<?php
declare(strict_types=1);
use App\Filament\Resources\FindingResource;
use App\Models\Finding;
use App\Models\ManagedEnvironment;
use App\Models\ProviderConnection;
use App\Models\User;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Foundation\Testing\RefreshDatabase;
// Browser-test timeout for this file; 60_000 is presumably milliseconds (one minute) — confirm against the Pest browser plugin.
pest()->browser()->timeout(60_000);
// Bind Laravel's RefreshDatabase trait to the tests declared in this file.
uses(RefreshDatabase::class);
// Browser smoke test with two parts:
//  1. The finding detail page shows the human-readable title and the collapsed
//     "Technical identifiers" / "Evidence (Sanitized)" sections, while the seeded
//     raw identifiers are not visible in the default view.
//  2. A readonly user sent to the provider-connections no-access page sees the
//     permission-specific message, not the "no workspace" message, and does not
//     see the provider connection's display name.
it('Spec412 smokes finding detail hash demotion and provider no-access clarity', function (): void {
    [$operator, $environment] = createUserWithTenant(
        role: 'owner',
        workspaceRole: 'owner',
        clearCapabilityCaches: true,
    );

    $workspaceId = (int) $environment->workspace_id;

    // Marker values seeded into the finding. Naming them once keeps the seeded
    // data and the "must not be visible" assertions from drifting apart.
    $findingTitle = 'Spec412 Browser Human Finding';
    $hiddenFingerprint = 'spec412-browser-fingerprint-hidden';
    $hiddenScopeKey = 'spec412-browser-scope-hidden';
    $hiddenSubjectId = 'spec412-browser-subject-hidden';
    $hiddenSourceFingerprint = 'spec412-browser-source-hidden';
    // NOTE(review): this value carries the same "-hidden" marker as the others,
    // but no assertDontSee() below covers it — confirm whether that is intentional.
    $hiddenDetectorKey = 'spec412-browser-detector-hidden';

    $evidence = [
        'display_name' => $findingTitle,
        'summary' => [
            'source_fingerprint' => $hiddenSourceFingerprint,
            'affected_scope' => 'Human-readable pilot scope',
        ],
        'artifact' => [
            'detector_key' => $hiddenDetectorKey,
        ],
    ];

    $finding = Finding::factory()->for($environment)->create([
        'workspace_id' => $workspaceId,
        'fingerprint' => $hiddenFingerprint,
        'scope_key' => $hiddenScopeKey,
        'subject_external_id' => $hiddenSubjectId,
        'evidence_jsonb' => $evidence,
    ]);

    spec412AuthenticateBrowser($this, $operator, $environment);

    $findingUrl = FindingResource::getUrl('view', ['record' => $finding], tenant: $environment, panel: 'admin');

    // Part 1: the owner's default view of the finding must not render the raw identifiers.
    visit($findingUrl)
        ->resize(1440, 1100)
        ->waitForText($findingTitle)
        ->assertSee('Technical identifiers')
        ->assertSee('Support identifiers stay collapsed by default and are intended for authorized troubleshooting.')
        ->assertSee('Evidence (Sanitized)')
        ->assertSee('Sanitized evidence JSON is collapsed so technical payload shape does not become default finding content.')
        ->assertDontSee($hiddenFingerprint)
        ->assertDontSee($hiddenScopeKey)
        ->assertDontSee($hiddenSourceFingerprint)
        ->assertDontSee($hiddenSubjectId)
        ->assertNoJavaScriptErrors()
        ->assertNoConsoleLogs();

    $providerName = 'Spec412 Browser Provider';

    // The connection exists only so the no-access page has a provider name it could leak.
    $connection = ProviderConnection::factory()
        ->platform()
        ->verifiedHealthy()
        ->create([
            'workspace_id' => $workspaceId,
            'managed_environment_id' => (int) $environment->getKey(),
            'display_name' => $providerName,
        ]);

    [$readonly] = createUserWithTenant(
        tenant: $environment,
        role: 'readonly',
        workspaceRole: 'readonly',
        clearCapabilityCaches: true,
    );

    $noAccessUrl = spec412BrowserLoginUrl(
        $readonly,
        $environment,
        '/admin/no-access?surface=provider-connections&reason=permission',
    );

    // Part 2: the readonly user gets the permission-specific explanation and no provider details.
    visit($noAccessUrl)
        ->resize(1440, 1000)
        ->waitForText('You do not have access to provider connections.')
        ->assertSee('You are signed in, but your current workspace or environment role does not include provider connection access.')
        ->assertDontSee('You do not have access to a workspace yet.')
        ->assertDontSee('Ask an administrator to add you to a workspace, then sign in again.')
        ->assertDontSee($providerName)
        ->assertNoJavaScriptErrors()
        ->assertNoConsoleLogs();
});
/**
 * Authenticates the test case as $user and seeds the workspace selection for
 * $environment into the session, then sets the admin panel context.
 *
 * The same session values are passed to the test case via withSession() and
 * written through the session() helper.
 *
 * @param mixed $test The test case instance; it must expose actingAs().
 */
function spec412AuthenticateBrowser(
    mixed $test,
    User $user,
    ManagedEnvironment $environment,
): void {
    $workspaceId = (int) $environment->workspace_id;
    $environmentId = (int) $environment->getKey();

    $sessionState = [
        WorkspaceContext::SESSION_KEY => $workspaceId,
        // Last-used environment id, keyed by workspace id.
        WorkspaceContext::LAST_ENVIRONMENT_IDS_SESSION_KEY => [
            (string) $workspaceId => $environmentId,
        ],
    ];

    $test->actingAs($user)->withSession($sessionState);

    foreach (array_keys($sessionState) as $sessionKey) {
        session()->put($sessionKey, $sessionState[$sessionKey]);
    }

    setAdminPanelContext($environment);
}
/**
 * Builds the URL of the 'admin.local.smoke-login' route for $user, scoped to
 * $environment and its workspace, with $redirect reduced to a path and query.
 *
 * NOTE(review): the route takes only an e-mail address to identify the user and
 * appears to sign them in without a password. Its definition is not visible
 * here — confirm it is registered only for local/testing environments.
 */
function spec412BrowserLoginUrl(User $user, ManagedEnvironment $environment, string $redirect): string
{
    $parameters = [
        'email' => $user->email,
        'tenant' => $environment->external_id,
        'workspace' => $environment->workspace->slug,
        'redirect' => spec412RelativeBrowserPath($redirect),
    ];

    return route('admin.local.smoke-login', $parameters);
}
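/**
 * Reduces a URL to a root-relative path plus optional query string.
 *
 * Scheme, host, port, credentials and fragment are dropped. The result always
 * starts with exactly one "/", and it falls back to "/admin" when the URL
 * cannot be parsed or has no path.
 *
 * @param string $url Absolute or relative URL.
 *
 * @return string Root-relative path, with "?query" appended when a query is present.
 */
function spec412RelativeBrowserPath(string $url): string
{
    $parts = parse_url($url);

    if ($parts === false) {
        return '/admin';
    }

    $path = $parts['path'] ?? '';

    // parse_url('') yields an empty-string path, which "??" alone would let through.
    if ($path === '') {
        $path = '/admin';
    }

    // The value is used as a redirect target, so it must stay on this origin:
    // browsers can read a leading "//" or "/\" as the start of another host.
    // Collapsing to a single "/" also roots scheme-less input such as "admin/x".
    $path = '/'.ltrim($path, '/\\');

    return $path.(isset($parts['query']) ? '?'.$parts['query'] : '');
}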