175 lines
5.3 KiB
PHP
175 lines
5.3 KiB
PHP
<?php
|
|
|
|
use Illuminate\Support\Collection;
|
|
|
|
function trustedStateFirstSliceSurfaces(): array
|
|
{
|
|
return [
|
|
'app/Filament/Pages/Workspaces/ManagedTenantOnboardingWizard.php',
|
|
'app/Filament/Pages/TenantRequiredPermissions.php',
|
|
'app/Filament/System/Pages/Ops/Runbooks.php',
|
|
];
|
|
}
|
|
|
|
it('does not introduce ad-hoc authorization patterns in app/Filament (allowlist-driven)', function () {
|
|
$root = base_path();
|
|
$self = realpath(__FILE__);
|
|
|
|
$directories = [
|
|
$root.'/app/Filament',
|
|
];
|
|
|
|
$excludedPaths = [
|
|
$root.'/vendor',
|
|
$root.'/storage',
|
|
$root.'/specs',
|
|
$root.'/spechistory',
|
|
$root.'/references',
|
|
$root.'/public/build',
|
|
];
|
|
|
|
$allowlist = [
|
|
// NOTE: Shrink this list as files are migrated to UiEnforcement (Feature 066b).
|
|
'app/Filament/Pages/ChooseTenant.php',
|
|
'app/Filament/Pages/Tenancy/RegisterTenant.php',
|
|
'app/Filament/Resources/BackupScheduleResource.php',
|
|
'app/Filament/Resources/FindingResource.php',
|
|
'app/Filament/Resources/FindingResource/Pages/ListFindings.php',
|
|
'app/Filament/Resources/PolicyResource.php',
|
|
'app/Filament/Resources/PolicyResource/Pages/ListPolicies.php',
|
|
'app/Filament/Resources/PolicyResource/RelationManagers/VersionsRelationManager.php',
|
|
'app/Filament/Resources/PolicyVersionResource.php',
|
|
'app/Filament/Resources/TenantResource/RelationManagers/TenantMembershipsRelationManager.php',
|
|
'app/Filament/System/Pages/Dashboard.php',
|
|
];
|
|
|
|
$forbiddenPatterns = [
|
|
'/\\bGate::\\b/',
|
|
'/\\babort_(?:if|unless)\\b/',
|
|
];
|
|
|
|
/** @var Collection<int, string> $files */
|
|
$files = collect($directories)
|
|
->filter(fn (string $dir): bool => is_dir($dir))
|
|
->flatMap(function (string $dir): array {
|
|
$iterator = new RecursiveIteratorIterator(
|
|
new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
|
|
);
|
|
|
|
$paths = [];
|
|
|
|
foreach ($iterator as $file) {
|
|
if (! $file->isFile()) {
|
|
continue;
|
|
}
|
|
|
|
$path = $file->getPathname();
|
|
|
|
if (! str_ends_with($path, '.php')) {
|
|
continue;
|
|
}
|
|
|
|
$paths[] = $path;
|
|
}
|
|
|
|
return $paths;
|
|
})
|
|
->filter(function (string $path) use ($excludedPaths, $self): bool {
|
|
if ($self && realpath($path) === $self) {
|
|
return false;
|
|
}
|
|
|
|
foreach ($excludedPaths as $excluded) {
|
|
if (str_starts_with($path, $excluded)) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
return true;
|
|
})
|
|
->values();
|
|
|
|
$hits = [];
|
|
|
|
foreach ($files as $path) {
|
|
$relative = str_replace($root.'/', '', $path);
|
|
|
|
if (in_array($relative, $allowlist, true)) {
|
|
continue;
|
|
}
|
|
|
|
$contents = file_get_contents($path);
|
|
|
|
if (! is_string($contents) || $contents === '') {
|
|
continue;
|
|
}
|
|
|
|
foreach ($forbiddenPatterns as $pattern) {
|
|
if (! preg_match($pattern, $contents)) {
|
|
continue;
|
|
}
|
|
|
|
$lines = preg_split('/\R/', $contents) ?: [];
|
|
|
|
foreach ($lines as $index => $line) {
|
|
if (preg_match($pattern, $line)) {
|
|
$hits[] = $relative.':'.($index + 1).' -> '.trim($line);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
expect($hits)->toBeEmpty(
|
|
"Ad-hoc Filament auth patterns found (remove allowlist entries as you migrate):\n".implode("\n", $hits)
|
|
);
|
|
});
|
|
|
|
it('keeps shared tenant-owned helper entry points free of ad-hoc authorization patterns', function (): void {
|
|
$sharedEntryPoints = [
|
|
'app/Filament/Concerns/InteractsWithTenantOwnedRecords.php',
|
|
'app/Filament/Concerns/ResolvesPanelTenantContext.php',
|
|
];
|
|
|
|
$forbiddenPatterns = [
|
|
'/\\bGate::\\b/',
|
|
'/\\babort_(?:if|unless)\\b/',
|
|
];
|
|
|
|
foreach ($sharedEntryPoints as $relativePath) {
|
|
$contents = file_get_contents(base_path($relativePath));
|
|
|
|
expect($contents)->not->toBeFalse();
|
|
|
|
foreach ($forbiddenPatterns as $pattern) {
|
|
expect(preg_match($pattern, (string) $contents))
|
|
->toBe(0, "Shared tenant-owned helper entry point should stay free of ad-hoc auth patterns: {$relativePath}");
|
|
}
|
|
}
|
|
});
|
|
|
|
it('keeps first-slice trusted-state surfaces inside the standard Filament auth scan', function (): void {
|
|
$root = base_path();
|
|
|
|
foreach (trustedStateFirstSliceSurfaces() as $relativePath) {
|
|
expect(file_exists($root.'/'.$relativePath))->toBeTrue();
|
|
}
|
|
});
|
|
|
|
it('keeps first-slice trusted-state surfaces free of broad ad-hoc authorization shortcuts', function (): void {
|
|
$forbiddenPatterns = [
|
|
'/\\bGate::\\b/',
|
|
'/\\babort_(?:if|unless)\\b/',
|
|
];
|
|
|
|
foreach (trustedStateFirstSliceSurfaces() as $relativePath) {
|
|
$contents = file_get_contents(base_path($relativePath));
|
|
|
|
expect($contents)->not->toBeFalse();
|
|
|
|
foreach ($forbiddenPatterns as $pattern) {
|
|
expect(preg_match($pattern, (string) $contents))
|
|
->toBe(0, "First-slice trusted-state surface should stay free of broad ad-hoc auth shortcuts: {$relativePath}");
|
|
}
|
|
}
|
|
});
|