TenantAtlas/apps/platform/tests/Browser/Spec421EntraComparableRenderableOperatorSurfaceSmokeTest.php

<?php

declare(strict_types=1);

use App\Filament\Pages\TenantConfiguration\CoverageV2Readiness;
use App\Models\ManagedEnvironment;
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Models\TenantConfigurationResource;
use App\Models\TenantConfigurationResourceEvidence;
use App\Models\TenantConfigurationResourceType;
use App\Models\TenantConfigurationSupportedScope;
use App\Models\User;
use App\Services\TenantConfiguration\ResourceTypeRegistry;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\OperationRunType;
use App\Support\TenantConfiguration\CanonicalKeyKind;
use App\Support\TenantConfiguration\CaptureOutcome;
use App\Support\TenantConfiguration\ClaimState;
use App\Support\TenantConfiguration\CoverageLevel;
use App\Support\TenantConfiguration\EvidenceState;
use App\Support\TenantConfiguration\IdentityState;
use App\Support\TenantConfiguration\SourceClass;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

pest()->browser()->timeout(60_000);

it('Spec421 smokes the Coverage v2 inspect surface for Entra comparable renderable evidence', function (): void {
    [$user, $environment] = spec421CoverageV2BrowserFixture();
    spec421AuthenticateCoverageV2Browser($this, $user, $environment);

    $page = visit(CoverageV2Readiness::getUrl(tenant: $environment, panel: 'admin'))
        ->resize(768, 1100)
        ->waitForText('Coverage v2 Readiness')
        ->waitForText('Spec421 Browser Conditional Access policy')
        ->assertSee('Resource type registry')
        ->assertSee('Resource instances')
        ->assertSee('Conditional Access policy')
        ->assertSee('Coverage level')
        ->assertSee('Renderable')
        ->assertSee('Internal only')
        ->assertDontSee('Entra covered')
        ->assertDontSee('certified')
        ->assertDontSee('restore-ready')
        ->assertDontSee('customer-ready')
        ->assertDontSee('100% Entra')
        ->assertDontSee('spec421-raw-secret')
        ->assertDontSee('spec421-normalized-secret')
        ->assertScript('typeof window.Livewire !== "undefined"', true)
        ->assertScript(<<<'JS'
            (() => {
                const badge = Array.from(document.querySelectorAll('span.fi-badge'))
                    .find((element) => element.textContent.trim() === 'Ready');
                const section = badge?.closest('section');

                if (! badge || ! section) {
                    return false;
                }

                const badgeRect = badge.getBoundingClientRect();
                const sectionRect = section.getBoundingClientRect();

                return badgeRect.width >= 60
                    && badgeRect.right <= sectionRect.right
                    && getComputedStyle(badge).whiteSpace === 'nowrap';
            })()
        JS, true)
        ->assertScript('(() => document.querySelectorAll("table tbody tr").length > 0)()', true)
        ->assertScript(<<<'JS'
            (() => {
                const row = Array.from(document.querySelectorAll('table tbody tr'))
                    .find((candidate) => candidate.textContent.includes('Spec421 Browser Conditional Access policy'));
                const resourceTypeCellText = row?.querySelectorAll('td')?.[1]?.innerText ?? '';

                return resourceTypeCellText.includes('Conditional Access policy')
                    && ! resourceTypeCellText.includes('conditionalAccessPolicy');
            })()
        JS, true)
        ->assertScript("(() => performance.getEntriesByType('resource').filter((entry) => /graph\\.microsoft\\.com|\\/tcm\\b|provider-remote/i.test(entry.name)).length)()", 0)
        ->assertScript("(() => Array.from(document.querySelectorAll('main button, main a')).map((element) => element.textContent.trim()).filter(Boolean).some((label) => /^(Capture|Restore|Certify|Export|Download)$/i.test(label)))()", false)
        ->assertNoJavaScriptErrors()
        ->assertNoConsoleLogs();

    $page->script(<<<'JS'
        (() => {
            const rows = Array.from(document.querySelectorAll('table tbody tr'));
            const row = rows.find((candidate) => candidate.textContent.includes('Spec421 Browser Conditional Access policy'));
            const inspect = Array.from(row?.querySelectorAll('button, a') ?? [])
                .find((element) => element.textContent.includes('Spec421 Browser Conditional Access policy'));

            inspect?.click();
        })()
    JS);

