ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
b1e1e06861
TenantAtlas/tests/Feature/Evidence/ExceptionValidityEvidenceIntegrationTest.php
ahmido b1e1e06861 feat: implement finding risk acceptance lifecycle (#184) 
## Summary
- add a first-class finding exception domain with request, approval, rejection, renewal, and revocation lifecycle support
- add tenant-scoped exception register, finding governance surfaces, and a canonical workspace approval queue in Filament
- add audit, badge, evidence, and review-pack integrations plus focused Pest coverage for workflow, authorization, and governance validity

## Validation
- vendor/bin/sail bin pint --dirty --format agent
- CI=1 vendor/bin/sail artisan test --compact
- manual integrated-browser smoke test for the request-exception happy path, tenant register visibility, and canonical queue visibility

## Notes
- Filament implementation remains on v5 with Livewire v4-compatible surfaces
- canonical queue lives in the admin panel; provider registration stays in bootstrap/providers.php
- finding exceptions stay out of global search in this rollout

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #184
2026-03-20 01:07:55 +00:00

105 lines
4.2 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Models\Finding;
use App\Models\OperationRun;
use App\Models\StoredReport;
use App\Models\User;
use App\Services\Evidence\EvidenceSnapshotService;
use App\Services\Findings\FindingExceptionService;
use App\Services\Findings\FindingRiskGovernanceResolver;
use Illuminate\Foundation\Testing\RefreshDatabase;
uses(RefreshDatabase::class);
it('counts only valid governed accepted risk in the findings summary evidence payload', function (): void {
[$requester, $tenant] = createUserWithTenant(role: 'owner');
$approver = User::factory()->create();
createUserWithTenant(tenant: $tenant, user: $approver, role: 'owner', workspaceRole: 'manager');
StoredReport::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_PERMISSION_POSTURE,
]);
StoredReport::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'report_type' => StoredReport::REPORT_TYPE_ENTRA_ADMIN_ROLES,
]);
OperationRun::factory()->forTenant($tenant)->create();
/** @var FindingExceptionService $exceptionService */
$exceptionService = app(FindingExceptionService::class);
$createApprovedException = function (Finding $finding, string $expiresAt) use ($exceptionService, $requester, $tenant, $approver): Finding {
$requested = $exceptionService->request($finding, $tenant, $requester, [
'owner_user_id' => (int) $requester->getKey(),
'request_reason' => 'Temporary exception',
'review_due_at' => now()->addDays(5)->toDateTimeString(),
'expires_at' => now()->addDays(14)->toDateTimeString(),
]);
$exceptionService->approve($requested, $approver, [
'effective_from' => now()->subDays(10)->toDateTimeString(),
'expires_at' => $expiresAt,
'approval_reason' => 'Approved with controls',
]);
return $finding;
};
$validFinding = $createApprovedException(
Finding::factory()->for($tenant)->create(['status' => Finding::STATUS_RISK_ACCEPTED]),
now()->addDays(14)->toDateTimeString(),
);
$expiredFinding = $createApprovedException(
Finding::factory()->for($tenant)->create(['status' => Finding::STATUS_RISK_ACCEPTED]),
now()->subDay()->toDateTimeString(),
);
app(FindingRiskGovernanceResolver::class)->syncExceptionState($expiredFinding->findingException()->firstOrFail());
$revokedFinding = $createApprovedException(
Finding::factory()->for($tenant)->create(['status' => Finding::STATUS_RISK_ACCEPTED]),
now()->addDays(14)->toDateTimeString(),
);
$exceptionService->revoke($revokedFinding->findingException()->firstOrFail(), $requester, [
'revocation_reason' => 'Controls removed',
]);
$missingFinding = Finding::factory()->for($tenant)->create([
'status' => Finding::STATUS_RISK_ACCEPTED,
]);
Finding::factory()->for($tenant)->create([
'status' => Finding::STATUS_REOPENED,
]);
/** @var EvidenceSnapshotService $snapshotService */
$snapshotService = app(EvidenceSnapshotService::class);
$payload = $snapshotService->buildSnapshotPayload($tenant);
$findingsItem = collect($payload['items'])->firstWhere('dimension_key', 'findings_summary');
$summary = $findingsItem['summary_payload']['risk_acceptance'] ?? null;
$entries = collect($findingsItem['summary_payload']['entries'] ?? []);
expect($summary)->toBe([
'status_marked_count' => 4,
'valid_governed_count' => 1,
'warning_count' => 3,
'expired_count' => 1,
'revoked_count' => 1,
'missing_exception_count' => 1,
]);
expect($entries->firstWhere('id', (int) $validFinding->getKey())['governance_state'] ?? null)
->toBe('valid_exception')
->and($entries->firstWhere('id', (int) $expiredFinding->getKey())['governance_state'] ?? null)->toBe('expired_exception')
->and($entries->firstWhere('id', (int) $revokedFinding->getKey())['governance_state'] ?? null)->toBe('revoked_exception')
->and($entries->firstWhere('id', (int) $missingFinding->getKey())['governance_state'] ?? null)->toBe('risk_accepted_without_valid_exception');
});
Reference in New Issue View Git Blame Copy Permalink