ahmido
bab01f07a9
## Summary - standardize Microsoft provider connections around explicit platform vs dedicated identity modes - centralize admin-consent URL and runtime identity resolution so platform flows no longer fall back to tenant-local credentials - add migration classification, richer consent and verification state handling, dedicated override management, and focused regression coverage ## Validation - focused repo test coverage was added across provider identity, onboarding, audit, policy, guard, and migration flows - latest explicit passing run in the workspace: `vendor/bin/sail artisan test --compact tests/Feature/AdminConsentCallbackTest.php tests/Feature/Audit/ProviderConnectionConsentAuditTest.php` ## Notes - branch includes the full Spec 137 artifact set under `specs/137-platform-provider-identity/` - target base branch: `dev` Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #166
127 lines
4.8 KiB
PHP
127 lines
4.8 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Providers;
|
|
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\ProviderCredential;
|
|
use App\Support\Providers\ProviderConnectionType;
|
|
use App\Support\Providers\ProviderCredentialSource;
|
|
use App\Support\Providers\ProviderReasonCodes;
|
|
use InvalidArgumentException;
|
|
use RuntimeException;
|
|
|
|
final class ProviderIdentityResolver
|
|
{
|
|
public function __construct(
|
|
private readonly PlatformProviderIdentityResolver $platformResolver,
|
|
private readonly CredentialManager $credentials,
|
|
) {}
|
|
|
|
public function resolve(ProviderConnection $connection): ProviderIdentityResolution
|
|
{
|
|
$tenantContext = trim((string) $connection->entra_tenant_id);
|
|
$connectionType = $this->resolveConnectionType($connection);
|
|
|
|
if ($connectionType === null) {
|
|
return ProviderIdentityResolution::blocked(
|
|
connectionType: ProviderConnectionType::Platform,
|
|
tenantContext: $tenantContext !== '' ? $tenantContext : 'organizations',
|
|
credentialSource: 'unknown',
|
|
reasonCode: ProviderReasonCodes::ProviderConnectionTypeInvalid,
|
|
message: 'Provider connection type is invalid.',
|
|
);
|
|
}
|
|
|
|
if ($tenantContext === '') {
|
|
return ProviderIdentityResolution::blocked(
|
|
connectionType: $connectionType,
|
|
tenantContext: 'organizations',
|
|
credentialSource: $connectionType === ProviderConnectionType::Platform ? 'platform_config' : ProviderCredentialSource::DedicatedManual->value,
|
|
reasonCode: ProviderReasonCodes::ProviderConnectionInvalid,
|
|
message: 'Provider connection is missing target tenant scope.',
|
|
);
|
|
}
|
|
|
|
if ((bool) $connection->migration_review_required) {
|
|
return ProviderIdentityResolution::blocked(
|
|
connectionType: $connectionType,
|
|
tenantContext: $tenantContext,
|
|
credentialSource: $connectionType === ProviderConnectionType::Platform ? 'platform_config' : ProviderCredentialSource::LegacyMigrated->value,
|
|
reasonCode: ProviderReasonCodes::ProviderConnectionReviewRequired,
|
|
message: 'Provider connection requires migration review before use.',
|
|
);
|
|
}
|
|
|
|
if ($connectionType === ProviderConnectionType::Platform) {
|
|
return $this->platformResolver->resolve($tenantContext);
|
|
}
|
|
|
|
return $this->resolveDedicatedIdentity($connection, $tenantContext);
|
|
}
|
|
|
|
private function resolveConnectionType(ProviderConnection $connection): ?ProviderConnectionType
|
|
{
|
|
$value = $connection->connection_type;
|
|
|
|
if ($value instanceof ProviderConnectionType) {
|
|
return $value;
|
|
}
|
|
|
|
if (! is_string($value)) {
|
|
return null;
|
|
}
|
|
|
|
return ProviderConnectionType::tryFrom(trim($value));
|
|
}
|
|
|
|
private function resolveDedicatedIdentity(
|
|
ProviderConnection $connection,
|
|
string $tenantContext,
|
|
): ProviderIdentityResolution {
|
|
try {
|
|
$credentials = $this->credentials->getClientCredentials($connection);
|
|
} catch (InvalidArgumentException|RuntimeException $exception) {
|
|
return ProviderIdentityResolution::blocked(
|
|
connectionType: ProviderConnectionType::Dedicated,
|
|
tenantContext: $tenantContext,
|
|
credentialSource: $this->credentialSource($connection),
|
|
reasonCode: $exception instanceof InvalidArgumentException
|
|
? ProviderReasonCodes::DedicatedCredentialInvalid
|
|
: ProviderReasonCodes::DedicatedCredentialMissing,
|
|
message: $exception->getMessage(),
|
|
);
|
|
}
|
|
|
|
return ProviderIdentityResolution::resolved(
|
|
connectionType: ProviderConnectionType::Dedicated,
|
|
tenantContext: $tenantContext,
|
|
effectiveClientId: $credentials['client_id'],
|
|
credentialSource: $this->credentialSource($connection),
|
|
clientSecret: $credentials['client_secret'],
|
|
authorityTenant: $tenantContext,
|
|
redirectUri: trim((string) route('admin.consent.callback')),
|
|
);
|
|
}
|
|
|
|
private function credentialSource(ProviderConnection $connection): string
|
|
{
|
|
$credential = $connection->credential;
|
|
|
|
if (! $credential instanceof ProviderCredential) {
|
|
return ProviderCredentialSource::DedicatedManual->value;
|
|
}
|
|
|
|
$source = $credential->source;
|
|
|
|
if ($source instanceof ProviderCredentialSource) {
|
|
return $source->value;
|
|
}
|
|
|
|
if (is_string($source) && $source !== '') {
|
|
return $source;
|
|
}
|
|
|
|
return ProviderCredentialSource::DedicatedManual->value;
|
|
}
|
|
}
|