ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
bd6df1f343
TenantAtlas/tests/Feature/MonitoringOperationsTest.php
ahmido 3030dd9af2 054-unify-runs-suitewide (#63) 
Summary

Kurz: Implementiert Feature 054 — canonical OperationRun-flow, Monitoring UI, dispatch-safety, notifications, dedupe, plus small UX safety clarifications (RBAC group search delegated; Restore group mapping DB-only).
What Changed

Core service: OperationRun lifecycle, dedupe and dispatch helpers — OperationRunService.php.
Model + migration: OperationRun model and migration — OperationRun.php, 2026_01_16_180642_create_operation_runs_table.php.
Notifications: queued + terminal DB notifications (initiator-only) — OperationRunQueued.php, OperationRunCompleted.php.
Monitoring UI: Filament list/detail + Livewire pieces (DB-only render) — OperationRunResource.php and related pages/views.
Start surfaces / Jobs: instrumented start surfaces, job middleware, and job updates to use canonical runs — multiple app/Jobs/* and app/Filament/* updates (see tests for full coverage).
RBAC + Restore UX clarifications: RBAC group search is delegated-Graph-based and disabled without delegated token; Restore group mapping remains DB-only (directory cache) and helper text always visible — TenantResource.php, RestoreRunResource.php.
Specs / Constitution: updated spec & quickstart and added one-line constitution guideline about Graph usage:
spec.md
quickstart.md
constitution.md
Tests & Verification

Unit / Feature tests added/updated for run lifecycle, notifications, idempotency, and UI guards: see tests/Feature/* (notably OperationRunServiceTest, MonitoringOperationsTest, OperationRunNotificationTest, and various Filament feature tests).
Full test run locally: ./vendor/bin/sail artisan test → 587 passed, 5 skipped.
Migrations

Adds create_operation_runs_table migration; run php artisan migrate in staging after review.
Notes / Rationale

Monitoring pages are explicitly DB-only at render time (no Graph calls). Start surfaces enqueue work only and return a “View run” link.
Delegated Graph access is used only for explicit user actions (RBAC group search); restore mapping intentionally uses cached DB data only to avoid render-time Graph calls.
Dispatch wrapper marks runs failed immediately if background dispatch throws synchronously to avoid misleading “queued” states.
Upgrade / Deploy Considerations

Run migrations: ./vendor/bin/sail artisan migrate.
Background workers should be running to process queued jobs (recommended to monitor queue health during rollout).
No secret or token persistence changes.
PR checklist

 Tests updated/added for changed behavior
 Specs updated: 054-unify-runs-suitewide docs + quickstart
 Constitution note added (.specify)
 Pint formatting applied

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #63
2026-01-17 22:25:00 +00:00

141 lines
4.7 KiB
PHP
Raw Blame History

<?php
use App\Filament\Resources\OperationRunResource;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Services\Graph\GraphClientInterface;
it('allows access to monitoring page for tenant members', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create();
$tenant->users()->attach($user);
$run = OperationRun::create([
'tenant_id' => $tenant->id,
'type' => 'test.run',
'status' => 'queued',
'outcome' => 'pending',
'initiator_name' => 'System',
'run_identity_hash' => 'hash123',
]);
$this->actingAs($user)
->get(OperationRunResource::getUrl('index', tenant: $tenant))
->assertSuccessful()
->assertSee('test.run');
});
it('renders monitoring pages DB-only (never calls Graph)', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create();
$tenant->users()->attach($user);
$run = OperationRun::create([
'tenant_id' => $tenant->id,
'type' => 'test.run',
'status' => 'queued',
'outcome' => 'pending',
'initiator_name' => 'System',
'run_identity_hash' => 'hash123',
]);
$this->mock(GraphClientInterface::class, function ($mock): void {
$mock->shouldReceive('listPolicies')->never();
$mock->shouldReceive('getPolicy')->never();
$mock->shouldReceive('getOrganization')->never();
$mock->shouldReceive('applyPolicy')->never();
$mock->shouldReceive('getServicePrincipalPermissions')->never();
$mock->shouldReceive('request')->never();
});
$this->actingAs($user)
->get(OperationRunResource::getUrl('index', tenant: $tenant))
->assertSuccessful();
$this->actingAs($user)
->get(OperationRunResource::getUrl('view', ['record' => $run], tenant: $tenant))
->assertSuccessful();
});
it('shows runs only for current tenant', function () {
$tenantA = Tenant::factory()->create();
$tenantB = Tenant::factory()->create();
$user = User::factory()->create();
$tenantA->users()->attach($user);
// We must simulate being in tenant context
$this->actingAs($user);
// Filament::setTenant($tenantA); // This is usually handled by middleware on routes, but in Livewire test we might need manual set or route visit.
// Easier approach: visit the page for tenantA
OperationRun::create([
'tenant_id' => $tenantA->id,
'type' => 'tenantA.run',
'status' => 'queued',
'outcome' => 'pending',
'initiator_name' => 'System',
'run_identity_hash' => 'hashA',
]);
OperationRun::create([
'tenant_id' => $tenantB->id,
'type' => 'tenantB.run',
'status' => 'queued',
'outcome' => 'pending',
'initiator_name' => 'System',
'run_identity_hash' => 'hashB',
]);
// Livewire::test needs to know the tenant if the component relies on it.
// However, the component relies on `Filament::getTenant()`.
// The cleanest way is to just GET the page URL, which runs middleware.
$this->get(OperationRunResource::getUrl('index', tenant: $tenantA))
->assertSee('tenantA.run')
->assertDontSee('tenantB.run');
});
it('allows readonly users to view operations list and detail', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create();
$tenant->users()->attach($user, ['role' => 'readonly']);
$run = OperationRun::create([
'tenant_id' => $tenant->id,
'type' => 'test.run',
'status' => 'queued',
'outcome' => 'pending',
'initiator_name' => 'System',
'run_identity_hash' => 'hash123',
]);
$this->actingAs($user)
->get(OperationRunResource::getUrl('index', tenant: $tenant))
->assertSuccessful()
->assertSee('test.run');
$this->actingAs($user)
->get(OperationRunResource::getUrl('view', ['record' => $run], tenant: $tenant))
->assertSuccessful()
->assertSee('test.run');
});
it('denies access to unauthorized users', function () {
$tenant = Tenant::factory()->create();
$user = User::factory()->create();
// Not attached to tenant
// In a multitenant app, if you try to access a tenant route you are not part of,
// Filament typically returns 404 (Not Found) if it can't find the tenant-user relationship, or 403.
// The previous fail said "Received 404". This confirms Filament couldn't find the tenant for this user scope or just hides it.
// We should accept 404 or 403.
$response = $this->actingAs($user)
->get(OperationRunResource::getUrl('index', tenant: $tenant));
// Allow either 403 or 404 as "Denied"
$this->assertTrue(in_array($response->status(), [403, 404]));
});
Reference in New Issue View Git Blame Copy Permalink