ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
4db8030f2a
TenantAtlas/app/Http/Controllers/AdminConsentCallbackController.php
ahmido 4db8030f2a Spec 081: Provider connection cutover (#98) 
Implements Spec 081 provider-connection cutover.

Highlights:
- Adds provider connection resolution + gating for operations/verification.
- Adds provider credential observer wiring.
- Updates Filament tenant verify flow to block with next-steps when provider connection isn’t ready.
- Adds spec docs under specs/081-provider-connection-cutover/ and extensive Spec081 test coverage.

Tests:
- vendor/bin/sail artisan test --compact tests/Feature/Filament/TenantSetupTest.php
- Focused suites for ProviderConnections/Verification ran during implementation (see local logs).

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #98
2026-02-08 11:28:51 +00:00

160 lines
4.9 KiB
PHP
Raw Blame History

<?php
namespace App\Http\Controllers;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Services\Intune\AuditLogger;
use App\Support\Providers\ProviderReasonCodes;
use Illuminate\Http\Request;
use Illuminate\View\View;
use Symfony\Component\HttpFoundation\Response as ResponseAlias;
class AdminConsentCallbackController extends Controller
{
/**
* Handle the incoming request.
*/
public function __invoke(
Request $request,
AuditLogger $auditLogger,
): View {
$expectedState = $request->session()->pull('tenant_onboard_state');
$tenantKey = $request->string('tenant')->toString();
$state = $request->string('state')->toString();
$tenantIdentifier = $tenantKey ?: $this->parseState($state);
if ($expectedState && $expectedState !== $state) {
abort(ResponseAlias::HTTP_FORBIDDEN, 'Invalid consent state');
}
abort_if(empty($tenantIdentifier), 404);
$tenant = $this->resolveTenant($tenantIdentifier);
$error = $request->string('error')->toString() ?: null;
$consentGranted = $request->has('admin_consent')
? filter_var($request->input('admin_consent'), FILTER_VALIDATE_BOOLEAN)
: null;
$status = match (true) {
$error !== null => 'error',
$consentGranted === false => 'consent_denied',
$consentGranted === true => 'ok',
default => 'pending',
};
$connection = $this->upsertProviderConnectionForConsent(
tenant: $tenant,
status: $status,
error: $error,
);
$auditLogger->log(
tenant: $tenant,
action: 'tenant.consent.callback',
context: [
'metadata' => [
'status' => $status,
'state' => $state,
'error' => $error,
'consent' => $consentGranted,
'provider_connection_id' => (int) $connection->getKey(),
],
],
status: $status === 'ok' ? 'success' : 'error',
resourceType: 'tenant',
resourceId: (string) $tenant->id,
);
return view('admin-consent-callback', [
'tenant' => $tenant,
'status' => $status,
'error' => $error,
'consentGranted' => $consentGranted,
]);
}
private function resolveTenant(string $tenantIdentifier): Tenant
{
/** @var Tenant|null $tenant */
$tenant = Tenant::withTrashed()
->forTenant($tenantIdentifier)
->first();
if ($tenant?->trashed()) {
$tenant->restore();
}
if ($tenant instanceof Tenant) {
return $tenant;
}
return Tenant::create([
'tenant_id' => $tenantIdentifier,
'name' => 'New Tenant',
]);
}
private function upsertProviderConnectionForConsent(Tenant $tenant, string $status, ?string $error): ProviderConnection
{
$hasDefault = ProviderConnection::query()
->where('tenant_id', (int) $tenant->getKey())
->where('provider', 'microsoft')
->where('is_default', true)
->exists();
$connectionStatus = match ($status) {
'ok' => 'connected',
'error' => 'error',
'consent_denied' => 'needs_consent',
default => 'needs_consent',
};
$reasonCode = match ($status) {
'ok' => null,
'consent_denied' => ProviderReasonCodes::ProviderConsentMissing,
'error' => ProviderReasonCodes::ProviderAuthFailed,
default => ProviderReasonCodes::ProviderConsentMissing,
};
$connection = ProviderConnection::query()->updateOrCreate(
[
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => (string) ($tenant->graphTenantId() ?? $tenant->tenant_id ?? $tenant->external_id),
],
[
'workspace_id' => (int) $tenant->workspace_id,
'display_name' => (string) ($tenant->name ?? 'Microsoft Connection'),
'status' => $connectionStatus,
'health_status' => $connectionStatus === 'connected' ? 'unknown' : 'degraded',
'last_error_reason_code' => $reasonCode,
'last_error_message' => $error,
'is_default' => $hasDefault ? false : true,
],
);
if (! $hasDefault && ! $connection->is_default) {
$connection->makeDefault();
}
return $connection;
}
private function parseState(?string $state): ?string
{
if (empty($state)) {
return null;
}
if (str_contains($state, '|')) {
[, $value] = explode('|', $state, 2);
return $value;
}
return $state;
}
}
Reference in New Issue View Git Blame Copy Permalink