TenantAtlas/tests/Feature/Rbac/BackupItemsRelationManagerSemanticsTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\BackupSetResource;
use App\Filament\Resources\BackupSetResource\Pages\EditBackupSet;
use App\Filament\Resources\BackupSetResource\RelationManagers\BackupItemsRelationManager;
use App\Filament\Resources\PolicyVersionResource;
use App\Models\BackupItem;
use App\Models\BackupSet;
use App\Models\OperationRun;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Models\User;
use App\Models\WorkspaceMembership;
use Filament\Facades\Filament;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

it('returns 404 for non-members before capability checks on backup item actions', function (): void {
    [$owner, $tenant] = createUserWithTenant(role: 'owner');

    $this->actingAs($owner);
    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    $backupSet = BackupSet::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
    ]);
    $backupItem = BackupItem::factory()->for($backupSet)->for($tenant)->create();

    $outsider = User::factory()->create();
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'user_id' => (int) $outsider->getKey(),
        'role' => 'owner',
    ]);

    $this->actingAs($outsider);
    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    $this->get(BackupSetResource::getUrl('view', ['record' => $backupSet], tenant: $tenant))
        ->assertNotFound();
});

it('keeps actions visible but disabled for members missing capability', function (): void {
    [$readonlyUser, $tenant] = createUserWithTenant(role: 'readonly');

    $this->actingAs($readonlyUser);
    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    $backupSet = BackupSet::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
    ]);
    $backupItem = BackupItem::factory()->for($backupSet)->for($tenant)->create();

    Livewire::test(BackupItemsRelationManager::class, [
        'ownerRecord' => $backupSet,
        'pageClass' => EditBackupSet::class,
    ])
        ->assertTableActionVisible('remove', $backupItem)
        ->assertTableActionDisabled('remove', $backupItem);
});

it('routes versioned RBAC foundation items to immutable policy version detail', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $this->actingAs($user);
    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    $policy = Policy::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'external_id' => 'role-def-1',
        'policy_type' => 'intuneRoleDefinition',
        'platform' => 'all',
        'display_name' => 'Current role label',
        'last_synced_at' => null,
    ]);

    $version = PolicyVersion::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
        'policy_id' => (int) $policy->getKey(),
        'policy_type' => 'intuneRoleDefinition',
        'platform' => 'all',
        'snapshot' => [
            'displayName' => 'Captured RBAC role',
        ],
    ]);

    $backupSet = BackupSet::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
    ]);

    $backupItem = BackupItem::factory()->for($backupSet)->for($tenant)->create([
        'policy_id' => (int) $policy->getKey(),
        'policy_version_id' => (int) $version->getKey(),
        'policy_identifier' => 'role-def-1',
        'policy_type' => 'intuneRoleDefinition',
        'platform' => 'all',
        'payload' => [
            'displayName' => 'Captured RBAC role',
        ],
        'metadata' => [
            'displayName' => 'Captured RBAC role',
        ],
    ]);

    $component = Livewire::test(BackupItemsRelationManager::class, [
        'ownerRecord' => $backupSet,
        'pageClass' => EditBackupSet::class,
    ])
        ->assertTableColumnFormattedStateSet('policy.display_name', 'Captured RBAC role', $backupItem);

    $table = $component->instance()->getTable();

    expect($table->getRecordUrl($backupItem))
        ->toBe(PolicyVersionResource::getUrl('view', ['record' => $version], tenant: $tenant));
});

it('returns 404 and queues nothing when a forged foreign-tenant row action record is submitted', function (): void {
    Queue::fake();

    [$user, $tenant] = createUserWithTenant(role: 'owner');

    $this->actingAs($user);
    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    $backupSet = BackupSet::factory()->create([
        'tenant_id' => (int) $tenant->getKey(),
    ]);

    $foreignTenant = \App\Models\Tenant::factory()->create();
    $foreignBackupSet = BackupSet::factory()->create([
        'tenant_id' => (int) $foreignTenant->getKey(),
    ]);
    $foreignBackupItem = BackupItem::factory()->for($foreignBackupSet)->for($foreignTenant)->create();

    $component = Livewire::test(BackupItemsRelationManager::class, [
        'ownerRecord' => $backupSet,
        'pageClass' => EditBackupSet::class,
    ]);

    expect(fn () => $component->instance()->mountTableAction('remove', (string) $foreignBackupItem->getKey()))
        ->toThrow(NotFoundHttpException::class);

    Queue::assertNothingPushed();

    expect(OperationRun::query()->where('type', 'backup_set.remove_policies')->exists())->toBeFalse();
});