ahmido
da1adbdeb5
Implements Spec 119 (Drift Golden Master Cutover): - Baseline Compare is the only drift writer (`source = baseline.compare`). - Drift findings now store diff-compatible `evidence_jsonb` (summary.kind, baseline/current policy_version_id refs, fidelity + provenance). - Findings UI renders one-sided diffs for `missing_policy`/`unexpected_policy` when a single ref exists; otherwise shows explicit “diff unavailable”. - Removes legacy drift generator runtime (jobs/services/UI) and related tests. - Adds one-time migration to delete legacy drift findings (`finding_type=drift` where source is null or != baseline.compare). - Scopes baseline capture & landing duplicate warnings to latest completed inventory sync. - Canonicalizes compliance `scheduledActionsForRule` drift signal and keeps legacy snapshots comparable. Tests: - `vendor/bin/sail artisan test --compact` (full suite per tasks) - Focused pack: BaselinePolicyVersionResolverTest, BaselineCompareDriftEvidenceContractTest, DriftFindingDiffUnavailableTest, LegacyDriftFindingsCleanupMigrationTest, ComplianceNoncomplianceActionsDriftTest Notes: - Livewire v4+ / Filament v5 compatible (no legacy APIs). - No new external dependencies. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #144
179 lines
6.2 KiB
PHP
179 lines
6.2 KiB
PHP
<?php
|
|
|
|
use App\Models\Finding;
|
|
use App\Models\Policy;
|
|
use App\Models\PolicyVersion;
|
|
|
|
it('shows an explicit diff unavailable message when policy version references are missing', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$finding = Finding::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'finding_type' => Finding::FINDING_TYPE_DRIFT,
|
|
'source' => 'baseline.compare',
|
|
'subject_type' => 'policy',
|
|
'subject_external_id' => 'policy-alpha-uuid',
|
|
'evidence_fidelity' => 'meta',
|
|
'evidence_jsonb' => [
|
|
'change_type' => 'different_version',
|
|
'policy_type' => 'deviceConfiguration',
|
|
'subject_key' => 'policy alpha',
|
|
'summary' => [
|
|
'kind' => 'policy_snapshot',
|
|
],
|
|
'baseline' => [
|
|
'policy_version_id' => null,
|
|
],
|
|
'current' => [
|
|
'policy_version_id' => null,
|
|
],
|
|
'fidelity' => 'meta',
|
|
'provenance' => [
|
|
'baseline_profile_id' => 1,
|
|
'baseline_snapshot_id' => 1,
|
|
'compare_operation_run_id' => 1,
|
|
'inventory_sync_run_id' => null,
|
|
],
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get(route('filament.tenant.resources.findings.view', array_merge(
|
|
filamentTenantRouteParams($tenant),
|
|
['record' => $finding],
|
|
)))
|
|
->assertOk()
|
|
->assertSee('Diff unavailable')
|
|
->assertDontSee('No normalized changes were found');
|
|
});
|
|
|
|
it('renders a diff against an empty baseline for unexpected_policy findings with a current policy version reference', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$policy = Policy::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'external_id' => 'policy-unexpected-uuid',
|
|
'policy_type' => 'deviceCompliancePolicy',
|
|
'platform' => 'windows',
|
|
'display_name' => 'Bitlocker Require',
|
|
]);
|
|
|
|
$currentVersion = PolicyVersion::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'policy_id' => (int) $policy->getKey(),
|
|
'policy_type' => 'deviceCompliancePolicy',
|
|
'platform' => 'windows',
|
|
'snapshot' => [
|
|
'@odata.type' => '#microsoft.graph.windows10CompliancePolicy',
|
|
'passwordRequired' => true,
|
|
],
|
|
'assignments' => [],
|
|
'scope_tags' => [],
|
|
]);
|
|
|
|
$finding = Finding::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'finding_type' => Finding::FINDING_TYPE_DRIFT,
|
|
'source' => 'baseline.compare',
|
|
'subject_type' => 'policy',
|
|
'subject_external_id' => 'policy-unexpected-uuid',
|
|
'evidence_fidelity' => 'mixed',
|
|
'evidence_jsonb' => [
|
|
'change_type' => 'unexpected_policy',
|
|
'policy_type' => 'deviceCompliancePolicy',
|
|
'subject_key' => 'bitlocker require',
|
|
'summary' => [
|
|
'kind' => 'policy_snapshot',
|
|
],
|
|
'baseline' => [
|
|
'policy_version_id' => null,
|
|
],
|
|
'current' => [
|
|
'policy_version_id' => (int) $currentVersion->getKey(),
|
|
],
|
|
'fidelity' => 'mixed',
|
|
'provenance' => [
|
|
'baseline_profile_id' => 1,
|
|
'baseline_snapshot_id' => 1,
|
|
'compare_operation_run_id' => 1,
|
|
'inventory_sync_run_id' => null,
|
|
],
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get(route('filament.tenant.resources.findings.view', array_merge(
|
|
filamentTenantRouteParams($tenant),
|
|
['record' => $finding],
|
|
)))
|
|
->assertOk()
|
|
->assertDontSee('Diff unavailable')
|
|
->assertSee('1 added')
|
|
->assertSee('Password required');
|
|
});
|
|
|
|
it('renders a diff against an empty current side for missing_policy findings with a baseline policy version reference', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$policy = Policy::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'external_id' => 'policy-missing-uuid',
|
|
'policy_type' => 'deviceCompliancePolicy',
|
|
'platform' => 'windows',
|
|
'display_name' => 'Bitlocker Require',
|
|
]);
|
|
|
|
$baselineVersion = PolicyVersion::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'policy_id' => (int) $policy->getKey(),
|
|
'policy_type' => 'deviceCompliancePolicy',
|
|
'platform' => 'windows',
|
|
'snapshot' => [
|
|
'@odata.type' => '#microsoft.graph.windows10CompliancePolicy',
|
|
'passwordRequired' => true,
|
|
],
|
|
'assignments' => [],
|
|
'scope_tags' => [],
|
|
]);
|
|
|
|
$finding = Finding::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'finding_type' => Finding::FINDING_TYPE_DRIFT,
|
|
'source' => 'baseline.compare',
|
|
'subject_type' => 'policy',
|
|
'subject_external_id' => 'policy-missing-uuid',
|
|
'evidence_fidelity' => 'mixed',
|
|
'evidence_jsonb' => [
|
|
'change_type' => 'missing_policy',
|
|
'policy_type' => 'deviceCompliancePolicy',
|
|
'subject_key' => 'bitlocker require',
|
|
'summary' => [
|
|
'kind' => 'policy_snapshot',
|
|
],
|
|
'baseline' => [
|
|
'policy_version_id' => (int) $baselineVersion->getKey(),
|
|
],
|
|
'current' => [
|
|
'policy_version_id' => null,
|
|
],
|
|
'fidelity' => 'mixed',
|
|
'provenance' => [
|
|
'baseline_profile_id' => 1,
|
|
'baseline_snapshot_id' => 1,
|
|
'compare_operation_run_id' => 1,
|
|
'inventory_sync_run_id' => null,
|
|
],
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get(route('filament.tenant.resources.findings.view', array_merge(
|
|
filamentTenantRouteParams($tenant),
|
|
['record' => $finding],
|
|
)))
|
|
->assertOk()
|
|
->assertDontSee('Diff unavailable')
|
|
->assertSee('1 removed')
|
|
->assertSee('Password required');
|
|
});
|