ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
03b1beb616
TenantAtlas/apps/platform/app/Support/RbacReason.php
ahmido ce0615a9c1 Spec 182: relocate Laravel platform to apps/platform (#213) 
## Summary
- move the Laravel application into `apps/platform` and keep the repository root for orchestration, docs, and tooling
- update the local command model, Sail/Docker wiring, runtime paths, and ignore rules around the new platform location
- add relocation quickstart/contracts plus focused smoke coverage for bootstrap, command model, routes, and runtime behavior

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/PlatformRelocation`
- integrated browser smoke validated `/up`, `/`, `/admin`, `/admin/choose-workspace`, and tenant route semantics for `200`, `403`, and `404`

## Remaining Rollout Checks
- validate Dokploy build context and working-directory assumptions against the new `apps/platform` layout
- confirm web, queue, and scheduler processes all start from the expected working directory in staging/production
- verify no legacy volume mounts or asset-publish paths still point at the old root-level `public/` or `storage/` locations

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #213
2026-04-08 08:40:47 +00:00

98 lines
4.2 KiB
PHP
Raw Blame History

<?php
namespace App\Support;
use App\Support\ReasonTranslation\NextStepOption;
use App\Support\ReasonTranslation\ReasonResolutionEnvelope;
enum RbacReason: string
{
case MissingArtifacts = 'missing_artifacts';
case ServicePrincipalMissing = 'sp_missing';
case GroupMissing = 'group_missing';
case ServicePrincipalNotMember = 'sp_not_member';
case AssignmentMissing = 'assignment_missing';
case RoleMismatch = 'role_mismatch';
case ScopeMismatch = 'scope_mismatch';
case CanaryFailed = 'canary_failed';
case ManualAssignmentRequired = 'manual_assignment_required';
case UnsupportedApi = 'unsupported_api';
public function operatorLabel(): string
{
return match ($this) {
self::MissingArtifacts => 'RBAC setup incomplete',
self::ServicePrincipalMissing => 'Service principal missing',
self::GroupMissing => 'RBAC group missing',
self::ServicePrincipalNotMember => 'Service principal not in RBAC group',
self::AssignmentMissing => 'RBAC assignment missing',
self::RoleMismatch => 'RBAC role mismatch',
self::ScopeMismatch => 'RBAC scope mismatch',
self::CanaryFailed => 'RBAC validation needs review',
self::ManualAssignmentRequired => 'Manual role assignment required',
self::UnsupportedApi => 'RBAC API unsupported',
};
}
public function shortExplanation(): string
{
return match ($this) {
self::MissingArtifacts => 'TenantPilot could not find the RBAC artifacts required for this tenant.',
self::ServicePrincipalMissing => 'The provider app service principal could not be resolved in Microsoft Graph.',
self::GroupMissing => 'The configured Intune RBAC group could not be found.',
self::ServicePrincipalNotMember => 'The provider app service principal is not currently a member of the configured RBAC group.',
self::AssignmentMissing => 'No matching Intune RBAC assignment could be confirmed for this tenant.',
self::RoleMismatch => 'The existing Intune RBAC assignment uses a different role than expected.',
self::ScopeMismatch => 'The existing Intune RBAC assignment targets a different scope than expected.',
self::CanaryFailed => 'The RBAC canary checks reported a mismatch after setup completed.',
self::ManualAssignmentRequired => 'This tenant requires a manual Intune RBAC role assignment outside the automated API path.',
self::UnsupportedApi => 'This account type does not support the required Intune RBAC API path.',
};
}
public function actionability(): string
{
return match ($this) {
self::CanaryFailed => 'retryable_transient',
self::ManualAssignmentRequired => 'prerequisite_missing',
self::UnsupportedApi => 'non_actionable',
default => 'prerequisite_missing',
};
}
/**
* @return array<int, NextStepOption>
*/
public function nextSteps(): array
{
return match ($this) {
self::UnsupportedApi => [],
self::ManualAssignmentRequired => [
NextStepOption::instruction('Complete the Intune role assignment manually, then refresh RBAC status.', scope: 'tenant'),
],
self::CanaryFailed => [
NextStepOption::instruction('Review the RBAC canary checks and rerun the health check.', scope: 'tenant'),
],
default => [
NextStepOption::instruction('Review the RBAC setup and refresh the tenant RBAC status.', scope: 'tenant'),
],
};
}
/**
* @param array<string, mixed> $context
*/
public function toReasonResolutionEnvelope(string $surface = 'detail', array $context = []): ReasonResolutionEnvelope
{
return new ReasonResolutionEnvelope(
internalCode: $this->value,
operatorLabel: $this->operatorLabel(),
shortExplanation: $this->shortExplanation(),
actionability: $this->actionability(),
nextSteps: $this->nextSteps(),
showNoActionNeeded: $this->actionability() === 'non_actionable',
diagnosticCodeLabel: $this->value,
);
}
}
Reference in New Issue View Git Blame Copy Permalink