Cristiano Benassati
6f4b457ce0
Services: - EmailService: CSIRT notifications (24h/72h/30d), training alerts, welcome email - RateLimitService: File-based rate limiting for auth and AI endpoints - ReportService: Executive HTML report, CSV exports (risks/incidents/controls/assets) Integrations: - AuthController: Rate limiting on login (5/min, 20/h) and register (3/10min) - IncidentController: Email notifications on CSIRT milestones - AuditController: Executive report and CSV export endpoints - Router: 429 rate limit error handling, new audit export routes Database: - Migration 002: email_log table for notification tracking Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
242 lines
9.2 KiB
PHP
242 lines
9.2 KiB
PHP
<?php
|
|
/**
|
|
* NIS2 Agile - Audit Controller
|
|
*
|
|
* Controlli compliance, evidenze, audit logs, mapping ISO 27001.
|
|
*/
|
|
|
|
require_once __DIR__ . '/BaseController.php';
|
|
require_once APP_PATH . '/services/ReportService.php';
|
|
|
|
class AuditController extends BaseController
|
|
{
|
|
public function listControls(): void
|
|
{
|
|
$this->requireOrgAccess();
|
|
|
|
$controls = Database::fetchAll(
|
|
'SELECT cc.*, u.full_name as responsible_name
|
|
FROM compliance_controls cc
|
|
LEFT JOIN users u ON u.id = cc.responsible_user_id
|
|
WHERE cc.organization_id = ?
|
|
ORDER BY cc.control_code',
|
|
[$this->getCurrentOrgId()]
|
|
);
|
|
|
|
$this->jsonSuccess($controls);
|
|
}
|
|
|
|
public function updateControl(int $id): void
|
|
{
|
|
$this->requireOrgRole(['org_admin', 'compliance_manager', 'auditor']);
|
|
|
|
$updates = [];
|
|
foreach (['status', 'implementation_percentage', 'evidence_description', 'responsible_user_id', 'next_review_date'] as $field) {
|
|
if ($this->hasParam($field)) {
|
|
$updates[$field] = $this->getParam($field);
|
|
}
|
|
}
|
|
|
|
if (isset($updates['status']) && $updates['status'] === 'verified') {
|
|
$updates['last_verified_at'] = date('Y-m-d H:i:s');
|
|
}
|
|
|
|
if (!empty($updates)) {
|
|
Database::update('compliance_controls', $updates, 'id = ? AND organization_id = ?', [$id, $this->getCurrentOrgId()]);
|
|
$this->logAudit('control_updated', 'compliance_control', $id, $updates);
|
|
}
|
|
|
|
$this->jsonSuccess($updates, 'Controllo aggiornato');
|
|
}
|
|
|
|
public function uploadEvidence(): void
|
|
{
|
|
$this->requireOrgRole(['org_admin', 'compliance_manager', 'auditor']);
|
|
|
|
if (!isset($_FILES['file'])) {
|
|
$this->jsonError('File non fornito', 400, 'NO_FILE');
|
|
}
|
|
|
|
$file = $_FILES['file'];
|
|
$maxSize = 10 * 1024 * 1024; // 10MB
|
|
|
|
if ($file['size'] > $maxSize) {
|
|
$this->jsonError('File troppo grande (max 10MB)', 400, 'FILE_TOO_LARGE');
|
|
}
|
|
|
|
$orgId = $this->getCurrentOrgId();
|
|
$uploadDir = UPLOAD_PATH . "/evidence/{$orgId}";
|
|
|
|
if (!is_dir($uploadDir)) {
|
|
mkdir($uploadDir, 0755, true);
|
|
}
|
|
|
|
$ext = pathinfo($file['name'], PATHINFO_EXTENSION);
|
|
$filename = uniqid('ev_') . '.' . $ext;
|
|
$filePath = $uploadDir . '/' . $filename;
|
|
|
|
if (!move_uploaded_file($file['tmp_name'], $filePath)) {
|
|
$this->jsonError('Errore caricamento file', 500, 'UPLOAD_ERROR');
|
|
}
|
|
|
|
$evidenceId = Database::insert('evidence_files', [
|
|
'organization_id' => $orgId,
