Roukmoute/Classeo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Gestion des utilisateurs (invitation, blocage, déblocage)

Browse Source 
Permet aux administrateurs d'un établissement de gérer le cycle de vie
des comptes utilisateurs : inviter de nouveaux membres, bloquer/débloquer
des comptes actifs, et renvoyer des invitations en attente.

Chaque mutation vérifie l'appartenance au tenant courant pour empêcher
les accès cross-tenant. Le blocage est restreint aux comptes actifs
uniquement et un administrateur ne peut pas bloquer son propre compte.

Les comptes suspendus reçoivent une erreur 403 spécifique au login
(sans déclencher l'escalade du rate limiting) et les tentatives sont
tracées dans les métriques Prometheus.
This commit is contained in:
Mathias STRASSER
2026-02-07 16:44:30 +01:00
parent ff18850a43
commit 4005c70082
58 changed files with 4443 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
backend/tests/Unit/Administration/Application/Command/BlockUser/BlockUserHandlerTest.php Normal file
View File

@@ -0,0 +1,114 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\BlockUser;
use App\Administration\Application\Command\BlockUser\BlockUserCommand;
use App\Administration\Application\Command\BlockUser\BlockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class BlockUserHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private BlockUserHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-10 15:00:00');
}
};
$this->handler = new BlockUserHandler($this->userRepository, $this->clock);
}
#[Test]
public function blocksUserSuccessfully(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($user);
$command = new BlockUserCommand(
userId: (string) $user->id,
reason: 'Comportement inapproprié',
);
($this->handler)($command);
$updated = $this->userRepository->get($user->id);
self::assertSame(StatutCompte::SUSPENDU, $updated->statut);
self::assertSame('Comportement inapproprié', $updated->blockedReason);
self::assertNotNull($updated->blockedAt);
}
#[Test]
public function throwsWhenUserAlreadySuspendu(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Première raison', new DateTimeImmutable('2026-02-08 10:00:00'));
$this->userRepository->save($user);
$this->expectException(UtilisateurNonBlocableException::class);
($this->handler)(new BlockUserCommand(
userId: (string) $user->id,
reason: 'Seconde raison',
));
}
#[Test]
public function throwsWhenUserNotFound(): void
{
$this->expectException(UserNotFoundException::class);
($this->handler)(new BlockUserCommand(
userId: (string) UserId::generate(),
reason: 'Raison',
));
}
}

109
backend/tests/Unit/Administration/Application/Command/InviteUser/InviteUserHandlerTest.php Normal file
View File

@@ -0,0 +1,109 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\InviteUser;
use App\Administration\Application\Command\InviteUser\InviteUserCommand;
use App\Administration\Application\Command\InviteUser\InviteUserHandler;
use App\Administration\Domain\Exception\EmailDejaUtiliseeException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class InviteUserHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string SCHOOL_NAME = 'École Alpha';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private InviteUserHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$this->handler = new InviteUserHandler($this->userRepository, $this->clock);
}
#[Test]
public function invitesUserSuccessfully(): void
{
$command = new InviteUserCommand(
tenantId: self::TENANT_ID,
schoolName: self::SCHOOL_NAME,
email: 'teacher@example.com',
role: Role::PROF->value,
firstName: 'Jean',
lastName: 'Dupont',
);
$user = ($this->handler)($command);
self::assertSame(StatutCompte::EN_ATTENTE, $user->statut);
self::assertSame('Jean', $user->firstName);
self::assertSame('Dupont', $user->lastName);
self::assertSame('teacher@example.com', (string) $user->email);
self::assertNotNull($user->invitedAt);
}
#[Test]
public function throwsWhenEmailAlreadyUsedInTenant(): void
{
// Pre-populate with existing user
$existingUser = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Existing',
lastName: 'User',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($existingUser);
$command = new InviteUserCommand(
tenantId: self::TENANT_ID,
schoolName: self::SCHOOL_NAME,
email: 'teacher@example.com',
role: Role::PROF->value,
firstName: 'Jean',
lastName: 'Dupont',
);
$this->expectException(EmailDejaUtiliseeException::class);
($this->handler)($command);
}
#[Test]
public function savesUserToRepository(): void
{
$command = new InviteUserCommand(
tenantId: self::TENANT_ID,
schoolName: self::SCHOOL_NAME,
email: 'teacher@example.com',
role: Role::PROF->value,
firstName: 'Jean',
lastName: 'Dupont',
);
$user = ($this->handler)($command);
$found = $this->userRepository->get($user->id);
self::assertSame((string) $user->id, (string) $found->id);
}
}

