ahmido
7541b1eb41
## Summary - introduce the governance subject taxonomy registry and canonical Baseline Scope V2 normalization and persistence - update baseline profile Filament surfaces, validation, capture/compare gating, and add the optional scope backfill command with audit logging - add focused unit, feature, Filament, and browser smoke coverage for save-forward behavior, operation truth, authorization continuity, and invalid-scope rendering - remove the duplicate legacy spec plan under `specs/001-governance-subject-taxonomy/plan.md` ## Verification - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec202GovernanceSubjectTaxonomySmokeTest.php` - focused Spec 202 regression pack: `56 passed (300 assertions)` - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` ## Notes - no schema migration required - no new Filament asset registration required - branch includes the final browser smoke test coverage for the current feature Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #232
208 lines
7.8 KiB
PHP
208 lines
7.8 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Resources\BaselineProfileResource;
|
|
use App\Filament\Resources\BaselineProfileResource\Pages\ViewBaselineProfile;
|
|
use App\Jobs\CaptureBaselineSnapshotJob;
|
|
use App\Models\BaselineProfile;
|
|
use App\Models\OperationRun;
|
|
use App\Support\Baselines\BaselineCaptureMode;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Filament\Actions\Action;
|
|
use Filament\Actions\ActionGroup;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\DB;
|
|
use Illuminate\Support\Facades\Queue;
|
|
use Livewire\Features\SupportTesting\Testable;
|
|
use Livewire\Livewire;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
function baselineProfileCaptureHeaderActions(Testable $component): array
|
|
{
|
|
$instance = $component->instance();
|
|
|
|
if ($instance->getCachedHeaderActions() === []) {
|
|
$instance->cacheInteractsWithHeaderActions();
|
|
}
|
|
|
|
return $instance->getCachedHeaderActions();
|
|
}
|
|
|
|
it('redirects unauthenticated users (302) when accessing the capture start surface', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
|
|
|
$this->get(BaselineProfileResource::getUrl('view', ['record' => $profile], panel: 'admin'))
|
|
->assertStatus(302);
|
|
});
|
|
|
|
it('returns 404 for authenticated users accessing a baseline profile from another workspace', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
[$otherUser, $otherTenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $otherTenant->workspace_id);
|
|
|
|
$this->actingAs($otherUser)
|
|
->get(BaselineProfileResource::getUrl('view', ['record' => $profile], panel: 'admin'))
|
|
->assertNotFound();
|
|
});
|
|
|
|
it('does not start capture for workspace members missing workspace_baselines.manage', function (): void {
|
|
Queue::fake();
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ViewBaselineProfile::class, ['record' => $profile->getKey()])
|
|
->assertActionVisible('capture')
|
|
->assertActionHasLabel('capture', 'Capture baseline')
|
|
->assertActionDisabled('capture')
|
|
->callAction('capture', data: ['source_tenant_id' => (int) $tenant->getKey()])
|
|
->assertStatus(200);
|
|
|
|
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
|
});
|
|
|
|
it('starts capture successfully for authorized workspace members', function (): void {
|
|
Queue::fake();
|
|
config()->set('tenantpilot.baselines.full_content_capture.enabled', true);
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'capture_mode' => BaselineCaptureMode::FullContent->value,
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
|
|
|
$component = Livewire::actingAs($user)
|
|
->test(ViewBaselineProfile::class, ['record' => $profile->getKey()])
|
|
->assertActionVisible('capture')
|
|
->assertActionHasLabel('capture', 'Capture baseline (full content)')
|
|
->assertActionEnabled('capture')
|
|
->callAction('capture', data: ['source_tenant_id' => (int) $tenant->getKey()])
|
|
->assertStatus(200);
|
|
|
|
$topLevelActionNames = collect(baselineProfileCaptureHeaderActions($component))
|
|
->reject(static fn ($action): bool => $action instanceof ActionGroup)
|
|
->filter(static fn ($action): bool => ! method_exists($action, 'isVisible') || $action->isVisible())
|
|
->map(static fn ($action): ?string => $action instanceof Action ? $action->getName() : null)
|
|
->filter()
|
|
->values()
|
|
->all();
|
|
|
|
expect($topLevelActionNames)->toBe(['capture']);
|
|
|
|
Queue::assertPushed(CaptureBaselineSnapshotJob::class);
|
|
|
|
$run = OperationRun::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('type', 'baseline_capture')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($run)->not->toBeNull();
|
|
expect($run?->status)->toBe('queued');
|
|
});
|
|
|
|
it('does not start full-content capture when rollout is disabled', function (): void {
|
|
Queue::fake();
|
|
config()->set('tenantpilot.baselines.full_content_capture.enabled', false);
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'capture_mode' => BaselineCaptureMode::FullContent->value,
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ViewBaselineProfile::class, ['record' => $profile->getKey()])
|
|
->assertActionVisible('capture')
|
|
->assertActionHasLabel('capture', 'Capture baseline (full content)')
|
|
->assertActionEnabled('capture')
|
|
->callAction('capture', data: ['source_tenant_id' => (int) $tenant->getKey()])
|
|
->assertNotified('Cannot start capture')
|
|
->assertStatus(200);
|
|
|
|
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
|
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
|
});
|
|
|
|
it('shows readiness copy without exposing raw canonical scope json on the capture start surface', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'scope_jsonb' => ['policy_types' => ['deviceConfiguration'], 'foundation_types' => []],
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ViewBaselineProfile::class, ['record' => $profile->getKey()])
|
|
->assertSee('Support readiness')
|
|
->assertSee('Capture: ready. Compare: ready.')
|
|
->assertDontSee('subject_type_keys')
|
|
->assertDontSee('canonical_scope');
|
|
});
|
|
|
|
it('does not start capture when the stored canonical scope is invalid', function (): void {
|
|
Queue::fake();
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$profile = BaselineProfile::factory()->active()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
]);
|
|
|
|
DB::table('baseline_profiles')
|
|
->where('id', (int) $profile->getKey())
|
|
->update([
|
|
'scope_jsonb' => json_encode([
|
|
'version' => 2,
|
|
'entries' => [
|
|
[
|
|
'domain_key' => 'platform_foundation',
|
|
'subject_class' => 'configuration_resource',
|
|
'subject_type_keys' => ['intuneRoleAssignment'],
|
|
'filters' => [],
|
|
],
|
|
],
|
|
], JSON_THROW_ON_ERROR),
|
|
'updated_at' => now(),
|
|
]);
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ViewBaselineProfile::class, ['record' => $profile->getKey()])
|
|
->assertActionVisible('capture')
|
|
->callAction('capture', data: ['source_tenant_id' => (int) $tenant->getKey()])
|
|
->assertNotified('Cannot start capture')
|
|
->assertStatus(200);
|
|
|
|
Queue::assertNotPushed(CaptureBaselineSnapshotJob::class);
|
|
expect(OperationRun::query()->where('type', 'baseline_capture')->count())->toBe(0);
|
|
});
|