12973248e7
Implements RBAC-based write gating for Intune restore flows, UI affordances, and audit logging; adds tests and specs.
46 lines
1.4 KiB
PHP
46 lines
1.4 KiB
PHP
<?php
|
|
|
|
use App\Contracts\Hardening\WriteGateInterface;
|
|
use App\Models\Tenant;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Log;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
test('gate bypasses when disabled and logs warning', function () {
|
|
config()->set('tenantpilot.hardening.intune_write_gate.enabled', false);
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'rbac_status' => null,
|
|
'rbac_last_checked_at' => null,
|
|
]);
|
|
|
|
Log::shouldReceive('warning')
|
|
->once()
|
|
->withArgs(function (string $message, array $context) use ($tenant): bool {
|
|
return str_contains($message, 'write gate is disabled')
|
|
&& ($context['tenant_id'] ?? null) === $tenant->getKey()
|
|
&& ($context['operation_type'] ?? null) === 'restore.execute';
|
|
});
|
|
|
|
$gate = app(WriteGateInterface::class);
|
|
|
|
// Should not throw even with null rbac_status
|
|
$gate->evaluate($tenant, 'restore.execute');
|
|
|
|
expect(true)->toBeTrue();
|
|
});
|
|
|
|
test('wouldBlock returns false when gate is disabled', function () {
|
|
config()->set('tenantpilot.hardening.intune_write_gate.enabled', false);
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'rbac_status' => null,
|
|
'rbac_last_checked_at' => null,
|
|
]);
|
|
|
|
Log::shouldReceive('warning')->once();
|
|
|
|
expect(app(WriteGateInterface::class)->wouldBlock($tenant))->toBeFalse();
|
|
});
|