ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
2752515da5
TenantAtlas/apps/platform/app/Http/Controllers/AdminConsentCallbackController.php
ahmido 2752515da5
Some checks failed
Main Confidence / confidence (push) Failing after 54s
Details
Spec 235: harden baseline truth and onboarding flows (#271) 
## Summary
- harden baseline capture truth, compare readiness, and monitoring explanations around latest inventory eligibility, blocked prerequisites, and zero-subject outcomes
- improve onboarding verification and bootstrap recovery handling, including admin-consent callback invalidation and queued execution legitimacy/report behavior
- align workspace findings/workspace overview signals and refresh the related spec, roadmap, and spec-candidate artifacts

## Validation
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/BaselineDriftEngine/BaselineCaptureAuditEventsTest.php tests/Feature/BaselineDriftEngine/BaselineSnapshotNoTenantIdentifiersTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineContentTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineFullContentOnDemandTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineMetaFallbackTest.php tests/Feature/Baselines/BaselineCaptureTest.php tests/Feature/Baselines/BaselineCompareFindingsTest.php tests/Feature/Baselines/BaselineSnapshotBackfillTest.php tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php tests/Feature/Monitoring/AuditCoverageGovernanceTest.php tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php tests/Feature/Notifications/OperationRunNotificationTest.php tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/AdminConsentCallbackTest.php tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php tests/Feature/Guards/Spec194GovernanceActionSemanticsGuardTest.php tests/Feature/ManagedTenantOnboardingWizardTest.php tests/Feature/Onboarding/OnboardingVerificationTest.php tests/Feature/Operations/QueuedExecutionAuditTrailTest.php tests/Unit/Operations/QueuedExecutionLegitimacyGateTest.php`

## Notes
- browser validation was not re-run in this pass

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #271
2026-04-24 05:44:54 +00:00

