ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
platform-dev
TenantAtlas/specs/309-rbac-role-matrix-access-boundary-audit/tasks.md
ahmido dd175c16a1 fix: tighten workspace RBAC access boundaries (#364) 
## Summary
- tighten workspace RBAC and panel access boundaries
- remove non-owner workspace membership management capability from workspace role mapping
- add focused boundary coverage for admin panel, managed environments, providers, review packs, operation runs, finding exceptions, and workspace role capabilities
- include spec artifacts for feature 309

## Testing
- cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Rbac/RoleMatrix/ManagerAccessTest.php tests/Feature/Rbac/WorkspaceMembershipsRelationManagerUiEnforcementTest.php tests/Feature/Rbac/AdminPanelAccessBoundaryTest.php tests/Feature/Rbac/FindingExceptionLifecycleAccessBoundaryTest.php tests/Feature/Rbac/ManagedEnvironmentAccessBoundaryTest.php tests/Feature/Rbac/OperationRunAccessBoundaryTest.php tests/Feature/Rbac/ProviderConnectionAccessBoundaryTest.php tests/Feature/Rbac/ReviewPackAccessBoundaryTest.php tests/Feature/Rbac/SystemPanelAccessBoundaryTest.php tests/Feature/Rbac/WorkspaceRoleCapabilityBoundaryTest.php tests/Unit/Auth/CapabilityResolverTest.php tests/Unit/Auth/WorkspaceRoleCapabilityMapTest.php
- cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #364
2026-05-15 14:00:21 +00:00

205 lines
19 KiB
Markdown
Raw Permalink Blame History

# Tasks: RBAC Role Matrix & Access Boundary Audit
**Input**: Design documents from `/specs/309-rbac-role-matrix-access-boundary-audit/`
**Prerequisites**: `spec.md`, `plan.md`, `checklists/requirements.md`
**Tests**: Required. Use Pest 4 Unit/Feature tests; Browser only if Feature/Filament tests cannot prove the access boundary.
## Test Governance Checklist
- [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
- [x] New or changed tests stay in Unit/Feature unless a panel interaction cannot be proven otherwise.
- [x] Shared helpers, factories, seeds, fixtures, and context defaults stay cheap by default.
- [x] Planned validation commands cover the changed boundaries without pulling unrelated lane cost.
- [x] Browser coverage, if any, is explicit and justified.
- [x] Close-out records fixed contradictions, deferred decisions, and validation results.
## Phase 1: Read-Only Inventory
**Purpose**: Verify repo truth before any runtime or test changes.
- [x] T001 Confirm current branch is `309-rbac-role-matrix-access-boundary-audit` and working tree state is understood.
- [x] T002 Read `.specify/memory/constitution.md` RBAC, workspace isolation, tenant isolation, cross-plane, and testing sections.
- [x] T003 [P] Inspect `apps/platform/app/Support/Auth/Capabilities.php` and `apps/platform/app/Support/Auth/PlatformCapabilities.php`.
- [x] T004 [P] Inspect `apps/platform/app/Services/Auth/WorkspaceRoleCapabilityMap.php` and `apps/platform/app/Services/Auth/RoleCapabilityMap.php`.
- [x] T005 [P] Inspect `apps/platform/app/Support/Auth/WorkspaceRole.php` and `apps/platform/app/Support/TenantRole.php`.
- [x] T006 [P] Inspect `apps/platform/app/Models/User.php` and `apps/platform/app/Models/PlatformUser.php`.
- [x] T007 [P] Inspect `apps/platform/app/Providers/AuthServiceProvider.php` and `apps/platform/bootstrap/providers.php`.
- [x] T008 [P] Inspect `apps/platform/app/Providers/Filament/AdminPanelProvider.php` and `apps/platform/app/Providers/Filament/SystemPanelProvider.php`.
- [x] T009 [P] Inspect `apps/platform/app/Support/Workspaces/WorkspaceContext.php` and `apps/platform/app/Filament/Concerns/WorkspaceScopedTenantRoutes.php`.
- [x] T010 [P] Inspect `apps/platform/app/Policies/WorkspaceMembershipPolicy.php`, `apps/platform/app/Policies/WorkspacePolicy.php`, and workspace membership Filament relation-manager surfaces.
