feat: Permettre au super admin de se connecter et accéder à son dashboard

Le super admin (table super_admins, master DB) ne pouvait pas se connecter via /api/login car ce firewall n'utilisait que le provider tenant. De même, le JWT n'était pas enrichi pour les super admins, l'endpoint /api/me/roles les rejetait, et le frontend redirigeait systématiquement vers /dashboard. Un chain provider (super_admin + tenant) résout l'authentification, le JwtPayloadEnricher et MyRolesProvider gèrent désormais les deux types d'utilisateurs, et le frontend redirige selon le rôle après login.
2026-02-17 10:07:10 +01:00
parent c856dfdcda
commit 0951322d71
68 changed files with 4049 additions and 8 deletions
--- a/backend/tests/Unit/Administration/Infrastructure/Api/Provider/MyRolesProviderTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Api/Provider/MyRolesProviderTest.php
@@ -0,0 +1,129 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Infrastructure\Api\Provider;
+
+use ApiPlatform\Metadata\Get;
+use App\Administration\Application\Port\ActiveRoleStore;
+use App\Administration\Application\Service\RoleContext;
+use App\Administration\Domain\Model\User\Email;
+use App\Administration\Domain\Model\User\Role;
+use App\Administration\Domain\Model\User\StatutCompte;
+use App\Administration\Domain\Model\User\User;
+use App\Administration\Domain\Model\User\UserId;
+use App\Administration\Domain\Repository\UserRepository;
+use App\Administration\Infrastructure\Api\Provider\MyRolesProvider;
+use App\Administration\Infrastructure\Security\SecurityUser;
+use App\Shared\Domain\Tenant\TenantId;
+use App\SuperAdmin\Domain\Model\SuperAdmin\SuperAdminId;
+use App\SuperAdmin\Infrastructure\Security\SecuritySuperAdmin;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+use Symfony\Bundle\SecurityBundle\Security;
+use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
+
+final class MyRolesProviderTest extends TestCase
+{
+    #[Test]
+    public function provideReturnsSuperAdminRoleForSecuritySuperAdmin(): void
+    {
+        $security = $this->createMock(Security::class);
+        $security->method('getUser')->willReturn(
+            new SecuritySuperAdmin(
+                superAdminId: SuperAdminId::generate(),
+                email: 'sadmin@test.com',
+                hashedPassword: 'hashed',
+            )
+        );
+
+        $userRepository = $this->createMock(UserRepository::class);
+        $roleContext = new RoleContext(new NullActiveRoleStore());
+
+        $provider = new MyRolesProvider($security, $userRepository, $roleContext);
+        $output = $provider->provide(new Get());
+
+        self::assertSame('ROLE_SUPER_ADMIN', $output->activeRole);
+        self::assertSame('Super Admin', $output->activeRoleLabel);
+        self::assertCount(1, $output->roles);
+        self::assertSame('ROLE_SUPER_ADMIN', $output->roles[0]['value']);
+        self::assertSame('Super Admin', $output->roles[0]['label']);
+    }
+
+    #[Test]
+    public function provideReturnsUserRolesForSecurityUser(): void
+    {
+        $userId = UserId::generate();
+        $tenantId = TenantId::fromString('550e8400-e29b-41d4-a716-446655440002');
+
+        $securityUser = new SecurityUser(
+            userId: $userId,
+            email: 'user@example.com',
+            hashedPassword: 'hashed',
+            tenantId: $tenantId,
+            roles: ['ROLE_PARENT'],
+        );
+
+        $security = $this->createMock(Security::class);
+        $security->method('getUser')->willReturn($securityUser);
+
+        $user = User::reconstitute(
+            id: $userId,
+            email: new Email('user@example.com'),
+            roles: [Role::PARENT],
+            tenantId: $tenantId,
+            schoolName: 'Test',
+            statut: StatutCompte::ACTIF,
+            dateNaissance: null,
+            createdAt: new DateTimeImmutable(),
+            hashedPassword: 'hashed',
+            activatedAt: new DateTimeImmutable(),
+            consentementParental: null,
+        );
+
+        $userRepository = $this->createMock(UserRepository::class);
+        $userRepository->method('get')->willReturn($user);
+
