ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
eef85af990
TenantAtlas/specs/062-tenant-rbac-v1/tasks.md
ahmido eef85af990 062-tenant-rbac-v1 (#74) 
Kurzbeschreibung

Implementiert Tenant RBAC v1 (specs/062-tenant-rbac-v1): tenant_memberships, Capability registry/resolver, gates, Filament RelationManager für Tenant→Members, Last‑Owner‑Guard, bootstrap assign/recover (break‑glass), Audit-Logging.
Wichtige Änderungen

Migration: create_tenant_memberships_table (T004) — ausgeführt
Models/Services: TenantMembership, Capabilities, RoleCapabilityMap, CapabilityResolver (T008–T013)
Auth: Gates registriert in AuthServiceProvider.php (T011)
Filament: RelationManager unter Settings → Tenants (Members CRUD + Last‑Owner‑Guard) (T017–T018)
Break‑glass: lokale platform superadmin + persistent banner + bootstrap_recover action (T024–T026)
Audit: Audit‑Einträge für membership actions mit canonical action_ids (T022)
Tests: neue/aktualisierte Feature- und Unit‑Tests (siehe Test‑Abschnitt)
Migrations / Deploy

Run migrations: vendor/bin/sail artisan migrate
Keine neuen Panel‑Assets registriert (kein php artisan filament:assets nötig)
Wenn Frontend nicht sichtbar: vendor/bin/sail npm run dev oder vendor/bin/sail npm run build
Tests (geprüft / neu)

Fokus-Suite ausgeführt für Tenant RBAC (T031).
Neu / aktualisiert:
CapabilitiesRegistryTest
CapabilityResolverTest
TenantSwitcherScopeTest
TenantRouteDenyAsNotFoundTest
TenantMembershipCrudTest
LastOwnerGuardTest
TenantBootstrapAssignTest
MembershipAuditLogTest
BreakGlassRecoveryTest
Befehl zum lokalen Ausführen (minimal): vendor/bin/sail artisan test tests/Feature/TenantRBAC --stop-on-failure
Filament / Sicherheits‑Contract (erforderliche Punkte)

Livewire v4.0+ compliance: bestätigt (Filament v5 target).
Provider registration: keine neue Panel‑Provider-Änderung; falls nötig: providers.php (Laravel 11+).
Globale Suche: keine neuen Ressourcen für Global Search hinzugefügt; vorhandene Ressourcen behalten Edit/View‑Pages unverändert.
Destructive actions: tenant_membership.remove und role‑demote sind destruktive — implemented via Action::make(...)->action(...)->requiresConfirmation() + policy checks.
Asset strategy: keine globalen Assets; on‑demand/load as before. Deployment: filament:assets nicht erforderlich für diese PR.
Testing plan: Livewire/Filament Komponenten + actions abgedeckt — RelationManager CRUD, Last‑Owner‑Guard, BreakGlassRecovery, CapabilityResolver/Registry, Tenant switcher + deny‑as‑not‑found route tests.
Offene/optionale Punkte

T005/T028/T029 (tenant_role_mappings migration + UI + Tests) sind optional und noch nicht umgesetzt.
Checklist (aus tasks.md)

 T001–T003 Discovery
 T004, T006–T007 Migrations (T005 optional)
 T008–T013 Models/Capabilities/Gates
 T014–T016 Tenant isolation & route enforcement
 T017–T021 Membership UI + bootstrap flows
 T022–T023 Audit logging + tests
 T024–T027 Break‑glass flows & tests
 T005, T028, T029 Optional mappings
 T030–T031 Formatting + focused tests
Migration / Test commands to run locally

vendor/bin/sail up -d
vendor/bin/sail artisan migrate
vendor/bin/sail artisan tinker (falls manuell Benutzer/Flags setzen)
vendor/bin/sail artisan test tests/Feature/TenantRBAC --stop-on-failure
Wenn du einen PR‑Titel und Labels willst, schlage ich vor:

Title: feat(062): Tenant RBAC v1 — memberships, capability resolver, break‑glass recovery
Labels: feature, tests, migration

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #74
2026-01-25 15:27:39 +00:00

