ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
367-operationrun-actionability-system
TenantAtlas/apps/platform/tests/Feature/ProviderConnections/ScopeHardeningAuthoritySourcesTest.php
ahmido fcb03d2aee feat: harden provider connection authority resolution (339) (#410) 
## Summary
- harden Provider Connection authority so workspace scope comes only from explicit workspace context and record ownership
- require explicit `environment_id` for Provider Connection create flows and remove remembered-environment or Filament-tenant fallback authority
- keep legacy query aliases such as `tenant`, `tenant_id`, and `managed_environment_id` inert for Provider Connection access
- add targeted Spec 339 feature coverage for create authority, workspace authority, and wrong-workspace / legacy-query denial behavior
- include Spec 339 artifacts (`spec.md`, `plan.md`, `tasks.md`) for the hardening slice

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections --filter=ScopeHardening`

## Notes
- no new uncommitted workspace changes were present to commit in this turn; the branch already contained the feature commits
- Livewire v4 compliance unchanged
- Filament provider registration remains in `bootstrap/providers.php`
- no migrations, new assets, or route-family restructures

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #410
2026-05-31 11:59:41 +00:00

198 lines
7.5 KiB
PHP
Raw Permalink Blame History

<?php
declare(strict_types=1);
use App\Models\ManagedEnvironment;
use App\Models\Workspace;
use App\Policies\ProviderConnectionPolicy;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Auth\Access\Response;
use Illuminate\Http\Request;
it('ScopeHardening requires explicit environment_id for ProviderConnectionPolicy::create even if a remembered environment exists', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-env-remembered',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
$this->actingAs($user);
session()->put(WorkspaceContext::SESSION_KEY, (int) $environment->workspace_id);
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
(string) $environment->workspace_id => (int) $environment->getKey(),
]);
/** @var ProviderConnectionPolicy $policy */
$policy = app(ProviderConnectionPolicy::class);
$result = $policy->create($user);
expect($result)->toBeInstanceOf(Response::class);
expect($result->denied())->toBeTrue();
});
it('ScopeHardening requires explicit environment_id for ProviderConnectionPolicy::create even if Filament tenant is set', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-env-filament',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
Filament::setTenant($environment, true);
$this->actingAs($user);
session()->put(WorkspaceContext::SESSION_KEY, (int) $environment->workspace_id);
/** @var ProviderConnectionPolicy $policy */
$policy = app(ProviderConnectionPolicy::class);
$result = $policy->create($user);
expect($result)->toBeInstanceOf(Response::class);
expect($result->denied())->toBeTrue();
});
it('ScopeHardening ignores legacy query aliases for ProviderConnectionPolicy::create authority', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-env-alias',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
$request = Request::create('/admin/provider-connections/create', 'GET', [
'managed_environment_id' => (int) $environment->getKey(),
]);
$this->app->instance('request', $request);
$this->actingAs($user);
session()->put(WorkspaceContext::SESSION_KEY, (int) $environment->workspace_id);
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
(string) $environment->workspace_id => (int) $environment->getKey(),
]);
/** @var ProviderConnectionPolicy $policy */
$policy = app(ProviderConnectionPolicy::class);
$result = $policy->create($user);
expect($result)->toBeInstanceOf(Response::class);
expect($result->denied())->toBeTrue();
});
it('ScopeHardening denies ProviderConnectionPolicy::create for environment_id that belongs to another workspace', function (): void {
$environmentA = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-env-a',
]);
[$user, $environmentA] = createUserWithTenant(tenant: $environmentA, role: 'owner');
$workspaceB = Workspace::factory()->create();
$environmentB = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $workspaceB->getKey(),
'external_id' => 'spec339-scopehardening-env-b',
]);
$request = Request::create('/admin/provider-connections/create', 'GET', [
'environment_id' => (int) $environmentB->getKey(),
]);
$this->app->instance('request', $request);
$this->actingAs($user);
session()->put(WorkspaceContext::SESSION_KEY, (int) $environmentA->workspace_id);
/** @var ProviderConnectionPolicy $policy */
$policy = app(ProviderConnectionPolicy::class);
$result = $policy->create($user);
expect($result)->toBeInstanceOf(Response::class);
expect($result->denied())->toBeTrue();
});
it('ScopeHardening returns 403 (not 404) for the create page when environment_id is missing (UI entry behavior)', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-create-page',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
])
->get('/admin/provider-connections/create')
->assertForbidden();
});
it('ScopeHardening returns 404 for the create page when environment_id belongs to another workspace (UI entry behavior)', function (): void {
$environmentA = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-create-page-a',
]);
[$user, $environmentA] = createUserWithTenant(tenant: $environmentA, role: 'owner');
$workspaceB = Workspace::factory()->create();
$environmentB = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $workspaceB->getKey(),
'external_id' => 'spec339-scopehardening-create-page-b',
]);
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $environmentA->workspace_id,
])
->get('/admin/provider-connections/create?environment_id='.(int) $environmentB->getKey())
->assertNotFound();
});
it('ScopeHardening returns 403 (not 404) for the create page when legacy alias is provided (UI entry behavior)', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-create-page-alias',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
])
->get('/admin/provider-connections/create?managed_environment_id='.(int) $environment->getKey())
->assertForbidden();
});
it('ScopeHardening returns 403 (not 404) for the create page even if a remembered environment exists (UI entry behavior)', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-create-page-remembered',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY => [
(string) $environment->workspace_id => (int) $environment->getKey(),
],
])
->get('/admin/provider-connections/create')
->assertForbidden();
});
it('ScopeHardening returns 403 (not 404) for the create page even if Filament tenant is set (UI entry behavior)', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-create-page-filament',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
Filament::setTenant($environment, true);
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
])
->get('/admin/provider-connections/create')
->assertForbidden();
});
Reference in New Issue View Git Blame Copy Permalink