ahmido
b6343d5c3a
Implements workspace-scoped managed tenant onboarding wizard (Filament v5 / Livewire v4) with strict RBAC (404/403 semantics), resumable sessions, provider connection selection/creation, verification OperationRun, and optional bootstrap. Removes legacy onboarding entrypoints and adds Pest coverage + spec artifacts (073). ## Summary <!-- Kurz: Was ändert sich und warum? --> ## Spec-Driven Development (SDD) - [ ] Es gibt eine Spec unter `specs/<NNN>-<feature>/` - [ ] Enthaltene Dateien: `plan.md`, `tasks.md`, `spec.md` - [ ] Spec beschreibt Verhalten/Acceptance Criteria (nicht nur Implementation) - [ ] Wenn sich Anforderungen während der Umsetzung geändert haben: Spec/Plan/Tasks wurden aktualisiert ## Implementation - [ ] Implementierung entspricht der Spec - [ ] Edge cases / Fehlerfälle berücksichtigt - [ ] Keine unbeabsichtigten Änderungen außerhalb des Scopes ## Tests - [ ] Tests ergänzt/aktualisiert (Pest/PHPUnit) - [ ] Relevante Tests lokal ausgeführt (`./vendor/bin/sail artisan test` oder `php artisan test`) ## Migration / Config / Ops (falls relevant) - [ ] Migration(en) enthalten und getestet - [ ] Rollback bedacht (rückwärts kompatibel, sichere Migration) - [ ] Neue Env Vars dokumentiert (`.env.example` / Doku) - [ ] Queue/cron/storage Auswirkungen geprüft ## UI (Filament/Livewire) (falls relevant) - [ ] UI-Flows geprüft - [ ] Screenshots/Notizen hinzugefügt ## Notes <!-- Links, Screenshots, Follow-ups, offene Punkte --> Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.fritz.box> Reviewed-on: #88
237 lines
7.5 KiB
PHP
237 lines
7.5 KiB
PHP
<?php
|
|
|
|
use App\Filament\Resources\TenantResource\Pages\CreateTenant;
|
|
use App\Filament\Resources\TenantResource\Pages\ViewTenant;
|
|
use App\Models\Tenant;
|
|
use App\Models\TenantPermission;
|
|
use App\Models\User;
|
|
use App\Services\Graph\GraphClientInterface;
|
|
use App\Services\Graph\GraphResponse;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Livewire\Livewire;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
test('tenant can be created via filament and verified successfully', function () {
|
|
app()->bind(GraphClientInterface::class, fn () => new class implements GraphClientInterface
|
|
{
|
|
public function listPolicies(string $policyType, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
|
|
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
|
|
public function getOrganization(array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, ['value' => [['id' => $options['tenant'] ?? 'tenant']]], 200);
|
|
}
|
|
|
|
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
|
|
public function getServicePrincipalPermissions(array $options = []): GraphResponse
|
|
{
|
|
// Return all required permissions as granted
|
|
return new GraphResponse(true, [
|
|
'permissions' => collect(config('intune_permissions.permissions', []))
|
|
->pluck('key')
|
|
->toArray(),
|
|
]);
|
|
}
|
|
|
|
public function request(string $method, string $path, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
});
|
|
|
|
$user = User::factory()->create();
|
|
$this->actingAs($user);
|
|
|
|
$contextTenant = Tenant::create([
|
|
'tenant_id' => 'tenant-context',
|
|
'name' => 'Context Tenant',
|
|
]);
|
|
[$user, $contextTenant] = createUserWithTenant($contextTenant, $user, role: 'owner');
|
|
$this->actingAs($user);
|
|
Filament::setTenant($contextTenant, true);
|
|
|
|
Livewire::test(CreateTenant::class)
|
|
->fillForm([
|
|
'name' => 'Contoso',
|
|
'environment' => 'other',
|
|
'tenant_id' => 'tenant-guid',
|
|
'domain' => 'contoso.com',
|
|
'app_client_id' => 'client-123',
|
|
'app_notes' => 'Test tenant',
|
|
])
|
|
->call('create')
|
|
->assertHasNoFormErrors();
|
|
|
|
$tenant = Tenant::query()->where('tenant_id', 'tenant-guid')->first();
|
|
expect($tenant)->not->toBeNull();
|
|
|
|
Livewire::test(ViewTenant::class, ['record' => $tenant->getRouteKey()])
|
|
->callAction('verify');
|
|
|
|
$tenant->refresh();
|
|
|
|
expect($tenant->app_status)->toBe('ok');
|
|
|
|
$this->assertDatabaseHas('audit_logs', [
|
|
'tenant_id' => $tenant->id,
|
|
'action' => 'tenant.config.verified',
|
