ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
845d21db6d
TenantAtlas/tests/Feature/Audit/FindingAuditVisibilityTest.php
ahmido 845d21db6d feat: harden operation lifecycle monitoring (#190) 
## Summary
- harden operation-run lifecycle handling with explicit reconciliation policy, stale-run healing, failed-job bridging, and monitoring visibility
- refactor audit log event inspection into a Filament slide-over and remove the stale inline detail/header-action coupling
- align panel theme asset resolution and supporting Filament UI updates, including the rounded 2xl theme token regression fix

## Testing
- ran focused Pest coverage for the affected audit-log inspection flow and related visibility tests
- ran formatting with `vendor/bin/sail bin pint --dirty --format agent`
- manually verified the updated audit-log slide-over flow in the integrated browser

## Notes
- branch includes the Spec 160 artifacts under `specs/160-operation-lifecycle-guarantees/`
- the full test suite was not rerun as part of this final commit/PR step

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #190
2026-03-23 21:53:19 +00:00

191 lines
7.4 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Filament\Pages\Monitoring\AuditLog as AuditLogPage;
use App\Models\AuditLog;
use App\Models\Finding;
use App\Models\Tenant;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Livewire\Livewire;
it('shows finding audit history to authorized viewers and preserves drill-down links for accessible findings', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$finding = Finding::factory()->for($tenant)->create();
$audit = AuditLog::query()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'actor_email' => 'owner@example.com',
'actor_name' => 'Owner',
'actor_type' => 'human',
'action' => 'finding.resolved',
'status' => 'success',
'resource_type' => 'finding',
'resource_id' => (string) $finding->getKey(),
'target_label' => 'Drift finding #'.$finding->getKey(),
'summary' => 'Finding resolved for Drift finding #'.$finding->getKey(),
'metadata' => [
'finding_id' => (int) $finding->getKey(),
'before_status' => Finding::STATUS_TRIAGED,
'after_status' => Finding::STATUS_RESOLVED,
],
'recorded_at' => now(),
]);
$this->actingAs($user);
Filament::setTenant(null, true);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
Livewire::actingAs($user)->test(AuditLogPage::class)
->assertCanSeeTableRecords([$audit])
->mountTableAction('inspect', $audit)
->assertMountedActionModalSee('Drift finding #'.$finding->getKey())
->assertMountedActionModalSee('Open finding');
});
it('keeps deleted findings readable while suppressing finding drill-down links', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$finding = Finding::factory()->for($tenant)->create();
$findingId = (int) $finding->getKey();
$finding->delete();
$audit = AuditLog::query()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'actor_email' => 'owner@example.com',
'actor_name' => 'Owner',
'actor_type' => 'human',
'action' => 'finding.closed',
'status' => 'success',
'resource_type' => 'finding',
'resource_id' => (string) $findingId,
'target_label' => 'Permission posture finding #'.$findingId,
'summary' => 'Finding closed for Permission posture finding #'.$findingId,
'metadata' => [
'finding_id' => $findingId,
'before_status' => Finding::STATUS_REOPENED,
'after_status' => Finding::STATUS_CLOSED,
'closed_reason' => 'duplicate',
],
'recorded_at' => now(),
]);
$this->actingAs($user);
Filament::setTenant(null, true);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
Livewire::actingAs($user)->test(AuditLogPage::class)
->assertCanSeeTableRecords([$audit])
->mountTableAction('inspect', $audit)
->assertMountedActionModalSee('Permission posture finding #'.$findingId)
->assertMountedActionModalDontSee('Open finding');
});
it('does not render internal audit bookkeeping metadata in the inspection view', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$finding = Finding::factory()->for($tenant)->resolved()->create();
$audit = AuditLog::query()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'actor_email' => 'owner@example.com',
'actor_name' => 'Owner',
'actor_type' => 'human',
'action' => 'finding.closed',
'status' => 'success',
'resource_type' => 'finding',
'resource_id' => (string) $finding->getKey(),
'target_label' => 'Drift finding #'.$finding->getKey(),
'summary' => 'Finding closed for Drift finding #'.$finding->getKey(),
'metadata' => [
'finding_id' => (int) $finding->getKey(),
'before_status' => Finding::STATUS_RESOLVED,
'after_status' => Finding::STATUS_CLOSED,
'_actor_type' => 'hidden-actor-marker',
'_dedupe_key' => 'internal-bookkeeping-marker',
],
'recorded_at' => now(),
]);
$this->actingAs($user);
Filament::setTenant(null, true);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
Livewire::actingAs($user)->test(AuditLogPage::class)
->assertCanSeeTableRecords([$audit])
->mountTableAction('inspect', $audit)
->assertMountedActionModalDontSee('_dedupe_key')
->assertMountedActionModalDontSee('internal-bookkeeping-marker')
->assertMountedActionModalDontSee('_actor_type')
->assertMountedActionModalDontSee('hidden-actor-marker');
});
it('hides finding audit rows for tenants outside the viewer entitlement scope', function (): void {
[$user, $tenantA] = createUserWithTenant(role: 'owner');
$tenantB = Tenant::factory()->create([
'workspace_id' => (int) $tenantA->workspace_id,
]);
$findingA = Finding::factory()->for($tenantA)->create();
$findingB = Finding::factory()->for($tenantB)->create();
$visible = AuditLog::query()->create([
'workspace_id' => (int) $tenantA->workspace_id,
'tenant_id' => (int) $tenantA->getKey(),
'actor_email' => 'owner@example.com',
'actor_name' => 'Owner',
'actor_type' => 'human',
'action' => 'finding.triaged',
'status' => 'success',
'resource_type' => 'finding',
'resource_id' => (string) $findingA->getKey(),
'target_label' => 'Drift finding #'.$findingA->getKey(),
'summary' => 'Finding triaged for Drift finding #'.$findingA->getKey(),
'metadata' => [
'finding_id' => (int) $findingA->getKey(),
'before_status' => Finding::STATUS_NEW,
'after_status' => Finding::STATUS_TRIAGED,
],
'recorded_at' => now(),
]);
$hidden = AuditLog::query()->create([
'workspace_id' => (int) $tenantB->workspace_id,
'tenant_id' => (int) $tenantB->getKey(),
'actor_email' => 'owner@example.com',
'actor_name' => 'Owner',
'actor_type' => 'human',
'action' => 'finding.reopened',
'status' => 'success',
'resource_type' => 'finding',
'resource_id' => (string) $findingB->getKey(),
'target_label' => 'Drift finding #'.$findingB->getKey(),
'summary' => 'Finding reopened for Drift finding #'.$findingB->getKey(),
'metadata' => [
'finding_id' => (int) $findingB->getKey(),
'before_status' => Finding::STATUS_RESOLVED,
'after_status' => Finding::STATUS_REOPENED,
],
'recorded_at' => now(),
]);
$this->actingAs($user)
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id])
->get(route('admin.monitoring.audit-log').'?event='.(int) $hidden->getKey())
->assertNotFound();
$this->actingAs($user);
Filament::setTenant(null, true);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);
Livewire::actingAs($user)->test(AuditLogPage::class)
->assertCanSeeTableRecords([$visible])
->assertCanNotSeeTableRecords([$hidden]);
});
Reference in New Issue View Git Blame Copy Permalink