- [x] T011 [P] Inspect `apps/platform/app/Policies/ProviderConnectionPolicy.php` and provider connection resources/actions.
- [x] T012 [P] Inspect `apps/platform/app/Policies/EnvironmentReviewPolicy.php`, `apps/platform/app/Policies/ReviewPackPolicy.php`, `apps/platform/app/Policies/EvidenceSnapshotPolicy.php`, and related resources/pages.
- [x] T013 [P] Inspect `apps/platform/app/Policies/FindingExceptionPolicy.php` and finding exception lifecycle services/actions.
- [x] T014 [P] Inspect `apps/platform/app/Policies/OperationRunPolicy.php`, `apps/platform/app/Support/Operations/OperationRunCapabilityResolver.php`, and operation link/view helpers.
- [x] T015 [P] Inspect existing RBAC, panel, provider, review-pack, customer-review, finding-exception, and OperationRun authorization tests under `apps/platform/tests/`.
- [x] T016 Produce a close-out-ready initial inventory table: `Role -> Capabilities -> Sensitive? -> Matches target? -> Action`.
## Phase 2: Classification
**Purpose**: Decide what is a confirmed bug versus intentional product behavior or docs drift.
- [x] T017 Classify Manager `WORKSPACE_MEMBERSHIP_MANAGE` grant in `apps/platform/app/Services/Auth/WorkspaceRoleCapabilityMap.php`.
- [x] T018 Classify Manager `TENANT_MEMBERSHIP_MANAGE` grant appended in `WorkspaceRoleCapabilityMap::getCapabilities()`.
- [x] T019 Classify Manager provider manage and dedicated credential boundaries in `apps/platform/app/Policies/ProviderConnectionPolicy.php`.
- [x] T020 Classify Manager review, review-pack, evidence, and finding-exception approval/manage capabilities.
- [x] T021 Classify `apps/platform/app/Models/User.php::canAccessPanel()` as safe-by-middleware or a confirmed defense-in-depth gap.
- [x] T022 Classify `/system` cross-plane behavior using existing system-panel tests and direct route behavior.
- [x] T023 Identify confirmed security blockers that must be fixed in Spec 309.
- [x] T024 Identify product-decision-needed items that must not be fixed blindly.
- [x] T025 Identify docs-only drift and follow-up candidates outside Spec 309.
- [x] T026 Record the minimal runtime fix list before editing application code.
## Phase 3: Tests First - Role And Panel Boundaries
**Purpose**: Add failing or tightening proof before runtime fixes.
- [x] T027 [P] Add or update `apps/platform/tests/Unit/Auth/WorkspaceRoleCapabilityMapTest.php` to assert known capabilities, unknown capability rejection, and Owner-only membership-management expectations once confirmed.
- [x] T028 [P] Update `apps/platform/tests/Unit/Auth/CapabilityResolverTest.php` if Manager tenant-membership management is confirmed incorrect.
- [x] T029 [P] Update `apps/platform/tests/Feature/Rbac/RoleMatrix/ManagerAccessTest.php` if Manager tenant-membership management is confirmed incorrect.
- [x] T030 [P] Add or update `apps/platform/tests/Feature/Rbac/WorkspaceRoleCapabilityBoundaryTest.php` for Manager/Operator/Readonly owner-only membership denial and Owner positive coverage.
- [x] T031 [P] Add or update `apps/platform/tests/Feature/Rbac/AdminPanelAccessBoundaryTest.php` to prove direct `/admin` workspace surfaces deny unauthenticated users, users without valid workspace authority, and wrong-plane actors.
- [x] T032 [P] Add or update `apps/platform/tests/Feature/Rbac/SystemPanelAccessBoundaryTest.php` or extend existing system tests to prove ordinary workspace users cannot access `/system` or representative `/system/*` routes.
## Phase 4: Tests First - Workspace And Environment Isolation
**Purpose**: Prove direct object access boundaries for representative high-risk resources.
- [x] T033 [P] Add or update `apps/platform/tests/Feature/Rbac/ManagedEnvironmentAccessBoundaryTest.php` for same-workspace wrong-environment denial.