    $page
        ->waitForText('Coverage: Renderable')
        ->assertSee('Conditional Access policy')
        ->assertSee('Display name')
        ->assertSee('Spec421 Browser Conditional Access policy')
        ->assertSee('State')
        ->assertSee('enabled')
        ->assertSee('Grant controls')
        ->assertSee('Built-in: mfa')
        ->assertSee('Compare summary')
        ->assertSee('Material changes detected')
        ->assertSee('Previous comparable evidence')
        ->assertSee('Grant Controls Built In Controls')
        ->assertSee('Users')
        ->assertSee('Include All')
        ->assertSee('Applications')
        ->assertSee('Include Office365')
        ->assertSee('Redacted fields')
        ->assertSee('clientSecret')
        ->assertSee('Evidence: Content backed')
        ->assertSee('Identity: Stable')
        ->assertSee('Claim: Internal only')
        ->assertDontSee('Entra covered')
        ->assertDontSee('certified')
        ->assertDontSee('restore-ready')
        ->assertDontSee('customer-ready')
        ->assertDontSee('100% Entra')
        ->assertDontSee('compliantDevice')
        ->assertDontSee('spec421-raw-secret')
        ->assertDontSee('spec421-normalized-secret')
        ->assertNoJavaScriptErrors()
        ->assertNoConsoleLogs()
        ->screenshot(true, 'spec421-entra-comparable-renderable-operator-surface');
});

/**
 * @return array{0: User, 1: ManagedEnvironment}
 */
function spec421CoverageV2BrowserFixture(): array
{
    app(ResourceTypeRegistry::class)->syncDefaults();

    $environment = ManagedEnvironment::factory()->active()->create([
        'name' => 'Spec421 Browser Environment',
        'external_id' => 'spec421-browser-environment',
    ]);

    [$user, $environment] = createUserWithTenant(
        tenant: $environment,
        role: 'owner',
        workspaceRole: 'owner',
        clearCapabilityCaches: true,
    );

    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
        'display_name' => 'Spec421 Browser Microsoft provider',
    ]);

    $resourceType = TenantConfigurationResourceType::query()
        ->where('canonical_type', 'conditionalAccessPolicy')
        ->where('source_class', SourceClass::Tcm->value)
        ->firstOrFail();

    TenantConfigurationSupportedScope::factory()->create([
        'scope_key' => 'spec421_browser_internal_entra_scope',
        'display_name' => 'Spec421 Browser internal Entra scope',
        'minimum_coverage_level' => CoverageLevel::ContentBacked->value,
        'included_resource_types' => ['conditionalAccessPolicy'],
        'allow_graph_fallback' => false,
        'allow_beta' => false,
        'customer_claims_allowed' => false,
    ]);

    $previousRun = OperationRun::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
        'user_id' => (int) $user->getKey(),
        'initiator_name' => (string) $user->name,
        'type' => OperationRunType::TenantConfigurationCapture->value,
        'status' => OperationRunStatus::Completed->value,
        'outcome' => OperationRunOutcome::Succeeded->value,
        'summary_counts' => [
            'total' => 1,
            'processed' => 1,
            'succeeded' => 1,
            'skipped' => 0,
            'failed' => 0,
            'errors_recorded' => 0,
        ],
        'context' => [
            'requested_resource_types' => ['conditionalAccessPolicy'],
            'outcomes' => [
                ['canonical_type' => 'conditionalAccessPolicy', 'outcome' => CaptureOutcome::Captured->value],
            ],
        ],
        'started_at' => now()->subMinutes(6),
        'completed_at' => now()->subMinutes(5),
    ]);

    $run = OperationRun::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
        'user_id' => (int) $user->getKey(),
        'initiator_name' => (string) $user->name,
        'type' => OperationRunType::TenantConfigurationCapture->value,
        'status' => OperationRunStatus::Completed->value,
        'outcome' => OperationRunOutcome::Succeeded->value,
        'summary_counts' => [
            'total' => 1,
            'processed' => 1,
            'succeeded' => 1,
            'skipped' => 0,
            'failed' => 0,
            'errors_recorded' => 0,
        ],
        'context' => [
            'requested_resource_types' => ['conditionalAccessPolicy'],
            'outcomes' => [
                ['canonical_type' => 'conditionalAccessPolicy', 'outcome' => CaptureOutcome::Captured->value],
            ],
        ],
        'started_at' => now()->subMinute(),
        'completed_at' => now(),
    ]);

