MALIO-DEV/Lesstime
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 32 Wiki Activity

Migration modular monolith DDD (0.1 → 3.3) (#17)
Auto Tag Develop / tag (push) Successful in 9s
Details

Browse Source 
## Migration modular monolith DDD — Lesstime (0.1 → 3.3)

Cette MR regroupe l'intégralité de la refonte en monolithe modulaire (strangler progressif, additif). Elle remplace les MR stackées de Phase 1 (#12–#16), désormais incluses ici.

**Ne pas merger avant validation fonctionnelle** : branche destinée à être testée telle quelle.

### Périmètre — 9 modules sous `src/Module/`
| Phase | Module | Contenu |
|------|--------|---------|
| 0.1 | (socle) | infrastructure modulaire, `ModuleInterface`, mapping Doctrine par module |
| 0.2 | (socle front) | auto-détection des layers Nuxt sous `frontend/modules/*` |
| 1.1 | **Core** | Identité (User/Auth), Notifications, Notifier |
| 1.2 | Core | RBAC fin (permissions `module.resource.action`, sidebar gated) |
| 1.3 | Core | Audit log (`#[Auditable]`, listener, provider DBAL) |
| 2.1 | **TimeTracking** | TimeEntry + MCP + export |
| 2.2 | **ProjectManagement** | cœur métier Projets/Tâches + 38 MCP tools |
| 2.3 | **Absence** | demandes, soldes, policies, justificatifs |
| 2.4 | **Directory** | Clients (migrés) + **Prospects** (nouveau, conversion → Client) |
| 2.5 | **Mail** | intégration IMAP OVH + liens tâches |
| 2.6 | **Integration** | Gitea / BookStack / Zimbra / Share |
| 3.1 | **Reporting** | rapports transverses (DBAL read-only, 0 import inter-module) |
| 3.2 | **ClientPortal** | portail client (ROLE_CLIENT cloisonné, tickets, notifications) |
| 3.3 | (finition) | nettoyage legacy — `src/Entity` vide, app 100% modulaire |

### Architecture
- Découplage inter-modules par **contrats** (`UserInterface`, `ProjectInterface`, `TaskInterface`, `TaskTagInterface`, `ClientInterface`, `ClientTicketInterface`, `LeaveProfileInterface`) + `resolve_target_entities` 100% modulaire (aucune cible legacy).
- Repositories : interface `Domain/Repository` + implémentation `Infrastructure/Doctrine`, bindées.
- Reporting en DBAL read-only pur (aucun import d'entité d'un autre module).
- Chaque migration de module : déplacement à comportement préservé (API publique et noms d'outils MCP inchangés), migrations **additives** uniquement (zéro destructif).

### Sécurité
- ROLE_CLIENT cloisonné : un utilisateur client n'accède qu'à `/portal` et à ses propres tickets (filtrés par `allowedProjects`), interdit sur toute l'API interne.
- Correctif : interdiction pour un client de créer un lien vers le partage SMB (upload uniquement).

### QA non-régression (branche reconstruite from scratch)
- Migrations from scratch + fixtures : OK.
- Compilation dev + prod : OK.
- **180 tests PHPUnit verts**, php-cs-fixer clean, ~96 routes, **66 outils MCP** tous sous `App\Module\*`.
- Smoke test runtime multi-rôles (admin / ROLE_USER / ROLE_CLIENT) : 44 vérifications HTTP, **0 écart**, cloisonnement client étanche.
- Build Nuxt OK, 9 layers, 0 import legacy résiduel.

### Points à arbitrer (hors périmètre de cette migration)
- Durcissement MCP/IDOR pré-existant (`userId` explicite sans scoping sur certains tools TimeTracking/Absence/TaskDocument) — ticket dédié recommandé.
- Validation fonctionnelle de **Prospect** et **ClientPortal** (conçus depuis les specs disque).
- **Harmonisation visuelle Malio finale** (3.3) — finition esthétique inter-modules laissée au PO.

---

## ⚠️ Déploiement / migration des données — à ne pas oublier

### 1. Resynchroniser les séquences PostgreSQL après tout import/restore de dump
Si la prod (ou tout environnement) est **montée depuis un dump** (`pg_restore` / `COPY`), les lignes sont chargées avec leurs `id` explicites **sans avancer les séquences** → au premier `INSERT` : `duplicate key value violates unique constraint "..._pkey"` (constaté en local sur `notification`, `task`, `time_entry`…).