96
backend/tests/Unit/Administration/Application/Command/ResendInvitation/ResendInvitationHandlerTest.php Normal file
View File

@@ -0,0 +1,96 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\ResendInvitation;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationCommand;
use App\Administration\Application\Command\ResendInvitation\ResendInvitationHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class ResendInvitationHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private ResendInvitationHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-14 10:00:00');
}
};
$this->handler = new ResendInvitationHandler($this->userRepository, $this->clock);
}
#[Test]
public function resendsInvitationSuccessfully(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($user);
$command = new ResendInvitationCommand(userId: (string) $user->id);
($this->handler)($command);
$updated = $this->userRepository->get($user->id);
self::assertEquals(new DateTimeImmutable('2026-02-14 10:00:00'), $updated->invitedAt);
}
#[Test]
public function throwsWhenUserIsActive(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($user);
$this->expectException(UtilisateurDejaInviteException::class);
($this->handler)(new ResendInvitationCommand(userId: (string) $user->id));
}
#[Test]
public function throwsWhenUserNotFound(): void
{
$this->expectException(UserNotFoundException::class);
($this->handler)(new ResendInvitationCommand(userId: (string) UserId::generate()));
}
}

107
backend/tests/Unit/Administration/Application/Command/UnblockUser/UnblockUserHandlerTest.php Normal file
View File

@@ -0,0 +1,107 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Command\UnblockUser;
use App\Administration\Application\Command\UnblockUser\UnblockUserCommand;
use App\Administration\Application\Command\UnblockUser\UnblockUserHandler;
use App\Administration\Domain\Exception\UserNotFoundException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class UnblockUserHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private UnblockUserHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-12 10:00:00');
}
};
$this->handler = new UnblockUserHandler($this->userRepository, $this->clock);
}
#[Test]
public function unblocksUserSuccessfully(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Comportement inapproprié', new DateTimeImmutable('2026-02-10 15:00:00'));
$this->userRepository->save($user);
$command = new UnblockUserCommand(
userId: (string) $user->id,
);
($this->handler)($command);
$updated = $this->userRepository->get($user->id);
self::assertSame(StatutCompte::ACTIF, $updated->statut);
self::assertNull($updated->blockedAt);
self::assertNull($updated->blockedReason);
}
#[Test]
public function throwsWhenUserNotSuspendu(): void
{
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($user);
$this->expectException(UtilisateurNonDeblocableException::class);
($this->handler)(new UnblockUserCommand(userId: (string) $user->id));
}
#[Test]
public function throwsWhenUserNotFound(): void
{
$this->expectException(UserNotFoundException::class);
($this->handler)(new UnblockUserCommand(userId: (string) UserId::generate()));
}
}

174
backend/tests/Unit/Administration/Application/Query/GetUsers/GetUsersHandlerTest.php Normal file
View File

