ahmido
2752515da5
Some checks failed
Main Confidence / confidence (push) Failing after 54s
## Summary - harden baseline capture truth, compare readiness, and monitoring explanations around latest inventory eligibility, blocked prerequisites, and zero-subject outcomes - improve onboarding verification and bootstrap recovery handling, including admin-consent callback invalidation and queued execution legitimacy/report behavior - align workspace findings/workspace overview signals and refresh the related spec, roadmap, and spec-candidate artifacts ## Validation - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/BaselineDriftEngine/BaselineCaptureAuditEventsTest.php tests/Feature/BaselineDriftEngine/BaselineSnapshotNoTenantIdentifiersTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineContentTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineFullContentOnDemandTest.php tests/Feature/BaselineDriftEngine/CaptureBaselineMetaFallbackTest.php tests/Feature/Baselines/BaselineCaptureTest.php tests/Feature/Baselines/BaselineCompareFindingsTest.php tests/Feature/Baselines/BaselineSnapshotBackfillTest.php tests/Feature/Filament/BaselineCaptureResultExplanationSurfaceTest.php tests/Feature/Filament/BaselineCompareLandingStartSurfaceTest.php tests/Feature/Filament/BaselineProfileCaptureStartSurfaceTest.php tests/Feature/Filament/OperationRunBaselineTruthSurfaceTest.php tests/Feature/Monitoring/AuditCoverageGovernanceTest.php tests/Feature/Monitoring/GovernanceOperationRunSummariesTest.php tests/Feature/Notifications/OperationRunNotificationTest.php tests/Feature/Authorization/OperatorExplanationSurfaceAuthorizationTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/AdminConsentCallbackTest.php tests/Feature/Filament/WorkspaceOverviewDbOnlyTest.php tests/Feature/Guards/Spec194GovernanceActionSemanticsGuardTest.php tests/Feature/ManagedTenantOnboardingWizardTest.php tests/Feature/Onboarding/OnboardingVerificationTest.php tests/Feature/Operations/QueuedExecutionAuditTrailTest.php tests/Unit/Operations/QueuedExecutionLegitimacyGateTest.php` ## Notes - browser validation was not re-run in this pass Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #271
758 lines
27 KiB
PHP
758 lines
27 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard;
|
|
use App\Models\AuditLog;
|
|
use App\Models\OperationRun;
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\Tenant;
|
|
use App\Models\TenantOnboardingSession;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Models\WorkspaceMembership;
|
|
use App\Services\OperationRunService;
|
|
use App\Support\OperationRunLinks;
|
|
use App\Support\Operations\ExecutionAuthorityMode;
|
|
use App\Support\Operations\ExecutionDenialReasonCode;
|
|
use App\Support\Operations\QueuedExecutionContext;
|
|
use App\Support\Operations\QueuedExecutionLegitimacyDecision;
|
|
use App\Support\Verification\VerificationReportSchema;
|
|
use App\Support\Verification\VerificationReportWriter;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Illuminate\Support\Facades\Queue;
|
|
use Livewire\Livewire;
|
|
|
|
it('dedupes active verification runs and stores the run id in the onboarding session', function (): void {
|
|
Queue::fake();
|
|
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$entraTenantId = '77777777-7777-7777-7777-777777777777';
|
|
|
|
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class);
|
|
|
|
$component->call('identifyManagedTenant', [
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'environment' => 'prod',
|
|
'name' => 'Acme',
|
|
]);
|
|
|
|
$component->call('createProviderConnection', [
|
|
'display_name' => 'Acme connection',
|
|
'client_id' => '00000000-0000-0000-0000-000000000000',
|
|
'client_secret' => 'super-secret',
|
|
'is_default' => true,
|
|
]);
|
|
|
|
$tenant = Tenant::query()->where('tenant_id', $entraTenantId)->firstOrFail();
|
|
|
|
ProviderConnection::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->update([
|
|
'consent_status' => 'granted',
|
|
'last_error_reason_code' => null,
|
|
'last_error_message' => null,
|
|
]);
|
|
|
|
$component->call('startVerification');
|
|
$component->call('startVerification');
|
|
|
|
expect(OperationRun::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('type', 'provider.connection.check')
|
|
->count())->toBe(1);
|
|
|
|
$runId = (int) OperationRun::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('type', 'provider.connection.check')
|
|
->value('id');
|
|
|
|
$notificationActionUrls = collect(session('filament.notifications', []))
|
|
