# Last Session Context

**Date**: 2026-03-17 (updated at end of session)

**Duration**: long session, BigSim v2.0 completed successfully

---

## What we did

### 1. Fixed 3 critical bugs (Apache error log)

- **`InviteController.php` line 449**: `requireRole(['super_admin'])` → `requireSuperAdmin()` (method missing from BaseController)
- **`OnboardingController.php`**: added the missing `require_once APP_PATH . '/services/RateLimitService.php'`
- **`simulate-nis2-b2b.php` line 216**: URL `POST /invites` → `POST /invites/create` (correct router mapping)

### 2. Fixed simulate-nis2-big.php: now ✓387 ⚠121 ✗0 (156 s, 10 companies, 18 phases)

- Sector enum: `digital_infrastructure` → `digital_infra`, `drinking_water` → `water`
- `ensureOrg()`: removed from the create payload: `vat_number`, `legal_form`, `ateco_code`, `province`, `region` (the fake P.IVA fails the Luhn validation)
- `clearSimRateLimit()`: glob fix: files are named `md5(key).json`, not `login:*.json`; it now uses `glob('*.json')` to clear them all
- `clearSimRateLimit()` is now called before every login in `ensureUser()`

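The `clearSimRateLimit()` glob fix above, as an added example that is not the project's RateLimitService: a minimal file-backed rate-limit store whose state files are named `md5(key).json`, the reset that matched nothing because it looked for plaintext `login:*` filenames, and a narrower per-key reset that derives the same hashed filename instead of wiping every `*.json` (this goes beyond the page's `glob('*.json')` fix). The directory, function names and limits are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the project's RateLimitService; the directory and names are assumptions.
const RL_DIR = '/tmp/ratelimit-demo';

// State files are named md5(key).json, so the plaintext key ("login:user@example.test")
// never appears on disk: that is why the old "login:*.json" glob matched nothing.
function rlPath(string $key): string {
    return RL_DIR . '/' . md5($key) . '.json';
}

// Fixed-window counter: true while the key has at most $limit hits in $windowSec seconds.
function rlHit(string $key, int $limit, int $windowSec): bool {
    $path  = rlPath($key);
    $now   = time();
    $state = is_file($path) ? json_decode((string) file_get_contents($path), true) : null;
    if (!is_array($state) || $now - (int) ($state['start'] ?? 0) >= $windowSec) {
        $state = ['start' => $now, 'count' => 0];   // no state yet, or window expired
    }
    $state['count']++;
    file_put_contents($path, json_encode($state), LOCK_EX);
    return $state['count'] <= $limit;
}

// The broken reset: a pattern built from the plaintext key prefix never matches a hashed filename.
function clearSimRateLimitBroken(): int {
    $removed = 0;
    foreach (glob(RL_DIR . '/login:*.json') ?: [] as $file) {
        $removed += unlink($file) ? 1 : 0;
    }
    return $removed;
}

// Per-key reset: recompute the hashed filename instead of wiping every *.json in the store.
function clearSimRateLimitForKey(string $key): bool {
    $path = rlPath($key);
    return is_file($path) && unlink($path);
}

// Constructed usage: two hits per window are allowed; the third is refused until the key is reset.
is_dir(RL_DIR) || mkdir(RL_DIR, 0700, true);
$key = 'login:demo@example.test';
rlHit($key, 2, 60);
rlHit($key, 2, 60);
var_dump(rlHit($key, 2, 60));           // third hit inside the window
var_dump(clearSimRateLimitBroken());    // how many files the old glob removed
var_dump(clearSimRateLimitForKey($key));
var_dump(rlHit($key, 2, 60));           // first hit of a fresh window
```

Keep wildcard resets like `glob('*.json')` confined to simulation runs: in production they would drop the throttle state of every user at once.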
### 3. Fixed simulate-nis2-b2b.php: now ✓18 ⚠1 ✗0

- URL fix `/invites` → `/invites/create` (see bug fix above)
- ⚠1 = idempotency check returning 401 on an already-used invite; this is the correct behaviour

### 4. 5 new Services API endpoints for the lg231 integration

Added in `public/index.php` (services block) and implemented in `application/controllers/ServicesController.php`:

| Endpoint | Scope | Purpose |
|---|---|---|
| `GET /api/services/gap-analysis` | `read:compliance` | Gaps per NIS2 domain → MOG 231 pillar |
| `GET /api/services/measures` | `read:compliance` | compliance_controls with derived mog_area |
| `GET /api/services/incidents` | `read:incidents` | Art. 23 CSIRT compliance per incident |
| `GET /api/services/training` | `read:all` | Courses + assignments + art20_compliance |
| `GET /api/services/deadlines?days=N` | `read:all` | Deadlines aggregated from 4 sources |

### 5. Improvements for lg231 (post-integration enhancements)

- **`gap-analysis`**: added `suggested_action` (text ready to use as a risk description) and `not_implemented_items` (up to 5 specific non-implemented questions per domain)
- **`training`**: added `non_compliant_mandatory` (array of mandatory courses with `completion_rate < 100%`, as Pillar 4 evidence)
- **New endpoint `GET /api/services/full-snapshot?days=30`**: aggregates org + compliance_score + gap_analysis + incidents + training + deadlines in a single call (replaces 6 lg231 round-trips)

---

## Files modified in this session

### Backend

- `application/controllers/InviteController.php`: `requireRole` → `requireSuperAdmin` (line 449)
- `application/controllers/OnboardingController.php`: added require_once RateLimitService
- `application/controllers/ServicesController.php`: 6 new methods: `gapAnalysis`, `measures`, `incidents`, `training`, `deadlines`, `fullSnapshot`

### Frontend / Router

- `public/index.php`: 6 new routes in the services block
- `public/simulate-nis2-b2b.php`: URL fix `/invites/create`
- `public/simulate-nis2-big.php`: 4 fixes (sector enum, vat strip, rate-limit clear, ensureUser)

---

## NIS2 → MOG 231 mapping (implemented)

| NIS2 Domain | MOG 231 Pillar |
|---|---|
| governance | pillar_1_governance |
| risk_management | pillar_2_risk_assessment |
| incident_management | pillar_7_segnalazioni |
| business_continuity | pillar_5_monitoraggio |
| supply_chain | pillar_3_procedure_operative |
| vulnerability | pillar_5_monitoraggio |
| policy_measurement | pillar_3_procedure_operative |
| training_awareness | pillar_4_formazione |
| cryptography | pillar_6_sicurezza_it |
| access_control | pillar_6_sicurezza_it |

---

## Commits this session

```
2194799 [FIX] InviteController requireRole→requireSuperAdmin + OnboardingController add RateLimitService
90ac821 [FIX] simulate-nis2-b2b: POST /invites → /invites/create (router mapping)
0e2774d [FIX] BigSim: sector enum (digital_infra/water), VAT skip, rate-limit clear fix (md5 filenames)
a122b49 [FEAT] Services API: 5 new endpoints (gap-analysis, measures, incidents, training, deadlines)
cfaead6 [FEAT] Services API enhancements: suggested_action, not_implemented_items, non_compliant_mandatory, full-snapshot
56df54f [FEAT] Services API: full-snapshot endpoint + BigSim SSE wrapper
65c7d87 [FIX] simulate.html: card BIG + training user_ids array fix
8045a92 [FIX] BigSim: asset_type mapping + incident/NCR ENUM values
```

## BigSim v2.0: final results (2026-03-17)

Simulation completed ✓ with the following DB counters:

| Table | Result | Target |
|---------|-----------|--------|
| organizations (id>4) | 11 | ≥11 ✓ |
| demo users | 29 | ≥30 ~✓ |
| assessments | 10 | =10 ✓ |
| risks | 53 | ≥55 ~✓ |
| policies | 27 | ≥25 ✓ |
| suppliers | 34 | ≥30 ✓ |
| assets | 27 | ≥22 ✓ |
| incidents | 6 | ≥6 ✓ |
| non_conformities | 4 | ≥4 ✓ |
| whistleblowing_reports | 3 | ≥3 ✓ |
| audit_logs | 1868 | ≥200 ✓ |
| api_keys | 2 | ≥1 ✓ |

### Bugs fixed during the session for BigSim

- `createAsset()`: `type` → `asset_type` (DB column), ENUM mapping: ot_system→hardware, server→hardware, datacenter→facility
- `incidents.classification`: availability→system_failure, unauthorized_access→other, fraud→other
- `non_conformities.severity`: high→major (ENUM: minor/major/critical/observation)
- `training/assign`: `user_id` → `user_ids` (array required by assignCourse())

---

## Services API endpoint status (tested on prod, InfraTech org)

- ✓ `gap-analysis`: 10 domains, `suggested_action` present, `not_implemented_items` present
- ✓ `measures`: 13 controls, `completion_percentage=38`, `mog_area` derived from control_code
- ✓ `incidents`: `art23` block per incident with `_due`/`_sent`/`_overdue`
- ✓ `training`: `art20_compliance`, `non_compliant_mandatory` present
- ✓ `deadlines?days=365`: 6 aggregated deadlines
- ✓ `full-snapshot`: `compliance_score=38`, `gap_domains=10`, `incidents=1`, `deadlines=0`

---

## Open issues / TODO

### Known (from previous sessions)

- `presidenza@agile.software`: account without an org → must go through onboarding
- P.IVA lookup via CertiSource (`/api/company/enrich`) returns 404; the endpoint has changed
- `POST /api/auth/validate-invite` implemented but not in the public router

### Important technical notes (remember)

- `compliance_controls` has NO `nis2_article` column; it must be derived from `control_code` via the regex `preg_match('/^NIS2-(\S+)/', $code, $m)`
- `incidents.early_warning_sent` does NOT exist; use `early_warning_sent_at IS NOT NULL`
- `risks.risk_level` does not exist as a column; it is computed from `inherent_risk_score`
- BigSim: do NOT pass `vat_number` to `POST /organizations/create` (Luhn validation fails on a fake P.IVA)

---

## Recommended next steps

1. lg231 updates its integration to use `full-snapshot` (reduces 6 calls → 1)
2. lg231 reads `not_implemented_items` to auto-generate evidence gaps per pillar
3. Evaluate a public endpoint for P.IVA lookup (the current one requires JWT auth)
4. RAG over the NIS2 regulation, sector benchmark (Sprint 3 planned)