TenantAtlas/apps/platform/tests/Feature/TenantConfiguration/Spec423SecurityComplianceCoverageAuthorizationTest.php

<?php
declare(strict_types=1);
use App\Filament\Pages\TenantConfiguration\CoverageV2Readiness;
use App\Models\ManagedEnvironment;
use App\Models\User;
use App\Models\WorkspaceMembership;
use App\Services\Auth\ManagedEnvironmentAccessDecision;
use App\Services\Auth\ManagedEnvironmentAccessScopeResolver;
use Filament\Facades\Filament;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;
// Spec 423: a user with no relation to the tenant must not learn that the
// Coverage v2 readiness page exists for it — the response is 404, not 403.
it('Spec423 keeps Coverage v2 readiness access deny-as-not-found for non-members', function (): void {
    // The tenant owner is not needed here; only the environment is.
    [, $environment] = createUserWithTenant(role: 'owner');
    $nonMember = User::factory()->create();

    $response = $this
        ->actingAs($nonMember)
        ->get(CoverageV2Readiness::getUrl(tenant: $environment));

    $response->assertNotFound();
});
// Spec 423: workspace membership plus membership of a *different* managed
// environment in the same workspace must not grant access to this one, and the
// denial must look identical to the non-member case (404, not 403) so the page
// does not confirm the environment exists.
it('Spec423 keeps Coverage v2 readiness access deny-as-not-found for wrong managed environment scope', function (): void {
    [, $environment] = createUserWithTenant(role: 'owner');
    $workspaceId = (int) $environment->workspace_id;

    // A sibling environment in the same workspace that the user IS scoped to.
    $siblingEnvironment = ManagedEnvironment::factory()->create(['workspace_id' => $workspaceId]);
    $crossScopeUser = User::factory()->create();
    $crossScopeUserId = (int) $crossScopeUser->getKey();

    WorkspaceMembership::factory()->create([
        'workspace_id' => $workspaceId,
        'user_id' => $crossScopeUserId,
        'role' => 'owner',
    ]);

    // Scope row written directly: the explicit environment grant points at the
    // sibling environment only, never at $environment.
    // NOTE(review): there is no positive control that $crossScopeUser can open
    // the sibling environment's page; without one, a 404 here would also pass
    // if the scope row were simply ignored — consider adding it.
    DB::table('managed_environment_memberships')->insert([
        'id' => (string) Str::uuid(),
        'managed_environment_id' => (int) $siblingEnvironment->getKey(),
        'user_id' => $crossScopeUserId,
        'role' => 'owner',
        'source' => 'manual',
        'created_at' => now(),
        'updated_at' => now(),
    ]);

    $this->actingAs($crossScopeUser);
    // NOTE(review): the target tenant is forced as current before the request,
    // so the 404 below is produced by the app's own scope check rather than by
    // Filament's tenant resolution — confirm that is the intended layer under test.
    $environment->makeCurrent();
    Filament::setTenant($environment, true);

    $this->get(CoverageV2Readiness::getUrl(tenant: $environment))
        ->assertNotFound();
});
// Spec 423: a user who passes the workspace and managed-environment boundaries
// but lacks the required capability gets 403 (the resource may be acknowledged
// to exist), unlike the out-of-scope cases, which get 404.
it('Spec423 keeps Coverage v2 readiness access forbidden for in-scope members missing capability', function (): void {
    [$member, $tenant] = createUserWithTenant(role: 'owner');

    $this->actingAs($member);
    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    // Container stub: every access decision passes the scope boundaries and
    // fails only on 'capability', carrying the 403 status the page is expected
    // to surface unchanged.
    // NOTE(review): this stub neither extends nor implements
    // ManagedEnvironmentAccessScopeResolver; if any consumer type-hints the
    // concrete class, resolution would raise a TypeError rather than yield
    // 403 — confirm how the page obtains the resolver.
    $capabilityDenyingResolver = new class
    {
        public function decision(User $user, ManagedEnvironment $environment, ?string $requiredCapability = null): ManagedEnvironmentAccessDecision
        {
            $decision = new ManagedEnvironmentAccessDecision(
                workspaceId: (int) $environment->workspace_id,
                managedEnvironmentId: (int) $environment->getKey(),
                userId: (int) $user->getKey(),
                workspaceMember: true,
                workspaceRole: 'owner',
                explicitScopeRowsPresent: false,
                managedEnvironmentAllowed: true,
                failedBoundary: 'capability',
                requiredCapability: $requiredCapability,
                capabilityAllowed: false,
                denialHttpStatus: 403,
            );

            return $decision;
        }
    };
    app()->instance(ManagedEnvironmentAccessScopeResolver::class, $capabilityDenyingResolver);

    try {
        $this->get(CoverageV2Readiness::getUrl(tenant: $tenant))
            ->assertForbidden();
    } finally {
        // Drop the stub even when the assertion fails, so later tests see the real resolver.
        app()->forgetInstance(ManagedEnvironmentAccessScopeResolver::class);
    }
});