string('tenant')->toString(); abort_if($tenantIdentifier === '', ResponseAlias::HTTP_NOT_FOUND); $state = Str::uuid()->toString(); $request->session()->put('tenant_onboard_state', $state); $workspaceId = app(WorkspaceContext::class)->currentWorkspaceId($request); if ($workspaceId !== null) { $request->session()->put('tenant_onboard_workspace_id', (int) $workspaceId); } $tenant = $this->resolveTenant($tenantIdentifier, is_numeric($workspaceId) ? (int) $workspaceId : null); $connection = $this->upsertPlatformConnection($tenant); $url = $consentUrlFactory->make($connection, $state); $auditLogger->log( tenant: $tenant, action: 'provider_connection.consent_started', context: [ 'metadata' => [ 'source' => 'admin.consent.start', 'workspace_id' => (int) $connection->workspace_id, 'provider_connection_id' => (int) $connection->getKey(), 'provider' => (string) $connection->provider, 'entra_tenant_id' => (string) $connection->entra_tenant_id, 'connection_type' => $connection->connection_type->value, 'effective_client_id' => trim((string) config('graph.client_id')), 'state' => $state, ], ], actorId: auth()->id(), actorEmail: auth()->user()?->email, actorName: auth()->user()?->name, resourceType: 'provider_connection', resourceId: (string) $connection->getKey(), status: 'success', ); return redirect()->away($url); }

    /**
     * Find the tenant named by the admin-supplied identifier, or create one.
     *
     * The identifier is matched against both `tenant_id` and `external_id`.
     * A matching tenant that has no workspace yet is attached to `$workspaceId`
     * (when one is known) before it is returned. When nothing matches, a
     * workspace is mandatory: without one the request is rejected with 403,
     * otherwise a placeholder tenant named 'New Tenant' is created in that
     * workspace under the supplied identifier.
     *
     * NOTE(review): the lookup is not scoped to $workspaceId, so an identifier
     * that belongs to another workspace resolves as well, and an unknown
     * identifier creates a new tenant row. Confirm both are intended for this
     * admin-facing flow or are enforced earlier (middleware/policy).
     *
     * @param string   $tenantIdentifier Value of the `tenant` request parameter; the caller aborts on ''.
     * @param int|null $workspaceId      Current workspace id, or null when no workspace context was resolved.
     */
    private function resolveTenant(string $tenantIdentifier, ?int $workspaceId): Tenant
    {
        $matchesIdentifier = static function ($query) use ($tenantIdentifier): void {
            $query->where('tenant_id', $tenantIdentifier)
                ->orWhere('external_id', $tenantIdentifier);
        };

        $existing = Tenant::query()->where($matchesIdentifier)->first();

        if (! $existing instanceof Tenant) {
            // A new tenant must be attached to a workspace; refuse otherwise.
            abort_if($workspaceId === null, ResponseAlias::HTTP_FORBIDDEN, 'Missing workspace context');

            return Tenant::create([
                'tenant_id' => $tenantIdentifier,
                'name' => 'New Tenant',
                'workspace_id' => $workspaceId,
            ]);
        }

        // A tenant without a workspace is claimed for the current one.
        if ($workspaceId !== null && $existing->workspace_id === null) {
            $existing->forceFill(['workspace_id' => $workspaceId])->save();
        }

        return $existing;
    }

    private
/**
 * Create or reset the tenant's Microsoft "platform" connection so consent can
 * be (re)started from a clean baseline.
 *
 * The row is matched on (tenant_id, provider 'microsoft', entra_tenant_id),
 * where entra_tenant_id falls back from graphTenantId() to tenant_id to
 * external_id. Consent, verification and migration-review fields are reset to
 * "consent required / verification unknown", last_error_reason_code is set to
 * ProviderConsentMissing, and status/health_status are taken from the state
 * projector for that combination. The connection is written as the default
 * only when the tenant has no default Microsoft connection yet.
 *
 * Side effects: the connection's credential relation is deleted on every
 * call, so whatever is stored there does not survive a consent restart, and
 * the model is re-read from the database before it is returned.
 */
function upsertPlatformConnection(Tenant $tenant): ProviderConnection
{
    $tenantKey = (int) $tenant->getKey();

    $defaultAlreadyExists = ProviderConnection::query()
        ->where('tenant_id', $tenantKey)
        ->where('provider', 'microsoft')
        ->where('is_default', true)
        ->exists();

    $projection = app(ProviderConnectionStateProjector::class)->project(
        connectionType: ProviderConnectionType::Platform,
        consentStatus: ProviderConsentStatus::Required,
        verificationStatus: ProviderVerificationStatus::Unknown,
    );

    $lookup = [
        'tenant_id' => $tenantKey,
        'provider' => 'microsoft',
        'entra_tenant_id' => (string) ($tenant->graphTenantId() ?? $tenant->tenant_id ?? $tenant->external_id),
    ];

    $baseline = [
        'workspace_id' => (int) $tenant->workspace_id,
        'display_name' => (string) ($tenant->name ?? 'Microsoft Connection'),
        'connection_type' => ProviderConnectionType::Platform->value,
        'status' => $projection['status'],
        'consent_status' => ProviderConsentStatus::Required->value,
        'consent_granted_at' => null,
        'consent_last_checked_at' => null,
        'consent_error_code' => null,
        'consent_error_message' => null,
        'verification_status' => ProviderVerificationStatus::Unknown->value,
        'health_status' => $projection['health_status'],
        'migration_review_required' => false,
        'migration_reviewed_at' => null,
        'last_error_reason_code' => ProviderReasonCodes::ProviderConsentMissing,
        'last_error_message' => null,
        // Becomes the default only when no default Microsoft connection exists yet.
        'is_default' => ! $defaultAlreadyExists,
    ];

    $connection = ProviderConnection::query()->updateOrCreate($lookup, $baseline);

    // Drop the attached credential: consent is about to be granted anew.
    $connection->credential()->delete();

    // NOTE(review): is_default was just written as !$defaultAlreadyExists, so this
    // branch looks unreachable unless the model (cast/observer) overrides it — confirm.
    if (! $defaultAlreadyExists && ! $connection->is_default) {
        $connection->makeDefault();
    }

    // NOTE(review): Eloquent's fresh() is nullable; a row deleted in between would
    // surface here as a TypeError on the non-nullable return type.
    return $connection->fresh();
}
}