ahmido
4db8030f2a
Implements Spec 081 provider-connection cutover. Highlights: - Adds provider connection resolution + gating for operations/verification. - Adds provider credential observer wiring. - Updates Filament tenant verify flow to block with next-steps when provider connection isn’t ready. - Adds spec docs under specs/081-provider-connection-cutover/ and extensive Spec081 test coverage. Tests: - vendor/bin/sail artisan test --compact tests/Feature/Filament/TenantSetupTest.php - Focused suites for ProviderConnections/Verification ran during implementation (see local logs). Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #98
127 lines
4.6 KiB
PHP
127 lines
4.6 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\AuditLog;
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\ProviderCredential;
|
|
use App\Services\Providers\CredentialManager;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('Spec081 audits credential creation with stable action and no secret leakage', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
$secret = 'spec081-secret-created';
|
|
|
|
$this->actingAs($user);
|
|
|
|
app(CredentialManager::class)->upsertClientSecretCredential(
|
|
connection: $connection,
|
|
clientId: 'spec081-client-created',
|
|
clientSecret: $secret,
|
|
);
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_created')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->actor_id)->toBe((int) $user->getKey())
|
|
->and($log?->metadata['provider_connection_id'] ?? null)->toBe((int) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_id')
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_secret')
|
|
->and($log?->metadata['redacted_fields'] ?? [])->toContain('client_secret')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain($secret);
|
|
});
|
|
|
|
it('Spec081 audits client id updates as credentials_updated without leaking secrets', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
ProviderCredential::factory()->create([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'payload' => [
|
|
'client_id' => 'spec081-client-before',
|
|
'client_secret' => 'spec081-secret-before',
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user);
|
|
|
|
app(CredentialManager::class)->updateClientIdPreservingSecret(
|
|
connection: $connection,
|
|
clientId: 'spec081-client-after',
|
|
);
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_updated')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_id')
|
|
->and($log?->metadata['changed_fields'] ?? [])->not->toContain('client_secret')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain('spec081-secret-before');
|
|
});
|
|
|
|
it('Spec081 audits secret rotation as credentials_rotated with redacted metadata', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
ProviderCredential::factory()->create([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'payload' => [
|
|
'client_id' => 'spec081-client-stable',
|
|
'client_secret' => 'spec081-secret-before-rotate',
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user);
|
|
|
|
$rotatedSecret = 'spec081-secret-after-rotate';
|
|
|
|
app(CredentialManager::class)->upsertClientSecretCredential(
|
|
connection: $connection,
|
|
clientId: 'spec081-client-stable',
|
|
clientSecret: $rotatedSecret,
|
|
);
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_rotated')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_secret')
|
|
->and($log?->metadata['redacted_fields'] ?? [])->toContain('client_secret')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain($rotatedSecret);
|
|
});
|