->flatMap(static fn (array $notification): array => is_array($notification['actions'] ?? null)
|
|
? $notification['actions']
|
|
: [])
|
|
->tap(function (\Illuminate\Support\Collection $actions): void {
|
|
expect($actions->pluck('label')->filter()->values()->all())->toContain(OperationRunLinks::openLabel());
|
|
})
|
|
->pluck('url')
|
|
->filter(static fn (mixed $url): bool => is_string($url) && trim($url) !== '')
|
|
->values()
|
|
->all();
|
|
|
|
expect($notificationActionUrls)->toContain(OperationRunLinks::tenantlessView($runId));
|
|
|
|
$session = TenantOnboardingSession::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('entra_tenant_id', $entraTenantId)
|
|
->whereNull('completed_at')
|
|
->firstOrFail();
|
|
|
|
expect($session->state['verification_operation_run_id'] ?? null)->toBe($runId);
|
|
|
|
expect(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', 'managed_tenant_onboarding.verification_start')
|
|
->exists())->toBeTrue()
|
|
->and(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', 'managed_tenant_onboarding.verification_persisted')
|
|
->exists())->toBeTrue();
|
|
});
|
|
|
|
it('stores a blocked verification report and canonical link when onboarding verification cannot proceed', function (): void {
|
|
Queue::fake();
|
|
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$entraTenantId = '72727272-7272-7272-7272-727272727272';
|
|
|
|
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class);
|
|
|
|
$component->call('identifyManagedTenant', [
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'environment' => 'prod',
|
|
'name' => 'Blocked Tenant',
|
|
]);
|
|
|
|
$tenant = Tenant::query()->where('tenant_id', $entraTenantId)->firstOrFail();
|
|
|
|
$connection = ProviderConnection::factory()->dedicated()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'display_name' => 'Blocked connection',
|
|
'is_default' => true,
|
|
'consent_status' => 'granted',
|
|
]);
|
|
|
|
$component->call('selectProviderConnection', (int) $connection->getKey());
|
|
$component->call('startVerification');
|
|
|
|
$run = OperationRun::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('type', 'provider.connection.check')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($run)->not->toBeNull()
|
|
->and($run?->outcome)->toBe('blocked');
|
|
|
|
$report = $run?->context['verification_report'] ?? null;
|
|
|
|
expect($report)->toBeArray();
|
|
expect(VerificationReportSchema::isValidReport($report))->toBeTrue();
|
|
|
|
$notificationActionUrls = collect(session('filament.notifications', []))
|
|
->flatMap(static fn (array $notification): array => is_array($notification['actions'] ?? null)
|
|
? $notification['actions']
|
|
: [])
|
|
->tap(function (\Illuminate\Support\Collection $actions): void {
|
|
expect($actions->pluck('label')->filter()->values()->all())->toContain(OperationRunLinks::openLabel());
|
|
})
|
|
->pluck('url')
|
|
->filter(static fn (mixed $url): bool => is_string($url) && trim($url) !== '')
|
|
->values()
|
|
->all();
|
|
|
|
expect($notificationActionUrls)->toContain(OperationRunLinks::tenantlessView((int) $run?->getKey()));
|
|
|
|
Queue::assertNothingPushed();
|
|
});
|
|
|
|
it('does not start verification or write audit history when the workspace changes after mount', function (): void {
|
|
Queue::fake();
|
|
|
|
$workspaceA = Workspace::factory()->create();
|
|
$workspaceB = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspaceA->getKey(),
|
|
'status' => Tenant::STATUS_ONBOARDING,
|
|
]);
|
|
|
|
createUserWithTenant(
|
|
tenant: $tenant,
|
|
user: $user,
|
|
role: 'owner',
|
|
workspaceRole: 'owner',
|
|
ensureDefaultMicrosoftProviderConnection: false,
|
|
);
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspaceB->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
|
|
'workspace_id' => (int) $workspaceA->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => (string) $tenant->tenant_id,
|
|
'display_name' => 'Verified connection',
|
|
'is_default' => true,
|
|
]);
|
|
|
|
$draft = createOnboardingDraft([
|
|
'workspace' => $workspaceA,
|
|
'tenant' => $tenant,
|
|
'started_by' => $user,
|
|
'updated_by' => $user,
|
|
'current_step' => 'connection',
|
|
'state' => [
|
|
'entra_tenant_id' => (string) $tenant->tenant_id,
|
|
'tenant_name' => (string) $tenant->name,
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
],
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspaceA->getKey());
|
|
|
|
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class, [
|
|
'onboardingDraft' => (int) $draft->getKey(),