+        $roleContext = new RoleContext(new NullActiveRoleStore());
+
+        $provider = new MyRolesProvider($security, $userRepository, $roleContext);
+        $output = $provider->provide(new Get());
+
+        self::assertSame('ROLE_PARENT', $output->activeRole);
+    }
+
+    #[Test]
+    public function provideThrowsUnauthorizedForUnknownUserType(): void
+    {
+        $security = $this->createMock(Security::class);
+        $security->method('getUser')->willReturn(null);
+
+        $userRepository = $this->createMock(UserRepository::class);
+        $roleContext = new RoleContext(new NullActiveRoleStore());
+
+        $provider = new MyRolesProvider($security, $userRepository, $roleContext);
+
+        $this->expectException(UnauthorizedHttpException::class);
+        $provider->provide(new Get());
+    }
+}
+
+/**
+ * @internal
+ */
+final class NullActiveRoleStore implements ActiveRoleStore
+{
+    public function store(User $user, Role $role): void
+    {
+    }
+
+    public function get(User $user): ?Role
+    {
+        return null;
+    }
+
+    public function clear(User $user): void
+    {
+    }
+}
--- a/backend/tests/Unit/Administration/Infrastructure/Security/JwtPayloadEnricherSuperAdminTest.php
+++ b/backend/tests/Unit/Administration/Infrastructure/Security/JwtPayloadEnricherSuperAdminTest.php
@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\Administration\Infrastructure\Security;
+
+use App\Administration\Infrastructure\Security\JwtPayloadEnricher;
+use App\SuperAdmin\Domain\Model\SuperAdmin\SuperAdminId;
+use App\SuperAdmin\Infrastructure\Security\SecuritySuperAdmin;
+use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class JwtPayloadEnricherSuperAdminTest extends TestCase
+{
+    private JwtPayloadEnricher $enricher;
+
+    protected function setUp(): void
+    {
+        $this->enricher = new JwtPayloadEnricher();
+    }
+
+    #[Test]
+    public function onJWTCreatedAddsSuperAdminClaimsToPayload(): void
+    {
+        $superAdminId = SuperAdminId::generate();
+
+        $securitySuperAdmin = new SecuritySuperAdmin(
+            superAdminId: $superAdminId,
+            email: 'sadmin@test.com',
+            hashedPassword: 'hashed',
+        );
+
+        $initialPayload = ['username' => 'sadmin@test.com'];
+        $event = new JWTCreatedEvent($initialPayload, $securitySuperAdmin);
+
+        $this->enricher->onJWTCreated($event);
+
+        $payload = $event->getData();
+
+        self::assertSame((string) $superAdminId, $payload['user_id']);
+        self::assertSame('super_admin', $payload['user_type']);
+        self::assertSame(['ROLE_SUPER_ADMIN'], $payload['roles']);
+        self::assertArrayNotHasKey('tenant_id', $payload);
+    }
+
+    #[Test]
+    public function onJWTCreatedPreservesExistingPayloadForSuperAdmin(): void
+    {
+        $securitySuperAdmin = new SecuritySuperAdmin(
+            superAdminId: SuperAdminId::generate(),
+            email: 'sadmin@test.com',
+            hashedPassword: 'hashed',
+        );
+
+        $initialPayload = [
+            'username' => 'sadmin@test.com',
+            'iat' => 1706436600,
+            'exp' => 1706438400,
+        ];
+        $event = new JWTCreatedEvent($initialPayload, $securitySuperAdmin);
+
+        $this->enricher->onJWTCreated($event);
+
+        $payload = $event->getData();
+
+        self::assertSame('sadmin@test.com', $payload['username']);
+        self::assertSame(1706436600, $payload['iat']);
+        self::assertSame(1706438400, $payload['exp']);
+    }
+}
--- a/backend/tests/Unit/SuperAdmin/Application/Command/CreateEstablishment/CreateEstablishmentHandlerTest.php
+++ b/backend/tests/Unit/SuperAdmin/Application/Command/CreateEstablishment/CreateEstablishmentHandlerTest.php
@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\SuperAdmin\Application\Command\CreateEstablishment;
+
+use App\Shared\Domain\Clock;
+use App\SuperAdmin\Application\Command\CreateEstablishment\CreateEstablishmentCommand;
+use App\SuperAdmin\Application\Command\CreateEstablishment\CreateEstablishmentHandler;
+use App\SuperAdmin\Infrastructure\Persistence\InMemory\InMemoryEstablishmentRepository;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class CreateEstablishmentHandlerTest extends TestCase
