ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
69769a4072
TenantAtlas/apps/platform/tests/Feature/ProviderConnections/ScopeHardeningAuthoritySourcesTest.php

198 lines
7.5 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Models\ManagedEnvironment;
use App\Models\Workspace;
use App\Policies\ProviderConnectionPolicy;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Auth\Access\Response;
use Illuminate\Http\Request;
it('ScopeHardening requires explicit environment_id for ProviderConnectionPolicy::create even if a remembered environment exists', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-env-remembered',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
$this->actingAs($user);
session()->put(WorkspaceContext::SESSION_KEY, (int) $environment->workspace_id);
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
(string) $environment->workspace_id => (int) $environment->getKey(),
]);
/** @var ProviderConnectionPolicy $policy */
$policy = app(ProviderConnectionPolicy::class);
$result = $policy->create($user);
expect($result)->toBeInstanceOf(Response::class);
expect($result->denied())->toBeTrue();
});
it('ScopeHardening requires explicit environment_id for ProviderConnectionPolicy::create even if Filament tenant is set', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-env-filament',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
Filament::setTenant($environment, true);
$this->actingAs($user);
session()->put(WorkspaceContext::SESSION_KEY, (int) $environment->workspace_id);
/** @var ProviderConnectionPolicy $policy */
$policy = app(ProviderConnectionPolicy::class);
$result = $policy->create($user);
expect($result)->toBeInstanceOf(Response::class);
expect($result->denied())->toBeTrue();
});
it('ScopeHardening ignores legacy query aliases for ProviderConnectionPolicy::create authority', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-env-alias',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
$request = Request::create('/admin/provider-connections/create', 'GET', [
'managed_environment_id' => (int) $environment->getKey(),
]);
$this->app->instance('request', $request);
$this->actingAs($user);
session()->put(WorkspaceContext::SESSION_KEY, (int) $environment->workspace_id);
session()->put(WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY, [
(string) $environment->workspace_id => (int) $environment->getKey(),
]);
/** @var ProviderConnectionPolicy $policy */
$policy = app(ProviderConnectionPolicy::class);
$result = $policy->create($user);
expect($result)->toBeInstanceOf(Response::class);
expect($result->denied())->toBeTrue();
});
it('ScopeHardening denies ProviderConnectionPolicy::create for environment_id that belongs to another workspace', function (): void {
$environmentA = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-env-a',
]);
[$user, $environmentA] = createUserWithTenant(tenant: $environmentA, role: 'owner');
$workspaceB = Workspace::factory()->create();
$environmentB = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $workspaceB->getKey(),
'external_id' => 'spec339-scopehardening-env-b',
]);
$request = Request::create('/admin/provider-connections/create', 'GET', [
'environment_id' => (int) $environmentB->getKey(),
]);
$this->app->instance('request', $request);
$this->actingAs($user);
session()->put(WorkspaceContext::SESSION_KEY, (int) $environmentA->workspace_id);
/** @var ProviderConnectionPolicy $policy */
$policy = app(ProviderConnectionPolicy::class);
$result = $policy->create($user);
expect($result)->toBeInstanceOf(Response::class);
expect($result->denied())->toBeTrue();
});
it('ScopeHardening returns 403 (not 404) for the create page when environment_id is missing (UI entry behavior)', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-create-page',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
])
->get('/admin/provider-connections/create')
->assertForbidden();
});
it('ScopeHardening returns 404 for the create page when environment_id belongs to another workspace (UI entry behavior)', function (): void {
$environmentA = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-create-page-a',
]);
[$user, $environmentA] = createUserWithTenant(tenant: $environmentA, role: 'owner');
$workspaceB = Workspace::factory()->create();
$environmentB = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $workspaceB->getKey(),
'external_id' => 'spec339-scopehardening-create-page-b',
]);
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $environmentA->workspace_id,
])
->get('/admin/provider-connections/create?environment_id='.(int) $environmentB->getKey())
->assertNotFound();
});
it('ScopeHardening returns 403 (not 404) for the create page when legacy alias is provided (UI entry behavior)', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-create-page-alias',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
])
->get('/admin/provider-connections/create?managed_environment_id='.(int) $environment->getKey())
->assertForbidden();
});
it('ScopeHardening returns 403 (not 404) for the create page even if a remembered environment exists (UI entry behavior)', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-create-page-remembered',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY => [
(string) $environment->workspace_id => (int) $environment->getKey(),
],
])
->get('/admin/provider-connections/create')
->assertForbidden();
});
it('ScopeHardening returns 403 (not 404) for the create page even if Filament tenant is set (UI entry behavior)', function (): void {
$environment = ManagedEnvironment::factory()->active()->create([
'external_id' => 'spec339-scopehardening-create-page-filament',
]);
[$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');
Filament::setTenant($environment, true);
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $environment->workspace_id,
])
->get('/admin/provider-connections/create')
->assertForbidden();
});
Reference in New Issue View Git Blame Copy Permalink