@@ -0,0 +1,174 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Application\Query\GetUsers;
use App\Administration\Application\Query\GetUsers\GetUsersHandler;
use App\Administration\Application\Query\GetUsers\GetUsersQuery;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Policy\ConsentementParentalPolicy;
use App\Administration\Infrastructure\Persistence\InMemory\InMemoryUserRepository;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class GetUsersHandlerTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string OTHER_TENANT_ID = '550e8400-e29b-41d4-a716-446655440099';
private InMemoryUserRepository $userRepository;
private Clock $clock;
private GetUsersHandler $handler;
protected function setUp(): void
{
$this->userRepository = new InMemoryUserRepository();
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$this->handler = new GetUsersHandler($this->userRepository, $this->clock);
}
#[Test]
public function returnsAllUsersForTenant(): void
{
$this->seedUsers();
$query = new GetUsersQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(3, $result);
}
#[Test]
public function filtersUsersByRole(): void
{
$this->seedUsers();
$query = new GetUsersQuery(
tenantId: self::TENANT_ID,
role: Role::PROF->value,
);
$result = ($this->handler)($query);
self::assertCount(2, $result);
foreach ($result as $dto) {
self::assertSame(Role::PROF->value, $dto->role);
}
}
#[Test]
public function filtersUsersByStatut(): void
{
$this->seedUsers();
$query = new GetUsersQuery(
tenantId: self::TENANT_ID,
statut: 'pending',
);
$result = ($this->handler)($query);
self::assertCount(2, $result);
foreach ($result as $dto) {
self::assertSame('pending', $dto->statut);
}
}
#[Test]
public function excludesUsersFromOtherTenants(): void
{
$this->seedUsers();
// Add user to different tenant
$otherUser = User::inviter(
email: new Email('other@example.com'),
role: Role::ADMIN,
tenantId: TenantId::fromString(self::OTHER_TENANT_ID),
schoolName: 'Autre École',
firstName: 'Autre',
lastName: 'User',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($otherUser);
$query = new GetUsersQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(3, $result);
}
#[Test]
public function calculatesInvitationExpiree(): void
{
// Invited 10 days ago — should be expired
$user = User::inviter(
email: new Email('old@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: 'École Alpha',
firstName: 'Old',
lastName: 'Invitation',
invitedAt: new DateTimeImmutable('2026-01-25 10:00:00'),
);
$this->userRepository->save($user);
$query = new GetUsersQuery(tenantId: self::TENANT_ID);
$result = ($this->handler)($query);
self::assertCount(1, $result);
self::assertTrue($result[0]->invitationExpiree);
}
private function seedUsers(): void
{
$tenantId = TenantId::fromString(self::TENANT_ID);
$teacher1 = User::inviter(
email: new Email('teacher1@example.com'),
role: Role::PROF,
tenantId: $tenantId,
schoolName: 'École Alpha',
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($teacher1);
$teacher2 = User::inviter(
email: new Email('teacher2@example.com'),
role: Role::PROF,
tenantId: $tenantId,
schoolName: 'École Alpha',
firstName: 'Marie',
lastName: 'Martin',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
// Activate teacher2
$teacher2->activer(
'$argon2id$hashed',
new DateTimeImmutable('2026-02-02 10:00:00'),
new ConsentementParentalPolicy($this->clock),
);
$this->userRepository->save($teacher2);
$parent = User::inviter(
email: new Email('parent@example.com'),
role: Role::PARENT,
tenantId: $tenantId,
schoolName: 'École Alpha',
firstName: 'Pierre',
lastName: 'Parent',
invitedAt: new DateTimeImmutable('2026-02-01 10:00:00'),
);
$this->userRepository->save($parent);
}
}

323
backend/tests/Unit/Administration/Domain/Model/User/UserInvitationTest.php Normal file
View File

