ahmido
e64bae9cfc
## Summary - replace the legacy Tenant and TenantMembership core models with ManagedEnvironment and ManagedEnvironmentMembership - propagate the managed environment naming and key changes across Filament resources, pages, controllers, jobs, models, and supporting runtime paths - add feature 279 spec artifacts and focused managed-environment test coverage for model behavior, route binding, panel context, authorization, and legacy guardrails ## Validation - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ManagedEnvironment/LegacyTenantCoreGuardTest.php tests/Feature/ManagedEnvironment/ManagedEnvironmentAuthorizationTest.php tests/Feature/ManagedEnvironment/ManagedEnvironmentPanelContextTest.php tests/Feature/ManagedEnvironment/ManagedEnvironmentRouteBindingTest.php tests/Unit/ManagedEnvironment/ManagedEnvironmentContextResolverTest.php tests/Unit/ManagedEnvironment/ManagedEnvironmentModelTest.php` - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` ## Notes - branch pushed from commit `1123b122` - browser smoke test file was added but not run in this pass Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #335
177 lines
4.5 KiB
PHP
177 lines
4.5 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Services\Auth;
|
|
|
|
use App\Models\PlatformUser;
|
|
use App\Models\ManagedEnvironment;
|
|
use App\Services\Intune\AuditLogger;
|
|
use Carbon\CarbonImmutable;
|
|
use Illuminate\Contracts\Session\Session;
|
|
|
|
class BreakGlassSession
|
|
{
|
|
private const KEY_PREFIX = 'system.break_glass.';
|
|
|
|
public function __construct(
|
|
private readonly Session $session,
|
|
private readonly AuditLogger $auditLogger,
|
|
) {}
|
|
|
|
public function isEnabled(): bool
|
|
{
|
|
return (bool) config('tenantpilot.break_glass.enabled', false);
|
|
}
|
|
|
|
public function ttlMinutes(): int
|
|
{
|
|
return (int) config('tenantpilot.break_glass.ttl_minutes', 15);
|
|
}
|
|
|
|
public function isActive(): bool
|
|
{
|
|
if (! $this->isEnabled()) {
|
|
return false;
|
|
}
|
|
|
|
$expiresAt = $this->expiresAt();
|
|
|
|
if (! $expiresAt instanceof CarbonImmutable) {
|
|
return false;
|
|
}
|
|
|
|
if ($expiresAt->isPast()) {
|
|
$user = auth('platform')->user();
|
|
|
|
if ($user instanceof PlatformUser) {
|
|
$this->expire($user);
|
|
} else {
|
|
$this->clear();
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
public function start(PlatformUser $user, string $reason): void
|
|
{
|
|
if (! $this->isEnabled()) {
|
|
return;
|
|
}
|
|
|
|
$reason = trim($reason);
|
|
|
|
$now = CarbonImmutable::now();
|
|
$expiresAt = $now->addMinutes($this->ttlMinutes());
|
|
|
|
$this->session->put(self::KEY_PREFIX.'started_at', $now->toISOString());
|
|
$this->session->put(self::KEY_PREFIX.'expires_at', $expiresAt->toISOString());
|
|
$this->session->put(self::KEY_PREFIX.'reason', $reason);
|
|
|
|
$this->audit(
|
|
$user,
|
|
action: 'platform.break_glass.enter',
|
|
status: 'success',
|
|
metadata: [
|
|
'reason' => $reason,
|
|
'started_at' => $now->toISOString(),
|
|
'expires_at' => $expiresAt->toISOString(),
|
|
],
|
|
);
|
|
}
|
|
|
|
public function exit(PlatformUser $user): void
|
|
{
|
|
if (! $this->isEnabled()) {
|
|
return;
|
|
}
|
|
|
|
if (! $this->expiresAt() instanceof CarbonImmutable) {
|
|
$this->clear();
|
|
|
|
return;
|
|
}
|
|
|
|
$metadata = [
|
|
'started_at' => $this->session->get(self::KEY_PREFIX.'started_at'),
|
|
'expires_at' => $this->session->get(self::KEY_PREFIX.'expires_at'),
|
|
'reason' => $this->session->get(self::KEY_PREFIX.'reason'),
|
|
];
|
|
|
|
$this->clear();
|
|
|
|
$this->audit(
|
|
$user,
|
|
action: 'platform.break_glass.exit',
|
|
status: 'success',
|
|
metadata: array_filter($metadata, fn ($value): bool => $value !== null),
|
|
);
|
|
}
|
|
|
|
public function clear(): void
|
|
{
|
|
$this->session->forget([
|
|
self::KEY_PREFIX.'started_at',
|
|
self::KEY_PREFIX.'expires_at',
|
|
self::KEY_PREFIX.'reason',
|
|
]);
|
|
}
|
|
|
|
public function expiresAt(): ?CarbonImmutable
|
|
{
|
|
$raw = $this->session->get(self::KEY_PREFIX.'expires_at');
|
|
|
|
if (! is_string($raw) || $raw === '') {
|
|
return null;
|
|
}
|
|
|
|
try {
|
|
return CarbonImmutable::parse($raw);
|
|
} catch (\Throwable) {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
private function expire(PlatformUser $user): void
|
|
{
|
|
$metadata = [
|
|
'started_at' => $this->session->get(self::KEY_PREFIX.'started_at'),
|
|
'expires_at' => $this->session->get(self::KEY_PREFIX.'expires_at'),
|
|
'reason' => $this->session->get(self::KEY_PREFIX.'reason'),
|
|
];
|
|
|
|
$this->clear();
|
|
|
|
$this->audit(
|
|
$user,
|
|
action: 'platform.break_glass.expired',
|
|
status: 'success',
|
|
metadata: array_filter($metadata, fn ($value): bool => $value !== null),
|
|
);
|
|
}
|
|
|
|
private function audit(PlatformUser $user, string $action, string $status, array $metadata): void
|
|
{
|
|
$tenant = ManagedEnvironment::query()->where('slug', 'platform')->first();
|
|
|
|
if (! $tenant instanceof ManagedEnvironment) {
|
|
return;
|
|
}
|
|
|
|
$this->auditLogger->log(
|
|
$tenant,
|
|
action: $action,
|
|
context: [
|
|
'metadata' => $metadata,
|
|
],
|
|
actorId: (int) $user->getKey(),
|
|
actorEmail: $user->email,
|
|
actorName: $user->name,
|
|
status: $status,
|
|
);
|
|
}
|
|
}
|