TenantAtlas/apps/platform/tests/Unit/Policies/ProviderConnectionPolicyDedicatedTest.php

<?php

declare(strict_types=1);

use App\Models\ProviderConnection;
use App\Models\ManagedEnvironment;
use App\Models\User;
use App\Models\WorkspaceMembership;
use App\Policies\ProviderConnectionPolicy;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Auth\Access\Response;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('allows tenant owners to manage dedicated overrides for accessible provider connections', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner', ensureDefaultMicrosoftProviderConnection: false);

    $connection = ProviderConnection::factory()->platform()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'managed_environment_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);

    $result = app(ProviderConnectionPolicy::class)->manageDedicated($user, $connection);

    expect($result)->toBeTrue();
});

it('forbids tenant managers from dedicated override actions while still allowing standard updates', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'manager', ensureDefaultMicrosoftProviderConnection: false);

    $connection = ProviderConnection::factory()->platform()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'managed_environment_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);

    $policy = app(ProviderConnectionPolicy::class);

    expect($policy->update($user, $connection))->toBeTrue();

    $result = $policy->manageDedicated($user, $connection);

    expect($result)->toBeFalse();
});

it('returns not found for non-members on dedicated override authorization checks', function (): void {
    $tenant = ManagedEnvironment::factory()->create();
    $user = User::factory()->create();

    $connection = ProviderConnection::factory()->platform()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'managed_environment_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);

    $result = app(ProviderConnectionPolicy::class)->manageDedicated($user, $connection);

    expect($result)->toBeInstanceOf(Response::class)
        ->and($result->allowed())->toBeFalse()
        ->and($result->status())->toBe(404);
});

it('returns not found when the provider connection is outside the active workspace', function (): void {
    [$user, $tenantA] = createUserWithTenant(role: 'owner', ensureDefaultMicrosoftProviderConnection: false);

    $tenantB = ManagedEnvironment::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $tenantB->workspace_id,
        'user_id' => (int) $user->getKey(),
        'role' => 'owner',
    ]);

    $user->tenants()->syncWithoutDetaching([
        (int) $tenantB->getKey() => ['role' => 'owner'],
    ]);

    $connection = ProviderConnection::factory()->platform()->create([
        'workspace_id' => (int) $tenantB->workspace_id,
        'managed_environment_id' => (int) $tenantB->getKey(),
        'provider' => 'microsoft',
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);

    $result = app(ProviderConnectionPolicy::class)->manageDedicated($user, $connection);

    expect($result)->toBeInstanceOf(Response::class)
        ->and($result->allowed())->toBeFalse()
        ->and($result->status())->toBe(404);
});