ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
19132dc433
TenantAtlas/apps/platform/app/Services/Workspaces/WorkspaceLifecycleService.php
ahmido 210508db9d feat: implement workspace and tenant closure lifecycle (#337) 
## Summary
- add explicit workspace closure and tenant removal lifecycle truth with a bounded `WorkspaceLifecycleService`
- surface closure and removal posture across admin/system pages, chooser recovery, and canonical historical viewers
- block new review-pack and operation starts for closed workspaces or removed tenants while preserving memberships, audit, and history
- add focused Pest coverage plus the Spec 292 artifacts for the implemented slice

## Testing
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/System/Directory/ViewWorkspaceClosureTest.php tests/Feature/System/Ops/ClosedWorkspaceHistoricalAccessTest.php tests/Feature/Filament/Resources/Workspaces/WorkspaceClosureStatusTest.php tests/Feature/Filament/Resources/TenantResource/TenantWorkspaceRemovalTest.php tests/Feature/Filament/Pages/WorkspaceContextClosureRecoveryTest.php`
- `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- manual integrated-browser smoke for admin tenant remove/restore plus chooser recovery and system workspace close/reopen

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #337
2026-05-07 13:12:17 +00:00

285 lines
10 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Services\Workspaces;
use App\Models\ManagedEnvironment;
use App\Models\PlatformUser;
use App\Models\User;
use App\Models\Workspace;
use App\Services\Audit\WorkspaceAuditLogger;
use App\Services\Auth\CapabilityResolver;
use App\Support\Audit\AuditActionId;
use App\Support\Auth\Capabilities;
use App\Support\Auth\PlatformCapabilities;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Support\Facades\DB;
use Illuminate\Validation\ValidationException;
final class WorkspaceLifecycleService
{
public const WORKSPACE_POSTURE_OPEN = 'open';
public const WORKSPACE_POSTURE_CLOSED = 'closed';
public const TENANT_POSTURE_ACTIVE = 'active';
public const TENANT_POSTURE_REMOVED = 'removed_from_workspace';
public function __construct(
private readonly WorkspaceAuditLogger $auditLogger,
private readonly CapabilityResolver $capabilityResolver,
) {}
public function workspacePosture(Workspace $workspace): string
{
return $workspace->isClosed()
? self::WORKSPACE_POSTURE_CLOSED
: self::WORKSPACE_POSTURE_OPEN;
}
public function tenantPosture(ManagedEnvironment $tenant): string
{
return $tenant->isRemovedFromWorkspace()
? self::TENANT_POSTURE_REMOVED
: self::TENANT_POSTURE_ACTIVE;
}
public function assertWorkspaceMutationAllowed(Workspace $workspace): void
{
if (! $workspace->isClosed()) {
return;
}
throw ValidationException::withMessages([
'workspace' => 'This workspace is closed. Reopen it before making workspace or tenant changes.',
]);
}
public function closeWorkspace(Workspace $workspace, PlatformUser $actor, string $reason): Workspace
{
$this->authorizePlatformDirectoryManagement($actor);
$reason = $this->normalizeReason($reason);
return DB::transaction(function () use ($workspace, $actor, $reason): Workspace {
$workspace = Workspace::query()->lockForUpdate()->findOrFail($workspace->getKey());
if ($workspace->isClosed()) {
throw ValidationException::withMessages([
'reason' => 'This workspace is already closed.',
]);
}
$workspace->forceFill([
'closed_at' => now(),
'closed_by_platform_user_id' => (int) $actor->getKey(),
'closed_reason' => $reason,
])->save();
ManagedEnvironment::query()
->where('workspace_id', (int) $workspace->getKey())
->where('is_current', true)
->update(['is_current' => false]);
$this->auditLogger->log(
workspace: $workspace,
action: AuditActionId::WorkspaceClosed,
context: [
'reason' => $reason,
'before_status' => self::WORKSPACE_POSTURE_OPEN,
'after_status' => self::WORKSPACE_POSTURE_CLOSED,
'closed_at' => $workspace->closed_at?->toISOString(),
],
actor: $actor,
resourceType: 'workspace',
resourceId: (string) $workspace->getKey(),
targetLabel: (string) $workspace->name,
summary: 'Workspace closed for '.$workspace->name,
);
return $workspace;
});
}
public function reopenWorkspace(Workspace $workspace, PlatformUser $actor, string $reason): Workspace
{
$this->authorizePlatformDirectoryManagement($actor);
$reason = $this->normalizeReason($reason);
return DB::transaction(function () use ($workspace, $actor, $reason): Workspace {
$workspace = Workspace::query()->lockForUpdate()->findOrFail($workspace->getKey());
if (! $workspace->isClosed()) {
throw ValidationException::withMessages([
'reason' => 'This workspace is already open.',
]);
}
$previousClosedAt = $workspace->closed_at;
$previousReason = $workspace->closureReason();
