ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
194-governance-friction-hardening
TenantAtlas/apps/platform/routes/web.php
Ahmed Darrazi 6872de5810 feat: harden governance action semantics
2026-04-12 23:14:50 +02:00

509 lines
18 KiB
PHP
Raw Permalink Blame History

<?php
use App\Filament\Pages\WorkspaceOverview;
use App\Http\Controllers\AdminConsentCallbackController;
use App\Http\Controllers\Auth\EntraController;
use App\Http\Controllers\ClearTenantContextController;
use App\Http\Controllers\OpenFindingExceptionsQueueController;
use App\Http\Controllers\RbacDelegatedAuthController;
use App\Http\Controllers\ReviewPackDownloadController;
use App\Http\Controllers\SelectTenantController;
use App\Http\Controllers\SwitchWorkspaceController;
use App\Http\Controllers\TenantOnboardingController;
use App\Http\Middleware\SuppressDebugbarForSmokeRequests;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\TenantOnboardingSession;
use App\Models\User;
use App\Models\Workspace;
use App\Services\Onboarding\OnboardingDraftResolver;
use App\Support\Auth\WorkspaceRole;
use App\Services\Tenants\TenantOperabilityService;
use App\Support\Tenants\TenantOperabilityQuestion;
use App\Support\Tenants\TenantPageCategory;
use App\Support\Workspaces\WorkspaceContext;
use App\Support\Workspaces\WorkspaceResolver;
use Filament\Http\Middleware\Authenticate as FilamentAuthenticate;
use Filament\Http\Middleware\DisableBladeIconComponents;
use Filament\Http\Middleware\DispatchServingFilamentEvent;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Route;
Route::get('/', function () {
return view('welcome');
});
Route::get('/admin/consent/callback', AdminConsentCallbackController::class)
->name('admin.consent.callback');
Route::get('/admin/consent/start', TenantOnboardingController::class)
->name('admin.consent.start');
// Avoid Filament's tenancy root redirect which otherwise sends users into legacy flows.
// when no default tenant can be resolved.
Route::middleware([
'web',
'panel:admin',
'ensure-correct-guard:web',
DisableBladeIconComponents::class,
DispatchServingFilamentEvent::class,
FilamentAuthenticate::class,
'ensure-workspace-selected',
])
->get('/admin', WorkspaceOverview::class)
->name('admin.home');
Route::get('/admin/rbac/start', [RbacDelegatedAuthController::class, 'start'])
->name('admin.rbac.start');
Route::get('/admin/rbac/callback', [RbacDelegatedAuthController::class, 'callback'])
->name('admin.rbac.callback');
Route::get('/auth/entra/redirect', [EntraController::class, 'redirect'])
->name('auth.entra.redirect');
Route::get('/auth/entra/callback', [EntraController::class, 'callback'])
->middleware('throttle:entra-callback')
->name('auth.entra.callback');
$makeSmokeCookie = static fn () => cookie()->make(
SuppressDebugbarForSmokeRequests::COOKIE_NAME,
SuppressDebugbarForSmokeRequests::COOKIE_VALUE,
120,
);
$resolveSmokeTenant = static function (?string $identifier): ?Tenant {
$identifier = trim((string) $identifier);
if ($identifier === '') {
return null;
}
return Tenant::query()
->withTrashed()
->where(function ($query) use ($identifier): void {
$query->where('external_id', $identifier)
->orWhere('tenant_id', $identifier);
if (ctype_digit($identifier)) {
$query->orWhereKey((int) $identifier);
}
})
->first();
};
$resolveSmokeWorkspace = static function (?string $identifier, ?Tenant $tenant = null): ?Workspace {
if ($tenant instanceof Tenant) {
return Workspace::query()->whereKey($tenant->workspace_id)->first();
}
$identifier = trim((string) $identifier);
if ($identifier === '') {
return null;
}
return Workspace::query()
->where(function ($query) use ($identifier): void {
$query->where('slug', $identifier);
if (ctype_digit($identifier)) {
$query->orWhereKey((int) $identifier);
}
})
->first();
};
$resolveSmokeRedirect = static function (?string $redirect, ?Tenant $tenant = null): string {
$fallback = $tenant instanceof Tenant && ! $tenant->trashed()
? '/admin/t/'.$tenant->external_id
: '/admin';
$redirect = trim((string) $redirect);
if ($redirect === '') {
return $fallback;
}
$parsedRedirect = parse_url($redirect);
if ($parsedRedirect === false || isset($parsedRedirect['scheme']) || isset($parsedRedirect['host'])) {