    $resource = TenantConfigurationResource::factory()->create([
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
        'provider_connection_id' => (int) $connection->getKey(),
        'resource_type_id' => (int) $resourceType->getKey(),
        'canonical_type' => 'conditionalAccessPolicy',
        'canonical_resource_key' => 'conditionalAccessPolicy:graph_object_id:cap-browser-421',
        'canonical_key_kind' => CanonicalKeyKind::GraphObjectId->value,
        'source_resource_id' => 'cap-browser-421',
        'source_display_name' => 'Spec421 Browser Conditional Access policy',
        'source_class' => SourceClass::Tcm->value,
        'source_metadata' => [
            'source_contract_key' => 'conditionalAccessPolicy',
            'source_endpoint' => '/identity/conditionalAccess/policies',
            'source_version' => 'v1.0',
            'registry_source_class' => SourceClass::Tcm->value,
            'registry_support_state' => 'out_of_scope',
        ],
        'identity_strategy' => 'graph.conditional_access_policy.v1',
        'source_identity' => [
            'primary_field' => 'id',
            'primary_value' => 'cap-browser-421',
        ],
        'identity_diagnostics' => [
            'reason_code' => 'graph_object_id',
        ],
        'identity_evaluated_at' => now(),
        'latest_evidence_state' => EvidenceState::ContentBacked->value,
        'latest_identity_state' => IdentityState::Stable->value,
        'latest_claim_state' => ClaimState::InternalOnly->value,
        'latest_captured_at' => now(),
    ]);

    TenantConfigurationResourceEvidence::factory()->create([
        'resource_id' => (int) $resource->getKey(),
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
        'provider_connection_id' => (int) $connection->getKey(),
        'resource_type_id' => (int) $resourceType->getKey(),
        'operation_run_id' => (int) $previousRun->getKey(),
        'source_contract_key' => 'conditionalAccessPolicy',
        'source_endpoint' => '/identity/conditionalAccess/policies',
        'source_version' => 'v1.0',
        'source_schema_hash' => 'spec421-browser-previous-schema-hash',
        'source_metadata' => [
            'registry_source_class' => SourceClass::Tcm->value,
            'registry_support_state' => 'out_of_scope',
        ],
        'raw_payload' => ['id' => 'cap-browser-421'],
        'normalized_payload' => [
            'id' => 'cap-browser-421',
            'displayName' => 'Spec421 Browser Conditional Access policy',
            'state' => 'enabled',
            'conditions' => [
                'users' => ['includeUsers' => ['All']],
                'applications' => ['includeApplications' => ['Office365']],
            ],
            'grantControls' => ['builtInControls' => ['compliantDevice']],
        ],
        'payload_hash' => str_repeat('e', 64),
        'permission_context' => ['scopes_granted' => ['Policy.Read.All']],
        'evidence_state' => EvidenceState::ContentBacked->value,
        'coverage_level' => CoverageLevel::Comparable->value,
        'capture_outcome' => CaptureOutcome::Captured->value,
        'captured_at' => now()->subMinutes(5),
    ]);

    $evidence = TenantConfigurationResourceEvidence::factory()->create([
        'resource_id' => (int) $resource->getKey(),
        'workspace_id' => (int) $environment->workspace_id,
        'managed_environment_id' => (int) $environment->getKey(),
        'provider_connection_id' => (int) $connection->getKey(),
        'resource_type_id' => (int) $resourceType->getKey(),
        'operation_run_id' => (int) $run->getKey(),
        'source_contract_key' => 'conditionalAccessPolicy',
        'source_endpoint' => '/identity/conditionalAccess/policies',
        'source_version' => 'v1.0',
        'source_schema_hash' => 'spec421-browser-schema-hash',
        'source_metadata' => [
            'registry_source_class' => SourceClass::Tcm->value,
            'registry_support_state' => 'out_of_scope',
        ],
        'raw_payload' => ['id' => 'cap-browser-421', 'secret' => 'spec421-raw-secret'],
        'normalized_payload' => [
            'id' => 'cap-browser-421',
            'displayName' => 'Spec421 Browser Conditional Access policy',
            'state' => 'enabled',
            'conditions' => [
                'users' => ['includeUsers' => ['All']],
                'applications' => ['includeApplications' => ['Office365']],
            ],
            'grantControls' => ['builtInControls' => ['mfa']],
            'clientSecret' => '[redacted]',
        ],
        'payload_hash' => str_repeat('f', 64),
        'permission_context' => ['scopes_granted' => ['Policy.Read.All']],
        'evidence_state' => EvidenceState::ContentBacked->value,
        'coverage_level' => CoverageLevel::Renderable->value,
        'capture_outcome' => CaptureOutcome::Captured->value,
        'captured_at' => now(),
    ]);

    $resource->forceFill([
        'latest_evidence_id' => (int) $evidence->getKey(),
        'latest_payload_hash' => str_repeat('f', 64),
    ])->save();

    return [$user, $environment->refresh()];
}

function spec421AuthenticateCoverageV2Browser(
    mixed $test,
    User $user,
    ManagedEnvironment $environment,
): void {
    $workspaceId = (int) $environment->workspace_id;

    $test->actingAs($user)->withSession([
        WorkspaceContext::SESSION_KEY => $workspaceId,
        WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY => [
            (string) $workspaceId => (int) $environment->getKey(),
        ],
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, $workspaceId);
    session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
        (string) $workspaceId => (int) $environment->getKey(),
    ]);
}