ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
8cfa5ae2bd
TenantAtlas/app/Services/Verification/StartVerification.php
Ahmed Darrazi 8cfa5ae2bd feat: harden queued execution legitimacy
2026-03-17 22:48:57 +01:00

165 lines
6.1 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Services\Verification;
use App\Jobs\ProviderConnectionHealthCheckJob;
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Providers\ProviderConnectionResolver;
use App\Services\Providers\ProviderConnectionStateProjector;
use App\Services\Providers\ProviderIdentityResolver;
use App\Services\Providers\ProviderOperationStartGate;
use App\Services\Providers\ProviderOperationStartResult;
use App\Support\Auth\Capabilities;
use App\Support\Operations\ExecutionAuthorityMode;
use App\Support\Providers\ProviderVerificationStatus;
use Illuminate\Support\Facades\Gate;
use InvalidArgumentException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
final class StartVerification
{
public function __construct(
private readonly ProviderOperationStartGate $providers,
private readonly ProviderConnectionResolver $connections,
private readonly ProviderIdentityResolver $identityResolver,
private readonly ProviderConnectionStateProjector $stateProjector,
) {}
/**
* Start (or dedupe) a provider-connection verification run.
*
* @param array<string, mixed> $extraContext
*/
public function providerConnectionCheck(
Tenant $tenant,
ProviderConnection $connection,
User $initiator,
array $extraContext = [],
): ProviderOperationStartResult {
return $this->providerConnectionCheckUsingConnection(
tenant: $tenant,
connection: $connection,
initiator: $initiator,
extraContext: $extraContext,
);
}
/**
* Start (or dedupe) a provider-connection verification run for the tenant default connection.
*
* @param array<string, mixed> $extraContext
*/
public function providerConnectionCheckForTenant(
Tenant $tenant,
User $initiator,
array $extraContext = [],
): ProviderOperationStartResult {
if (! $initiator->canAccessTenant($tenant)) {
throw new NotFoundHttpException;
}
Gate::forUser($initiator)->authorize(Capabilities::PROVIDER_RUN, $tenant);
$resolution = $this->connections->resolveDefault($tenant, 'microsoft');
if ($resolution->resolved && $resolution->connection instanceof ProviderConnection) {
return $this->providerConnectionCheckUsingConnection(
tenant: $tenant,
connection: $resolution->connection,
initiator: $initiator,
extraContext: $extraContext,
);
}
return $this->providers->start(
tenant: $tenant,
connection: null,
operationType: 'provider.connection.check',
dispatcher: fn (OperationRun $run): mixed => $this->dispatchConnectionHealthCheck($run, $tenant, $initiator),
initiator: $initiator,
extraContext: array_merge($extraContext, [
'execution_authority_mode' => ExecutionAuthorityMode::ActorBound->value,
'required_capability' => Capabilities::PROVIDER_RUN,
]),
);
}
/**
* Start (or dedupe) a provider-connection verification run for an explicit connection.
*
* @param array<string, mixed> $extraContext
*/
public function providerConnectionCheckUsingConnection(
Tenant $tenant,
ProviderConnection $connection,
User $initiator,
array $extraContext = [],
): ProviderOperationStartResult {
if (! $initiator->canAccessTenant($tenant)) {
throw new NotFoundHttpException;
}
Gate::forUser($initiator)->authorize(Capabilities::PROVIDER_RUN, $tenant);
$identity = $this->identityResolver->resolve($connection);
$result = $this->providers->start(
tenant: $tenant,
connection: $connection,
operationType: 'provider.connection.check',
dispatcher: fn (OperationRun $run): mixed => $this->dispatchConnectionHealthCheck($run, $tenant, $initiator),
initiator: $initiator,
extraContext: array_merge($extraContext, [
'execution_authority_mode' => ExecutionAuthorityMode::ActorBound->value,
'required_capability' => Capabilities::PROVIDER_RUN,
'identity' => [
'connection_type' => $identity->connectionType->value,
'credential_source' => $identity->credentialSource,
'effective_client_id' => $identity->effectiveClientId,
],
]),
);
if ($result->status === 'started') {
$projectedState = $this->stateProjector->project(
connectionType: $connection->connection_type,
consentStatus: $connection->consent_status,
verificationStatus: ProviderVerificationStatus::Pending,
currentStatus: is_string($connection->status) ? $connection->status : null,
);
$connection->update([
'verification_status' => ProviderVerificationStatus::Pending,
'status' => $projectedState['status'],
'health_status' => $projectedState['health_status'],
'last_error_reason_code' => null,
'last_error_message' => null,
]);
}
return $result;
}
private function dispatchConnectionHealthCheck(OperationRun $run, Tenant $tenant, User $initiator): mixed
{
$context = is_array($run->context ?? null) ? $run->context : [];
$providerConnectionId = $context['provider_connection_id'] ?? null;
if (! is_numeric($providerConnectionId)) {
throw new InvalidArgumentException('Provider connection id is missing from run context.');
}
return ProviderConnectionHealthCheckJob::dispatch(
tenantId: (int) $tenant->getKey(),
userId: (int) $initiator->getKey(),
providerConnectionId: (int) $providerConnectionId,
operationRun: $run,
);
}
}
Reference in New Issue View Git Blame Copy Permalink