ahmido
b0a724acef
## Summary - harden the canonical operation run viewer so mismatched, missing, archived, onboarding, and selector-excluded tenant context no longer invalidates authorized canonical run viewing - extend canonical route, header-context, deep-link, and presentation coverage for Spec 144 and add the full spec artifact set under `specs/144-canonical-operation-viewer-context-decoupling/` - harden onboarding draft provider-connection resume logic so stale persisted provider connections fall back to the connect-provider step instead of resuming invalid state - add architecture-audit follow-up candidate material and prompt assets for the next governance hardening wave ## Testing - `vendor/bin/sail bin pint --dirty --format agent` - `vendor/bin/sail artisan test --compact tests/Feature/144/CanonicalOperationViewerContextMismatchTest.php tests/Feature/144/CanonicalOperationViewerDeepLinkTrustTest.php tests/Feature/Operations/TenantlessOperationRunViewerTest.php tests/Feature/OpsUx/OperateHubShellTest.php tests/Feature/Monitoring/OperationsTenantScopeTest.php tests/Feature/RunAuthorizationTenantIsolationTest.php tests/Feature/Filament/OperationRunEnterpriseDetailPageTest.php tests/Feature/Monitoring/HeaderContextBarTest.php tests/Feature/Monitoring/OperationRunResolvedReferencePresentationTest.php tests/Feature/Monitoring/OperationsCanonicalUrlsTest.php` - `vendor/bin/sail artisan test --compact tests/Feature/ManagedTenantOnboardingWizardTest.php tests/Unit/Onboarding/OnboardingDraftStageResolverTest.php tests/Unit/Onboarding/OnboardingLifecycleServiceTest.php` ## Notes - branch: `144-canonical-operation-viewer-context-decoupling` - base: `dev` Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #173
382 lines
13 KiB
PHP
382 lines
13 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\OperationRun;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Models\WorkspaceMembership;
|
|
use App\Support\Navigation\CanonicalNavigationContext;
|
|
use App\Support\OperationRunLinks;
|
|
use App\Support\OperationRunOutcome;
|
|
use App\Support\OperationRunStatus;
|
|
use App\Support\OpsUx\RunDetailPolling;
|
|
use App\Support\TenantRole;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Support\Facades\Http;
|
|
use Livewire\Livewire;
|
|
|
|
beforeEach(function (): void {
|
|
Http::preventStrayRequests();
|
|
});
|
|
|
|
it('allows viewing an operation run without a selected workspace when the user is a member of the run workspace', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->forget(WorkspaceContext::SESSION_KEY);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => null,
|
|
'type' => 'provider.connection.check',
|
|
'status' => OperationRunStatus::Queued->value,
|
|
'outcome' => OperationRunOutcome::Pending->value,
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get("/admin/operations/{$run->getKey()}")
|
|
->assertSuccessful();
|
|
|
|
expect(session()->get(WorkspaceContext::SESSION_KEY))->toBeNull();
|
|
});
|
|
|
|
it('returns 404 for non-members when viewing an operation run without a selected workspace', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
session()->forget(WorkspaceContext::SESSION_KEY);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => null,
|
|
'type' => 'provider.connection.check',
|
|
'status' => OperationRunStatus::Queued->value,
|
|
'outcome' => OperationRunOutcome::Pending->value,
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get("/admin/operations/{$run->getKey()}")
|
|
->assertNotFound();
|
|
});
|
|
|
|
it('returns 403 for members missing the required capability for the operation type', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
]);
|
|
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
$tenant->users()->attach((int) $user->getKey(), [
|
|
'role' => TenantRole::Readonly->value,
|
|
'source' => 'manual',
|
|
'source_ref' => null,
|
|
'created_by_user_id' => null,
|
|
]);
|
|
|
|
session()->forget(WorkspaceContext::SESSION_KEY);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'type' => 'inventory_sync',
|
|
'status' => OperationRunStatus::Queued->value,
|
|
'outcome' => OperationRunOutcome::Pending->value,
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get("/admin/operations/{$run->getKey()}")
|
|
->assertForbidden();
|
|
});
|
|
|
|
it('keeps a canonical run viewer accessible when the remembered tenant differs from the run tenant', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$tenantA = Tenant::factory()->for($workspace)->create();
|
|
$tenantB = Tenant::factory()->for($workspace)->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
foreach ([$tenantA, $tenantB] as $tenant) {
|
|
$tenant->users()->attach((int) $user->getKey(), [
|
|
'role' => TenantRole::Owner->value,
|
|
'source' => 'manual',
|
|
'source_ref' => null,
|
|
'created_by_user_id' => null,
|
|
]);
|
|
}
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'tenant_id' => (int) $tenantA->getKey(),
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'type' => 'inventory_sync',
|
|
'status' => OperationRunStatus::Queued->value,
|
|
'outcome' => OperationRunOutcome::Pending->value,
|
|
]);
|
|
|
|
Filament::setTenant($tenantB, true);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([
|
|
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
|
|
WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY => [
|
|
(string) $workspace->getKey() => (int) $tenantB->getKey(),
|
|
],
|
|
])
|
|
->get("/admin/operations/{$run->getKey()}")
|
|
->assertSuccessful()
|
|
->assertSee('Operation run')
|
|
->assertSee('Back to Operations');
|
|
});
|
|
|
|
it('keeps tenantless run viewing accessible while another tenant is selected', function (): void {
|
|
$selectedTenant = Tenant::factory()->create();
|
|
[$user, $selectedTenant] = createUserWithTenant(tenant: $selectedTenant, role: 'owner');