@@ -0,0 +1,323 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Domain\Model\User;
use App\Administration\Domain\Event\InvitationRenvoyee;
use App\Administration\Domain\Event\UtilisateurBloque;
use App\Administration\Domain\Event\UtilisateurDebloque;
use App\Administration\Domain\Event\UtilisateurInvite;
use App\Administration\Domain\Exception\UtilisateurDejaInviteException;
use App\Administration\Domain\Exception\UtilisateurNonBlocableException;
use App\Administration\Domain\Exception\UtilisateurNonDeblocableException;
use App\Administration\Domain\Model\User\Email;
use App\Administration\Domain\Model\User\Role;
use App\Administration\Domain\Model\User\StatutCompte;
use App\Administration\Domain\Model\User\User;
use App\Administration\Domain\Model\User\UserId;
use App\Shared\Domain\Clock;
use App\Shared\Domain\Tenant\TenantId;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
final class UserInvitationTest extends TestCase
{
private const string TENANT_ID = '550e8400-e29b-41d4-a716-446655440002';
private const string SCHOOL_NAME = 'École Alpha';
private Clock $clock;
protected function setUp(): void
{
$this->clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
}
#[Test]
public function inviterCreatesUserWithPendingStatusAndRecordsInvitedAt(): void
{
$invitedAt = new DateTimeImmutable('2026-02-07 10:00:00');
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: $invitedAt,
);
self::assertSame(StatutCompte::EN_ATTENTE, $user->statut);
self::assertSame('Jean', $user->firstName);
self::assertSame('Dupont', $user->lastName);
self::assertEquals($invitedAt, $user->invitedAt);
self::assertNull($user->hashedPassword);
self::assertNull($user->activatedAt);
self::assertNull($user->blockedAt);
self::assertNull($user->blockedReason);
}
#[Test]
public function inviterRecordsUtilisateurInviteEvent(): void
{
$user = $this->inviteUser();
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(UtilisateurInvite::class, $events[0]);
}
#[Test]
public function renvoyerInvitationUpdatesInvitedAtAndRecordsEvent(): void
{
$user = $this->inviteUser();
$user->pullDomainEvents();
$newInvitedAt = new DateTimeImmutable('2026-02-14 10:00:00');
$user->renvoyerInvitation($newInvitedAt);
self::assertEquals($newInvitedAt, $user->invitedAt);
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(InvitationRenvoyee::class, $events[0]);
}
#[Test]
public function renvoyerInvitationThrowsWhenUserIsActive(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$this->expectException(UtilisateurDejaInviteException::class);
$user->renvoyerInvitation(new DateTimeImmutable('2026-02-14 10:00:00'));
}
#[Test]
public function bloquerSetsStatusToSuspenduWithReasonAndDate(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->pullDomainEvents();
$blockedAt = new DateTimeImmutable('2026-02-10 15:00:00');
$user->bloquer('Comportement inapproprié', $blockedAt);
self::assertSame(StatutCompte::SUSPENDU, $user->statut);
self::assertEquals($blockedAt, $user->blockedAt);
self::assertSame('Comportement inapproprié', $user->blockedReason);
self::assertFalse($user->peutSeConnecter());
}
#[Test]
public function bloquerRecordsUtilisateurBloqueEvent(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->pullDomainEvents();
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(UtilisateurBloque::class, $events[0]);
}
#[Test]
public function bloquerThrowsWhenAlreadySuspendu(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Première raison', new DateTimeImmutable('2026-02-10 15:00:00'));
$this->expectException(UtilisateurNonBlocableException::class);
$user->bloquer('Seconde raison', new DateTimeImmutable('2026-02-11 15:00:00'));
}
#[Test]
public function bloquerThrowsWhenEnAttente(): void
{
$user = $this->inviteUser();
$this->expectException(UtilisateurNonBlocableException::class);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
}
#[Test]
public function bloquerThrowsWhenConsentementRequis(): void
{
$user = User::reconstitute(
id: UserId::generate(),
email: new Email('minor@example.com'),
role: Role::ELEVE,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
statut: StatutCompte::CONSENTEMENT_REQUIS,
dateNaissance: new DateTimeImmutable('2015-01-01'),
createdAt: new DateTimeImmutable('2026-02-01 10:00:00'),
hashedPassword: null,
activatedAt: null,
consentementParental: null,
);
$this->expectException(UtilisateurNonBlocableException::class);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
}
#[Test]
public function debloquerRestoresActiveStatusAndClearsBlockedInfo(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
$user->pullDomainEvents();
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
self::assertSame(StatutCompte::ACTIF, $user->statut);
self::assertNull($user->blockedAt);
self::assertNull($user->blockedReason);
}
#[Test]
public function debloquerRecordsUtilisateurDebloqueEvent(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$user->bloquer('Raison de test', new DateTimeImmutable('2026-02-10 15:00:00'));
$user->pullDomainEvents();
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
$events = $user->pullDomainEvents();
self::assertCount(1, $events);
self::assertInstanceOf(UtilisateurDebloque::class, $events[0]);
}
#[Test]
public function debloquerThrowsWhenNotSuspendu(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
$this->expectException(UtilisateurNonDeblocableException::class);
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
}
#[Test]
public function debloquerThrowsWhenEnAttente(): void
{
$user = $this->inviteUser();
$this->expectException(UtilisateurNonDeblocableException::class);
$user->debloquer(new DateTimeImmutable('2026-02-12 10:00:00'));
}
#[Test]
public function estInvitationExpireeReturnsTrueAfter7Days(): void
{
$invitedAt = new DateTimeImmutable('2026-01-30 10:00:00');
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: $invitedAt,
);
// 8 jours après
$checkAt = new DateTimeImmutable('2026-02-07 10:00:01');
self::assertTrue($user->estInvitationExpiree($checkAt));
}
#[Test]
public function estInvitationExpireeReturnsFalseWithin7Days(): void
{
$invitedAt = new DateTimeImmutable('2026-02-05 10:00:00');
$user = User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: $invitedAt,
);
// 2 jours après
$checkAt = new DateTimeImmutable('2026-02-07 10:00:00');
self::assertFalse($user->estInvitationExpiree($checkAt));
}
#[Test]
public function estInvitationExpireeReturnsFalseForActiveUser(): void
{
$user = $this->inviteUser();
$user->activer(
'$argon2id$hashed',
new DateTimeImmutable(),
new \App\Administration\Domain\Policy\ConsentementParentalPolicy($this->clock),
);
// Même longtemps après, un utilisateur actif n'a pas d'invitation expirée
$checkAt = new DateTimeImmutable('2027-01-01 10:00:00');
self::assertFalse($user->estInvitationExpiree($checkAt));
}
private function inviteUser(): User
{
return User::inviter(
email: new Email('teacher@example.com'),
role: Role::PROF,
tenantId: TenantId::fromString(self::TENANT_ID),
schoolName: self::SCHOOL_NAME,
firstName: 'Jean',
lastName: 'Dupont',
invitedAt: new DateTimeImmutable('2026-02-07 10:00:00'),
);
}
}