À lancer **juste après chaque restore/import** :

```sql
DO $$
DECLARE r RECORD; maxid BIGINT; seq TEXT;
BEGIN
  FOR r IN SELECT table_name, column_name FROM information_schema.columns WHERE table_schema='public'
  LOOP
    seq := pg_get_serial_sequence(quote_ident(r.table_name), r.column_name);
    IF seq IS NOT NULL THEN
      EXECUTE format('SELECT COALESCE(MAX(%I),0) FROM %I', r.column_name, r.table_name) INTO maxid;
      PERFORM setval(seq, GREATEST(maxid,1), maxid > 0);
    END IF;
  END LOOP;
END $$;
```

> Ne concerne **pas** une prod qui tourne déjà (séquences avancées organiquement) — uniquement le cas restore/import. Idempotent, sans risque.

### 2. Fix dénormalisation des collections typées-contrat (code, inclus dans la branche)
Les relations **to-many** typées par une interface `Shared\Domain\Contract\*` (`TimeEntry::tags` → `TaskTagInterface`, `Task::collaborators` → `UserInterface`) étaient **indénormalisables par API Platform** (mono-valué OK via IRI, collection KO) → **tout POST/PATCH portant une telle collection renvoyait 400/500**. Corrigé par un dénormaliseur générique `ContractRelationDenormalizer` (réutilise `resolve_target_entities`, zéro couplage par-entité) + test fonctionnel de non-régression.