249 lines
9.1 KiB
PHP
Raw Blame History

<?php
namespace App\Http\Controllers;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\TenantOnboardingSession;
use App\Services\Intune\AuditLogger;
use App\Support\Providers\ProviderConnectionType;
use App\Support\Providers\ProviderConsentStatus;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Providers\ProviderVerificationStatus;
use Illuminate\Http\Request;
use Illuminate\View\View;
use Symfony\Component\HttpFoundation\Response as ResponseAlias;
class AdminConsentCallbackController extends Controller
{
/**
* Handle the incoming request.
*/
public function __invoke(
Request $request,
AuditLogger $auditLogger,
): View {
$expectedState = $request->session()->pull('tenant_onboard_state');
$workspaceId = $request->session()->pull('tenant_onboard_workspace_id');
$tenantKey = $request->string('tenant')->toString();
$state = $request->string('state')->toString();
$tenantIdentifier = $tenantKey ?: $this->parseState($state);
if ($expectedState && $expectedState !== $state) {
abort(ResponseAlias::HTTP_FORBIDDEN, 'Invalid consent state');
}
abort_if(empty($tenantIdentifier), 404);
$tenant = $this->resolveTenant($tenantIdentifier, is_numeric($workspaceId) ? (int) $workspaceId : null);
$error = $request->string('error')->toString() ?: null;
$consentGranted = $request->has('admin_consent')
? filter_var($request->input('admin_consent'), FILTER_VALIDATE_BOOLEAN)
: null;
$status = match (true) {
$error !== null => 'error',
$consentGranted === false => 'consent_denied',
$consentGranted === true => 'ok',
default => 'pending',
};
$connection = $this->upsertProviderConnectionForConsent(
tenant: $tenant,
status: $status,
error: $error,
);
$this->invalidateResumableOnboardingVerificationState($tenant, $connection);
$legacyStatus = $status === 'ok' ? 'success' : 'failed';
$auditMetadata = [
'source' => 'admin.consent.callback',
'workspace_id' => (int) $connection->workspace_id,
'status' => $status,
'state' => $state,
'error' => $error,
'consent' => $consentGranted,
'provider_connection_id' => (int) $connection->getKey(),
'provider' => (string) $connection->provider,
'entra_tenant_id' => (string) $connection->entra_tenant_id,
'connection_type' => $connection->connection_type->value,
'consent_status' => $connection->consent_status->value,
'verification_status' => $connection->verification_status->value,
];
$auditLogger->log(
tenant: $tenant,
action: 'tenant.consent.callback',
context: [
'metadata' => $auditMetadata,
],
status: $legacyStatus,
resourceType: 'provider_connection',
resourceId: (string) $connection->getKey(),
);
$auditLogger->log(
tenant: $tenant,
action: 'provider_connection.consent_result',
context: [
'metadata' => $auditMetadata,
],
status: $legacyStatus,
resourceType: 'provider_connection',
resourceId: (string) $connection->getKey(),
);
return view('admin-consent-callback', [
'tenant' => $tenant,
'connection' => $connection,
'status' => $status,
'error' => $error,
'consentGranted' => $consentGranted,
'verificationStateLabel' => $this->verificationStateLabel($connection),
]);
}
private function resolveTenant(string $tenantIdentifier, ?int $workspaceId): Tenant
{
/** @var Tenant|null $tenant */
$tenant = Tenant::withTrashed()
->forTenant($tenantIdentifier)
->first();
if ($tenant?->trashed()) {
$tenant->restore();
}
if ($tenant instanceof Tenant) {
if ($tenant->workspace_id === null && $workspaceId !== null) {
$tenant->forceFill(['workspace_id' => $workspaceId])->save();
}
return $tenant;
}
abort_if($workspaceId === null, ResponseAlias::HTTP_FORBIDDEN, 'Missing workspace context');
return Tenant::create([
'tenant_id' => $tenantIdentifier,
'name' => 'New Tenant',
'workspace_id' => $workspaceId,
]);
}
private function upsertProviderConnectionForConsent(Tenant $tenant, string $status, ?string $error): ProviderConnection
{
$hasDefault = ProviderConnection::query()
->where('tenant_id', (int) $tenant->getKey())
->where('provider', 'microsoft')
->where('is_default', true)
->exists();
$consentStatus = match ($status) {
'ok' => ProviderConsentStatus::Granted,
'error' => ProviderConsentStatus::Failed,
default => ProviderConsentStatus::Required,
};
$verificationStatus = ProviderVerificationStatus::Unknown;
$reasonCode = match ($status) {
'ok' => null,
'error' => ProviderReasonCodes::ProviderAuthFailed,
default => ProviderReasonCodes::ProviderConsentMissing,
};
$connection = ProviderConnection::query()->updateOrCreate(
[
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => (string) ($tenant->graphTenantId() ?? $tenant->tenant_id ?? $tenant->external_id),
],
[
'workspace_id' => (int) $tenant->workspace_id,
'display_name' => (string) ($tenant->name ?? 'Microsoft Connection'),
'is_enabled' => true,
'connection_type' => ProviderConnectionType::Platform->value,
'consent_status' => $consentStatus->value,
'consent_granted_at' => $status === 'ok' ? now() : null,
'consent_last_checked_at' => now(),
'consent_error_code' => $status === 'error' ? $reasonCode : null,
'consent_error_message' => $status === 'error' ? $error : null,
'verification_status' => $verificationStatus->value,
'migration_review_required' => false,
'migration_reviewed_at' => null,
'last_error_reason_code' => $reasonCode,
'last_error_message' => $status === 'ok' ? null : $error,
'is_default' => $hasDefault ? false : true,
],
);
$connection->credential()->delete();
if (! $hasDefault && ! $connection->is_default) {
$connection->makeDefault();
}
return $connection->fresh();
}
private function parseState(?string $state): ?string
{
if (empty($state)) {
return null;
}
if (str_contains($state, '|')) {
[, $value] = explode('|', $state, 2);
return $value;
}
return $state;
}
private function verificationStateLabel(ProviderConnection $connection): string
{
$verificationStatus = $connection->verification_status instanceof ProviderVerificationStatus
? $connection->verification_status
: ProviderVerificationStatus::tryFrom((string) $connection->verification_status);
if ($verificationStatus === ProviderVerificationStatus::Unknown) {
return $connection->consent_status === ProviderConsentStatus::Granted
? 'Needs verification'
: 'Not verified';
}
return ucfirst(str_replace('_', ' ', $verificationStatus?->value ?? 'unknown'));
}
private function invalidateResumableOnboardingVerificationState(Tenant $tenant, ProviderConnection $connection): void
{
TenantOnboardingSession::query()
->where('tenant_id', (int) $tenant->getKey())
->resumable()
->each(function (TenantOnboardingSession $draft) use ($connection): void {
$state = is_array($draft->state) ? $draft->state : [];
$providerConnectionId = $state['provider_connection_id'] ?? null;
$providerConnectionId = is_numeric($providerConnectionId) ? (int) $providerConnectionId : null;
if ($providerConnectionId !== null && $providerConnectionId !== (int) $connection->getKey()) {
return;
}
unset(
$state['verification_operation_run_id'],
$state['verification_run_id'],
$state['bootstrap_operation_runs'],
$state['bootstrap_operation_types'],
$state['bootstrap_run_ids'],
);
$state['connection_recently_updated'] = true;
$draft->state = $state;
$draft->save();
});
}
}
Reference in New Issue View Git Blame Copy Permalink