TenantAtlas/apps/platform/tests/Feature/Navigation/Spec322AdminSurfaceScopeContractTest.php
Ahmed Darrazi d5086ff35a
test: add Spec 322 browser no-drift regression guards
2026-05-17 12:57:29 +02:00


<?php
declare(strict_types=1);
use App\Filament\Pages\Governance\DecisionRegister;
use App\Filament\Pages\Governance\GovernanceInbox;
use App\Filament\Pages\Monitoring\FindingExceptionsQueue;
use App\Filament\Resources\AlertDeliveryResource;
use App\Filament\Resources\ProviderConnectionResource;
use App\Models\ManagedEnvironment;
use App\Support\Navigation\AdminSurfaceScope;
use App\Support\Navigation\WorkspaceHubRegistry;
use App\Support\OperationRunLinks;
use App\Support\Workspaces\WorkspaceContext;
it('classifies_core_admin_surfaces_without_scope_drift', function (): void {
    // Regression guard: every literal admin path below must keep resolving to
    // the scope it is grouped under. A path that drifts into another scope is
    // reported with the path itself as the failure message.
    $expectations = [
        [
            AdminSurfaceScope::WorkspaceWideSurface,
            [
                '/admin',
                '/admin/workspaces/acme/overview',
                '/admin/workspaces/acme/operations',
                '/admin/provider-connections',
                '/admin/finding-exceptions/queue',
                '/admin/evidence/overview',
                '/admin/reviews',
                '/admin/reviews/workspace',
                '/admin/governance/inbox',
                '/admin/governance/decisions',
                '/admin/audit-log',
                '/admin/alerts',
                '/admin/alerts/alert-deliveries',
                '/admin/alerts/alert-rules',
                '/admin/alerts/alert-destinations',
                '/admin/settings/workspace',
            ],
        ],
        [
            AdminSurfaceScope::WorkspaceOwnedAnalysisSurface,
            [
                '/admin/baseline-profiles',
                '/admin/baseline-profiles/42',
                '/admin/baseline-profiles/42/edit',
                '/admin/baseline-profiles/42/compare-matrix',
                '/admin/baseline-snapshots',
                '/admin/baseline-snapshots/42',
                '/admin/findings/my-work',
                '/admin/findings/intake',
                '/admin/findings/hygiene',
                '/admin/cross-environment-compare',
            ],
        ],
        [
            AdminSurfaceScope::EnvironmentBound,
            [
                '/admin/workspaces/acme/environments/prod',
                '/admin/workspaces/acme/environments/prod/baseline-compare',
                '/admin/workspaces/acme/environments/prod/required-permissions',
                '/admin/workspaces/acme/environments/prod/inventory',
                '/admin/workspaces/acme/environments/prod/inventory/inventory-coverage',
                '/admin/workspaces/acme/environments/prod/diagnostics',
            ],
        ],
    ];

    foreach ($expectations as [$expectedScope, $paths]) {
        foreach ($paths as $path) {
            expect(AdminSurfaceScope::fromPath($path))->toBe($expectedScope, $path);
        }
    }
});
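it('workspace_hub_clean_urls_never_emit_environment_or_legacy_query_params', function (): void {
    // Arrange: an owner acting inside the admin panel, with the workspace of a
    // freshly created environment selected in the session.
    $environment = ManagedEnvironment::factory()->active()->create();
    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner', workspaceRole: 'owner');
    $workspace = $environment->workspace()->firstOrFail();

    $this->actingAs($user);
    setAdminPanelContext();
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    // Canonical entry URLs of the workspace hubs, generated with no extra parameters.
    $cleanUrls = [
        OperationRunLinks::index(workspace: $workspace),
        ProviderConnectionResource::getUrl('index', panel: 'admin'),
        FindingExceptionsQueue::getUrl(panel: 'admin'),
        route('admin.evidence.overview'),
        route('filament.admin.pages.reviews'),
        route('filament.admin.pages.reviews.workspace'),
        GovernanceInbox::getUrl(panel: 'admin'),
        DecisionRegister::getUrl(panel: 'admin'),
        route('admin.monitoring.audit-log'),
        route('filament.admin.alerts'),
        AlertDeliveryResource::getUrl('index', panel: 'admin'),
        route('filament.admin.alerts.resources.alert-rules.index'),
        route('filament.admin.alerts.resources.alert-destinations.index'),
        route('filament.admin.pages.settings.workspace'),
    ];

    // Environment-scoping and legacy tenant markers that a workspace-wide URL
    // must never carry.
    // NOTE(review): these are literal substring checks; an array-style key such
    // as a percent-encoded `environment_id[...]` would not match them, so that
    // form is only caught if hasForbiddenQuery() covers it. Confirm against
    // WorkspaceHubRegistry.
    $forbiddenFragments = [
        'environment_id=',
        'tenant=',
        'tenant_id=',
        'managed_environment_id=',
        'environment=',
        'tenant_scope=',
        'tableFilters',
    ];

    foreach ($cleanUrls as $url) {
        foreach ($forbiddenFragments as $fragment) {
            // toContain() takes needles, not a failure message, so the URL is
            // not repeated as a second argument here.
            expect($url)->not->toContain($fragment);
        }

        expect(WorkspaceHubRegistry::hasForbiddenQuery($url))->toBeFalse($url);
    }
});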
it('clear_filter_results_match_clean_workspace_hub_entry_for_filterable_hubs', function (): void {
    // Arrange: an owner acting inside the admin panel, with the workspace of a
    // freshly created environment selected in the session.
    $environment = ManagedEnvironment::factory()->active()->create();
    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner', workspaceRole: 'owner');
    $workspace = $environment->workspace()->firstOrFail();

    $this->actingAs($user);
    setAdminPanelContext();
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    // Every environment or legacy tenant parameter the cleaner is expected to
    // strip, plus one parameter (activeTab) that must survive cleaning.
    $environmentKey = (int) $environment->getKey();
    $dirtyQuery = [
        'environment_id' => $environmentKey,
        'tenant' => (string) $environment->external_id,
        'tenant_id' => $environmentKey,
        'managed_environment_id' => $environmentKey,
        'environment' => (string) $environment->getRouteKey(),
        'tenant_scope' => 'environment',
        'tableFilters' => [
            'managed_environment_id' => ['value' => (string) $environmentKey],
        ],
        'activeTab' => 'failed',
    ];

    $dirtyUrls = [
        OperationRunLinks::index(workspace: $workspace).'?'.http_build_query($dirtyQuery),
        ProviderConnectionResource::getUrl('index', $dirtyQuery, panel: 'admin'),
        FindingExceptionsQueue::getUrl(panel: 'admin', parameters: $dirtyQuery),
        route('admin.evidence.overview', $dirtyQuery),
        GovernanceInbox::getUrl(panel: 'admin', parameters: $dirtyQuery),
        DecisionRegister::getUrl(panel: 'admin', parameters: $dirtyQuery),
        route('admin.monitoring.audit-log', $dirtyQuery),
        AlertDeliveryResource::getUrl('index', $dirtyQuery, panel: 'admin'),
    ];

    // NOTE(review): the cleaner's output is judged only by the registry's own
    // hasForbiddenQuery(); the dirty keys are not checked independently, and
    // the cleaned URL is not compared with the hub's clean entry URL or path,
    // although the test name suggests it. Confirm this is intended.
    foreach ($dirtyUrls as $dirtyUrl) {
        $cleaned = WorkspaceHubRegistry::cleanUrl($dirtyUrl);

        $remainingQuery = [];
        parse_str((string) parse_url($cleaned, PHP_URL_QUERY), $remainingQuery);

        expect(WorkspaceHubRegistry::hasForbiddenQuery($cleaned))->toBeFalse($cleaned);
        expect($remainingQuery)->toHaveKey('activeTab', 'failed');
    }
});
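it('environment_id_filters_reject_cross_workspace_environment_ids', function (): void {
    // Arrange: an owner of one workspace, plus a second environment created
    // independently that the request will try to filter by.
    $environment = ManagedEnvironment::factory()->active()->create();
    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner', workspaceRole: 'owner');
    $workspace = $environment->workspace()->firstOrFail();

    $foreignEnvironment = ManagedEnvironment::factory()->active()->create([
        'name' => 'Spec322 Foreign Environment',
    ]);

    // Precondition: the second environment must not belong to the acting
    // user's workspace. Otherwise the 404s below would not show cross-workspace
    // isolation. A foreign environment with no workspace at all also passes.
    expect($foreignEnvironment->workspace()->first()?->getKey())->not->toBe($workspace->getKey());

    $this->actingAs($user);
    setAdminPanelContext();
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    $foreignKey = (int) $foreignEnvironment->getKey();

    // Workspace-hub index URLs carrying an environment_id that belongs elsewhere.
    $urls = [
        route('admin.operations.index', [
            'workspace' => $workspace,
            'environment_id' => $foreignKey,
        ]),
        ProviderConnectionResource::getUrl('index', [
            'environment_id' => $foreignKey,
        ], panel: 'admin'),
        AlertDeliveryResource::getUrl('index', [
            'environment_id' => $foreignKey,
        ], panel: 'admin'),
        route('admin.monitoring.audit-log', [
            'environment_id' => $foreignKey,
        ]),
    ];

    // The expected response is 404, the same status a non-existent id would
    // presumably produce, so the response does not reveal whether the id exists.
    // NOTE(review): there is no positive control here. A 404 caused by
    // something else (unresolved route, missing panel context) would also pass.
    // Consider asserting that the same routes succeed with the workspace's own
    // environment id.
    foreach ($urls as $url) {
        $this->get($url)->assertNotFound();
    }
});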