ahmido
ce0615a9c1
## Summary - move the Laravel application into `apps/platform` and keep the repository root for orchestration, docs, and tooling - update the local command model, Sail/Docker wiring, runtime paths, and ignore rules around the new platform location - add relocation quickstart/contracts plus focused smoke coverage for bootstrap, command model, routes, and runtime behavior ## Validation - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/PlatformRelocation` - integrated browser smoke validated `/up`, `/`, `/admin`, `/admin/choose-workspace`, and tenant route semantics for `200`, `403`, and `404` ## Remaining Rollout Checks - validate Dokploy build context and working-directory assumptions against the new `apps/platform` layout - confirm web, queue, and scheduler processes all start from the expected working directory in staging/production - verify no legacy volume mounts or asset-publish paths still point at the old root-level `public/` or `storage/` locations Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #213
85 lines
2.8 KiB
PHP
85 lines
2.8 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Hardening;
|
|
|
|
use App\Contracts\Hardening\WriteGateInterface;
|
|
use App\Exceptions\Hardening\ProviderAccessHardeningRequired;
|
|
use App\Models\Tenant;
|
|
use Illuminate\Support\Facades\Log;
|
|
|
|
class IntuneRbacWriteGate implements WriteGateInterface
|
|
{
|
|
public function evaluate(Tenant $tenant, string $operationType): void
|
|
{
|
|
if (! $this->isEnabled()) {
|
|
Log::warning('Intune write gate is disabled — write operation proceeding without RBAC verification.', [
|
|
'tenant_id' => $tenant->getKey(),
|
|
'operation_type' => $operationType,
|
|
]);
|
|
|
|
return;
|
|
}
|
|
|
|
$status = $tenant->rbac_status;
|
|
|
|
if ($status === null || $status === 'not_configured') {
|
|
throw new ProviderAccessHardeningRequired(
|
|
tenantId: (int) $tenant->getKey(),
|
|
operationType: $operationType,
|
|
reasonCode: 'intune_rbac.not_configured',
|
|
reasonMessage: 'Intune RBAC is not configured for this tenant. Configure RBAC before performing write operations.',
|
|
);
|
|
}
|
|
|
|
if (in_array($status, ['degraded', 'failed', 'error', 'missing', 'partial'], true)) {
|
|
throw new ProviderAccessHardeningRequired(
|
|
tenantId: (int) $tenant->getKey(),
|
|
operationType: $operationType,
|
|
reasonCode: 'intune_rbac.unhealthy',
|
|
reasonMessage: sprintf(
|
|
'Intune RBAC status is "%s". Resolve RBAC issues before performing write operations.',
|
|
$status,
|
|
),
|
|
);
|
|
}
|
|
|
|
if ($this->isStale($tenant)) {
|
|
throw new ProviderAccessHardeningRequired(
|
|
tenantId: (int) $tenant->getKey(),
|
|
operationType: $operationType,
|
|
reasonCode: 'intune_rbac.stale',
|
|
reasonMessage: 'Intune RBAC health check is outdated. Run a fresh health check before performing write operations.',
|
|
);
|
|
}
|
|
}
|
|
|
|
public function wouldBlock(Tenant $tenant): bool
|
|
{
|
|
try {
|
|
$this->evaluate($tenant, 'ui_check');
|
|
|
|
return false;
|
|
} catch (ProviderAccessHardeningRequired) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
private function isEnabled(): bool
|
|
{
|
|
return (bool) config('tenantpilot.hardening.intune_write_gate.enabled', true);
|
|
}
|
|
|
|
private function isStale(Tenant $tenant): bool
|
|
{
|
|
$lastCheckedAt = $tenant->rbac_last_checked_at;
|
|
|
|
if ($lastCheckedAt === null) {
|
|
return true;
|
|
}
|
|
|
|
$thresholdHours = (int) config('tenantpilot.hardening.intune_write_gate.freshness_threshold_hours', 24);
|
|
|
|
return $lastCheckedAt->diffInHours(now()) >= $thresholdHours;
|
|
}
|
|
}
|