609 lines
22 KiB
PHP
609 lines
22 KiB
PHP
<?php
|
|
|
|
use App\Jobs\CompareBaselineToTenantJob;
|
|
use App\Models\BaselineProfile;
|
|
use App\Models\BaselineSnapshot;
|
|
use App\Models\BaselineSnapshotItem;
|
|
use App\Models\Finding;
|
|
use App\Models\InventoryItem;
|
|
use App\Models\Policy;
|
|
use App\Models\PolicyVersion;
|
|
use App\Services\Baselines\BaselineContentCapturePhase;
|
|
use App\Services\Baselines\BaselineSnapshotIdentity;
|
|
use App\Services\Intune\AuditLogger;
|
|
use App\Services\Intune\PolicyCaptureOrchestrator;
|
|
use App\Services\OperationRunService;
|
|
use App\Support\Baselines\BaselineCaptureMode;
|
|
use App\Support\Baselines\BaselineCompareReasonCode;
|
|
use App\Support\Baselines\BaselineSubjectKey;
|
|
use App\Support\Baselines\PolicyVersionCapturePurpose;
|
|
use App\Support\OperationRunOutcome;
|
|
use App\Support\OperationRunStatus;
|
|
use App\Support\OperationRunType;
|
|
use Carbon\CarbonImmutable;
|
|
|
|
it('records no_subjects_in_scope when the resolved subject list is empty', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'scope_jsonb' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
]);
|
|
|
|
$snapshot = BaselineSnapshot::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'captured_at' => now()->subMinute(),
|
|
]);
|
|
|
|
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
|
|
|
|
$inventorySyncRun = \App\Models\OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'type' => OperationRunType::InventorySync->value,
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
'completed_at' => now(),
|
|
'context' => [
|
|
'inventory' => [
|
|
'coverage' => [
|
|
'policy_types' => [
|
|
'deviceConfiguration' => ['status' => 'succeeded'],
|
|
],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
],
|
|
]);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$compareRun = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: OperationRunType::BaselineCompare->value,
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'effective_scope' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
(new CompareBaselineToTenantJob($compareRun))->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$compareRun->refresh();
|
|
expect(data_get($compareRun->context, 'baseline_compare.subjects_total'))->toBe(0);
|
|
expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::NoSubjectsInScope->value);
|
|
});
|
|
|
|
it('records no_drift_detected when subjects are processed but no drift findings are produced', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'scope_jsonb' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
]);
|
|
|
|
$snapshot = BaselineSnapshot::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'captured_at' => now()->subMinute(),
|
|
]);
|
|
|
|
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
|
|
|
|
$externalId = 'policy-uuid';
|
|
$displayName = 'Stable Policy';
|
|
$subjectKey = BaselineSubjectKey::fromDisplayName($displayName);
|
|
expect($subjectKey)->not->toBeNull();
|
|
|
|
$workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalId(
|
|
policyType: 'deviceConfiguration',
|
|
subjectKey: (string) $subjectKey,
|
|
);
|
|
|
|
$metaJsonb = [
|
|
'odata_type' => '#microsoft.graph.deviceConfiguration',
|
|
'etag' => 'E_STABLE',
|
|
];
|
|
|
|
$baselineHash = app(BaselineSnapshotIdentity::class)->hashItemContent(
|
|
policyType: 'deviceConfiguration',
|
|
subjectExternalId: $externalId,
|
|
metaJsonb: $metaJsonb,
|
|
);
|
|
|
|
BaselineSnapshotItem::factory()->create([
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'subject_type' => 'policy',
|
|
'subject_external_id' => $workspaceSafeExternalId,
|
|
'subject_key' => (string) $subjectKey,
|
|
'policy_type' => 'deviceConfiguration',
|
|
'baseline_hash' => $baselineHash,
|
|
'meta_jsonb' => [
|
|
'display_name' => $displayName,
|
|
'evidence' => [
|
|
'fidelity' => 'meta',
|
|
'source' => 'inventory',
|
|
'observed_at' => now()->toIso8601String(),
|
|
],
|
|
],
|
|
]);
|
|
|
|
$inventorySyncRun = \App\Models\OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'type' => OperationRunType::InventorySync->value,
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
'completed_at' => now(),
|
|
'context' => [
|
|
'inventory' => [
|
|
'coverage' => [
|
|
'policy_types' => [
|
|
'deviceConfiguration' => ['status' => 'succeeded'],
|
|
