ahmido
98e2b5acd9
## Summary - add canonical managed-tenant onboarding draft routing with explicit draft identity and landing vs concrete draft behavior - implement draft lifecycle, authorization, attribution, picker UX, resume-stage resolution, and auditable cancel or completion semantics - add focused feature, unit, and browser coverage plus Spec 138 artifacts for the onboarding draft resume flow ## Validation - `vendor/bin/sail artisan test --compact tests/Feature/ManagedTenantOnboardingWizardTest.php tests/Feature/Audit/OnboardingDraftAuditTest.php tests/Feature/Onboarding/OnboardingDraftAccessTest.php tests/Feature/Onboarding/OnboardingDraftAuthorizationTest.php tests/Feature/Onboarding/OnboardingDraftLifecycleTest.php tests/Feature/Onboarding/OnboardingDraftMultiTabTest.php tests/Feature/Onboarding/OnboardingDraftPickerTest.php tests/Feature/Onboarding/OnboardingDraftRoutingTest.php tests/Feature/Onboarding/OnboardingRbacSemanticsTest.php tests/Feature/Onboarding/OnboardingVerificationClustersTest.php tests/Feature/Onboarding/OnboardingVerificationTest.php tests/Feature/Onboarding/OnboardingVerificationV1_5UxTest.php tests/Feature/Verification/VerificationReportViewerDbOnlyTest.php tests/Unit/Onboarding tests/Unit/VerificationReportSanitizerEvidenceKindsTest.php tests/Browser/OnboardingDraftRefreshTest.php tests/Browser/OnboardingDraftVerificationResumeTest.php` - passed: 69 tests, 251 assertions Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #167
303 lines
11 KiB
PHP
303 lines
11 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard;
|
|
use App\Models\AuditLog;
|
|
use App\Models\OperationRun;
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\Tenant;
|
|
use App\Models\TenantOnboardingSession;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Models\WorkspaceMembership;
|
|
use App\Support\Audit\AuditActionId;
|
|
use App\Support\OperationRunOutcome;
|
|
use App\Support\OperationRunStatus;
|
|
use App\Support\Verification\VerificationReportWriter;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Filament\Actions\Testing\TestAction;
|
|
use Illuminate\Support\Facades\Bus;
|
|
use Livewire\Livewire;
|
|
|
|
it('records start and resume audit events for onboarding drafts', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ManagedTenantOnboardingWizard::class)
|
|
->call('identifyManagedTenant', [
|
|
'entra_tenant_id' => '11111111-1111-1111-1111-111111111111',
|
|
'environment' => 'prod',
|
|
'name' => 'Audit Tenant',
|
|
]);
|
|
|
|
$firstDraft = TenantOnboardingSession::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('entra_tenant_id', '11111111-1111-1111-1111-111111111111')
|
|
->firstOrFail();
|
|
|
|
createOnboardingDraft([
|
|
'workspace' => $workspace,
|
|
'started_by' => $user,
|
|
'updated_by' => $user,
|
|
'entra_tenant_id' => '22222222-2222-2222-2222-222222222222',
|
|
'state' => [
|
|
'entra_tenant_id' => '22222222-2222-2222-2222-222222222222',
|
|
'tenant_name' => 'Stability Draft',
|
|
],
|
|
]);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ManagedTenantOnboardingWizard::class)
|
|
->call('identifyManagedTenant', [
|
|
'entra_tenant_id' => '11111111-1111-1111-1111-111111111111',
|
|
'environment' => 'prod',
|
|
'name' => 'Audit Tenant',
|
|
])
|
|
->assertRedirect(route('admin.onboarding.draft', ['onboardingDraft' => $firstDraft->getKey()]));
|
|
|
|
expect(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingStart->value)
|
|
->exists())->toBeTrue()
|
|
->and(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingResume->value)
|
|
->exists())->toBeTrue();
|
|
});
|
|
|
|
it('records explicit draft selection and draft update audit entries', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$draft = createOnboardingDraft([
|
|
'workspace' => $workspace,
|
|
'started_by' => $user,
|
|
'updated_by' => $user,
|
|
'state' => [
|
|
'entra_tenant_id' => '33333333-3333-3333-3333-333333333333',
|
|
'tenant_name' => 'Selectable Draft',
|
|
],
|
|
]);
|
|
|
|
createOnboardingDraft([
|
|
'workspace' => $workspace,
|
|
'started_by' => $user,
|
|
'updated_by' => $user,
|
|
'state' => [
|
|
'entra_tenant_id' => '44444444-4444-4444-4444-444444444444',
|
|
'tenant_name' => 'Other Draft',
|
|
],
|
|
]);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ManagedTenantOnboardingWizard::class)
|
|
->callAction(
|
|
TestAction::make('resume_draft_'.$draft->getKey())
|
|
->schemaComponent('draft_picker_actions_'.$draft->getKey())
|
|
)
|
|
->assertRedirect(route('admin.onboarding.draft', ['onboardingDraft' => $draft->getKey()]));
|
|
|
|
expect(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingDraftSelected->value)
|
|
->where('resource_id', (string) $draft->getKey())
|
|
->exists())->toBeTrue();
|
|
|
|
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class, [
|
|
'onboardingDraft' => (int) $draft->getKey(),
|
|
]);
|
|
|
|
$touchStep = \Closure::bind(function (string $step): void {
|
|
$this->touchOnboardingSessionStep($step);
|
|
}, $component->instance(), $component->instance()::class);
