ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases Wiki Activity
f7bbea2623
TenantAtlas/apps/platform/tests/Feature/PolicySyncServiceTest.php
ahmido 1655cc481e Spec 188: canonical provider connection state cleanup (#219) 
## Summary
- migrate provider connections to the canonical three-dimension state model: lifecycle via `is_enabled`, consent via `consent_status`, and verification via `verification_status`
- remove legacy provider status and health badge paths, update admin and system directory surfaces, and align onboarding, consent callback, verification, resolver, and mutation flows with the new model
- add the Spec 188 artifact set, schema migrations, guard coverage, and expanded provider-state tests across admin, system, onboarding, verification, and rendering paths

## Verification
- `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent`
- `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/SystemPanelAuthTest.php tests/Feature/Filament/TenantGlobalSearchLifecycleScopeTest.php tests/Feature/ProviderConnections/ProviderConnectionEnableDisableTest.php tests/Feature/ProviderConnections/ProviderConnectionTruthCleanupSpec179Test.php`
- integrated browser smoke: validated admin provider list/detail/edit, tenant provider summary, system directory tenant detail, provider-connection search exclusion, and cleaned up the temporary smoke record afterward

## Filament / implementation notes
- Livewire v4.0+ compliance: preserved; this change targets Filament v5 on Livewire v4 and does not introduce older APIs
- Provider registration location: unchanged; Laravel 11+ panel providers remain registered in `bootstrap/providers.php`
- Globally searchable resources: `ProviderConnectionResource` remains intentionally excluded from global search; tenant global search remains enabled and continues to resolve to view pages
- Destructive actions: no new destructive action surface was introduced without confirmation or authorization; existing capability checks continue to gate provider mutations
- Asset strategy: unchanged; no new Filament assets were added, so deploy behavior for `php artisan filament:assets` remains unchanged
- Testing plan covered: system auth, tenant global search, provider lifecycle enable/disable behavior, and provider truth cleanup cutover behavior

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #219
2026-04-10 11:22:56 +00:00