],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
],
|
|
]);
|
|
|
|
InventoryItem::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'external_id' => $externalId,
|
|
'policy_type' => 'deviceConfiguration',
|
|
'display_name' => $displayName,
|
|
'meta_jsonb' => $metaJsonb,
|
|
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
|
|
'last_seen_at' => now(),
|
|
]);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$compareRun = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: OperationRunType::BaselineCompare->value,
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'effective_scope' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
(new CompareBaselineToTenantJob($compareRun))->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$compareRun->refresh();
|
|
|
|
expect(data_get($compareRun->context, 'baseline_compare.subjects_total'))->toBe(1);
|
|
expect(data_get($compareRun->context, 'result.findings_total'))->toBe(0);
|
|
expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::NoDriftDetected->value);
|
|
});
|
|
|
|
it('records no_drift_detected and unchanged RBAC summary counts when intune role definitions match baseline', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'scope_jsonb' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => ['intuneRoleDefinition'],
|
|
],
|
|
]);
|
|
|
|
$snapshotCapturedAt = CarbonImmutable::parse('2026-03-08T12:00:00Z');
|
|
$snapshot = BaselineSnapshot::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'captured_at' => $snapshotCapturedAt,
|
|
]);
|
|
|
|
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
|
|
|
|
$policy = Policy::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'external_id' => 'rbac-role-stable',
|
|
'policy_type' => 'intuneRoleDefinition',
|
|
'platform' => 'all',
|
|
'display_name' => 'Stable RBAC Role',
|
|
]);
|
|
|
|
$baselineVersion = PolicyVersion::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'policy_id' => (int) $policy->getKey(),
|
|
'policy_type' => 'intuneRoleDefinition',
|
|
'platform' => 'all',
|
|
'version_number' => 1,
|
|
'captured_at' => $snapshotCapturedAt,
|
|
'snapshot' => [
|
|
'displayName' => 'Stable RBAC Role',
|
|
'description' => 'Stable role',
|
|
'isBuiltIn' => false,
|
|
'rolePermissions' => [
|
|
[
|
|
'resourceActions' => [
|
|
[
|
|
'allowedResourceActions' => ['Microsoft.Intune/deviceConfigurations/read'],
|
|
],
|
|
],
|
|
],
|
|
],
|
|
'roleScopeTagIds' => ['0'],
|
|
],
|
|
'assignments' => [],
|
|
'scope_tags' => [],
|
|
]);
|
|
|
|
$currentVersion = PolicyVersion::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'policy_id' => (int) $policy->getKey(),
|
|
'policy_type' => 'intuneRoleDefinition',
|
|
'platform' => 'all',
|
|
'version_number' => 2,
|
|
'captured_at' => $snapshotCapturedAt->addMinutes(5),
|
|
'snapshot' => $baselineVersion->snapshot,
|
|
'assignments' => [],
|
|
'scope_tags' => [],
|
|
]);
|
|
|
|
$subjectKey = BaselineSubjectKey::forPolicy('intuneRoleDefinition', 'Stable RBAC Role', 'rbac-role-stable');
|
|
$workspaceSafeExternalId = BaselineSubjectKey::workspaceSafeSubjectExternalIdForPolicy(
|
|
'intuneRoleDefinition',
|
|
'Stable RBAC Role',
|
|
'rbac-role-stable',
|
|
);
|
|
|
|
expect($subjectKey)->not->toBeNull();
|
|
expect($workspaceSafeExternalId)->not->toBeNull();
|
|
|
|
$baselineHash = app(\App\Services\Baselines\Evidence\ContentEvidenceProvider::class)->fromPolicyVersion(
|
|
version: $baselineVersion,
|
|
subjectExternalId: (string) $workspaceSafeExternalId,
|
|
)->hash;
|
|
|
|
BaselineSnapshotItem::factory()->create([
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'subject_type' => 'policy',
|
|
'subject_external_id' => (string) $workspaceSafeExternalId,
|
|
'subject_key' => (string) $subjectKey,
|
|
'policy_type' => 'intuneRoleDefinition',
|
|
'baseline_hash' => $baselineHash,
|
|
'meta_jsonb' => [
|
|
'display_name' => 'Stable RBAC Role',
|
|
'evidence' => [
|
|
'fidelity' => 'content',
|
|
'source' => 'policy_version',
|
|
'observed_at' => $baselineVersion->captured_at?->toIso8601String(),
|
|
],
|
|
'identity' => [
|
|
'strategy' => 'external_id',
|
|
'subject_key' => (string) $subjectKey,
|
|
'workspace_subject_external_id' => (string) $workspaceSafeExternalId,
|
|
],
|
|
'version_reference' => [
|
|
'policy_version_id' => (int) $baselineVersion->getKey(),
|
|
],
|
|
'rbac' => [
|
|
'is_built_in' => false,
|
|
