ahmido
1b88d28739
## Summary - align operator-visible OperationRun terminology to canonical `Operations` / `Operation` labels across shared links, notifications, verification/onboarding surfaces, summary widgets, and monitoring/detail pages - add the Spec 171 planning artifacts under `specs/171-operations-naming-consolidation/` - close the remaining tenant dashboard and admin copy drift found during browser smoke validation ## Validation - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && vendor/bin/sail artisan test --compact tests/Unit/Support/RelatedNavigationResolverTest.php tests/Unit/Support/References/RelatedContextReferenceAdapterTest.php tests/Feature/OpsUx/NotificationViewRunLinkTest.php tests/Feature/Guards/ActionSurfaceContractTest.php tests/Feature/Operations/TenantlessOperationRunViewerTest.php tests/Feature/Filament/BackupSetResolvedReferencePresentationTest.php tests/Feature/Filament/TenantVerificationReportWidgetTest.php tests/Feature/Onboarding/OnboardingVerificationTest.php tests/Feature/Onboarding/OnboardingVerificationClustersTest.php tests/Feature/Onboarding/OnboardingVerificationV1_5UxTest.php tests/Feature/Filament/BaselineCompareSummaryConsistencyTest.php tests/Feature/Filament/WorkspaceOverviewContentTest.php tests/Feature/Filament/RecentOperationsSummaryWidgetTest.php tests/Feature/Monitoring/OperationLifecycleAggregateVisibilityTest.php tests/Feature/System/Spec114/OpsTriageActionsTest.php tests/Feature/System/Spec114/OpsFailuresViewTest.php tests/Feature/System/Spec114/OpsStuckViewTest.php` - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && vendor/bin/sail artisan test --compact tests/Browser/OnboardingDraftRefreshTest.php` - `export PATH="/bin:/usr/bin:/usr/local/bin:$PATH" && vendor/bin/sail bin pint --dirty --format agent` ## Notes - no schema or route renames - Filament / Livewire surface behavior stays within the existing admin and tenant panels - OperationRunResource remains excluded from global search Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #202
284 lines
9.6 KiB
PHP
284 lines
9.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Pages\Monitoring\Operations;
|
|
use App\Filament\Resources\RestoreRunResource\Pages\ListRestoreRuns;
|
|
use App\Models\BackupSet;
|
|
use App\Models\OperationRun;
|
|
use App\Models\RestoreRun;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Models\WorkspaceMembership;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Filament\Facades\Filament;
|
|
use Livewire\Livewire;
|
|
|
|
uses(\Illuminate\Foundation\Testing\RefreshDatabase::class);
|
|
|
|
test('operation runs default to the active tenant when tenant context is set', function (): void {
|
|
$tenantA = Tenant::factory()->create();
|
|
[$user, $tenantA] = createUserWithTenant($tenantA, role: 'owner');
|
|
|
|
$tenantB = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
'workspace_id' => (int) $tenantA->workspace_id,
|
|
]);
|
|
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenantB->getKey() => ['role' => 'owner'],
|
|
]);
|
|
|
|
$runA = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenantA->getKey(),
|
|
'workspace_id' => (int) $tenantA->workspace_id,
|
|
'type' => 'policy.sync',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'initiator_name' => 'Tenant A Scope',
|
|
]);
|
|
|
|
$runB = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenantB->getKey(),
|
|
'workspace_id' => (int) $tenantB->workspace_id,
|
|
'type' => 'inventory_sync',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'initiator_name' => 'Tenant B Scope',
|
|
]);
|
|
|
|
Filament::setTenant($tenantA, true);
|
|
|
|
$this->withSession([WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id]);
|
|
session([WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id]);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(Operations::class)
|
|
->assertCanSeeTableRecords([$runA])
|
|
->assertCanNotSeeTableRecords([$runB])
|
|
->assertSet('tableFilters.tenant_id.value', (string) $tenantA->getKey());
|
|
});
|
|
|
|
test('operation run view is not accessible cross-workspace', function (): void {
|
|
$workspaceA = Workspace::factory()->create();
|
|
$workspaceB = Workspace::factory()->create();
|
|
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspaceA->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
$tenantB = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
'workspace_id' => (int) $workspaceB->getKey(),
|
|
]);
|
|
|
|
$runB = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenantB->getKey(),
|
|
'workspace_id' => (int) $workspaceB->getKey(),
