TenantAtlas/apps/platform/tests/Unit/Verification/ManagedEnvironmentPermissionCapabilityMappingTest.php
ahmido 9374260ae1 feat: add Exchange PowerShell invocation gate (#498)
## Summary
- Adds the Spec 431 Exchange PowerShell invocation gate and operation registration slice.
- Introduces trusted provider operation start handling and read-only Exchange PowerShell runner abstractions.
- Updates provider capability/readiness evaluation and coverage for Exchange PowerShell invocation safety.

## Verification
- `cd apps/platform && ./vendor/bin/sail artisan test tests/Feature/Providers/ProviderCapabilityEvaluationTest.php tests/Feature/Providers/ProviderOperationCapabilityGateTest.php tests/Feature/TenantConfiguration/Spec431ExchangePowerShellInvocationGateTest.php tests/Unit/Providers/ProviderCapabilityRegistryTest.php tests/Unit/Providers/ProviderOperationStartGateTest.php tests/Unit/Support/TenantConfiguration/Spec430ExchangePowerShellCommandAllowlistTest.php tests/Unit/Support/TenantConfiguration/Spec431ExchangePowerShellOperationRegistrationTest.php tests/Unit/Verification/ManagedEnvironmentPermissionCapabilityMappingTest.php`
- Result: 80 passed, 685 assertions.

## Product Surface / Ops
- Rendered UI surface changed: N/A.
- Filament/Livewire surface changed: N/A.
- Deployment impact: config/runtime service changes only; no migrations, queues, or assets added.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #498
2026-07-07 15:23:29 +00:00

45 lines
1.7 KiB
PHP

<?php
declare(strict_types=1);
use App\Support\Verification\ManagedEnvironmentPermissionCheckClusters;
it('maps configured permission rows to provider requirement keys', function (): void {
$roleDefinitionRow = [
'key' => 'RoleManagement.Read.Directory',
'type' => 'application',
'description' => null,
'features' => ['directory-role-definitions'],
'status' => 'missing',
'details' => null,
];
$groupRow = [
'key' => 'Group.Read.All',
'type' => 'application',
'description' => null,
'features' => ['directory-groups'],
'status' => 'missing',
'details' => null,
];
$exchangePowerShellRow = [
'key' => 'Exchange.ManageAsApp',
'type' => 'application',
'description' => null,
'features' => ['exchange-powershell-invocation'],
'status' => 'missing',
'details' => null,
];
expect(ManagedEnvironmentPermissionCheckClusters::requirementKeysForPermissionRow($roleDefinitionRow))
->toContain('provider.directory_role_definitions', 'permissions.admin_consent')
->and(ManagedEnvironmentPermissionCheckClusters::requirementKeysForPermissionRow($groupRow))
->toContain('permissions.directory_groups', 'permissions.admin_consent')
->and(ManagedEnvironmentPermissionCheckClusters::requirementKeysForPermissionRow($exchangePowerShellRow))
->toContain('permissions.admin_consent')
->not->toContain('provider.exchange_powershell_invocation')
->and(ManagedEnvironmentPermissionCheckClusters::rowsForRequirementKey([$roleDefinitionRow, $groupRow], 'provider.directory_role_definitions'))
->toHaveCount(1);
});