|
'status' => 'success',
|
|
]);
|
|
|
|
$this->assertDatabaseHas('tenant_permissions', [
|
|
'tenant_id' => $tenant->id,
|
|
'status' => 'granted',
|
|
]);
|
|
});
|
|
|
|
test('verify configuration records error when graph fails', function () {
|
|
app()->bind(GraphClientInterface::class, fn () => new class implements GraphClientInterface
|
|
{
|
|
public function listPolicies(string $policyType, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
|
|
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
|
|
public function getOrganization(array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(false, [], 401, ['auth failed']);
|
|
}
|
|
|
|
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
|
|
public function getServicePrincipalPermissions(array $options = []): GraphResponse
|
|
{
|
|
// Return error for permissions check
|
|
return new GraphResponse(false, [], 403, ['Permission denied']);
|
|
}
|
|
|
|
public function request(string $method, string $path, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
});
|
|
|
|
$user = User::factory()->create();
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'tenant_id' => 'tenant-error',
|
|
'name' => 'Error Tenant',
|
|
'status' => 'active',
|
|
]);
|
|
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, user: $user, role: 'owner');
|
|
$this->actingAs($user);
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::test(ViewTenant::class, ['record' => $tenant->getRouteKey()])
|
|
->callAction('verify');
|
|
|
|
$tenant->refresh();
|
|
|
|
expect($tenant->app_status)->toBe('error');
|
|
|
|
$this->assertDatabaseHas('audit_logs', [
|
|
'tenant_id' => $tenant->id,
|
|
'action' => 'tenant.config.verified',
|
|
'status' => 'error',
|
|
]);
|
|
|
|
$this->assertDatabaseHas('tenant_permissions', [
|
|
'tenant_id' => $tenant->id,
|
|
'status' => 'error',
|
|
]);
|
|
});
|
|
|
|
test('tenant detail shows required permissions with statuses', function () {
|
|
$user = User::factory()->create();
|
|
$this->actingAs($user);
|
|
|
|
$tenant = Tenant::create([
|
|
'tenant_id' => 'tenant-ui',
|
|
'name' => 'UI Tenant',
|
|
]);
|
|
[$user, $tenant] = createUserWithTenant($tenant, $user, role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
config(['intune_permissions.granted_stub' => []]);
|
|
|
|
$permissions = config('intune_permissions.permissions', []);
|
|
$firstKey = $permissions[0]['key'] ?? 'DeviceManagementConfiguration.ReadWrite.All';
|
|
|
|
TenantPermission::create([
|
|
'tenant_id' => $tenant->id,
|
|
'permission_key' => $firstKey,
|
|
'status' => 'ok',
|
|
]);
|
|
|
|
$response = $this->get(route('filament.admin.resources.tenants.view', array_merge(filamentTenantRouteParams($tenant), ['record' => $tenant])));
|
|
|
|
$response->assertOk();
|
|
$response->assertSee('Actions');
|
|
$response->assertSee($firstKey);
|
|
$response->assertSee('ok');
|
|
$response->assertSee('Missing');
|
|
});
|
|
|
|
test('tenant list shows Open in Entra action', function () {
|
|
$user = User::factory()->create();
|
|
$this->actingAs($user);
|
|
|
|
$tenant = Tenant::create([
|
|
'tenant_id' => 'tenant-ui-list',
|
|
'name' => 'UI Tenant List',
|
|
'app_client_id' => 'client-123',
|
|
]);
|
|
|
|
[$user, $tenant] = createUserWithTenant($tenant, $user, role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
$response = $this->get(route('filament.admin.resources.tenants.index', filamentTenantRouteParams($tenant)));
|
|
|
|
$response->assertOk();
|
|
$response->assertSee('Open in Entra');
|
|
});
|
|
|
|
test('tenant can be deactivated from the tenant detail action menu', function () {
|
|
$user = User::factory()->create();
|
|
$this->actingAs($user);
|
|
|
|
$tenant = Tenant::create([
|
|
'tenant_id' => 'tenant-ui-deactivate',
|
|
'name' => 'UI Tenant Deactivate',
|
|
]);
|
|
|
|
[$user, $tenant] = createUserWithTenant($tenant, $user, role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::test(ViewTenant::class, ['record' => $tenant->getRouteKey()])
|
|
->mountAction('archive')
|
|
->callMountedAction()
|
|
->assertHasNoActionErrors();
|
|
|
|
$this->assertSoftDeleted('tenants', ['id' => $tenant->id]);
|
|
});
|