Spec 423 security compliance readiness pack implementation. Head commit: c49acba7.
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #490
<?php
declare(strict_types=1);
use App\Filament\Pages\TenantConfiguration\CoverageV2Readiness;
use App\Models\ManagedEnvironment;
use App\Models\User;
use App\Models\WorkspaceMembership;
use App\Services\Auth\ManagedEnvironmentAccessDecision;
use App\Services\Auth\ManagedEnvironmentAccessScopeResolver;
use Filament\Facades\Filament;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;
it('Spec423 keeps Coverage v2 readiness access deny-as-not-found for non-members', function (): void {
    // Arrange: a tenant with an owner, plus a user holding no membership anywhere.
    [, $environment] = createUserWithTenant(role: 'owner');
    $nonMember = User::factory()->create();

    // Act + Assert: a non-member must receive 404 rather than 403, so the
    // response does not confirm that the environment exists.
    $response = $this->actingAs($nonMember)
        ->get(CoverageV2Readiness::getUrl(tenant: $environment));

    $response->assertNotFound();
});
it('Spec423 keeps Coverage v2 readiness access deny-as-not-found for wrong managed environment scope', function (): void {
    // Arrange: two managed environments in the same workspace. The user is a
    // workspace owner, but their explicit environment-scope row points only at
    // the sibling environment, never at the one being requested.
    [, $environment] = createUserWithTenant(role: 'owner');
    $workspaceId = (int) $environment->workspace_id;
    $siblingEnvironment = ManagedEnvironment::factory()->create(['workspace_id' => $workspaceId]);
    $scopedUser = User::factory()->create();
    $scopedUserId = (int) $scopedUser->getKey();

    WorkspaceMembership::factory()->create([
        'workspace_id' => $workspaceId,
        'user_id' => $scopedUserId,
        'role' => 'owner',
    ]);

    // The scope row is written straight to the table (no model), attaching the
    // user to the sibling environment only.
    DB::table('managed_environment_memberships')->insert([
        'id' => (string) Str::uuid(),
        'managed_environment_id' => (int) $siblingEnvironment->getKey(),
        'user_id' => $scopedUserId,
        'role' => 'owner',
        'source' => 'manual',
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    // Act: authenticate and select the *requested* environment as current tenant.
    $this->actingAs($scopedUser);
    $environment->makeCurrent();
    Filament::setTenant($environment, true);

    // Assert: a scope mismatch is reported exactly like a non-member (404),
    // so workspace membership alone does not reveal the environment.
    $response = $this->get(CoverageV2Readiness::getUrl(tenant: $environment));
    $response->assertNotFound();
});
it('Spec423 keeps Coverage v2 readiness access forbidden for in-scope members missing capability', function (): void {
    // Arrange: an in-scope member (owner of the tenant) whose capability check
    // will be forced to fail by a fake resolver.
    [$member, $environment] = createUserWithTenant(role: 'owner');

    $this->actingAs($member);
    $environment->makeCurrent();
    Filament::setTenant($environment, true);

    // The fake decision passes the workspace and environment boundaries and
    // fails only on the capability boundary with a 403 status. It echoes back
    // whatever capability it is asked for and denies it unconditionally, so
    // this test pins the 403 mapping, not which capability the page requests.
    $capabilityDenyingResolver = new class
    {
        public function decision(User $user, ManagedEnvironment $environment, ?string $requiredCapability = null): ManagedEnvironmentAccessDecision
        {
            $decision = new ManagedEnvironmentAccessDecision(
                workspaceId: (int) $environment->workspace_id,
                managedEnvironmentId: (int) $environment->getKey(),
                userId: (int) $user->getKey(),
                workspaceMember: true,
                workspaceRole: 'owner',
                explicitScopeRowsPresent: false,
                managedEnvironmentAllowed: true,
                failedBoundary: 'capability',
                requiredCapability: $requiredCapability,
                capabilityAllowed: false,
                denialHttpStatus: 403,
            );

            return $decision;
        }
    };
    app()->instance(ManagedEnvironmentAccessScopeResolver::class, $capabilityDenyingResolver);

    // Remove the container override even if the assertion throws, so later
    // tests resolve the real resolver again.
    try {
        $response = $this->get(CoverageV2Readiness::getUrl(tenant: $environment));
        $response->assertForbidden();
    } finally {
        app()->forgetInstance(ManagedEnvironmentAccessScopeResolver::class);
    }
});