5
backend/tests/Unit/Administration/Infrastructure/Api/Processor/ActivateAccountProcessorTest.php
View File

@@ -172,6 +172,11 @@ final class ActivateAccountProcessorTest extends TestCase
{
throw UserNotFoundException::withId($id);
}
public function findAllByTenant(TenantId $tenantId): array
{
return [];
}
};
$consentementPolicy = new ConsentementParentalPolicy($this->clock);

17
backend/tests/Unit/Administration/Infrastructure/Security/DatabaseUserProviderTest.php
View File

@@ -23,6 +23,7 @@ use PHPUnit\Framework\TestCase;
use stdClass;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
final class DatabaseUserProviderTest extends TestCase
@@ -83,6 +84,22 @@ final class DatabaseUserProviderTest extends TestCase
$provider->loadUserByIdentifier('user@example.com');
}
#[Test]
public function loadUserByIdentifierThrowsAccountStatusExceptionForSuspendedUser(): void
{
$tenantId = TenantId::fromString(self::TENANT_ALPHA_ID);
$domainUser = $this->createUser($tenantId, StatutCompte::SUSPENDU, hashedPassword: '$argon2id$hash');
$repository = $this->createMock(UserRepository::class);
$repository->method('findByEmail')->willReturn($domainUser);
$provider = $this->createProvider($repository, 'ecole-alpha.classeo.local');
$this->expectException(CustomUserMessageAccountStatusException::class);
$provider->loadUserByIdentifier('user@example.com');
}
#[Test]
public function loadUserByIdentifierThrowsForUnknownTenant(): void
{

101
backend/tests/Unit/Administration/Infrastructure/Security/LoginFailureHandlerTest.php Normal file
View File

@@ -0,0 +1,101 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Security;
use App\Administration\Infrastructure\Security\LoginFailureHandler;
use App\Shared\Domain\Clock;
use App\Shared\Infrastructure\Monitoring\MetricsCollector;
use App\Shared\Infrastructure\RateLimit\LoginRateLimiterInterface;
use App\Shared\Infrastructure\RateLimit\LoginRateLimitResult;
use App\Shared\Infrastructure\Tenant\TenantContext;
use App\Shared\Infrastructure\Tenant\TenantNotFoundException;
use App\Shared\Infrastructure\Tenant\TenantResolver;
use DateTimeImmutable;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Prometheus\CollectorRegistry;
use Prometheus\Storage\InMemory;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Messenger\Envelope;
use Symfony\Component\Messenger\MessageBusInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
final class LoginFailureHandlerTest extends TestCase
{
private function createMetricsCollector(): MetricsCollector
{
return new MetricsCollector(
new CollectorRegistry(new InMemory()),
new TenantContext(),
);
}
#[Test]
public function suspendedAccountReturns403WithoutRateLimiting(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->expects(self::never())->method('recordFailure');
$eventBus = $this->createMock(MessageBusInterface::class);
$eventBus->expects(self::never())->method('dispatch');
$clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$tenantResolver = $this->createMock(TenantResolver::class);
$handler = new LoginFailureHandler($rateLimiter, $eventBus, $clock, $tenantResolver, $this->createMetricsCollector());
$request = Request::create('/api/login', 'POST', [], [], [], [], json_encode(['email' => 'blocked@example.com', 'password' => 'test']));
$exception = new CustomUserMessageAccountStatusException('Votre compte a été suspendu. Contactez votre établissement.');
$response = $handler->onAuthenticationFailure($request, $exception);
self::assertSame(403, $response->getStatusCode());
$data = json_decode($response->getContent(), true);
self::assertSame('/errors/account-suspended', $data['type']);
self::assertSame('Compte suspendu', $data['title']);
}
#[Test]
public function standardFailureReturns401WithRateLimiting(): void
{
$rateLimiter = $this->createMock(LoginRateLimiterInterface::class);
$rateLimiter->expects(self::once())
->method('recordFailure')
->willReturn(LoginRateLimitResult::allowed(1, 0, false));
$eventBus = $this->createMock(MessageBusInterface::class);
$eventBus->method('dispatch')->willReturnCallback(
static fn (object $message) => new Envelope($message),
);
$clock = new class implements Clock {
public function now(): DateTimeImmutable
{
return new DateTimeImmutable('2026-02-07 10:00:00');
}
};
$tenantResolver = $this->createMock(TenantResolver::class);
$tenantResolver->method('resolve')->willThrowException(TenantNotFoundException::withSubdomain('unknown'));
$handler = new LoginFailureHandler($rateLimiter, $eventBus, $clock, $tenantResolver, $this->createMetricsCollector());
$request = Request::create('/api/login', 'POST', [], [], [], [], json_encode(['email' => 'user@example.com', 'password' => 'wrong']));
$exception = new AuthenticationException('Invalid credentials.');
$response = $handler->onAuthenticationFailure($request, $exception);
self::assertSame(401, $response->getStatusCode());
$data = json_decode($response->getContent(), true);
self::assertSame('/errors/authentication-failed', $data['type']);
}
}