|
|
'control_id' => $this->getParam('control_id'),
|
|
'entity_type' => $this->getParam('entity_type'),
|
|
'entity_id' => $this->getParam('entity_id'),
|
|
'file_name' => $file['name'],
|
|
'file_path' => "evidence/{$orgId}/{$filename}",
|
|
'file_size' => $file['size'],
|
|
'mime_type' => $file['type'],
|
|
'uploaded_by' => $this->getCurrentUserId(),
|
|
]);
|
|
|
|
$this->logAudit('evidence_uploaded', 'evidence', $evidenceId);
|
|
$this->jsonSuccess(['id' => $evidenceId], 'Evidenza caricata', 201);
|
|
}
|
|
|
|
public function listEvidence(): void
|
|
{
|
|
$this->requireOrgAccess();
|
|
|
|
$where = 'organization_id = ?';
|
|
$params = [$this->getCurrentOrgId()];
|
|
|
|
if ($this->hasParam('control_id')) {
|
|
$where .= ' AND control_id = ?';
|
|
$params[] = $this->getParam('control_id');
|
|
}
|
|
if ($this->hasParam('entity_type') && $this->hasParam('entity_id')) {
|
|
$where .= ' AND entity_type = ? AND entity_id = ?';
|
|
$params[] = $this->getParam('entity_type');
|
|
$params[] = $this->getParam('entity_id');
|
|
}
|
|
|
|
$evidence = Database::fetchAll(
|
|
"SELECT ef.*, u.full_name as uploaded_by_name
|
|
FROM evidence_files ef
|
|
LEFT JOIN users u ON u.id = ef.uploaded_by
|
|
WHERE ef.{$where}
|
|
ORDER BY ef.created_at DESC",
|
|
$params
|
|
);
|
|
|
|
$this->jsonSuccess($evidence);
|
|
}
|
|
|
|
public function generateReport(): void
|
|
{
|
|
$this->requireOrgAccess();
|
|
$orgId = $this->getCurrentOrgId();
|
|
|
|
$org = Database::fetchOne('SELECT * FROM organizations WHERE id = ?', [$orgId]);
|
|
$controls = Database::fetchAll('SELECT * FROM compliance_controls WHERE organization_id = ? ORDER BY control_code', [$orgId]);
|
|
$lastAssessment = Database::fetchOne('SELECT * FROM assessments WHERE organization_id = ? AND status = "completed" ORDER BY completed_at DESC LIMIT 1', [$orgId]);
|
|
$riskCount = Database::count('risks', 'organization_id = ? AND status != "closed"', [$orgId]);
|
|
$incidentCount = Database::count('incidents', 'organization_id = ?', [$orgId]);
|
|
$policyCount = Database::count('policies', 'organization_id = ? AND status IN ("approved","published")', [$orgId]);
|
|
|
|
$totalControls = count($controls);
|
|
$implemented = count(array_filter($controls, fn($c) => in_array($c['status'], ['implemented', 'verified'])));
|
|
|
|
$this->jsonSuccess([
|
|
'organization' => $org,
|
|
'report_date' => date('Y-m-d H:i:s'),
|
|
'compliance_summary' => [
|
|
'total_controls' => $totalControls,
|
|
'implemented_controls' => $implemented,
|
|
'compliance_percentage' => $totalControls > 0 ? round($implemented / $totalControls * 100) : 0,
|
|
],
|
|
'controls' => $controls,
|
|
'last_assessment' => $lastAssessment,
|
|
'risk_count' => $riskCount,
|
|
'incident_count' => $incidentCount,
|
|
'policy_count' => $policyCount,
|
|
]);
|
|
}
|
|
|
|
public function getAuditLogs(): void
|
|
{
|
|
$this->requireOrgRole(['org_admin', 'auditor']);
|
|
$pagination = $this->getPagination(50);
|
|
|
|
$total = Database::count('audit_logs', 'organization_id = ?', [$this->getCurrentOrgId()]);
|
|
|
|
$logs = Database::fetchAll(
|
|
"SELECT al.*, u.full_name
|
|
FROM audit_logs al
|
|
LEFT JOIN users u ON u.id = al.user_id
|
|
WHERE al.organization_id = ?