+{
+    private const string SUPER_ADMIN_ID = '550e8400-e29b-41d4-a716-446655440001';
+
+    private InMemoryEstablishmentRepository $repository;
+    private CreateEstablishmentHandler $handler;
+
+    protected function setUp(): void
+    {
+        $this->repository = new InMemoryEstablishmentRepository();
+
+        $clock = new class implements Clock {
+            public function now(): DateTimeImmutable
+            {
+                return new DateTimeImmutable('2026-02-16 10:00:00');
+            }
+        };
+
+        $this->handler = new CreateEstablishmentHandler(
+            $this->repository,
+            $clock,
+        );
+    }
+
+    #[Test]
+    public function createsEstablishmentAndReturnsResult(): void
+    {
+        $command = new CreateEstablishmentCommand(
+            name: 'École Alpha',
+            subdomain: 'ecole-alpha',
+            adminEmail: 'admin@ecole-alpha.fr',
+            superAdminId: self::SUPER_ADMIN_ID,
+        );
+
+        $result = ($this->handler)($command);
+
+        self::assertNotEmpty($result->establishmentId);
+        self::assertNotEmpty($result->tenantId);
+        self::assertSame('École Alpha', $result->name);
+        self::assertSame('ecole-alpha', $result->subdomain);
+        self::assertStringStartsWith('classeo_tenant_', $result->databaseName);
+    }
+
+    #[Test]
+    public function savesEstablishmentToRepository(): void
+    {
+        $command = new CreateEstablishmentCommand(
+            name: 'École Beta',
+            subdomain: 'ecole-beta',
+            adminEmail: 'admin@ecole-beta.fr',
+            superAdminId: self::SUPER_ADMIN_ID,
+        );
+
+        $result = ($this->handler)($command);
+
+        $establishments = $this->repository->findAll();
+        self::assertCount(1, $establishments);
+        self::assertSame($result->establishmentId, (string) $establishments[0]->id);
+    }
+}
--- a/backend/tests/Unit/SuperAdmin/Application/Query/GetEstablishments/GetEstablishmentsHandlerTest.php
+++ b/backend/tests/Unit/SuperAdmin/Application/Query/GetEstablishments/GetEstablishmentsHandlerTest.php
@@ -0,0 +1,61 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\SuperAdmin\Application\Query\GetEstablishments;
+
+use App\SuperAdmin\Application\Query\GetEstablishments\GetEstablishmentsHandler;
+use App\SuperAdmin\Application\Query\GetEstablishments\GetEstablishmentsQuery;
+use App\SuperAdmin\Domain\Model\Establishment\Establishment;
+use App\SuperAdmin\Domain\Model\SuperAdmin\SuperAdminId;
+use App\SuperAdmin\Infrastructure\Persistence\InMemory\InMemoryEstablishmentRepository;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class GetEstablishmentsHandlerTest extends TestCase
+{
+    private const string SUPER_ADMIN_ID = '550e8400-e29b-41d4-a716-446655440001';
+
+    private InMemoryEstablishmentRepository $repository;
+    private GetEstablishmentsHandler $handler;
+
+    protected function setUp(): void
+    {
+        $this->repository = new InMemoryEstablishmentRepository();
+        $this->handler = new GetEstablishmentsHandler($this->repository);
+    }
+
+    #[Test]
+    public function returnsEmptyArrayWhenNoEstablishments(): void
+    {
+        $result = ($this->handler)(new GetEstablishmentsQuery());
+
+        self::assertSame([], $result);
+    }
+
+    #[Test]
+    public function returnsAllEstablishments(): void
+    {
+        $this->repository->save(Establishment::creer(
+            name: 'École Alpha',
+            subdomain: 'ecole-alpha',
+            createdBy: SuperAdminId::fromString(self::SUPER_ADMIN_ID),
+            createdAt: new DateTimeImmutable('2026-02-16 10:00:00'),
+        ));
+
+        $this->repository->save(Establishment::creer(
+            name: 'École Beta',
+            subdomain: 'ecole-beta',
+            createdBy: SuperAdminId::fromString(self::SUPER_ADMIN_ID),
+            createdAt: new DateTimeImmutable('2026-02-16 11:00:00'),
+        ));
+
+        $result = ($this->handler)(new GetEstablishmentsQuery());
+
+        self::assertCount(2, $result);
+        self::assertSame('École Alpha', $result[0]->name);
