ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
ddf8dda525
TenantAtlas/apps/platform/tests/Feature/TenantConfiguration/Spec415CoverageCaptureAuthorizationTest.php
ahmido ca0f54614d feat: add generic content-backed coverage capture (#482) 
Automated PR provided by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #482
2026-06-25 19:55:52 +00:00

107 lines
3.9 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Jobs\TenantConfiguration\CaptureTenantConfigurationEvidenceJob;
use App\Models\AuditLog;
use App\Models\ManagedEnvironment;
use App\Models\ProviderConnection;
use App\Models\User;
use App\Services\TenantConfiguration\StartTenantConfigurationCapture;
use App\Support\OperationRunStatus;
use Illuminate\Support\Facades\DB;
use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Support\Facades\Queue;
use Illuminate\Support\Str;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
it('starts an authorized capture run and queues remote execution', function (): void {
Queue::fake();
[$user, $tenant] = createStandardUserWithTenant(role: 'owner');
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'managed_environment_id' => (int) $tenant->getKey(),
]);
$run = app(StartTenantConfigurationCapture::class)->start(
tenant: $tenant,
providerConnection: $connection,
actor: $user,
canonicalTypes: ['deviceAndAppManagementAssignmentFilter'],
);
expect($run->type)->toBe('tenant_configuration.capture')
->and($run->status)->toBe(OperationRunStatus::Queued->value)
->and(data_get($run->context, 'required_capability'))->toBe('evidence.manage')
->and(data_get($run->context, 'target_scope.provider_connection_id'))->toBe((int) $connection->getKey());
Queue::assertPushed(CaptureTenantConfigurationEvidenceJob::class);
expect(AuditLog::query()->where('action', 'tenant_configuration.capture.started')->exists())->toBeTrue();
});
it('returns forbidden when the user lacks the evidence manage capability', function (): void {
Queue::fake();
[$user, $tenant] = createStandardUserWithTenant(role: 'readonly', workspaceRole: 'readonly');
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'managed_environment_id' => (int) $tenant->getKey(),
]);
expect(fn () => app(StartTenantConfigurationCapture::class)->start($tenant, $connection, $user))
->toThrow(AuthorizationException::class);
Queue::assertNothingPushed();
});
it('hides managed environments outside the user workspace scope', function (): void {
Queue::fake();
$user = User::factory()->create();
[, $tenant] = createStandardUserWithTenant(role: 'owner');
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'managed_environment_id' => (int) $tenant->getKey(),
]);
expect(fn () => app(StartTenantConfigurationCapture::class)->start($tenant, $connection, $user))
->toThrow(NotFoundHttpException::class);
Queue::assertNothingPushed();
});
it('hides managed environments excluded by explicit environment entitlement scope', function (): void {
Queue::fake();
[$user, $tenant] = createMinimalUserWithTenant(role: 'owner');
$allowedTenant = ManagedEnvironment::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
]);
$connection = ProviderConnection::factory()->create([
'workspace_id' => (int) $tenant->workspace_id,
'managed_environment_id' => (int) $tenant->getKey(),
]);
DB::table('managed_environment_memberships')
->where('managed_environment_id', (int) $tenant->getKey())
->where('user_id', (int) $user->getKey())
->delete();
DB::table('managed_environment_memberships')->insert([
'id' => (string) Str::uuid(),
'managed_environment_id' => (int) $allowedTenant->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
'source' => 'manual',
'created_at' => now(),
'updated_at' => now(),
]);
expect(fn () => app(StartTenantConfigurationCapture::class)->start($tenant, $connection, $user))
->toThrow(NotFoundHttpException::class);
Queue::assertNothingPushed();
});
Reference in New Issue View Git Blame Copy Permalink