ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
b6e376e875
TenantAtlas/app/Jobs/Alerts/EvaluateAlertsJob.php
ahmido ef380b67d1 feat(104): Provider Permission Posture (#127) 
Implements Spec 104: Provider Permission Posture.

What changed
- Generates permission posture findings after each tenant permission compare (queued)
- Stores immutable posture snapshots as StoredReports (JSONB payload)
- Adds global Finding resolved lifecycle (`resolved_at`, `resolved_reason`) with `resolve()` / `reopen()`
- Adds alert pipeline event type `permission_missing` (Alerts v1) and Filament option for Alert Rules
- Adds retention pruning command + daily schedule for StoredReports
- Adds badge mappings for `resolved` finding status and `permission_posture` finding type

UX fixes discovered during manual verification
- Hide “Diff” section for non-drift findings (only drift findings show diff)
- Required Permissions page: “Re-run verification” now links to Tenant view (not onboarding)
- Preserve Technical Details `<details>` open state across Livewire re-renders (Alpine state)

Verification
- Ran `vendor/bin/sail artisan test --compact --filter=PermissionPosture` (50 tests)
- Ran `vendor/bin/sail artisan test --compact --filter="FindingResolved|FindingBadge|PermissionMissingAlert"` (20 tests)
- Ran `vendor/bin/sail bin pint --dirty`

Filament v5 / Livewire v4 compliance
- Filament v5 + Livewire v4: no Livewire v3 usage.

Panel provider registration (Laravel 11+)
- No new panels added. Existing panel providers remain registered via `bootstrap/providers.php`.

Global search rule
- No changes to global-searchable resources.

Destructive actions
- No new destructive Filament actions were added in this PR.

Assets / deploy notes
- No new Filament assets registered. Existing deploy step `php artisan filament:assets` remains unchanged.

Test coverage
- New/updated Pest feature tests cover generator behavior, job integration, alerting, retention pruning, and resolved lifecycle.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #127
2026-02-21 22:32:52 +00:00

