ahmido
bab01f07a9
## Summary - standardize Microsoft provider connections around explicit platform vs dedicated identity modes - centralize admin-consent URL and runtime identity resolution so platform flows no longer fall back to tenant-local credentials - add migration classification, richer consent and verification state handling, dedicated override management, and focused regression coverage ## Validation - focused repo test coverage was added across provider identity, onboarding, audit, policy, guard, and migration flows - latest explicit passing run in the workspace: `vendor/bin/sail artisan test --compact tests/Feature/AdminConsentCallbackTest.php tests/Feature/Audit/ProviderConnectionConsentAuditTest.php` ## Notes - branch includes the full Spec 137 artifact set under `specs/137-platform-provider-identity/` - target base branch: `dev` Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #166
59 lines
2.3 KiB
PHP
59 lines
2.3 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Providers;
|
|
|
|
use App\Support\Providers\ProviderConnectionType;
|
|
use App\Support\Providers\ProviderReasonCodes;
|
|
|
|
final class PlatformProviderIdentityResolver
|
|
{
|
|
public function resolve(string $tenantContext): ProviderIdentityResolution
|
|
{
|
|
$targetTenant = trim($tenantContext);
|
|
$clientId = trim((string) config('graph.client_id'));
|
|
$clientSecret = trim((string) config('graph.client_secret'));
|
|
$authorityTenant = trim((string) config('graph.tenant_id', 'organizations'));
|
|
$redirectUri = trim((string) route('admin.consent.callback'));
|
|
|
|
if ($targetTenant === '') {
|
|
return ProviderIdentityResolution::blocked(
|
|
connectionType: ProviderConnectionType::Platform,
|
|
tenantContext: 'organizations',
|
|
credentialSource: 'platform_config',
|
|
reasonCode: ProviderReasonCodes::ProviderConnectionInvalid,
|
|
message: 'Provider connection is missing target tenant scope.',
|
|
);
|
|
}
|
|
|
|
if ($clientId === '') {
|
|
return ProviderIdentityResolution::blocked(
|
|
connectionType: ProviderConnectionType::Platform,
|
|
tenantContext: $targetTenant,
|
|
credentialSource: 'platform_config',
|
|
reasonCode: ProviderReasonCodes::PlatformIdentityMissing,
|
|
message: 'Platform app identity is not configured.',
|
|
);
|
|
}
|
|
|
|
if ($clientSecret === '' || $redirectUri === '') {
|
|
return ProviderIdentityResolution::blocked(
|
|
connectionType: ProviderConnectionType::Platform,
|
|
tenantContext: $targetTenant,
|
|
credentialSource: 'platform_config',
|
|
reasonCode: ProviderReasonCodes::PlatformIdentityIncomplete,
|
|
message: 'Platform app identity is incomplete.',
|
|
);
|
|
}
|
|
|
|
return ProviderIdentityResolution::resolved(
|
|
connectionType: ProviderConnectionType::Platform,
|
|
tenantContext: $targetTenant,
|
|
effectiveClientId: $clientId,
|
|
credentialSource: 'platform_config',
|
|
clientSecret: $clientSecret,
|
|
authorityTenant: $authorityTenant !== '' ? $authorityTenant : 'organizations',
|
|
redirectUri: $redirectUri,
|
|
);
|
|
}
|
|
}
|