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $selectedTenant->workspace_id,
|
|
'tenant_id' => null,
|
|
'type' => 'provider.connection.check',
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
]);
|
|
|
|
Filament::setTenant($selectedTenant, true);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([
|
|
WorkspaceContext::SESSION_KEY => (int) $selectedTenant->workspace_id,
|
|
WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY => [
|
|
(string) $selectedTenant->workspace_id => (int) $selectedTenant->getKey(),
|
|
],
|
|
])
|
|
->get(route('admin.operations.view', ['run' => (int) $run->getKey()]))
|
|
->assertSuccessful()
|
|
->assertSee('Workspace-level run')
|
|
->assertSee('This canonical workspace view is not tied to the current tenant context');
|
|
});
|
|
|
|
it('renders stored target scope and failure details for a completed run', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->forget(WorkspaceContext::SESSION_KEY);
|
|
|
|
$entraTenantId = '11111111-1111-1111-1111-111111111111';
|
|
$failureMessage = 'Missing required Graph permissions.';
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => null,
|
|
'type' => 'provider.connection.check',
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Failed->value,
|
|
'context' => [
|
|
'target_scope' => [
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'entra_tenant_name' => 'Contoso',
|
|
],
|
|
],
|
|
'failure_summary' => [
|
|
[
|
|
'code' => 'provider.connection.check.failed',
|
|
'reason_code' => 'permission_denied',
|
|
'message' => $failureMessage,
|
|
],
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get("/admin/operations/{$run->getKey()}")
|
|
->assertSuccessful()
|
|
->assertSee($entraTenantId)
|
|
->assertSee('permission_denied')
|
|
->assertSee($failureMessage);
|
|
});
|
|
|
|
it('renders explicit back-link lineage when opened from a canonical source context', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
]);
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
$tenant->users()->attach((int) $user->getKey(), [
|
|
'role' => TenantRole::Owner->value,
|
|
'source' => 'manual',
|
|
'source_ref' => null,
|
|
'created_by_user_id' => null,
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'backup_set.add_policies',
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
]);
|
|
|
|
$context = new CanonicalNavigationContext(
|
|
sourceSurface: 'backup_set.detail_section',
|
|
canonicalRouteName: 'admin.operations.view',
|
|
tenantId: (int) $tenant->getKey(),
|
|
backLinkLabel: 'Back to backup set',
|
|
backLinkUrl: '/admin/tenant/backup-sets/1',
|
|
);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
|
|
->get(OperationRunLinks::tenantlessView($run, $context))
|
|
->assertSuccessful()
|
|
->assertSee('Back to backup set')
|
|
->assertSee('/admin/tenant/backup-sets/1', false);
|
|
});
|
|
|
|
it('keeps the explicit back-link action after Livewire hydration', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
]);
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
$tenant->users()->attach((int) $user->getKey(), [
|
|
'role' => TenantRole::Owner->value,
|
|
'source' => 'manual',
|
|
'source_ref' => null,
|
|
'created_by_user_id' => null,
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'baseline_compare',
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
]);
|
|
|
|
$this->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()]);
|
|
session([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()]);
|
|
|
|
Livewire::withQueryParams([
|
|
'nav' => [
|
|
'source_surface' => 'finding.detail_section',
|
|
'canonical_route_name' => 'admin.operations.view',
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'back_label' => 'Back to finding',
|
|
'back_url' => '/admin/findings/42?tenant='.$tenant->external_id,
|
|
],
|
|
])
|
|
->actingAs($user)
|
|
->test(\App\Filament\Pages\Operations\TenantlessOperationRunViewer::class, ['run' => $run])
|
|
->assertActionVisible('operate_hub_back_to_origin_run_detail');
|
|
});
|
|
|
|
it('renders shared polling markup for active tenantless runs', function (string $status, int $ageSeconds): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->forget(WorkspaceContext::SESSION_KEY);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => null,
|
|
'type' => 'provider.connection.check',
|
|
'status' => $status,
|
|
'outcome' => OperationRunOutcome::Pending->value,
|
|
'created_at' => now()->subSeconds($ageSeconds),
|
|
]);
|
|
|
|
$expectedInterval = RunDetailPolling::interval($run);
|
|
|
|
expect($expectedInterval)->not->toBeNull();
|
|
|
|
$this->actingAs($user)
|
|
->get("/admin/operations/{$run->getKey()}")
|
|
->assertSuccessful()
|
|
->assertSee("wire:poll.{$expectedInterval}", escape: false);
|
|
})->with([
|
|
'queued runs poll every second at startup' => [
|
|
OperationRunStatus::Queued->value,
|
|
5,
|
|
],
|
|
'running runs slow to five seconds after startup' => [
|
|
OperationRunStatus::Running->value,
|
|
30,
|
|
],
|
|
]);
|
|
|
|
it('does not render polling markup for terminal tenantless runs', function (string $outcome): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->forget(WorkspaceContext::SESSION_KEY);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => null,
|
|
'type' => 'provider.connection.check',
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => $outcome,
|
|
'created_at' => now()->subMinutes(2),
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get("/admin/operations/{$run->getKey()}")
|
|
->assertSuccessful()
|
|
->assertDontSee('wire:poll.1s', escape: false)
|
|
->assertDontSee('wire:poll.5s', escape: false)
|
|
->assertDontSee('wire:poll.10s', escape: false);
|
|
})->with([
|
|
'succeeded runs stay stable' => OperationRunOutcome::Succeeded->value,
|
|
'failed runs stay stable' => OperationRunOutcome::Failed->value,
|
|
]);
|