Implements platform feature branch `285-workspace-rbac-environment-access`. Summary: - switch managed environment authorization to workspace-first role resolution with explicit environment-scope narrowing - rewire Filament pages, resources, policies, and user tenant access helpers to the shared access-scope resolver - add Spec 285 coverage across unit, feature, and browser tests plus full spec artifacts Validation: - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Unit/Auth/WorkspaceFirstCapabilityResolverTest.php tests/Unit/Auth/ManagedEnvironmentAccessScopeResolverTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Filament/ManagedEnvironmentAccessScopeManagementTest.php tests/Feature/Filament/WorkspaceMembershipRoleManagementTest.php tests/Feature/Rbac/GovernanceArtifactsWorkspaceFirstAuthorizationTest.php tests/Feature/Rbac/OperationRunWorkspaceFirstAuthorizationTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Verification/ProviderExecutionReauthorizationTest.php tests/Feature/ProviderConnections/ProviderConnectionHealthCheckStartSurfaceTest.php tests/Feature/Tenants/TenantProviderBackedActionStartTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Audit/TenantMembershipAuditLogTest.php tests/Feature/Filament/TenantMembersTest.php tests/Feature/TenantRBAC/TenantMembershipCrudTest.php tests/Feature/TenantRBAC/TenantSwitcherScopeTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php` - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` Target branch: `platform-dev`. Follow-up integration path after merge: - `platform-dev` -> `dev`. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #344
<?php
namespace App\Services\Auth;
use App\Support\Auth\Capabilities;
use App\Support\Auth\WorkspaceRole;
/**
 * Workspace Role to Capability Mapping (Single Source of Truth)
 *
 * This class defines which capabilities each workspace role has.
 * All capability strings MUST be references to constants in the Capabilities registry.
 */
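class WorkspaceRoleCapabilityMap
{
    /**
     * Capabilities granted by each workspace role, keyed by WorkspaceRole value.
     *
     * This array is the only place a workspace role is granted a capability.
     * Do not add grants in getCapabilities() or anywhere else: a privilege
     * review must be able to read this one array and see everything a role
     * may do. The Manager grant of TENANT_MEMBERSHIP_MANAGE used to be
     * appended ad hoc in getCapabilities(); it now lives here with the rest.
     *
     * @var array<string, array<int, string>>
     */
    private static array $roleCapabilities = [
        WorkspaceRole::Owner->value => [
            Capabilities::WORKSPACE_VIEW,
            Capabilities::WORKSPACE_MANAGE,
            Capabilities::WORKSPACE_ARCHIVE,
            Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
            Capabilities::WORKSPACE_MEMBERSHIP_MANAGE,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_IDENTIFY,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CANCEL,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE_DEDICATED,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE,
            Capabilities::WORKSPACE_SETTINGS_VIEW,
            Capabilities::WORKSPACE_SETTINGS_MANAGE,
            Capabilities::ALERTS_VIEW,
            Capabilities::ALERTS_MANAGE,
            Capabilities::WORKSPACE_BASELINES_VIEW,
            Capabilities::WORKSPACE_BASELINES_MANAGE,
            Capabilities::AUDIT_VIEW,
            Capabilities::FINDING_EXCEPTION_APPROVE,
        ],

        WorkspaceRole::Manager->value => [
            Capabilities::WORKSPACE_VIEW,
            Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
            Capabilities::WORKSPACE_MEMBERSHIP_MANAGE,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_IDENTIFY,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CANCEL,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
            Capabilities::WORKSPACE_SETTINGS_VIEW,
            Capabilities::WORKSPACE_SETTINGS_MANAGE,
            Capabilities::ALERTS_VIEW,
            Capabilities::ALERTS_MANAGE,
            Capabilities::WORKSPACE_BASELINES_VIEW,
            Capabilities::WORKSPACE_BASELINES_MANAGE,
            Capabilities::AUDIT_VIEW,
            Capabilities::FINDING_EXCEPTION_APPROVE,
            // Managers administer tenant memberships; this is a workspace-role
            // grant like every other and is listed here so the map stays complete.
            Capabilities::TENANT_MEMBERSHIP_MANAGE,
        ],

        WorkspaceRole::Operator->value => [
            Capabilities::WORKSPACE_VIEW,
            Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
            Capabilities::WORKSPACE_SETTINGS_VIEW,
            Capabilities::ALERTS_VIEW,
            Capabilities::WORKSPACE_BASELINES_VIEW,
            Capabilities::AUDIT_VIEW,
        ],

        WorkspaceRole::Readonly->value => [
            Capabilities::WORKSPACE_VIEW,
            Capabilities::WORKSPACE_SETTINGS_VIEW,
            Capabilities::ALERTS_VIEW,
            Capabilities::WORKSPACE_BASELINES_VIEW,
            Capabilities::AUDIT_VIEW,
        ],
    ];

    /**
     * Resolve the effective capability list for a workspace role.
     *
     * The role's entries in this map are merged with whatever
     * RoleCapabilityMap::getCapabilities() returns for the same role value,
     * and duplicates are dropped (first occurrence wins, so map order is
     * preserved). A role value this map does not know contributes nothing
     * from here: the result is then only the RoleCapabilityMap lookup, which
     * is presumably empty for unknown values — confirm against that class.
     * No exception is thrown for unknown roles; callers that need strictness
     * should resolve the string through WorkspaceRole first.
     *
     * @param WorkspaceRole|string $role enum case or its backing value
     * @return list<string>
     */
    public static function getCapabilities(WorkspaceRole|string $role): array
    {
        $roleValue = $role instanceof WorkspaceRole ? $role->value : $role;

        // Unknown role values fall through to an empty grant from this map;
        // nothing here widens access beyond what the array above states.
        $capabilities = array_merge(
            self::$roleCapabilities[$roleValue] ?? [],
            RoleCapabilityMap::getCapabilities($roleValue),
        );

        return array_values(array_unique($capabilities));
    }

    /**
     * List the workspace role values whose effective capabilities include $capability.
     *
     * Only roles present in this map are considered, in map order. The check
     * goes through getCapabilities(), so grants merged from RoleCapabilityMap
     * count as well.
     *
     * @return list<string>
     */
    public static function rolesWithCapability(string $capability): array
    {
        return array_values(array_filter(
            array_keys(self::$roleCapabilities),
            static fn (string $role): bool => self::hasCapability($role, $capability),
        ));
    }

    /**
     * Whether the given workspace role's effective capabilities include $capability.
     *
     * Uses a strict string comparison; an unknown role yields false unless
     * RoleCapabilityMap grants the capability for that value.
     *
     * @param WorkspaceRole|string $role enum case or its backing value
     */
    public static function hasCapability(WorkspaceRole|string $role, string $capability): bool
    {
        return in_array($capability, self::getCapabilities($role), true);
    }
}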