123 lines
6.0 KiB
Markdown
Raw Blame History

# Actionable Tasks for Tenant RBAC v1
**Feature**: Tenant RBAC v1
**Branch**: `062-tenant-rbac-v1`
**Plan**: `specs/062-tenant-rbac-v1/plan.md`
This task list is dependency-ordered and test-driven. It implements:
- Entra (OIDC) identity (no Entra credentials stored)
- Suite-tenant authorization via `tenant_memberships` (SoT)
- Capabilities-first gates/policies (no role checks in feature code)
- Tenant switcher + direct route enforcement (non-members = 404)
- Audit logging with canonical action_ids
- Break-glass platform superadmin recovery
---
## Phase 0 — Discovery / Fit Check
- [x] T001 [P] Confirm existing auth entrypoints (where OIDC callback/upsert happens) and Filament tenancy resolver (where current tenant is set).
- [x] T002 [P] Confirm existing `User` / `Tenant` models and current schema (do NOT create duplicates). Identify required columns for Entra identity: `entra_tenant_id (tid)`, `entra_object_id (oid)`.
- [x] T003 [P] Identify existing AuditLog service/model and how to write audit entries (target format + redaction).
---
## Phase 1 — Schema (RBAC source of truth)
- [x] T004 Create migration `create_tenant_memberships_table` with:
- `tenant_id`, `user_id`, `role` (`owner|manager|operator|readonly`)
- `source` (`manual|entra_group|entra_app_role|break_glass`)
- `source_ref` (nullable)
- `created_by_user_id` (nullable)
- unique `(tenant_id, user_id)` and index `(tenant_id, role)`
- [ ] T005 (Optional, but supported) Create migration `create_tenant_role_mappings_table` with:
- `tenant_id`, `mapping_type` (`entra_group|entra_app_role`), `external_id`, `role`, `is_enabled`
- unique `(tenant_id, mapping_type, external_id)`
- [x] T006 Add/adjust `users` columns if missing: `entra_tenant_id` (tid), `entra_object_id` (oid) + unique index `(entra_tenant_id, entra_object_id)`.
- [x] T007 Run migrations.
---
## Phase 2 — Models + Capability Registry (capabilities-first)
- [x] T008 Create `app/Support/Auth/Capabilities.php` as the canonical allowlist (constants/enum) of capability strings.
- [x] T009 Create `app/Services/Auth/RoleCapabilityMap.php` (single source of truth) mapping roles → capabilities.
- [x] T010 Create `app/Services/Auth/CapabilityResolver.php`:
- resolves membership for (user, tenant) once per request (no N+1)
- answers `can($capability)` using the registry + map
- [x] T011 Register Gates in `app/Providers/AuthServiceProvider.php` using `CapabilityResolver` (no direct role checks).
- [x] T012 Add model `TenantMembership` and (if used) `TenantRoleMapping` with relationships:
- `Tenant::memberships()`, `User::tenantMemberships()`
- [x] T013 Unit tests:
- `CapabilitiesRegistryTest`: role map only references registry entries
- `CapabilityResolverTest`: Owner/Manager/Operator/Readonly mapping works and is deterministic
---
## Phase 3 — Tenant Isolation (switcher + deny-as-not-found)
- [x] T014 Enforce tenant switcher scoping: only tenants with a membership are listable/selectable for a user.
- [x] T015 Enforce route-level deny-as-not-found:
- direct access to `/t/{tenant}` and tenant-scoped resources returns 404 when user is not a member.
- member without capability returns 403.
- [x] T016 Feature tests:
- `TenantSwitcherScopeTest`: only membership tenants appear
- `TenantRouteDenyAsNotFoundTest`: non-member gets 404 for direct URL
---
## Phase 4 — Suite Tenant Membership Management UI (Tenant → Members)
- [x] T017 Add a Filament Relation Manager (or equivalent) under `Settings → Tenants` to manage memberships:
- list members + role
- add member (select existing user) + role
- edit member role
- remove member
- [x] T018 Implement **Last Owner Guard**:
- prevent removing/demoting last `owner` membership (clear UI message)
- [x] T019 Implement **Bootstrap assign**:
- on tenant creation, creator becomes Owner (action_id `tenant_membership.bootstrap_assign`)
- [x] T020 Implement **Bootstrap recover** (platform superadmin path):
- add/assign Owner when needed (action_id `tenant_membership.bootstrap_recover`)
- [x] T021 Feature tests:
- `TenantMembershipCrudTest`
- `LastOwnerGuardTest`
- `TenantBootstrapAssignTest`
---
## Phase 5 — Audit Logging (canonical action_ids)
- [x] T022 Add audit logging for membership and mapping changes with canonical action_ids:
- `tenant_membership.add`
- `tenant_membership.role_change`
- `tenant_membership.remove`
- `tenant_membership.bootstrap_assign`
- `tenant_membership.bootstrap_recover`
- `tenant_role_mapping.create|update|delete` (if mappings are enabled)
Audit entries must be redacted (no secrets; minimal identity data).
- [x] T023 Feature test `MembershipAuditLogTest` ensures audit entries are written on add/change/remove and contain no sensitive fields.
---
## Phase 6 — Break-glass Platform Superadmin (recovery)
- [x] T024 Implement (or confirm existing) local platform superadmin authentication separate from Entra users.
- [x] T025 Add a persistent UI banner when authenticated as break-glass.
- [x] T026 Ensure platform superadmin can manage memberships across all tenants for recovery (at least to add an Owner).
- [x] T027 Feature test `BreakGlassRecoveryTest`:
- can assign owner to tenant
- actions are audited with bootstrap_recover
---
## Phase 7 — Optional: Entra Mapping (deferred execution in v1)
- [ ] T028 (Optional) Add UI to manage `tenant_role_mappings` (no Graph calls for resolution in v1).
- [ ] T029 (Optional) Test that mapping records are tenant-scoped and audited on create/update/delete.
---
## Phase 8 — Quality Gates
- [x] T030 Run formatting: `./vendor/bin/sail php ./vendor/bin/pint --dirty`
- [x] T031 Run focused tests: `./vendor/bin/sail artisan test tests/Feature/TenantRBAC --stop-on-failure`
---
## Notes / Guardrails
- Non-member access = **404** (deny-as-not-found). Member without capability = **403**.
- No feature code may use `role == ...` checks. Always gates/capabilities.
- Do not add any render-time Graph calls (group/app-role resolution is deferred unless explicitly scheduled as a job in a later feature).
Reference in New Issue View Git Blame Copy Permalink