where('workspace_id', (int) $environment->workspace_id) ->where('managed_environment_id', (int) $environment->getKey()) ->where('permission_key', self::PERMISSION_KEY) ->orderByDesc('last_checked_at') ->orderByDesc('id') ->first(); if (! $permission instanceof ManagedEnvironmentPermission) { return $this->blocked('permission_evidence_blocked_missing', 'permission_evidence_state', 'missing'); } $details = is_array($permission->details) ? $permission->details : []; if ((string) $permission->status !== 'granted') { return $this->blocked('permission_evidence_blocked_unvalidated', 'permission_evidence_state', 'unvalidated', $permission); } if (! $permission->last_checked_at || $permission->last_checked_at->lt(now()->subDays(30))) { return $this->blocked('permission_evidence_blocked_stale', 'permission_evidence_state', 'stale', $permission); } if ((int) ($details['workspace_id'] ?? 0) !== (int) $connection->workspace_id) { return $this->blocked('permission_evidence_blocked_wrong_workspace', 'permission_evidence_state', 'wrong_workspace', $permission); } if ((int) ($details['managed_environment_id'] ?? 0) !== (int) $connection->managed_environment_id) { return $this->blocked('permission_evidence_blocked_wrong_environment', 'permission_evidence_state', 'wrong_environment', $permission); } if ((string) ($details['provider'] ?? '') !== (string) $connection->provider) { return $this->blocked('permission_evidence_blocked_unsupported_provider', 'permission_evidence_state', 'unsupported_provider', $permission); } if ((int) ($details['provider_connection_id'] ?? 0) !== (int) $connection->getKey()) { return $this->blocked('permission_evidence_blocked_wrong_provider_connection', 'permission_evidence_state', 'wrong_provider_connection', $permission); } return ExchangePowerShellGateResult::allowed([ 'permission_evidence_state' => 'verified', 'permission_key' => self::PERMISSION_KEY, 'permission_evidence_id' => (int) $permission->getKey(), 'last_checked_at' => $permission->last_checked_at?->toJSON(), ]); } private function blocked( string $failureCode, string $stateKey, string $state, ?ManagedEnvironmentPermission $permission = null, ): ExchangePowerShellGateResult { return ExchangePowerShellGateResult::blocked( reasonCode: ProviderReasonCodes::ProviderPermissionMissing, failureCode: $failureCode, message: 'Verified Exchange PowerShell permission evidence is required.', context: array_filter([ $stateKey => $state, 'permission_key' => self::PERMISSION_KEY, 'permission_evidence_id' => $permission instanceof ManagedEnvironmentPermission ? (int) $permission->getKey() : null, ], static fn (mixed $value): bool => $value !== null && $value !== ''), ); } }