ahmido
c7b38606a9
Implements platform feature branch `285-workspace-rbac-environment-access`. Summary: - switch managed environment authorization to workspace-first role resolution with explicit environment-scope narrowing - rewire Filament pages, resources, policies, and user tenant access helpers to the shared access-scope resolver - add Spec 285 coverage across unit, feature, and browser tests plus full spec artifacts Validation: - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Auth/WorkspaceFirstCapabilityResolverTest.php tests/Unit/Auth/ManagedEnvironmentAccessScopeResolverTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Filament/WorkspaceMembershipRoleManagementTest.php tests/Feature/Rbac/GovernanceArtifactsWorkspaceFirstAuthorizationTest.php tests/Feature/Rbac/OperationRunWorkspaceFirstAuthorizationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Verification/ProviderExecutionReauthorizationTest.php tests/Feature/ProviderConnections/ProviderConnectionHealthCheckStartSurfaceTest.php tests/Feature/Tenants/TenantProviderBackedActionStartTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Audit/TenantMembershipAuditLogTest.php tests/Feature/Filament/TenantMembersTest.php tests/Feature/TenantRBAC/TenantMembershipCrudTest.php tests/Feature/TenantRBAC/TenantSwitcherScopeTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php` - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` Target branch: `platform-dev`. Follow-up integration path after merge: - `platform-dev` -> `dev`. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #344
239 lines
9.4 KiB
PHP
239 lines
9.4 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Filament\Resources\FindingExceptionResource\Pages;
|
|
|
|
use App\Filament\Resources\FindingExceptionResource;
|
|
use App\Models\FindingException;
|
|
use App\Models\ManagedEnvironment;
|
|
use App\Models\User;
|
|
use App\Services\Auth\ManagedEnvironmentAccessScopeResolver;
|
|
use App\Services\Findings\FindingExceptionService;
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\Navigation\CanonicalNavigationContext;
|
|
use App\Support\Ui\GovernanceActions\GovernanceActionCatalog;
|
|
use Filament\Actions\Action;
|
|
use Filament\Forms\Components\DateTimePicker;
|
|
use Filament\Forms\Components\Repeater;
|
|
use Filament\Forms\Components\Select;
|
|
use Filament\Forms\Components\Textarea;
|
|
use Filament\Forms\Components\TextInput;
|
|
use Filament\Notifications\Notification;
|
|
use Filament\Resources\Pages\ViewRecord;
|
|
use Illuminate\Database\Eloquent\Builder;
|
|
use Illuminate\Database\Eloquent\Model;
|
|
use InvalidArgumentException;
|
|
|
|
class ViewFindingException extends ViewRecord
|
|
{
|
|
protected static string $resource = FindingExceptionResource::class;
|
|
|
|
protected function resolveRecord(int|string $key): Model
|
|
{
|
|
return FindingExceptionResource::resolveScopedRecordOrFail($key);
|
|
}
|
|
|
|
protected function getHeaderActions(): array
|
|
{
|
|
$renewRule = GovernanceActionCatalog::rule('renew_exception');
|
|
$revokeRule = GovernanceActionCatalog::rule('revoke_exception');
|
|
|
|
$actions = [];
|
|
$navigationContext = $this->navigationContext();
|
|
|
|
if ($navigationContext?->backLinkLabel !== null && $navigationContext->backLinkUrl !== null) {
|
|
$actions[] = Action::make('return_to_decision_register')
|
|
->label($navigationContext->backLinkLabel)
|
|
->icon('heroicon-o-arrow-left')
|
|
->color('gray')
|
|
->url($navigationContext->backLinkUrl);
|
|
}
|
|
|
|
return array_merge($actions, [
|
|
Action::make('renew_exception')
|
|
->label($renewRule->canonicalLabel)
|
|
->icon('heroicon-o-arrow-path')
|
|
->color('primary')
|
|
->visible(fn (): bool => $this->canManageRecord() && $this->getRecord() instanceof FindingException && $this->getRecord()->canBeRenewed())
|
|
->fillForm(fn (): array => [
|
|
'owner_user_id' => $this->getRecord() instanceof FindingException ? $this->getRecord()->owner_user_id : null,
|
|
])
|
|
->requiresConfirmation()
|
|
->modalHeading($renewRule->modalHeading)
|
|
->modalDescription($renewRule->modalDescription)
|
|
->form([
|
|
Select::make('owner_user_id')
|
|
->label('Owner')
|
|
->required()
|
|
->options(fn (): array => FindingExceptionResource::canViewAny() ? $this->tenantMemberOptions() : [])
|
|
->searchable(),
|
|
Textarea::make('request_reason')
|
|
->label('Renewal reason')
|
|
->rows(4)
|
|
->required()
|
|
->maxLength(2000),
|
|
DateTimePicker::make('review_due_at')
|
|
->label('Review due at')
|
|
->required()
|
|
->seconds(false),
