ahmido
440e63edff
## Summary
Implements Spec 145 for tenant action taxonomy and lifecycle-safe visibility.
This PR:
- adds a central tenant action policy surface and supporting value objects
- aligns tenant list, detail, edit, onboarding, and widget surfaces around lifecycle-safe actions
- standardizes operator-facing lifecycle wording around View, Resume onboarding, Archive, Restore, and Complete onboarding
- tightens onboarding and tenant lifecycle authorization semantics, including honest 404 vs 403 behavior
- updates related regression coverage and spec artifacts for Spec 145
- fixes follow-on full-suite regressions uncovered during validation, including onboarding browser flows, provider consent fixtures, workspace redirect DI expectations, and critical table/action/UI expectation drift
## Validation
Executed and passed:
- vendor/bin/sail bin pint --dirty --format agent
- vendor/bin/sail artisan test --compact
Result:
- 2581 passed
- 8 skipped
- 13534 assertions
## Notes
- Base branch: dev
- Feature branch commit: a33a41b
- Filament v5 / Livewire v4 compliance preserved
- No panel provider registration changes; Laravel 12 provider registration remains in bootstrap/providers.php
- No new globally searchable resource behavior added in this slice
- Destructive lifecycle actions remain confirmation-gated and authorization-protected
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #174
117 lines
3.8 KiB
PHP
117 lines
3.8 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\OperationRun;
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\ProviderCredential;
|
|
use App\Models\Tenant;
|
|
use App\Services\Verification\StartVerification;
|
|
use Illuminate\Auth\Access\AuthorizationException;
|
|
use Illuminate\Support\Facades\Queue;
|
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
|
|
|
it('returns 404 for non-members on verification view and start', function (): void {
|
|
Queue::fake();
|
|
|
|
$tenant = Tenant::factory()->create();
|
|
$otherTenant = Tenant::factory()->create();
|
|
|
|
[$user] = createUserWithTenant($otherTenant, role: 'readonly');
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'provider.connection.check',
|
|
'status' => 'completed',
|
|
'outcome' => 'failed',
|
|
'context' => [
|
|
'verification_report' => json_decode(
|
|
(string) file_get_contents(base_path('specs/074-verification-checklist/contracts/examples/fail.json')),
|
|
true,
|
|
512,
|
|
JSON_THROW_ON_ERROR,
|
|
),
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertStatus(404);
|
|
|
|
$connection = ProviderConnection::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
]);
|
|
|
|
expect(fn () => app(StartVerification::class)->providerConnectionCheck(
|
|
tenant: $tenant,
|
|
connection: $connection,
|
|
initiator: $user,
|
|
))->toThrow(NotFoundHttpException::class);
|
|
});
|
|
|
|
it('allows readonly members to view verification reports but forbids starting verification', function (): void {
|
|
Queue::fake();
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'type' => 'provider.connection.check',
|
|
'status' => 'completed',
|
|
'outcome' => 'failed',
|
|
'context' => [
|
|
'verification_report' => json_decode(
|
|
(string) file_get_contents(base_path('specs/074-verification-checklist/contracts/examples/fail.json')),
|
|
true,
|
|
512,
|
|
JSON_THROW_ON_ERROR,
|
|
),
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertOk()
|
|
->assertSee('Verification report');
|
|
|
|
$connection = ProviderConnection::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
]);
|
|
|
|
expect(fn () => app(StartVerification::class)->providerConnectionCheck(
|
|
tenant: $tenant,
|
|
connection: $connection,
|
|
initiator: $user,
|
|
))->toThrow(AuthorizationException::class);
|
|
});
|
|
|
|
it('allows members with start capability to start verification', function (): void {
|
|
Queue::fake();
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'operator');
|
|
|
|
$connection = ProviderConnection::factory()->consentGranted()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => fake()->uuid(),
|
|
'status' => 'connected',
|
|
]);
|
|
ProviderCredential::factory()->create([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
]);
|
|
|
|
$result = app(StartVerification::class)->providerConnectionCheck(
|
|
tenant: $tenant,
|
|
connection: $connection,
|
|
initiator: $user,
|
|
);
|
|
|
|
expect($result->status)->toBe('started');
|
|
expect($result->run->type)->toBe('provider.connection.check');
|
|
expect($result->run->tenant_id)->toBe((int) $tenant->getKey());
|
|
expect($result->run->context)->toMatchArray([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
]);
|
|
});
|