ahmido
bab01f07a9
## Summary - standardize Microsoft provider connections around explicit platform vs dedicated identity modes - centralize admin-consent URL and runtime identity resolution so platform flows no longer fall back to tenant-local credentials - add migration classification, richer consent and verification state handling, dedicated override management, and focused regression coverage ## Validation - focused repo test coverage was added across provider identity, onboarding, audit, policy, guard, and migration flows - latest explicit passing run in the workspace: `vendor/bin/sail artisan test --compact tests/Feature/AdminConsentCallbackTest.php tests/Feature/Audit/ProviderConnectionConsentAuditTest.php` ## Notes - branch includes the full Spec 137 artifact set under `specs/137-platform-provider-identity/` - target base branch: `dev` Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #166
163 lines
6.0 KiB
PHP
163 lines
6.0 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\AuditLog;
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\ProviderCredential;
|
|
use App\Services\Providers\CredentialManager;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('Spec081 audits credential creation with stable action and no secret leakage', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->dedicated()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
$secret = 'spec081-secret-created';
|
|
|
|
$this->actingAs($user);
|
|
|
|
app(CredentialManager::class)->upsertClientSecretCredential(
|
|
connection: $connection,
|
|
clientId: 'spec081-client-created',
|
|
clientSecret: $secret,
|
|
);
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_created')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->actor_id)->toBe((int) $user->getKey())
|
|
->and($log?->metadata['provider_connection_id'] ?? null)->toBe((int) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_id')
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_secret')
|
|
->and($log?->metadata['redacted_fields'] ?? [])->toContain('client_secret')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain($secret);
|
|
});
|
|
|
|
it('Spec081 audits client id updates as credentials_updated without leaking secrets', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->dedicated()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
ProviderCredential::factory()->create([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'payload' => [
|
|
'client_id' => 'spec081-client-before',
|
|
'client_secret' => 'spec081-secret-before',
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user);
|
|
|
|
app(CredentialManager::class)->updateClientIdPreservingSecret(
|
|
connection: $connection,
|
|
clientId: 'spec081-client-after',
|
|
);
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_updated')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_id')
|
|
->and($log?->metadata['changed_fields'] ?? [])->not->toContain('client_secret')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain('spec081-secret-before');
|
|
});
|
|
|
|
it('Spec081 audits secret rotation as credentials_rotated with redacted metadata', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->dedicated()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
ProviderCredential::factory()->create([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'payload' => [
|
|
'client_id' => 'spec081-client-stable',
|
|
'client_secret' => 'spec081-secret-before-rotate',
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user);
|
|
|
|
$rotatedSecret = 'spec081-secret-after-rotate';
|
|
|
|
app(CredentialManager::class)->upsertClientSecretCredential(
|
|
connection: $connection,
|
|
clientId: 'spec081-client-stable',
|
|
clientSecret: $rotatedSecret,
|
|
);
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_rotated')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_secret')
|
|
->and($log?->metadata['redacted_fields'] ?? [])->toContain('client_secret')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain($rotatedSecret);
|
|
});
|
|
|
|
it('Spec081 audits dedicated credential deletion without leaking secrets', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->dedicated()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
$credential = ProviderCredential::factory()->create([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'payload' => [
|
|
'client_id' => 'spec081-client-delete',
|
|
'client_secret' => 'spec081-secret-delete',
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user);
|
|
|
|
$credential->delete();
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_deleted')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_id')
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_secret')
|
|
->and($log?->metadata['connection_type'] ?? null)->toBe('dedicated')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain('spec081-secret-delete');
|
|
});
|