String(),
);
expect($resolved)->toBe((int) $version->getKey());
});
Reference in New Issue View Git Blame Copy Permalink