ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
69d4ecbbd2
TenantAtlas/apps/platform/tests/Feature/TenantConfiguration/Spec420M365CaptureAuthorizationTest.php
ahmido a73a8f5882 feat: complete m365 generic evidence coverage pack (#487) 
Committing and publishing the current Spec 420 package changes.

Includes updated services, coverage tests, browser smoke coverage, and the spec/plan/tasks artifacts for the package.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #487
2026-06-27 12:24:00 +00:00

99 lines
3.8 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Jobs\TenantConfiguration\CaptureTenantConfigurationEvidenceJob;
use App\Models\ProviderConnection;
use App\Models\User;
use App\Services\TenantConfiguration\StartTenantConfigurationCapture;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Support\Facades\Queue;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
it('Spec420 allows authorized owners to start selected M365 capture', function (): void {
Queue::fake();
[$user, $environment] = createMinimalUserWithTenant(role: 'owner');
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $environment->workspace_id,
'managed_environment_id' => (int) $environment->getKey(),
]);
$run = app(StartTenantConfigurationCapture::class)->start($environment, $connection, $user, [
'conditionalAccessPolicy',
]);
expect(data_get($run->context, 'required_capability'))->toBe('evidence.manage')
->and(data_get($run->context, 'resource_types'))->toBe(['conditionalAccessPolicy']);
Queue::assertPushed(CaptureTenantConfigurationEvidenceJob::class);
});
it('Spec420 allows managers with evidence manage capability to start selected M365 capture', function (): void {
Queue::fake();
[$user, $environment] = createMinimalUserWithTenant(role: 'manager');
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $environment->workspace_id,
'managed_environment_id' => (int) $environment->getKey(),
]);
$run = app(StartTenantConfigurationCapture::class)->start($environment, $connection, $user, [
'conditionalAccessPolicy',
]);
expect(data_get($run->context, 'required_capability'))->toBe('evidence.manage')
->and(data_get($run->context, 'resource_types'))->toBe(['conditionalAccessPolicy']);
Queue::assertPushed(CaptureTenantConfigurationEvidenceJob::class);
});
it('Spec420 returns forbidden for operators without evidence manage capability', function (): void {
Queue::fake();
[$user, $environment] = createMinimalUserWithTenant(role: 'operator');
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $environment->workspace_id,
'managed_environment_id' => (int) $environment->getKey(),
]);
expect(fn () => app(StartTenantConfigurationCapture::class)->start($environment, $connection, $user, [
'conditionalAccessPolicy',
]))->toThrow(AuthorizationException::class);
Queue::assertNothingPushed();
});
it('Spec420 returns forbidden for readonly users after membership is established', function (): void {
Queue::fake();
[$user, $environment] = createMinimalUserWithTenant(role: 'readonly', workspaceRole: 'readonly');
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $environment->workspace_id,
'managed_environment_id' => (int) $environment->getKey(),
]);
expect(fn () => app(StartTenantConfigurationCapture::class)->start($environment, $connection, $user, [
'conditionalAccessPolicy',
]))->toThrow(AuthorizationException::class);
Queue::assertNothingPushed();
});
it('Spec420 hides environments from non-members before capture start', function (): void {
Queue::fake();
$user = User::factory()->create();
[, $environment] = createMinimalUserWithTenant(role: 'owner');
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $environment->workspace_id,
'managed_environment_id' => (int) $environment->getKey(),
]);
expect(fn () => app(StartTenantConfigurationCapture::class)->start($environment, $connection, $user, [
'conditionalAccessPolicy',
]))->toThrow(NotFoundHttpException::class);
Queue::assertNothingPushed();
});
Reference in New Issue View Git Blame Copy Permalink