ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
e21643c46b
TenantAtlas/app/Services/Intune/BackupService.php
Ahmed Darrazi 2269904857 feat: move assignment options to capture actions
2025-12-22 21:36:04 +01:00

317 lines
10 KiB
PHP
Raw Blame History

<?php
namespace App\Services\Intune;
use App\Models\BackupItem;
use App\Models\BackupSet;
use App\Models\Policy;
use App\Models\Tenant;
use App\Services\AssignmentBackupService;
use Carbon\CarbonImmutable;
use Illuminate\Support\Facades\DB;
class BackupService
{
public function __construct(
private readonly AuditLogger $auditLogger,
private readonly VersionService $versionService,
private readonly SnapshotValidator $snapshotValidator,
private readonly PolicySnapshotService $snapshotService,
private readonly AssignmentBackupService $assignmentBackupService,
private readonly PolicyCaptureOrchestrator $captureOrchestrator,
) {}
/**
* Create a backup set with immutable snapshots for the provided policies.
*
* @param array<int> $policyIds
*/
public function createBackupSet(
Tenant $tenant,
array $policyIds,
?string $actorEmail = null,
?string $actorName = null,
?string $name = null,
bool $includeAssignments = false,
bool $includeScopeTags = false,
): BackupSet {
$this->assertActiveTenant($tenant);
$policies = Policy::query()
->where('tenant_id', $tenant->id)
->whereIn('id', $policyIds)
->get();
$backupSet = DB::transaction(function () use ($tenant, $policies, $actorEmail, $name, $includeAssignments, $includeScopeTags) {
$backupSet = BackupSet::create([
'tenant_id' => $tenant->id,
'name' => $name ?? CarbonImmutable::now()->format('Y-m-d H:i:s').' backup',
'created_by' => $actorEmail,
'status' => 'running',
'metadata' => [],
]);
$failures = [];
$itemsCreated = 0;
foreach ($policies as $policy) {
[$item, $failure] = $this->snapshotPolicy(
$tenant,
$backupSet,
$policy,
$actorEmail,
$includeAssignments,
$includeScopeTags
);
if ($failure !== null) {
$failures[] = $failure;
continue;
}
if ($item !== null) {
$itemsCreated++;
}
}
$status = $this->resolveStatus($itemsCreated, $failures);
$backupSet->update([
'status' => $status,
'item_count' => $itemsCreated,
'completed_at' => CarbonImmutable::now(),
'metadata' => ['failures' => $failures],
]);
return $backupSet->refresh();
});
$this->auditLogger->log(
tenant: $tenant,
action: 'backup.created',
context: [
'metadata' => [
'backup_set_id' => $backupSet->id,
'item_count' => $backupSet->item_count,
'status' => $backupSet->status,
],
],
actorEmail: $actorEmail,
actorName: $actorName,
resourceType: 'backup_set',
resourceId: (string) $backupSet->id,
status: $backupSet->status === 'completed' ? 'success' : 'partial'
);
// Log if assignments were included
if ($includeAssignments) {
$items = $backupSet->items;
$assignmentCount = $items->sum(function ($item) {
return $item->metadata['assignment_count'] ?? 0;
});
$this->auditLogger->log(
tenant: $tenant,
action: 'backup.assignments.included',
context: [
'metadata' => [
'backup_set_id' => $backupSet->id,
'policy_count' => $backupSet->item_count,
'assignment_count' => $assignmentCount,
],
],
actorEmail: $actorEmail,
actorName: $actorName,
resourceType: 'backup_set',
resourceId: (string) $backupSet->id,
status: 'success'
);
}
return $backupSet;
}
/**
* Add snapshots for additional policies to an existing backup set.
