requireOrgAccess(); $pagination = $this->getPagination(); $where = 'organization_id = ?'; $params = [$this->getCurrentOrgId()]; // Filtri opzionali if ($this->hasParam('status')) { $where .= ' AND status = ?'; $params[] = $this->getParam('status'); } if ($this->hasParam('category')) { $where .= ' AND category = ?'; $params[] = $this->getParam('category'); } $total = Database::count('risks', $where, $params); $risks = Database::fetchAll( "SELECT r.*, u.full_name as owner_name FROM risks r LEFT JOIN users u ON u.id = r.owner_user_id WHERE r.{$where} ORDER BY r.inherent_risk_score DESC LIMIT {$pagination['per_page']} OFFSET {$pagination['offset']}", $params ); $this->jsonPaginated($risks, $total, $pagination['page'], $pagination['per_page']); } /** * POST /api/risks/create */ public function create(): void { $this->requireOrgRole(['org_admin', 'compliance_manager']); $this->validateRequired(['title', 'category']); $likelihood = (int) $this->getParam('likelihood', 0); $impact = (int) $this->getParam('impact', 0); $riskId = Database::insert('risks', [ 'organization_id' => $this->getCurrentOrgId(), 'risk_code' => $this->generateCode('RSK'), 'title' => trim($this->getParam('title')), 'description' => $this->getParam('description'), 'category' => $this->getParam('category'), 'threat_source' => $this->getParam('threat_source'), 'vulnerability' => $this->getParam('vulnerability'), 'affected_assets' => $this->getParam('affected_assets') ? json_encode($this->getParam('affected_assets')) : null, 'likelihood' => $likelihood, 'impact' => $impact, 'inherent_risk_score' => $likelihood * $impact, 'treatment' => $this->getParam('treatment', 'mitigate'), 'owner_user_id' => $this->getParam('owner_user_id'), 'review_date' => $this->getParam('review_date'), 'nis2_article' => $this->getParam('nis2_article'), ]); $this->logAudit('risk_created', 'risk', $riskId); $this->jsonSuccess(['id' => $riskId], 'Rischio registrato', 201); } /** * GET /api/risks/{id} */ public function get(int $id): void { $this->requireOrgAccess(); $risk = Database::fetchOne( 'SELECT r.*, u.full_name as owner_name FROM risks r LEFT JOIN users u ON u.id = r.owner_user_id WHERE r.id = ? AND r.organization_id = ?', [$id, $this->getCurrentOrgId()] ); if (!$risk) { $this->jsonError('Rischio non trovato', 404, 'RISK_NOT_FOUND'); } // Carica trattamenti $risk['treatments'] = Database::fetchAll( 'SELECT rt.*, u.full_name as responsible_name FROM risk_treatments rt LEFT JOIN users u ON u.id = rt.responsible_user_id WHERE rt.risk_id = ? ORDER BY rt.due_date', [$id] ); $this->jsonSuccess($risk); } /** * PUT /api/risks/{id} */ public function update(int $id): void { $this->requireOrgRole(['org_admin', 'compliance_manager']); $risk = Database::fetchOne( 'SELECT * FROM risks WHERE id = ? AND organization_id = ?', [$id, $this->getCurrentOrgId()] ); if (!$risk) { $this->jsonError('Rischio non trovato', 404, 'RISK_NOT_FOUND'); } $updates = []; $allowedFields = [ 'title', 'description', 'category', 'threat_source', 'vulnerability', 'likelihood', 'impact', 'treatment', 'residual_likelihood', 'residual_impact', 'status', 'owner_user_id', 'review_date', 'nis2_article', ]; foreach ($allowedFields as $field) { if ($this->hasParam($field)) { $updates[$field] = $this->getParam($field); } } // Ricalcola score se likelihood o impact cambiano $likelihood = (int) ($updates['likelihood'] ?? $risk['likelihood']); $impact = (int) ($updates['impact'] ?? $risk['impact']); $updates['inherent_risk_score'] = $likelihood * $impact; if (isset($updates['residual_likelihood']) || isset($updates['residual_impact'])) { $resLikelihood = (int) ($updates['residual_likelihood'] ?? $risk['residual_likelihood']); $resImpact = (int) ($updates['residual_impact'] ?? $risk['residual_impact']); $updates['residual_risk_score'] = $resLikelihood * $resImpact; } if (!empty($updates)) { Database::update('risks', $updates, 'id = ?', [$id]); $this->logAudit('risk_updated', 'risk', $id, $updates); } $this->jsonSuccess($updates, 