ahmido
c86b399b43
Some checks failed
Main Confidence / confidence (push) Failing after 53s
## Summary This PR delivers three related improvements: ### 1. Finding Ownership Semantics (Spec 219) - Add responsibility/accountability labels to findings and finding exceptions - `owner_user_id` = accountable party (governance owner) - `assignee_user_id` = responsible party (technical implementer) - Expose Assign/Reassign actions in FindingResource with audit logging - Add ownership columns and filters to finding list - Propagate owner from finding to exception on creation - Tests: ownership semantics, assignment audit, workflow actions ### 2. Constitution v2.7.0 — LEAN-001 Pre-Production Lean Doctrine - New principle forbidding legacy aliases, migration shims, dual-write logic, and compatibility fixtures in a pre-production codebase - AI-agent 4-question verification gate before adding any compatibility path - Review rule: compatibility shims without answering the gate questions = merge blocker - Exit condition: LEAN-001 expires at first production deployment - Spec template: added default "Compatibility posture" block - Agent instructions: added "Pre-production compatibility check" section ### 3. Backup Set Operation Type Unification - Unified `backup_set.add_policies` and `backup_set.remove_policies` into single canonical `backup_set.update` - Removed all legacy aliases, constants, and test fixtures - Added lifecycle coverage for `backup_set.update` in config - Updated all 14+ test files referencing legacy types ### Spec Artifacts - `specs/219-finding-ownership-semantics/` — full spec, plan, tasks, research, data model, contracts, checklist ### Tests - All affected tests pass (OperationCatalog, backup set, finding workflow, ownership semantics) Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #256
255 lines
9.5 KiB
PHP
255 lines
9.5 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Resources\FindingResource\Pages\ListFindings;
|
|
use App\Models\Finding;
|
|
use App\Models\FindingException;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Filament\Facades\Filament;
|
|
use Filament\Forms\Components\Field;
|
|
use Filament\Forms\Components\Select;
|
|
use Filament\Schemas\Components\Text;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Livewire\Livewire;
|
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('supports triage start resolve and reopen via row actions', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'manager');
|
|
$this->actingAs($user);
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$finding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_NEW,
|
|
]);
|
|
|
|
$component = Livewire::test(ListFindings::class);
|
|
|
|
$component
|
|
->callTableAction('triage', $finding)
|
|
->assertHasNoTableActionErrors();
|
|
|
|
$finding->refresh();
|
|
expect($finding->status)->toBe(Finding::STATUS_TRIAGED)
|
|
->and($finding->triaged_at)->not->toBeNull();
|
|
|
|
$component
|
|
->callTableAction('start_progress', $finding)
|
|
->assertHasNoTableActionErrors();
|
|
|
|
$finding->refresh();
|
|
expect($finding->status)->toBe(Finding::STATUS_IN_PROGRESS)
|
|
->and($finding->in_progress_at)->not->toBeNull();
|
|
|
|
$component
|
|
->callTableAction('resolve', $finding, [
|
|
'resolved_reason' => 'patched',
|
|
])
|
|
->assertHasNoTableActionErrors();
|
|
|
|
$finding->refresh();
|
|
expect($finding->status)->toBe(Finding::STATUS_RESOLVED)
|
|
->and($finding->resolved_reason)->toBe('patched')
|
|
->and($finding->resolved_at)->not->toBeNull();
|
|
|
|
$component
|
|
->filterTable('open', false)
|
|
->callTableAction('reopen', $finding, [
|
|