361 lines
12 KiB
PHP
Raw Blame History

<?php
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Models\ProviderConnection;
use App\Models\ProviderCredential;
use App\Models\Tenant;
use App\Services\Graph\GraphClientInterface;
use App\Services\Graph\GraphLogger;
use App\Services\Graph\GraphResponse;
use App\Services\Intune\PolicySyncService;
use function Pest\Laravel\mock;
function tenantWithDefaultMicrosoftConnectionForPolicySync(array $attributes = []): Tenant
{
$tenant = Tenant::factory()->create($attributes + [
'status' => 'active',
'app_client_id' => null,
'app_client_secret' => null,
]);
$connection = ProviderConnection::factory()->consentGranted()->create([
'tenant_id' => (int) $tenant->getKey(),
'provider' => 'microsoft',
'is_default' => true,
'consent_status' => 'granted',
'entra_tenant_id' => (string) ($tenant->tenant_id ?: 'tenant-'.$tenant->getKey()),
]);
ProviderCredential::factory()->create([
'provider_connection_id' => (int) $connection->getKey(),
'type' => 'client_secret',
'payload' => [
'client_id' => 'provider-client-'.$tenant->getKey(),
'client_secret' => 'provider-secret-'.$tenant->getKey(),
],
]);
return $tenant;
}
it('marks targeted managed app configurations as ignored during sync', function () {
$tenant = tenantWithDefaultMicrosoftConnectionForPolicySync();
$policy = Policy::factory()->create([
'tenant_id' => $tenant->id,
'external_id' => 'policy-1',
'policy_type' => 'appProtectionPolicy',
'ignored_at' => null,
]);
$logger = mock(GraphLogger::class);
$logger->shouldReceive('logRequest')
->zeroOrMoreTimes()
->andReturnNull();
$logger->shouldReceive('logResponse')
->zeroOrMoreTimes()
->andReturnNull();
mock(GraphClientInterface::class)
->shouldReceive('listPolicies')
->once()
->andReturn(new GraphResponse(
success: true,
data: [
[
'id' => 'policy-1',
'displayName' => 'Ignored policy',
'@odata.type' => '#microsoft.graph.targetedManagedAppConfiguration',
],
],
));
$service = app(PolicySyncService::class);
$synced = $service->syncPolicies($tenant, [
['type' => 'appProtectionPolicy'],
]);
$policy->refresh();
expect($policy->ignored_at)->not->toBeNull();
expect($synced)->toBeArray()->toBeEmpty();
});
it('uses isof filters for windows update rings and supports feature/quality update profiles', function () {
$supported = config('tenantpilot.supported_policy_types');
$byType = collect($supported)->keyBy('type');
expect($byType)->toHaveKeys(['deviceConfiguration', 'windowsUpdateRing', 'windowsFeatureUpdateProfile', 'windowsQualityUpdateProfile', 'windowsDriverUpdateProfile']);
expect($byType['deviceConfiguration']['filter'] ?? null)
->toBe("not isof('microsoft.graph.windowsUpdateForBusinessConfiguration')");
expect($byType['windowsUpdateRing']['filter'] ?? null)
->toBe("isof('microsoft.graph.windowsUpdateForBusinessConfiguration')");
expect($byType['windowsFeatureUpdateProfile']['endpoint'] ?? null)
->toBe('deviceManagement/windowsFeatureUpdateProfiles');
expect($byType['windowsQualityUpdateProfile']['endpoint'] ?? null)
->toBe('deviceManagement/windowsQualityUpdateProfiles');
expect($byType['windowsDriverUpdateProfile']['endpoint'] ?? null)
->toBe('deviceManagement/windowsDriverUpdateProfiles');
});
it('syncs windows driver update profiles from Graph', function () {
$tenant = tenantWithDefaultMicrosoftConnectionForPolicySync();
$logger = mock(GraphLogger::class);
$logger->shouldReceive('logRequest')
->zeroOrMoreTimes()
->andReturnNull();
$logger->shouldReceive('logResponse')
->zeroOrMoreTimes()
->andReturnNull();
mock(GraphClientInterface::class)
->shouldReceive('listPolicies')
->once()
->with('windowsDriverUpdateProfile', mockery::type('array'))
->andReturn(new GraphResponse(
success: true,
data: [
[
'id' => 'wdp-1',
'displayName' => 'Driver Updates A',
'@odata.type' => '#microsoft.graph.windowsDriverUpdateProfile',
'approvalType' => 'automatic',
],
],
));
$service = app(PolicySyncService::class);
$service->syncPolicies($tenant, [
['type' => 'windowsDriverUpdateProfile', 'platform' => 'windows'],
]);
expect(Policy::query()->where('tenant_id', $tenant->id)->where('policy_type', 'windowsDriverUpdateProfile')->count())
->toBe(1);
});
it('includes managed device app configurations in supported types', function () {
$supported = config('tenantpilot.supported_policy_types');
$byType = collect($supported)->keyBy('type');
expect($byType)->toHaveKey('managedDeviceAppConfiguration');
expect($byType['managedDeviceAppConfiguration']['endpoint'] ?? null)
->toBe('deviceAppManagement/mobileAppConfigurations');
expect($byType['managedDeviceAppConfiguration']['filter'] ?? null)
->toBe("microsoft.graph.androidManagedStoreAppConfiguration/appSupportsOemConfig eq false or isof('microsoft.graph.androidManagedStoreAppConfiguration') eq false");
});
it('syncs managed device app configurations from Graph', function () {
$tenant = tenantWithDefaultMicrosoftConnectionForPolicySync();
$logger = mock(GraphLogger::class);
$logger->shouldReceive('logRequest')
