ahmido
da18d3cb14
Dieses PR liefert den Inventory Dependencies Graph end-to-end: Abhängigkeiten (Edges) werden aus Inventory-Sync-Daten extrahiert, tenant-sicher gespeichert und in der Inventory Item Detailansicht angezeigt. Ziel: Admins können Prerequisites + Blast Radius (direct) schnell erkennen, ohne Snapshot/Restore anzufassen. ⸻ Was ist drin? Dependency Graph (Edges) • inventory_links Schema + Indizes + idempotentes Upsert (Unique Key) • Relationship Types (u.a.): • assigned_to_include, assigned_to_exclude • uses_assignment_filter • scoped_by_scope_tag • UI: Inventory Item → Dependencies Section • Direction Filter: All / Inbound / Outbound • Relationship Filter: All + spezifische Relationship Types • Missing-Badge + sicheres Tooltip (safe subset) Safety / Observability • Unknown/unsupported Shapes erzeugen keine Edges, sondern: • Warning in InventorySyncRun.error_context.warnings[] • optional info-log (ohne Secrets) • Limit-only Semantik (MVP): bis zu 50 Edges pro Richtung (max 100 bei “All”) • Blast Radius in MVP = direct only (kein depth>1 traversal) Name Resolution (lokal, ohne Entra Calls) • Resolver/DTO Layer für deterministische Labels (kein “Unknown” mehr) • Auflösung aus lokaler DB nur für Foundations, wenn vorhanden: • scope_tag → roleScopeTag • assignment_filter → assignmentFilter • aad_group bleibt bewusst external ref: “Group (external): …” (keine Graph/Entra Lookups im UI) • Zentraler FoundationTypeMap als Source-of-Truth (keine Hardcodings) ⸻ Out of Scope / Follow-up • Entra Group Name Resolution (braucht eigenes “Group Inventory” Modul + Permissions) • Foundations als Inventory Items / Coverage Tab (Scope Tags / Assignment Filters sichtbar & syncbar) → folgt als separater PR (Inventory Core/UI), damit 042 sauber “Edges-only” bleibt. ⸻ Tests / Verifikation • Targeted Pest Tests (Unit + Feature + UI smoke) für: • deterministische Edge-Erzeugung + idempotent upsert • tenant isolation (UI/Query) • warnings auf Run Record • resolver/name rendering + links (wo möglich) • pint --dirty ausgeführt ⸻ Manual QA (UI) 1. Inventory Sync Run mit include_dependencies=true starten 2. Inventory Item öffnen → Dependencies prüfen: • include/exclude + filter + scoped_by sichtbar (wenn vorhanden) • Relationship/Direction Filter funktionieren • keine “Unknown” Labels mehr, sondern deterministische Labels Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local> Reviewed-on: #50
208 lines
8.2 KiB
PHP
208 lines
8.2 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Inventory;
|
|
|
|
use App\Models\InventoryItem;
|
|
use App\Models\InventoryLink;
|
|
use App\Support\Enums\RelationshipType;
|
|
use Illuminate\Support\Arr;
|
|
use Illuminate\Support\Collection;
|
|
use Illuminate\Support\Facades\Log;
|
|
|
|
class DependencyExtractionService
|
|
{
|
|
/**
|
|
* Extracts dependencies for a given inventory item using the raw policy payload if available.
|
|
* Idempotent via unique key on inventory_links. Enforces a max of 50 outbound edges per item.
|
|
*
|
|
* @param array<string, mixed> $policyData
|
|
*/
|
|
public function extractForPolicyData(InventoryItem $item, array $policyData): array
|
|
{
|
|
$warnings = [];
|
|
$edges = collect();
|
|
|
|
$edges = $edges->merge($this->extractAssignments($item, $policyData, $warnings));
|
|
$edges = $edges->merge($this->extractScopedBy($item, $policyData));
|
|
|
|
// Prevent PostgreSQL cardinality violation on upsert by deduplicating payload rows.
