TenantAtlas/tests/Feature/MonitoringOperationsTest.php

<?php

use App\Filament\Resources\OperationRunResource;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Graph\GraphClientInterface;

it('allows access to monitoring page for tenant members', function () {
    $tenant = Tenant::factory()->create();
    $user = User::factory()->create();
    $tenant->users()->attach($user);

    $run = OperationRun::create([
        'tenant_id' => $tenant->id,
        'type' => 'policy.sync',
        'status' => 'queued',
        'outcome' => 'pending',
        'initiator_name' => 'System',
        'run_identity_hash' => 'hash123',
    ]);

    $this->actingAs($user)
        ->get(OperationRunResource::getUrl('index', tenant: $tenant))
        ->assertSuccessful()
        ->assertSee('Policy sync');
});

it('renders monitoring pages DB-only (never calls Graph)', function () {
    $tenant = Tenant::factory()->create();
    $user = User::factory()->create();
    $tenant->users()->attach($user);

    $run = OperationRun::create([
        'tenant_id' => $tenant->id,
        'type' => 'policy.sync',
        'status' => 'queued',
        'outcome' => 'pending',
        'initiator_name' => 'System',
        'run_identity_hash' => 'hash123',
    ]);

    $this->mock(GraphClientInterface::class, function ($mock): void {
        $mock->shouldReceive('listPolicies')->never();
        $mock->shouldReceive('getPolicy')->never();
        $mock->shouldReceive('getOrganization')->never();
        $mock->shouldReceive('applyPolicy')->never();
        $mock->shouldReceive('getServicePrincipalPermissions')->never();
        $mock->shouldReceive('request')->never();
    });

    $this->actingAs($user)
        ->get(OperationRunResource::getUrl('index', tenant: $tenant))
        ->assertSuccessful();

    $this->actingAs($user)
        ->get(OperationRunResource::getUrl('view', ['record' => $run], tenant: $tenant))
        ->assertSuccessful();
});

it('shows runs only for current tenant', function () {
    $tenantA = Tenant::factory()->create();
    $tenantB = Tenant::factory()->create();
    $user = User::factory()->create();
    $tenantA->users()->attach($user);

    // We must simulate being in tenant context
    $this->actingAs($user);
    // Filament::setTenant($tenantA); // This is usually handled by middleware on routes, but in Livewire test we might need manual set or route visit.

    // Easier approach: visit the page for tenantA

    OperationRun::create([
        'tenant_id' => $tenantA->id,
        'type' => 'policy.sync',
        'status' => 'queued',
        'outcome' => 'pending',
        'initiator_name' => 'System',
        'run_identity_hash' => 'hashA',
    ]);

    OperationRun::create([
        'tenant_id' => $tenantB->id,
        'type' => 'inventory.sync',
        'status' => 'queued',
        'outcome' => 'pending',
        'initiator_name' => 'System',
        'run_identity_hash' => 'hashB',
    ]);

    // Livewire::test needs to know the tenant if the component relies on it.
    // However, the component relies on `Filament::getTenant()`.
    // The cleanest way is to just GET the page URL, which runs middleware.

    $this->get(OperationRunResource::getUrl('index', tenant: $tenantA))
        ->assertSee('Policy sync')
        ->assertDontSee('Inventory sync');
});

it('allows readonly users to view operations list and detail', function () {
    $tenant = Tenant::factory()->create();
    $user = User::factory()->create();
    $tenant->users()->attach($user, ['role' => 'readonly']);

    $run = OperationRun::create([
        'tenant_id' => $tenant->id,
        'type' => 'policy.sync',
        'status' => 'queued',
        'outcome' => 'pending',
        'initiator_name' => 'System',
        'run_identity_hash' => 'hash123',
    ]);

    $this->actingAs($user)
        ->get(OperationRunResource::getUrl('index', tenant: $tenant))
        ->assertSuccessful()
        ->assertSee('Policy sync');

    $this->actingAs($user)
        ->get(OperationRunResource::getUrl('view', ['record' => $run], tenant: $tenant))
        ->assertSuccessful()
        ->assertSee('Policy sync');
});

it('denies access to unauthorized users', function () {
    $tenant = Tenant::factory()->create();
    $user = User::factory()->create();
    // Not attached to tenant

    // In a multitenant app, if you try to access a tenant route you are not part of,
    // Filament typically returns 404 (Not Found) if it can't find the tenant-user relationship, or 403.
    // The previous fail said "Received 404". This confirms Filament couldn't find the tenant for this user scope or just hides it.
    // We should accept 404 or 403.

    $response = $this->actingAs($user)
        ->get(OperationRunResource::getUrl('index', tenant: $tenant));

    // Allow either 403 or 404 as "Denied"
    $this->assertTrue(in_array($response->status(), [403, 404]));
});