ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects 1 Releases Wiki Activity
ef5c223172
TenantAtlas/app/Http/Controllers/AdminConsentCallbackController.php
ahmido ef5c223172 fix(onboarding): preserve workspace scope and consent flow (#117) 
## Summary
<!-- Kurz: Was ändert sich und warum? -->

## Spec-Driven Development (SDD)
- [ ] Es gibt eine Spec unter `specs/<NNN>-<feature>/`
- [ ] Enthaltene Dateien: `plan.md`, `tasks.md`, `spec.md`
- [ ] Spec beschreibt Verhalten/Acceptance Criteria (nicht nur Implementation)
- [ ] Wenn sich Anforderungen während der Umsetzung geändert haben: Spec/Plan/Tasks wurden aktualisiert

## Implementation
- [ ] Implementierung entspricht der Spec
- [ ] Edge cases / Fehlerfälle berücksichtigt
- [ ] Keine unbeabsichtigten Änderungen außerhalb des Scopes

## Tests
- [ ] Tests ergänzt/aktualisiert (Pest/PHPUnit)
- [ ] Relevante Tests lokal ausgeführt (`./vendor/bin/sail artisan test` oder `php artisan test`)

## Migration / Config / Ops (falls relevant)
- [ ] Migration(en) enthalten und getestet
- [ ] Rollback bedacht (rückwärts kompatibel, sichere Migration)
- [ ] Neue Env Vars dokumentiert (`.env.example` / Doku)
- [ ] Queue/cron/storage Auswirkungen geprüft

## UI (Filament/Livewire) (falls relevant)
- [ ] UI-Flows geprüft
- [ ] Screenshots/Notizen hinzugefügt

## Notes
<!-- Links, Screenshots, Follow-ups, offene Punkte -->

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #117
2026-02-15 22:27:55 +00:00

168 lines
5.4 KiB
PHP
Raw Blame History

<?php
namespace App\Http\Controllers;
use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Services\Intune\AuditLogger;
use App\Support\Providers\ProviderReasonCodes;
use Illuminate\Http\Request;
use Illuminate\View\View;
use Symfony\Component\HttpFoundation\Response as ResponseAlias;
class AdminConsentCallbackController extends Controller
{
/**
* Handle the incoming request.
*/
public function __invoke(
Request $request,
AuditLogger $auditLogger,
): View {
$expectedState = $request->session()->pull('tenant_onboard_state');
$workspaceId = $request->session()->pull('tenant_onboard_workspace_id');
$tenantKey = $request->string('tenant')->toString();
$state = $request->string('state')->toString();
$tenantIdentifier = $tenantKey ?: $this->parseState($state);
if ($expectedState && $expectedState !== $state) {
abort(ResponseAlias::HTTP_FORBIDDEN, 'Invalid consent state');
}
abort_if(empty($tenantIdentifier), 404);
$tenant = $this->resolveTenant($tenantIdentifier, is_numeric($workspaceId) ? (int) $workspaceId : null);
$error = $request->string('error')->toString() ?: null;
$consentGranted = $request->has('admin_consent')
? filter_var($request->input('admin_consent'), FILTER_VALIDATE_BOOLEAN)
: null;
$status = match (true) {
$error !== null => 'error',
$consentGranted === false => 'consent_denied',
$consentGranted === true => 'ok',
default => 'pending',
};
$connection = $this->upsertProviderConnectionForConsent(
tenant: $tenant,
status: $status,
error: $error,
);
$auditLogger->log(
tenant: $tenant,
action: 'tenant.consent.callback',
context: [
'metadata' => [
'status' => $status,
'state' => $state,
'error' => $error,
'consent' => $consentGranted,
'provider_connection_id' => (int) $connection->getKey(),
],
],
status: $status === 'ok' ? 'success' : 'error',
resourceType: 'tenant',
resourceId: (string) $tenant->id,
);
return view('admin-consent-callback', [
'tenant' => $tenant,
'status' => $status,
'error' => $error,
'consentGranted' => $consentGranted,
]);
}
private function resolveTenant(string $tenantIdentifier, ?int $workspaceId): Tenant
{
/** @var Tenant|null $tenant */
$tenant = Tenant::withTrashed()
->forTenant($tenantIdentifier)
->first();
if ($tenant?->trashed()) {
$tenant->restore();
}
if ($tenant instanceof Tenant) {
if ($tenant->workspace_id === null && $workspaceId !== null) {
$tenant->forceFill(['workspace_id' => $workspaceId])->save();
}
return $tenant;
}
abort_if($workspaceId === null, ResponseAlias::HTTP_FORBIDDEN, 'Missing workspace context');
return Tenant::create([
'tenant_id' => $tenantIdentifier,
'name' => 'New Tenant',
'workspace_id' => $workspaceId,
]);
}
private function upsertProviderConnectionForConsent(Tenant $tenant, string $status, ?string $error): ProviderConnection
{
$hasDefault = ProviderConnection::query()
->where('tenant_id', (int) $tenant->getKey())
->where('provider', 'microsoft')
->where('is_default', true)
->exists();
$connectionStatus = match ($status) {
'ok' => 'connected',
'error' => 'error',
'consent_denied' => 'needs_consent',
default => 'needs_consent',
};
$reasonCode = match ($status) {
'ok' => null,
'consent_denied' => ProviderReasonCodes::ProviderConsentMissing,
'error' => ProviderReasonCodes::ProviderAuthFailed,
default => ProviderReasonCodes::ProviderConsentMissing,
};
$connection = ProviderConnection::query()->updateOrCreate(
[
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'entra_tenant_id' => (string) ($tenant->graphTenantId() ?? $tenant->tenant_id ?? $tenant->external_id),
],
[
'workspace_id' => (int) $tenant->workspace_id,
'display_name' => (string) ($tenant->name ?? 'Microsoft Connection'),
'status' => $connectionStatus,
'health_status' => $connectionStatus === 'connected' ? 'unknown' : 'degraded',
'last_error_reason_code' => $reasonCode,
'last_error_message' => $error,
'is_default' => $hasDefault ? false : true,
],
);
if (! $hasDefault && ! $connection->is_default) {
$connection->makeDefault();
}
return $connection;
}
private function parseState(?string $state): ?string
{
if (empty($state)) {
return null;
}
if (str_contains($state, '|')) {
[, $value] = explode('|', $state, 2);
return $value;
}
return $state;
}
}
Reference in New Issue View Git Blame Copy Permalink