ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
03b1beb616
TenantAtlas/apps/platform/tests/Unit/IntuneRoleDefinitionNormalizerTest.php
ahmido ce0615a9c1 Spec 182: relocate Laravel platform to apps/platform (#213) 
## Summary
- move the Laravel application into `apps/platform` and keep the repository root for orchestration, docs, and tooling
- update the local command model, Sail/Docker wiring, runtime paths, and ignore rules around the new platform location
- add relocation quickstart/contracts plus focused smoke coverage for bootstrap, command model, routes, and runtime behavior

## Validation
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/PlatformRelocation`
- integrated browser smoke validated `/up`, `/`, `/admin`, `/admin/choose-workspace`, and tenant route semantics for `200`, `403`, and `404`

## Remaining Rollout Checks
- validate Dokploy build context and working-directory assumptions against the new `apps/platform` layout
- confirm web, queue, and scheduler processes all start from the expected working directory in staging/production
- verify no legacy volume mounts or asset-publish paths still point at the old root-level `public/` or `storage/` locations

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #213
2026-04-08 08:40:47 +00:00

137 lines
5.3 KiB
PHP
Raw Blame History

<?php
use App\Services\Intune\IntuneRoleDefinitionNormalizer;
it('normalizes built-in intune role definitions into readable permission blocks', function (): void {
$normalizer = app(IntuneRoleDefinitionNormalizer::class);
$snapshot = [
'@odata.type' => '#microsoft.graph.deviceAndAppManagementRoleDefinition',
'displayName' => 'Policy and Profile Manager',
'description' => 'Built-in RBAC role',
'isBuiltIn' => true,
'rolePermissions' => [
[
'resourceActions' => [
[
'allowedResourceActions' => [
'Microsoft.Intune/deviceConfigurations/read',
'Microsoft.Intune/deviceConfigurations/create',
],
'notAllowedResourceActions' => [
'Microsoft.Intune/deviceConfigurations/delete',
],
],
],
],
],
'roleScopeTagIds' => ['scope-1', '0'],
];
$result = $normalizer->normalize($snapshot, 'intuneRoleDefinition', 'all');
$summary = collect($result['settings'])->firstWhere('title', 'Role definition');
$permissionBlock = collect($result['settings'])->firstWhere('title', 'Permission block 1');
$summaryEntries = collect($summary['entries'] ?? [])->keyBy('key');
$permissionEntries = collect($permissionBlock['entries'] ?? [])->keyBy('key');
expect($result['status'])->toBe('ok');
expect($summaryEntries['Role source']['value'] ?? null)->toBe('Built-in');
expect($summaryEntries['Permission blocks']['value'] ?? null)->toBe(1);
expect($summaryEntries['Scope tag IDs']['value'] ?? null)->toBe(['scope-1', '0']);
expect($permissionEntries['Allowed actions']['value'] ?? null)->toBe([
'Microsoft.Intune/deviceConfigurations/create',
'Microsoft.Intune/deviceConfigurations/read',
]);
expect($permissionEntries['Denied actions']['value'] ?? null)->toBe([
'Microsoft.Intune/deviceConfigurations/delete',
]);
});
it('flattens custom intune role definitions deterministically regardless of permission block order', function (): void {
$normalizer = app(IntuneRoleDefinitionNormalizer::class);
$firstSnapshot = [
'displayName' => 'Custom RBAC Role',
'isBuiltIn' => false,
'rolePermissions' => [
[
'resourceActions' => [
[
'allowedResourceActions' => [
'Microsoft.Intune/deviceCompliancePolicies/read',
],
],
],
],
[
'resourceActions' => [
[
'allowedResourceActions' => [
'Microsoft.Intune/deviceConfigurations/read',
],
'condition' => '@Resource[Microsoft.Intune/deviceConfigurations] Exists',
],
],
],
],
];
$secondSnapshot = [
'displayName' => 'Custom RBAC Role',
'isBuiltIn' => false,
'rolePermissions' => [
$firstSnapshot['rolePermissions'][1],
$firstSnapshot['rolePermissions'][0],
],
];
expect($normalizer->flattenForDiff($firstSnapshot, 'intuneRoleDefinition', 'all'))
->toBe($normalizer->flattenForDiff($secondSnapshot, 'intuneRoleDefinition', 'all'));
});
it('classifies metadata-only role definition changes separately from permission changes', function (): void {
$normalizer = app(IntuneRoleDefinitionNormalizer::class);
$baselineSnapshot = [
'displayName' => 'Custom RBAC Role',
'description' => 'Baseline description',
'isBuiltIn' => false,
'rolePermissions' => [
[
'resourceActions' => [
[
'allowedResourceActions' => [
'Microsoft.Intune/deviceConfigurations/read',
],
],
],
],
],
'roleScopeTagIds' => ['0'],
];
$metadataOnlySnapshot = $baselineSnapshot;
$metadataOnlySnapshot['description'] = 'Updated description';
$permissionChangedSnapshot = $baselineSnapshot;
$permissionChangedSnapshot['rolePermissions'][0]['resourceActions'][0]['allowedResourceActions'][] = 'Microsoft.Intune/deviceConfigurations/delete';
$metadataDiff = $normalizer->classifyDiff($baselineSnapshot, $metadataOnlySnapshot, 'all');
$permissionDiff = $normalizer->classifyDiff($baselineSnapshot, $permissionChangedSnapshot, 'all');
expect($metadataDiff['diff_kind'])->toBe('metadata_only');
expect($metadataDiff['changed_keys'])->toBe([
'Role definition > Description',
]);
expect($metadataDiff['metadata_keys'])->toBe([
'Role definition > Description',
]);
expect($metadataDiff['permission_keys'])->toBe([]);
expect($metadataDiff['diff_fingerprint'])->not->toBe($permissionDiff['diff_fingerprint']);
expect($permissionDiff['diff_kind'])->toBe('permission_change');
expect($permissionDiff['changed_keys'])->toContain('Permission block 1 > Allowed actions');
expect($permissionDiff['permission_keys'])->toContain('Permission block 1 > Allowed actions');
});
Reference in New Issue View Git Blame Copy Permalink