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspaceB->getKey());
|
|
|
|
$component->call('startVerification')->assertNotFound();
|
|
|
|
expect(OperationRun::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('type', 'provider.connection.check')
|
|
->exists())->toBeFalse()
|
|
->and(AuditLog::query()
|
|
->where('workspace_id', (int) $workspaceA->getKey())
|
|
->whereIn('action', [
|
|
'managed_tenant_onboarding.verification_start',
|
|
'managed_tenant_onboarding.verification_persisted',
|
|
])
|
|
->exists())->toBeFalse();
|
|
});
|
|
|
|
it('renders stored verification findings in the wizard report section', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$entraTenantId = '99999999-9999-9999-9999-999999999999';
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => $entraTenantId,
|
|
'status' => 'onboarding',
|
|
]);
|
|
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenant->getKey() => ['role' => 'owner'],
|
|
]);
|
|
|
|
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'display_name' => 'Contoso platform connection',
|
|
'is_default' => true,
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'provider.connection.check',
|
|
'status' => 'completed',
|
|
'outcome' => 'succeeded',
|
|
'context' => [
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'target_scope' => [
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'entra_tenant_name' => 'Contoso',
|
|
],
|
|
'verification_report' => VerificationReportWriter::build('provider.connection.check', [
|
|
[
|
|
'key' => 'permission_check',
|
|
'title' => 'Graph permissions',
|
|
'status' => 'fail',
|
|
'severity' => 'high',
|
|
'blocking' => true,
|
|
'reason_code' => 'permission_denied',
|
|
'message' => 'Missing required Graph permissions.',
|
|
'evidence' => [],
|
|
'next_steps' => [],
|
|
],
|
|
]),
|
|
],
|
|
]);
|
|
|
|
TenantOnboardingSession::query()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'current_step' => 'verify',
|
|
'state' => [
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'verification_operation_run_id' => (int) $run->getKey(),
|
|
],
|
|
'started_by_user_id' => (int) $user->getKey(),
|
|
'updated_by_user_id' => (int) $user->getKey(),
|
|
]);
|
|
|
|
$response = $this->actingAs($user)
|
|
->followingRedirects()
|
|
->get('/admin/onboarding')
|
|
->assertSuccessful()
|
|
->assertSee('Status: Blocked')
|
|
->assertSee(OperationRunLinks::openLabel())
|
|
->assertSee('Technical details')
|
|
->assertDontSee('Open operation in Monitoring (advanced)')
|
|
->assertDontSee('Open previous operation')
|
|
->assertSee('Missing required Graph permissions.')
|
|
->assertSee('Graph permissions')
|
|
->assertSee($entraTenantId);
|
|
|
|
expect($response->getContent())
|
|
->toContain('data-shared-detail-family="verification-report"')
|
|
->toContain('data-host-kind="onboarding_wizard"')
|
|
->toContain('data-shared-zone="summary"')
|
|
->toContain('data-shared-zone="issues"')
|
|
->not->toContain('data-shared-zone="diagnostics"');
|
|
});
|
|
|
|
it('renders a queued legitimacy blocked verification report in the wizard instead of the empty state', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$entraTenantId = '20202020-2020-2020-2020-202020202020';
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => $entraTenantId,
|
|
'status' => Tenant::STATUS_ONBOARDING,
|
|
]);
|
|
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenant->getKey() => ['role' => 'owner'],
|
|
]);
|
|
|
|
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'display_name' => 'Blocked queued verification connection',
|
|
'is_default' => true,
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'initiator_name' => $user->name,
|
|
'type' => 'provider.connection.check',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'context' => [
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'target_scope' => [
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'entra_tenant_id' => $entraTenantId,
|
|
],
|
|
],
|
|
]);
|
|
|
|
$context = new QueuedExecutionContext(
|
|
run: $run,
|
|
operationType: 'provider.connection.check',
|
|
workspaceId: (int) $workspace->getKey(),
|
|
tenant: $tenant,
|
|
initiator: $user,
|
|
authorityMode: ExecutionAuthorityMode::ActorBound,
|
|
requiredCapability: 'providers.view',
|
|
providerConnectionId: (int) $connection->getKey(),
|
|
targetScope: [
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'entra_tenant_id' => $entraTenantId,
|
|
],
|
|
);
|
|
|
|
$decision = QueuedExecutionLegitimacyDecision::deny(
|
|
context: $context,
|
|