+        self::assertSame('ecole-alpha', $result[0]->subdomain);
+        self::assertSame('active', $result[0]->status);
+    }
+}
--- a/backend/tests/Unit/SuperAdmin/Domain/Model/Establishment/EstablishmentTest.php
+++ b/backend/tests/Unit/SuperAdmin/Domain/Model/Establishment/EstablishmentTest.php
@@ -0,0 +1,148 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\SuperAdmin\Domain\Model\Establishment;
+
+use App\Shared\Domain\Tenant\TenantId;
+use App\SuperAdmin\Domain\Event\EtablissementCree;
+use App\SuperAdmin\Domain\Event\EtablissementDesactive;
+use App\SuperAdmin\Domain\Exception\EstablishmentDejaInactifException;
+use App\SuperAdmin\Domain\Model\Establishment\Establishment;
+use App\SuperAdmin\Domain\Model\Establishment\EstablishmentId;
+use App\SuperAdmin\Domain\Model\Establishment\EstablishmentStatus;
+use App\SuperAdmin\Domain\Model\SuperAdmin\SuperAdminId;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class EstablishmentTest extends TestCase
+{
+    private const string SUPER_ADMIN_ID = '550e8400-e29b-41d4-a716-446655440001';
+    private const string ESTABLISHMENT_NAME = 'École Alpha';
+    private const string SUBDOMAIN = 'ecole-alpha';
+
+    #[Test]
+    public function creerCreatesActiveEstablishment(): void
+    {
+        $establishment = $this->createEstablishment();
+
+        self::assertSame(EstablishmentStatus::ACTIF, $establishment->status);
+        self::assertSame(self::ESTABLISHMENT_NAME, $establishment->name);
+        self::assertSame(self::SUBDOMAIN, $establishment->subdomain);
+        self::assertNull($establishment->lastActivityAt);
+        self::assertNotEmpty($establishment->databaseName);
+        self::assertStringStartsWith('classeo_tenant_', $establishment->databaseName);
+    }
+
+    #[Test]
+    public function creerRecordsEtablissementCreeEvent(): void
+    {
+        $establishment = $this->createEstablishment();
+
+        $events = $establishment->pullDomainEvents();
+
+        self::assertCount(1, $events);
+        self::assertInstanceOf(EtablissementCree::class, $events[0]);
+        self::assertTrue($establishment->id->equals($events[0]->establishmentId));
+        self::assertTrue($establishment->tenantId->equals($events[0]->tenantId));
+        self::assertSame(self::ESTABLISHMENT_NAME, $events[0]->name);
+        self::assertSame(self::SUBDOMAIN, $events[0]->subdomain);
+    }
+
+    #[Test]
+    public function creerGeneratesTenantIdAndDatabaseName(): void
+    {
+        $establishment = $this->createEstablishment();
+
+        self::assertInstanceOf(TenantId::class, $establishment->tenantId);
+        self::assertStringStartsWith('classeo_tenant_', $establishment->databaseName);
+    }
+
+    #[Test]
+    public function desactiverChangesStatusToInactif(): void
+    {
+        $establishment = $this->createEstablishment();
+
+        $establishment->desactiver(new DateTimeImmutable('2026-02-16 12:00:00'));
+
+        self::assertSame(EstablishmentStatus::INACTIF, $establishment->status);
+    }
+
+    #[Test]
+    public function desactiverRecordsEtablissementDesactiveEvent(): void
+    {
+        $establishment = $this->createEstablishment();
+        $establishment->pullDomainEvents(); // Clear creation event
+
+        $establishment->desactiver(new DateTimeImmutable('2026-02-16 12:00:00'));
+
+        $events = $establishment->pullDomainEvents();
+        self::assertCount(1, $events);
+        self::assertInstanceOf(EtablissementDesactive::class, $events[0]);
+    }
+
+    #[Test]
+    public function desactiverThrowsWhenAlreadyInactive(): void
+    {
+        $establishment = $this->createEstablishment();
+        $establishment->desactiver(new DateTimeImmutable('2026-02-16 12:00:00'));
+
+        $this->expectException(EstablishmentDejaInactifException::class);
+        $establishment->desactiver(new DateTimeImmutable('2026-02-16 13:00:00'));
+    }
+
+    #[Test]
+    public function enregistrerActiviteUpdatesLastActivityAt(): void
+    {
+        $establishment = $this->createEstablishment();
+        $activityAt = new DateTimeImmutable('2026-02-16 15:00:00');
+
+        $establishment->enregistrerActivite($activityAt);
+