---------

Co-authored-by: Matthieu <contact@malio.fr>
Reviewed-on: #17
This commit was merged in pull request #17.
This commit is contained in:
THOLOT DECHENE Matthieu
2026-06-23 13:50:42 +00:00
parent d0a49322e1
commit 8313c759c6
622 changed files with 24802 additions and 2864 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Functional/Module/Core/AuditListenerTest.php
+108
View File
@@ -0,0 +1,108 @@
<?php
declare(strict_types=1);
namespace App\Tests\Functional\Module\Core;
use App\Module\Core\Domain\Entity\User;
use Doctrine\DBAL\Connection;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
/**
* @internal
*/
final class AuditListenerTest extends KernelTestCase
{
private EntityManagerInterface $em;
private Connection $auditConnection;
protected function setUp(): void
{
self::bootKernel();
$container = self::getContainer();
$this->em = $container->get(EntityManagerInterface::class);
$this->auditConnection = $container->get('doctrine.dbal.audit_connection');
// Clean slate for deterministic assertions: these tests are not wrapped
// in a rolled-back transaction, so remove any leftover rows from a
// previous run before each test.
$this->em->getConnection()->executeStatement("DELETE FROM \"user\" WHERE username LIKE 'audit\\_%'");
$this->auditConnection->executeStatement('DELETE FROM audit_log');
}
protected function tearDown(): void
{
parent::tearDown();
unset($this->em, $this->auditConnection);
}
public function testCreateUserIsAudited(): void
{
$user = $this->makeUser('audit_create_user');
$this->em->persist($user);
$this->em->flush();
$rows = $this->fetchLogs('core.User', (string) $user->getId());
self::assertCount(1, $rows);
self::assertSame('create', $rows[0]['action']);
$changes = json_decode((string) $rows[0]['changes'], true);
self::assertArrayHasKey('username', $changes);
self::assertArrayNotHasKey('password', $changes, 'password must be excluded via #[AuditIgnore]');
self::assertArrayNotHasKey('apiToken', $changes, 'apiToken must be excluded via #[AuditIgnore]');
}
public function testUpdateUserIsAuditedWithDiff(): void
{
$user = $this->makeUser('audit_update_user');
$this->em->persist($user);
$this->em->flush();
$this->auditConnection->executeStatement('DELETE FROM audit_log');
$user->setFirstName('Changed');
$this->em->flush();
$rows = $this->fetchLogs('core.User', (string) $user->getId());
self::assertCount(1, $rows);
self::assertSame('update', $rows[0]['action']);
$changes = json_decode((string) $rows[0]['changes'], true);
self::assertArrayHasKey('firstName', $changes);
self::assertSame('Changed', $changes['firstName']['new']);
}
public function testDeleteUserIsAudited(): void
{
$user = $this->makeUser('audit_delete_user');
$this->em->persist($user);
$this->em->flush();
$id = (string) $user->getId();
$this->auditConnection->executeStatement('DELETE FROM audit_log');
$this->em->remove($user);
$this->em->flush();
$rows = $this->fetchLogs('core.User', $id);
self::assertCount(1, $rows);
self::assertSame('delete', $rows[0]['action']);
}
private function makeUser(string $username): User
{
$user = new User();
$user->setUsername($username);
$user->setPassword('hashed-secret');
$user->setRoles(['ROLE_USER']);
return $user;
}
/**
* @return list<array<string, mixed>>
*/
private function fetchLogs(string $entityType, string $entityId): array
{
return $this->auditConnection->fetchAllAssociative(
'SELECT action, changes FROM audit_log WHERE entity_type = :t AND entity_id = :id ORDER BY performed_at ASC',
['t' => $entityType, 'id' => $entityId],
);
}
}
tests/Functional/Module/Core/AuditLogApiTest.php
+140
View File
@@ -0,0 +1,140 @@
<?php
declare(strict_types=1);
namespace App\Tests\Functional\Module\Core;
use App\Module\Core\Domain\Entity\User;
use Doctrine\DBAL\Connection;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\KernelBrowser;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use Symfony\Component\Uid\Uuid;
/**
* @internal
*/
final class AuditLogApiTest extends WebTestCase
{
public function testGetCollectionRequiresAuthentication(): void
{
$client = self::createClient();
$this->seedAuditLog();
$client->request('GET', '/api/audit-logs');
self::assertResponseStatusCodeSame(401);
}
public function testUserWithoutPermissionIsForbidden(): void
{
$client = self::createClient();
$this->seedAuditLog();
$this->loginUser($client, 'alice');
$client->request('GET', '/api/audit-logs');
self::assertResponseStatusCodeSame(403);
}
public function testAdminCanListAuditLogs(): void
{
$client = self::createClient();
$this->seedAuditLog();
$this->loginUser($client, 'admin');
$client->request('GET', '/api/audit-logs');
self::assertResponseIsSuccessful();
$data = json_decode($client->getResponse()->getContent(), true);
self::assertArrayHasKey('member', $data);
self::assertArrayHasKey('totalItems', $data);
self::assertGreaterThanOrEqual(3, $data['totalItems']);
}
public function testFilterByActionReturnsOnlyMatchingEntries(): void
{
$client = self::createClient();
$this->seedAuditLog();
$this->loginUser($client, 'admin');
$client->request('GET', '/api/audit-logs?action=update');
self::assertResponseIsSuccessful();
$data = json_decode($client->getResponse()->getContent(), true);
self::assertNotEmpty($data['member']);
foreach ($data['member'] as $entry) {
self::assertSame('update', $entry['action']);
}
}
public function testFilterByEntityType(): void
{
$client = self::createClient();
$this->seedAuditLog();
$this->loginUser($client, 'admin');