'reopen_reason' => 'The issue recurred in a later scan.',
|
|
])
|
|
->assertHasNoTableActionErrors();
|
|
|
|
$finding->refresh();
|
|
expect($finding->status)->toBe(Finding::STATUS_REOPENED)
|
|
->and($finding->reopened_at)->not->toBeNull()
|
|
->and($finding->due_at)->not->toBeNull();
|
|
});
|
|
|
|
it('supports close and request exception via row actions', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
$this->actingAs($user);
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$closeFinding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_NEW,
|
|
]);
|
|
|
|
$exceptionFinding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_NEW,
|
|
]);
|
|
|
|
$component = Livewire::test(ListFindings::class);
|
|
|
|
$component
|
|
->callTableAction('close', $closeFinding, [
|
|
'closed_reason' => 'duplicate ticket',
|
|
])
|
|
->assertHasNoTableActionErrors();
|
|
|
|
$component
|
|
->callTableAction('request_exception', $exceptionFinding, [
|
|
'owner_user_id' => (int) $user->getKey(),
|
|
'request_reason' => 'accepted by security',
|
|
'review_due_at' => now()->addDays(14)->toDateTimeString(),
|
|
'expires_at' => now()->addDays(30)->toDateTimeString(),
|
|
])
|
|
->assertHasNoTableActionErrors();
|
|
|
|
expect($closeFinding->refresh()->status)->toBe(Finding::STATUS_CLOSED)
|
|
->and($closeFinding->closed_reason)->toBe('duplicate ticket');
|
|
|
|
$exception = FindingException::query()
|
|
->where('finding_id', (int) $exceptionFinding->getKey())
|
|
->first();
|
|
|
|
expect($exception)->toBeInstanceOf(FindingException::class)
|
|
->and($exception?->status)->toBe(FindingException::STATUS_PENDING)
|
|
->and($exception?->request_reason)->toBe('accepted by security');
|
|
});
|
|
|
|
it('keeps unchanged roles intact and exposes explicit assignment help text on row actions', function (): void {
|
|
[$manager, $tenant] = createUserWithTenant(role: 'manager');
|
|
$this->actingAs($manager);
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$initialOwner = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $initialOwner, role: 'manager');
|
|
|
|
$initialAssignee = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $initialAssignee, role: 'operator');
|
|
|
|
$replacementOwner = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $replacementOwner, role: 'manager');
|
|
|
|
$replacementAssignee = User::factory()->create();
|
|
createUserWithTenant(tenant: $tenant, user: $replacementAssignee, role: 'operator');
|
|
|
|
$outsider = User::factory()->create();
|
|
|
|
$finding = Finding::factory()->for($tenant)->create([
|
|
'status' => Finding::STATUS_NEW,
|
|
'owner_user_id' => (int) $initialOwner->getKey(),
|
|
'assignee_user_id' => (int) $initialAssignee->getKey(),
|
|
]);
|
|
|
|
$component = Livewire::test(ListFindings::class)
|
|
->mountTableAction('assign', $finding)
|
|
->assertFormFieldExists('owner_user_id', function (Select $field): bool {
|
|
$helperText = collect($field->getChildSchema(Field::BELOW_CONTENT_SCHEMA_KEY)?->getComponents() ?? [])
|
|
->filter(fn (mixed $component): bool => $component instanceof Text)
|
|
->map(fn (Text $component): string => (string) $component->getContent())
|
|
->implode(' ');
|
|
|
|
return $field->getLabel() === 'Accountable owner'
|
|
&& str_contains($helperText, 'accountable for ensuring the finding reaches a governed outcome');
|
|
})
|
|
->assertFormFieldExists('assignee_user_id', function (Select $field): bool {
|
|
$helperText = collect($field->getChildSchema(Field::BELOW_CONTENT_SCHEMA_KEY)?->getComponents() ?? [])
|
|
->filter(fn (mixed $component): bool => $component instanceof Text)
|
|
->map(fn (Text $component): string => (string) $component->getContent())