134
backend/tests/Unit/Administration/Infrastructure/Security/UserVoterTest.php Normal file
View File

@@ -0,0 +1,134 @@
<?php
declare(strict_types=1);
namespace App\Tests\Unit\Administration\Infrastructure\Security;
use App\Administration\Infrastructure\Security\UserVoter;
use PHPUnit\Framework\Attributes\Test;
use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\User\UserInterface;
final class UserVoterTest extends TestCase
{
private UserVoter $voter;
protected function setUp(): void
{
$this->voter = new UserVoter();
}
#[Test]
public function itAbstainsForUnrelatedAttributes(): void
{
$user = $this->createMock(UserInterface::class);
$user->method('getRoles')->willReturn(['ROLE_ADMIN']);
$token = $this->createMock(TokenInterface::class);
$token->method('getUser')->willReturn($user);
$result = $this->voter->vote($token, null, ['SOME_OTHER_ATTRIBUTE']);
self::assertSame(UserVoter::ACCESS_ABSTAIN, $result);
}
#[Test]
public function itDeniesAccessToUnauthenticatedUsers(): void
{
$token = $this->createMock(TokenInterface::class);
$token->method('getUser')->willReturn(null);
$result = $this->voter->vote($token, null, [UserVoter::VIEW]);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsViewToSuperAdmin(): void
{
$result = $this->voteWithRole('ROLE_SUPER_ADMIN', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itGrantsViewToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itGrantsViewToSecretariat(): void
{
$result = $this->voteWithRole('ROLE_SECRETARIAT', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesViewToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itDeniesViewToParent(): void
{
$result = $this->voteWithRole('ROLE_PARENT', UserVoter::VIEW);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsCreateToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::CREATE);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesCreateToSecretariat(): void
{
$result = $this->voteWithRole('ROLE_SECRETARIAT', UserVoter::CREATE);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsBlockToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::BLOCK);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesBlockToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::BLOCK);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
#[Test]
public function itGrantsUnblockToAdmin(): void
{
$result = $this->voteWithRole('ROLE_ADMIN', UserVoter::UNBLOCK);
self::assertSame(UserVoter::ACCESS_GRANTED, $result);
}
#[Test]
public function itDeniesUnblockToProf(): void
{
$result = $this->voteWithRole('ROLE_PROF', UserVoter::UNBLOCK);
self::assertSame(UserVoter::ACCESS_DENIED, $result);
}
private function voteWithRole(string $role, string $attribute): int
{
$user = $this->createMock(UserInterface::class);
$user->method('getRoles')->willReturn([$role]);
$token = $this->createMock(TokenInterface::class);
$token->method('getUser')->willReturn($user);
return $this->voter->vote($token, null, [$attribute]);
}
}