ahmido
5bcb4f6ab8
## Summary
- add a canonical queued execution legitimacy contract for actor-bound and system-authority operation runs
- enforce legitimacy before queued jobs transition runs to running across provider, inventory, restore, bulk, sync, and scheduled backup flows
- surface blocked execution outcomes consistently in Monitoring, notifications, audit data, and the tenantless operation viewer
- add Spec 149 artifacts and focused Pest coverage for legitimacy decisions, middleware ordering, blocked presentation, retry behavior, and cross-family adoption
## Testing
- vendor/bin/sail artisan test --compact tests/Unit/Operations/QueuedExecutionLegitimacyGateTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionMiddlewareOrderingTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Verification/ProviderExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/RunInventorySyncExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/ExecuteRestoreRunExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/SystemRunBlockedExecutionNotificationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/BulkOperationExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionRetryReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionContractMatrixTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/OperationRunBlockedExecutionPresentationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionAuditTrailTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/TenantlessOperationRunViewerTest.php
- vendor/bin/sail bin pint --dirty --format agent
## Manual validation
- validated queued provider execution blocking for tenant operability drift in the integrated browser on /admin/operations and /admin/operations/{run}
- validated 404 vs 403 route behavior for non-membership vs in-scope capability denial
- validated initiator-null blocked system-run behavior without creating a user terminal notification
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #179
241 lines
7.6 KiB
PHP
241 lines
7.6 KiB
PHP
<?php
|
|
|
|
use App\Models\OperationRun;
|
|
use App\Notifications\OperationRunCompleted;
|
|
use App\Notifications\OperationRunQueued;
|
|
use App\Services\OperationRunService;
|
|
use App\Support\OperationRunLinks;
|
|
use Filament\Facades\Filament;
|
|
|
|
it('emits a queued notification after successful dispatch (initiator only) with view link', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$service = app(OperationRunService::class);
|
|
$run = $service->ensureRun(
|
|
tenant: $tenant,
|
|
type: 'policy.sync',
|
|
inputs: ['scope' => 'all'],
|
|
initiator: $user,
|
|
);
|
|
|
|
$service->dispatchOrFail($run, function (): void {
|
|
// no-op (dispatch succeeded)
|
|
}, emitQueuedNotification: true);
|
|
|
|
$this->assertDatabaseHas('notifications', [
|
|
'notifiable_id' => $user->getKey(),
|
|
'notifiable_type' => $user->getMorphClass(),
|
|
'type' => OperationRunQueued::class,
|
|
'data->format' => 'filament',
|
|
'data->title' => 'Policy sync queued',
|
|
]);
|
|
|
|
$notification = $user->notifications()->latest('id')->first();
|
|
expect($notification)->not->toBeNull();
|
|
expect($notification->data['actions'][0]['url'] ?? null)
|
|
->toBe(OperationRunLinks::view($run, $tenant));
|
|
});
|
|
|
|
it('does not emit queued notifications for runs without an initiator', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$service = app(OperationRunService::class);
|
|
|
|
$run = $service->ensureRun(
|
|
tenant: $tenant,
|
|
type: 'policy.sync',
|
|
inputs: ['scope' => 'all'],
|
|
initiator: null,
|
|
);
|
|
|
|
$service->dispatchOrFail($run, function (): void {
|
|
// no-op
|
|
}, emitQueuedNotification: true);
|
|
|
|
expect($user->notifications()->count())->toBe(0);
|
|
});
|
|
|
|
it('uses a tenantless view link for managed tenant onboarding wizard runs', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'user_id' => $user->getKey(),
|
|
'initiator_name' => $user->name,
|
|
'type' => 'provider.connection.check',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'context' => [
|
|
'wizard' => [
|
|
'flow' => 'managed_tenant_onboarding',
|
|
'step' => 'verification',
|
|
],
|
|
],
|
|
]);
|
|
|
|
$user->notify(new OperationRunQueued($run));
|
|
|
|
$notification = $user->notifications()->latest('id')->first();
