ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
9ae98b0705
TenantAtlas/apps/platform/tests/Feature/Rbac/ProviderConnectionAccessBoundaryTest.php
Ahmed Darrazi 9ae98b0705
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 1m37s
Details
fix: tighten workspace RBAC access boundaries
2026-05-15 15:59:14 +02:00

82 lines
3.1 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Models\ManagedEnvironment;
use App\Models\ManagedEnvironmentMembership;
use App\Models\ProviderConnection;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Services\Auth\CapabilityResolver;
use App\Services\Auth\ManagedEnvironmentAccessScopeResolver;
use App\Support\Auth\WorkspaceRole;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Support\Facades\Gate;
it('keeps provider credential-level authority owner only', function (): void {
$workspace = Workspace::factory()->create();
$tenant = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $workspace->getKey(),
]);
$connection = ProviderConnection::factory()->withCredential()->create([
'workspace_id' => (int) $workspace->getKey(),
'managed_environment_id' => (int) $tenant->getKey(),
]);
foreach (WorkspaceRole::cases() as $role) {
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => $role->value,
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
app(CapabilityResolver::class)->clearCache();
app(ManagedEnvironmentAccessScopeResolver::class)->clearCache();
expect(Gate::forUser($user)->allows('manageDedicatedCredential', $connection))->toBe($role === WorkspaceRole::Owner);
expect(Gate::forUser($user)->allows('deleteDedicatedCredential', $connection))->toBe($role === WorkspaceRole::Owner);
}
});
it('denies same-workspace wrong-environment provider connections as not found', function (): void {
$workspace = Workspace::factory()->create();
$allowedTenant = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $workspace->getKey(),
]);
$deniedTenant = ManagedEnvironment::factory()->active()->create([
'workspace_id' => (int) $workspace->getKey(),
]);
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => WorkspaceRole::Manager->value,
]);
ManagedEnvironmentMembership::query()->create([
'managed_environment_id' => (int) $allowedTenant->getKey(),
'user_id' => (int) $user->getKey(),
'role' => WorkspaceRole::Readonly->value,
'source' => 'manual',
]);
app(CapabilityResolver::class)->clearCache();
app(ManagedEnvironmentAccessScopeResolver::class)->clearCache();
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'managed_environment_id' => (int) $deniedTenant->getKey(),
]);
session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());
$response = Gate::forUser($user)->inspect('view', $connection);
expect($response->denied())->toBeTrue()
->and($response->status())->toBe(404);
});
Reference in New Issue View Git Blame Copy Permalink