ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
318-admin-surface-scope-shell-context-audit
TenantAtlas/apps/platform/app/Services/Auth/WorkspaceRoleCapabilityMap.php
ahmido dd175c16a1 fix: tighten workspace RBAC access boundaries (#364) 
## Summary
- tighten workspace RBAC and panel access boundaries
- remove non-owner workspace membership management capability from workspace role mapping
- add focused boundary coverage for admin panel, managed environments, providers, review packs, operation runs, finding exceptions, and workspace role capabilities
- include spec artifacts for feature 309

## Testing
- cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Rbac/RoleMatrix/ManagerAccessTest.php tests/Feature/Rbac/WorkspaceMembershipsRelationManagerUiEnforcementTest.php tests/Feature/Rbac/AdminPanelAccessBoundaryTest.php tests/Feature/Rbac/FindingExceptionLifecycleAccessBoundaryTest.php tests/Feature/Rbac/ManagedEnvironmentAccessBoundaryTest.php tests/Feature/Rbac/OperationRunAccessBoundaryTest.php tests/Feature/Rbac/ProviderConnectionAccessBoundaryTest.php tests/Feature/Rbac/ReviewPackAccessBoundaryTest.php tests/Feature/Rbac/SystemPanelAccessBoundaryTest.php tests/Feature/Rbac/WorkspaceRoleCapabilityBoundaryTest.php tests/Unit/Auth/CapabilityResolverTest.php tests/Unit/Auth/WorkspaceRoleCapabilityMapTest.php
- cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #364
2026-05-15 14:00:21 +00:00

128 lines
5.2 KiB
PHP
Raw Permalink Blame History

<?php
namespace App\Services\Auth;
use App\Support\Auth\Capabilities;
use App\Support\Auth\WorkspaceRole;
/**
* Workspace Role to Capability Mapping (Single Source of Truth)
*
* This class defines which capabilities each workspace role has.
* All capability strings MUST be references from the Capabilities registry.
*/
class WorkspaceRoleCapabilityMap
{
/**
* @var array<string, array<int, string>>
*/
private static array $roleCapabilities = [
WorkspaceRole::Owner->value => [
Capabilities::WORKSPACE_VIEW,
Capabilities::WORKSPACE_MANAGE,
Capabilities::WORKSPACE_ARCHIVE,
Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
Capabilities::WORKSPACE_MEMBERSHIP_MANAGE,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_IDENTIFY,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_CANCEL,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_CONNECTION_VIEW,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_CONNECTION_MANAGE,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_CONNECTION_MANAGE_DEDICATED,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_VERIFICATION_START,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_ACTIVATE,
Capabilities::WORKSPACE_SETTINGS_VIEW,
Capabilities::WORKSPACE_SETTINGS_MANAGE,
Capabilities::ALERTS_VIEW,
Capabilities::ALERTS_MANAGE,
Capabilities::WORKSPACE_BASELINES_VIEW,
Capabilities::WORKSPACE_BASELINES_MANAGE,
Capabilities::AUDIT_VIEW,
Capabilities::FINDING_EXCEPTION_APPROVE,
],
WorkspaceRole::Manager->value => [
Capabilities::WORKSPACE_VIEW,
Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_IDENTIFY,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_CANCEL,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_CONNECTION_VIEW,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_CONNECTION_MANAGE,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_VERIFICATION_START,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
Capabilities::WORKSPACE_SETTINGS_VIEW,
Capabilities::WORKSPACE_SETTINGS_MANAGE,
Capabilities::ALERTS_VIEW,
Capabilities::ALERTS_MANAGE,
Capabilities::WORKSPACE_BASELINES_VIEW,
Capabilities::WORKSPACE_BASELINES_MANAGE,
Capabilities::AUDIT_VIEW,
Capabilities::FINDING_EXCEPTION_APPROVE,
],
WorkspaceRole::Operator->value => [
Capabilities::WORKSPACE_VIEW,
Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_CONNECTION_VIEW,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_VERIFICATION_START,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
Capabilities::WORKSPACE_MANAGED_ENVIRONMENT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
Capabilities::WORKSPACE_SETTINGS_VIEW,
Capabilities::ALERTS_VIEW,
Capabilities::WORKSPACE_BASELINES_VIEW,
Capabilities::AUDIT_VIEW,
],
WorkspaceRole::Readonly->value => [
Capabilities::WORKSPACE_VIEW,
Capabilities::WORKSPACE_SETTINGS_VIEW,
Capabilities::ALERTS_VIEW,
Capabilities::WORKSPACE_BASELINES_VIEW,
Capabilities::AUDIT_VIEW,
],
];
/**
* @return array<string>
*/
public static function getCapabilities(WorkspaceRole|string $role): array
{
$roleValue = $role instanceof WorkspaceRole ? $role->value : $role;
$capabilities = array_merge(
self::$roleCapabilities[$roleValue] ?? [],
RoleCapabilityMap::getCapabilities($roleValue),
);
return array_values(array_unique($capabilities));
}
/**
* @return array<string>
*/
public static function rolesWithCapability(string $capability): array
{
$roles = [];
foreach (array_keys(self::$roleCapabilities) as $role) {
if (in_array($capability, self::getCapabilities($role), true)) {
$roles[] = $role;
}
}
return $roles;
}
public static function hasCapability(WorkspaceRole|string $role, string $capability): bool
{
return in_array($capability, self::getCapabilities($role), true);
}
}
Reference in New Issue View Git Blame Copy Permalink