TenantAtlas/tests/Feature/Filament/PolicyVersionTest.php

<?php

use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Models\Tenant;
use App\Models\User;
use App\Models\WorkspaceMembership;
use App\Services\Intune\VersionService;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

test('policy versions render with timeline data', function () {
    $tenant = Tenant::factory()->create();

    $policy = Policy::create([
        'tenant_id' => $tenant->id,
        'external_id' => 'policy-1',
        'policy_type' => 'deviceConfiguration',
        'display_name' => 'Policy A',
        'platform' => 'windows',
    ]);

    $service = app(VersionService::class);
    $service->captureVersion($policy, ['value' => 1], 'tester');
    $service->captureVersion($policy, ['value' => 2], 'tester');

    $user = User::factory()->create();
    [$user, $tenant] = createUserWithTenant(tenant: $tenant, user: $user, role: 'owner');

    $this->actingAs($user)
        ->get(route('filament.admin.resources.policy-versions.index', filamentTenantRouteParams($tenant)))
        ->assertOk()
        ->assertSee('Policy A')
        ->assertSee((string) PolicyVersion::max('version_number'));
});

test('policy version detail renders readable normalized RBAC assignment content', function () {
    $tenant = Tenant::factory()->create();

    [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');

    $policy = Policy::factory()->create([
        'tenant_id' => $tenant->id,
        'external_id' => 'rbac-assign-1',
        'policy_type' => 'intuneRoleAssignment',
        'display_name' => 'Current assignment name',
        'platform' => 'all',
        'last_synced_at' => null,
    ]);

    $version = PolicyVersion::factory()->create([
        'tenant_id' => $tenant->id,
        'policy_id' => $policy->id,
        'policy_type' => 'intuneRoleAssignment',
        'platform' => 'all',
        'snapshot' => [
            '@odata.type' => '#microsoft.graph.deviceAndAppManagementRoleAssignment',
            'displayName' => 'Helpdesk Assignment',
            'description' => 'Delegated access for helpdesk operators',
            'scopeType' => 'allDevicesAssignment',
            'members' => [
                ['displayName' => 'Helpdesk Group', 'id' => 'group-1'],
                'group-2',
            ],
            'scopeMembers' => ['scope-group-1'],
            'resourceScopes' => ['/', '/deviceManagement/managedDevices'],
            'roleDefinition' => [
                'id' => 'role-1',
                'displayName' => 'Policy and Profile Manager',
            ],
        ],
    ]);

    $tenant->makeCurrent();

    $response = $this->actingAs($user)
        ->get(\App\Filament\Resources\PolicyVersionResource::getUrl('view', ['record' => $version]).'?tab=normalized-settings&tenant='.(string) $tenant->external_id);

    $response->assertOk();
    $response->assertSee('Helpdesk Assignment');
    $response->assertSee('Role assignment');
    $response->assertSee('Policy and Profile Manager (role-1)');
    $response->assertSee('Helpdesk Group (group-1)');
    $response->assertSee('group-2');
    $response->assertSee('scope-group-1');
    $response->assertSee('/deviceManagement/managedDevices');
});

test('policy version detail returns 404 for non-members on RBAC versions', function () {
    $tenant = Tenant::factory()->create();

    [$owner, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');

    $policy = Policy::factory()->create([
        'tenant_id' => $tenant->id,
        'external_id' => 'rbac-assign-404',
        'policy_type' => 'intuneRoleAssignment',
        'display_name' => 'Hidden assignment',
        'platform' => 'all',
        'last_synced_at' => null,
    ]);

    $version = PolicyVersion::factory()->create([
        'tenant_id' => $tenant->id,
        'policy_id' => $policy->id,
        'policy_type' => 'intuneRoleAssignment',
        'platform' => 'all',
        'snapshot' => [
            'displayName' => 'Hidden assignment',
        ],
    ]);

    $outsider = User::factory()->create();
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'user_id' => (int) $outsider->getKey(),
        'role' => 'owner',
    ]);

    $tenant->makeCurrent();

    $this->actingAs($outsider)
        ->get(\App\Filament\Resources\PolicyVersionResource::getUrl('view', ['record' => $version]).'?tenant='.(string) $tenant->external_id)
        ->assertNotFound();
});