TenantAtlas/apps/platform/tests/Unit/Providers/ProviderConnectionTargetScopeDescriptorTest.php

<?php

declare(strict_types=1);

use App\Models\ProviderConnection;
use App\Support\Providers\TargetScope\ProviderConnectionSurfaceSummary;
use App\Support\Providers\TargetScope\ProviderConnectionTargetScopeDescriptor;
use App\Support\Providers\TargetScope\ProviderConnectionTargetScopeNormalizer;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('normalizes provider connections into neutral target-scope descriptors with contextual Microsoft metadata', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner', ensureDefaultMicrosoftProviderConnection: false);

    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'tenant_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
        'entra_tenant_id' => '11111111-1111-1111-1111-111111111111',
        'display_name' => 'Primary connection',
    ]);

    $descriptor = app(ProviderConnectionTargetScopeNormalizer::class)
        ->descriptorForConnection($connection->fresh(['tenant']));
    $summary = ProviderConnectionSurfaceSummary::forConnection($connection->fresh(['tenant']));

    expect($user)->not->toBeNull()
        ->and($descriptor->provider)->toBe('microsoft')
        ->and($descriptor->scopeKind)->toBe(ProviderConnectionTargetScopeDescriptor::SCOPE_KIND_TENANT)
        ->and($descriptor->scopeIdentifier)->toBe('11111111-1111-1111-1111-111111111111')
        ->and($descriptor->sharedLabel)->toBe('Target scope')
        ->and($descriptor->summary())->toContain((string) $tenant->name)
        ->and($summary->targetScopeSummary())->toContain('11111111-1111-1111-1111-111111111111')
        ->and($summary->contextualIdentityDetails)->toHaveCount(1)
        ->and($summary->contextualIdentityDetails[0]->detailLabel)->toBe('Microsoft tenant ID');
});

it('blocks unsupported provider-scope combinations explicitly instead of inheriting Microsoft defaults', function (): void {
    $result = app(ProviderConnectionTargetScopeNormalizer::class)->normalizeInput(
        provider: 'unknown-provider',
        scopeKind: ProviderConnectionTargetScopeDescriptor::SCOPE_KIND_TENANT,
        scopeIdentifier: 'scope-1',
        scopeDisplayName: 'Scope 1',
    );

    expect($result['status'])->toBe(ProviderConnectionTargetScopeNormalizer::STATUS_BLOCKED)
        ->and($result['failure_code'])->toBe(ProviderConnectionTargetScopeNormalizer::FAILURE_UNSUPPORTED_PROVIDER_SCOPE_COMBINATION)
        ->and($result['message'])->toContain('not supported');
});

it('blocks missing target-scope context with neutral validation language', function (): void {
    $result = app(ProviderConnectionTargetScopeNormalizer::class)->normalizeInput(
        provider: 'microsoft',
        scopeKind: ProviderConnectionTargetScopeDescriptor::SCOPE_KIND_TENANT,
        scopeIdentifier: '',
        scopeDisplayName: 'Missing scope',
    );

    expect($result['status'])->toBe(ProviderConnectionTargetScopeNormalizer::STATUS_BLOCKED)
        ->and($result['failure_code'])->toBe(ProviderConnectionTargetScopeNormalizer::FAILURE_MISSING_PROVIDER_CONTEXT)
        ->and($result['message'])->toBe('A target scope identifier is required for this provider connection.');
});