ahmido
eceeee9c5c
## Summary - retire the remaining tenant-scoped provider-connection legacy routes and update canonical verification and link behavior - complete the provider target-scope fallback cleanup so neutral shared scope data falls back to the managed environment when the raw connection tenant identifier is blank - stop mirroring workspace roles into managed-environment scope persistence and cut the targeted admin-panel test helpers over to the post-cutover context path - add and update the Spec 287 artifact package and targeted regression coverage for route retirement, provider-core neutralization, workspace-first RBAC, and helper cutover ## Validation - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/ProviderConnections/LegacyRedirectTest.php tests/Feature/ProviderConnections/TenantlessListRouteTest.php tests/Feature/ProviderConnections/TenantlessListScopingTest.php tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Rbac/ProviderConnectionWorkspaceFirstPolicyTest.php tests/Feature/Reviews/CustomerReviewWorkspaceLaunchLinksTest.php tests/Feature/Rbac/TriageReviewStateAuthorizationTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec281ProviderConnectionScopeSmokeTest.php tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php` - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` ## Notes - Filament remains on Livewire v4 and provider registration stays unchanged in `apps/platform/bootstrap/providers.php`. - No new asset registration or deployment-step changes are included in this slice. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #346
95 lines
4.3 KiB
PHP
95 lines
4.3 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\ProviderCredential;
|
|
use App\Models\ManagedEnvironment;
|
|
use App\Services\Providers\ProviderIdentityResolver;
|
|
use App\Support\Providers\ProviderConnectionType;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('exposes effective client identity and provider context without shared tenantContext naming', function (): void {
|
|
config()->set('graph.client_id', 'platform-client-id');
|
|
config()->set('graph.client_secret', 'platform-client-secret');
|
|
config()->set('graph.managed_environment_id', 'platform-home-tenant-id');
|
|
|
|
[, $tenant] = createUserWithTenant(role: 'owner', ensureDefaultMicrosoftProviderConnection: false);
|
|
|
|
$connection = ProviderConnection::factory()->platform()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'managed_environment_id' => (int) $tenant->getKey(),
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => '22222222-2222-2222-2222-222222222222',
|
|
]);
|
|
|
|
$resolution = app(ProviderIdentityResolver::class)->resolve($connection->fresh(['tenant']));
|
|
$providerContextDetails = collect($resolution->providerContext()['details']);
|
|
|
|
expect($resolution->resolved)->toBeTrue()
|
|
->and($resolution->connectionType)->toBe(ProviderConnectionType::Platform)
|
|
->and(property_exists($resolution, 'tenantContext'))->toBeFalse()
|
|
->and($resolution->targetScopeIdentifier())->toBe('22222222-2222-2222-2222-222222222222')
|
|
->and($resolution->effectiveClientIdentity())->toBe([
|
|
'client_id' => 'platform-client-id',
|
|
'credential_source' => 'platform_config',
|
|
])
|
|
->and($providerContextDetails->contains(
|
|
fn (array $detail): bool => ($detail['detail_key'] ?? null) === 'microsoft_tenant_id'
|
|
&& ($detail['detail_value'] ?? null) === '22222222-2222-2222-2222-222222222222',
|
|
))->toBeTrue();
|
|
});
|
|
|
|
it('keeps dedicated runtime secrets out of target scope and provider context', function (): void {
|
|
$connection = ProviderConnection::factory()->dedicated()->create([
|
|
'entra_tenant_id' => '33333333-3333-3333-3333-333333333333',
|
|
]);
|
|
|
|
ProviderCredential::factory()->create([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'payload' => [
|
|
'client_id' => 'dedicated-client-id',
|
|
'client_secret' => 'dedicated-client-secret',
|
|
],
|
|
]);
|
|
|
|
$resolution = app(ProviderIdentityResolver::class)->resolve($connection->fresh(['tenant', 'credential']));
|
|
$providerContextDetails = collect($resolution->providerContext()['details']);
|
|
|
|
expect($resolution->resolved)->toBeTrue()
|
|
->and($resolution->targetScope?->toArray())->not->toHaveKey('client_secret')
|
|
->and($providerContextDetails->contains(
|
|
fn (array $detail): bool => str_contains((string) ($detail['detail_value'] ?? ''), 'dedicated-client-secret'),
|
|
))->toBeFalse()
|
|
->and($resolution->effectiveClientId)->toBe('dedicated-client-id');
|
|
});
|
|
|
|
it('resolves platform identity from the neutral target scope when the connection tenant identifier is blank', function (): void {
|
|
config()->set('graph.client_id', 'platform-client-id');
|
|
config()->set('graph.client_secret', 'platform-client-secret');
|
|
config()->set('graph.managed_environment_id', 'platform-home-tenant-id');
|
|
|
|
$tenant = ManagedEnvironment::factory()->create([
|
|
'managed_environment_id' => '77777777-7777-7777-7777-777777777777',
|
|
]);
|
|
|
|
$connection = ProviderConnection::factory()->platform()->create([
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'managed_environment_id' => (int) $tenant->getKey(),
|
|
'provider' => 'microsoft',
|
|
'entra_tenant_id' => '',
|
|
]);
|
|
|
|
$resolution = app(ProviderIdentityResolver::class)->resolve($connection->fresh(['tenant']));
|
|
$providerContextDetails = collect($resolution->providerContext()['details']);
|
|
|
|
expect($resolution->resolved)->toBeTrue()
|
|
->and($resolution->targetScopeIdentifier())->toBe('77777777-7777-7777-7777-777777777777')
|
|
->and($providerContextDetails->contains(
|
|
fn (array $detail): bool => ($detail['detail_key'] ?? null) === 'microsoft_tenant_id'
|
|
&& ($detail['detail_value'] ?? null) === '77777777-7777-7777-7777-777777777777',
|
|
))->toBeTrue();
|
|
});
|