ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
cc93329672
TenantAtlas/tests/Feature/RequiredPermissions/RequiredPermissionsSidebarTest.php
ahmido cc93329672 feat: canonical tenant context resolution (#164) 
## Summary
- introduce a canonical admin tenant filter-state helper and route all in-scope workspace-admin tenant resolution through `OperateHubShell::activeEntitledTenant()`
- align operations monitoring, operation-run deep links, Entra group admin list/view/search behavior, and shared context-bar rendering with the documented scope contract
- add the Spec 135 design artifacts, architecture note, focused guardrail coverage, and non-regression tests for filter persistence, direct-record access, and global search safety

## Validation
- `vendor/bin/sail bin pint --dirty --format agent`
- `vendor/bin/sail artisan test --compact tests/Feature/Monitoring/OperationsKpiHeaderTenantContextTest.php tests/Feature/Monitoring/OperationsTenantScopeTest.php tests/Feature/Monitoring/OperationsCanonicalUrlsTest.php tests/Feature/Spec085/OperationsIndexHeaderTest.php tests/Feature/Spec085/RunDetailBackAffordanceTest.php tests/Feature/Filament/OperationRunListFiltersTest.php tests/Feature/Filament/EntraGroupAdminScopeTest.php tests/Feature/Filament/EntraGroupGlobalSearchScopeTest.php tests/Feature/DirectoryGroups/BrowseGroupsTest.php tests/Feature/Filament/EntraGroupEnterpriseDetailPageTest.php tests/Feature/Filament/PolicyVersionResolvedReferenceLinksTest.php tests/Feature/Filament/EntraGroupResolvedReferencePresentationTest.php tests/Feature/Guards/AdminTenantResolverGuardTest.php tests/Feature/OpsUx/OperateHubShellTest.php tests/Feature/Filament/Alerts/AlertsKpiHeaderTest.php tests/Feature/Alerts/AlertDeliveryDeepLinkFiltersTest.php`
- `vendor/bin/sail artisan test --compact tests/Feature/Filament/TableStatePersistenceTest.php tests/Feature/Filament/TenantScopingTest.php tests/Feature/Filament/Alerts/AlertDeliveryViewerTest.php tests/Unit/Support/References/CapabilityAwareReferenceResolverTest.php`

## Notes
- Filament v5 remains on Livewire v4.0+ compliant surfaces only.
- No provider registration changes were needed; Laravel 12 provider registration remains in `bootstrap/providers.php`.
- Entra group global search remains enabled and is now scoped to the canonical admin tenant contract.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #164
2026-03-11 21:24:28 +00:00