|
|
'type' => 'inventory_sync',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspaceA->getKey()])
|
|
->get(route('admin.operations.view', ['run' => (int) $runB->getKey()]))
|
|
->assertNotFound();
|
|
});
|
|
|
|
test('readonly users can view operation runs in their workspace', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'type' => 'baseline_compare',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
]);
|
|
|
|
[$user, $tenant] = createUserWithTenant($tenant, role: 'readonly');
|
|
|
|
Filament::setTenant(null, true);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get('/admin/operations')
|
|
->assertOk()
|
|
->assertSee('Baseline compare');
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertOk()
|
|
->assertSee(\App\Support\OperationRunLinks::identifier($run));
|
|
});
|
|
|
|
test('tenant-associated run viewer requires tenant entitlement even for workspace members', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'status' => 'active',
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'type' => 'provider.connection.check',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
]);
|
|
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertNotFound();
|
|
});
|
|
|
|
test('baseline compare runs with RBAC context still require tenant entitlement', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'status' => 'active',
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'type' => 'baseline_compare',
|
|
'status' => 'completed',
|
|
'outcome' => 'succeeded',
|
|
'context' => [
|
|
'baseline_profile_id' => 42,
|
|
'baseline_compare' => [
|
|
'rbac_role_definitions' => [
|
|
'total_compared' => 3,
|
|
'unchanged' => 1,
|
|
'modified' => 1,
|
|
'missing' => 1,
|
|
'unexpected' => 0,
|
|
],
|
|
],
|
|
],
|
|
]);
|
|
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertNotFound();
|
|
});
|
|
|
|
test('canonical run detail returns 403 for in-scope members missing the required capability', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'type' => 'inventory_sync',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
]);
|
|
|
|
[$user, $tenant] = createUserWithTenant($tenant, role: 'readonly');
|
|
|
|
Filament::setTenant(null, true);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertForbidden();
|
|
});
|
|
|
|
test('reconciled lifecycle run detail keeps capability denial semantics', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'type' => 'inventory_sync',
|
|
'status' => 'completed',
|
|
'outcome' => 'failed',
|
|
'context' => [
|
|
'reason_code' => 'run.infrastructure_timeout_or_abandonment',
|
|
'reconciliation' => [
|
|
'reconciled_at' => now('UTC')->toIso8601String(),
|
|
'reason' => 'Infrastructure ended the run before completion.',
|
|
'reason_code' => 'run.infrastructure_timeout_or_abandonment',
|
|
'reason_message' => 'Infrastructure ended the run before completion.',
|
|
'source' => 'failed_callback',
|
|
],
|
|
],
|
|
'failure_summary' => [[
|
|
'code' => 'operation.failed',
|
|
'reason_code' => 'run.infrastructure_timeout_or_abandonment',
|
|
'message' => 'Infrastructure ended the run before completion.',
|
|
]],
|
|
]);
|
|
|
|
[$user, $tenant] = createUserWithTenant($tenant, role: 'readonly');
|
|
|
|
Filament::setTenant(null, true);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertForbidden();
|
|
});
|
|
|
|
test('tenant-scoped restore run actions return 404 for forged foreign-tenant run keys', function (): void {
|
|
$tenantA = Tenant::factory()->create();
|
|
[$user, $tenantA] = createUserWithTenant($tenantA, role: 'owner');
|
|
|
|
$tenantB = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
'workspace_id' => (int) $tenantA->workspace_id,
|
|
]);
|
|
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenantB->getKey() => ['role' => 'owner'],
|
|
]);
|
|
|
|
$backupSet = BackupSet::factory()->create([
|
|
'tenant_id' => (int) $tenantB->getKey(),
|
|
]);
|
|
|
|
$foreignRun = RestoreRun::factory()->create([
|
|
'tenant_id' => (int) $tenantB->getKey(),
|
|
'backup_set_id' => (int) $backupSet->getKey(),
|
|
'status' => 'completed',
|
|
'is_dry_run' => true,
|
|
'requested_by' => 'owner@example.com',
|
|
]);
|
|
|
|
Filament::setTenant($tenantA, true);
|
|
|
|
$component = Livewire::actingAs($user)
|
|
->test(ListRestoreRuns::class);
|
|
|
|
expect(fn () => $component->instance()->mountTableAction('archive', (string) $foreignRun->getKey()))
|
|
->toThrow(\Symfony\Component\HttpKernel\Exception\NotFoundHttpException::class);
|
|
|
|
expect($foreignRun->fresh()?->trashed())->toBeFalse();
|
|
});
|