+        self::assertEquals($activityAt, $establishment->lastActivityAt);
+    }
+
+    #[Test]
+    public function reconstituteRestoresAllProperties(): void
+    {
+        $id = EstablishmentId::generate();
+        $tenantId = TenantId::generate();
+        $createdBy = SuperAdminId::fromString(self::SUPER_ADMIN_ID);
+        $createdAt = new DateTimeImmutable('2026-01-01 10:00:00');
+        $lastActivityAt = new DateTimeImmutable('2026-02-16 14:30:00');
+
+        $establishment = Establishment::reconstitute(
+            id: $id,
+            tenantId: $tenantId,
+            name: self::ESTABLISHMENT_NAME,
+            subdomain: self::SUBDOMAIN,
+            databaseName: 'classeo_tenant_abc123',
+            status: EstablishmentStatus::ACTIF,
+            createdAt: $createdAt,
+            createdBy: $createdBy,
+            lastActivityAt: $lastActivityAt,
+        );
+
+        self::assertTrue($id->equals($establishment->id));
+        self::assertTrue($tenantId->equals($establishment->tenantId));
+        self::assertSame(self::ESTABLISHMENT_NAME, $establishment->name);
+        self::assertSame(self::SUBDOMAIN, $establishment->subdomain);
+        self::assertSame('classeo_tenant_abc123', $establishment->databaseName);
+        self::assertSame(EstablishmentStatus::ACTIF, $establishment->status);
+        self::assertEquals($createdAt, $establishment->createdAt);
+        self::assertTrue($createdBy->equals($establishment->createdBy));
+        self::assertEquals($lastActivityAt, $establishment->lastActivityAt);
+        self::assertEmpty($establishment->pullDomainEvents());
+    }
+
+    private function createEstablishment(): Establishment
+    {
+        return Establishment::creer(
+            name: self::ESTABLISHMENT_NAME,
+            subdomain: self::SUBDOMAIN,
+            createdBy: SuperAdminId::fromString(self::SUPER_ADMIN_ID),
+            createdAt: new DateTimeImmutable('2026-02-16 10:00:00'),
+        );
+    }
+}
--- a/backend/tests/Unit/SuperAdmin/Domain/Model/SuperAdmin/SuperAdminTest.php
+++ b/backend/tests/Unit/SuperAdmin/Domain/Model/SuperAdmin/SuperAdminTest.php
@@ -0,0 +1,181 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\SuperAdmin\Domain\Model\SuperAdmin;
+
+use App\SuperAdmin\Domain\Event\SuperAdminCree;
+use App\SuperAdmin\Domain\Event\SuperAdminDesactive;
+use App\SuperAdmin\Domain\Exception\SuperAdminDejaActifException;
+use App\SuperAdmin\Domain\Exception\SuperAdminNonActifException;
+use App\SuperAdmin\Domain\Model\SuperAdmin\SuperAdmin;
+use App\SuperAdmin\Domain\Model\SuperAdmin\SuperAdminId;
+use App\SuperAdmin\Domain\Model\SuperAdmin\SuperAdminStatus;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class SuperAdminTest extends TestCase
+{
+    private const string EMAIL = 'superadmin@classeo.fr';
+    private const string FIRST_NAME = 'Jean';
+    private const string LAST_NAME = 'Dupont';
+    private const string HASHED_PASSWORD = '$argon2id$hashed';
+
+    #[Test]
+    public function creerCreatesActiveSuperAdmin(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+
+        self::assertSame(SuperAdminStatus::ACTIF, $superAdmin->status);
+        self::assertSame(self::EMAIL, $superAdmin->email);
+        self::assertSame(self::FIRST_NAME, $superAdmin->firstName);
+        self::assertSame(self::LAST_NAME, $superAdmin->lastName);
+        self::assertSame(self::HASHED_PASSWORD, $superAdmin->hashedPassword);
+        self::assertNull($superAdmin->lastLoginAt);
+    }
+
+    #[Test]
+    public function creerRecordsSuperAdminCreeEvent(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+
+        $events = $superAdmin->pullDomainEvents();
+
+        self::assertCount(1, $events);
+        self::assertInstanceOf(SuperAdminCree::class, $events[0]);
+        self::assertSame($superAdmin->id, $events[0]->superAdminId);
+        self::assertSame(self::EMAIL, $events[0]->email);
+    }
+
+    #[Test]
+    public function enregistrerConnexionUpdatesLastLoginAt(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+        $loginAt = new DateTimeImmutable('2026-02-16 14:30:00');
+
+        $superAdmin->enregistrerConnexion($loginAt);
+