$previousActorId = $workspace->closed_by_platform_user_id;
$workspace->forceFill([
'closed_at' => null,
'closed_by_platform_user_id' => null,
'closed_reason' => null,
])->save();
$this->auditLogger->log(
workspace: $workspace,
action: AuditActionId::WorkspaceReopened,
context: [
'reason' => $reason,
'before_status' => self::WORKSPACE_POSTURE_CLOSED,
'after_status' => self::WORKSPACE_POSTURE_OPEN,
'previous_closed_at' => $previousClosedAt?->toISOString(),
'previous_closed_reason' => $previousReason,
'previous_closed_by_platform_user_id' => $previousActorId,
],
actor: $actor,
resourceType: 'workspace',
resourceId: (string) $workspace->getKey(),
targetLabel: (string) $workspace->name,
summary: 'Workspace reopened for '.$workspace->name,
);
return $workspace;
});
}
public function removeTenantFromWorkspace(ManagedEnvironment $tenant, User $actor, string $reason): ManagedEnvironment
{
$reason = $this->normalizeReason($reason);
return DB::transaction(function () use ($tenant, $actor, $reason): ManagedEnvironment {
$tenant = ManagedEnvironment::query()
->with(['workspace'])
->withTrashed()
->lockForUpdate()
->findOrFail($tenant->getKey());
if (! $this->capabilityResolver->can($actor, $tenant, Capabilities::TENANT_DELETE)) {
throw new AuthorizationException('You are not allowed to remove this tenant from the workspace.');
}
if ($tenant->workspace?->isClosed()) {
$this->assertWorkspaceMutationAllowed($tenant->workspace);
}
if ($tenant->isRemovedFromWorkspace()) {
throw ValidationException::withMessages([
'reason' => 'This tenant is already removed from the workspace.',
]);
}
$tenant->forceFill([
'removed_from_workspace_at' => now(),
'removed_from_workspace_by_user_id' => (int) $actor->getKey(),
'removed_from_workspace_reason' => $reason,
'is_current' => false,
])->save();
app(WorkspaceContext::class)->clearRememberedTenantContext();
$this->auditLogger->logTenantLifecycleAction(
tenant: $tenant,
action: AuditActionId::TenantRemovedFromWorkspace,
context: [
'reason' => $reason,
'before_status' => self::TENANT_POSTURE_ACTIVE,
'after_status' => self::TENANT_POSTURE_REMOVED,
'removed_from_workspace_at' => $tenant->removed_from_workspace_at?->toISOString(),
],
actor: $actor,
summary: 'ManagedEnvironment removed from workspace for '.$tenant->name,
);
return $tenant;
});
}
public function restoreTenantToWorkspace(ManagedEnvironment $tenant, User $actor, string $reason): ManagedEnvironment
{
$reason = $this->normalizeReason($reason);
return DB::transaction(function () use ($tenant, $actor, $reason): ManagedEnvironment {
$tenant = ManagedEnvironment::query()
->with(['workspace'])
->withTrashed()
->lockForUpdate()
->findOrFail($tenant->getKey());
if (! $this->capabilityResolver->can($actor, $tenant, Capabilities::TENANT_DELETE)) {
throw new AuthorizationException('You are not allowed to restore this tenant to the workspace.');
}
if ($tenant->workspace?->isClosed()) {
$this->assertWorkspaceMutationAllowed($tenant->workspace);
}
if (! $tenant->isRemovedFromWorkspace()) {
throw ValidationException::withMessages([
'reason' => 'This tenant is not removed from the workspace.',
]);
}
$previousRemovedAt = $tenant->removed_from_workspace_at;
$previousReason = $tenant->workspaceRemovalReason();
$previousActorId = $tenant->removed_from_workspace_by_user_id;
$tenant->forceFill([
'removed_from_workspace_at' => null,
'removed_from_workspace_by_user_id' => null,
'removed_from_workspace_reason' => null,
])->save();
$this->auditLogger->logTenantLifecycleAction(
tenant: $tenant,
action: AuditActionId::TenantRestoredToWorkspace,
context: [
'reason' => $reason,
'before_status' => self::TENANT_POSTURE_REMOVED,
'after_status' => self::TENANT_POSTURE_ACTIVE,
'previous_removed_from_workspace_at' => $previousRemovedAt?->toISOString(),
'previous_removed_from_workspace_reason' => $previousReason,
'previous_removed_from_workspace_by_user_id' => $previousActorId,
],
actor: $actor,
summary: 'ManagedEnvironment restored to workspace for '.$tenant->name,
);
return $tenant;
});
}
private function authorizePlatformDirectoryManagement(PlatformUser $actor): void
{
if ($actor->hasCapability(PlatformCapabilities::DIRECTORY_MANAGE)) {
return;
}
throw new AuthorizationException('You are not allowed to manage workspace lifecycle.');
}
private function normalizeReason(string $reason): string
{
$reason = trim($reason);
if (mb_strlen($reason) < 5) {
throw ValidationException::withMessages([
'reason' => 'Provide a reason with at least 5 characters.',
]);
}
if (mb_strlen($reason) > 2000) {
throw ValidationException::withMessages([
'reason' => 'Provide a reason with 2000 characters or fewer.',
]);
}
return $reason;
}
}
Reference in New Issue View Git Blame Copy Permalink