return $fallback;
}
$path = '/'.ltrim((string) ($parsedRedirect['path'] ?? ''), '/');
if ($path !== '/admin' && ! str_starts_with($path, '/admin/')) {
return $fallback;
}
$query = isset($parsedRedirect['query']) ? '?'.$parsedRedirect['query'] : '';
$fragment = isset($parsedRedirect['fragment']) ? '#'.$parsedRedirect['fragment'] : '';
return $path.$query.$fragment;
};
$resolveSmokeUser = static function (?string $email, ?Workspace $workspace = null, ?Tenant $tenant = null): ?User {
$email = trim((string) $email);
if ($email !== '') {
$user = User::query()->where('email', $email)->first();
return $user instanceof User ? $user : null;
}
$scopedWorkspace = $workspace;
if (! $scopedWorkspace instanceof Workspace && $tenant instanceof Tenant) {
$scopedWorkspace = Workspace::query()->whereKey($tenant->workspace_id)->first();
}
if (! $scopedWorkspace instanceof Workspace) {
return null;
}
$rolePriority = [
WorkspaceRole::Owner->value => 0,
WorkspaceRole::Manager->value => 1,
WorkspaceRole::Operator->value => 2,
WorkspaceRole::Readonly->value => 3,
];
$users = User::query()
->whereHas('workspaceMemberships', function ($query) use ($scopedWorkspace): void {
$query->where('workspace_id', (int) $scopedWorkspace->getKey());
})
->when($tenant instanceof Tenant, function ($query) use ($tenant): void {
$query->whereHas('tenantMemberships', function ($membershipQuery) use ($tenant): void {
$membershipQuery->where('tenant_id', (int) $tenant->getKey());
});
})
->with(['workspaceMemberships' => function ($query) use ($scopedWorkspace): void {
$query->where('workspace_id', (int) $scopedWorkspace->getKey());
}])
->get()
->filter(function (User $user) use ($tenant): bool {
return ! $tenant instanceof Tenant || $user->canAccessTenant($tenant);
})
->sortBy(function (User $user) use ($rolePriority): array {
$role = $user->workspaceMemberships->first()?->role;
return [
$rolePriority[(string) $role] ?? 99,
(int) $user->getKey(),
];
})
->values();
$user = $users->first();
return $user instanceof User ? $user : null;
};
$completeSmokeLogin = static function (
Request $request,
?string $email = null,
?string $tenantIdentifier = null,
?string $workspaceIdentifier = null,
?string $redirect = null,
) use (
$makeSmokeCookie,
$resolveSmokeRedirect,
$resolveSmokeTenant,
$resolveSmokeUser,
$resolveSmokeWorkspace,
): \Illuminate\Http\RedirectResponse {
$tenant = $resolveSmokeTenant($tenantIdentifier);
$workspace = $resolveSmokeWorkspace($workspaceIdentifier, $tenant);
$user = $resolveSmokeUser($email, $workspace, $tenant);
abort_unless($user instanceof User, 404);
$workspaceContext = app(WorkspaceContext::class);
if (! $workspace instanceof Workspace) {
$workspace = $workspaceContext->resolveInitialWorkspaceFor($user, $request);
}
abort_unless($workspace instanceof Workspace, 404);
abort_unless($workspaceContext->isMember($user, $workspace), 404);
if ($tenant instanceof Tenant) {
abort_unless((int) $tenant->workspace_id === (int) $workspace->getKey(), 404);
abort_unless($user->canAccessTenant($tenant), 404);
}
Auth::guard('web')->login($user);
$request->session()->regenerate();
$request->session()->put(
SuppressDebugbarForSmokeRequests::SESSION_KEY,
SuppressDebugbarForSmokeRequests::COOKIE_VALUE,
);
$workspaceContext->setCurrentWorkspace($workspace, $user, $request);
if ($tenant instanceof Tenant) {
$workspaceContext->rememberTenantContext($tenant, $request);
} else {
$workspaceContext->clearRememberedTenantContext($request);
}
return redirect()
->to($resolveSmokeRedirect($redirect, $tenant))
->withCookie($makeSmokeCookie());
};
Route::get('/admin/local/smoke-login', function (Request $request) use ($completeSmokeLogin) {
abort_unless(app()->environment(['local', 'testing']), 404);
$fixture = config('tenantpilot.backup_health.browser_smoke_fixture');
$defaultEmail = is_array($fixture) ? data_get($fixture, 'user.email') : null;
$defaultTenant = is_array($fixture)
? (data_get($fixture, 'blocked_drillthrough.tenant_external_id') ?? data_get($fixture, 'blocked_drillthrough.tenant_id'))
: null;
$defaultWorkspace = is_array($fixture) ? data_get($fixture, 'workspace.slug') : null;
return $completeSmokeLogin(
