TenantAtlas/apps/platform/app/Services/Providers/PlatformProviderIdentityResolver.php

<?php

namespace App\Services\Providers;

use App\Support\Providers\ProviderConnectionType;
use App\Support\Providers\ProviderReasonCodes;
use App\Support\Providers\TargetScope\ProviderConnectionTargetScopeDescriptor;
use App\Support\Providers\TargetScope\ProviderIdentityContextMetadata;

final class PlatformProviderIdentityResolver
{
    /**
     * @param  list<ProviderIdentityContextMetadata>  $contextualIdentityDetails
     */
    public function resolve(
        string $tenantContext,
        ?ProviderConnectionTargetScopeDescriptor $targetScope = null,
        array $contextualIdentityDetails = [],
    ): ProviderIdentityResolution {
        $targetTenant = trim($tenantContext);
        $clientId = trim((string) config('graph.client_id'));
        $clientSecret = trim((string) config('graph.client_secret'));
        $authorityTenant = trim((string) config('graph.managed_environment_id', 'organizations'));
        $redirectUri = trim((string) route('admin.consent.callback'));

        if ($targetTenant === '') {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Platform,
                tenantContext: 'organizations',
                credentialSource: 'platform_config',
                reasonCode: ProviderReasonCodes::ProviderConnectionInvalid,
                message: 'Provider connection is missing target tenant scope.',
                targetScope: $targetScope,
                contextualIdentityDetails: $contextualIdentityDetails,
            );
        }

        if ($clientId === '') {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Platform,
                tenantContext: $targetTenant,
                credentialSource: 'platform_config',
                reasonCode: ProviderReasonCodes::PlatformIdentityMissing,
                message: 'Platform app identity is not configured.',
                targetScope: $targetScope,
                contextualIdentityDetails: $contextualIdentityDetails,
            );
        }

        if ($clientSecret === '' || $redirectUri === '') {
            return ProviderIdentityResolution::blocked(
                connectionType: ProviderConnectionType::Platform,
                tenantContext: $targetTenant,
                credentialSource: 'platform_config',
                reasonCode: ProviderReasonCodes::PlatformIdentityIncomplete,
                message: 'Platform app identity is incomplete.',
                targetScope: $targetScope,
                contextualIdentityDetails: $contextualIdentityDetails,
            );
        }

        return ProviderIdentityResolution::resolved(
            connectionType: ProviderConnectionType::Platform,
            tenantContext: $targetTenant,
            effectiveClientId: $clientId,
            credentialSource: 'platform_config',
            clientSecret: $clientSecret,
            authorityTenant: $authorityTenant !== '' ? $authorityTenant : 'organizations',
            redirectUri: $redirectUri,
            targetScope: $targetScope,
            contextualIdentityDetails: $contextualIdentityDetails !== []
                ? array_values(array_merge($contextualIdentityDetails, array_filter([
                    ProviderIdentityContextMetadata::authorityTenant($authorityTenant !== '' ? $authorityTenant : 'organizations'),
                    ProviderIdentityContextMetadata::redirectUri($redirectUri),
                ])))
                : [],
        );
    }
}