ahmido
ce0615a9c1
## Summary - move the Laravel application into `apps/platform` and keep the repository root for orchestration, docs, and tooling - update the local command model, Sail/Docker wiring, runtime paths, and ignore rules around the new platform location - add relocation quickstart/contracts plus focused smoke coverage for bootstrap, command model, routes, and runtime behavior ## Validation - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/PlatformRelocation` - integrated browser smoke validated `/up`, `/`, `/admin`, `/admin/choose-workspace`, and tenant route semantics for `200`, `403`, and `404` ## Remaining Rollout Checks - validate Dokploy build context and working-directory assumptions against the new `apps/platform` layout - confirm web, queue, and scheduler processes all start from the expected working directory in staging/production - verify no legacy volume mounts or asset-publish paths still point at the old root-level `public/` or `storage/` locations Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #213
163 lines
6.0 KiB
PHP
163 lines
6.0 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\AuditLog;
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\ProviderCredential;
|
|
use App\Services\Providers\CredentialManager;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('Spec081 audits credential creation with stable action and no secret leakage', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->dedicated()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
$secret = 'spec081-secret-created';
|
|
|
|
$this->actingAs($user);
|
|
|
|
app(CredentialManager::class)->upsertClientSecretCredential(
|
|
connection: $connection,
|
|
clientId: 'spec081-client-created',
|
|
clientSecret: $secret,
|
|
);
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_created')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->actor_id)->toBe((int) $user->getKey())
|
|
->and($log?->metadata['provider_connection_id'] ?? null)->toBe((int) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_id')
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_secret')
|
|
->and($log?->metadata['redacted_fields'] ?? [])->toContain('client_secret')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain($secret);
|
|
});
|
|
|
|
it('Spec081 audits client id updates as credentials_updated without leaking secrets', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->dedicated()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
ProviderCredential::factory()->create([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'payload' => [
|
|
'client_id' => 'spec081-client-before',
|
|
'client_secret' => 'spec081-secret-before',
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user);
|
|
|
|
app(CredentialManager::class)->updateClientIdPreservingSecret(
|
|
connection: $connection,
|
|
clientId: 'spec081-client-after',
|
|
);
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_updated')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_id')
|
|
->and($log?->metadata['changed_fields'] ?? [])->not->toContain('client_secret')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain('spec081-secret-before');
|
|
});
|
|
|
|
it('Spec081 audits secret rotation as credentials_rotated with redacted metadata', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->dedicated()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
ProviderCredential::factory()->create([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'payload' => [
|
|
'client_id' => 'spec081-client-stable',
|
|
'client_secret' => 'spec081-secret-before-rotate',
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user);
|
|
|
|
$rotatedSecret = 'spec081-secret-after-rotate';
|
|
|
|
app(CredentialManager::class)->upsertClientSecretCredential(
|
|
connection: $connection,
|
|
clientId: 'spec081-client-stable',
|
|
clientSecret: $rotatedSecret,
|
|
);
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_rotated')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_secret')
|
|
->and($log?->metadata['redacted_fields'] ?? [])->toContain('client_secret')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain($rotatedSecret);
|
|
});
|
|
|
|
it('Spec081 audits dedicated credential deletion without leaking secrets', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->dedicated()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'provider' => 'microsoft',
|
|
]);
|
|
|
|
$credential = ProviderCredential::factory()->create([
|
|
'provider_connection_id' => (int) $connection->getKey(),
|
|
'payload' => [
|
|
'client_id' => 'spec081-client-delete',
|
|
'client_secret' => 'spec081-secret-delete',
|
|
],
|
|
]);
|
|
|
|
$this->actingAs($user);
|
|
|
|
$credential->delete();
|
|
|
|
$log = AuditLog::query()
|
|
->where('tenant_id', (int) $tenant->getKey())
|
|
->where('action', 'provider_connection.credentials_deleted')
|
|
->latest('id')
|
|
->first();
|
|
|
|
expect($log)->not->toBeNull()
|
|
->and($log?->resource_type)->toBe('provider_connection')
|
|
->and($log?->resource_id)->toBe((string) $connection->getKey())
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_id')
|
|
->and($log?->metadata['changed_fields'] ?? [])->toContain('client_secret')
|
|
->and($log?->metadata['connection_type'] ?? null)->toBe('dedicated')
|
|
->and((string) json_encode($log?->metadata ?? []))->not->toContain('spec081-secret-delete');
|
|
});
|