'role_permission_count' => 1,
|
|
],
|
|
],
|
|
]);
|
|
|
|
$inventorySyncRun = \App\Models\OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'type' => OperationRunType::InventorySync->value,
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
'completed_at' => now(),
|
|
'context' => [
|
|
'inventory' => [
|
|
'coverage' => [
|
|
'policy_types' => [
|
|
'deviceConfiguration' => ['status' => 'succeeded'],
|
|
],
|
|
'foundation_types' => [
|
|
'intuneRoleDefinition' => ['status' => 'succeeded'],
|
|
],
|
|
],
|
|
],
|
|
],
|
|
]);
|
|
|
|
InventoryItem::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'external_id' => 'rbac-role-stable',
|
|
'policy_type' => 'intuneRoleDefinition',
|
|
'display_name' => 'Stable RBAC Role',
|
|
'category' => 'RBAC',
|
|
'platform' => 'all',
|
|
'meta_jsonb' => [
|
|
'odata_type' => '#microsoft.graph.deviceAndAppManagementRoleDefinition',
|
|
'is_built_in' => false,
|
|
'role_permission_count' => 1,
|
|
],
|
|
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
|
|
'last_seen_at' => now(),
|
|
]);
|
|
|
|
expect($currentVersion->getKey())->toBeGreaterThan(0);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$compareRun = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: OperationRunType::BaselineCompare->value,
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'effective_scope' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => ['intuneRoleDefinition'],
|
|
],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
(new CompareBaselineToTenantJob($compareRun))->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$compareRun->refresh();
|
|
|
|
expect(data_get($compareRun->context, 'baseline_compare.subjects_total'))->toBe(1);
|
|
expect(data_get($compareRun->context, 'result.findings_total'))->toBe(0);
|
|
expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::NoDriftDetected->value);
|
|
expect(data_get($compareRun->context, 'baseline_compare.rbac_role_definitions'))->toBe([
|
|
'total_compared' => 1,
|
|
'unchanged' => 1,
|
|
'modified' => 0,
|
|
'missing' => 0,
|
|
'unexpected' => 0,
|
|
]);
|
|
});
|
|
|
|
it('records no_drift_detected when full-content compare reuses an older identical version', function (): void {
|
|
config()->set('tenantpilot.baselines.full_content_capture.enabled', true);
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'capture_mode' => BaselineCaptureMode::FullContent->value,
|
|
'scope_jsonb' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
]);
|
|
|
|
$snapshotCapturedAt = CarbonImmutable::parse('2026-03-06 00:41:38');
|
|
|
|
$snapshot = BaselineSnapshot::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'captured_at' => $snapshotCapturedAt,
|
|
]);
|
|
|
|
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
|
|
|
|
$policy = Policy::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'policy_type' => 'deviceConfiguration',
|
|
'external_id' => 'stable-policy',
|
|
'platform' => 'windows',
|
|
'display_name' => 'Stable Policy',
|
|
]);
|
|
|
|
$snapshotPayload = [
|
|
'settings' => [
|
|
['displayName' => 'SettingStable', 'value' => 1],
|
|
],
|
|
];
|
|
|
|
$baselineHash = expectedPolicyVersionContentHash(
|
|
snapshot: $snapshotPayload,
|
|
policyType: 'deviceConfiguration',
|
|
platform: 'windows',
|
|
);
|
|
|
|
$subjectKey = BaselineSubjectKey::fromDisplayName((string) $policy->display_name);
|
|
expect($subjectKey)->not->toBeNull();
|
|
|
|
BaselineSnapshotItem::factory()->create([
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'subject_type' => 'policy',
|
|
'subject_external_id' => BaselineSubjectKey::workspaceSafeSubjectExternalId(
|
|
policyType: (string) $policy->policy_type,
|
|
subjectKey: (string) $subjectKey,
|
|
),
|
|
'subject_key' => (string) $subjectKey,
|
|
'policy_type' => (string) $policy->policy_type,
|
|
'baseline_hash' => $baselineHash,
|
|
'meta_jsonb' => [
|
|
'display_name' => (string) $policy->display_name,
|
|
'evidence' => [
|
|
'fidelity' => 'content',
|
|
'source' => 'policy_version',
|
|
'observed_at' => $snapshotCapturedAt->subMinutes(10)->toIso8601String(),
|
|
'observed_operation_run_id' => null,
|
|
],
|
|
],
|
|
]);
|
|
|
|
$inventorySyncRun = createInventorySyncOperationRunWithCoverage(
|
|
tenant: $tenant,
|
|
statusByType: ['deviceConfiguration' => 'succeeded'],
|
|
attributes: [
|
|
'completed_at' => $snapshotCapturedAt->addSeconds(5),
|
|
],
|
|
