ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
e02799b383
TenantAtlas/apps/platform/tests/Feature/Rbac/ActionSurfaceRbacSemanticsTest.php
ahmido e02799b383 feat: implement spec 198 monitoring page state contract (#238) 
## Summary
- implement Spec 198 monitoring page-state contracts across Operations, Audit Log, Finding Exceptions Queue, Evidence Overview, Baseline Compare Landing, and Baseline Compare Matrix
- align selected-record and draft/apply behavior with query/session restoration semantics, including canonical navigation and tenant-filter normalization helpers
- add Spec 198 feature and browser coverage, update closure/spec artifacts, and refresh affected regression tests that asserted pre-contract behavior

## Verification
- focused Spec 198 feature pack passed through Sail
- Spec 198 browser smoke passed through Sail
- existing Spec 190 and Spec 194 browser smokes passed through Sail
- targeted fallout tests were updated and rerun during full-suite triage

## Notes
- Livewire v4 / Filament v5 compliant only; no legacy API reintroduction
- no provider registration changes; Laravel 11+ provider registration remains in `bootstrap/providers.php`
- no global-search behavior changed for any resource
- destructive queue decision actions remain confirmation-gated and authorization-backed
- no new Filament assets were added; existing deploy step for `php artisan filament:assets` remains unchanged

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #238
2026-04-15 21:59:42 +00:00

