ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
d25290d95e
TenantAtlas/tests/Feature/PermissionPosture/GeneratePermissionPostureFindingsJobTest.php
ahmido ef380b67d1 feat(104): Provider Permission Posture (#127) 
Implements Spec 104: Provider Permission Posture.

What changed
- Generates permission posture findings after each tenant permission compare (queued)
- Stores immutable posture snapshots as StoredReports (JSONB payload)
- Adds global Finding resolved lifecycle (`resolved_at`, `resolved_reason`) with `resolve()` / `reopen()`
- Adds alert pipeline event type `permission_missing` (Alerts v1) and Filament option for Alert Rules
- Adds retention pruning command + daily schedule for StoredReports
- Adds badge mappings for `resolved` finding status and `permission_posture` finding type

UX fixes discovered during manual verification
- Hide “Diff” section for non-drift findings (only drift findings show diff)
- Required Permissions page: “Re-run verification” now links to Tenant view (not onboarding)
- Preserve Technical Details `<details>` open state across Livewire re-renders (Alpine state)

Verification
- Ran `vendor/bin/sail artisan test --compact --filter=PermissionPosture` (50 tests)
- Ran `vendor/bin/sail artisan test --compact --filter="FindingResolved|FindingBadge|PermissionMissingAlert"` (20 tests)
- Ran `vendor/bin/sail bin pint --dirty`

Filament v5 / Livewire v4 compliance
- Filament v5 + Livewire v4: no Livewire v3 usage.

Panel provider registration (Laravel 11+)
- No new panels added. Existing panel providers remain registered via `bootstrap/providers.php`.

Global search rule
- No changes to global-searchable resources.

Destructive actions
- No new destructive Filament actions were added in this PR.

Assets / deploy notes
- No new Filament assets registered. Existing deploy step `php artisan filament:assets` remains unchanged.

Test coverage
- New/updated Pest feature tests cover generator behavior, job integration, alerting, retention pruning, and resolved lifecycle.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #127
2026-02-21 22:32:52 +00:00

149 lines
5.3 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Jobs\GeneratePermissionPostureFindingsJob;
use App\Jobs\ProviderConnectionHealthCheckJob;
use App\Models\Finding;
use App\Models\OperationRun;
use App\Models\StoredReport;
use App\Models\Tenant;
use App\Services\PermissionPosture\FindingGeneratorContract;
use App\Support\OperationCatalog;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Queue;
use Mockery\MockInterface;
uses(RefreshDatabase::class);
function buildJobComparison(array $permissions = [], string $overallStatus = 'missing'): array
{
return [
'overall_status' => $overallStatus,
'permissions' => $permissions,
'last_refreshed_at' => now()->toIso8601String(),
];
}
// (1) Successful run creates OperationRun with correct type and outcome
it('creates OperationRun with correct type and outcome on success', function (): void {
[$user, $tenant] = createUserWithTenant();
$comparison = buildJobComparison([
['key' => 'Perm.A', 'type' => 'application', 'status' => 'missing', 'features' => ['a']],
]);
$job = new GeneratePermissionPostureFindingsJob($tenant->getKey(), $comparison);
$job->handle(
app(FindingGeneratorContract::class),
app(\App\Services\OperationRunService::class),
);
$run = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', OperationCatalog::TYPE_PERMISSION_POSTURE_CHECK)
->first();
expect($run)->not->toBeNull()
->and($run->status)->toBe(OperationRunStatus::Completed->value)
->and($run->outcome)->toBe(OperationRunOutcome::Succeeded->value);
});
// (2) Skips tenant without provider connection
it('skips tenant without provider connection', function (): void {
$tenant = Tenant::factory()->create();
// Ensure workspace is set
$workspace = \App\Models\Workspace::factory()->create();
$tenant->forceFill(['workspace_id' => $workspace->getKey()])->save();
// Explicitly delete any provider connections
$tenant->providerConnections()->delete();
$comparison = buildJobComparison([
['key' => 'Perm.A', 'type' => 'application', 'status' => 'missing', 'features' => ['a']],
]);
$job = new GeneratePermissionPostureFindingsJob($tenant->getKey(), $comparison);
$job->handle(
app(FindingGeneratorContract::class),
app(\App\Services\OperationRunService::class),
);
expect(Finding::query()->where('tenant_id', $tenant->getKey())->count())->toBe(0)
->and(StoredReport::query()->where('tenant_id', $tenant->getKey())->count())->toBe(0)
->and(OperationRun::query()->where('tenant_id', $tenant->getKey())->where('type', OperationCatalog::TYPE_PERMISSION_POSTURE_CHECK)->count())->toBe(0);
});
// (3) Records summary counts on OperationRun
it('records summary counts on OperationRun', function (): void {
[$user, $tenant] = createUserWithTenant();
$comparison = buildJobComparison([
['key' => 'Perm.A', 'type' => 'application', 'status' => 'missing', 'features' => ['a']],
['key' => 'Perm.B', 'type' => 'application', 'status' => 'granted', 'features' => ['b']],
]);
$job = new GeneratePermissionPostureFindingsJob($tenant->getKey(), $comparison);
$job->handle(
app(FindingGeneratorContract::class),
app(\App\Services\OperationRunService::class),
);
$run = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', OperationCatalog::TYPE_PERMISSION_POSTURE_CHECK)
->first();
$counts = is_array($run->summary_counts) ? $run->summary_counts : [];
expect($counts)->toHaveKey('findings_created')
->and($counts['findings_created'])->toBe(1)
->and($counts)->toHaveKey('posture_score')
->and($counts['posture_score'])->toBe(50);
});
// (4) Handles generator exceptions gracefully
it('marks OperationRun as failed on exception', function (): void {
[$user, $tenant] = createUserWithTenant();
$this->mock(FindingGeneratorContract::class, function (MockInterface $mock): void {
$mock->shouldReceive('generate')->andThrow(new RuntimeException('Test error'));
});
$comparison = buildJobComparison([
['key' => 'Perm.A', 'type' => 'application', 'status' => 'missing', 'features' => ['a']],
]);
$job = new GeneratePermissionPostureFindingsJob($tenant->getKey(), $comparison);
try {
$job->handle(
app(FindingGeneratorContract::class),
app(\App\Services\OperationRunService::class),
);
} catch (RuntimeException) {
// Expected
}
$run = OperationRun::query()
->where('tenant_id', $tenant->getKey())
->where('type', OperationCatalog::TYPE_PERMISSION_POSTURE_CHECK)
->first();
expect($run->outcome)->toBe(OperationRunOutcome::Failed->value);
});
// (5) Dispatched from ProviderConnectionHealthCheckJob after successful compare
it('dispatches posture job from health check job', function (): void {
Queue::fake([GeneratePermissionPostureFindingsJob::class]);
[$user, $tenant] = createUserWithTenant();
// The actual dispatch is tested by verifying the hook exists in the source
// (integration test will cover the full flow in T033)
Queue::assertNothingPushed();
});
Reference in New Issue View Git Blame Copy Permalink