ahmido
5bcb4f6ab8
## Summary
- add a canonical queued execution legitimacy contract for actor-bound and system-authority operation runs
- enforce legitimacy before queued jobs transition runs to running across provider, inventory, restore, bulk, sync, and scheduled backup flows
- surface blocked execution outcomes consistently in Monitoring, notifications, audit data, and the tenantless operation viewer
- add Spec 149 artifacts and focused Pest coverage for legitimacy decisions, middleware ordering, blocked presentation, retry behavior, and cross-family adoption
## Testing
- vendor/bin/sail artisan test --compact tests/Unit/Operations/QueuedExecutionLegitimacyGateTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionMiddlewareOrderingTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Verification/ProviderExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/RunInventorySyncExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/ExecuteRestoreRunExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/SystemRunBlockedExecutionNotificationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/BulkOperationExecutionReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionRetryReauthorizationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionContractMatrixTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/OperationRunBlockedExecutionPresentationTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/QueuedExecutionAuditTrailTest.php
- vendor/bin/sail artisan test --compact tests/Feature/Operations/TenantlessOperationRunViewerTest.php
- vendor/bin/sail bin pint --dirty --format agent
## Manual validation
- validated queued provider execution blocking for tenant operability drift in the integrated browser on /admin/operations and /admin/operations/{run}
- validated 404 vs 403 route behavior for non-membership vs in-scope capability denial
- validated initiator-null blocked system-run behavior without creating a user terminal notification
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #179
124 lines
3.5 KiB
PHP
124 lines
3.5 KiB
PHP
<?php
|
|
|
|
use App\Jobs\SyncPoliciesJob;
|
|
use App\Models\Policy;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Services\Graph\GraphClientInterface;
|
|
use App\Services\Graph\GraphResponse;
|
|
use App\Services\OperationRunService;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
test('policy sync updates selected policies from graph and updates the operation run', function () {
|
|
$tenant = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
]);
|
|
$tenant->makeCurrent();
|
|
|
|
$user = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $user, role: 'owner');
|
|
|
|
ensureDefaultProviderConnection($tenant);
|
|
|
|
$policies = Policy::factory()
|
|
->count(3)
|
|
->create([
|
|
'tenant_id' => $tenant->id,
|
|
'policy_type' => 'deviceConfiguration',
|
|
'platform' => 'windows10AndLater',
|
|
'last_synced_at' => null,
|
|
'ignored_at' => null,
|
|
]);
|
|
|
|
app()->instance(GraphClientInterface::class, new class implements GraphClientInterface
|
|
{
|
|
public function listPolicies(string $policyType, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
|
|
public function getPolicy(string $policyType, string $policyId, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, [
|
|
'payload' => [
|
|
'id' => $policyId,
|
|
'displayName' => "Synced {$policyId}",
|
|
'platform' => $options['platform'] ?? null,
|
|
'example' => 'value',
|
|
],
|
|
]);
|
|
}
|
|
|
|
public function getOrganization(array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
|
|
public function applyPolicy(string $policyType, string $policyId, array $payload, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
|
|
public function getServicePrincipalPermissions(array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
|
|
public function request(string $method, string $path, array $options = []): GraphResponse
|
|
{
|
|
return new GraphResponse(true, []);
|
|
}
|
|
});
|
|
|
|
/** @var OperationRunService $runs */
|
|
$runs = app(OperationRunService::class);
|
|
|
|
$selectedIds = $policies
|
|
->pluck('id')
|
|
->map(static fn ($id): int => (int) $id)
|
|
->sort()
|
|
->values()
|
|
->all();
|
|
|
|
$opRun = $runs->ensureRun(
|
|
tenant: $tenant,
|
|
type: 'policy.sync',
|
|
inputs: [
|
|
'scope' => 'subset',
|
|
'policy_ids' => $selectedIds,
|
|
],
|
|
initiator: $user,
|
|
);
|
|
|
|
SyncPoliciesJob::dispatchSync(
|
|
tenantId: (int) $tenant->getKey(),
|
|
types: null,
|
|
policyIds: $selectedIds,
|
|
operationRun: $opRun,
|
|
);
|
|
|
|
$opRun->refresh();
|
|
|
|
expect($opRun->status)->toBe('completed');
|
|
expect($opRun->outcome)->toBe('succeeded');
|
|
expect($opRun->summary_counts)->toMatchArray([
|
|
'total' => 3,
|
|
'processed' => 3,
|
|
'succeeded' => 3,
|
|
'failed' => 0,
|
|
'skipped' => 0,
|
|
]);
|
|
|
|
$policies->each(function (Policy $policy) {
|
|
$policy->refresh();
|
|
|
|
expect($policy->last_synced_at)->not->toBeNull();
|
|
expect($policy->display_name)->toBe("Synced {$policy->external_id}");
|
|
expect($policy->metadata)->toMatchArray([
|
|
'example' => 'value',
|
|
]);
|
|
});
|
|
});
|