ahmido
110245a9ec
Some checks are pending
Main Confidence / confidence (push) Waiting to run
## Summary - add a shared provider target-scope descriptor, normalizer, identity-context metadata, and surface-summary layer - update provider connection list, detail, create, edit, and onboarding surfaces to use neutral target-scope vocabulary while keeping Microsoft identity contextual - align provider connection audit and resolver output with the neutral target-scope contract and add focused guard/unit/feature coverage for regressions ## Validation - browser smoke: opened the tenant-scoped provider connection list, drilled into detail, and verified the edit/create surfaces in local admin context ## Notes - this PR comes from the session branch created for the active feature work - no additional runtime or persistence layer was introduced in this slice Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #274
135 lines
5.4 KiB
PHP
135 lines
5.4 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Providers;
|
|
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\Tenant;
|
|
use App\Support\Providers\ProviderConsentStatus;
|
|
use App\Support\Providers\ProviderReasonCodes;
|
|
use App\Support\Providers\TargetScope\ProviderConnectionTargetScopeNormalizer;
|
|
|
|
final class ProviderConnectionResolver
|
|
{
|
|
public function __construct(
|
|
private readonly ProviderIdentityResolver $identityResolver,
|
|
private readonly ProviderConnectionTargetScopeNormalizer $targetScopeNormalizer,
|
|
) {}
|
|
|
|
public function resolveDefault(Tenant $tenant, string $provider): ProviderConnectionResolution
|
|
{
|
|
$defaults = ProviderConnection::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('provider', $provider)
|
|
->where('is_default', true)
|
|
->orderBy('id')
|
|
->get();
|
|
|
|
if ($defaults->count() === 0) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionMissing,
|
|
'No default provider connection is configured for this tenant/provider.',
|
|
);
|
|
}
|
|
|
|
if ($defaults->count() > 1) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Multiple default provider connections were detected.',
|
|
'ext.multiple_defaults_detected',
|
|
);
|
|
}
|
|
|
|
/** @var ProviderConnection $connection */
|
|
$connection = $defaults->first();
|
|
|
|
return $this->validateConnection($tenant, $provider, $connection);
|
|
}
|
|
|
|
public function validateConnection(Tenant $tenant, string $provider, ProviderConnection $connection): ProviderConnectionResolution
|
|
{
|
|
if ((int) $connection->tenant_id !== (int) $tenant->getKey() || (string) $connection->provider !== $provider) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Provider connection does not match tenant/provider scope.',
|
|
'ext.connection_scope_mismatch',
|
|
$connection,
|
|
);
|
|
}
|
|
|
|
if (! (bool) $connection->is_enabled) {
|
|
return ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConnectionInvalid,
|
|
'Provider connection is disabled.',
|
|
'ext.connection_disabled',
|
|
$connection,
|
|
);
|
|
}
|
|
|
|
$targetScope = $this->targetScopeNormalizer->normalizeConnection($connection);
|
|
|
|
if ($targetScope['status'] !== ProviderConnectionTargetScopeNormalizer::STATUS_NORMALIZED) {
|
|
$failureCode = $targetScope['failure_code'] ?? ProviderConnectionTargetScopeNormalizer::FAILURE_MISSING_PROVIDER_CONTEXT;
|
|
|
|
return ProviderConnectionResolution::blocked(
|
|
$failureCode === ProviderConnectionTargetScopeNormalizer::FAILURE_UNSUPPORTED_PROVIDER_SCOPE_COMBINATION
|
|
? ProviderReasonCodes::ProviderBindingUnsupported
|
|
: ProviderReasonCodes::ProviderConnectionInvalid,
|
|
$targetScope['message'] ?? 'Provider connection target scope is invalid.',
|
|
$failureCode === ProviderConnectionTargetScopeNormalizer::FAILURE_UNSUPPORTED_PROVIDER_SCOPE_COMBINATION
|
|
? 'ext.connection_scope_unsupported'
|
|
: 'ext.connection_scope_missing',
|
|
$connection,
|
|
);
|
|
}
|
|
|
|
$consentBlocker = $this->consentBlocker($connection);
|
|
|
|
if ($consentBlocker instanceof ProviderConnectionResolution) {
|
|
return $consentBlocker;
|
|
}
|
|
|
|
$identity = $this->identityResolver->resolve($connection);
|
|
|
|
if (! $identity->resolved) {
|
|
return ProviderConnectionResolution::blocked(
|
|
$identity->effectiveReasonCode(),
|
|
$identity->message,
|
|
connection: $connection,
|
|
);
|
|
}
|
|
|
|
return ProviderConnectionResolution::resolved($connection);
|
|
}
|
|
|
|
private function consentBlocker(ProviderConnection $connection): ?ProviderConnectionResolution
|
|
{
|
|
$consentStatus = $connection->consent_status;
|
|
|
|
if (! $consentStatus instanceof ProviderConsentStatus && is_string($consentStatus)) {
|
|
$consentStatus = ProviderConsentStatus::tryFrom(trim($consentStatus));
|
|
}
|
|
|
|
return match ($consentStatus) {
|
|
ProviderConsentStatus::Required => ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConsentMissing,
|
|
'Provider connection requires admin consent before use.',
|
|
'ext.connection_needs_consent',
|
|
$connection,
|
|
),
|
|
ProviderConsentStatus::Failed => ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConsentFailed,
|
|
'Provider connection consent failed. Retry admin consent before use.',
|
|
'ext.connection_consent_failed',
|
|
$connection,
|
|
),
|
|
ProviderConsentStatus::Revoked => ProviderConnectionResolution::blocked(
|
|
ProviderReasonCodes::ProviderConsentRevoked,
|
|
'Provider connection consent was revoked. Grant admin consent again before use.',
|
|
'ext.connection_consent_revoked',
|
|
$connection,
|
|
),
|
|
default => null,
|
|
};
|
|
}
|
|
}
|