ahmido
92a36ab89e
Implements Spec 093 (SCOPE-001) workspace isolation at the data layer. What changed - Adds `workspace_id` to 12 tenant-owned tables and enforces correct binding. - Model write-path enforcement derives workspace from tenant + rejects mismatches. - Prevents `tenant_id` changes (immutability) on tenant-owned records. - Adds queued backfill command + job (`tenantpilot:backfill-workspace-ids`) with OperationRun + AuditLog observability. - Enforces DB constraints (NOT NULL + FK `workspace_id` → `workspaces.id` + composite FK `(tenant_id, workspace_id)` → `tenants(id, workspace_id)`), plus audit_logs invariant. UI / operator visibility - Monitor backfill runs in **Monitoring → Operations** (OperationRun). Tests - `vendor/bin/sail artisan test --compact tests/Feature/WorkspaceIsolation` Notes - Backfill is queued: ensure a queue worker is running (`vendor/bin/sail artisan queue:work`). Spec package - `specs/093-scope-001-workspace-id-isolation/` (plan, tasks, contracts, quickstart, research) Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #112
90 lines
2.8 KiB
PHP
90 lines
2.8 KiB
PHP
<?php
|
|
|
|
use App\Models\AuditLog;
|
|
use App\Models\Tenant;
|
|
use App\Models\Workspace;
|
|
use App\Services\Intune\AuditLogger;
|
|
use Illuminate\Database\QueryException;
|
|
use Illuminate\Support\Facades\DB;
|
|
|
|
it('stores workspace_id for tenant scoped audit writes', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
]);
|
|
|
|
$log = app(AuditLogger::class)->log(
|
|
tenant: $tenant,
|
|
action: 'workspace_isolation.audit_logger_test',
|
|
context: ['source' => 'test'],
|
|
status: 'success',
|
|
);
|
|
|
|
expect((int) $log->tenant_id)->toBe((int) $tenant->getKey());
|
|
expect((int) $log->workspace_id)->toBe((int) $workspace->getKey());
|
|
});
|
|
|
|
it('allows workspace only and platform only audit scopes', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
|
|
$workspaceScoped = AuditLog::query()->create([
|
|
'tenant_id' => null,
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'actor_id' => null,
|
|
'actor_email' => null,
|
|
'actor_name' => null,
|
|
'action' => 'workspace_isolation.workspace_scope',
|
|
'resource_type' => 'workspace',
|
|
'resource_id' => (string) $workspace->getKey(),
|
|
'status' => 'success',
|
|
'metadata' => [],
|
|
'recorded_at' => now(),
|
|
]);
|
|
|
|
$platformScoped = AuditLog::query()->create([
|
|
'tenant_id' => null,
|
|
'workspace_id' => null,
|
|
'actor_id' => null,
|
|
'actor_email' => null,
|
|
'actor_name' => null,
|
|
'action' => 'workspace_isolation.platform_scope',
|
|
'resource_type' => null,
|
|
'resource_id' => null,
|
|
'status' => 'success',
|
|
'metadata' => [],
|
|
'recorded_at' => now(),
|
|
]);
|
|
|
|
expect($workspaceScoped->exists)->toBeTrue();
|
|
expect($platformScoped->exists)->toBeTrue();
|
|
});
|
|
|
|
it('rejects tenant scoped audit rows without workspace_id at the database layer', function (): void {
|
|
if (DB::getDriverName() === 'sqlite') {
|
|
$this->markTestSkipped('Audit scope check constraint is enforced on pgsql/mysql migrations.');
|
|
}
|
|
|
|
$workspace = Workspace::factory()->create();
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
]);
|
|
|
|
expect(fn () => DB::table('audit_logs')->insert([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => null,
|
|
'actor_id' => null,
|
|
'actor_email' => null,
|
|
'actor_name' => null,
|
|
'action' => 'workspace_isolation.invalid_scope',
|
|
'resource_type' => 'tenant',
|
|
'resource_id' => (string) $tenant->getKey(),
|
|
'status' => 'failed',
|
|
'metadata' => json_encode([], JSON_THROW_ON_ERROR),
|
|
'recorded_at' => now(),
|
|
'created_at' => now(),
|
|
'updated_at' => now(),
|
|
]))->toThrow(QueryException::class);
|
|
});
|