3b1dd98f52
This commit introduces a comprehensive Role-Based Access Control (RBAC) system for TenantAtlas. - Implements authentication via Microsoft Entra ID (OIDC). - Manages authorization on a per-Suite-Tenant basis using a table. - Follows a capabilities-first approach, using Gates and Policies. - Includes a break-glass mechanism for platform superadmins. - Adds policies for bootstrapping tenants and managing admin responsibilities.
107 lines
3.4 KiB
PHP
107 lines
3.4 KiB
PHP
<?php
|
|
|
|
namespace App\Filament\Pages\Tenancy;
|
|
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Services\Intune\AuditLogger;
|
|
use App\Support\TenantRole;
|
|
use Filament\Forms;
|
|
use Filament\Pages\Tenancy\RegisterTenant as BaseRegisterTenant;
|
|
use Filament\Schemas\Schema;
|
|
use Illuminate\Database\Eloquent\Model;
|
|
|
|
class RegisterTenant extends BaseRegisterTenant
|
|
{
|
|
public static function getLabel(): string
|
|
{
|
|
return 'Register tenant';
|
|
}
|
|
|
|
public static function canView(): bool
|
|
{
|
|
return true;
|
|
}
|
|
|
|
public function form(Schema $schema): Schema
|
|
{
|
|
return $schema
|
|
->schema([
|
|
Forms\Components\TextInput::make('name')
|
|
->required()
|
|
->maxLength(255),
|
|
Forms\Components\Select::make('environment')
|
|
->options([
|
|
'prod' => 'PROD',
|
|
'dev' => 'DEV',
|
|
'staging' => 'STAGING',
|
|
'other' => 'Other',
|
|
])
|
|
->default('other')
|
|
->required(),
|
|
Forms\Components\TextInput::make('tenant_id')
|
|
->label('Tenant ID (GUID)')
|
|
->required()
|
|
->maxLength(255)
|
|
->unique(ignoreRecord: true),
|
|
Forms\Components\TextInput::make('domain')
|
|
->label('Primary domain')
|
|
->maxLength(255),
|
|
Forms\Components\TextInput::make('app_client_id')
|
|
->label('App Client ID')
|
|
->maxLength(255),
|
|
Forms\Components\TextInput::make('app_client_secret')
|
|
->label('App Client Secret')
|
|
->password()
|
|
->dehydrateStateUsing(fn ($state) => filled($state) ? $state : null)
|
|
->dehydrated(fn ($state) => filled($state)),
|
|
Forms\Components\TextInput::make('app_certificate_thumbprint')
|
|
->label('Certificate thumbprint')
|
|
->maxLength(255),
|
|
Forms\Components\Textarea::make('app_notes')
|
|
->label('Notes')
|
|
->rows(3),
|
|
]);
|
|
}
|
|
|
|
/**
|
|
* @param array<string, mixed> $data
|
|
*/
|
|
protected function handleRegistration(array $data): Model
|
|
{
|
|
$tenant = Tenant::create($data);
|
|
|
|
$user = auth()->user();
|
|
|
|
if ($user instanceof User) {
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenant->getKey() => [
|
|
'role' => TenantRole::Owner->value,
|
|
'source' => 'manual',
|
|
'created_by_user_id' => $user->getKey(),
|
|
],
|
|
]);
|
|
|
|
app(AuditLogger::class)->log(
|
|
tenant: $tenant,
|
|
action: 'tenant_membership.bootstrap_assign',
|
|
context: [
|
|
'metadata' => [
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => TenantRole::Owner->value,
|
|
'source' => 'manual',
|
|
],
|
|
],
|
|
actorId: (int) $user->getKey(),
|
|
actorEmail: $user->email,
|
|
actorName: $user->name,
|
|
status: 'success',
|
|
resourceType: 'tenant',
|
|
resourceId: (string) $tenant->getKey(),
|
|
);
|
|
}
|
|
|
|
return $tenant;
|
|
}
|
|
}
|