TenantAtlas/tests/Feature/Rbac/AdminGlobalSearchContextSafetyTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\EntraGroupResource;
use App\Filament\Resources\OperationRunResource;
use App\Filament\Resources\PolicyResource;
use App\Filament\Resources\PolicyVersionResource;
use App\Filament\Resources\ProviderConnectionResource;
use App\Filament\Resources\TenantResource;
use App\Models\EntraGroup;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Models\Tenant;
use App\Support\WorkspaceIsolation\TenantOwnedModelFamilies;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

function adminGlobalSearchTitles($results): array
{
    return collect($results)->map(fn ($result): string => (string) $result->title)->all();
}

it('does not collapse administratively discoverable tenant results because remembered tenant context is selector-ineligible', function (): void {
    $activeTenant = Tenant::factory()->active()->create(['name' => 'Search Safety Active']);
    [$user, $activeTenant] = createUserWithTenant(tenant: $activeTenant, role: 'owner');

    $onboardingTenant = Tenant::factory()->onboarding()->create([
        'workspace_id' => (int) $activeTenant->workspace_id,
        'name' => 'Search Safety Onboarding',
    ]);

    createUserWithTenant(tenant: $onboardingTenant, user: $user, role: 'owner', ensureDefaultMicrosoftProviderConnection: false);

    $this->actingAs($user);

    Filament::setCurrentPanel('admin');
    Filament::setTenant(null, true);
    Filament::bootCurrentPanel();

    session()->put(WorkspaceContext::SESSION_KEY, (int) $activeTenant->workspace_id);
    session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [
        (string) $activeTenant->workspace_id => (int) $onboardingTenant->getKey(),
    ]);

    expect(adminGlobalSearchTitles(TenantResource::getGlobalSearchResults('Search Safety')))
        ->toEqualCanonicalizing([
            'Search Safety Active',
            'Search Safety Onboarding',
        ]);
});

it('keeps operation runs out of admin global search regardless of remembered context state', function (): void {
    expect(OperationRunResource::canGloballySearch())->toBeFalse()
        ->and(ProviderConnectionResource::canGloballySearch())->toBeFalse();
});

it('keeps representative first-slice admin global-search behavior aligned to the family registry postures', function (): void {
    $tenantA = Tenant::factory()->create();
    [$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner');

    $tenantB = Tenant::factory()->create([
        'workspace_id' => (int) $tenantA->workspace_id,
    ]);

    createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner');

    EntraGroup::factory()->for($tenantA)->create([
        'display_name' => 'Registry Search Group',
    ]);

    EntraGroup::factory()->for($tenantB)->create([
        'display_name' => 'Registry Search Group',
    ]);

    $policy = Policy::factory()->for($tenantA)->create([
        'display_name' => 'Registry Search Policy',
    ]);

    PolicyVersion::factory()->for($tenantA)->for($policy)->create([
        'version_number' => 77,
    ]);

    $this->actingAs($user);

    Filament::setCurrentPanel('admin');
    Filament::setTenant(null, true);
    Filament::bootCurrentPanel();

    session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);
    session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [
        (string) $tenantA->workspace_id => (int) $tenantA->getKey(),
    ]);

    expect(TenantOwnedModelFamilies::searchPostureForModel(EntraGroup::class))->toBe('scoped');
    expect(TenantOwnedModelFamilies::searchPostureForModel(Policy::class))->toBe('disabled');
    expect(TenantOwnedModelFamilies::searchPostureForModel(PolicyVersion::class))->toBe('disabled');

    expect(adminGlobalSearchTitles(EntraGroupResource::getGlobalSearchResults('Registry Search')))
        ->toBe(['Registry Search Group']);

    expect(PolicyResource::getGlobalSearchResults('Registry Search Policy'))->toHaveCount(0);
    expect(PolicyVersionResource::getGlobalSearchResults('77'))->toHaveCount(0);
});