+        self::assertEquals($loginAt, $superAdmin->lastLoginAt);
+    }
+
+    #[Test]
+    public function enregistrerConnexionThrowsWhenNotActive(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+        $superAdmin->desactiver(new DateTimeImmutable('2026-02-16 10:00:00'));
+
+        $this->expectException(SuperAdminNonActifException::class);
+        $superAdmin->enregistrerConnexion(new DateTimeImmutable('2026-02-16 14:30:00'));
+    }
+
+    #[Test]
+    public function desactiverChangeStatusToInactif(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+
+        $superAdmin->desactiver(new DateTimeImmutable('2026-02-16 10:00:00'));
+
+        self::assertSame(SuperAdminStatus::INACTIF, $superAdmin->status);
+    }
+
+    #[Test]
+    public function desactiverRecordsSuperAdminDesactiveEvent(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+        $superAdmin->pullDomainEvents(); // Clear creation event
+
+        $superAdmin->desactiver(new DateTimeImmutable('2026-02-16 10:00:00'));
+
+        $events = $superAdmin->pullDomainEvents();
+        self::assertCount(1, $events);
+        self::assertInstanceOf(SuperAdminDesactive::class, $events[0]);
+    }
+
+    #[Test]
+    public function desactiverThrowsWhenAlreadyInactive(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+        $superAdmin->desactiver(new DateTimeImmutable('2026-02-16 10:00:00'));
+
+        $this->expectException(SuperAdminNonActifException::class);
+        $superAdmin->desactiver(new DateTimeImmutable('2026-02-16 11:00:00'));
+    }
+
+    #[Test]
+    public function reactiverChangesStatusToActif(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+        $superAdmin->desactiver(new DateTimeImmutable('2026-02-16 10:00:00'));
+
+        $superAdmin->reactiver(new DateTimeImmutable('2026-02-16 11:00:00'));
+
+        self::assertSame(SuperAdminStatus::ACTIF, $superAdmin->status);
+    }
+
+    #[Test]
+    public function reactiverThrowsWhenAlreadyActive(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+
+        $this->expectException(SuperAdminDejaActifException::class);
+        $superAdmin->reactiver(new DateTimeImmutable('2026-02-16 11:00:00'));
+    }
+
+    #[Test]
+    public function peutSeConnecterReturnsTrueWhenActive(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+
+        self::assertTrue($superAdmin->peutSeConnecter());
+    }
+
+    #[Test]
+    public function peutSeConnecterReturnsFalseWhenInactive(): void
+    {
+        $superAdmin = $this->createSuperAdmin();
+        $superAdmin->desactiver(new DateTimeImmutable('2026-02-16 10:00:00'));
+
+        self::assertFalse($superAdmin->peutSeConnecter());
+    }
+
+    #[Test]
+    public function reconstituteRestoresAllProperties(): void
+    {
+        $id = SuperAdminId::generate();
+        $createdAt = new DateTimeImmutable('2026-01-01 10:00:00');
+        $lastLoginAt = new DateTimeImmutable('2026-02-16 14:30:00');
+
+        $superAdmin = SuperAdmin::reconstitute(
+            id: $id,
+            email: self::EMAIL,
+            hashedPassword: self::HASHED_PASSWORD,
+            firstName: self::FIRST_NAME,
+            lastName: self::LAST_NAME,
+            status: SuperAdminStatus::ACTIF,
+            createdAt: $createdAt,
+            lastLoginAt: $lastLoginAt,
+        );
+
+        self::assertTrue($id->equals($superAdmin->id));
+        self::assertSame(self::EMAIL, $superAdmin->email);
+        self::assertSame(self::HASHED_PASSWORD, $superAdmin->hashedPassword);
+        self::assertSame(self::FIRST_NAME, $superAdmin->firstName);
+        self::assertSame(self::LAST_NAME, $superAdmin->lastName);
+        self::assertSame(SuperAdminStatus::ACTIF, $superAdmin->status);
+        self::assertEquals($createdAt, $superAdmin->createdAt);
+        self::assertEquals($lastLoginAt, $superAdmin->lastLoginAt);
+        self::assertEmpty($superAdmin->pullDomainEvents());
+    }
+
+    private function createSuperAdmin(): SuperAdmin
+    {
+        return SuperAdmin::creer(
+            email: self::EMAIL,
+            hashedPassword: self::HASHED_PASSWORD,
+            firstName: self::FIRST_NAME,
+            lastName: self::LAST_NAME,
