ahmido
b1e1e06861
## Summary - add a first-class finding exception domain with request, approval, rejection, renewal, and revocation lifecycle support - add tenant-scoped exception register, finding governance surfaces, and a canonical workspace approval queue in Filament - add audit, badge, evidence, and review-pack integrations plus focused Pest coverage for workflow, authorization, and governance validity ## Validation - vendor/bin/sail bin pint --dirty --format agent - CI=1 vendor/bin/sail artisan test --compact - manual integrated-browser smoke test for the request-exception happy path, tenant register visibility, and canonical queue visibility ## Notes - Filament implementation remains on v5 with Livewire v4-compatible surfaces - canonical queue lives in the admin panel; provider registration stays in bootstrap/providers.php - finding exceptions stay out of global search in this rollout Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #184
179 lines
5.5 KiB
PHP
179 lines
5.5 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Auth;
|
|
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\TenantRole;
|
|
|
|
/**
|
|
* Role to Capability Mapping (Single Source of Truth)
|
|
*
|
|
* This class defines which capabilities each role has.
|
|
* All capability strings MUST be references from the Capabilities registry.
|
|
*/
|
|
class RoleCapabilityMap
|
|
{
|
|
private static array $roleCapabilities = [
|
|
TenantRole::Owner->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_MANAGE,
|
|
Capabilities::TENANT_DELETE,
|
|
Capabilities::TENANT_SYNC,
|
|
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::TENANT_FINDINGS_TRIAGE,
|
|
Capabilities::TENANT_FINDINGS_ASSIGN,
|
|
Capabilities::TENANT_FINDINGS_RESOLVE,
|
|
Capabilities::TENANT_FINDINGS_CLOSE,
|
|
Capabilities::TENANT_FINDINGS_RISK_ACCEPT,
|
|
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
|
Capabilities::FINDING_EXCEPTION_VIEW,
|
|
Capabilities::FINDING_EXCEPTION_MANAGE,
|
|
Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
Capabilities::TENANT_MEMBERSHIP_MANAGE,
|
|
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
Capabilities::TENANT_ROLE_MAPPING_MANAGE,
|
|
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE,
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
Capabilities::PROVIDER_MANAGE,
|
|
Capabilities::PROVIDER_MANAGE_DEDICATED,
|
|
Capabilities::PROVIDER_RUN,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
Capabilities::ENTRA_ROLES_MANAGE,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::REVIEW_PACK_MANAGE,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
Capabilities::EVIDENCE_MANAGE,
|
|
],
|
|
|
|
TenantRole::Manager->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_MANAGE,
|
|
Capabilities::TENANT_SYNC,
|
|
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::TENANT_FINDINGS_TRIAGE,
|
|
Capabilities::TENANT_FINDINGS_ASSIGN,
|
|
Capabilities::TENANT_FINDINGS_RESOLVE,
|
|
Capabilities::TENANT_FINDINGS_CLOSE,
|
|
Capabilities::TENANT_FINDINGS_RISK_ACCEPT,
|
|
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
|
Capabilities::FINDING_EXCEPTION_VIEW,
|
|
Capabilities::FINDING_EXCEPTION_MANAGE,
|
|
Capabilities::TENANT_VERIFICATION_ACKNOWLEDGE,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_MANAGE,
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
Capabilities::PROVIDER_MANAGE,
|
|
Capabilities::PROVIDER_RUN,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
Capabilities::ENTRA_ROLES_MANAGE,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::REVIEW_PACK_MANAGE,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
Capabilities::EVIDENCE_MANAGE,
|
|
],
|
|
|
|
TenantRole::Operator->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_SYNC,
|
|
Capabilities::TENANT_INVENTORY_SYNC_RUN,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::TENANT_FINDINGS_TRIAGE,
|
|
Capabilities::TENANT_FINDINGS_ACKNOWLEDGE,
|
|
Capabilities::FINDING_EXCEPTION_VIEW,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
|
|
Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
Capabilities::PROVIDER_RUN,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
],
|
|
|
|
TenantRole::Readonly->value => [
|
|
Capabilities::TENANT_VIEW,
|
|
Capabilities::TENANT_FINDINGS_VIEW,
|
|
Capabilities::FINDING_EXCEPTION_VIEW,
|
|
|
|
Capabilities::TENANT_MEMBERSHIP_VIEW,
|
|
Capabilities::TENANT_ROLE_MAPPING_VIEW,
|
|
|
|
Capabilities::PROVIDER_VIEW,
|
|
|
|
Capabilities::AUDIT_VIEW,
|
|
|
|
Capabilities::ENTRA_ROLES_VIEW,
|
|
|
|
Capabilities::REVIEW_PACK_VIEW,
|
|
Capabilities::EVIDENCE_VIEW,
|
|
],
|
|
];
|
|
|
|
/**
|
|
* Get all capabilities for a given role
|
|
*
|
|
* @return array<string>
|
|
*/
|
|
public static function getCapabilities(TenantRole|string $role): array
|
|
{
|
|
$roleValue = $role instanceof TenantRole ? $role->value : $role;
|
|
|
|
return self::$roleCapabilities[$roleValue] ?? [];
|
|
}
|
|
|
|
/**
|
|
* Get all role values that grant a given capability.
|
|
*
|
|
* @return array<string>
|
|
*/
|
|
public static function rolesWithCapability(string $capability): array
|
|
{
|
|
$roles = [];
|
|
|
|
foreach (self::$roleCapabilities as $role => $capabilities) {
|
|
if (in_array($capability, $capabilities, true)) {
|
|
$roles[] = $role;
|
|
}
|
|
}
|
|
|
|
return $roles;
|
|
}
|
|
|
|
/**
|
|
* Check if a role has a specific capability
|
|
*/
|
|
public static function hasCapability(TenantRole|string $role, string $capability): bool
|
|
{
|
|
return in_array($capability, self::getCapabilities($role), true);
|
|
}
|
|
}
|