ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
38fa4cdea1
TenantAtlas/app/Jobs/Operations/TenantSyncWorkerJob.php
ahmido d90fb0f963 065-tenant-rbac-v1 (#79) 
PR Body
Implements Spec 065 “Tenant RBAC v1” with capabilities-first RBAC, tenant membership scoping (Option 3), and consistent Filament action semantics.

Key decisions / rules

Tenancy Option 3: tenant switching is tenantless (ChooseTenant), tenant-scoped routes stay scoped, non-members get 404 (not 403).
RBAC model: canonical capability registry + role→capability map + Gates for each capability (no role-string checks in UI logic).
UX policy: for tenant members lacking permission → actions are visible but disabled + tooltip (avoid click→403).
Security still enforced server-side.
What’s included

Capabilities foundation:
Central capability registry (Capabilities::*)
Role→capability mapping (RoleCapabilityMap)
Gate registration + resolver/manager updates to support tenant-scoped authorization
Filament enforcement hardening across the app:
Tenant registration & tenant CRUD properly gated
Backup/restore/policy flows aligned to “visible-but-disabled” where applicable
Provider operations (health check / inventory sync / compliance snapshot) guarded and normalized
Directory groups + inventory sync start surfaces normalized
Policy version maintenance actions (archive/restore/prune/force delete) gated
SpecKit artifacts for 065:
spec.md, plan/tasks updates, checklists, enforcement hitlist
Security guarantees

Non-member → 404 via tenant scoping/membership guards.
Member without capability → 403 on execution, even if UI is disabled.
No destructive actions execute without proper authorization checks.
Tests

Adds/updates Pest coverage for:
Tenant scoping & membership denial behavior
Role matrix expectations (owner/manager/operator/readonly)
Filament surface checks (visible/disabled actions, no side effects)
Provider/Inventory/Groups run-start authorization
Verified locally with targeted vendor/bin/sail artisan test --compact …
Deployment / ops notes

No new services required.
Safe change: behavior is authorization + UI semantics; no breaking route changes intended.

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #79
2026-01-28 21:09:47 +00:00

139 lines
4.0 KiB
PHP
Raw Blame History

<?php
namespace App\Jobs\Operations;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Intune\PolicySyncService;
use App\Services\OperationRunService;
use App\Services\Operations\TargetScopeConcurrencyLimiter;
use App\Support\Auth\Capabilities;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\Gate;
use RuntimeException;
use Throwable;
class TenantSyncWorkerJob implements ShouldQueue
{
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
public ?OperationRun $operationRun = null;
/**
* @param array<string, mixed> $context
*/
public function __construct(
public int $tenantId,
public int $userId,
?OperationRun $operationRun = null,
public array $context = [],
) {
$this->operationRun = $operationRun;
}
public function handle(
OperationRunService $runs,
TargetScopeConcurrencyLimiter $limiter,
PolicySyncService $syncService,
): void {
if (! $this->operationRun instanceof OperationRun) {
throw new RuntimeException('OperationRun is required for tenant sync worker.');
}
$this->operationRun->refresh();
if ($this->operationRun->status === 'completed') {
return;
}
$lock = null;
try {
$tenant = Tenant::query()->whereKey($this->tenantId)->first();
if (! $tenant instanceof Tenant) {
$runs->incrementSummaryCounts($this->operationRun, [
'processed' => 1,
'failed' => 1,
]);
$runs->appendFailures($this->operationRun, [[
'code' => 'tenant.not_found',
'message' => 'Tenant '.$this->tenantId.' not found.',
]]);
$runs->maybeCompleteBulkRun($this->operationRun);
return;
}
$lock = $limiter->acquireSlot($tenant->getKey(), [
'entra_tenant_id' => (string) ($tenant->tenant_id ?? $tenant->external_id),
]);
if (! $lock) {
$delay = (int) config('tenantpilot.bulk_operations.poll_interval_seconds', 3);
$this->release(max(1, $delay));
return;
}
if (! $tenant->isActive()) {
$runs->incrementSummaryCounts($this->operationRun, [
'processed' => 1,
'skipped' => 1,
]);
$runs->maybeCompleteBulkRun($this->operationRun);
return;
}
$user = User::query()->whereKey($this->userId)->first();
if (! $user instanceof User || ! Gate::forUser($user)->allows(Capabilities::TENANT_SYNC, $tenant)) {
$runs->incrementSummaryCounts($this->operationRun, [
'processed' => 1,
'skipped' => 1,
]);
$runs->maybeCompleteBulkRun($this->operationRun);
return;
}
$supported = config('tenantpilot.supported_policy_types', []);
$syncService->syncPolicies($tenant, $supported);
$runs->incrementSummaryCounts($this->operationRun, [
'processed' => 1,
'succeeded' => 1,
]);
$runs->maybeCompleteBulkRun($this->operationRun);
} catch (Throwable $e) {
$runs->incrementSummaryCounts($this->operationRun, [
'processed' => 1,
'failed' => 1,
]);
$runs->appendFailures($this->operationRun, [[
'code' => 'tenant.sync_failed',
'message' => $e->getMessage(),
]]);
$runs->maybeCompleteBulkRun($this->operationRun);
throw $e;
} finally {
$lock?->release();
}
}
}
Reference in New Issue View Git Blame Copy Permalink