'Rischio aggiornato'); } /** * DELETE /api/risks/{id} */ public function delete(int $id): void { $this->requireOrgRole(['org_admin']); $deleted = Database::delete('risks', 'id = ? AND organization_id = ?', [$id, $this->getCurrentOrgId()]); if ($deleted === 0) { $this->jsonError('Rischio non trovato', 404, 'RISK_NOT_FOUND'); } $this->logAudit('risk_deleted', 'risk', $id); $this->jsonSuccess(null, 'Rischio eliminato'); } /** * POST /api/risks/{id}/treatments */ public function addTreatment(int $id): void { $this->requireOrgRole(['org_admin', 'compliance_manager']); $this->validateRequired(['action_description']); // Verifica che il rischio esista per l'organizzazione $risk = Database::fetchOne( 'SELECT id FROM risks WHERE id = ? AND organization_id = ?', [$id, $this->getCurrentOrgId()] ); if (!$risk) { $this->jsonError('Rischio non trovato', 404, 'RISK_NOT_FOUND'); } $treatmentId = Database::insert('risk_treatments', [ 'risk_id' => $id, 'action_description' => $this->getParam('action_description'), 'responsible_user_id' => $this->getParam('responsible_user_id'), 'due_date' => $this->getParam('due_date'), 'status' => 'planned', 'notes' => $this->getParam('notes'), ]); $this->logAudit('treatment_added', 'risk', $id, ['treatment_id' => $treatmentId]); $this->jsonSuccess(['id' => $treatmentId], 'Trattamento aggiunto', 201); } /** * PUT /api/risks/treatments/{id} */ public function updateTreatment(int $treatmentId): void { $this->requireOrgRole(['org_admin', 'compliance_manager']); $treatment = Database::fetchOne( 'SELECT rt.* FROM risk_treatments rt JOIN risks r ON r.id = rt.risk_id WHERE rt.id = ? AND r.organization_id = ?', [$treatmentId, $this->getCurrentOrgId()] ); if (!$treatment) { $this->jsonError('Trattamento non trovato', 404, 'TREATMENT_NOT_FOUND'); } $updates = []; foreach (['action_description', 'responsible_user_id', 'due_date', 'status', 'completion_date', 'notes'] as $field) { if ($this->hasParam($field)) { $updates[$field] = $this->getParam($field); } } if (!empty($updates)) { Database::update('risk_treatments', $updates, 'id = ?', [$treatmentId]); $this->logAudit('treatment_updated', 'risk_treatment', $treatmentId, $updates); } $this->jsonSuccess($updates, 'Trattamento aggiornato'); } /** * GET /api/risks/matrix */ public function getRiskMatrix(): void { $this->requireOrgAccess(); $risks = Database::fetchAll( 'SELECT id, title, category, likelihood, impact, inherent_risk_score, residual_likelihood, residual_impact, residual_risk_score, status FROM risks WHERE organization_id = ? AND status != "closed"', [$this->getCurrentOrgId()] ); $this->jsonSuccess([ 'risks' => $risks, 'summary' => [ 'total' => count($risks), 'critical' => count(array_filter($risks, fn($r) => ($r['inherent_risk_score'] ?? 0) >= 20)), 'high' => count(array_filter($risks, fn($r) => ($r['inherent_risk_score'] ?? 0) >= 12 && ($r['inherent_risk_score'] ?? 0) < 20)), 'medium' => count(array_filter($risks, fn($r) => ($r['inherent_risk_score'] ?? 0) >= 6 && ($r['inherent_risk_score'] ?? 0) < 12)), 'low' => count(array_filter($risks, fn($r) => ($r['inherent_risk_score'] ?? 0) < 6)), ], ]); } /** * POST /api/risks/ai-suggest */ public function aiSuggestRisks(): void { $this->requireOrgRole(['org_admin', 'compliance_manager']); $org = Database::fetchOne('SELECT * FROM organizations WHERE id = ?', [$this->getCurrentOrgId()]); $assets = Database::fetchAll( 'SELECT name, asset_type, criticality FROM assets WHERE organization_id = ? AND status = "active"', [$this->getCurrentOrgId()] ); try { $aiService = new AIService(); $suggestions = $aiService->suggestRisks($org, $assets); $aiService->logInteraction( $this->getCurrentOrgId(), $this->getCurrentUserId(), 'risk_suggestion', 'Risk suggestions for ' . $org['sector'], substr(json_encode($suggestions), 0, 500) ); $this->jsonSuccess($suggestions, 'Suggerimenti rischi generati'); } catch (Throwable $e) { $this->jsonError('Errore AI: ' . $e->getMessage(), 500, 'AI_ERROR'); } } }