feat: harden tenant settings and import pipeline

2025-09-25 11:50:18 +02:00
parent b22d91ed32
commit 9248d7a3f5
29 changed files with 577 additions and 293 deletions
--- a/tests/Feature/Tenant/TenantTestCase.php
+++ b/tests/Feature/Tenant/TenantTestCase.php
@@ -2,11 +2,11 @@

 namespace Tests\Feature\Tenant;

+use App\Models\OAuthClient;
 use App\Models\Tenant;
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
-use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Route;
+use Illuminate\Support\Str;
 use Tests\TestCase;

 abstract class TenantTestCase extends TestCase
@@ -15,42 +15,103 @@ abstract class TenantTestCase extends TestCase

    protected Tenant $tenant;
    protected User $tenantUser;
+    protected OAuthClient $oauthClient;
    protected string $token;
+    protected ?string $refreshToken = null;

    protected function setUp(): void
    {
        parent::setUp();

+        $this->initialiseTenantContext();
+    }
+
+    protected function authenticatedRequest(string $method, string $uri, array $data = [], array $headers = [])
+    {
+        $headers = array_merge([
+            'Authorization' => 'Bearer '.$this->token,
+        ], $headers);
+
+        return $this->withHeaders($headers)->json($method, $uri, $data);
+    }
+
+    protected function mockTenantContext(): void
+    {
+        $this->app->instance('tenant', $this->tenant);
+    }
+
+    protected function initialiseTenantContext(array $scopes = ['tenant:read', 'tenant:write']): void
+    {
        $this->tenant = Tenant::factory()->create([
            'name' => 'Test Tenant',
-            'slug' => 'test-tenant',
+            'slug' => 'test-tenant-'.Str::random(6),
        ]);

        $this->tenantUser = User::factory()->create([
            'name' => 'Test User',
-            'email' => 'test@example.com',
+            'email' => 'test-'.Str::random(6).'@example.com',
            'tenant_id' => $this->tenant->id,
            'role' => 'admin',
        ]);

-        $this->token = 'mock-jwt-token-' . $this->tenant->id . '-' . time();
-    }
+        $this->oauthClient = $this->createTenantClient($this->tenant, $scopes);
+        [$this->token, $this->refreshToken] = $this->issueTokens($this->oauthClient, $scopes);

-    protected function authenticatedRequest($method, $uri, array $data = [], array $headers = [])
-    {
-        $headers['Authorization'] = 'Bearer ' . $this->token;
-
-        // Temporarily override the middleware to skip auth and set tenant
-        $this->app['router']->pushMiddlewareToGroup('api', MockTenantMiddleware::class, 'mock-tenant');
-        
-        return $this->withHeaders($headers)->json($method, $uri, $data);
-    }
-
-    protected function mockTenantContext()
-    {
-        $this->actingAs($this->tenantUser);
-        
-        // Set tenant globally for tests
        $this->app->instance('tenant', $this->tenant);
    }
-}
+
+    protected function createTenantClient(Tenant $tenant, array $scopes): OAuthClient
+    {
+        return OAuthClient::create([
+            'id' => (string) Str::uuid(),
+            'client_id' => 'tenant-admin-app-'.$tenant->id,
+            'tenant_id' => $tenant->id,
+            'client_secret' => null,
+            'redirect_uris' => ['http://localhost/callback'],
+            'scopes' => $scopes,
+            'is_active' => true,
+        ]);
+    }
+
+    protected function issueTokens(OAuthClient $client, array $scopes = ['tenant:read', 'tenant:write']): array
+    {
+        $codeVerifier = 'tenant-code-verifier-'.Str::random(32);
+        $codeChallenge = rtrim(strtr(base64_encode(hash('sha256', $codeVerifier, true)), '+/', '-_'), '=');
+        $state = Str::random(10);
+
+        $response = $this->get('/api/v1/oauth/authorize?'.http_build_query([
+            'client_id' => $client->client_id,
+            'redirect_uri' => 'http://localhost/callback',
+            'response_type' => 'code',
+            'scope' => implode(' ', $scopes),
+            'state' => $state,
+            'code_challenge' => $codeChallenge,
+            'code_challenge_method' => 'S256',
+        ]));
+
+        $response->assertRedirect();
+        $location = $response->headers->get('Location');
+        $this->assertNotNull($location);
+
+        $query = [];
+        parse_str(parse_url($location, PHP_URL_QUERY) ?? '', $query);
+        $authorizationCode = $query['code'] ?? null;
+        $this->assertNotNull($authorizationCode, 'Authorization code should be present');
+
+        $tokenResponse = $this->post('/api/v1/oauth/token', [
+            'grant_type' => 'authorization_code',
+            'code' => $authorizationCode,
+            'client_id' => $client->client_id,
+            'redirect_uri' => 'http://localhost/callback',
+            'code_verifier' => $codeVerifier,
+        ]);
+
+        $tokenResponse->assertOk();
+
+        return [
+            $tokenResponse->json('access_token'),
+            $tokenResponse->json('refresh_token'),
+        ];
+    }
+}
+