99 lines
3.3 KiB
PHP
99 lines
3.3 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
/**
|
|
* CI guard: prevent new ad-hoc auth patterns in Filament.
|
|
*
|
|
* Rationale:
|
|
* - We want UiEnforcement (and centralized RBAC services) to be the default.
|
|
* - Gate::allows/denies, abort_if/unless, and similar ad-hoc patterns tend to drift.
|
|
* - We allowlist legacy files so CI only fails on NEW violations.
|
|
*
|
|
* If you migrate a legacy file to UiEnforcement, remove it from the allowlist.
|
|
*/
|
|
describe('Filament auth guard (no new ad-hoc patterns)', function () {
|
|
it('fails if new files introduce forbidden auth patterns under app/Filament/**', function () {
|
|
$filamentDir = base_path('app/Filament');
|
|
|
|
expect(is_dir($filamentDir))->toBeTrue("Filament directory not found: {$filamentDir}");
|
|
|
|
/**
|
|
* Legacy allowlist: these files currently contain forbidden patterns.
|
|
*
|
|
* IMPORTANT:
|
|
* - Do NOT add new entries casually.
|
|
* - The goal is to shrink this list over time.
|
|
*
|
|
* Paths are workspace-relative (e.g. app/Filament/Resources/Foo.php).
|
|
*/
|
|
$legacyAllowlist = [
|
|
// Pages (page-level authorization or legacy patterns)
|
|
];
|
|
|
|
$patterns = [
|
|
// Gate facade usage
|
|
'/\\bGate::(allows|denies|check|authorize)\\b/',
|
|
'/^\\s*use\\s+Illuminate\\\\Support\\\\Facades\\\\Gate\\s*;\\s*$/m',
|
|
|
|
// Ad-hoc abort helpers
|
|
'/\\babort_(if|unless)\\s*\\(/',
|
|
];
|
|
|
|
$iterator = new RecursiveIteratorIterator(
|
|
new RecursiveDirectoryIterator($filamentDir, RecursiveDirectoryIterator::SKIP_DOTS)
|
|
);
|
|
|
|
/** @var array<string, array<int, string>> $violations */
|
|
$violations = [];
|
|
|
|
foreach ($iterator as $file) {
|
|
if ($file->getExtension() !== 'php') {
|
|
continue;
|
|
}
|
|
|
|
$absolutePath = $file->getPathname();
|
|
$relativePath = str_replace(base_path().DIRECTORY_SEPARATOR, '', $absolutePath);
|
|
$relativePath = str_replace(DIRECTORY_SEPARATOR, '/', $relativePath);
|
|
|
|
if (in_array($relativePath, $legacyAllowlist, true)) {
|
|
continue;
|
|
}
|
|
|
|
$content = file_get_contents($absolutePath);
|
|
if (! is_string($content)) {
|
|
continue;
|
|
}
|
|
|
|
$lines = preg_split('/\\R/', $content) ?: [];
|
|
|
|
foreach ($lines as $lineNumber => $line) {
|
|
foreach ($patterns as $pattern) {
|
|
if (preg_match($pattern, $line) === 1) {
|
|
$violations[$relativePath][] = ($lineNumber + 1).': '.trim($line);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if ($violations !== []) {
|
|
$messageLines = [
|
|
'Forbidden ad-hoc auth patterns detected in app/Filament/**.',
|
|
'Migrate to UiEnforcement (preferred) or add a justified temporary entry to the legacy allowlist.',
|
|
'',
|
|
];
|
|
|
|
foreach ($violations as $path => $hits) {
|
|
$messageLines[] = $path;
|
|
foreach ($hits as $hit) {
|
|
$messageLines[] = ' - '.$hit;
|
|
}
|
|
}
|
|
|
|
expect($violations)->toBeEmpty(implode("\n", $messageLines));
|
|
}
|
|
|
|
expect(true)->toBeTrue();
|
|
});
|
|
});
|