|
|
$edges = $edges
|
|
->unique(fn (array $e) => implode('|', [
|
|
(string) ($e['tenant_id'] ?? ''),
|
|
(string) ($e['source_type'] ?? ''),
|
|
(string) ($e['source_id'] ?? ''),
|
|
(string) ($e['target_type'] ?? ''),
|
|
(string) ($e['target_id'] ?? ''),
|
|
(string) ($e['relationship_type'] ?? ''),
|
|
]))
|
|
->values();
|
|
|
|
// Enforce max 50 outbound edges by priority: assigned_to > scoped_by > others
|
|
$priorities = [
|
|
RelationshipType::AssignedToInclude->value => 1,
|
|
RelationshipType::AssignedToExclude->value => 2,
|
|
RelationshipType::AssignedTo->value => 3, // legacy
|
|
RelationshipType::UsesAssignmentFilter->value => 4,
|
|
RelationshipType::ScopedBy->value => 5,
|
|
RelationshipType::Targets->value => 6,
|
|
RelationshipType::DependsOn->value => 7,
|
|
];
|
|
|
|
/** @var Collection<int, array{tenant_id:int,source_type:string,source_id:string,target_type:string,target_id:?string,relationship_type:string,metadata:array}> $sorted */
|
|
$sorted = $edges->sortBy(fn ($e) => $priorities[$e['relationship_type']] ?? 99)->values();
|
|
|
|
$limited = $sorted->take(50);
|
|
|
|
$now = now();
|
|
$payload = $limited->map(function (array $e) use ($now) {
|
|
$metadata = $e['metadata'] ?? null;
|
|
if (is_array($metadata)) {
|
|
// Ensure portability across SQLite/Postgres when using upsert via query builder
|
|
$e['metadata'] = json_encode($metadata);
|
|
}
|
|
|
|
return array_merge($e, [
|
|
'created_at' => $now,
|
|
'updated_at' => $now,
|
|
]);
|
|
})->all();
|
|
|
|
if (! empty($payload)) {
|
|
InventoryLink::query()->upsert(
|
|
$payload,
|
|
['tenant_id', 'source_type', 'source_id', 'target_type', 'target_id', 'relationship_type'],
|
|
['metadata', 'updated_at']
|
|
);
|
|
}
|
|
|
|
return $warnings;
|
|
}
|
|
|
|
/**
|
|
* @param array<string, mixed> $policyData
|
|
* @return Collection<int, array<string, mixed>>
|
|
*/
|
|
private function extractAssignments(InventoryItem $item, array $policyData, array &$warnings): Collection
|
|
{
|
|
$assignments = Arr::get($policyData, 'assignments');
|
|
if (! is_array($assignments)) {
|
|
return collect();
|
|
}
|
|
|
|
$edges = [];
|
|
|
|
foreach ($assignments as $assignment) {
|
|
if (! is_array($assignment)) {
|
|
continue;
|
|
}
|
|
|
|
$policyId = (string) ($policyData['id'] ?? $item->external_id);
|
|
|
|
$target = Arr::get($assignment, 'target');
|
|
$odataType = is_array($target) ? (Arr::get($target, '@odata.type') ?? Arr::get($target, '@OData.Type')) : null;
|
|
$odataType = is_string($odataType) ? strtolower($odataType) : null;
|
|
|
|
$groupId = Arr::get($assignment, 'target.groupId') ?? Arr::get($assignment, 'groupId');
|
|
$groupId = is_string($groupId) ? trim($groupId) : null;
|
|
|
|
$filterId = Arr::get($assignment, 'deviceAndAppManagementAssignmentFilterId')
|
|
?? Arr::get($assignment, 'assignmentFilterId')
|
|
?? Arr::get($assignment, 'target.deviceAndAppManagementAssignmentFilterId');
|
|
$filterId = is_string($filterId) ? trim($filterId) : null;
|
|
|
|
$filterType = Arr::get($assignment, 'deviceAndAppManagementAssignmentFilterType')