checks: [
|
|
'workspace_scope' => 'passed',
|
|
'tenant_scope' => 'passed',
|
|
'capability' => 'not_applicable',
|
|
'tenant_operability' => 'failed',
|
|
'execution_prerequisites' => 'not_applicable',
|
|
],
|
|
reasonCode: ExecutionDenialReasonCode::TenantNotOperable,
|
|
);
|
|
|
|
app(OperationRunService::class)->finalizeExecutionLegitimacyBlockedRun($run, $decision);
|
|
|
|
TenantOnboardingSession::query()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'current_step' => 'verify',
|
|
'state' => [
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'verification_operation_run_id' => (int) $run->getKey(),
|
|
],
|
|
'started_by_user_id' => (int) $user->getKey(),
|
|
'updated_by_user_id' => (int) $user->getKey(),
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->followingRedirects()
|
|
->get('/admin/onboarding')
|
|
->assertSuccessful()
|
|
->assertSee('Status: Blocked')
|
|
->assertSee(ExecutionDenialReasonCode::TenantNotOperable->message())
|
|
->assertDontSee('Verification report unavailable');
|
|
});
|
|
|
|
it('keeps one onboarding verification path per state while leaving workflow actions on the wizard step', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'status' => Tenant::STATUS_ONBOARDING,
|
|
]);
|
|
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenant->getKey() => ['role' => 'owner'],
|
|
]);
|
|
|
|
$connection = ProviderConnection::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'is_default' => true,
|
|
'consent_status' => 'granted',
|
|
]);
|
|
|
|
$session = TenantOnboardingSession::query()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'entra_tenant_id' => (string) $tenant->tenant_id,
|
|
'current_step' => 'verify',
|
|
'state' => [
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
],
|
|
'started_by_user_id' => (int) $user->getKey(),
|
|
'updated_by_user_id' => (int) $user->getKey(),
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->followingRedirects()
|
|
->get('/admin/onboarding')
|
|
->assertSuccessful()
|
|
->assertSee('Start verification')
|
|
->assertSee('Use the workflow action above to start verification for this tenant.')
|
|
->assertDontSee(OperationRunLinks::openLabel())
|
|
->assertDontSee('Refresh');
|
|
|
|
$activeRun = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'provider.connection.check',
|
|
'status' => 'running',
|
|
'outcome' => 'pending',
|
|
'context' => [
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
],
|
|
]);
|
|
|
|
$session->forceFill([
|
|
'state' => [
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'verification_operation_run_id' => (int) $activeRun->getKey(),
|
|
],
|
|
])->save();
|
|
|
|
$this->actingAs($user)
|
|
->followingRedirects()
|
|
->get('/admin/onboarding')
|
|
->assertSuccessful()
|
|
->assertSee('Refresh')
|
|
->assertSee(OperationRunLinks::openLabel())
|
|
->assertDontSee('Start verification');
|
|
|
|
$completedRun = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'provider.connection.check',
|
|
'status' => 'completed',
|
|
'outcome' => 'succeeded',
|
|
'context' => [
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'verification_report' => VerificationReportWriter::build('provider.connection.check', []),
|
|
],
|
|
]);
|
|
|
|
$session->forceFill([
|
|
'state' => [
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'verification_operation_run_id' => (int) $completedRun->getKey(),
|
|
],
|
|
])->save();
|
|
|
|
$this->actingAs($user)
|
|
->followingRedirects()
|
|
->get('/admin/onboarding')
|
|
->assertSuccessful()
|
|
->assertSee(OperationRunLinks::openLabel())
|
|
->assertDontSee('Refresh');
|
|
});
|
|
|
|
it('clears the stored verification run id when switching provider connections', function (): void {
|
|
Queue::fake();
|
|
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$entraTenantId = '12121212-1212-1212-1212-121212121212';
|
|
|
|
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class);
|
|
|
|
$component->call('identifyManagedTenant', [
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'environment' => 'prod',
|
|
'name' => 'Acme',
|
|
]);
|
|
|
|
$component->call('createProviderConnection', [
|
|
'display_name' => 'Acme connection',
|
|
'client_id' => '00000000-0000-0000-0000-000000000000',
|
|
'client_secret' => 'super-secret',
|
|
'is_default' => true,
|
|
]);
|
|
|
|
$tenant = Tenant::query()->where('tenant_id', $entraTenantId)->firstOrFail();
|
|
|
|
$otherConnection = ProviderConnection::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider' => 'dummy',