$request,
email: (string) ($request->query('email', $defaultEmail ?? '')),
tenantIdentifier: (string) ($request->query('tenant', $defaultTenant ?? '')),
workspaceIdentifier: (string) ($request->query('workspace', $defaultWorkspace ?? '')),
redirect: (string) ($request->query('redirect', '')),
);
})->name('admin.local.smoke-login');
Route::get('/admin/local/backup-health-browser-fixture-login', function (Request $request) use ($completeSmokeLogin) {
abort_unless(app()->environment(['local', 'testing']), 404);
$fixture = config('tenantpilot.backup_health.browser_smoke_fixture');
$userEmail = is_array($fixture) ? data_get($fixture, 'user.email') : null;
$tenantRouteKey = is_array($fixture)
? (data_get($fixture, 'blocked_drillthrough.tenant_id') ?? data_get($fixture, 'blocked_drillthrough.tenant_external_id'))
: null;
abort_unless(is_string($userEmail) && $userEmail !== '', 404);
abort_unless(is_string($tenantRouteKey) && $tenantRouteKey !== '', 404);
return $completeSmokeLogin(
$request,
email: $userEmail,
tenantIdentifier: $tenantRouteKey,
workspaceIdentifier: is_array($fixture) ? data_get($fixture, 'workspace.slug') : null,
);
})->name('admin.local.backup-health-browser-fixture-login');
Route::middleware(['web', 'auth', 'ensure-correct-guard:web'])
->post('/admin/switch-workspace', SwitchWorkspaceController::class)
->name('admin.switch-workspace');
Route::middleware(['web', 'auth', 'ensure-correct-guard:web'])
->get('/admin/finding-exceptions/open-queue/{tenant}', OpenFindingExceptionsQueueController::class)
->name('admin.finding-exceptions.open-queue');
Route::middleware(['web', 'auth', 'ensure-correct-guard:web', 'ensure-workspace-selected'])
->post('/admin/select-tenant', SelectTenantController::class)
->name('admin.select-tenant');
Route::middleware(['web', 'auth', 'ensure-correct-guard:web', 'ensure-workspace-selected'])
->post('/admin/clear-tenant-context', ClearTenantContextController::class)
->name('admin.clear-tenant-context');
Route::bind('workspace', function (string $value): Workspace {
/** @var WorkspaceResolver $resolver */
$resolver = app(WorkspaceResolver::class);
$workspace = $resolver->resolve($value);
abort_unless($workspace instanceof Workspace, 404);
return $workspace;
});
Route::bind('onboardingDraft', function (string $value): TenantOnboardingSession {
$user = auth()->user();
abort_unless($user instanceof \App\Models\User, 403);
$workspaceId = app(WorkspaceContext::class)->currentWorkspaceId(request());
abort_unless(is_int($workspaceId), 404);
$workspace = Workspace::query()->whereKey($workspaceId)->first();
abort_unless($workspace instanceof Workspace, 404);
return app(OnboardingDraftResolver::class)->resolve((int) $value, $user, $workspace);
});
$authorizeManagedTenantRoute = function (Tenant $tenant, Request $request): void {
$user = $request->user();
abort_unless($user instanceof User, 403);
$workspaceContext = app(WorkspaceContext::class);
$workspaceId = $workspaceContext->currentWorkspaceId($request);
abort_unless(is_int($workspaceId), 404);
abort_unless((int) $tenant->workspace_id === $workspaceId, 404);
$workspace = Workspace::query()->whereKey($workspaceId)->first();
abort_unless($workspace instanceof Workspace, 404);
abort_unless($workspaceContext->isMember($user, $workspace), 404);
$allowed = app(TenantOperabilityService::class)->outcomeFor(
tenant: $tenant,
question: TenantOperabilityQuestion::TenantBoundViewability,
actor: $user,
workspaceId: $workspaceId,
lane: TenantPageCategory::TenantBound->lane(),
)->allowed;
abort_unless($allowed, 404);
};
Route::middleware(['web', 'auth', 'ensure-correct-guard:web', 'ensure-workspace-member'])
->prefix('/admin/w/{workspace}')
->group(function (): void {
Route::get('/', fn () => redirect()->route('admin.workspace.managed-tenants.index', ['workspace' => request()->route('workspace')]))
->name('admin.workspace.home');
Route::get('/ping', fn () => response()->noContent())->name('admin.workspace.ping');
});
Route::middleware([
'web',
'panel:admin',
'ensure-correct-guard:web',
DisableBladeIconComponents::class,
DispatchServingFilamentEvent::class,
FilamentAuthenticate::class,
])