191 lines
6.9 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\Workspaces\WorkspaceContext;
/*
|--------------------------------------------------------------------------
| T001 — Sidebar context tests for Required Permissions page
|--------------------------------------------------------------------------
|
| Verifies that the Required Permissions page (a workspace-scoped page
| that uses {tenant} for data display only) always renders the workspace
| sidebar — never the tenant sidebar. Also verifies FR-002: authorization
| (404 for non-members) still works after the middleware change.
|
*/
it('renders workspace navigation items on the required permissions page', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$response = $this->actingAs($user)
->get("/admin/tenants/{$tenant->external_id}/required-permissions");
$response->assertOk();
// Workspace nav items from configureNavigationForRequest() workspace builder
$response->assertSee('Operations', false);
$response->assertSee('Audit Log', false);
});
it('does not render tenant navigation items on the required permissions page', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$response = $this->actingAs($user)
->get("/admin/tenants/{$tenant->external_id}/required-permissions");
$response->assertOk();
// Tenant-scoped nav groups/items must NOT appear
$response->assertDontSee('>Inventory</span>', false);
$response->assertDontSee('>Backups &amp; Restore</span>', false);
});
it('shows workspace sidebar when navigating directly via URL', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$response = $this->actingAs($user)
->get("/admin/tenants/{$tenant->external_id}/required-permissions");
$response->assertOk();
// Workspace nav present (Operations is always visible in workspace nav)
$response->assertSee('Operations', false);
$response->assertSee('Audit Log', false);
// Tenant nav absent
$response->assertDontSee('>Directory</span>', false);
$response->assertDontSee('>Governance</span>', false);
});
it('redirects non-workspace-members with stale session (FR-002 regression guard)', function (): void {
$user = User::factory()->create();
$workspace = Workspace::factory()->create();
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
]);
// User is NOT a workspace member — middleware clears stale session and redirects
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
])
->get("/admin/tenants/{$tenant->external_id}/required-permissions")
->assertRedirect();
});
it('returns 404 for workspace members without tenant entitlement after middleware change (FR-002 regression guard)', function (): void {
$user = User::factory()->create();
$workspace = Workspace::factory()->create();
$tenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
]);
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
// User IS a workspace member but NOT entitled to this tenant
$this->actingAs($user)
->withSession([
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
])
->get("/admin/tenants/{$tenant->external_id}/required-permissions")
->assertNotFound();
});
/*
|--------------------------------------------------------------------------
| T002 — Regression: tenant-scoped pages still show tenant sidebar
|--------------------------------------------------------------------------
|
| Verifies that the middleware change does NOT affect tenant-scoped pages.
| Pages under /admin/t/{tenant}/ must continue to show tenant sidebar.
|
*/
it('still renders tenant sidebar on tenant-scoped pages (regression guard)', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
// Use the tenant dashboard — a known tenant-scoped URL
$response = $this->actingAs($user)
->get("/admin/t/{$tenant->external_id}");
$response->assertOk();
// Tenant-scoped nav groups MUST be present on tenant pages (Inventory group)
$response->assertSee('Inventory', false);
});
/*
|--------------------------------------------------------------------------
| T007 — Context bar: tenant name is visible on the page
|--------------------------------------------------------------------------
|
| The page's $scopedTenant is resolved from the route param via
| resolveScopedTenant() — NOT from Filament::getTenant(). So the tenant
| data is available even though Filament::setTenant() is skipped.
| Verify the page renders successfully and that the tenant's data is used.
|
*/
it('resolves scoped tenant correctly with workspace sidebar (context bar / US2)', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'readonly');
$response = $this->actingAs($user)
->get("/admin/tenants/{$tenant->external_id}/required-permissions");
$response->assertOk();
// The page resolves $scopedTenant from route param and uses it for visible page context.
$response->assertSee($tenant->getFilamentName(), false);
$response->assertSee('Required permissions', false);
// The page uses $scopedTenant for links (e.g., "Re-run verification" links back to TenantResource)
// If $scopedTenant were null, the page would abort(404) in mount().
// The fact that we get 200 proves $scopedTenant resolved correctly despite setTenant() being skipped.
// Workspace nav present (sidebar fix working)
$response->assertSee('Operations', false);
// Tenant nav absent (sidebar fix working)
$response->assertDontSee('>Inventory</span>', false);
});
it('shows the routed tenant context even when another tenant is current', function (): void {
$workspace = Workspace::factory()->create();
$user = User::factory()->create();
$currentTenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'name' => 'YPTW2',
'environment' => 'dev',
'status' => 'active',
]);
$routedTenant = Tenant::factory()->create([
'workspace_id' => (int) $workspace->getKey(),
'name' => 'Phoenicon',
'environment' => 'dev',
'status' => 'active',
]);
createUserWithTenant($currentTenant, $user, role: 'owner');
createUserWithTenant($routedTenant, $user, role: 'owner');
$currentTenant->makeCurrent();
$this->actingAs($user)
->get("/admin/tenants/{$routedTenant->external_id}/required-permissions")
->assertOk()
->assertSee($routedTenant->getFilamentName(), false)
->assertSee('Required permissions', false);
});
Reference in New Issue View Git Blame Copy Permalink