);
|
|
|
|
InventoryItem::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'external_id' => (string) $policy->external_id,
|
|
'policy_type' => (string) $policy->policy_type,
|
|
'display_name' => (string) $policy->display_name,
|
|
'meta_jsonb' => [
|
|
'odata_type' => '#microsoft.graph.deviceConfiguration',
|
|
'etag' => 'W/"stable"',
|
|
'scope_tag_ids' => [],
|
|
'assignment_target_count' => 1,
|
|
],
|
|
'last_seen_operation_run_id' => (int) $inventorySyncRun->getKey(),
|
|
'last_seen_at' => $snapshotCapturedAt->addSeconds(5),
|
|
]);
|
|
|
|
$existingVersion = PolicyVersion::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'policy_id' => (int) $policy->getKey(),
|
|
'policy_type' => (string) $policy->policy_type,
|
|
'platform' => (string) $policy->platform,
|
|
'captured_at' => $snapshotCapturedAt->subMinutes(10),
|
|
'snapshot' => $snapshotPayload,
|
|
'assignments' => [],
|
|
'scope_tags' => [],
|
|
'capture_purpose' => PolicyVersionCapturePurpose::BaselineCompare,
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
]);
|
|
|
|
$fakeOrchestrator = new class($existingVersion) extends PolicyCaptureOrchestrator
|
|
{
|
|
public function __construct(
|
|
private readonly PolicyVersion $existingVersion,
|
|
) {}
|
|
|
|
public function capture(
|
|
Policy $policy,
|
|
\App\Models\Tenant $tenant,
|
|
bool $includeAssignments = false,
|
|
bool $includeScopeTags = false,
|
|
?string $createdBy = null,
|
|
array $metadata = [],
|
|
PolicyVersionCapturePurpose $capturePurpose = PolicyVersionCapturePurpose::Backup,
|
|
?int $operationRunId = null,
|
|
?int $baselineProfileId = null,
|
|
): array {
|
|
return [
|
|
'version' => $this->existingVersion->fresh(),
|
|
'captured' => [
|
|
'payload' => $this->existingVersion->snapshot,
|
|
'assignments' => $this->existingVersion->assignments,
|
|
'scope_tags' => $this->existingVersion->scope_tags,
|
|
],
|
|
];
|
|
}
|
|
};
|
|
|
|
$contentCapturePhase = new BaselineContentCapturePhase($fakeOrchestrator);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$compareRun = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: OperationRunType::BaselineCompare->value,
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'effective_scope' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
(new CompareBaselineToTenantJob($compareRun))->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
contentCapturePhase: $contentCapturePhase,
|
|
);
|
|
|
|
$compareRun->refresh();
|
|
|
|
expect($compareRun->outcome)->toBe(OperationRunOutcome::Succeeded->value);
|
|
expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::NoDriftDetected->value);
|
|
expect(data_get($compareRun->context, 'baseline_compare.coverage.resolved_content'))->toBe(1);
|
|
expect(data_get($compareRun->context, 'baseline_compare.evidence_gaps.count'))->toBe(0);
|
|
expect(
|
|
Finding::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('source', 'baseline.compare')
|
|
->count(),
|
|
)->toBe(0);
|
|
});
|
|
|
|
it('records coverage_unproven when findings are suppressed due to missing coverage proof', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'scope_jsonb' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
]);
|
|
|
|
$snapshot = BaselineSnapshot::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'captured_at' => now()->subMinute(),
|
|
]);
|
|
|
|
$profile->update(['active_snapshot_id' => (int) $snapshot->getKey()]);
|
|
|
|
$opService = app(OperationRunService::class);
|
|
$compareRun = $opService->ensureRunWithIdentity(
|
|
tenant: $tenant,
|
|
type: OperationRunType::BaselineCompare->value,
|
|
identityInputs: ['baseline_profile_id' => (int) $profile->getKey()],
|
|
context: [
|
|
'baseline_profile_id' => (int) $profile->getKey(),
|
|
'baseline_snapshot_id' => (int) $snapshot->getKey(),
|
|
'effective_scope' => [
|
|
'policy_types' => ['deviceConfiguration'],
|
|
'foundation_types' => [],
|
|
],
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
(new CompareBaselineToTenantJob($compareRun))->handle(
|
|
app(BaselineSnapshotIdentity::class),
|
|
app(AuditLogger::class),
|
|
$opService,
|
|
);
|
|
|
|
$compareRun->refresh();
|
|
expect($compareRun->outcome)->toBe(OperationRunOutcome::PartiallySucceeded->value);
|
|
expect(data_get($compareRun->context, 'baseline_compare.reason_code'))->toBe(BaselineCompareReasonCode::CoverageUnproven->value);
|
|
});
|