TenantAtlas/tests/Feature/Guards/NoAdHocFilamentAuthPatternsTest.php

<?php

use Illuminate\Support\Collection;

it('does not introduce ad-hoc authorization patterns in app/Filament (allowlist-driven)', function () {
    $root = base_path();
    $self = realpath(__FILE__);

    $directories = [
        $root.'/app/Filament',
    ];

    $excludedPaths = [
        $root.'/vendor',
        $root.'/storage',
        $root.'/specs',
        $root.'/spechistory',
        $root.'/references',
        $root.'/public/build',
    ];

    $allowlist = [
        // NOTE: Shrink this list as files are migrated to UiEnforcement (Feature 066b).
        'app/Filament/Pages/ChooseTenant.php',
        'app/Filament/Pages/DriftLanding.php',
        'app/Filament/Pages/Tenancy/RegisterTenant.php',
        'app/Filament/Resources/BackupScheduleResource.php',
        'app/Filament/Resources/FindingResource.php',
        'app/Filament/Resources/FindingResource/Pages/ListFindings.php',
        'app/Filament/Resources/PolicyResource.php',
        'app/Filament/Resources/PolicyResource/Pages/ListPolicies.php',
        'app/Filament/Resources/PolicyResource/RelationManagers/VersionsRelationManager.php',
        'app/Filament/Resources/PolicyVersionResource.php',
        'app/Filament/Resources/TenantResource/RelationManagers/TenantMembershipsRelationManager.php',
        'app/Filament/System/Pages/Dashboard.php',
    ];

    $forbiddenPatterns = [
        '/\\bGate::\\b/',
        '/\\babort\\s*\\(/',
        '/\\babort_(?:if|unless)\\b/',
    ];

    /** @var Collection<int, string> $files */
    $files = collect($directories)
        ->filter(fn (string $dir): bool => is_dir($dir))
        ->flatMap(function (string $dir): array {
            $iterator = new RecursiveIteratorIterator(
                new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
            );

            $paths = [];

            foreach ($iterator as $file) {
                if (! $file->isFile()) {
                    continue;
                }

                $path = $file->getPathname();

                if (! str_ends_with($path, '.php')) {
                    continue;
                }

                $paths[] = $path;
            }

            return $paths;
        })
        ->filter(function (string $path) use ($excludedPaths, $self): bool {
            if ($self && realpath($path) === $self) {
                return false;
            }

            foreach ($excludedPaths as $excluded) {
                if (str_starts_with($path, $excluded)) {
                    return false;
                }
            }

            return true;
        })
        ->values();

    $hits = [];

    foreach ($files as $path) {
        $relative = str_replace($root.'/', '', $path);

        if (in_array($relative, $allowlist, true)) {
            continue;
        }

        $contents = file_get_contents($path);

        if (! is_string($contents) || $contents === '') {
            continue;
        }

        foreach ($forbiddenPatterns as $pattern) {
            if (! preg_match($pattern, $contents)) {
                continue;
            }

            $lines = preg_split('/\R/', $contents) ?: [];

            foreach ($lines as $index => $line) {
                if (preg_match($pattern, $line)) {
                    $hits[] = $relative.':'.($index + 1).' -> '.trim($line);
                }
            }
        }
    }

    expect($hits)->toBeEmpty(
        "Ad-hoc Filament auth patterns found (remove allowlist entries as you migrate):\n".implode("\n", $hits)
    );
});