ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
7c492ef6df
TenantAtlas/tests/Feature/Findings/FindingRbacTest.php
ahmido ec71c2d4e7 feat: harden findings workflow and audit backstop (#181) 
## Summary
- harden finding lifecycle changes behind the canonical `FindingWorkflowService` gateway
- route automated resolve and reopen flows through the same audited workflow path
- tighten tenant and workspace scope checks on finding actions and audit visibility
- add focused spec artifacts, workflow regression coverage, automation coverage, and audit visibility tests
- update legacy finding model tests to use the workflow service after direct lifecycle mutators were removed

## Testing
- `vendor/bin/sail bin pint --dirty --format agent`
- focused findings and audit slices passed during implementation
- `vendor/bin/sail artisan test --compact tests/Feature/Models/FindingResolvedTest.php`
- full repository suite passed: `2757 passed`, `8 skipped`, `14448 assertions`

## Notes
- Livewire v4.0+ compliance preserved
- no new Filament assets or panel providers introduced; provider registration remains in `bootstrap/providers.php`
- findings stay on existing Filament action surfaces, with destructive actions still confirmation-gated
- no global search behavior was changed for findings resources

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #181
2026-03-18 12:57:23 +00:00

119 lines
4.2 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Filament\Resources\FindingResource;
use App\Filament\Resources\FindingResource\Pages\ListFindings;
use App\Models\Finding;
use App\Services\Findings\FindingWorkflowService;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Gate;
use Livewire\Livewire;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
uses(RefreshDatabase::class);
it('returns 404 for non-members on findings pages', function (): void {
$tenant = \App\Models\Tenant::factory()->create();
[$user] = createUserWithTenant(role: 'owner');
$finding = Finding::factory()->for($tenant)->create();
$this->actingAs($user)
->get(FindingResource::getUrl('index', tenant: $tenant))
->assertNotFound();
$this->actingAs($user)
->get(FindingResource::getUrl('view', ['record' => $finding], tenant: $tenant))
->assertNotFound();
});
it('shows triage row action disabled for readonly members', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$this->actingAs($user);
Filament::setTenant($tenant, true);
$finding = Finding::factory()->for($tenant)->create([
'status' => Finding::STATUS_NEW,
]);
Livewire::test(ListFindings::class)
->assertTableActionVisible('triage', $finding)
->assertTableActionDisabled('triage', $finding);
});
it('enforces 404 for non-member and 403 for member missing capability in workflow service', function (): void {
[$owner, $tenant] = createUserWithTenant(role: 'owner');
[$readonly] = createUserWithTenant(tenant: $tenant, role: 'readonly');
$outsider = \App\Models\User::factory()->create();
$finding = Finding::factory()->for($tenant)->create([
'status' => Finding::STATUS_NEW,
]);
$service = app(FindingWorkflowService::class);
expect(fn () => $service->triage($finding, $tenant, $outsider))
->toThrow(NotFoundHttpException::class);
expect(fn () => $service->triage($finding, $tenant, $readonly))
->toThrow(AuthorizationException::class);
$triaged = $service->triage($finding, $tenant, $owner);
expect($triaged->status)->toBe(Finding::STATUS_TRIAGED);
});
it('returns 404 and mutates nothing when a forged foreign-tenant finding action is mounted', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
Filament::setTenant($tenant, true);
$foreignTenant = \App\Models\Tenant::factory()->create();
$foreignFinding = Finding::factory()->for($foreignTenant)->create([
'status' => Finding::STATUS_NEW,
]);
$component = Livewire::test(ListFindings::class);
expect(fn () => $component->instance()->mountTableAction('triage', (string) $foreignFinding->getKey()))
->toThrow(NotFoundHttpException::class);
expect($foreignFinding->fresh()?->status)->toBe(Finding::STATUS_NEW);
});
it('denies finding view and triage as not found when tenant context workspace does not match the record workspace', function (): void {
$tenant = \App\Models\Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
$finding = Finding::make([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id + 999,
'status' => Finding::STATUS_NEW,
]);
$this->actingAs($user);
Filament::setCurrentPanel('admin');
Filament::setTenant(null, true);
Filament::bootCurrentPanel();
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [
(string) $tenant->workspace_id => (int) $tenant->getKey(),
]);
expect(Gate::forUser($user)->allows('view', $finding))->toBeFalse();
try {
Gate::forUser($user)->authorize('triage', $finding);
$this->fail('Expected workspace-mismatched finding authorization to be denied as not found.');
} catch (AuthorizationException $exception) {
expect($exception->status())->toBe(404);
}
});
Reference in New Issue View Git Blame Copy Permalink