|
|
?? Arr::get($assignment, 'assignmentFilterType')
|
|
?? Arr::get($assignment, 'target.deviceAndAppManagementAssignmentFilterType');
|
|
$filterType = is_string($filterType) ? strtolower(trim($filterType)) : null;
|
|
$filterMode = in_array($filterType, ['include', 'exclude'], true) ? $filterType : null;
|
|
|
|
if (is_string($filterId) && $filterId !== '') {
|
|
$edges[] = [
|
|
'tenant_id' => (int) $item->tenant_id,
|
|
'source_type' => 'inventory_item',
|
|
'source_id' => (string) $item->external_id,
|
|
'target_type' => 'foundation_object',
|
|
'target_id' => $filterId,
|
|
'relationship_type' => RelationshipType::UsesAssignmentFilter->value,
|
|
'metadata' => array_filter([
|
|
'last_known_name' => null,
|
|
'foundation_type' => 'assignment_filter',
|
|
'filter_mode' => $filterMode,
|
|
], fn ($v) => $v !== null),
|
|
];
|
|
}
|
|
|
|
if (is_string($groupId) && $groupId !== '') {
|
|
$relationshipType = RelationshipType::AssignedToInclude->value;
|
|
if (is_string($odataType) && str_contains($odataType, 'exclusion')) {
|
|
$relationshipType = RelationshipType::AssignedToExclude->value;
|
|
}
|
|
$edges[] = [
|
|
'tenant_id' => (int) $item->tenant_id,
|
|
'source_type' => 'inventory_item',
|
|
'source_id' => (string) $item->external_id,
|
|
'target_type' => 'foundation_object',
|
|
'target_id' => $groupId,
|
|
'relationship_type' => $relationshipType,
|
|
'metadata' => [
|
|
'last_known_name' => null,
|
|
'foundation_type' => 'aad_group',
|
|
],
|
|
];
|
|
|
|
continue;
|
|
}
|
|
|
|
// Known non-group targets (e.g. allDevices/allLicensedUsers) are out-of-scope for edges.
|
|
if (is_string($odataType) && (str_contains($odataType, 'alldevices') || str_contains($odataType, 'alllicensedusers') || str_contains($odataType, 'allusers'))) {
|
|
continue;
|
|
}
|
|
|
|
$warning = [
|
|
'type' => 'unsupported_reference',
|
|
'policy_id' => $policyId,
|
|
'raw_ref' => $assignment,
|
|
'reason' => 'unsupported_assignment_target_shape',
|
|
];
|
|
|
|
$warnings[] = $warning;
|
|
Log::info('Unsupported reference shape encountered', $warning);
|
|
}
|
|
|
|
return collect($edges);
|
|
}
|
|
|
|
/**
|
|
* @param array<string, mixed> $policyData
|
|
* @return Collection<int, array<string, mixed>>
|
|
*/
|
|
private function extractScopedBy(InventoryItem $item, array $policyData): Collection
|
|
{
|
|
$scopeTags = Arr::get($policyData, 'roleScopeTagIds');
|
|
if (! is_array($scopeTags)) {
|
|
return collect();
|
|
}
|
|
|
|
$edges = [];
|
|
|
|
foreach ($scopeTags as $tagId) {
|
|
if (is_string($tagId) && $tagId !== '') {
|
|
$edges[] = [
|
|
'tenant_id' => (int) $item->tenant_id,
|
|
'source_type' => 'inventory_item',
|
|
'source_id' => (string) $item->external_id,
|
|
'target_type' => 'foundation_object',
|
|
'target_id' => $tagId,
|
|
'relationship_type' => RelationshipType::ScopedBy->value,
|
|
'metadata' => [
|
|
'last_known_name' => null,
|
|
'foundation_type' => 'scope_tag',
|
|
],
|
|
];
|
|
}
|
|
}
|
|
|
|
return collect($edges);
|
|
}
|
|
}
|