ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
29385a88e4
TenantAtlas/tests/Feature/Audit/TenantMembershipAuditLogTest.php
ahmido d90fb0f963 065-tenant-rbac-v1 (#79) 
PR Body
Implements Spec 065 “Tenant RBAC v1” with capabilities-first RBAC, tenant membership scoping (Option 3), and consistent Filament action semantics.

Key decisions / rules

Tenancy Option 3: tenant switching is tenantless (ChooseTenant), tenant-scoped routes stay scoped, non-members get 404 (not 403).
RBAC model: canonical capability registry + role→capability map + Gates for each capability (no role-string checks in UI logic).
UX policy: for tenant members lacking permission → actions are visible but disabled + tooltip (avoid click→403).
Security still enforced server-side.
What’s included

Capabilities foundation:
Central capability registry (Capabilities::*)
Role→capability mapping (RoleCapabilityMap)
Gate registration + resolver/manager updates to support tenant-scoped authorization
Filament enforcement hardening across the app:
Tenant registration & tenant CRUD properly gated
Backup/restore/policy flows aligned to “visible-but-disabled” where applicable
Provider operations (health check / inventory sync / compliance snapshot) guarded and normalized
Directory groups + inventory sync start surfaces normalized
Policy version maintenance actions (archive/restore/prune/force delete) gated
SpecKit artifacts for 065:
spec.md, plan/tasks updates, checklists, enforcement hitlist
Security guarantees

Non-member → 404 via tenant scoping/membership guards.
Member without capability → 403 on execution, even if UI is disabled.
No destructive actions execute without proper authorization checks.
Tests

Adds/updates Pest coverage for:
Tenant scoping & membership denial behavior
Role matrix expectations (owner/manager/operator/readonly)
Filament surface checks (visible/disabled actions, no side effects)
Provider/Inventory/Groups run-start authorization
Verified locally with targeted vendor/bin/sail artisan test --compact …
Deployment / ops notes

No new services required.
Safe change: behavior is authorization + UI semantics; no breaking route changes intended.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #79
2026-01-28 21:09:47 +00:00

131 lines
4.0 KiB
PHP
Raw Blame History

<?php
use App\Models\AuditLog;
use App\Models\TenantMembership;
use App\Models\User;
use App\Services\Auth\TenantMembershipManager;
use App\Support\Audit\AuditActionId;
it('writes canonical audit action IDs for membership mutations', function () {
[$owner, $tenant] = createUserWithTenant(role: 'owner');
$member = User::factory()->create();
/** @var TenantMembershipManager $manager */
$manager = app(TenantMembershipManager::class);
$membership = $manager->addMember(
tenant: $tenant,
actor: $owner,
member: $member,
role: 'readonly',
source: 'manual',
);
$manager->changeRole(
tenant: $tenant,
actor: $owner,
membership: $membership,
newRole: 'operator',
);
$manager->removeMember(
tenant: $tenant,
actor: $owner,
membership: $membership,
);
$logs = AuditLog::query()
->where('tenant_id', $tenant->id)
->whereIn('action', [
AuditActionId::TenantMembershipAdd->value,
AuditActionId::TenantMembershipRoleChange->value,
AuditActionId::TenantMembershipRemove->value,
])
->get()
->keyBy('action');
expect($logs)->toHaveCount(3);
$addLog = $logs->get(AuditActionId::TenantMembershipAdd->value);
$roleChangeLog = $logs->get(AuditActionId::TenantMembershipRoleChange->value);
$removeLog = $logs->get(AuditActionId::TenantMembershipRemove->value);
expect($addLog)->not->toBeNull();
expect($roleChangeLog)->not->toBeNull();
expect($removeLog)->not->toBeNull();
expect($addLog->status)->toBe('success');
expect($roleChangeLog->status)->toBe('success');
expect($removeLog->status)->toBe('success');
expect($addLog->metadata)
->toHaveKey('member_user_id', $member->id)
->toHaveKey('role', 'readonly')
->toHaveKey('source', 'manual')
->not->toHaveKey('member_email')
->not->toHaveKey('member_name');
expect($roleChangeLog->metadata)
->toHaveKey('member_user_id', $member->id)
->toHaveKey('from_role', 'readonly')
->toHaveKey('to_role', 'operator')
->not->toHaveKey('member_email')
->not->toHaveKey('member_name');
expect($removeLog->metadata)
->toHaveKey('member_user_id', $member->id)
->toHaveKey('role', 'operator')
->not->toHaveKey('member_email')
->not->toHaveKey('member_name');
});
it('writes a last-owner-blocked audit log when demoting or removing the last owner', function () {
[$owner, $tenant] = createUserWithTenant(role: 'owner');
$membership = TenantMembership::query()
->where('tenant_id', $tenant->id)
->where('user_id', $owner->id)
->firstOrFail();
/** @var TenantMembershipManager $manager */
$manager = app(TenantMembershipManager::class);
expect(fn () => $manager->changeRole(
tenant: $tenant,
actor: $owner,
membership: $membership,
newRole: 'manager',
))->toThrow(DomainException::class);
expect(fn () => $manager->removeMember(
tenant: $tenant,
actor: $owner,
membership: $membership,
))->toThrow(DomainException::class);
$blockedLogs = AuditLog::query()
->where('tenant_id', $tenant->id)
->where('action', AuditActionId::TenantMembershipLastOwnerBlocked->value)
->where('status', 'blocked')
->get();
expect($blockedLogs->count())->toBeGreaterThanOrEqual(2);
expect($blockedLogs->contains(fn (AuditLog $log): bool => (
($log->metadata['member_user_id'] ?? null) === $owner->id
&& ($log->metadata['attempted_to_role'] ?? null) === 'manager'
)))->toBeTrue();
expect($blockedLogs->contains(fn (AuditLog $log): bool => (
($log->metadata['member_user_id'] ?? null) === $owner->id
&& ($log->metadata['attempted_action'] ?? null) === 'remove'
)))->toBeTrue();
foreach ($blockedLogs as $log) {
expect($log->metadata)
->not->toHaveKey('member_email')
->not->toHaveKey('member_name');
}
});
Reference in New Issue View Git Blame Copy Permalink