+            createdAt: new DateTimeImmutable('2026-02-16 10:00:00'),
+        );
+    }
+}
--- a/backend/tests/Unit/SuperAdmin/Infrastructure/Api/Processor/CreateEstablishmentProcessorTest.php
+++ b/backend/tests/Unit/SuperAdmin/Infrastructure/Api/Processor/CreateEstablishmentProcessorTest.php
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\SuperAdmin\Infrastructure\Api\Processor;
+
+use ApiPlatform\Metadata\Post;
+use App\Shared\Domain\Clock;
+use App\SuperAdmin\Application\Command\CreateEstablishment\CreateEstablishmentHandler;
+use App\SuperAdmin\Domain\Model\SuperAdmin\SuperAdminId;
+use App\SuperAdmin\Infrastructure\Api\Processor\CreateEstablishmentProcessor;
+use App\SuperAdmin\Infrastructure\Api\Resource\EstablishmentResource;
+use App\SuperAdmin\Infrastructure\Persistence\InMemory\InMemoryEstablishmentRepository;
+use App\SuperAdmin\Infrastructure\Security\SecuritySuperAdmin;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+use Symfony\Bundle\SecurityBundle\Security;
+
+final class CreateEstablishmentProcessorTest extends TestCase
+{
+    private const string SUPER_ADMIN_ID = '550e8400-e29b-41d4-a716-446655440001';
+
+    #[Test]
+    public function processCreatesEstablishmentAndReturnsResource(): void
+    {
+        $repository = new InMemoryEstablishmentRepository();
+        $clock = new class implements Clock {
+            public function now(): DateTimeImmutable
+            {
+                return new DateTimeImmutable('2026-02-16 10:00:00');
+            }
+        };
+        $handler = new CreateEstablishmentHandler($repository, $clock);
+
+        $securityUser = new SecuritySuperAdmin(
+            SuperAdminId::fromString(self::SUPER_ADMIN_ID),
+            'superadmin@classeo.fr',
+            'hashed',
+        );
+
+        $security = $this->createMock(Security::class);
+        $security->method('getUser')->willReturn($securityUser);
+
+        $processor = new CreateEstablishmentProcessor($handler, $security);
+
+        $input = new EstablishmentResource();
+        $input->name = 'École Gamma';
+        $input->subdomain = 'ecole-gamma';
+        $input->adminEmail = 'admin@ecole-gamma.fr';
+
+        $result = $processor->process($input, new Post());
+
+        self::assertNotNull($result->id);
+        self::assertNotNull($result->tenantId);
+        self::assertSame('École Gamma', $result->name);
+        self::assertSame('ecole-gamma', $result->subdomain);
+        self::assertSame('active', $result->status);
+    }
+}
--- a/backend/tests/Unit/SuperAdmin/Infrastructure/Api/Provider/EstablishmentCollectionProviderTest.php
+++ b/backend/tests/Unit/SuperAdmin/Infrastructure/Api/Provider/EstablishmentCollectionProviderTest.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\SuperAdmin\Infrastructure\Api\Provider;
+
+use ApiPlatform\Metadata\GetCollection;
+use App\SuperAdmin\Application\Query\GetEstablishments\GetEstablishmentsHandler;
+use App\SuperAdmin\Domain\Model\Establishment\Establishment;
+use App\SuperAdmin\Domain\Model\SuperAdmin\SuperAdminId;
+use App\SuperAdmin\Infrastructure\Api\Provider\EstablishmentCollectionProvider;
+use App\SuperAdmin\Infrastructure\Persistence\InMemory\InMemoryEstablishmentRepository;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+final class EstablishmentCollectionProviderTest extends TestCase
+{
+    private const string SUPER_ADMIN_ID = '550e8400-e29b-41d4-a716-446655440001';
+
+    #[Test]
+    public function provideReturnsEmptyArrayWhenNoEstablishments(): void
+    {
+        $repository = new InMemoryEstablishmentRepository();
+        $handler = new GetEstablishmentsHandler($repository);
+        $provider = new EstablishmentCollectionProvider($handler);
+
+        $result = $provider->provide(new GetCollection());
+
+        self::assertSame([], $result);
+    }
+
+    #[Test]
+    public function provideReturnsMappedResources(): void
+    {
+        $repository = new InMemoryEstablishmentRepository();
+        $repository->save(Establishment::creer(
+            name: 'École Alpha',
+            subdomain: 'ecole-alpha',
+            createdBy: SuperAdminId::fromString(self::SUPER_ADMIN_ID),
