ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
736e61c73e
TenantAtlas/apps/platform/tests/Feature/Filament/ProviderConnectionsUiEnforcementTest.php
ahmido c5db3ea4d1 feat: add resource policy authorization proof matrix (#473) 
Automated PR provided by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #473
2026-06-23 07:52:12 +00:00

215 lines
8.7 KiB
PHP
Raw Blame History

<?php
use App\Filament\Resources\ProviderConnectionResource;
use App\Filament\Resources\ProviderConnectionResource\Pages\ListProviderConnections;
use App\Filament\Resources\ProviderConnectionResource\Pages\ViewProviderConnection;
use App\Jobs\ProviderComplianceSnapshotJob;
use App\Jobs\ProviderConnectionHealthCheckJob;
use App\Jobs\ProviderInventorySyncJob;
use App\Models\ManagedEnvironment;
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Support\Auth\UiTooltips;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;
uses(RefreshDatabase::class);
beforeEach(function (): void {
Http::preventStrayRequests();
});
test('unauthorized provider-connections route scope resolves deny-as-not-found without leaking metadata', function () {
$tenant = ManagedEnvironment::factory()->create();
$otherTenant = ManagedEnvironment::factory()->create();
[$user] = createUserWithTenant($otherTenant, role: 'owner');
ProviderConnection::factory()->create([
'managed_environment_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'display_name' => 'Unauthorized ManagedEnvironment Connection',
]);
$this->actingAs($user)
->get(ProviderConnectionResource::getUrl('index', tenant: $tenant))
->assertNotFound();
});
test('non-members cannot reach provider connection detail target-scope metadata', function (): void {
$tenant = ManagedEnvironment::factory()->create();
$otherTenant = ManagedEnvironment::factory()->create();
[$user] = createUserWithTenant($otherTenant, role: 'owner');
$connection = ProviderConnection::factory()->create([
'managed_environment_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'display_name' => 'Hidden Scope Connection',
'entra_tenant_id' => '77777777-7777-7777-7777-777777777777',
]);
$this->actingAs($user)
->get(ProviderConnectionResource::getUrl('view', ['record' => $connection], tenant: $tenant))
->assertNotFound();
});
test('members without capability see provider connection actions disabled with standard tooltip', function () {
$tenant = ManagedEnvironment::factory()->create();
[$user] = createUserWithTenant($tenant, role: 'readonly');
$connection = ProviderConnection::factory()->create([
'managed_environment_id' => $tenant->getKey(),
'consent_status' => 'required',
'is_enabled' => true,
'provider' => 'microsoft',
]);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(ListProviderConnections::class)
->assertTableActionVisible('check_connection', $connection)
->assertTableActionDisabled('check_connection', $connection)
->assertTableActionExists('check_connection', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $connection);
Livewire::actingAs($user)
->test(ViewProviderConnection::class, ['record' => $connection->getKey()])
->assertActionVisible('check_connection')
->assertActionDisabled('check_connection')
->assertActionExists('check_connection', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission())
->assertActionVisible('inventory_sync')
->assertActionDisabled('inventory_sync')
->assertActionVisible('compliance_snapshot')
->assertActionDisabled('compliance_snapshot')
->assertActionVisible('edit')
->assertActionDisabled('edit')
->assertActionExists('edit', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission());
});
test('members with capability can see provider connection actions enabled', function () {
$tenant = ManagedEnvironment::factory()->create();
[$user] = createUserWithTenant($tenant, role: 'owner');
$connection = ProviderConnection::factory()->create([
'managed_environment_id' => $tenant->getKey(),
'consent_status' => 'required',
'is_enabled' => true,
'provider' => 'microsoft',
]);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(ListProviderConnections::class)
->assertTableActionVisible('check_connection', $connection)
->assertTableActionEnabled('check_connection', $connection);
Livewire::actingAs($user)
->test(ViewProviderConnection::class, ['record' => $connection->getKey()])
->assertActionVisible('check_connection')
->assertActionEnabled('check_connection')
->assertActionVisible('inventory_sync')
->assertActionEnabled('inventory_sync')
->assertActionVisible('compliance_snapshot')
->assertActionEnabled('compliance_snapshot')
->assertActionVisible('edit')
->assertActionEnabled('edit');
});
test('members without dedicated provider capability see dedicated override action disabled', function (): void {
$tenant = ManagedEnvironment::factory()->create();
[$user] = createUserWithTenant($tenant, role: 'manager');
$connection = ProviderConnection::factory()
->platform()
->create([
'managed_environment_id' => $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'consent_status' => 'required',
'is_enabled' => true,
'provider' => 'microsoft',
]);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(ViewProviderConnection::class, ['record' => $connection->getKey()])
->assertActionVisible('enable_dedicated_override')
->assertActionDisabled('enable_dedicated_override')
->assertActionExists('enable_dedicated_override', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission());
});
test('members without provider run capability cannot directly execute disabled provider operations', function (): void {
Queue::fake();
$tenant = ManagedEnvironment::factory()->create();
[$user] = createUserWithTenant($tenant, role: 'readonly');
$connection = ProviderConnection::factory()
->verifiedHealthy()
->create([
'managed_environment_id' => $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'consent_status' => 'granted',
'is_enabled' => true,
'provider' => 'microsoft',
]);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(ListProviderConnections::class)
->assertTableActionVisible('check_connection', $connection)
->assertTableActionDisabled('check_connection', $connection)
->callTableAction('check_connection', $connection)
->assertTableActionVisible('inventory_sync', $connection)
->assertTableActionDisabled('inventory_sync', $connection)
->callTableAction('inventory_sync', $connection);
Livewire::actingAs($user)
->test(ViewProviderConnection::class, ['record' => $connection->getKey()])
->assertActionVisible('compliance_snapshot')
->assertActionDisabled('compliance_snapshot')
->callAction('compliance_snapshot');
Queue::assertNotPushed(ProviderConnectionHealthCheckJob::class);
Queue::assertNotPushed(ProviderInventorySyncJob::class);
Queue::assertNotPushed(ProviderComplianceSnapshotJob::class);
expect(OperationRun::query()
->where('managed_environment_id', (int) $tenant->getKey())
->whereIn('type', ['provider.connection.check', 'inventory.sync', 'compliance.snapshot'])
->exists())->toBeFalse();
});
test('sensitive provider connection mutations remain confirmation and capability gated', function (): void {
$source = (string) file_get_contents(repo_path('apps/platform/app/Filament/Resources/ProviderConnectionResource.php'));
foreach ([
'makeSetDefaultAction',
'makeEnableDedicatedOverrideAction',
'makeRotateDedicatedCredentialAction',
'makeDeleteDedicatedCredentialAction',
'makeRevertToPlatformAction',
'makeEnableConnectionAction',
'makeDisableConnectionAction',
] as $method) {
$start = strpos($source, 'public static function '.$method);
expect($start)->not->toBeFalse();
$next = strpos($source, "\n public static function ", $start + 1);
$block = substr($source, $start, $next === false ? null : $next - $start);
expect($block)->toContain('->requiresConfirmation()')
->and($block)->toContain('->requireCapability(');
}
});
Reference in New Issue View Git Blame Copy Permalink