$client->request('GET', '/api/audit-logs?entity_type=core.User');
self::assertResponseIsSuccessful();
$data = json_decode($client->getResponse()->getContent(), true);
self::assertNotEmpty($data['member']);
foreach ($data['member'] as $entry) {
self::assertSame('core.User', $entry['entityType']);
}
}
public function testInvalidActionFilterIsRejected(): void
{
$client = self::createClient();
$this->seedAuditLog();
$this->loginUser($client, 'admin');
$client->request('GET', '/api/audit-logs?action=bogus');
self::assertResponseStatusCodeSame(400);
}
/**
* Insert deterministic audit rows directly through the audit connection.
*
* The table audit_log has no ORM entity (written via raw DBAL), so we
* clean and seed it via the dedicated connection. These tests are not
* wrapped in a rolled-back transaction, hence the upfront DELETE.
*/
private function seedAuditLog(): void
{
/** @var Connection $audit */
$audit = self::getContainer()->get('doctrine.dbal.audit_connection');
$audit->executeStatement('DELETE FROM audit_log');
$rows = [
['core.User', 'create', '{"username":"seed-create"}'],
['core.User', 'update', '{"firstName":{"old":"a","new":"b"}}'],
['core.Role', 'delete', '{}'],
];
$performedAt = '2026-04-22 10:00:00';
foreach ($rows as $i => [$entityType, $action, $changes]) {
$audit->insert('audit_log', [
'id' => Uuid::v7()->toRfc4122(),
'entity_type' => $entityType,
'entity_id' => (string) ($i + 1),
'action' => $action,
'changes' => $changes,
'performed_by' => 'admin',
'performed_at' => $performedAt,
'ip_address' => '127.0.0.1',
'request_id' => 'req-'.$i,
]);
}
}
private function loginUser(KernelBrowser $client, string $username): void
{
$em = self::getContainer()->get(EntityManagerInterface::class);
$user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
self::assertInstanceOf(User::class, $user);
$client->loginUser($user);
}
}
tests/Functional/Module/Core/NotifierTest.php
+35
View File
@@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
namespace App\Tests\Functional\Module\Core;
use App\Module\Core\Domain\Entity\User;
use App\Shared\Domain\Contract\NotifierInterface;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
/**
* @internal
*/
final class NotifierTest extends KernelTestCase
{
public function testNotifyPersistsANotificationForTheUser(): void
{
self::bootKernel();
$em = self::getContainer()->get(EntityManagerInterface::class);
$notifier = self::getContainer()->get(NotifierInterface::class);
$user = $em->getRepository(User::class)->findOneBy(['username' => 'alice']);
self::assertNotNull($user);
$title = 'Titre-'.uniqid('', true);
$notifier->notify($user, 'task_assigned', $title, 'Message');
$count = (int) $em->createQuery(
'SELECT COUNT(n.id) FROM App\Module\Core\Domain\Entity\Notification n WHERE n.user = :u AND n.title = :t'
)->setParameter('u', $user)->setParameter('t', $title)->getSingleScalarResult();
self::assertSame(1, $count);
}
}
tests/Functional/Module/Core/RoleApiTest.php
+79
View File
@@ -0,0 +1,79 @@
<?php
declare(strict_types=1);
namespace App\Tests\Functional\Module\Core;
use App\Module\Core\Domain\Entity\Role;
use App\Module\Core\Domain\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\KernelBrowser;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
/**
* @internal
*/
final class RoleApiTest extends WebTestCase
{
public function testGetCollectionRequiresAuthentication(): void
{
$client = self::createClient();
$client->request('GET', '/api/roles');
self::assertResponseStatusCodeSame(401);
}
public function testAdminCanListRoles(): void
{
$client = self::createClient();
$this->loginAdmin($client);
$client->request('GET', '/api/roles');
self::assertResponseIsSuccessful();
$data = json_decode($client->getResponse()->getContent(), true);
self::assertArrayHasKey('member', $data);
}
public function testAdminCanCreateRole(): void
{
$client = self::createClient();
$this->loginAdmin($client);
$code = 'bureau_'.uniqid();
$client->request('POST', '/api/roles', server: [
'CONTENT_TYPE' => 'application/ld+json',
], content: json_encode(['code' => $code, 'label' => 'Bureau']));
self::assertResponseStatusCodeSame(201);
$data = json_decode($client->getResponse()->getContent(), true);
self::assertSame($code, $data['code']);
self::assertSame('Bureau', $data['label']);
self::assertFalse($data['isSystem']);
}
public function testDeletingSystemRoleIsForbidden(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
$systemRole = new Role('sys_'.uniqid(), 'System role', 'Rôle système', true);
$em->persist($systemRole);
$em->flush();
$id = $systemRole->getId();
$this->loginAdmin($client);
$client->request('DELETE', '/api/roles/'.$id);
self::assertResponseStatusCodeSame(403);
}
private function loginAdmin(KernelBrowser $client): void
{
$em = self::getContainer()->get(EntityManagerInterface::class);
$user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
self::assertInstanceOf(User::class, $user);
$client->loginUser($user);
}
}
tests/Functional/Module/Core/SeedRbacCommandTest.php
+35
View File
@@ -0,0 +1,35 @@
<?php
declare(strict_types=1);
namespace App\Tests\Functional\Module\Core;
use App\Module\Core\Domain\Repository\RoleRepositoryInterface;
use App\Module\Core\Domain\Security\SystemRoles;
use Symfony\Bundle\FrameworkBundle\Console\Application;
use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
use Symfony\Component\Console\Tester\CommandTester;
/**
* @internal
*/
final class SeedRbacCommandTest extends KernelTestCase
{
public function testSeedsSystemRolesIdempotently(): void
