ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
46b11d3770
TenantAtlas/tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php
ahmido 1f3619bd16 feat: tenant-owned query canon and wrong-tenant guards (#180) 
## Summary
- introduce a shared tenant-owned query and record-resolution canon for first-slice Filament resources
- harden direct views, row actions, bulk actions, relation managers, and workspace-admin canonical viewers against wrong-tenant access
- add registry-backed rollout metadata, search posture handling, architectural guards, and focused Pest coverage for scope parity and 404/403 semantics

## Included
- Spec 150 package under `specs/150-tenant-owned-query-canon-and-wrong-tenant-guards/`
- shared support classes: `TenantOwnedModelFamilies`, `TenantOwnedQueryScope`, `TenantOwnedRecordResolver`
- shared Filament concern: `InteractsWithTenantOwnedRecords`
- resource/page/policy hardening across findings, policies, policy versions, backup schedules, backup sets, restore runs, inventory items, and Entra groups
- additional regression coverage for canonical tenant state, wrong-tenant record resolution, relation-manager congruence, and action-surface guardrails

## Validation
- `vendor/bin/sail artisan test --compact` passed
- full suite result: `2733 passed, 8 skipped`
- formatting applied with `vendor/bin/sail bin pint --dirty --format agent`

## Notes
- Livewire v4.0+ compliant via existing Filament v5 stack
- provider registration remains in `bootstrap/providers.php`
- globally searchable first-slice posture: Entra groups scoped; policies and policy versions explicitly disabled
- destructive actions continue to use confirmation and policy authorization
- no new Filament assets added; existing deployment flow remains unchanged, including `php artisan filament:assets` when registered assets are used

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #180
2026-03-18 08:33:13 +00:00

140 lines
4.2 KiB
PHP
Raw Blame History

<?php
use Illuminate\Support\Collection;
it('does not introduce ad-hoc authorization patterns in app/Filament (allowlist-driven)', function () {
$root = base_path();
$self = realpath(__FILE__);
$directories = [
$root.'/app/Filament',
];
$excludedPaths = [
$root.'/vendor',
$root.'/storage',
$root.'/specs',
$root.'/spechistory',
$root.'/references',
$root.'/public/build',
];
$allowlist = [
// NOTE: Shrink this list as files are migrated to UiEnforcement (Feature 066b).
'app/Filament/Pages/ChooseTenant.php',
'app/Filament/Pages/Tenancy/RegisterTenant.php',
'app/Filament/Resources/BackupScheduleResource.php',
'app/Filament/Resources/FindingResource.php',
'app/Filament/Resources/FindingResource/Pages/ListFindings.php',
'app/Filament/Resources/PolicyResource.php',
'app/Filament/Resources/PolicyResource/Pages/ListPolicies.php',
'app/Filament/Resources/PolicyResource/RelationManagers/VersionsRelationManager.php',
'app/Filament/Resources/PolicyVersionResource.php',
'app/Filament/Resources/TenantResource/RelationManagers/TenantMembershipsRelationManager.php',
'app/Filament/System/Pages/Dashboard.php',
];
$forbiddenPatterns = [
'/\\bGate::\\b/',
'/\\babort_(?:if|unless)\\b/',
];
/** @var Collection<int, string> $files */
$files = collect($directories)
->filter(fn (string $dir): bool => is_dir($dir))
->flatMap(function (string $dir): array {
$iterator = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
);
$paths = [];
foreach ($iterator as $file) {
if (! $file->isFile()) {
continue;
}
$path = $file->getPathname();
if (! str_ends_with($path, '.php')) {
continue;
}
$paths[] = $path;
}
return $paths;
})
->filter(function (string $path) use ($excludedPaths, $self): bool {
if ($self && realpath($path) === $self) {
return false;
}
foreach ($excludedPaths as $excluded) {
if (str_starts_with($path, $excluded)) {
return false;
}
}
return true;
})
->values();
$hits = [];
foreach ($files as $path) {
$relative = str_replace($root.'/', '', $path);
if (in_array($relative, $allowlist, true)) {
continue;
}
$contents = file_get_contents($path);
if (! is_string($contents) || $contents === '') {
continue;
}
foreach ($forbiddenPatterns as $pattern) {
if (! preg_match($pattern, $contents)) {
continue;
}
$lines = preg_split('/\R/', $contents) ?: [];
foreach ($lines as $index => $line) {
if (preg_match($pattern, $line)) {
$hits[] = $relative.':'.($index + 1).' -> '.trim($line);
}
}
}
}
expect($hits)->toBeEmpty(
"Ad-hoc Filament auth patterns found (remove allowlist entries as you migrate):\n".implode("\n", $hits)
);
});
it('keeps shared tenant-owned helper entry points free of ad-hoc authorization patterns', function (): void {
$sharedEntryPoints = [
'app/Filament/Concerns/InteractsWithTenantOwnedRecords.php',
'app/Filament/Concerns/ResolvesPanelTenantContext.php',
];
$forbiddenPatterns = [
'/\\bGate::\\b/',
'/\\babort_(?:if|unless)\\b/',
];
foreach ($sharedEntryPoints as $relativePath) {
$contents = file_get_contents(base_path($relativePath));
expect($contents)->not->toBeFalse();
foreach ($forbiddenPatterns as $pattern) {
expect(preg_match($pattern, (string) $contents))
->toBe(0, "Shared tenant-owned helper entry point should stay free of ad-hoc auth patterns: {$relativePath}");
}
}
});
Reference in New Issue View Git Blame Copy Permalink