*
* @param array<int> $policyIds
*/
public function addPoliciesToSet(
Tenant $tenant,
BackupSet $backupSet,
array $policyIds,
?string $actorEmail = null,
?string $actorName = null,
bool $includeAssignments = false,
bool $includeScopeTags = false,
): BackupSet {
$this->assertActiveTenant($tenant);
if ($backupSet->trashed() || $backupSet->tenant_id !== $tenant->id) {
throw new \RuntimeException('Backup set is archived or does not belong to the current tenant.');
}
$existingPolicyIds = $backupSet->items()->withTrashed()->pluck('policy_id')->filter()->all();
// Separate into truly new policies and soft-deleted ones to restore
$softDeletedItems = $backupSet->items()->onlyTrashed()->whereIn('policy_id', $policyIds)->get();
$softDeletedPolicyIds = $softDeletedItems->pluck('policy_id')->all();
// Restore soft-deleted items
foreach ($softDeletedItems as $item) {
$item->restore();
}
// Only create new items for policies that don't exist at all
$policyIds = array_values(array_diff($policyIds, $existingPolicyIds));
if (empty($policyIds) && $softDeletedItems->isEmpty()) {
return $backupSet->refresh();
}
$policies = Policy::query()
->where('tenant_id', $tenant->id)
->whereIn('id', $policyIds)
->get();
$metadata = $backupSet->metadata ?? [];
$failures = $metadata['failures'] ?? [];
$itemsCreated = 0;
foreach ($policies as $policy) {
[$item, $failure] = $this->snapshotPolicy(
$tenant,
$backupSet,
$policy,
$actorEmail,
$includeAssignments,
$includeScopeTags
);
if ($failure !== null) {
$failures[] = $failure;
continue;
}
if ($item !== null) {
$itemsCreated++;
}
}
$status = $this->resolveStatus($itemsCreated, $failures);
$backupSet->update([
'status' => $status,
'item_count' => $backupSet->items()->count(),
'completed_at' => CarbonImmutable::now(),
'metadata' => ['failures' => $failures],
]);
$this->auditLogger->log(
tenant: $tenant,
action: 'backup.items_added',
context: [
'metadata' => [
'backup_set_id' => $backupSet->id,
'added_count' => $itemsCreated,
'restored_count' => $softDeletedItems->count(),
'status' => $status,
],
],
actorEmail: $actorEmail,
actorName: $actorName,
resourceType: 'backup_set',
resourceId: (string) $backupSet->id,
status: $status === 'completed' ? 'success' : 'partial'
);
return $backupSet->refresh();
}
private function resolveStatus(int $itemsCreated, array $failures): string
{
return match (true) {
$itemsCreated === 0 && count($failures) > 0 => 'failed',
count($failures) > 0 => 'partial',
default => 'completed',
};
}
/**
* @return array{0:?BackupItem,1:?array{policy_id:int,reason:string,status:int|string|null}}
*/
private function snapshotPolicy(
Tenant $tenant,
BackupSet $backupSet,
Policy $policy,
?string $actorEmail = null,
bool $includeAssignments = false,
bool $includeScopeTags = false
): array {
// Use orchestrator to capture policy + assignments into PolicyVersion first
$captureResult = $this->captureOrchestrator->capture(
policy: $policy,
tenant: $tenant,
includeAssignments: $includeAssignments,
includeScopeTags: $includeScopeTags,
createdBy: $actorEmail,
metadata: [
'source' => 'backup',
'backup_set_id' => $backupSet->id,
]
);
// Check for capture failure
if (isset($captureResult['failure'])) {
return [null, $captureResult['failure']];
}
$version = $captureResult['version'];
$captured = $captureResult['captured'];
$payload = $captured['payload'];
$metadata = $captured['metadata'] ?? [];
$metadataWarnings = $captured['warnings'] ?? [];
// Validate snapshot
$validation = $this->snapshotValidator->validate(is_array($payload) ? $payload : []);
$metadataWarnings = array_merge($metadataWarnings, $validation['warnings']);
$odataWarning = BackupItem::odataTypeWarning(is_array($payload) ? $payload : [], $policy->policy_type, $policy->platform);
if ($odataWarning) {
$metadataWarnings[] = $odataWarning;
}
if (! empty($metadataWarnings)) {
$metadata['warnings'] = array_values(array_unique($metadataWarnings));
}
// Create BackupItem as a copy/reference of the PolicyVersion
$backupItem = BackupItem::create([
'tenant_id' => $tenant->id,
'backup_set_id' => $backupSet->id,
'policy_id' => $policy->id,
'policy_version_id' => $version->id, // Link to version
'policy_identifier' => $policy->external_id,
'policy_type' => $policy->policy_type,
'platform' => $policy->platform,
'payload' => $payload,
'metadata' => $metadata,
// Copy assignments from version (already captured)
// Note: scope_tags are only stored in PolicyVersion
'assignments' => $captured['assignments'] ?? null,
]);
return [$backupItem, null];
}
private function assertActiveTenant(Tenant $tenant): void
{
if (! $tenant->isActive()) {
throw new \RuntimeException('Tenant is archived or inactive.');
}
}
}
Reference in New Issue View Git Blame Copy Permalink