|
|
|
|
$touchStep('verify');
|
|
|
|
expect(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingDraftUpdated->value)
|
|
->where('resource_id', (string) $draft->getKey())
|
|
->exists())->toBeTrue();
|
|
});
|
|
|
|
it('records provider, verification, bootstrap, and cancellation audit entries', function (): void {
|
|
Bus::fake();
|
|
|
|
$workspace = Workspace::factory()->create();
|
|
$tenant = Tenant::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'status' => Tenant::STATUS_ONBOARDING,
|
|
]);
|
|
$user = User::factory()->create();
|
|
|
|
createUserWithTenant(
|
|
tenant: $tenant,
|
|
user: $user,
|
|
role: 'owner',
|
|
workspaceRole: 'owner',
|
|
ensureDefaultMicrosoftProviderConnection: false,
|
|
);
|
|
|
|
$connection = ProviderConnection::factory()->platform()->consentGranted()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => (string) $tenant->tenant_id,
|
|
'display_name' => 'Audit Connection',
|
|
'is_default' => true,
|
|
'status' => 'connected',
|
|
]);
|
|
|
|
$draft = createOnboardingDraft([
|
|
'workspace' => $workspace,
|
|
'tenant' => $tenant,
|
|
'started_by' => $user,
|
|
'updated_by' => $user,
|
|
'current_step' => 'connection',
|
|
'state' => [
|
|
'entra_tenant_id' => (string) $tenant->tenant_id,
|
|
'tenant_name' => (string) $tenant->name,
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
],
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class, [
|
|
'onboardingDraft' => (int) $draft->getKey(),
|
|
]);
|
|
|
|
$component->call('selectProviderConnection', (int) $connection->getKey());
|
|
$component->call('startVerification');
|
|
|
|
$draft->refresh();
|
|
|
|
$verificationRunId = (int) ($draft->state['verification_operation_run_id'] ?? 0);
|
|
$verificationRun = OperationRun::query()->findOrFail($verificationRunId);
|
|
$verificationRun->update([
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Succeeded->value,
|
|
'context' => array_merge(is_array($verificationRun->context) ? $verificationRun->context : [], [
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
]),
|
|
]);
|
|
|
|
$component->call('startBootstrap', ['inventory_sync']);
|
|
|
|
$component
|
|
->mountAction('cancel_onboarding_draft')
|
|
->callMountedAction()
|
|
->assertNotified('Onboarding draft cancelled');
|
|
|
|
expect(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingProviderConnectionChanged->value)
|
|
->exists())->toBeTrue()
|
|
->and(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingVerificationStart->value)
|
|
->exists())->toBeTrue()
|
|
->and(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingVerificationPersisted->value)
|
|
->exists())->toBeTrue()
|
|
->and(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingBootstrapStarted->value)
|
|
->exists())->toBeTrue()
|
|
->and(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingCancelled->value)
|
|
->exists())->toBeTrue();
|
|
});
|
|
|
|
it('records activation override audit entries when activation bypasses a blocked verification result', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
|
|
|
|
$component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class);
|
|
|
|
$component->call('identifyManagedTenant', [
|
|
'entra_tenant_id' => '55555555-5555-5555-5555-555555555555',
|
|
'environment' => 'prod',
|
|
'name' => 'Override Tenant',
|
|
]);
|
|
|
|
$component->call('createProviderConnection', [
|
|
'display_name' => 'Override Connection',
|
|
'client_id' => '00000000-0000-0000-0000-000000000000',
|
|
'client_secret' => 'super-secret',
|
|
'is_default' => true,
|
|
]);
|
|
|
|
$component->call('startVerification');
|
|
|
|
$tenant = Tenant::query()->where('tenant_id', '55555555-5555-5555-5555-555555555555')->firstOrFail();
|
|
|
|
$run = OperationRun::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('type', 'provider.connection.check')
|
|
->latest('id')
|
|
->firstOrFail();
|
|
|
|
$run->update([
|
|
'status' => OperationRunStatus::Completed->value,
|
|
'outcome' => OperationRunOutcome::Failed->value,
|
|
'context' => array_merge(is_array($run->context) ? $run->context : [], [
|
|
'verification_report' => VerificationReportWriter::build('provider.connection.check', [
|
|
[
|
|
'key' => 'permission_check',
|
|
'title' => 'Graph permissions',
|
|
'status' => 'fail',
|
|
'severity' => 'high',
|
|
'blocking' => true,
|
|
'reason_code' => 'permission_denied',
|
|
'message' => 'Missing required Graph permissions.',
|
|
'evidence' => [],
|
|
'next_steps' => [],
|
|
],
|
|
]),
|
|
]),
|
|
]);
|
|
|
|
$component
|
|
->set('data.override_blocked', true)
|
|
->set('data.override_reason', 'Approved exception for onboarding continuity')
|
|
->call('completeOnboarding');
|
|
|
|
expect(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingActivationOverrideUsed->value)
|
|
->exists())->toBeTrue()
|
|
->and(AuditLog::query()
|
|
->where('workspace_id', (int) $workspace->getKey())
|
|
->where('action', AuditActionId::ManagedTenantOnboardingActivation->value)
|
|
->exists())->toBeTrue();
|
|
});
|