|
|
DateTimePicker::make('expires_at')
|
|
->label('Requested expiry')
|
|
->seconds(false),
|
|
Repeater::make('evidence_references')
|
|
->label('Evidence references')
|
|
->schema([
|
|
TextInput::make('label')
|
|
->label('Label')
|
|
->required()
|
|
->maxLength(255),
|
|
TextInput::make('source_type')
|
|
->label('Source type')
|
|
->required()
|
|
->maxLength(255),
|
|
TextInput::make('source_id')
|
|
->label('Source ID')
|
|
->maxLength(255),
|
|
TextInput::make('source_fingerprint')
|
|
->label('Fingerprint')
|
|
->maxLength(255),
|
|
DateTimePicker::make('measured_at')
|
|
->label('Measured at')
|
|
->seconds(false),
|
|
])
|
|
->defaultItems(0)
|
|
->collapsed(),
|
|
])
|
|
->action(function (array $data, FindingExceptionService $service) use ($renewRule): void {
|
|
$record = $this->getRecord();
|
|
$user = auth()->user();
|
|
|
|
if (! $record instanceof FindingException || ! $user instanceof User) {
|
|
abort(404);
|
|
}
|
|
|
|
try {
|
|
$service->renew($record, $user, $data);
|
|
} catch (InvalidArgumentException $exception) {
|
|
Notification::make()
|
|
->title('Renewal request failed')
|
|
->body($exception->getMessage())
|
|
->danger()
|
|
->send();
|
|
|
|
return;
|
|
}
|
|
|
|
Notification::make()
|
|
->title($renewRule->successTitle)
|
|
->success()
|
|
->send();
|
|
|
|
$this->refreshFormData(['status', 'current_validity_state', 'review_due_at']);
|
|
}),
|
|
Action::make('revoke_exception')
|
|
->label($revokeRule->canonicalLabel)
|
|
->icon('heroicon-o-no-symbol')
|
|
->color('danger')
|
|
->visible(fn (): bool => $this->canManageRecord() && $this->getRecord() instanceof FindingException && $this->getRecord()->canBeRevoked())
|
|
->requiresConfirmation()
|
|
->modalHeading($revokeRule->modalHeading)
|
|
->modalDescription($revokeRule->modalDescription)
|
|
->form([
|
|
Textarea::make('revocation_reason')
|
|
->label('Revocation reason')
|
|
->rows(4)
|
|
->required()
|
|
->maxLength(2000),
|
|
])
|
|
->action(function (array $data, FindingExceptionService $service) use ($revokeRule): void {
|
|
$record = $this->getRecord();
|
|
$user = auth()->user();
|
|
|
|
if (! $record instanceof FindingException || ! $user instanceof User) {
|
|
abort(404);
|
|
}
|
|
|
|
try {
|
|
$service->revoke($record, $user, $data);
|
|
} catch (InvalidArgumentException $exception) {
|
|
Notification::make()
|
|
->title('Exception revocation failed')
|
|
->body($exception->getMessage())
|
|
->danger()
|
|
->send();
|
|
|
|
return;
|
|
}
|
|
|
|
Notification::make()
|
|
->title($revokeRule->successTitle)
|
|
->success()
|
|
->send();
|
|
|
|
$this->refreshFormData(['status', 'current_validity_state', 'revocation_reason', 'revoked_at']);
|
|
}),
|
|
]);
|
|
}
|
|
|
|
public function getSubheading(): ?string
|
|
{
|
|
$navigationContext = $this->navigationContext();
|
|
|
|
if ($navigationContext?->sourceSurface === 'governance.decision_register') {
|
|
return 'Opened from the workspace decision register. Use the back action to return to the same register scope.';
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* @return array<int, string>
|
|
*/
|
|
private function tenantMemberOptions(): array
|
|
{
|
|
$record = $this->getRecord();
|
|
|
|
if (! $record instanceof FindingException) {
|
|
return [];
|
|
}
|
|
|
|
$tenant = $record->tenant;
|
|
|
|
if (! $tenant instanceof ManagedEnvironment) {
|
|
return [];
|
|
}
|
|
|
|
/** @var ManagedEnvironmentAccessScopeResolver $scopeResolver */
|
|
$scopeResolver = app(ManagedEnvironmentAccessScopeResolver::class);
|
|
|
|
return User::query()
|
|
->whereHas('workspaceMemberships', fn (Builder $query): Builder => $query->where('workspace_id', (int) $tenant->workspace_id))
|
|
->orderBy('name')
|
|
->orderBy('email')
|
|
->get(['id', 'name', 'email'])
|
|
->filter(fn (User $user): bool => $scopeResolver->canAccess($user, $tenant))
|
|
->mapWithKeys(fn (User $user): array => [
|
|
(int) $user->id => trim((string) ($user->name ?: $user->email)),
|
|
])
|
|
->all();
|
|
}
|
|
|
|
private function canManageRecord(): bool
|
|
{
|
|
$record = $this->getRecord();
|
|
$user = auth()->user();
|
|
|
|
return $record instanceof FindingException
|
|
&& $record->tenant instanceof ManagedEnvironment
|
|
&& $user instanceof User
|
|
&& $user->canAccessTenant($record->tenant)
|
|
&& $user->can(Capabilities::FINDING_EXCEPTION_MANAGE, $record->tenant);
|
|
}
|
|
|
|
private function navigationContext(): ?CanonicalNavigationContext
|
|
{
|
|
return CanonicalNavigationContext::fromRequest(request());
|
|
}
|
|
}
|