191 lines
7.4 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
use App\Filament\Pages\Monitoring\AuditLog as AuditLogPage;
use App\Filament\Pages\Monitoring\FindingExceptionsQueue;
use App\Filament\Pages\Monitoring\Operations;
use App\Models\AuditLog;
use App\Models\Finding;
use App\Models\FindingException;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use Filament\Facades\Filament;
use Livewire\Livewire;
use App\Support\Workspaces\WorkspaceContext;
it('returns 404 for non-members on representative action-surface route', function (): void {
$workspaceA = Workspace::factory()->create();
$workspaceB = Workspace::factory()->create();
$user = User::factory()->create();
WorkspaceMembership::factory()->create([
'workspace_id' => (int) $workspaceA->getKey(),
'user_id' => (int) $user->getKey(),
'role' => 'owner',
]);
$tenantB = Tenant::factory()->create([
'workspace_id' => (int) $workspaceB->getKey(),
]);
$runB = OperationRun::factory()->create([
'tenant_id' => (int) $tenantB->getKey(),
'workspace_id' => (int) $workspaceB->getKey(),
'type' => 'policy.sync',
'status' => 'queued',
'outcome' => 'pending',
]);
$this->actingAs($user)
->withSession([WorkspaceContext::SESSION_KEY => (int) $workspaceA->getKey()])
->get(route('admin.operations.view', ['run' => (int) $runB->getKey()]))
->assertNotFound();
});
it('keeps queue approval and rejection actions behind the approval capability', function (): void {
[$approver, $tenant] = createUserWithTenant(role: 'owner', workspaceRole: 'manager');
$readonly = User::factory()->create();
createUserWithTenant(tenant: $tenant, user: $readonly, role: 'readonly', workspaceRole: 'readonly');
$finding = Finding::factory()->for($tenant)->create();
$exception = FindingException::query()->create([
'workspace_id' => (int) $tenant->workspace_id,
'tenant_id' => (int) $tenant->getKey(),
'finding_id' => (int) $finding->getKey(),
'requested_by_user_id' => (int) $approver->getKey(),
'owner_user_id' => (int) $approver->getKey(),
'status' => FindingException::STATUS_PENDING,
'current_validity_state' => FindingException::VALIDITY_MISSING_SUPPORT,
'request_reason' => 'Authorization continuity test',
'requested_at' => now()->subDay(),
'review_due_at' => now()->addDay(),
'evidence_summary' => ['reference_count' => 0],
]);
$this->actingAs($approver);
Filament::setCurrentPanel('admin');
Filament::setTenant(null, true);
Filament::bootCurrentPanel();
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
Livewire::withQueryParams([
'exception' => (int) $exception->getKey(),
])
->actingAs($approver)
->test(FindingExceptionsQueue::class)
->assertActionVisible('approve_selected_exception')
->assertActionVisible('reject_selected_exception');
$this->actingAs($readonly)
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
->get(FindingExceptionsQueue::getUrl(panel: 'admin'))
->assertForbidden();
});
it('drops unauthorized requested tenant filters on operations instead of honoring cross-tenant query state', function (): void {
$tenantA = Tenant::factory()->create();
[$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner');
$unauthorizedTenant = Tenant::factory()->create([
'workspace_id' => (int) $tenantA->workspace_id,
]);
OperationRun::factory()->create([
'tenant_id' => (int) $tenantA->getKey(),
'workspace_id' => (int) $tenantA->workspace_id,
'type' => 'inventory_sync',
'status' => OperationRunStatus::Running->value,
'outcome' => OperationRunOutcome::Pending->value,
'created_at' => now()->subMinute(),
'started_at' => now()->subMinute(),
]);
$this->actingAs($user);
Filament::setTenant($tenantA, true);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);
Livewire::withQueryParams([
'tenant_id' => (string) $unauthorizedTenant->getKey(),
'activeTab' => 'active',
])
->actingAs($user)
->test(Operations::class)
->assertSet('tableFilters.tenant_id.value', (string) $tenantA->getKey())
->assertSet('activeTab', 'active');
});
it('falls back to an unselected audit history when the requested event is outside the accessible scope', function (): void {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$foreignTenant = Tenant::factory()->create();
$foreignAudit = AuditLog::query()->create([
'workspace_id' => (int) $foreignTenant->workspace_id,
'tenant_id' => (int) $foreignTenant->getKey(),
'actor_email' => 'owner@example.com',
'actor_name' => 'Owner',
'actor_type' => 'human',
'action' => 'workspace.selected',
'status' => 'success',
'resource_type' => 'workspace',
'resource_id' => (string) $foreignTenant->workspace_id,
'target_label' => 'Foreign workspace',
'summary' => 'Foreign workspace selected',
'recorded_at' => now(),
]);
$this->actingAs($user);
Filament::setTenant(null, true);
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
Livewire::withQueryParams(['event' => (int) $foreignAudit->getKey()])
->actingAs($user)
->test(AuditLogPage::class)
->assertSet('selectedAuditLogId', null)
->assertActionDoesNotExist('close_selected_audit_event');
});
it('falls back to an unselected queue state when the requested exception is outside the accessible tenant set', function (): void {
[$approver, $tenant] = createUserWithTenant(role: 'owner', workspaceRole: 'manager');
$foreignTenant = Tenant::factory()->create();
[$foreignRequester] = createUserWithTenant(tenant: $foreignTenant, role: 'owner');
$foreignFinding = Finding::factory()->for($foreignTenant)->create();
$foreignException = FindingException::query()->create([
'workspace_id' => (int) $foreignTenant->workspace_id,
'tenant_id' => (int) $foreignTenant->getKey(),
'finding_id' => (int) $foreignFinding->getKey(),
'requested_by_user_id' => (int) $foreignRequester->getKey(),
'owner_user_id' => (int) $foreignRequester->getKey(),
'status' => FindingException::STATUS_PENDING,
'current_validity_state' => FindingException::VALIDITY_MISSING_SUPPORT,
'request_reason' => 'Foreign exception',
'requested_at' => now()->subDay(),
'review_due_at' => now()->addDay(),
'evidence_summary' => ['reference_count' => 0],
]);
$this->actingAs($approver);
Filament::setCurrentPanel('admin');
Filament::setTenant(null, true);
Filament::bootCurrentPanel();
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);
Livewire::withQueryParams(['exception' => (int) $foreignException->getKey()])
->actingAs($approver)
->test(FindingExceptionsQueue::class)
->assertSet('selectedFindingExceptionId', null)
->assertActionHidden('clear_selected_exception')
->assertActionHidden('approve_selected_exception')
->assertActionHidden('reject_selected_exception');
});
Reference in New Issue View Git Blame Copy Permalink