->zeroOrMoreTimes()
->andReturnNull();
$logger->shouldReceive('logResponse')
->zeroOrMoreTimes()
->andReturnNull();
mock(GraphClientInterface::class)
->shouldReceive('listPolicies')
->once()
->with('managedDeviceAppConfiguration', mockery::type('array'))
->andReturn(new GraphResponse(
success: true,
data: [
[
'id' => 'madc-1',
'displayName' => 'MAM Device Config',
'@odata.type' => '#microsoft.graph.managedDeviceMobileAppConfiguration',
],
],
));
$service = app(PolicySyncService::class);
$service->syncPolicies($tenant, [
['type' => 'managedDeviceAppConfiguration', 'platform' => 'mobile'],
]);
expect(Policy::query()->where('tenant_id', $tenant->id)->where('policy_type', 'managedDeviceAppConfiguration')->count())
->toBe(1);
});
it('classifies configuration policies into settings catalog, endpoint security, and security baseline types', function () {
$tenant = tenantWithDefaultMicrosoftConnectionForPolicySync();
$logger = mock(GraphLogger::class);
$logger->shouldReceive('logRequest')
->zeroOrMoreTimes()
->andReturnNull();
$logger->shouldReceive('logResponse')
->zeroOrMoreTimes()
->andReturnNull();
$graphResponse = new GraphResponse(
success: true,
data: [
[
'id' => 'scp-1',
'name' => 'Settings Catalog Alpha',
'@odata.type' => '#microsoft.graph.deviceManagementConfigurationPolicy',
'technologies' => ['mdm'],
'templateReference' => null,
],
[
'id' => 'esp-1',
'name' => 'Endpoint Security Beta',
'@odata.type' => '#microsoft.graph.deviceManagementConfigurationPolicy',
'technologies' => 'mdm',
'templateReference' => [
'templateFamily' => 'endpointSecurityDiskEncryption',
'templateDisplayName' => 'BitLocker',
],
],
[
'id' => 'sb-1',
'name' => 'Security Baseline Gamma',
'@odata.type' => '#microsoft.graph.deviceManagementConfigurationPolicy',
'technologies' => ['mdm'],
'templateReference' => [
'templateFamily' => 'securityBaseline',
],
],
],
);
$calledTypes = [];
mock(GraphClientInterface::class)
->shouldReceive('listPolicies')
->times(3)
->andReturnUsing(function (string $policyType) use (&$calledTypes, $graphResponse) {
$calledTypes[] = $policyType;
return $graphResponse;
});
$service = app(PolicySyncService::class);
$service->syncPolicies($tenant, [
['type' => 'settingsCatalogPolicy', 'platform' => 'windows'],
['type' => 'endpointSecurityPolicy', 'platform' => 'windows'],
['type' => 'securityBaselinePolicy', 'platform' => 'windows'],
]);
expect($calledTypes)->toMatchArray([
'settingsCatalogPolicy',
'endpointSecurityPolicy',
'securityBaselinePolicy',
]);
expect(Policy::query()->where('tenant_id', $tenant->id)->where('policy_type', 'settingsCatalogPolicy')->count())
->toBe(1);
expect(Policy::query()->where('tenant_id', $tenant->id)->where('policy_type', 'endpointSecurityPolicy')->count())
->toBe(1);
expect(Policy::query()->where('tenant_id', $tenant->id)->where('policy_type', 'securityBaselinePolicy')->count())
->toBe(1);
});
it('reclassifies configuration policies when canonical type changes', function () {
$tenant = tenantWithDefaultMicrosoftConnectionForPolicySync();
$policy = Policy::factory()->create([
'tenant_id' => $tenant->id,
'external_id' => 'esp-1',
'policy_type' => 'settingsCatalogPolicy',
'platform' => 'windows',
'display_name' => 'Misclassified',
'ignored_at' => null,
]);
$version = PolicyVersion::factory()->create([
'tenant_id' => $tenant->id,
'policy_id' => $policy->id,
'policy_type' => 'settingsCatalogPolicy',
'platform' => 'windows',
]);
$logger = mock(GraphLogger::class);
$logger->shouldReceive('logRequest')
->zeroOrMoreTimes()
->andReturnNull();
$logger->shouldReceive('logResponse')
->zeroOrMoreTimes()
->andReturnNull();
$graphResponse = new GraphResponse(
success: true,
data: [
[
'id' => 'esp-1',
'name' => 'Endpoint Security Beta',
'@odata.type' => '#microsoft.graph.deviceManagementConfigurationPolicy',
'technologies' => 'mdm',
'templateReference' => [
'templateFamily' => 'endpointSecurityDiskEncryption',
'templateDisplayName' => 'BitLocker',
],
],
],
);
mock(GraphClientInterface::class)
->shouldReceive('listPolicies')
->times(3)
->andReturn($graphResponse);
$service = app(PolicySyncService::class);
$service->syncPolicies($tenant, [
['type' => 'settingsCatalogPolicy', 'platform' => 'windows'],
['type' => 'endpointSecurityPolicy', 'platform' => 'windows'],
['type' => 'securityBaselinePolicy', 'platform' => 'windows'],
]);
expect(Policy::query()
->where('tenant_id', $tenant->id)
->where('external_id', 'esp-1')
->whereNull('ignored_at')
->count())->toBe(1);
expect(Policy::query()
->where('tenant_id', $tenant->id)
->where('external_id', 'esp-1')
->where('policy_type', 'endpointSecurityPolicy')
->whereNull('ignored_at')
->count())->toBe(1);
expect(Policy::query()
->where('tenant_id', $tenant->id)
->where('external_id', 'esp-1')
->where('policy_type', 'settingsCatalogPolicy')
->whereNull('ignored_at')
->count())->toBe(0);
$version->refresh();
expect($version->policy_type)->toBe('endpointSecurityPolicy');
});
Reference in New Issue View Git Blame Copy Permalink