TenantAtlas/apps/platform/tests/Feature/TenantConfiguration/Spec417IdentityClaimGuardFeatureTest.php
ahmido 8cbf1f7fe3 feat: implement canonical identity engine (#484)
Automated PR provided by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #484
2026-06-26 06:50:25 +00:00


<?php
declare(strict_types=1);
use App\Models\ProviderConnection;
use App\Models\TenantConfigurationResourceType;
use App\Services\TenantConfiguration\CoverageResourceUpserter;
use App\Services\TenantConfiguration\CoverageSourceContractResolver;
use App\Services\TenantConfiguration\ResourceTypeRegistry;
use App\Support\TenantConfiguration\ClaimState;
use App\Support\TenantConfiguration\IdentityState;
it('Spec417 stores blocked or limited claim state from identity evaluation during upsert', function (): void {
    // Arrange: an owner tenant, a provider connection for it, and the registry-backed resource type.
    [, $tenant] = createMinimalUserWithTenant(role: 'owner');
    $connection = spec417ClaimConnection($tenant);
    $resourceType = spec417ClaimResourceType('deviceAndAppManagementAssignmentFilter');
    $contract = app(CoverageSourceContractResolver::class)->resolve($resourceType);

    // Both upserts differ only in their payload, so route them through one local helper.
    $upsert = static fn (array $payload) => app(CoverageResourceUpserter::class)->upsert(
        tenant: $tenant,
        providerConnection: $connection,
        resourceType: $resourceType,
        payload: $payload,
        sourceMetadata: $contract->sourceMetadata,
    );

    // Full payload without an explicit id: identity has to be derived from the other fields.
    $derived = $upsert([
        'platform' => 'windows10AndLater',
        'assignmentFilterManagementType' => 'devices',
        'rule' => '(device.deviceId -ne null)',
        'displayName' => 'Derived',
    ]);
    // Display name only: nothing to derive or match an external id from.
    $missing = $upsert(['displayName' => 'Missing id']);

    // Derived identity is only claim-limited; a missing external id blocks the claim outright.
    expect($derived->latest_identity_state)->toBe(IdentityState::Derived);
    expect($derived->latest_claim_state)->toBe(ClaimState::ClaimLimited);
    expect($missing->latest_identity_state)->toBe(IdentityState::MissingExternalId);
    expect($missing->latest_claim_state)->toBe(ClaimState::ClaimBlocked);
});
it('Spec417 keeps beta identity internal or claim-blocked by default', function (): void {
    [, $tenant] = createMinimalUserWithTenant(role: 'owner');
    $connection = spec417ClaimConnection($tenant);
    $resourceType = spec417ClaimResourceType('roleScopeTag');

    // Source metadata pinned to the beta contract version instead of the resolver's default.
    $betaMetadata = [
        'source_contract_key' => 'roleScopeTag',
        'source_version' => 'beta',
    ];

    $scopeTag = app(CoverageResourceUpserter::class)->upsert(
        tenant: $tenant,
        providerConnection: $connection,
        resourceType: $resourceType,
        payload: ['id' => 'scope-tag-1', 'displayName' => 'Pilot'],
        sourceMetadata: $betaMetadata,
    );

    // Even with an id present, a beta-sourced resource stays internal-only by default.
    expect($scopeTag->latest_identity_state)->toBe(IdentityState::Derived);
    expect($scopeTag->latest_claim_state)->toBe(ClaimState::InternalOnly);
});
/**
 * Look up the registry-managed resource type for a canonical type name.
 *
 * Defaults are synced first so the row exists in a fresh test database
 * (presumably what syncDefaults() seeds — confirm against ResourceTypeRegistry).
 *
 * @throws \Illuminate\Database\Eloquent\ModelNotFoundException when no row matches $canonicalType
 */
function spec417ClaimResourceType(string $canonicalType): TenantConfigurationResourceType
{
    $registry = app(ResourceTypeRegistry::class);
    $registry->syncDefaults();

    $lookup = TenantConfigurationResourceType::query()
        ->where('canonical_type', $canonicalType);

    return $lookup->firstOrFail();
}
/**
 * Create a persisted provider connection scoped to the given tenant.
 *
 * @param object $tenant presumably the tenant model returned by createMinimalUserWithTenant();
 *                       only workspace_id and getKey() are read here — confirm against the caller
 */
function spec417ClaimConnection($tenant): ProviderConnection
{
    // Both foreign keys are cast to int so the factory receives integers, not string/null attributes.
    $attributes = [
        'workspace_id' => (int) $tenant->workspace_id,
        'managed_environment_id' => (int) $tenant->getKey(),
    ];

    return ProviderConnection::factory()->create($attributes);
}