{
$kernel = self::bootKernel();
$app = new Application($kernel);
$tester = new CommandTester($app->find('app:seed-rbac'));
$tester->execute([]);
$tester->assertCommandIsSuccessful();
$tester->execute([]); // idempotent
$tester->assertCommandIsSuccessful();
$repo = self::getContainer()->get(RoleRepositoryInterface::class);
$admin = $repo->findByCode(SystemRoles::ADMIN_CODE);
self::assertNotNull($admin);
self::assertTrue($admin->isSystem());
self::assertNotNull($repo->findByCode(SystemRoles::USER_CODE));
}
}
tests/Functional/Module/Core/SyncPermissionsCommandTest.php
+29
View File
@@ -0,0 +1,29 @@
<?php
declare(strict_types=1);
namespace App\Tests\Functional\Module\Core;
use App\Module\Core\Domain\Repository\PermissionRepositoryInterface;
use Symfony\Bundle\FrameworkBundle\Console\Application;
use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
use Symfony\Component\Console\Tester\CommandTester;
/**
* @internal
*/
final class SyncPermissionsCommandTest extends KernelTestCase
{
public function testSyncCreatesCorePermissions(): void
{
$kernel = self::bootKernel();
$app = new Application($kernel);
$tester = new CommandTester($app->find('app:sync-permissions'));
$tester->execute([]);
$tester->assertCommandIsSuccessful();
$repo = self::getContainer()->get(PermissionRepositoryInterface::class);
self::assertNotNull($repo->findByCode('core.users.manage'));
self::assertContains('core.roles.manage', $repo->findAllCodes());
}
}
tests/Functional/Module/Core/UserRbacApiTest.php
+134
View File
@@ -0,0 +1,134 @@
<?php
declare(strict_types=1);
namespace App\Tests\Functional\Module\Core;
use App\Module\Core\Domain\Entity\Permission;
use App\Module\Core\Domain\Entity\Role;
use App\Module\Core\Domain\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\KernelBrowser;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
/**
* @internal
*/
final class UserRbacApiTest extends WebTestCase
{
public function testAdminCanReadUserRbac(): void
{
$client = self::createClient();
$this->loginAdmin($client);
$aliceId = $this->userId('alice');
$client->request('GET', '/api/users/'.$aliceId.'/rbac');
self::assertResponseIsSuccessful();
$data = json_decode($client->getResponse()->getContent(), true);
self::assertArrayHasKey('rbacRoles', $data);
self::assertArrayHasKey('directPermissions', $data);
self::assertArrayHasKey('effectivePermissions', $data);
}
public function testRbacRequiresAuthentication(): void
{
$client = self::createClient();
$aliceId = $this->userId('alice');
$client->request('GET', '/api/users/'.$aliceId.'/rbac');
self::assertResponseStatusCodeSame(401);
}
public function testAdminCanAssignRoleViaPatch(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
$roleCode = 'reviewer_'.uniqid();
$role = new Role($roleCode, 'Reviewer');
$em->persist($role);
$target = $this->createUser($em, 'rbac-assign-'.uniqid());
$em->flush();
$roleId = $role->getId();
$targetId = $target->getId();
$this->loginAdmin($client);
$client->request('PATCH', '/api/users/'.$targetId.'/rbac', server: [
'CONTENT_TYPE' => 'application/merge-patch+json',
], content: json_encode(['rbacRoles' => ['/api/roles/'.$roleId]]));
self::assertResponseIsSuccessful();
$data = json_decode($client->getResponse()->getContent(), true);
self::assertCount(1, $data['rbacRoles']);
$em->clear();
$reloaded = $em->getRepository(User::class)->find($targetId);
self::assertCount(1, $reloaded->getRbacRoles());
self::assertSame($roleCode, $reloaded->getRbacRoles()->first()->getCode());
}
public function testPartialPatchDoesNotWipeOtherCollection(): void
{
$client = self::createClient();
$em = self::getContainer()->get(EntityManagerInterface::class);
$permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'core.users.view']);
self::assertInstanceOf(Permission::class, $permission);
$role = new Role('auditor_'.uniqid(), 'Auditor');
$em->persist($role);
// Dedicated user pre-loaded with a direct permission.
$target = $this->createUser($em, 'rbac-partial-'.uniqid());
$target->addDirectPermission($permission);
$em->flush();
$roleId = $role->getId();
$targetId = $target->getId();
$this->loginAdmin($client);
// PATCH only rbacRoles — directPermissions is absent from the payload.
$client->request('PATCH', '/api/users/'.$targetId.'/rbac', server: [
'CONTENT_TYPE' => 'application/merge-patch+json',
], content: json_encode(['rbacRoles' => ['/api/roles/'.$roleId]]));
self::assertResponseIsSuccessful();
$em->clear();
$reloaded = $em->getRepository(User::class)->find($targetId);
self::assertCount(1, $reloaded->getRbacRoles(), 'Role should have been assigned');
self::assertCount(1, $reloaded->getDirectPermissions(), 'Direct permission must not be wiped by a partial PATCH');
}
private function createUser(EntityManagerInterface $em, string $username): User
{
$user = new User();
$user->setUsername($username);
$user->setPassword('x');
$user->setRoles(['ROLE_USER']);
$em->persist($user);
return $user;
}
private function loginAdmin(KernelBrowser $client): void
{
$em = self::getContainer()->get(EntityManagerInterface::class);
$user = $em->getRepository(User::class)->findOneBy(['username' => 'admin']);
self::assertInstanceOf(User::class, $user);
$client->loginUser($user);
}
private function userId(string $username): int
{
$em = self::getContainer()->get(EntityManagerInterface::class);
$user = $em->getRepository(User::class)->findOneBy(['username' => $username]);
self::assertInstanceOf(User::class, $user);
return $user->getId();
}
}