129 lines
5.0 KiB
PHP
129 lines
5.0 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Jobs\ProviderConnectionHealthCheckJob;
|
|
use App\Models\AuditLog;
|
|
use App\Models\OperationRun;
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Services\Graph\GraphClientInterface;
|
|
use App\Services\Graph\GraphResponse;
|
|
use App\Services\OperationRunService;
|
|
use App\Support\OperationRunOutcome;
|
|
use App\Support\OperationRunStatus;
|
|
use App\Support\Providers\ProviderReasonCodes;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('audits consent revocation detection when verification finds consent missing after it was previously granted', function (): void {
|
|
config()->set('graph.client_id', 'platform-client-id');
|
|
config()->set('graph.client_secret', 'platform-client-secret');
|
|
|
|
app()->instance(GraphClientInterface::class, new class implements GraphClientInterface
|
|
{
|
|
public function listPolicies(string $policyType, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true);
|
|
}
|
|
|
|
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true);
|
|
}
|
|
|
|
public function getOrganization(array $options = []): GraphResponse
|
|
{
|
|
throw new RuntimeException(ProviderReasonCodes::ProviderConsentMissing);
|
|
}
|
|
|
|
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true);
|
|
}
|
|
|
|
public function getServicePrincipalPermissions(array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true);
|
|
}
|
|
|
|
public function request(string $method, string $path, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true);
|
|
}
|
|
});
|
|
|
|
$user = User::factory()->create();
|
|
$tenant = Tenant::factory()->create([
|
|
'tenant_id' => 'revoked-audit-tenant-id',
|
|
]);
|
|
[$user, $tenant] = createUserWithTenant(tenant: $tenant, user: $user, role: 'owner', ensureDefaultMicrosoftProviderConnection: false);
|
|
|
|
$connection = ProviderConnection::factory()->platform()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => 'revoked-audit-tenant-id',
|
|
'is_default' => true,
|
|
'consent_status' => 'granted',
|
|
'verification_status' => 'healthy',
|
|
'status' => 'connected',
|
|
'health_status' => 'ok',
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'user_id' => (int) $user->getKey(),
|
|
'initiator_name' => $user->name,
|
|
'type' => 'provider.connection.check',
|
|
'status' => OperationRunStatus::Running->value,
|
|
'outcome' => OperationRunOutcome::Pending->value,
|
|
'context' => [
|
|
'provider' => 'microsoft',
|
|
'module' => 'health_check',
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'target_scope' => [
|
|
'entra_tenant_id' => $connection->entra_tenant_id,
|
|
],
|
|
],
|
|
]);
|
|
|
|
$job = new ProviderConnectionHealthCheckJob(
|
|
tenantId: (int) $tenant->getKey(),
|
|
userId: (int) $user->getKey(),
|
|
providerConnectionId: (int) $connection->getKey(),
|
|
operationRun: $run,
|
|
);
|
|
|
|
$job->handle(app(\App\Services\Providers\MicrosoftProviderHealthCheck::class), app(OperationRunService::class));
|
|
|
|
$connection->refresh();
|
|
$run->refresh();
|
|
|
|
expect($connection->consent_status?->value ?? $connection->consent_status)->toBe('revoked')
|
|
->and($connection->verification_status?->value ?? $connection->verification_status)->toBe('blocked')
|
|
->and($connection->status)->toBe('needs_consent')
|
|
->and($run->outcome)->toBe(OperationRunOutcome::Blocked->value)
|
|
->and($run->context['reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderConsentRevoked);
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.consent_revoked')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->status)->toBe('failed')
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->metadata['provider_connection_id'] ?? null)->toBe((int) $connection->getKey())
|
|
->and($log?->metadata['connection_type'] ?? null)->toBe('platform')
|
|
->and($log?->metadata['previous_consent_status'] ?? null)->toBe('granted')
|
|
->and($log?->metadata['consent_status'] ?? null)->toBe('revoked')
|
|
->and($log?->metadata['verification_status'] ?? null)->toBe('blocked')
|
|
->and($log?->metadata['detected_reason_code'] ?? null)->toBe(ProviderReasonCodes::ProviderConsentMissing);
|
|
});
|