- [x] T034 [P] Add or update EnvironmentReview direct access coverage in `apps/platform/tests/Feature/Rbac/ManagedEnvironmentAccessBoundaryTest.php` or an existing EnvironmentReview authorization test.
- [x] T035 [P] Add or update ReviewPack cross-workspace and wrong-environment coverage in `apps/platform/tests/Feature/Rbac/ReviewPackAccessBoundaryTest.php` or existing ReviewPack authorization tests.
- [x] T036 [P] Add or update EvidenceSnapshot or StoredReport wrong-environment coverage using repo-real policies/resources.
- [x] T037 [P] Add or update FindingException cross-workspace and wrong-environment coverage in `apps/platform/tests/Feature/Rbac/FindingExceptionLifecycleAccessBoundaryTest.php` or existing finding exception authorization tests.
- [x] T038 [P] Add or update OperationRun workspace-bound and environment-bound access coverage in `apps/platform/tests/Feature/Rbac/OperationRunAccessBoundaryTest.php` or existing OperationRun authorization tests.
- [x] T039 [P] Add or update ProviderConnection cross-workspace and wrong-environment coverage in `apps/platform/tests/Feature/Rbac/ProviderConnectionAccessBoundaryTest.php` or existing ProviderConnection authorization tests.
## Phase 5: Tests First - Sensitive Actions
**Purpose**: Prove server-side authorization for mutation/action execution, not only navigation visibility.
- [x] T040 Add membership-management direct action or policy tests proving non-Owner denial and last-owner guard preservation.
- [x] T041 Add ProviderConnection credential-level denial tests for Manager/Operator/Readonly where high-privilege-only classification is confirmed.
- [x] T042 Add Review/ReviewPack mutation denial tests for Readonly and any non-owner role classified as unauthorized.
- [x] T043 Add FindingException approval/rejection/renew/revoke lifecycle denial tests for unauthorized roles.
- [x] T044 Add OperationRun view/start/cancel/retry/action denial tests for unauthorized or out-of-scope roles using existing operation action surfaces.
- [x] T045 Ensure each destructive action changed by this spec is tested for server-side authorization and existing `->requiresConfirmation()` posture.
## Phase 6: Minimal Runtime Fixes
**Purpose**: Fix only confirmed contradictions and direct boundary bugs.
- [x] T046 Remove or adjust Manager `WORKSPACE_MEMBERSHIP_MANAGE` in `apps/platform/app/Services/Auth/WorkspaceRoleCapabilityMap.php` if Owner-only is confirmed.
- [x] T047 Remove or adjust Manager-specific `TENANT_MEMBERSHIP_MANAGE` append in `WorkspaceRoleCapabilityMap::getCapabilities()` if Owner-only is confirmed.
- [x] T048 Update `apps/platform/app/Models/User.php::canAccessPanel()` only if direct tests prove current permissive behavior is unsafe or can be tightened without breaking login/workspace selection.
- [x] T049 Add missing `Gate::authorize(...)` or policy checks in confirmed service/action mutation paths only. No missing mutation path was confirmed beyond the fixed role-map grants.
- [x] T050 Fix missing policy logic in ProviderConnection, ReviewPack, EnvironmentReview, EvidenceSnapshot, FindingException, or OperationRun policies only for confirmed direct-access bypasses. No direct-access policy bypass was confirmed.
- [x] T051 Align Filament action visibility/disabled state with server-side policy only after the policy/gate behavior is correct.
- [x] T052 Ensure any changed destructive Filament execution action still uses `->action(...)`, `->requiresConfirmation()`, and server-side authorization. No destructive action implementation changed.
- [x] T053 Do not introduce new roles, tables, migrations, capability aliases, broad resolvers, or UI redesigns.
## Phase 7: Focused Validation
**Purpose**: Run the smallest honest lanes for changed behavior.
- [x] T054 Run `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Auth/WorkspaceRoleCapabilityMapTest.php`.
- [x] T055 Run focused RBAC boundary tests under `apps/platform/tests/Feature/Rbac/` that were added or updated for Spec 309.
- [x] T056 Run existing panel cross-plane tests if panel access changed: `apps/platform/tests/Feature/Auth/CrossScopeAccessTest.php`, `apps/platform/tests/Feature/System/Spec113/AuthorizationSemanticsTest.php`, and `apps/platform/tests/Feature/System/Spec114/SystemConsoleAccessSemanticsTest.php`.
