Add Markitect adapter contract tests

internal/markitect/decision_test.go

@@ -0,0 +1,111 @@
+package markitect_test
+
+import (
+	"testing"
+
+	"github.com/netkingdom/flex-auth/internal/markitect"
+	"github.com/netkingdom/flex-auth/pkg/api"
+)
+
+func TestGatewayDecisionAllowContract(t *testing.T) {
+	got := markitect.ToGatewayDecision(baseEnvelope(api.DecisionEffectAllow))
+
+	if got.Effect != markitect.GatewayEffectAllow {
+		t.Fatalf("Effect = %q; want allow", got.Effect)
+	}
+	if got.Reason != "reader_group" || got.RuleID != "reader_group" {
+		t.Fatalf("reason/rule = %q/%q; want reader_group", got.Reason, got.RuleID)
+	}
+	if got.PolicyVersion != "markitect-gateway-v1" {
+		t.Fatalf("PolicyVersion = %q", got.PolicyVersion)
+	}
+	if got.ResourceMetadata["trust_zone"] != "internal" {
+		t.Fatalf("ResourceMetadata = %+v; want trust_zone", got.ResourceMetadata)
+	}
+	if got.CaringDescriptor == nil || got.CaringDescriptor.CanonicalRole != api.CanonicalRoleDoer {
+		t.Fatalf("CaringDescriptor = %+v; want Doer descriptor", got.CaringDescriptor)
+	}
+}
+
+func TestGatewayDecisionDenyContract(t *testing.T) {
+	got := markitect.ToGatewayDecision(baseEnvelope(api.DecisionEffectDeny))
+	if got.Effect != markitect.GatewayEffectDeny {
+		t.Fatalf("Effect = %q; want deny", got.Effect)
+	}
+}
+
+func TestGatewayDecisionRedactContract(t *testing.T) {
+	envelope := baseEnvelope(api.DecisionEffectRedact)
+	envelope.Obligations = []api.Obligation{
+		{Type: "mask_fields", Parameters: map[string]any{"fields": []string{"email"}}},
+	}
+
+	got := markitect.ToGatewayDecision(envelope)
+	if got.Effect != markitect.GatewayEffectRedact {
+		t.Fatalf("Effect = %q; want redact", got.Effect)
+	}
+	if len(got.Obligations) != 1 || got.Obligations[0].Type != "mask_fields" {
+		t.Fatalf("Obligations = %+v; want mask_fields", got.Obligations)
+	}
+}
+
+func TestGatewayDecisionAuditDeniedContract(t *testing.T) {
+	envelope := baseEnvelope(api.DecisionEffectDeny)
+	envelope.Diagnostics["audit_denied"] = true
+
+	got := markitect.ToGatewayDecision(envelope)
+	if got.Effect != markitect.GatewayEffectAuditDenied {
+		t.Fatalf("Effect = %q; want audit_denied", got.Effect)
+	}
+
+	envelope = baseEnvelope(api.DecisionEffectAuditOnly)
+	got = markitect.ToGatewayDecision(envelope)
+	if got.Effect != markitect.GatewayEffectAuditDenied {
+		t.Fatalf("audit_only Effect = %q; want audit_denied", got.Effect)
+	}
+}
+
+func baseEnvelope(effect api.DecisionEffect) api.DecisionEnvelope {
+	return api.DecisionEnvelope{
+		ID:                   "decision:markitect",
+		Effect:               effect,
+		Reason:               "reader_group",
+		MatchedRule:          "reader_group",
+		MatchedPolicyVersion: "markitect-gateway-v1",
+		Resource: api.ResourceRef{
+			ID:     "document:internal-note",
+			Type:   "document",
+			System: markitect.SystemID,
+			Attributes: map[string]any{
+				"trust_zone": "internal",
+				"labels":     []string{"internal"},
+			},
+		},
+		Subject: api.SubjectRef{ID: "user:alice"},
+		Diagnostics: map[string]any{
+			"policy_package": "markitect.gateway.check-fixtures",
+		},
+		Provenance: api.DecisionProvenance{
+			PolicyVersion: "markitect-gateway-v1",
+		},
+		Caring: &api.CaringDecisionMetadata{
+			Descriptor: &api.CaringAccessDescriptor{
+				ID:                   "descriptor:internal-document-reader",
+				Profile:              api.CaringProfileCaring040RC2,
+				SubjectType:          api.SubjectTypeHuman,
+				OrganizationRelation: api.OrganizationRelationCustomer,
+				CanonicalRole:        api.CanonicalRoleDoer,
+				Scope: api.CaringScope{
+					Level: api.ScopeLevelResource,
+					ID:    "document:internal-note",
+				},
+				Planes:       []api.Plane{api.PlaneData},
+				Capabilities: []api.Capability{api.CapabilityView},
+			},
+			ExposureModes: []api.ExposureMode{api.ExposureModeMasked},
+			ConformanceFindings: []api.CaringConformanceFinding{
+				{Code: "MARKITECT-INTERNAL-READER", Severity: "info", Message: "reader group matched"},
+			},
+		},
+	}
+}