|
|
expect($notification)->not->toBeNull();
|
|
expect($notification->data['actions'][0]['url'] ?? null)
|
|
->toBe(OperationRunLinks::tenantlessView($run));
|
|
});
|
|
|
|
it('emits a terminal notification when an operation run transitions to completed', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'user_id' => $user->getKey(),
|
|
'initiator_name' => $user->name,
|
|
'type' => 'inventory_sync',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'context' => ['policy_types' => ['deviceConfiguration']],
|
|
]);
|
|
|
|
$service = app(OperationRunService::class);
|
|
|
|
$service->updateRun(
|
|
$run,
|
|
status: 'completed',
|
|
outcome: 'succeeded',
|
|
summaryCounts: ['total' => 1],
|
|
failures: [],
|
|
);
|
|
|
|
$this->assertDatabaseHas('notifications', [
|
|
'notifiable_id' => $user->getKey(),
|
|
'notifiable_type' => $user->getMorphClass(),
|
|
'type' => OperationRunCompleted::class,
|
|
'data->format' => 'filament',
|
|
'data->title' => 'Inventory sync completed',
|
|
]);
|
|
|
|
$notification = $user->notifications()->latest('id')->first();
|
|
expect($notification)->not->toBeNull();
|
|
expect($notification->data['actions'][0]['url'] ?? null)
|
|
->toBe(OperationRunLinks::view($run, $tenant));
|
|
});
|
|
|
|
it('uses a tenantless view link for completed tenantless runs', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'tenant_id' => null,
|
|
'user_id' => (int) $user->getKey(),
|
|
'initiator_name' => $user->name,
|
|
'type' => 'provider.connection.check',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
]);
|
|
|
|
app(OperationRunService::class)->updateRun(
|
|
$run,
|
|
status: 'completed',
|
|
outcome: 'blocked',
|
|
failures: [[
|
|
'code' => 'operation.blocked',
|
|
'reason_code' => 'execution_prerequisite_invalid',
|
|
'message' => 'Operation blocked because the queued execution prerequisites are no longer satisfied.',
|
|
]],
|
|
);
|
|
|
|
$notification = $user->notifications()->latest('id')->first();
|
|
|
|
expect($notification)->not->toBeNull()
|
|
->and($notification->data['actions'][0]['url'] ?? null)->toBe(OperationRunLinks::tenantlessView($run));
|
|
});
|
|
|
|
it('renders partial backup-set update notifications with RBAC foundation summary counts', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'user_id' => $user->getKey(),
|
|
'initiator_name' => $user->name,
|
|
'type' => 'backup_set.add_policies',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'context' => [
|
|
'backup_set_id' => 42,
|
|
'options' => ['include_foundations' => true],
|
|
],
|
|
]);
|
|
|
|
$service = app(OperationRunService::class);
|
|
|
|
$service->updateRun(
|
|
$run,
|
|
status: 'completed',
|
|
outcome: 'partially_succeeded',
|
|
summaryCounts: [
|
|
'total' => 3,
|
|
'processed' => 3,
|
|
'succeeded' => 2,
|
|
'failed' => 1,
|
|
'items' => 3,
|
|
'created' => 2,
|
|
],
|
|
failures: [[
|
|
'code' => 'foundation.capture_failed',
|
|
'message' => 'DeviceManagementRBAC.Read.All is missing.',
|
|
]],
|
|
);
|
|
|
|
$notification = $user->notifications()->latest('id')->first();
|
|
|
|
expect($notification)->not->toBeNull();
|
|
expect($notification->data['title'] ?? null)->toBe('Backup set update completed with warnings');
|
|
expect($notification->data['body'] ?? null)->toContain('Completed with warnings.');
|
|
expect($notification->data['body'] ?? null)->toContain('Total: 3');
|
|
expect($notification->data['body'] ?? null)->toContain('Affected items: 3');
|
|
expect($notification->data['actions'][0]['url'] ?? null)
|
|
->toBe(OperationRunLinks::view($run, $tenant));
|
|
});
|
|
|
|
it('marks a run failed if dispatch throws synchronously', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$this->actingAs($user);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$service = app(OperationRunService::class);
|
|
|
|
$run = $service->ensureRun(
|
|
tenant: $tenant,
|
|
type: 'policy.sync',
|
|
inputs: ['scope' => 'all'],
|
|
initiator: $user,
|
|
);
|
|
|
|
expect(fn () => $service->dispatchOrFail($run, function (): void {
|
|
throw new RuntimeException('Queue misconfigured');
|
|
}))
|
|
->toThrow(RuntimeException::class);
|
|
|
|
$run->refresh();
|
|
expect($run->status)->toBe('completed');
|
|
expect($run->outcome)->toBe('failed');
|
|
});
|