TenantAtlas/apps/platform/tests/Feature/Verification/ProviderExecutionReauthorizationTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\ProviderConnectionResource\Pages\ListProviderConnections;
use App\Jobs\ProviderConnectionHealthCheckJob;
use App\Models\OperationRun;
use App\Models\ProviderConnection;
use App\Services\Auth\CapabilityResolver;
use App\Support\Auth\Capabilities;
use Filament\Facades\Filament;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;

function runQueuedJobThroughMiddleware(object $job, Closure $terminal): mixed
{
    $pipeline = array_reduce(
        array_reverse($job->middleware()),
        fn (Closure $next, object $middleware): Closure => fn (object $job): mixed => $middleware->handle($job, $next),
        $terminal,
    );

    return $pipeline($job);
}

it('stores actor-bound execution metadata when verification is queued', function (): void {
    Queue::fake();

    [$user, $tenant] = createUserWithTenant(role: 'operator');
    $this->actingAs($user);

    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    $connection = ProviderConnection::factory()->platform()->consentGranted()->create([
        'tenant_id' => $tenant->getKey(),
        'provider' => 'microsoft',
        'entra_tenant_id' => fake()->uuid(),
        'consent_status' => 'granted',
    ]);

    Livewire::test(ListProviderConnections::class)
        ->callTableAction('check_connection', $connection);

    $opRun = OperationRun::query()
        ->where('tenant_id', $tenant->getKey())
        ->where('type', 'provider.connection.check')
        ->latest('id')
        ->first();

    expect($opRun)->not->toBeNull()
        ->and($opRun?->context)->toMatchArray([
            'execution_authority_mode' => 'actor_bound',
            'required_capability' => 'provider.run',
            'provider_connection_id' => (int) $connection->getKey(),
        ]);
});

it('blocks verification execution when the initiator loses provider capability before start', function (): void {
    Queue::fake();

    [$user, $tenant] = createUserWithTenant(role: 'operator');
    $this->actingAs($user);

    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    $connection = ProviderConnection::factory()->platform()->consentGranted()->create([
        'tenant_id' => $tenant->getKey(),
        'provider' => 'microsoft',
        'entra_tenant_id' => fake()->uuid(),
        'consent_status' => 'granted',
    ]);

    Livewire::test(ListProviderConnections::class)
        ->callTableAction('check_connection', $connection);

    $capturedJob = null;

    Queue::assertPushed(ProviderConnectionHealthCheckJob::class, function (ProviderConnectionHealthCheckJob $job) use (&$capturedJob): bool {
        $capturedJob = $job;

        return true;
    });

    expect($capturedJob)->toBeInstanceOf(ProviderConnectionHealthCheckJob::class);

    $user->tenantMemberships()->where('tenant_id', $tenant->getKey())->update(['role' => 'readonly']);
    app(CapabilityResolver::class)->clearCache();

    $terminalInvoked = false;

    runQueuedJobThroughMiddleware(
        $capturedJob,
        function (ProviderConnectionHealthCheckJob $job) use (&$terminalInvoked): mixed {
            $terminalInvoked = true;

            return $job;
        },
    );

    $capturedJob->operationRun?->refresh();

    expect($terminalInvoked)->toBeFalse()
        ->and($capturedJob->operationRun?->outcome?->value ?? $capturedJob->operationRun?->outcome)->toBe('blocked')
        ->and($capturedJob->operationRun?->context['reason_code'] ?? null)->toBe('missing_capability')
        ->and($capturedJob->operationRun?->context['execution_legitimacy']['metadata']['required_capability'] ?? null)->toBe(Capabilities::PROVIDER_RUN);
});

it('blocks verification execution when the initiator loses tenant membership before start', function (): void {
    Queue::fake();

    [$user, $tenant] = createUserWithTenant(role: 'operator');
    $this->actingAs($user);

    $tenant->makeCurrent();
    Filament::setTenant($tenant, true);

    $connection = ProviderConnection::factory()->platform()->consentGranted()->create([
        'tenant_id' => $tenant->getKey(),
        'provider' => 'microsoft',
        'entra_tenant_id' => fake()->uuid(),
        'consent_status' => 'granted',
    ]);

    Livewire::test(ListProviderConnections::class)
        ->callTableAction('check_connection', $connection);

    $capturedJob = null;

    Queue::assertPushed(ProviderConnectionHealthCheckJob::class, function (ProviderConnectionHealthCheckJob $job) use (&$capturedJob): bool {
        $capturedJob = $job;

        return true;
    });

    expect($capturedJob)->toBeInstanceOf(ProviderConnectionHealthCheckJob::class);

    $user->tenantMemberships()->where('tenant_id', $tenant->getKey())->delete();
    app(CapabilityResolver::class)->clearCache();

    $terminalInvoked = false;

    runQueuedJobThroughMiddleware(
        $capturedJob,
        function (ProviderConnectionHealthCheckJob $job) use (&$terminalInvoked): mixed {
            $terminalInvoked = true;

            return $job;
        },
    );

    $capturedJob->operationRun?->refresh();

    expect($terminalInvoked)->toBeFalse()
        ->and($capturedJob->operationRun?->outcome?->value ?? $capturedJob->operationRun?->outcome)->toBe('blocked')
        ->and($capturedJob->operationRun?->context['reason_code'] ?? null)->toBe('initiator_not_entitled');
});