ahmido
ef41c9193a
## Summary - add Intune RBAC Role Definition baseline scope support, capture references, compare classification, findings evidence, and landing/detail UI labels - keep Intune Role Assignments explicitly excluded from baseline compare scope, summaries, findings, and restore messaging - add focused Pest coverage for baseline scope selection, capture, compare behavior, recurrence, isolation, findings rendering, inventory anchoring, and RBAC summaries ## Verification - `vendor/bin/sail bin pint --dirty --format agent` - `vendor/bin/sail artisan test --compact tests/Unit/Inventory/InventoryPolicyTypeMetaBaselineSupportTest.php tests/Unit/Baselines/BaselinePolicyVersionResolverTest.php tests/Unit/Baselines/BaselineScopeTest.php tests/Unit/IntuneRoleDefinitionNormalizerTest.php tests/Feature/Baselines/BaselineCaptureRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareRbacRoleDefinitionsTest.php tests/Feature/Baselines/BaselineCompareDriftEvidenceContractRbacTest.php tests/Feature/Baselines/BaselineCompareCoverageGuardTest.php tests/Feature/Baselines/BaselineCompareCrossTenantMatchTest.php tests/Feature/Baselines/BaselineCompareFindingRecurrenceKeyTest.php tests/Feature/Baselines/BaselineCompareWhyNoFindingsReasonCodeTest.php tests/Feature/Filament/BaselineProfileFoundationScopeTest.php tests/Feature/Filament/BaselineSnapshotRbacRoleDefinitionsTest.php tests/Feature/Filament/BaselineCompareLandingRbacLabelsTest.php tests/Feature/Filament/FindingViewRbacEvidenceTest.php tests/Feature/Findings/FindingRecurrenceTest.php tests/Feature/Findings/DriftStaleAutoResolveTest.php tests/Feature/Inventory/InventorySyncButtonTest.php tests/Feature/Inventory/InventorySyncServiceTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php` - result: `71 passed (467 assertions)` ## Filament / Platform Notes - Livewire compliance: unchanged and compatible with Livewire v4.0+ - Provider registration: no panel/provider changes; `bootstrap/providers.php` remains the registration location - Global search: no new globally searchable resource added; existing global search behavior is unchanged - Destructive actions: no new destructive actions introduced; existing confirmed actions remain unchanged - Assets: no new Filament assets introduced; deploy asset handling remains unchanged, including `php artisan filament:assets` - Testing plan covered: baseline profile scope, snapshot detail, compare job, findings recurrence, findings detail, compare landing labels, inventory sync anchoring, and tenant isolation Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #156
116 lines
4.2 KiB
PHP
116 lines
4.2 KiB
PHP
<?php
|
|
|
|
use App\Filament\Pages\BaselineCompareLanding;
|
|
use App\Models\BaselineProfile;
|
|
use App\Models\BaselineSnapshot;
|
|
use App\Models\BaselineTenantAssignment;
|
|
use App\Models\Finding;
|
|
use App\Models\OperationRun;
|
|
use App\Support\OperationRunOutcome;
|
|
use App\Support\OperationRunStatus;
|
|
use App\Support\OperationRunType;
|
|
use Filament\Facades\Filament;
|
|
use Livewire\Livewire;
|
|
|
|
it('shows RBAC-specific baseline compare labels and assignment exclusion messaging', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'name' => 'RBAC Baseline',
|
|
'scope_jsonb' => [
|
|
'policy_types' => [],
|
|
'foundation_types' => ['intuneRoleDefinition'],
|
|
],
|
|
]);
|
|
|
|
$snapshot = BaselineSnapshot::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
]);
|
|
|
|
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
|
|
|
|
BaselineTenantAssignment::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
]);
|
|
|
|
OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'type' => OperationRunType::BaselineCompare->value,
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
'completed_at' => now(),
|
|
'context' => [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'baseline_compare' => [
|
|
'reason_code' => 'drift_detected',
|
|
'rbac_role_definitions' => [
|
|
'total_compared' => 4,
|
|
'unchanged' => 1,
|
|
'modified' => 1,
|
|
'missing' => 1,
|
|
'unexpected' => 1,
|
|
],
|
|
'coverage' => [
|
|
'effective_types' => ['intuneRoleDefinition'],
|
|
'covered_types' => ['intuneRoleDefinition'],
|
|
'uncovered_types' => [],
|
|
'proof' => true,
|
|
],
|
|
'fidelity' => 'content',
|
|
],
|
|
],
|
|
]);
|
|
|
|
Finding::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'finding_type' => Finding::FINDING_TYPE_DRIFT,
|
|
'source' => 'baseline.compare',
|
|
'scope_key' => 'baseline_profile:'.$profile->getKey(),
|
|
'severity' => Finding::SEVERITY_HIGH,
|
|
'status' => Finding::STATUS_NEW,
|
|
'subject_type' => 'policy',
|
|
'subject_external_id' => 'rbac-role-1',
|
|
'evidence_fidelity' => 'content',
|
|
'evidence_jsonb' => [
|
|
'change_type' => 'different_version',
|
|
'policy_type' => 'intuneRoleDefinition',
|
|
'subject_key' => hash('sha256', 'intuneRoleDefinition|rbac-role-1'),
|
|
'display_name' => 'Security Reader',
|
|
'summary' => [
|
|
'kind' => 'rbac_role_definition',
|
|
],
|
|
'baseline' => ['policy_version_id' => 10],
|
|
'current' => ['policy_version_id' => 11],
|
|
'rbac_role_definition' => [
|
|
'diff_kind' => 'permission_change',
|
|
],
|
|
'fidelity' => 'content',
|
|
'provenance' => [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'compare_operation_run_id' => 1,
|
|
'inventory_sync_run_id' => 1,
|
|
],
|
|
],
|
|
]);
|
|
|
|
Livewire::test(BaselineCompareLanding::class)
|
|
->assertSee('Intune RBAC Role Definitions')
|
|
->assertSee('Compared')
|
|
->assertSee('Modified')
|
|
->assertSee('Missing')
|
|
->assertSee('Unexpected')
|
|
->assertSee('Role Assignments are not included')
|
|
->assertDontSee('RBAC restore');
|
|
});
|