ahmido
3c38192405
## Summary This PR implements Spec 206 end to end and establishes the first checked-in test suite governance foundation for the platform app. Key changes: - add manifest-backed test lanes for fast-feedback, confidence, browser, heavy-governance, profiling, and junit - add budget and report helpers plus app-local artifact generation under `apps/platform/storage/logs/test-lanes` - add repo-root Sail-friendly lane/report wrappers - switch the default contributor test path to the fast-feedback lane - introduce explicit fixture profiles and cheaper defaults for shared tenant/provider test setup - add minimal/heavy factory states for tenant and provider connection setup - migrate the first high-usage and provider-sensitive tests to explicit fixture profiles - document budgets, taxonomy rules, DB reset guidance, and the full Spec 206 plan/contracts/tasks set ## Validation Executed during implementation: - focused Spec 206 guard/support/factory validation pack: 31 passed - provider-sensitive regression pack: 29 passed - first high-usage caller migration pack: 120 passed - lane routing and wrapper validation succeeded - pint completed successfully Measured lane baselines captured in docs: - fast-feedback: 176.74s - confidence: 394.38s - heavy-governance: 83.66s - browser: 128.87s - junit: 380.14s - profiling: 2701.51s - full-suite baseline anchor: 2624.60s ## Notes - Livewire v4 / Filament v5 runtime behavior is unchanged by this PR. - No new runtime routes, product UI flows, or database migrations are introduced. - Panel provider registration remains unchanged in `bootstrap/providers.php`. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #239
157 lines
6.0 KiB
PHP
157 lines
6.0 KiB
PHP
<?php
|
|
|
|
use App\Filament\Pages\ChooseTenant;
|
|
use App\Filament\Pages\TenantDashboard;
|
|
use App\Filament\Resources\TenantResource\Pages\ListTenants;
|
|
use App\Models\Tenant;
|
|
use App\Support\Auth\UiTooltips;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Gate;
|
|
use Illuminate\Support\Facades\Http;
|
|
use Livewire\Livewire;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
beforeEach(function (): void {
|
|
Http::preventStrayRequests();
|
|
});
|
|
|
|
test('readonly users may switch current tenant via ChooseTenant', function () {
|
|
[$user, $tenantA] = createUserWithTenant(role: 'readonly', fixtureProfile: 'credential-enabled');
|
|
|
|
$tenantB = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
'is_current' => false,
|
|
]);
|
|
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenantB->getKey() => ['role' => 'readonly'],
|
|
]);
|
|
|
|
$tenantB->makeCurrent();
|
|
|
|
expect($tenantA->fresh()->is_current)->toBeFalse();
|
|
expect($tenantB->fresh()->is_current)->toBeTrue();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ChooseTenant::class)
|
|
->call('selectTenant', $tenantA->getKey())
|
|
->assertRedirect(TenantDashboard::getUrl(tenant: $tenantA));
|
|
});
|
|
|
|
test('users cannot switch to a tenant they are not a member of', function () {
|
|
[$user] = createUserWithTenant(role: 'readonly', fixtureProfile: 'credential-enabled');
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
]);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ChooseTenant::class)
|
|
->call('selectTenant', $tenant->getKey())
|
|
->assertStatus(404);
|
|
});
|
|
|
|
test('readonly users cannot archive tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly', fixtureProfile: 'credential-enabled');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('archive', $tenant)
|
|
->assertTableActionExists('archive', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('archive', $tenant, [
|
|
'archive_reason' => 'Readonly users should not be able to archive tenants.',
|
|
]);
|
|
|
|
expect($tenant->fresh()->trashed())->toBeFalse();
|
|
});
|
|
|
|
test('readonly users cannot force delete tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly', fixtureProfile: 'credential-enabled');
|
|
|
|
$tenant->delete();
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('forceDelete', $tenant)
|
|
->assertTableActionExists('forceDelete', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('forceDelete', $tenant);
|
|
|
|
expect(Tenant::withTrashed()->find($tenant->getKey()))->not->toBeNull();
|
|
});
|
|
|
|
test('readonly users cannot verify tenant configuration', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly', fixtureProfile: 'credential-enabled');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('verify', $tenant)
|
|
->assertTableActionExists('verify', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('verify', $tenant);
|
|
});
|
|
|
|
test('readonly users cannot setup intune rbac', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly', fixtureProfile: 'credential-enabled');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('setup_rbac', $tenant);
|
|
});
|
|
|
|
test('readonly users cannot edit tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly', fixtureProfile: 'credential-enabled');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('edit', $tenant)
|
|
->assertTableActionExists('edit', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|
|
|
|
test('readonly users cannot open admin consent', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly', fixtureProfile: 'credential-enabled');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(\App\Filament\Resources\TenantResource::adminConsentUrl($tenant))->not->toBeNull();
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('admin_consent', $tenant)
|
|
->assertTableActionExists('admin_consent', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|
|
|
|
test('readonly users cannot start tenant sync from tenant menu', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly', fixtureProfile: 'credential-enabled');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_SYNC, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('syncTenant', $tenant)
|
|
->assertTableActionExists('syncTenant', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|