TenantAtlas/apps/platform/tests/Feature/TenantConfiguration/Spec417IdentityClaimGuardFeatureTest.php

<?php

declare(strict_types=1);

use App\Models\ProviderConnection;
use App\Models\TenantConfigurationResourceType;
use App\Services\TenantConfiguration\CoverageResourceUpserter;
use App\Services\TenantConfiguration\CoverageSourceContractResolver;
use App\Services\TenantConfiguration\ResourceTypeRegistry;
use App\Support\TenantConfiguration\ClaimState;
use App\Support\TenantConfiguration\IdentityState;

it('Spec417 stores blocked or limited claim state from identity evaluation during upsert', function (): void {
    [, $tenant] = createMinimalUserWithTenant(role: 'owner');
    $connection = spec417ClaimConnection($tenant);
    $resourceType = spec417ClaimResourceType('deviceAndAppManagementAssignmentFilter');
    $decision = app(CoverageSourceContractResolver::class)->resolve($resourceType);

    $derived = app(CoverageResourceUpserter::class)->upsert(
        tenant: $tenant,
        providerConnection: $connection,
        resourceType: $resourceType,
        payload: [
            'platform' => 'windows10AndLater',
            'assignmentFilterManagementType' => 'devices',
            'rule' => '(device.deviceId -ne null)',
            'displayName' => 'Derived',
        ],
        sourceMetadata: $decision->sourceMetadata,
    );
    $missing = app(CoverageResourceUpserter::class)->upsert(
        tenant: $tenant,
        providerConnection: $connection,
        resourceType: $resourceType,
        payload: ['displayName' => 'Missing id'],
        sourceMetadata: $decision->sourceMetadata,
    );

    expect($derived->latest_identity_state)->toBe(IdentityState::Derived)
        ->and($derived->latest_claim_state)->toBe(ClaimState::ClaimLimited)
        ->and($missing->latest_identity_state)->toBe(IdentityState::MissingExternalId)
        ->and($missing->latest_claim_state)->toBe(ClaimState::ClaimBlocked);
});

it('Spec417 keeps beta identity internal or claim-blocked by default', function (): void {
    [, $tenant] = createMinimalUserWithTenant(role: 'owner');
    $connection = spec417ClaimConnection($tenant);
    $resourceType = spec417ClaimResourceType('roleScopeTag');

    $resource = app(CoverageResourceUpserter::class)->upsert(
        tenant: $tenant,
        providerConnection: $connection,
        resourceType: $resourceType,
        payload: ['id' => 'scope-tag-1', 'displayName' => 'Pilot'],
        sourceMetadata: [
            'source_contract_key' => 'roleScopeTag',
            'source_version' => 'beta',
        ],
    );

    expect($resource->latest_identity_state)->toBe(IdentityState::Derived)
        ->and($resource->latest_claim_state)->toBe(ClaimState::InternalOnly);
});

function spec417ClaimResourceType(string $canonicalType): TenantConfigurationResourceType
{
    app(ResourceTypeRegistry::class)->syncDefaults();

    return TenantConfigurationResourceType::query()
        ->where('canonical_type', $canonicalType)
        ->firstOrFail();
}

function spec417ClaimConnection($tenant): ProviderConnection
{
    return ProviderConnection::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'managed_environment_id' => (int) $tenant->getKey(),
    ]);
}