ahmido
1655cc481e
## Summary - migrate provider connections to the canonical three-dimension state model: lifecycle via `is_enabled`, consent via `consent_status`, and verification via `verification_status` - remove legacy provider status and health badge paths, update admin and system directory surfaces, and align onboarding, consent callback, verification, resolver, and mutation flows with the new model - add the Spec 188 artifact set, schema migrations, guard coverage, and expanded provider-state tests across admin, system, onboarding, verification, and rendering paths ## Verification - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/SystemPanelAuthTest.php tests/Feature/Filament/TenantGlobalSearchLifecycleScopeTest.php tests/Feature/ProviderConnections/ProviderConnectionEnableDisableTest.php tests/Feature/ProviderConnections/ProviderConnectionTruthCleanupSpec179Test.php` - integrated browser smoke: validated admin provider list/detail/edit, tenant provider summary, system directory tenant detail, provider-connection search exclusion, and cleaned up the temporary smoke record afterward ## Filament / implementation notes - Livewire v4.0+ compliance: preserved; this change targets Filament v5 on Livewire v4 and does not introduce older APIs - Provider registration location: unchanged; Laravel 11+ panel providers remain registered in `bootstrap/providers.php` - Globally searchable resources: `ProviderConnectionResource` remains intentionally excluded from global search; tenant global search remains enabled and continues to resolve to view pages - Destructive actions: no new destructive action surface was introduced without confirmation or authorization; existing capability checks continue to gate provider mutations - Asset strategy: unchanged; no new Filament assets were added, so deploy behavior for `php artisan filament:assets` remains unchanged - Testing plan covered: system auth, tenant global search, provider lifecycle enable/disable behavior, and provider truth cleanup cutover behavior Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #219
125 lines
4.6 KiB
PHP
125 lines
4.6 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Providers;
|
|
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\Tenant;
|
|
use App\Support\Providers\ProviderConsentStatus;
|
|
use App\Support\Providers\ProviderReasonCodes;
|
|
|
|
final class ProviderConnectionResolver
|
|
{
|
|
public function __construct(
|
|
private readonly ProviderIdentityResolver $identityResolver,
|
|
) {}
|
|
|
|
public function resolveDefault(Tenant $tenant, string $provider): ProviderConnectionResolution
|
|
{
|
|
$defaults = ProviderConnection::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('provider', $provider)
|
|
->where('is_default', true)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
if ($defaults->count() === 0) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionMissing,
|
|
'No default provider connection is configured for this tenant/provider.',
|
|
);
|
|
}
|
|
|
|
if ($defaults->count() > 1) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Multiple default provider connections were detected.',
|
|
'ext.multiple_defaults_detected',
|
|
);
|
|
}
|
|
|
|
/** @var ProviderConnection $connection */
|
|
$connection = $defaults->first();
|
|
|
|
return $this->validateConnection($tenant, $provider, $connection);
|
|
}
|
|
|
|
public function validateConnection(Tenant $tenant, string $provider, ProviderConnection $connection): ProviderConnectionResolution
|
|
{
|
|
if ((int) $connection->tenant_id !== (int) $tenant->getKey() || (string) $connection->provider !== $provider) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Provider connection does not match tenant/provider scope.',
|
|
'ext.connection_scope_mismatch',
|
|
$connection,
|
|
);
|
|
}
|
|
|
|
if (! (bool) $connection->is_enabled) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Provider connection is disabled.',
|
|
'ext.connection_disabled',
|
|
$connection,
|
|
);
|
|
}
|
|
|
|
if ($connection->entra_tenant_id === null || trim((string) $connection->entra_tenant_id) === '') {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Provider connection is missing target tenant scope.',
|
|
'ext.connection_tenant_missing',
|
|
$connection,
|
|
);
|
|
}
|
|
|
|
$consentBlocker = $this->consentBlocker($connection);
|
|
|
|
if ($consentBlocker instanceof ProviderConnectionResolution) {
|
|
return $consentBlocker;
|
|
}
|
|
|
|
$identity = $this->identityResolver->resolve($connection);
|
|
|
|
if (! $identity->resolved) {
|
|
return ProviderConnectionResolution::blocked(
|
|
$identity->effectiveReasonCode(),
|
|
$identity->message,
|
|
connection: $connection,
|
|
);
|
|
}
|
|
|
|
return ProviderConnectionResolution::resolved($connection);
|
|
}
|
|
|
|
private function consentBlocker(ProviderConnection $connection): ?ProviderConnectionResolution
|
|
{
|
|
$consentStatus = $connection->consent_status;
|
|
|
|
if (! $consentStatus instanceof ProviderConsentStatus && is_string($consentStatus)) {
|
|
$consentStatus = ProviderConsentStatus::tryFrom(trim($consentStatus));
|
|
}
|
|
|
|
return match ($consentStatus) {
|
|
ProviderConsentStatus::Required => ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConsentMissing,
|
|
'Provider connection requires admin consent before use.',
|
|
'ext.connection_needs_consent',
|
|
$connection,
|
|
),
|
|
ProviderConsentStatus::Failed => ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConsentFailed,
|
|
'Provider connection consent failed. Retry admin consent before use.',
|
|
'ext.connection_consent_failed',
|
|
$connection,
|
|
),
|
|
ProviderConsentStatus::Revoked => ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConsentRevoked,
|
|
'Provider connection consent was revoked. Grant admin consent again before use.',
|
|
'ext.connection_consent_revoked',
|
|
$connection,
|
|
),
|
|
default => null,
|
|
};
|
|
}
|
|
}
|