ahmido
da1adbdeb5
Implements Spec 119 (Drift Golden Master Cutover): - Baseline Compare is the only drift writer (`source = baseline.compare`). - Drift findings now store diff-compatible `evidence_jsonb` (summary.kind, baseline/current policy_version_id refs, fidelity + provenance). - Findings UI renders one-sided diffs for `missing_policy`/`unexpected_policy` when a single ref exists; otherwise shows explicit “diff unavailable”. - Removes legacy drift generator runtime (jobs/services/UI) and related tests. - Adds one-time migration to delete legacy drift findings (`finding_type=drift` where source is null or != baseline.compare). - Scopes baseline capture & landing duplicate warnings to latest completed inventory sync. - Canonicalizes compliance `scheduledActionsForRule` drift signal and keeps legacy snapshots comparable. Tests: - `vendor/bin/sail artisan test --compact` (full suite per tasks) - Focused pack: BaselinePolicyVersionResolverTest, BaselineCompareDriftEvidenceContractTest, DriftFindingDiffUnavailableTest, LegacyDriftFindingsCleanupMigrationTest, ComplianceNoncomplianceActionsDriftTest Notes: - Livewire v4+ / Filament v5 compatible (no legacy APIs). - No new external dependencies. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #144
155 lines
5.5 KiB
PHP
155 lines
5.5 KiB
PHP
<?php
|
|
|
|
use App\Filament\Pages\ChooseTenant;
|
|
use App\Filament\Pages\TenantDashboard;
|
|
use App\Filament\Resources\TenantResource\Pages\ListTenants;
|
|
use App\Models\Tenant;
|
|
use App\Support\Auth\UiTooltips;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Gate;
|
|
use Illuminate\Support\Facades\Http;
|
|
use Livewire\Livewire;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
beforeEach(function (): void {
|
|
Http::preventStrayRequests();
|
|
});
|
|
|
|
test('readonly users may switch current tenant via ChooseTenant', function () {
|
|
[$user, $tenantA] = createUserWithTenant(role: 'readonly');
|
|
|
|
$tenantB = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
'is_current' => false,
|
|
]);
|
|
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenantB->getKey() => ['role' => 'readonly'],
|
|
]);
|
|
|
|
$tenantB->makeCurrent();
|
|
|
|
expect($tenantA->fresh()->is_current)->toBeFalse();
|
|
expect($tenantB->fresh()->is_current)->toBeTrue();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ChooseTenant::class)
|
|
->call('selectTenant', $tenantA->getKey())
|
|
->assertRedirect(TenantDashboard::getUrl(tenant: $tenantA));
|
|
});
|
|
|
|
test('users cannot switch to a tenant they are not a member of', function () {
|
|
[$user] = createUserWithTenant(role: 'readonly');
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
]);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ChooseTenant::class)
|
|
->call('selectTenant', $tenant->getKey())
|
|
->assertStatus(404);
|
|
});
|
|
|
|
test('readonly users cannot deactivate tenants (archive)', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('archive', $tenant)
|
|
->assertTableActionExists('archive', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('archive', $tenant);
|
|
|
|
expect($tenant->fresh()->trashed())->toBeFalse();
|
|
});
|
|
|
|
test('readonly users cannot force delete tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$tenant->delete();
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('forceDelete', $tenant)
|
|
->assertTableActionExists('forceDelete', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('forceDelete', $tenant);
|
|
|
|
expect(Tenant::withTrashed()->find($tenant->getKey()))->not->toBeNull();
|
|
});
|
|
|
|
test('readonly users cannot verify tenant configuration', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('verify', $tenant)
|
|
->assertTableActionExists('verify', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('verify', $tenant);
|
|
});
|
|
|
|
test('readonly users cannot setup intune rbac', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('setup_rbac', $tenant);
|
|
});
|
|
|
|
test('readonly users cannot edit tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('edit', $tenant)
|
|
->assertTableActionExists('edit', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|
|
|
|
test('readonly users cannot open admin consent', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(\App\Filament\Resources\TenantResource::adminConsentUrl($tenant))->not->toBeNull();
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('admin_consent', $tenant)
|
|
->assertTableActionExists('admin_consent', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|
|
|
|
test('readonly users cannot start tenant sync from tenant menu', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_SYNC, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('syncTenant', $tenant)
|
|
->assertTableActionExists('syncTenant', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|