TenantAtlas/apps/platform/app/Services/Providers/ProviderConnectionResolver.php
ahmido 9374260ae1 feat: add Exchange PowerShell invocation gate (#498)
## Summary
- Adds the Spec 431 Exchange PowerShell invocation gate and operation registration slice.
- Introduces trusted provider operation start handling and read-only Exchange PowerShell runner abstractions.
- Updates provider capability/readiness evaluation and coverage for Exchange PowerShell invocation safety.

## Verification
- `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Providers/ProviderCapabilityEvaluationTest.php tests/Feature/Providers/ProviderOperationCapabilityGateTest.php tests/Feature/TenantConfiguration/Spec431ExchangePowerShellInvocationGateTest.php tests/Unit/Providers/ProviderCapabilityRegistryTest.php tests/Unit/Providers/ProviderOperationStartGateTest.php tests/Unit/Support/TenantConfiguration/Spec430ExchangePowerShellCommandAllowlistTest.php tests/Unit/Support/TenantConfiguration/Spec431ExchangePowerShellOperationRegistrationTest.php tests/Unit/Verification/ManagedEnvironmentPermissionCapabilityMappingTest.php`
- Result: 80 passed, 685 assertions.

## Product Surface / Ops
- Rendered UI surface changed: N/A.
- Filament/Livewire surface changed: N/A.
- Deployment impact: config/runtime service changes only; no migrations, queues, or assets added.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #498
2026-07-07 15:23:29 +00:00

143 lines
5.6 KiB
PHP

<?php
namespace App\Services\Providers;
use App\Models\ManagedEnvironment;
use App\Models\ProviderConnection;
use App\Support\Providers\ProviderConsentStatus;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Providers\TargetScope\ProviderConnectionTargetScopeNormalizer;
final class ProviderConnectionResolver
{
public function __construct(
private readonly ProviderIdentityResolver $identityResolver,
private readonly ProviderConnectionTargetScopeNormalizer $targetScopeNormalizer,
) {}
public function resolveDefault(ManagedEnvironment $tenant, string $provider): ProviderConnectionResolution
{
$defaults = ProviderConnection::query()
->where('managed_environment_id', (int) $tenant->getKey())
->where('provider', $provider)
->where('is_default', true)
->orderBy('id')
->get();
if ($defaults->count() === 0) {
return ProviderConnectionResolution::blocked(
ProviderReasonCodes::ProviderConnectionMissing,
'No default provider connection is configured for this tenant/provider.',
);
}
if ($defaults->count() > 1) {
return ProviderConnectionResolution::blocked(
ProviderReasonCodes::ProviderConnectionInvalid,
'Multiple default provider connections were detected.',
'ext.multiple_defaults_detected',
);
}
/** @var ProviderConnection $connection */
$connection = $defaults->first();
return $this->validateConnection($tenant, $provider, $connection);
}
public function validateConnection(
ManagedEnvironment $tenant,
string $provider,
ProviderConnection $connection,
bool $requireIdentity = true,
): ProviderConnectionResolution {
if ((int) $connection->managed_environment_id !== (int) $tenant->getKey() || (string) $connection->provider !== $provider) {
return ProviderConnectionResolution::blocked(
ProviderReasonCodes::ProviderConnectionInvalid,
'Provider connection does not match tenant/provider scope.',
'ext.connection_scope_mismatch',
$connection,
);
}
if (! (bool) $connection->is_enabled) {
return ProviderConnectionResolution::blocked(
ProviderReasonCodes::ProviderConnectionInvalid,
'Provider connection is disabled.',
'ext.connection_disabled',
$connection,
);
}
$targetScope = $this->targetScopeNormalizer->normalizeConnection($connection);
if ($targetScope['status'] !== ProviderConnectionTargetScopeNormalizer::STATUS_NORMALIZED) {
$failureCode = $targetScope['failure_code'] ?? ProviderConnectionTargetScopeNormalizer::FAILURE_MISSING_PROVIDER_CONTEXT;
return ProviderConnectionResolution::blocked(
$failureCode === ProviderConnectionTargetScopeNormalizer::FAILURE_UNSUPPORTED_PROVIDER_SCOPE_COMBINATION
? ProviderReasonCodes::ProviderBindingUnsupported
: ProviderReasonCodes::ProviderConnectionInvalid,
$targetScope['message'] ?? 'Provider connection target scope is invalid.',
$failureCode === ProviderConnectionTargetScopeNormalizer::FAILURE_UNSUPPORTED_PROVIDER_SCOPE_COMBINATION
? 'ext.connection_scope_unsupported'
: 'ext.connection_scope_missing',
$connection,
);
}
$consentBlocker = $this->consentBlocker($connection);
if ($consentBlocker instanceof ProviderConnectionResolution) {
return $consentBlocker;
}
if (! $requireIdentity) {
return ProviderConnectionResolution::resolved($connection);
}
$identity = $this->identityResolver->resolve($connection);
if (! $identity->resolved) {
return ProviderConnectionResolution::blocked(
$identity->effectiveReasonCode(),
$identity->message,
connection: $connection,
);
}
return ProviderConnectionResolution::resolved($connection);
}
private function consentBlocker(ProviderConnection $connection): ?ProviderConnectionResolution
{
$consentStatus = $connection->consent_status;
if (! $consentStatus instanceof ProviderConsentStatus && is_string($consentStatus)) {
$consentStatus = ProviderConsentStatus::tryFrom(trim($consentStatus));
}
return match ($consentStatus) {
ProviderConsentStatus::Required => ProviderConnectionResolution::blocked(
ProviderReasonCodes::ProviderConsentMissing,
'Provider connection requires admin consent before use.',
'ext.connection_needs_consent',
$connection,
),
ProviderConsentStatus::Failed => ProviderConnectionResolution::blocked(
ProviderReasonCodes::ProviderConsentFailed,
'Provider connection consent failed. Retry admin consent before use.',
'ext.connection_consent_failed',
$connection,
),
ProviderConsentStatus::Revoked => ProviderConnectionResolution::blocked(
ProviderReasonCodes::ProviderConsentRevoked,
'Provider connection consent was revoked. Grant admin consent again before use.',
'ext.connection_consent_revoked',
$connection,
),
default => null,
};
}
}