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'display_name' => 'Dummy connection',
|
|
'is_default' => false,
|
|
]);
|
|
|
|
$component->call('startVerification');
|
|
|
|
$session = TenantOnboardingSession::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('entra_tenant_id', $entraTenantId)
|
|
->whereNull('completed_at')
|
|
->firstOrFail();
|
|
|
|
expect($session->state['verification_operation_run_id'] ?? null)->toBeInt();
|
|
|
|
$component->call('selectProviderConnection', (int) $otherConnection->getKey());
|
|
|
|
$session->refresh();
|
|
|
|
expect($session->state['verification_operation_run_id'] ?? null)->toBeNull();
|
|
});
|
|
|
|
it('ignores forged onboarding session and managed tenant state when starting verification', function (): void {
|
|
Queue::fake();
|
|
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$entraTenantId = '17171717-1717-1717-1717-171717171717';
|
|
|
|
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class);
|
|
|
|
$component->call('identifyManagedTenant', [
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'environment' => 'prod',
|
|
'name' => 'Primary Tenant',
|
|
]);
|
|
|
|
$primaryTenant = Tenant::query()->where('tenant_id', $entraTenantId)->firstOrFail();
|
|
|
|
$otherTenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => '18181818-1818-1818-1818-181818181818',
|
|
'status' => Tenant::STATUS_ONBOARDING,
|
|
]);
|
|
|
|
$otherConnection = ProviderConnection::factory()->platform()->consentGranted()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $otherTenant->getKey(),
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => (string) $otherTenant->tenant_id,
|
|
'display_name' => 'Forged verification connection',
|
|
'is_default' => true,
|
|
]);
|
|
|
|
$otherDraft = TenantOnboardingSession::query()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $otherTenant->getKey(),
|
|
'entra_tenant_id' => (string) $otherTenant->tenant_id,
|
|
'current_step' => 'connection',
|
|
'state' => [
|
|
'provider_connection_id' => (int) $otherConnection->getKey(),
|
|
],
|
|
'started_by_user_id' => (int) $user->getKey(),
|
|
'updated_by_user_id' => (int) $user->getKey(),
|
|
]);
|
|
|
|
$component
|
|
->set('onboardingSession', $otherDraft)
|
|
->set('managedTenant', $otherTenant)
|
|
->set('selectedProviderConnectionId', (int) $otherConnection->getKey())
|
|
->call('startVerification');
|
|
|
|
expect(OperationRun::query()
|
|
->where('tenant_id', (int) $otherTenant->getKey())
|
|
->where('type', 'provider.connection.check')
|
|
->exists())->toBeFalse()
|
|
->and(OperationRun::query()
|
|
->where('tenant_id', (int) $primaryTenant->getKey())
|
|
->where('type', 'provider.connection.check')
|
|
->exists())->toBeFalse();
|
|
});
|
|
|
|
it('treats a completed verification run as stale when it belongs to a different provider connection', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$entraTenantId = '13131313-1313-1313-1313-131313131313';
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => $entraTenantId,
|
|
'status' => Tenant::STATUS_ONBOARDING,
|
|
]);
|
|
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenant->getKey() => ['role' => 'owner'],
|
|
]);
|
|
|
|
$microsoftConnection = ProviderConnection::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'display_name' => 'Microsoft connection',
|
|
'is_default' => true,
|
|
]);
|
|
|
|
$otherConnection = ProviderConnection::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider' => 'dummy',
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'display_name' => 'Dummy connection',
|
|
'is_default' => false,
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'type' => 'provider.connection.check',
|
|
'status' => 'completed',
|
|
'outcome' => 'succeeded',
|
|
'context' => [
|
|
'provider_connection_id' => (int) $microsoftConnection->getKey(),
|
|
'target_scope' => [
|
|
'entra_tenant_id' => $entraTenantId,
|
|
],
|
|
],
|
|
]);
|
|
|
|
$session = TenantOnboardingSession::query()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'entra_tenant_id' => $entraTenantId,
|
|
'current_step' => 'verify',
|
|
'state' => [
|
|
'provider_connection_id' => (int) $otherConnection->getKey(),
|
|
'verification_operation_run_id' => (int) $run->getKey(),
|
|
],
|
|
'started_by_user_id' => (int) $user->getKey(),
|
|
'updated_by_user_id' => (int) $user->getKey(),
|
|
]);
|
|
|
|
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class, [
|
|
'onboardingDraft' => (int) $session->getKey(),
|
|
]);
|
|
|
|
expect($component->instance()->verificationSucceeded())->toBeFalse();
|
|
});
|