+            createdAt: new DateTimeImmutable('2026-02-16 10:00:00'),
+        ));
+
+        $handler = new GetEstablishmentsHandler($repository);
+        $provider = new EstablishmentCollectionProvider($handler);
+
+        $result = $provider->provide(new GetCollection());
+
+        self::assertCount(1, $result);
+        self::assertSame('École Alpha', $result[0]->name);
+        self::assertSame('ecole-alpha', $result[0]->subdomain);
+        self::assertSame('active', $result[0]->status);
+    }
+}
--- a/backend/tests/Unit/SuperAdmin/Infrastructure/Console/CreateTestSuperAdminCommandTest.php
+++ b/backend/tests/Unit/SuperAdmin/Infrastructure/Console/CreateTestSuperAdminCommandTest.php
@@ -0,0 +1,106 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Tests\Unit\SuperAdmin\Infrastructure\Console;
+
+use App\Administration\Application\Port\PasswordHasher;
+use App\Shared\Domain\Clock;
+use App\SuperAdmin\Infrastructure\Console\CreateTestSuperAdminCommand;
+use App\SuperAdmin\Infrastructure\Persistence\InMemory\InMemorySuperAdminRepository;
+use DateTimeImmutable;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Tester\CommandTester;
+
+final class CreateTestSuperAdminCommandTest extends TestCase
+{
+    private InMemorySuperAdminRepository $repository;
+    private CommandTester $commandTester;
+
+    protected function setUp(): void
+    {
+        $this->repository = new InMemorySuperAdminRepository();
+
+        $clock = new class implements Clock {
+            public function now(): DateTimeImmutable
+            {
+                return new DateTimeImmutable('2026-02-17 10:00:00');
+            }
+        };
+
+        $passwordHasher = new class implements PasswordHasher {
+            public function hash(string $plainPassword): string
+            {
+                return 'hashed_' . $plainPassword;
+            }
+
+            public function verify(string $hashedPassword, string $plainPassword): bool
+            {
+                return $hashedPassword === 'hashed_' . $plainPassword;
+            }
+        };
+
+        $command = new CreateTestSuperAdminCommand(
+            $this->repository,
+            $passwordHasher,
+            $clock,
+        );
+
+        $this->commandTester = new CommandTester($command);
+    }
+
+    #[Test]
+    public function createsNewSuperAdmin(): void
+    {
+        $exitCode = $this->commandTester->execute([
+            '--email' => 'sadmin@test.com',
+            '--password' => 'SuperAdmin123',
+            '--first-name' => 'Super',
+            '--last-name' => 'Admin',
+        ]);
+
+        self::assertSame(Command::SUCCESS, $exitCode);
+        self::assertStringContainsString('Test super admin created successfully', $this->commandTester->getDisplay());
+
+        $superAdmin = $this->repository->findByEmail('sadmin@test.com');
+        self::assertNotNull($superAdmin);
+        self::assertSame('sadmin@test.com', $superAdmin->email);
+        self::assertSame('Super', $superAdmin->firstName);
+        self::assertSame('Admin', $superAdmin->lastName);
+        self::assertSame('hashed_SuperAdmin123', $superAdmin->hashedPassword);
+    }
+
+    #[Test]
+    public function returnsSuccessForExistingEmail(): void
+    {
+        // Create first
+        $this->commandTester->execute([
+            '--email' => 'sadmin@test.com',
+            '--password' => 'SuperAdmin123',
+        ]);
+
+        // Create again with same email
+        $exitCode = $this->commandTester->execute([
+            '--email' => 'sadmin@test.com',
+            '--password' => 'SuperAdmin123',
+        ]);
+
+        self::assertSame(Command::SUCCESS, $exitCode);
+        self::assertStringContainsString('already exists', $this->commandTester->getDisplay());
+    }
+
+    #[Test]
+    public function usesDefaultValues(): void
+    {
+        $exitCode = $this->commandTester->execute([]);
+
+        self::assertSame(Command::SUCCESS, $exitCode);
+
+        $superAdmin = $this->repository->findByEmail('sadmin@test.com');
+        self::assertNotNull($superAdmin);
+        self::assertSame('Super', $superAdmin->firstName);
+        self::assertSame('Admin', $superAdmin->lastName);
+    }
+}