ahmido
bab01f07a9
## Summary - standardize Microsoft provider connections around explicit platform vs dedicated identity modes - centralize admin-consent URL and runtime identity resolution so platform flows no longer fall back to tenant-local credentials - add migration classification, richer consent and verification state handling, dedicated override management, and focused regression coverage ## Validation - focused repo test coverage was added across provider identity, onboarding, audit, policy, guard, and migration flows - latest explicit passing run in the workspace: `vendor/bin/sail artisan test --compact tests/Feature/AdminConsentCallbackTest.php tests/Feature/Audit/ProviderConnectionConsentAuditTest.php` ## Notes - branch includes the full Spec 137 artifact set under `specs/137-platform-provider-identity/` - target base branch: `dev` Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #166
134 lines
5.0 KiB
PHP
134 lines
5.0 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Providers;
|
|
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\Tenant;
|
|
use App\Support\Providers\ProviderConsentStatus;
|
|
use App\Support\Providers\ProviderReasonCodes;
|
|
|
|
final class ProviderConnectionResolver
|
|
{
|
|
public function __construct(
|
|
private readonly ProviderIdentityResolver $identityResolver,
|
|
) {}
|
|
|
|
public function resolveDefault(Tenant $tenant, string $provider): ProviderConnectionResolution
|
|
{
|
|
$defaults = ProviderConnection::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('provider', $provider)
|
|
->where('is_default', true)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
if ($defaults->count() === 0) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionMissing,
|
|
'No default provider connection is configured for this tenant/provider.',
|
|
);
|
|
}
|
|
|
|
if ($defaults->count() > 1) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Multiple default provider connections were detected.',
|
|
'ext.multiple_defaults_detected',
|
|
);
|
|
}
|
|
|
|
/** @var ProviderConnection $connection */
|
|
$connection = $defaults->first();
|
|
|
|
return $this->validateConnection($tenant, $provider, $connection);
|
|
}
|
|
|
|
public function validateConnection(Tenant $tenant, string $provider, ProviderConnection $connection): ProviderConnectionResolution
|
|
{
|
|
if ((int) $connection->tenant_id !== (int) $tenant->getKey() || (string) $connection->provider !== $provider) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Provider connection does not match tenant/provider scope.',
|
|
'ext.connection_scope_mismatch',
|
|
$connection,
|
|
);
|
|
}
|
|
|
|
if ((string) $connection->status === 'disabled') {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Provider connection is disabled.',
|
|
'ext.connection_disabled',
|
|
$connection,
|
|
);
|
|
}
|
|
|
|
if ($connection->entra_tenant_id === null || trim((string) $connection->entra_tenant_id) === '') {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Provider connection is missing target tenant scope.',
|
|
'ext.connection_tenant_missing',
|
|
$connection,
|
|
);
|
|
}
|
|
|
|
$consentBlocker = $this->consentBlocker($connection);
|
|
|
|
if ($consentBlocker instanceof ProviderConnectionResolution) {
|
|
return $consentBlocker;
|
|
}
|
|
|
|
$identity = $this->identityResolver->resolve($connection);
|
|
|
|
if (! $identity->resolved) {
|
|
return ProviderConnectionResolution::blocked(
|
|
$identity->effectiveReasonCode(),
|
|
$identity->message,
|
|
connection: $connection,
|
|
);
|
|
}
|
|
|
|
return ProviderConnectionResolution::resolved($connection);
|
|
}
|
|
|
|
private function consentBlocker(ProviderConnection $connection): ?ProviderConnectionResolution
|
|
{
|
|
$consentStatus = $connection->consent_status;
|
|
|
|
if ($consentStatus instanceof ProviderConsentStatus) {
|
|
return match ($consentStatus) {
|
|
ProviderConsentStatus::Required => ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConsentMissing,
|
|
'Provider connection requires admin consent before use.',
|
|
'ext.connection_needs_consent',
|
|
$connection,
|
|
),
|
|
ProviderConsentStatus::Failed => ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConsentFailed,
|
|
'Provider connection consent failed. Retry admin consent before use.',
|
|
'ext.connection_consent_failed',
|
|
$connection,
|
|
),
|
|
ProviderConsentStatus::Revoked => ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConsentRevoked,
|
|
'Provider connection consent was revoked. Grant admin consent again before use.',
|
|
'ext.connection_consent_revoked',
|
|
$connection,
|
|
),
|
|
default => null,
|
|
};
|
|
}
|
|
|
|
if ((string) $connection->status === 'needs_consent') {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConsentMissing,
|
|
'Provider connection requires admin consent before use.',
|
|
'ext.connection_needs_consent',
|
|
$connection,
|
|
);
|
|
}
|
|
|
|
return null;
|
|
}
|
|
}
|