|
|
->implode(' ');
|
|
|
|
return $field->getLabel() === 'Active assignee'
|
|
&& str_contains($helperText, 'currently expected to perform or coordinate the remediation work');
|
|
});
|
|
|
|
$component
|
|
->callTableAction('assign', $finding, [
|
|
'assignee_user_id' => (int) $replacementAssignee->getKey(),
|
|
'owner_user_id' => (int) $initialOwner->getKey(),
|
|
])
|
|
->assertHasNoTableActionErrors();
|
|
|
|
$finding->refresh();
|
|
expect((int) $finding->assignee_user_id)->toBe((int) $replacementAssignee->getKey())
|
|
->and((int) $finding->owner_user_id)->toBe((int) $initialOwner->getKey());
|
|
|
|
$component
|
|
->callTableAction('assign', $finding, [
|
|
'assignee_user_id' => (int) $replacementAssignee->getKey(),
|
|
'owner_user_id' => (int) $replacementOwner->getKey(),
|
|
])
|
|
->assertHasNoTableActionErrors();
|
|
|
|
$finding->refresh();
|
|
expect((int) $finding->assignee_user_id)->toBe((int) $replacementAssignee->getKey())
|
|
->and((int) $finding->owner_user_id)->toBe((int) $replacementOwner->getKey());
|
|
|
|
$component
|
|
->callTableAction('assign', $finding, [
|
|
'assignee_user_id' => (int) $outsider->getKey(),
|
|
'owner_user_id' => (int) $replacementOwner->getKey(),
|
|
]);
|
|
|
|
$finding->refresh();
|
|
expect((int) $finding->assignee_user_id)->toBe((int) $replacementAssignee->getKey())
|
|
->and((int) $finding->owner_user_id)->toBe((int) $replacementOwner->getKey());
|
|
});
|
|
|
|
it('returns 404 when a forged foreign-tenant assign row action is mounted', function (): void {
|
|
$tenantA = Tenant::factory()->create();
|
|
[$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner');
|
|
|
|
$tenantB = Tenant::factory()->create([
|
|
'workspace_id' => (int) $tenantA->workspace_id,
|
|
]);
|
|
|
|
createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner');
|
|
|
|
$foreignFinding = Finding::factory()->for($tenantB)->create([
|
|
'status' => Finding::STATUS_NEW,
|
|
]);
|
|
|
|
$this->actingAs($user);
|
|
Filament::setCurrentPanel('admin');
|
|
Filament::setTenant(null, true);
|
|
Filament::bootCurrentPanel();
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);
|
|
session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [
|
|
(string) $tenantA->workspace_id => (int) $tenantA->getKey(),
|
|
]);
|
|
|
|
$component = Livewire::actingAs($user)->test(ListFindings::class);
|
|
|
|
expect(fn () => $component->instance()->mountTableAction('assign', (string) $foreignFinding->getKey()))
|
|
->toThrow(NotFoundHttpException::class);
|
|
});
|
|
|
|
it('keeps the admin workflow surface scoped to the canonical tenant', function (): void {
|
|
$tenantA = Tenant::factory()->create();
|
|
[$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner');
|
|
|
|
$tenantB = Tenant::factory()->create([
|
|
'workspace_id' => (int) $tenantA->workspace_id,
|
|
]);
|
|
|
|
createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner');
|
|
|
|
$visibleFinding = Finding::factory()->for($tenantA)->create([
|
|
'status' => Finding::STATUS_NEW,
|
|
]);
|
|
|
|
$hiddenFinding = Finding::factory()->for($tenantB)->create([
|
|
'status' => Finding::STATUS_NEW,
|
|
]);
|
|
|
|
$this->actingAs($user);
|
|
Filament::setCurrentPanel('admin');
|
|
Filament::setTenant(null, true);
|
|
Filament::bootCurrentPanel();
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);
|
|
session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [
|
|
(string) $tenantA->workspace_id => (int) $tenantA->getKey(),
|
|
]);
|
|
|
|
Livewire::actingAs($user)->test(ListFindings::class)
|
|
->assertCanSeeTableRecords([$visibleFinding])
|
|
->assertCanNotSeeTableRecords([$hiddenFinding]);
|
|
});
|