ahmido
a74ab12f04
## Summary - add the Evidence Snapshot domain with immutable tenant-scoped snapshots, per-dimension items, queued generation, audit actions, badge mappings, and Filament list/detail surfaces - add the workspace evidence overview, capability and policy wiring, Livewire update-path hardening, and review-pack integration through explicit evidence snapshot resolution - add spec 153 artifacts, migrations, factories, and focused Pest coverage for evidence, review-pack reuse, authorization, action-surface regressions, and audit behavior ## Testing - `vendor/bin/sail artisan test --compact --stop-on-failure` - `CI=1 vendor/bin/sail artisan test --compact` - `vendor/bin/sail bin pint --dirty --format agent` ## Notes - branch: `153-evidence-domain-foundation` - commit: `b7dfa279` - spec: `specs/153-evidence-domain-foundation/` Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #183
173 lines
5.2 KiB
PHP
173 lines
5.2 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Auth;
|
|
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\TenantRole;
|
|
|
|
/**
|
|
* Role to Capability Mapping (Single Source of Truth)
|
|
*
|
|
* This class defines which capabilities each role has.
|
|
* All capability strings MUST be references from the Capabilities registry.
|
|
*/
|
|
class RoleCapabilityMap
|
|
{
|
|
private static array $roleCapabilities = [
|
|
TenantRole::Owner->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_MANAGE,
|
|
Capabilities::TENANT_DELETE,
|
|
Capabilities::TENANT_SYNC,
|
|
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::TENANT_FINDINGS_TRIAGE,
|
|
Capabilities::TENANT_FINDINGS_ASSIGN,
|
|
Capabilities::TENANT_FINDINGS_RESOLVE,
|
|
Capabilities::TENANT_FINDINGS_CLOSE,
|
|
Capabilities::TENANT_FINDINGS_RISK_ACCEPT,
|
|
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
|
Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
Capabilities::TENANT_MEMBERSHIP_MANAGE,
|
|
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
Capabilities::TENANT_ROLE_MAPPING_MANAGE,
|
|
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE,
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
Capabilities::PROVIDER_MANAGE,
|
|
Capabilities::PROVIDER_MANAGE_DEDICATED,
|
|
Capabilities::PROVIDER_RUN,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
Capabilities::ENTRA_ROLES_MANAGE,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::REVIEW_PACK_MANAGE,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
Capabilities::EVIDENCE_MANAGE,
|
|
],
|
|
|
|
TenantRole::Manager->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_MANAGE,
|
|
Capabilities::TENANT_SYNC,
|
|
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::TENANT_FINDINGS_TRIAGE,
|
|
Capabilities::TENANT_FINDINGS_ASSIGN,
|
|
Capabilities::TENANT_FINDINGS_RESOLVE,
|
|
Capabilities::TENANT_FINDINGS_CLOSE,
|
|
Capabilities::TENANT_FINDINGS_RISK_ACCEPT,
|
|
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
|
Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE,
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
Capabilities::PROVIDER_MANAGE,
|
|
Capabilities::PROVIDER_RUN,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
Capabilities::ENTRA_ROLES_MANAGE,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::REVIEW_PACK_MANAGE,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
Capabilities::EVIDENCE_MANAGE,
|
|
],
|
|
|
|
TenantRole::Operator->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_SYNC,
|
|
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::TENANT_FINDINGS_TRIAGE,
|
|
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
Capabilities::PROVIDER_RUN,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
],
|
|
|
|
TenantRole::Readonly->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
],
|
|
];
|
|
|
|
/**
|
|
* Get all capabilities for a given role
|
|
*
|
|
* @return array<string>
|
|
*/
|
|
public static function getCapabilities(TenantRole|string $role): array
|
|
{
|
|
$roleValue = $role instanceof TenantRole ? $role->value : $role;
|
|
|
|
return self::$roleCapabilities[$roleValue] ?? [];
|
|
}
|
|
|
|
/**
|
|
* Get all role values that grant a given capability.
|
|
*
|
|
* @return array<string>
|
|
*/
|
|
public static function rolesWithCapability(string $capability): array
|
|
{
|
|
$roles = [];
|
|
|
|
foreach (self::$roleCapabilities as $role => $capabilities) {
|
|
if (in_array($capability, $capabilities, true)) {
|
|
$roles[] = $role;
|
|
}
|
|
}
|
|
|
|
return $roles;
|
|
}
|
|
|
|
/**
|
|
* Check if a role has a specific capability
|
|
*/
|
|
public static function hasCapability(TenantRole|string $role, string $capability): bool
|
|
{
|
|
return in_array($capability, self::getCapabilities($role), true);
|
|
}
|
|
}
|