ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
076-permissions-enterprise-ui
TenantAtlas/tests/Feature/Verification/VerificationCheckAcknowledgementTest.php
ahmido 53dc89e6ef Spec 075: Verification Checklist Framework V1.5 (fingerprint + acknowledgements) (#93) 
Implements Spec 075 (V1.5) on top of Spec 074.

Highlights
- Deterministic report fingerprint (sha256) + previous_report_id linkage
- Viewer change indicator: "No changes" vs "Changed" when previous exists
- Check acknowledgements (fail|warn|block) with capability-first auth, confirmation, and audit event
- Verify-step UX polish (issues-first, primary CTA)

Testing
- Focused Pest coverage for fingerprint, previous resolver, change indicator, acknowledgements, badge semantics, DB-only viewer guard.

Notes
- Viewing remains DB-only (no external calls while rendering).

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #93
2026-02-05 21:44:19 +00:00

181 lines
6.8 KiB
PHP
Raw Permalink Blame History

<?php
declare(strict_types=1);
use App\Models\AuditLog;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Services\Verification\VerificationCheckAcknowledgementService;
use App\Support\Audit\AuditActionId;
use App\Support\Verification\VerificationReportFingerprint;
use Illuminate\Auth\Access\AuthorizationException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
it('returns 404 for non-members on verification check acknowledgement', function (): void {
$tenant = Tenant::factory()->create();
$otherTenant = Tenant::factory()->create();
[$user] = createUserWithTenant($otherTenant, role: 'readonly');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'provider.connection.check',
'status' => 'completed',
'outcome' => 'failed',
'context' => [
'verification_report' => json_decode(
(string) file_get_contents(base_path('specs/074-verification-checklist/contracts/examples/fail.json')),
true,
512,
JSON_THROW_ON_ERROR,
),
],
]);
expect(fn () => app(VerificationCheckAcknowledgementService::class)->acknowledge(
tenant: $tenant,
run: $run,
checkKey: 'provider_connection.token_acquisition',
ackReason: 'Known issue',
expiresAt: null,
actor: $user,
))->toThrow(NotFoundHttpException::class);
});
it('returns 403 for members without tenant_verification.acknowledge on verification check acknowledgement', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'operator');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'provider.connection.check',
'status' => 'completed',
'outcome' => 'failed',
'context' => [
'verification_report' => json_decode(
(string) file_get_contents(base_path('specs/074-verification-checklist/contracts/examples/fail.json')),
true,
512,
JSON_THROW_ON_ERROR,
),
],
]);
expect(fn () => app(VerificationCheckAcknowledgementService::class)->acknowledge(
tenant: $tenant,
run: $run,
checkKey: 'provider_connection.token_acquisition',
ackReason: 'Known issue',
expiresAt: null,
actor: $user,
))->toThrow(AuthorizationException::class);
});
it('acknowledges a failing check (with optional expiry) and writes a minimal audit log (no ack_reason)', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'manager');
$run = OperationRun::factory()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'type' => 'provider.connection.check',
'status' => 'completed',
'outcome' => 'failed',
'context' => [
'verification_report' => json_decode(
(string) file_get_contents(base_path('specs/074-verification-checklist/contracts/examples/fail.json')),
true,
512,
JSON_THROW_ON_ERROR,
),
],
]);
$reportBefore = $run->context['verification_report'] ?? null;
$reportBefore = is_array($reportBefore) ? $reportBefore : [];
$summaryBefore = is_array($reportBefore['summary'] ?? null) ? $reportBefore['summary'] : [];
$countsBefore = is_array($summaryBefore['counts'] ?? null) ? $summaryBefore['counts'] : [];
$checksBefore = is_array($reportBefore['checks'] ?? null) ? $reportBefore['checks'] : [];
$checksBeforeByKey = collect($checksBefore)
->filter(fn ($check): bool => is_array($check) && is_string($check['key'] ?? null))
->mapWithKeys(fn (array $check): array => [
(string) $check['key'] => [
'status' => $check['status'] ?? null,
'blocking' => $check['blocking'] ?? null,
'severity' => $check['severity'] ?? null,
'reason_code' => $check['reason_code'] ?? null,
],
])
->all();
$fingerprintBefore = VerificationReportFingerprint::forReport($reportBefore);
$expiresAt = now()->addDay()->toISOString();
$ack = app(VerificationCheckAcknowledgementService::class)->acknowledge(
tenant: $tenant,
run: $run,
checkKey: 'provider_connection.token_acquisition',
ackReason: 'Known issue',
expiresAt: $expiresAt,
actor: $user,
);
expect($ack->operation_run_id)->toBe((int) $run->getKey());
expect($ack->check_key)->toBe('provider_connection.token_acquisition');
expect($ack->ack_reason)->toBe('Known issue');
expect($ack->expires_at)->not->toBeNull();
$run->refresh();
$reportAfter = $run->context['verification_report'] ?? null;
$reportAfter = is_array($reportAfter) ? $reportAfter : [];
$summaryAfter = is_array($reportAfter['summary'] ?? null) ? $reportAfter['summary'] : [];
$countsAfter = is_array($summaryAfter['counts'] ?? null) ? $summaryAfter['counts'] : [];
expect($summaryAfter['overall'] ?? null)->toBe($summaryBefore['overall'] ?? null);
expect($countsAfter)->toBe($countsBefore);
$checksAfter = is_array($reportAfter['checks'] ?? null) ? $reportAfter['checks'] : [];
$checksAfterByKey = collect($checksAfter)
->filter(fn ($check): bool => is_array($check) && is_string($check['key'] ?? null))
->mapWithKeys(fn (array $check): array => [
(string) $check['key'] => [
'status' => $check['status'] ?? null,
'blocking' => $check['blocking'] ?? null,
'severity' => $check['severity'] ?? null,
'reason_code' => $check['reason_code'] ?? null,
],
])
->all();
expect($checksAfterByKey)->toBe($checksBeforeByKey);
$fingerprintAfter = VerificationReportFingerprint::forReport($reportAfter);
expect($fingerprintAfter)->toBe($fingerprintBefore);
$audit = AuditLog::query()
->where('workspace_id', (int) $tenant->workspace_id)
->where('action', AuditActionId::VerificationCheckAcknowledged->value)
->latest('id')
->first();
expect($audit)->not->toBeNull();
expect($audit?->metadata)->toMatchArray([
'tenant_id' => (int) $tenant->getKey(),
'operation_run_id' => (int) $run->getKey(),
'report_id' => (int) $run->getKey(),
'flow' => 'provider.connection.check',
'check_key' => 'provider_connection.token_acquisition',
'reason_code' => 'authentication_failed',
]);
$metadata = $audit?->metadata ?? [];
expect($metadata)->not->toHaveKey('ack_reason');
expect(json_encode($metadata))->not->toContain('Known issue');
});
Reference in New Issue View Git Blame Copy Permalink