->get('/admin/onboarding', \App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard::class)
->name('admin.onboarding');
Route::middleware([
'web',
'panel:admin',
'ensure-correct-guard:web',
DisableBladeIconComponents::class,
DispatchServingFilamentEvent::class,
FilamentAuthenticate::class,
])
->get('/admin/onboarding/{onboardingDraft}', \App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard::class)
->name('admin.onboarding.draft');
Route::middleware([
'web',
'panel:admin',
'ensure-correct-guard:web',
DisableBladeIconComponents::class,
DispatchServingFilamentEvent::class,
FilamentAuthenticate::class,
'ensure-workspace-selected',
])
->get('/admin/operations', \App\Filament\Pages\Monitoring\Operations::class)
->name('admin.operations.index');
Route::middleware([
'web',
'panel:admin',
'ensure-correct-guard:web',
DisableBladeIconComponents::class,
DispatchServingFilamentEvent::class,
FilamentAuthenticate::class,
'ensure-workspace-selected',
])
->get('/admin/evidence/overview', \App\Filament\Pages\Monitoring\EvidenceOverview::class)
->name('admin.evidence.overview');
Route::middleware([
'web',
'panel:admin',
'ensure-correct-guard:web',
DisableBladeIconComponents::class,
DispatchServingFilamentEvent::class,
FilamentAuthenticate::class,
'ensure-workspace-selected',
])
->prefix('/admin/tenants/{tenant:external_id}/provider-connections')
->group(function () use ($authorizeManagedTenantRoute): void {
Route::get('/', function (Tenant $tenant, Request $request) use ($authorizeManagedTenantRoute) {
$authorizeManagedTenantRoute($tenant, $request);
return redirect()->to('/admin/provider-connections?tenant_id='.$tenant->external_id);
})->name('admin.provider-connections.legacy-index');
Route::get('/create', function (Tenant $tenant, Request $request) use ($authorizeManagedTenantRoute) {
$authorizeManagedTenantRoute($tenant, $request);
return redirect()->to('/admin/provider-connections/create?tenant_id='.$tenant->external_id);
})->name('admin.provider-connections.legacy-create');
Route::get('/{record}/edit', function (Tenant $tenant, mixed $record, Request $request) use ($authorizeManagedTenantRoute) {
$authorizeManagedTenantRoute($tenant, $request);
$connection = ProviderConnection::query()
->whereKey((int) $record)
->where('tenant_id', (int) $tenant->getKey())
->where('workspace_id', (int) $tenant->workspace_id)
->first();
abort_unless($connection instanceof ProviderConnection, 404);
return redirect()->to('/admin/provider-connections/'.$connection->getKey().'/edit?tenant_id='.$tenant->external_id);
})->name('admin.provider-connections.legacy-edit');
});
Route::middleware([
'web',
'panel:admin',
'ensure-correct-guard:web',
DisableBladeIconComponents::class,
DispatchServingFilamentEvent::class,
FilamentAuthenticate::class,
'ensure-workspace-selected',
'ensure-filament-tenant-selected',
])
->get('/admin/audit-log', \App\Filament\Pages\Monitoring\AuditLog::class)
->name('admin.monitoring.audit-log');
Route::middleware([
'web',
'panel:admin',
'ensure-correct-guard:web',
DisableBladeIconComponents::class,
DispatchServingFilamentEvent::class,
FilamentAuthenticate::class,
'ensure-workspace-selected',
])
->get('/admin/operations/{run}', \App\Filament\Pages\Operations\TenantlessOperationRunViewer::class)
->name('admin.operations.view');
Route::middleware([
'web',
'panel:admin',
'ensure-correct-guard:web',
DisableBladeIconComponents::class,
DispatchServingFilamentEvent::class,
FilamentAuthenticate::class,
'ensure-workspace-member',
])
->get('/admin/w/{workspace}/managed-tenants', \App\Filament\Pages\Workspaces\ManagedTenantsLanding::class)
->name('admin.workspace.managed-tenants.index');
Route::middleware(['signed'])
->get('/admin/review-packs/{reviewPack}/download', ReviewPackDownloadController::class)
->name('admin.review-packs.download');
if (app()->runningUnitTests()) {
Route::middleware(['web', 'auth', 'ensure-workspace-selected'])
->get('/admin/_test/workspace-context', function (Request $request) {
$workspaceId = app(\App\Support\Workspaces\WorkspaceContext::class)->currentWorkspaceId($request);
return response()->json([
'workspace_id' => $workspaceId,
]);
});
}
Reference in New Issue View Git Blame Copy Permalink