- [x] T057 Run review/customer workspace regressions: `apps/platform/tests/Feature/Reviews/CustomerReviewWorkspaceAuthorizationTest.php`, `apps/platform/tests/Feature/Reviews/CustomerReviewWorkspacePackAccessTest.php`, `apps/platform/tests/Feature/ReviewPack/ReviewPackRbacTest.php`, and `apps/platform/tests/Feature/ReviewPack/ReviewPackDownloadTest.php`.
- [x] T058 Run provider connection authorization regressions if provider boundaries changed.
- [x] T059 Run OperationRun authorization/link regressions if OperationRun policy or links changed. No OperationRun policy/link code changed; existing OperationRun RBAC regression was still run.
- [x] T060 Run `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`.
- [x] T061 Run `git diff --check`.
- [x] T062 Run browser smoke only if Feature/Filament tests cannot prove a changed panel/action boundary; otherwise document why browser was not needed.
## Phase 8: Close-Out
**Purpose**: Leave implementation reviewers with exact security and product-truth decisions.
- [x] T063 Record final role/capability inventory in close-out notes.
- [x] T064 Record confirmed contradictions fixed.
- [x] T065 Record product decisions deferred.
- [x] T066 Record docs-only drift and follow-up candidates.
- [x] T067 Record tests run, tests not run, and why.
- [x] T068 Confirm no new RBAC model/table/capability framework/migration was introduced.
- [x] T069 Confirm Filament v5 / Livewire v4 compliance, provider registration location, global-search resource posture, destructive-action confirmation/authorization, no new asset strategy, and testing plan coverage.
- [x] T070 Confirm remaining risks and recommended next spec after 309.
## Dependencies & Execution Order
- Phase 1 blocks all later phases.
- Phase 2 blocks test writing and runtime edits.
- Phases 3, 4, and 5 can run partly in parallel once classification is complete, but each worker must own disjoint test files.
- Phase 6 starts only after tests for confirmed contradictions exist.
- Phase 7 starts after runtime fixes.
- Phase 8 closes after validation.
## Parallel Execution Examples
- T003-T015 can run in parallel as read-only inspection.
- T027-T032 can run in parallel with disjoint test files.
- T033-T039 can run in parallel with disjoint test files.
- T041-T044 can run in parallel when each action group owns separate policies/tests.
- T054-T059 can run in parallel if the Sail environment supports concurrent lanes; otherwise run serially.
## Implementation Strategy
1. MVP = role-map contradiction proof + `/admin` and `/system` direct boundary tests.
2. Add workspace/environment isolation proof for the representative resource set.
3. Add sensitive-action tests for the confirmed bug set.
4. Apply minimal fixes.
5. Validate focused lanes and close out with inventory and decisions.
## Deferred Follow-Ups / Non-Goals
- Support Access Governance v1.
- Product Truth / Docs Drift Reconciliation.
- Customer Review Workspace v1 Completion.
- Route / Panel Access Contract Audit beyond confirmed 309 bugs.
- Commercial entitlements or billing state.
- New RBAC management UI or permission matrix.
## Implementation Close-Out Notes
### RBAC Inventory
| Role | Capabilities | Sensitive? | Matches target? | Action |
|---|---|---:|---|---|
| Workspace Owner | Workspace membership manage, tenant membership manage, provider manage + dedicated credential manage, review/review-pack/evidence manage, finding exception approve, OperationRun view by capability | Yes | Yes | Kept. Owner positive tests added. |
| Workspace Manager | Workspace membership view, provider manage/run, review/review-pack/evidence manage, finding exception approve, workspace settings/manage, alerts/baselines/audit | Yes | Partially | Fixed confirmed membership-management contradiction. Provider/review/evidence/finding manage remains product-decision-needed because existing runtime and tests treat it as intended. |
| Workspace Operator | Workspace membership view, provider view/run, review/evidence view, findings triage, audit, allowed operation visibility | Medium/High | Yes | Kept and covered by boundary tests. |
| Workspace Readonly | Workspace/settings/alerts/baselines/audit view plus customer-safe tenant/review/evidence/provider/review-pack view where scoped | Medium | Yes | Kept and mutation denials covered. |
| Platform/System | Separate `platform` guard + `PlatformCapabilities`; no implicit admin/workspace access | Critical | Yes | Kept; `/system` direct tests added and cross-plane regressions passed. |
### Confirmed Contradictions Fixed
- Manager no longer receives `Capabilities::WORKSPACE_MEMBERSHIP_MANAGE` from `WorkspaceRoleCapabilityMap`.
