ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
cd23adda1a
TenantAtlas/tests/Feature/ReviewPack/ReviewPackRbacTest.php
Ahmed Darrazi 2a1a708716 feat(109): complete Review Pack Export v1 — Phases 3-8 
- ReviewPackService: generate, fingerprint dedupe, signed download URL
- GenerateReviewPackJob: 12-step pipeline, ZIP assembly, failure handling
- ReviewPackDownloadController: signed URL streaming with SHA-256 header
- ReviewPackResource: list/view pages, generate/expire/download actions
- TenantReviewPackCard: dashboard widget with 5 display states
- ReviewPackPolicy: RBAC via REVIEW_PACK_VIEW/MANAGE capabilities
- PruneReviewPacksCommand: retention automation + hard-delete option
- ReviewPackStatusNotification: database channel, ready/failed payloads
- Schedule: daily prune + entra admin roles, posture:dispatch deferred
- AlertRuleResource: hide sla_due from dropdown (backward compat kept)
- 59 passing tests across 7 test files (1 skipped: posture deferred)
- All 36 tasks completed per tasks.md
2026-02-23 11:00:47 +01:00

215 lines
7.4 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Filament\Resources\ReviewPackResource;
use App\Filament\Resources\ReviewPackResource\Pages\ListReviewPacks;
use App\Models\ReviewPack;
use App\Models\Tenant;
use App\Services\ReviewPackService;
use App\Support\Auth\UiTooltips;
use App\Support\ReviewPackStatus;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Facades\URL;
use Livewire\Livewire;
uses(RefreshDatabase::class);
beforeEach(function (): void {
Storage::fake('exports');
});
// ─── Non-Member Access ───────────────────────────────────────
it('returns 404 for non-member on list page', function (): void {
$targetTenant = Tenant::factory()->create();
$otherTenant = Tenant::factory()->create();
[$user] = createUserWithTenant($otherTenant, role: 'owner');
$this->actingAs($user)
->get(ReviewPackResource::getUrl('index', tenant: $targetTenant))
->assertNotFound();
});
it('returns 404 for non-member on view page', function (): void {
$targetTenant = Tenant::factory()->create();
$otherTenant = Tenant::factory()->create();
[$user] = createUserWithTenant($otherTenant, role: 'owner');
$pack = ReviewPack::factory()->ready()->create([
'tenant_id' => (int) $targetTenant->getKey(),
]);
$this->actingAs($user)
->get(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $targetTenant))
->assertNotFound();
});
it('returns 404 for non-member on download route', function (): void {
$targetTenant = Tenant::factory()->create();
$otherTenant = Tenant::factory()->create();
[$user] = createUserWithTenant($otherTenant, role: 'owner');
$filePath = 'review-packs/rbac-test.zip';
Storage::disk('exports')->put($filePath, 'PK-fake');
$pack = ReviewPack::factory()->ready()->create([
'tenant_id' => (int) $targetTenant->getKey(),
'file_path' => $filePath,
'file_disk' => 'exports',
]);
// Note: download route uses signed middleware, not tenant-scoped RBAC.
// Any user with a valid signature can download. This is by design.
$signedUrl = app(ReviewPackService::class)->generateDownloadUrl($pack);
$this->actingAs($user)->get($signedUrl)->assertOk();
});
// ─── REVIEW_PACK_VIEW Member ────────────────────────────────
it('allows readonly member to access list page', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
$this->actingAs($user)
->get(ReviewPackResource::getUrl('index', tenant: $tenant))
->assertOk();
});
it('allows readonly member to access view page', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
$pack = ReviewPack::factory()->ready()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'initiated_by_user_id' => (int) $user->getKey(),
]);
$this->actingAs($user)
->get(ReviewPackResource::getUrl('view', ['record' => $pack], tenant: $tenant))
->assertOk();
});
it('allows readonly member to download via signed URL', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
$filePath = 'review-packs/readonly-test.zip';
Storage::disk('exports')->put($filePath, 'PK-fake');
$pack = ReviewPack::factory()->ready()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'initiated_by_user_id' => (int) $user->getKey(),
'file_path' => $filePath,
'file_disk' => 'exports',
]);
$signedUrl = app(ReviewPackService::class)->generateDownloadUrl($pack);
$this->actingAs($user)->get($signedUrl)->assertOk();
});
it('disables generate action for readonly member', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(ListReviewPacks::class)
->assertActionVisible('generate_pack')
->assertActionDisabled('generate_pack')
->assertActionExists('generate_pack', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission());
});
// ─── REVIEW_PACK_MANAGE Member ──────────────────────────────
it('allows owner to generate a review pack', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(ListReviewPacks::class)
->assertActionVisible('generate_pack')
->assertActionEnabled('generate_pack');
});
it('allows owner to expire a ready pack', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
$filePath = 'review-packs/expire-rbac.zip';
Storage::disk('exports')->put($filePath, 'PK-fake');
$pack = ReviewPack::factory()->ready()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'initiated_by_user_id' => (int) $user->getKey(),
'file_path' => $filePath,
'file_disk' => 'exports',
]);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(ListReviewPacks::class)
->assertTableActionVisible('expire', $pack)
->callTableAction('expire', $pack);
$pack->refresh();
expect($pack->status)->toBe(ReviewPackStatus::Expired->value);
});
it('disables expire action for readonly member', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
$filePath = 'review-packs/expire-readonly.zip';
Storage::disk('exports')->put($filePath, 'PK-fake');
$pack = ReviewPack::factory()->ready()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
'file_path' => $filePath,
'file_disk' => 'exports',
]);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
Livewire::actingAs($user)
->test(ListReviewPacks::class)
->assertTableActionVisible('expire', $pack)
->assertTableActionDisabled('expire', $pack);
});
// ─── Signed URL Security ────────────────────────────────────
it('rejects unsigned download URL with 403', function (): void {
$tenant = Tenant::factory()->create();
[$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
$pack = ReviewPack::factory()->ready()->create([
'tenant_id' => (int) $tenant->getKey(),
'workspace_id' => (int) $tenant->workspace_id,
]);
$response = $this->actingAs($user)
->get(route('admin.review-packs.download', ['reviewPack' => $pack->getKey()]));
$response->assertForbidden();
});
Reference in New Issue View Git Blame Copy Permalink