## Summary - Adds the Spec 431 Exchange PowerShell invocation gate and operation registration slice. - Introduces trusted provider operation start handling and read-only Exchange PowerShell runner abstractions. - Updates provider capability/readiness evaluation and coverage for Exchange PowerShell invocation safety. ## Verification - `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Providers/ProviderCapabilityEvaluationTest.php tests/Feature/Providers/ProviderOperationCapabilityGateTest.php tests/Feature/TenantConfiguration/Spec431ExchangePowerShellInvocationGateTest.php tests/Unit/Providers/ProviderCapabilityRegistryTest.php tests/Unit/Providers/ProviderOperationStartGateTest.php tests/Unit/Support/TenantConfiguration/Spec430ExchangePowerShellCommandAllowlistTest.php tests/Unit/Support/TenantConfiguration/Spec431ExchangePowerShellOperationRegistrationTest.php tests/Unit/Verification/ManagedEnvironmentPermissionCapabilityMappingTest.php` - Result: 80 passed, 685 assertions. ## Product Surface / Ops - Rendered UI surface changed: N/A. - Filament/Livewire surface changed: N/A. - Deployment impact: config/runtime service changes only; no migrations, queues, or assets added. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #498
45 lines
1.7 KiB
PHP
45 lines
1.7 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Support\Verification\ManagedEnvironmentPermissionCheckClusters;
|
|
|
|
it('maps configured permission rows to provider requirement keys', function (): void {
|
|
$roleDefinitionRow = [
|
|
'key' => 'RoleManagement.Read.Directory',
|
|
'type' => 'application',
|
|
'description' => null,
|
|
'features' => ['directory-role-definitions'],
|
|
'status' => 'missing',
|
|
'details' => null,
|
|
];
|
|
|
|
$groupRow = [
|
|
'key' => 'Group.Read.All',
|
|
'type' => 'application',
|
|
'description' => null,
|
|
'features' => ['directory-groups'],
|
|
'status' => 'missing',
|
|
'details' => null,
|
|
];
|
|
|
|
$exchangePowerShellRow = [
|
|
'key' => 'Exchange.ManageAsApp',
|
|
'type' => 'application',
|
|
'description' => null,
|
|
'features' => ['exchange-powershell-invocation'],
|
|
'status' => 'missing',
|
|
'details' => null,
|
|
];
|
|
|
|
expect(ManagedEnvironmentPermissionCheckClusters::requirementKeysForPermissionRow($roleDefinitionRow))
|
|
->toContain('provider.directory_role_definitions', 'permissions.admin_consent')
|
|
->and(ManagedEnvironmentPermissionCheckClusters::requirementKeysForPermissionRow($groupRow))
|
|
->toContain('permissions.directory_groups', 'permissions.admin_consent')
|
|
->and(ManagedEnvironmentPermissionCheckClusters::requirementKeysForPermissionRow($exchangePowerShellRow))
|
|
->toContain('permissions.admin_consent')
|
|
->not->toContain('provider.exchange_powershell_invocation')
|
|
->and(ManagedEnvironmentPermissionCheckClusters::rowsForRequirementKey([$roleDefinitionRow, $groupRow], 'provider.directory_role_definitions'))
|
|
->toHaveCount(1);
|
|
});
|