ahmido
38d9826f5e
Implements workspace-first enforcement and UX: - Workspace selected before tenant flows; /admin routes into choose-workspace/choose-tenant - Tenant lists and default tenant selection are scoped to current workspace - Workspaces UI is tenantless at /admin/workspaces Security hardening: - Workspaces can never have 0 owners (blocks last-owner removal/demotion) - Blocked attempts are audited with action_id=workspace_membership.last_owner_blocked + required metadata - Optional break-glass recovery page to re-assign workspace owner (audited) Tests: - Added/updated Pest feature tests covering redirects, scoping, tenantless workspaces, last-owner guards, and break-glass recovery. Notes: - Filament v5 strict Page property signatures respected in RepairWorkspaceOwners. Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #86
146 lines
4.2 KiB
PHP
146 lines
4.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\Tenant;
|
|
use App\Models\TenantMembership;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Models\WorkspaceMembership;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Http;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
if (! function_exists('entra_build_jwt')) {
|
|
function entra_build_jwt(array $claims): string
|
|
{
|
|
$encode = static fn (array $data): string => rtrim(
|
|
strtr(base64_encode(json_encode($data, JSON_UNESCAPED_SLASHES) ?: ''), '+/', '-_'),
|
|
'='
|
|
);
|
|
|
|
return $encode(['alg' => 'none', 'typ' => 'JWT']).'.'.$encode($claims).'.';
|
|
}
|
|
}
|
|
|
|
function entra_configure_services(): void
|
|
{
|
|
config()->set('services.microsoft.client_id', 'test-client');
|
|
config()->set('services.microsoft.client_secret', 'test-secret');
|
|
config()->set('services.microsoft.redirect', 'http://localhost/auth/entra/callback');
|
|
config()->set('services.microsoft.tenant', 'organizations');
|
|
}
|
|
|
|
function entra_fake_token_exchange(string $tid, string $oid): void
|
|
{
|
|
Http::fake([
|
|
'https://login.microsoftonline.com/*/oauth2/v2.0/token' => Http::response([
|
|
'id_token' => entra_build_jwt([
|
|
'tid' => $tid,
|
|
'oid' => $oid,
|
|
'preferred_username' => 'user@example.com',
|
|
'name' => 'Test User',
|
|
]),
|
|
]),
|
|
]);
|
|
}
|
|
|
|
it('routes to no-access when user has no tenant memberships', function () {
|
|
entra_configure_services();
|
|
entra_fake_token_exchange('tenant-1', 'object-1');
|
|
|
|
User::factory()->create([
|
|
'entra_tenant_id' => 'tenant-1',
|
|
'entra_object_id' => 'object-1',
|
|
]);
|
|
|
|
$state = 'state-123';
|
|
|
|
$response = $this
|
|
->withSession(['entra_state' => $state])
|
|
->get(route('auth.entra.callback', ['code' => 'code-123', 'state' => $state]));
|
|
|
|
$response->assertRedirect('/admin/no-access');
|
|
});
|
|
|
|
it('routes to tenant dashboard when user has exactly one tenant membership', function () {
|
|
entra_configure_services();
|
|
entra_fake_token_exchange('tenant-1', 'object-1');
|
|
|
|
$user = User::factory()->create([
|
|
'entra_tenant_id' => 'tenant-1',
|
|
'entra_object_id' => 'object-1',
|
|
]);
|
|
|
|
$workspace = Workspace::factory()->create();
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => $workspace->getKey(),
|
|
'user_id' => $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
'workspace_id' => $workspace->getKey(),
|
|
]);
|
|
|
|
TenantMembership::query()->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'user_id' => $user->getKey(),
|
|
'role' => 'owner',
|
|
'source' => 'manual',
|
|
'source_ref' => null,
|
|
'created_by_user_id' => null,
|
|
]);
|
|
|
|
$state = 'state-123';
|
|
|
|
$response = $this
|
|
->withSession(['entra_state' => $state])
|
|
->get(route('auth.entra.callback', ['code' => 'code-123', 'state' => $state]));
|
|
|
|
$response->assertRedirect('/admin');
|
|
});
|
|
|
|
it('routes to choose-tenant when user has multiple tenant memberships', function () {
|
|
entra_configure_services();
|
|
entra_fake_token_exchange('tenant-1', 'object-1');
|
|
|
|
$user = User::factory()->create([
|
|
'entra_tenant_id' => 'tenant-1',
|
|
'entra_object_id' => 'object-1',
|
|
]);
|
|
|
|
$workspace = Workspace::factory()->create();
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => $workspace->getKey(),
|
|
'user_id' => $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
$tenants = Tenant::factory()->count(2)->create([
|
|
'status' => 'active',
|
|
'workspace_id' => $workspace->getKey(),
|
|
]);
|
|
|
|
foreach ($tenants as $tenant) {
|
|
TenantMembership::query()->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'user_id' => $user->getKey(),
|
|
'role' => 'owner',
|
|
'source' => 'manual',
|
|
'source_ref' => null,
|
|
'created_by_user_id' => null,
|
|
]);
|
|
}
|
|
|
|
$state = 'state-123';
|
|
|
|
$response = $this
|
|
->withSession(['entra_state' => $state])
|
|
->get(route('auth.entra.callback', ['code' => 'code-123', 'state' => $state]));
|
|
|
|
$response->assertRedirect('/admin');
|
|
});
|