TenantAtlas/app/Services/Auth/CapabilityResolver.php

<?php

namespace App\Services\Auth;

use App\Models\Tenant;
use App\Models\TenantMembership;
use App\Models\User;
use App\Support\Auth\Capabilities;
use App\Support\TenantRole;
use Illuminate\Support\Facades\Log;

/**
 * Capability Resolver
 *
 * Resolves user memberships and capabilities for a given tenant.
 * Caches results per request to avoid N+1 queries.
 */
class CapabilityResolver
{
    private array $resolvedMemberships = [];

    private array $loggedDenials = [];

    /**
     * Get the user's role for a tenant
     */
    public function getRole(User $user, Tenant $tenant): ?TenantRole
    {
        $membership = $this->getMembership($user, $tenant);

        if ($membership === null) {
            return null;
        }

        return TenantRole::tryFrom($membership['role']);
    }

    /**
     * Check if user can perform a capability on a tenant
     */
    public function can(User $user, Tenant $tenant, string $capability): bool
    {
        if (! Capabilities::isKnown($capability)) {
            throw new \InvalidArgumentException("Unknown capability: {$capability}");
        }

        $role = $this->getRole($user, $tenant);

        if ($role === null) {
            $this->logDenial($user, $tenant, $capability);

            return false;
        }

        if ($this->isLocallyDeniedByBackupHealthBrowserFixture($user, $tenant, $capability)) {
            $this->logDenial($user, $tenant, $capability);

            return false;
        }

        $allowed = RoleCapabilityMap::hasCapability($role, $capability);

        if (! $allowed) {
            $this->logDenial($user, $tenant, $capability);
        }

        return $allowed;
    }

    private function isLocallyDeniedByBackupHealthBrowserFixture(User $user, Tenant $tenant, string $capability): bool
    {
        if (! app()->environment(['local', 'testing'])) {
            return false;
        }

        $fixture = config('tenantpilot.backup_health.browser_smoke_fixture.blocked_drillthrough');

        if (! is_array($fixture)) {
            return false;
        }

        $fixtureUserEmail = config('tenantpilot.backup_health.browser_smoke_fixture.user.email');

        if (! is_string($fixtureUserEmail) || $fixtureUserEmail === '' || $user->email !== $fixtureUserEmail) {
            return false;
        }

        $fixtureTenantExternalId = $fixture['tenant_external_id'] ?? null;

        if (! is_string($fixtureTenantExternalId) || $fixtureTenantExternalId === '' || $tenant->external_id !== $fixtureTenantExternalId) {
            return false;
        }

        $deniedCapabilities = $fixture['capability_denials'] ?? [];

        if (! is_array($deniedCapabilities)) {
            return false;
        }

        return in_array($capability, $deniedCapabilities, true);
    }

    private function logDenial(User $user, Tenant $tenant, string $capability): void
    {
        $key = implode(':', [(string) $user->getKey(), (string) $tenant->getKey(), $capability]);

        if (isset($this->loggedDenials[$key])) {
            return;
        }

        $this->loggedDenials[$key] = true;

        Log::warning('rbac.denied', [
            'capability' => $capability,
            'tenant_id' => (int) $tenant->getKey(),
            'actor_user_id' => (int) $user->getKey(),
        ]);
    }

    /**
     * Check if user has any membership for a tenant
     */
    public function isMember(User $user, Tenant $tenant): bool
    {
        return $this->getMembership($user, $tenant) !== null;
    }

    /**
     * Get membership details (cached per request)
     */
    private function getMembership(User $user, Tenant $tenant): ?array
    {
        $cacheKey = "membership_{$user->id}_{$tenant->id}";

        if (! array_key_exists($cacheKey, $this->resolvedMemberships)) {
            $membership = TenantMembership::query()
                ->where('user_id', $user->id)
                ->where('tenant_id', $tenant->id)
                ->first(['role', 'source', 'source_ref']);

            $this->resolvedMemberships[$cacheKey] = $membership?->toArray();
        }

        return $this->resolvedMemberships[$cacheKey];
    }

    /**
     * Prime membership cache for a set of tenants in one query.
     *
     * Used to avoid N+1 queries for bulk selection authorization while still
     * reflecting membership changes that may have happened earlier in the same
     * request or test process.
     *
     * @param  array<int, int|string>  $tenantIds
     */
    public function primeMemberships(User $user, array $tenantIds): void
    {
        $tenantIds = array_values(array_unique(array_map(static fn ($id): int => (int) $id, $tenantIds)));

        if ($tenantIds === []) {
            return;
        }

        $memberships = TenantMembership::query()
            ->where('user_id', $user->id)
            ->whereIn('tenant_id', $tenantIds)
            ->get(['tenant_id', 'role', 'source', 'source_ref']);

        $byTenantId = $memberships->keyBy('tenant_id');

        foreach ($tenantIds as $tenantId) {
            $cacheKey = "membership_{$user->id}_{$tenantId}";
            $membership = $byTenantId->get($tenantId);
            $this->resolvedMemberships[$cacheKey] = $membership?->toArray();
        }
    }

    /**
     * Clear cached memberships (useful for testing or after membership changes)
     */
    public function clearCache(): void
    {
        $this->resolvedMemberships = [];
    }
}