297 lines
9.8 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Jobs\Alerts;
use App\Models\AlertRule;
use App\Models\Finding;
use App\Models\OperationRun;
use App\Models\Workspace;
use App\Services\Alerts\AlertDispatchService;
use App\Services\OperationRunService;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use Carbon\CarbonImmutable;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Throwable;
class EvaluateAlertsJob implements ShouldQueue
{
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
public function __construct(
public int $workspaceId,
public ?int $operationRunId = null,
) {}
public function handle(AlertDispatchService $dispatchService, OperationRunService $operationRuns): void
{
$workspace = Workspace::query()->whereKey($this->workspaceId)->first();
if (! $workspace instanceof Workspace) {
return;
}
$operationRun = $this->resolveOperationRun($workspace, $operationRuns);
if (! $operationRun instanceof OperationRun) {
return;
}
if ($operationRun->status === OperationRunStatus::Completed->value) {
return;
}
$operationRuns->updateRun(
$operationRun,
status: OperationRunStatus::Running->value,
outcome: OperationRunOutcome::Pending->value,
);
$windowStart = $this->resolveWindowStart($operationRun);
try {
$events = [
...$this->highDriftEvents((int) $workspace->getKey(), $windowStart),
...$this->compareFailedEvents((int) $workspace->getKey(), $windowStart),
...$this->permissionMissingEvents((int) $workspace->getKey(), $windowStart),
];
$createdDeliveries = 0;
foreach ($events as $event) {
$createdDeliveries += $dispatchService->dispatchEvent($workspace, $event);
}
$operationRuns->updateRun(
$operationRun,
status: OperationRunStatus::Completed->value,
outcome: OperationRunOutcome::Succeeded->value,
summaryCounts: [
'total' => count($events),
'processed' => count($events),
'created' => $createdDeliveries,
],
);
} catch (Throwable $exception) {
$operationRuns->updateRun(
$operationRun,
status: OperationRunStatus::Completed->value,
outcome: OperationRunOutcome::Failed->value,
failures: [
[
'code' => 'alerts.evaluate.failed',
'message' => $this->sanitizeErrorMessage($exception),
],
],
);
throw $exception;
}
}
private function resolveOperationRun(Workspace $workspace, OperationRunService $operationRuns): ?OperationRun
{
if (is_int($this->operationRunId) && $this->operationRunId > 0) {
$operationRun = OperationRun::query()
->whereKey($this->operationRunId)
->where('workspace_id', (int) $workspace->getKey())
->where('type', 'alerts.evaluate')
->first();
if ($operationRun instanceof OperationRun) {
return $operationRun;
}
}
$slotKey = CarbonImmutable::now('UTC')->format('YmdHi').'Z';
return $operationRuns->ensureWorkspaceRunWithIdentity(
workspace: $workspace,
type: 'alerts.evaluate',
identityInputs: [
'slot_key' => $slotKey,
],
context: [
'trigger' => 'job',
'slot_key' => $slotKey,
],
initiator: null,
);
}
private function resolveWindowStart(OperationRun $operationRun): CarbonImmutable
{
$previous = OperationRun::query()
->where('workspace_id', (int) $operationRun->workspace_id)
->whereNull('tenant_id')
->where('type', 'alerts.evaluate')
->where('status', OperationRunStatus::Completed->value)
->whereNotNull('completed_at')
->where('id', '<', (int) $operationRun->getKey())
->orderByDesc('completed_at')
->orderByDesc('id')
->first();
if ($previous instanceof OperationRun && $previous->completed_at !== null) {
return CarbonImmutable::instance($previous->completed_at);
}
$lookbackMinutes = max(1, (int) config('tenantpilot.alerts.evaluate_initial_lookback_minutes', 15));
return CarbonImmutable::now('UTC')->subMinutes($lookbackMinutes);
}
/**
* @return array<int, array<string, mixed>>
*/
private function highDriftEvents(int $workspaceId, CarbonImmutable $windowStart): array
{
$findings = Finding::query()
->where('workspace_id', $workspaceId)
->where('finding_type', Finding::FINDING_TYPE_DRIFT)
->whereIn('severity', [Finding::SEVERITY_HIGH, Finding::SEVERITY_CRITICAL])
->where('status', Finding::STATUS_NEW)
->where('created_at', '>', $windowStart)
->orderBy('id')
->get();
$events = [];
foreach ($findings as $finding) {
$events[] = [
'event_type' => 'high_drift',
'tenant_id' => (int) $finding->tenant_id,
'severity' => (string) $finding->severity,
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
'title' => 'High drift finding detected',
'body' => sprintf(
'Finding %d was created with severity %s.',
(int) $finding->getKey(),
(string) $finding->severity,
),
'metadata' => [
'finding_id' => (int) $finding->getKey(),
],
];
}
return $events;
}
/**
* @return array<int, array<string, mixed>>
*/
private function compareFailedEvents(int $workspaceId, CarbonImmutable $windowStart): array
{
$failedRuns = OperationRun::query()
->where('workspace_id', $workspaceId)
->whereNotNull('tenant_id')
->where('type', 'drift_generate_findings')
->where('status', OperationRunStatus::Completed->value)
->where('outcome', OperationRunOutcome::Failed->value)
->where('created_at', '>', $windowStart)
->orderBy('id')
->get();
$events = [];
foreach ($failedRuns as $failedRun) {
$tenantId = (int) ($failedRun->tenant_id ?? 0);
if ($tenantId <= 0) {
continue;
}
$events[] = [
'event_type' => 'compare_failed',
'tenant_id' => $tenantId,
'severity' => 'high',
'fingerprint_key' => 'operation_run:'.(int) $failedRun->getKey(),
'title' => 'Drift compare failed',
'body' => $this->firstFailureMessage($failedRun),
'metadata' => [
'operation_run_id' => (int) $failedRun->getKey(),
],
];
}
return $events;
}
private function firstFailureMessage(OperationRun $run): string
{
$failures = is_array($run->failure_summary) ? $run->failure_summary : [];
foreach ($failures as $failure) {
if (! is_array($failure)) {
continue;
}
$message = trim((string) ($failure['message'] ?? ''));
if ($message !== '') {
return $message;
}
}
return 'A drift compare operation run failed.';
}
private function sanitizeErrorMessage(Throwable $exception): string
{
$message = trim($exception->getMessage());
if ($message === '') {
return 'Unexpected alert evaluation error.';
}
$message = preg_replace('/https?:\/\/\S+/i', '[redacted-url]', $message) ?? $message;
return mb_substr($message, 0, 500);
}
/**
* @return array<int, array<string, mixed>>
*/
private function permissionMissingEvents(int $workspaceId, CarbonImmutable $windowStart): array
{
$findings = Finding::query()
->where('workspace_id', $workspaceId)
->where('finding_type', Finding::FINDING_TYPE_PERMISSION_POSTURE)
->where('status', Finding::STATUS_NEW)
->where('updated_at', '>', $windowStart)
->orderBy('id')
->get();
$events = [];
foreach ($findings as $finding) {
$events[] = [
'event_type' => AlertRule::EVENT_PERMISSION_MISSING,
'tenant_id' => (int) $finding->tenant_id,
'severity' => (string) $finding->severity,
'fingerprint_key' => 'finding:'.(int) $finding->getKey(),
'title' => 'Missing permission detected',
'body' => sprintf(
'Permission "%s" is missing for tenant %d (severity: %s).',
(string) ($finding->evidence_jsonb['permission_key'] ?? $finding->subject_external_id ?? 'unknown'),
(int) $finding->tenant_id,
(string) $finding->severity,
),
'metadata' => [
'finding_id' => (int) $finding->getKey(),
'permission_key' => (string) ($finding->evidence_jsonb['permission_key'] ?? ''),
],
];
}
return $events;
}
}
Reference in New Issue View Git Blame Copy Permalink