|
|
ORDER BY al.created_at DESC
|
|
LIMIT {$pagination['per_page']} OFFSET {$pagination['offset']}",
|
|
[$this->getCurrentOrgId()]
|
|
);
|
|
|
|
$this->jsonPaginated($logs, $total, $pagination['page'], $pagination['per_page']);
|
|
}
|
|
|
|
public function getIsoMapping(): void
|
|
{
|
|
$this->requireOrgAccess();
|
|
|
|
$mapping = [
|
|
['nis2' => '21.2.a', 'iso27001' => 'A.5.1, A.5.2, A.8.1, A.8.2', 'title' => 'Risk analysis and security policies'],
|
|
['nis2' => '21.2.b', 'iso27001' => 'A.5.24, A.5.25, A.5.26, A.6.8', 'title' => 'Incident handling'],
|
|
['nis2' => '21.2.c', 'iso27001' => 'A.5.29, A.5.30', 'title' => 'Business continuity'],
|
|
['nis2' => '21.2.d', 'iso27001' => 'A.5.19, A.5.20, A.5.21, A.5.22', 'title' => 'Supply chain security'],
|
|
['nis2' => '21.2.e', 'iso27001' => 'A.8.25, A.8.26, A.8.27, A.8.28', 'title' => 'System acquisition and development'],
|
|
['nis2' => '21.2.f', 'iso27001' => 'A.5.35, A.5.36', 'title' => 'Effectiveness assessment'],
|
|
['nis2' => '21.2.g', 'iso27001' => 'A.6.3, A.6.6', 'title' => 'Cyber hygiene and training'],
|
|
['nis2' => '21.2.h', 'iso27001' => 'A.8.24', 'title' => 'Cryptography and encryption'],
|
|
['nis2' => '21.2.i', 'iso27001' => 'A.5.15, A.5.16, A.5.17, A.5.18, A.6.1, A.6.2', 'title' => 'HR security, access control, asset management'],
|
|
['nis2' => '21.2.j', 'iso27001' => 'A.8.5', 'title' => 'Multi-factor authentication'],
|
|
];
|
|
|
|
$this->jsonSuccess($mapping);
|
|
}
|
|
|
|
/**
|
|
* GET /api/audit/executive-report
|
|
* Genera report esecutivo HTML (stampabile come PDF)
|
|
*/
|
|
public function executiveReport(): void
|
|
{
|
|
$this->requireOrgRole(['org_admin', 'compliance_manager', 'board_member']);
|
|
|
|
$reportService = new ReportService();
|
|
$html = $reportService->generateExecutiveReport($this->getCurrentOrgId());
|
|
|
|
header('Content-Type: text/html; charset=utf-8');
|
|
echo $html;
|
|
exit;
|
|
}
|
|
|
|
/**
|
|
* GET /api/audit/export/{type}
|
|
* Esporta dati in CSV
|
|
*/
|
|
public function export(int $type = 0): void
|
|
{
|
|
$this->requireOrgRole(['org_admin', 'compliance_manager', 'auditor']);
|
|
|
|
$exportType = $_GET['type'] ?? 'controls';
|
|
$orgId = $this->getCurrentOrgId();
|
|
$reportService = new ReportService();
|
|
|
|
$csv = match ($exportType) {
|
|
'risks' => $reportService->exportRisksCSV($orgId),
|
|
'incidents' => $reportService->exportIncidentsCSV($orgId),
|
|
'controls' => $reportService->exportControlsCSV($orgId),
|
|
'assets' => $reportService->exportAssetsCSV($orgId),
|
|
default => $reportService->exportControlsCSV($orgId),
|
|
};
|
|
|
|
$filename = "nis2_{$exportType}_" . date('Y-m-d') . '.csv';
|
|
|
|
header('Content-Type: text/csv; charset=utf-8');
|
|
header('Content-Disposition: attachment; filename="' . $filename . '"');
|
|
echo $csv;
|
|
exit;
|
|
}
|
|
}
|