- Manager no longer receives the Manager-only appended `Capabilities::TENANT_MEMBERSHIP_MANAGE` from `WorkspaceRoleCapabilityMap::getCapabilities()`.
- `User::canAccessPanel()` is now restricted to the `admin` panel; ordinary web users no longer advertise access to the `system` panel.
### Product Decisions Deferred
- Manager `PROVIDER_MANAGE`, `REVIEW_PACK_MANAGE`, `ENVIRONMENT_REVIEW_MANAGE`, `EVIDENCE_MANAGE`, and `FINDING_EXCEPTION_APPROVE` remain unchanged because repo-real policies and existing regressions treat them as current product behavior.
- Provider dedicated credential management remains high-privilege only through `PROVIDER_MANAGE_DEDICATED`; tests prove Manager/Operator/Readonly denial and Owner allowance.
- Support access governance, commercial lifecycle enforcement, and broader route/panel contract cleanup remain follow-up candidates.
### Validation Results
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Auth/WorkspaceRoleCapabilityMapTest.php tests/Unit/Auth/CapabilityResolverTest.php tests/Feature/Rbac/RoleMatrix/ManagerAccessTest.php tests/Feature/Rbac/WorkspaceRoleCapabilityBoundaryTest.php tests/Feature/Rbac/AdminPanelAccessBoundaryTest.php tests/Feature/Rbac/SystemPanelAccessBoundaryTest.php` — 17 passed.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Rbac/ManagedEnvironmentAccessBoundaryTest.php tests/Feature/Rbac/ProviderConnectionAccessBoundaryTest.php tests/Feature/Rbac/ReviewPackAccessBoundaryTest.php tests/Feature/Rbac/OperationRunAccessBoundaryTest.php tests/Feature/Rbac/FindingExceptionLifecycleAccessBoundaryTest.php` — 12 passed.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Rbac/WorkspaceMembershipsRelationManagerUiEnforcementTest.php tests/Feature/Auth/CrossScopeAccessTest.php tests/Feature/Auth/SystemPanelAuthTest.php` — 14 passed.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/System/Spec113/AuthorizationSemanticsTest.php tests/Feature/System/Spec114/SystemConsoleAccessSemanticsTest.php` — 22 passed.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Reviews/CustomerReviewWorkspaceAuthorizationTest.php tests/Feature/Reviews/CustomerReviewWorkspacePackAccessTest.php tests/Feature/ReviewPack/ReviewPackRbacTest.php tests/Feature/ReviewPack/ReviewPackDownloadTest.php` — 30 passed.
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Rbac/OperationRunWorkspaceFirstAuthorizationTest.php tests/Feature/ProviderConnections/ManageCapabilityEnforcementTest.php tests/Feature/ProviderConnections/ProviderConnectionAuthorizationTest.php` — 13 passed.
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` — passed.
- `git diff --check` — passed.
Browser smoke was not run because the changed behavior is backend authorization, role maps, panel contract checks, and Filament/Livewire action enforcement proven by Feature/Livewire tests. No frontend assets, layouts, forms, or navigation redesign were introduced.
### Filament / Runtime Compliance
- Filament v5 remains on Livewire v4.1.4.
- Panel providers remain registered through `apps/platform/bootstrap/providers.php`.
- New/changed resources are not introduced; existing touched resources keep their current global-search posture.
- No destructive action implementation changed. Existing workspace membership destructive removal still uses an execution action with confirmation and the server-side workspace capability guard.
- No assets were added or changed; no `filament:assets` deploy impact.
- No new RBAC model, role, table, migration, capability alias, public permission framework, or UI redesign was introduced.
Reference in New Issue View Git Blame Copy Permalink