ahmido
eef85af990
Kurzbeschreibung Implementiert Tenant RBAC v1 (specs/062-tenant-rbac-v1): tenant_memberships, Capability registry/resolver, gates, Filament RelationManager für Tenant→Members, Last‑Owner‑Guard, bootstrap assign/recover (break‑glass), Audit-Logging. Wichtige Änderungen Migration: create_tenant_memberships_table (T004) — ausgeführt Models/Services: TenantMembership, Capabilities, RoleCapabilityMap, CapabilityResolver (T008–T013) Auth: Gates registriert in AuthServiceProvider.php (T011) Filament: RelationManager unter Settings → Tenants (Members CRUD + Last‑Owner‑Guard) (T017–T018) Break‑glass: lokale platform superadmin + persistent banner + bootstrap_recover action (T024–T026) Audit: Audit‑Einträge für membership actions mit canonical action_ids (T022) Tests: neue/aktualisierte Feature- und Unit‑Tests (siehe Test‑Abschnitt) Migrations / Deploy Run migrations: vendor/bin/sail artisan migrate Keine neuen Panel‑Assets registriert (kein php artisan filament:assets nötig) Wenn Frontend nicht sichtbar: vendor/bin/sail npm run dev oder vendor/bin/sail npm run build Tests (geprüft / neu) Fokus-Suite ausgeführt für Tenant RBAC (T031). Neu / aktualisiert: CapabilitiesRegistryTest CapabilityResolverTest TenantSwitcherScopeTest TenantRouteDenyAsNotFoundTest TenantMembershipCrudTest LastOwnerGuardTest TenantBootstrapAssignTest MembershipAuditLogTest BreakGlassRecoveryTest Befehl zum lokalen Ausführen (minimal): vendor/bin/sail artisan test tests/Feature/TenantRBAC --stop-on-failure Filament / Sicherheits‑Contract (erforderliche Punkte) Livewire v4.0+ compliance: bestätigt (Filament v5 target). Provider registration: keine neue Panel‑Provider-Änderung; falls nötig: providers.php (Laravel 11+). Globale Suche: keine neuen Ressourcen für Global Search hinzugefügt; vorhandene Ressourcen behalten Edit/View‑Pages unverändert. Destructive actions: tenant_membership.remove und role‑demote sind destruktive — implemented via Action::make(...)->action(...)->requiresConfirmation() + policy checks. Asset strategy: keine globalen Assets; on‑demand/load as before. Deployment: filament:assets nicht erforderlich für diese PR. Testing plan: Livewire/Filament Komponenten + actions abgedeckt — RelationManager CRUD, Last‑Owner‑Guard, BreakGlassRecovery, CapabilityResolver/Registry, Tenant switcher + deny‑as‑not‑found route tests. Offene/optionale Punkte T005/T028/T029 (tenant_role_mappings migration + UI + Tests) sind optional und noch nicht umgesetzt. Checklist (aus tasks.md) T001–T003 Discovery T004, T006–T007 Migrations (T005 optional) T008–T013 Models/Capabilities/Gates T014–T016 Tenant isolation & route enforcement T017–T021 Membership UI + bootstrap flows T022–T023 Audit logging + tests T024–T027 Break‑glass flows & tests T005, T028, T029 Optional mappings T030–T031 Formatting + focused tests Migration / Test commands to run locally vendor/bin/sail up -d vendor/bin/sail artisan migrate vendor/bin/sail artisan tinker (falls manuell Benutzer/Flags setzen) vendor/bin/sail artisan test tests/Feature/TenantRBAC --stop-on-failure Wenn du einen PR‑Titel und Labels willst, schlage ich vor: Title: feat(062): Tenant RBAC v1 — memberships, capability resolver, break‑glass recovery Labels: feature, tests, migration Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #74
107 lines
3.4 KiB
PHP
107 lines
3.4 KiB
PHP
<?php
|
|
|
|
namespace App\Filament\Pages\Tenancy;
|
|
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Services\Intune\AuditLogger;
|
|
use App\Support\TenantRole;
|
|
use Filament\Forms;
|
|
use Filament\Pages\Tenancy\RegisterTenant as BaseRegisterTenant;
|
|
use Filament\Schemas\Schema;
|
|
use Illuminate\Database\Eloquent\Model;
|
|
|
|
class RegisterTenant extends BaseRegisterTenant
|
|
{
|
|
public static function getLabel(): string
|
|
{
|
|
return 'Register tenant';
|
|
}
|
|
|
|
public static function canView(): bool
|
|
{
|
|
return true;
|
|
}
|
|
|
|
public function form(Schema $schema): Schema
|
|
{
|
|
return $schema
|
|
->schema([
|
|
Forms\Components\TextInput::make('name')
|
|
->required()
|
|
->maxLength(255),
|
|
Forms\Components\Select::make('environment')
|
|
->options([
|
|
'prod' => 'PROD',
|
|
'dev' => 'DEV',
|
|
'staging' => 'STAGING',
|
|
'other' => 'Other',
|
|
])
|
|
->default('other')
|
|
->required(),
|
|
Forms\Components\TextInput::make('tenant_id')
|
|
->label('Tenant ID (GUID)')
|
|
->required()
|
|
->maxLength(255)
|
|
->unique(ignoreRecord: true),
|
|
Forms\Components\TextInput::make('domain')
|
|
->label('Primary domain')
|
|
->maxLength(255),
|
|
Forms\Components\TextInput::make('app_client_id')
|
|
->label('App Client ID')
|
|
->maxLength(255),
|
|
Forms\Components\TextInput::make('app_client_secret')
|
|
->label('App Client Secret')
|
|
->password()
|
|
->dehydrateStateUsing(fn ($state) => filled($state) ? $state : null)
|
|
->dehydrated(fn ($state) => filled($state)),
|
|
Forms\Components\TextInput::make('app_certificate_thumbprint')
|
|
->label('Certificate thumbprint')
|
|
->maxLength(255),
|
|
Forms\Components\Textarea::make('app_notes')
|
|
->label('Notes')
|
|
->rows(3),
|
|
]);
|
|
}
|
|
|
|
/**
|
|
* @param array<string, mixed> $data
|
|
*/
|
|
protected function handleRegistration(array $data): Model
|
|
{
|
|
$tenant = Tenant::create($data);
|
|
|
|
$user = auth()->user();
|
|
|
|
if ($user instanceof User) {
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenant->getKey() => [
|
|
'role' => TenantRole::Owner->value,
|
|
'source' => 'manual',
|
|
'created_by_user_id' => $user->getKey(),
|
|
],
|
|
]);
|
|
|
|
app(AuditLogger::class)->log(
|
|
tenant: $tenant,
|
|
action: 'tenant_membership.bootstrap_assign',
|
|
context: [
|
|
'metadata' => [
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => TenantRole::Owner->value,
|
|
'source' => 'manual',
|
|
],
|
|
],
|
|
actorId: (int) $user->getKey(),
|
|
actorEmail: $user->email,
|
|
actorName: $user->name,
|
|
status: 'success',
|
|
resourceType: 'tenant',
|
|
resourceId: (string) $tenant->getKey(),
|
|
);
|
|
}
|
|
|
|
return $tenant;
|
|
}
|
|
}
|