ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
d2c7267f3b
TenantAtlas/tests/Feature/Guards/NoPlatformCredentialFallbackTest.php
ahmido bab01f07a9 feat: standardize platform provider identity (#166) 
## Summary
- standardize Microsoft provider connections around explicit platform vs dedicated identity modes
- centralize admin-consent URL and runtime identity resolution so platform flows no longer fall back to tenant-local credentials
- add migration classification, richer consent and verification state handling, dedicated override management, and focused regression coverage

## Validation
- focused repo test coverage was added across provider identity, onboarding, audit, policy, guard, and migration flows
- latest explicit passing run in the workspace: `vendor/bin/sail artisan test --compact tests/Feature/AdminConsentCallbackTest.php tests/Feature/Audit/ProviderConnectionConsentAuditTest.php`

## Notes
- branch includes the full Spec 137 artifact set under `specs/137-platform-provider-identity/`
- target base branch: `dev`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #166
2026-03-13 16:29:08 +00:00

105 lines
3.3 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
it('prevents platform consent and runtime builders from reading legacy tenant credential fields', function (): void {
$root = base_path();
$files = [
'app/Filament/Resources/TenantResource.php',
'app/Support/Links/RequiredPermissionsLinks.php',
'app/Services/Providers/AdminConsentUrlFactory.php',
'app/Services/Providers/ProviderGateway.php',
'app/Services/Providers/MicrosoftGraphOptionsResolver.php',
];
$patterns = [
'/->app_client_id\b/',
'/->app_client_secret\b/',
];
$hits = [];
foreach ($files as $relativePath) {
$absolutePath = $root.'/'.$relativePath;
if (! is_file($absolutePath)) {
continue;
}
$contents = file_get_contents($absolutePath);
if (! is_string($contents) || $contents === '') {
continue;
}
if ($relativePath === 'app/Filament/Resources/TenantResource.php') {
preg_match('/public static function adminConsentUrl\(Tenant \$tenant\): \?string\s*\{(?P<body>.*?)^ \}/ms', $contents, $matches);
$contents = is_string($matches['body'] ?? null) ? (string) $matches['body'] : '';
}
$lines = preg_split('/\R/', $contents) ?: [];
foreach ($patterns as $pattern) {
foreach ($lines as $index => $line) {
if (preg_match($pattern, $line) === 1) {
$hits[] = $relativePath.':'.($index + 1).' -> '.trim($line);
}
}
}
}
expect($hits)->toBeEmpty("Legacy tenant credential reads detected in platform builders:\n".implode("\n", $hits));
});
it('prevents platform consent and runtime builders from reading provider credential payloads directly', function (): void {
$root = base_path();
$files = [
'app/Filament/Resources/TenantResource.php',
'app/Support/Links/RequiredPermissionsLinks.php',
'app/Services/Providers/AdminConsentUrlFactory.php',
'app/Services/Providers/ProviderConnectionResolver.php',
'app/Services/Providers/ProviderGateway.php',
'app/Services/Providers/MicrosoftGraphOptionsResolver.php',
];
$patterns = [
'/->credential\b/',
'/->payload\b/',
];
$hits = [];
foreach ($files as $relativePath) {
$absolutePath = $root.'/'.$relativePath;
if (! is_file($absolutePath)) {
continue;
}
$contents = file_get_contents($absolutePath);
if (! is_string($contents) || $contents === '') {
continue;
}
if ($relativePath === 'app/Filament/Resources/TenantResource.php') {
preg_match('/public static function adminConsentUrl\(Tenant \$tenant\): \?string\s*\{(?P<body>.*?)^ \}/ms', $contents, $matches);
$contents = is_string($matches['body'] ?? null) ? (string) $matches['body'] : '';
}
$lines = preg_split('/\R/', $contents) ?: [];
foreach ($patterns as $pattern) {
foreach ($lines as $index => $line) {
if (preg_match($pattern, $line) === 1) {
$hits[] = $relativePath.':'.($index + 1).' -> '.trim($line);
}
}
}
}
expect($hits)->toBeEmpty("Provider credential payload fallback detected in platform builders:\n".implode("\n", $hits));
});
Reference in New Issue View Git Blame Copy Permalink