TenantAtlas/apps/platform/app/Services/Providers/PlatformProviderIdentityResolver.php

<?php

namespace App\Services\Providers;

use App\Support\Providers\ProviderConnectionType;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Providers\TargetScope\ProviderConnectionTargetScopeDescriptor;
use App\Support\Providers\TargetScope\ProviderIdentityContextMetadata;

final class PlatformProviderIdentityResolver
{
    /**
     * @param  list<ProviderIdentityContextMetadata>  $providerContextDetails
     */
    public function resolve(
        string $targetScopeIdentifier,
        ?ProviderConnectionTargetScopeDescriptor $targetScope = null,
        array $providerContextDetails = [],
    ): ProviderIdentityResolution {
        $targetScopeIdentifier = trim($targetScopeIdentifier);
        $clientId = trim((string) config('graph.client_id'));
        $clientSecret = trim((string) config('graph.client_secret'));
        $authorityTenant = trim((string) config('graph.managed_environment_id', 'organizations'));
        $redirectUri = trim((string) route('admin.consent.callback'));

        if ($targetScopeIdentifier === '') {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Platform,
                credentialSource: 'platform_config',
                reasonCode: ProviderReasonCodes::ProviderConnectionInvalid,
                message: 'Provider connection is missing target tenant scope.',
                targetScope: $targetScope,
                providerContextDetails: $providerContextDetails,
            );
        }

        $targetScope ??= ProviderConnectionTargetScopeDescriptor::fromInput(
            provider: 'microsoft',
            scopeKind: ProviderConnectionTargetScopeDescriptor::SCOPE_KIND_TENANT,
            scopeIdentifier: $targetScopeIdentifier,
        );

        if ($clientId === '') {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Platform,
                credentialSource: 'platform_config',
                reasonCode: ProviderReasonCodes::PlatformIdentityMissing,
                message: 'Platform app identity is not configured.',
                targetScope: $targetScope,
                providerContextDetails: $providerContextDetails,
            );
        }

        if ($clientSecret === '' || $redirectUri === '') {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Platform,
                credentialSource: 'platform_config',
                reasonCode: ProviderReasonCodes::PlatformIdentityIncomplete,
                message: 'Platform app identity is incomplete.',
                targetScope: $targetScope,
                providerContextDetails: $providerContextDetails,
            );
        }

        return ProviderIdentityResolution::resolved(
            connectionType: ProviderConnectionType::Platform,
            targetScope: $targetScope,
            effectiveClientId: $clientId,
            credentialSource: 'platform_config',
            clientSecret: $clientSecret,
            authorityTenant: $authorityTenant !== '' ? $authorityTenant : 'organizations',
            redirectUri: $redirectUri,
            providerContextDetails: array_values(array_merge($providerContextDetails, array_filter([
                ProviderIdentityContextMetadata::authorityTenant($authorityTenant !== '' ? $authorityTenant : 'organizations'),
                ProviderIdentityContextMetadata::redirectUri($redirectUri),
            ]))),
        );
    }
}