generated from coulomb/repo-seed
112 lines
3.7 KiB
Go
112 lines
3.7 KiB
Go
package markitect_test
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/netkingdom/flex-auth/internal/markitect"
|
|
"github.com/netkingdom/flex-auth/pkg/api"
|
|
)
|
|
|
|
func TestGatewayDecisionAllowContract(t *testing.T) {
|
|
got := markitect.ToGatewayDecision(baseEnvelope(api.DecisionEffectAllow))
|
|
|
|
if got.Effect != markitect.GatewayEffectAllow {
|
|
t.Fatalf("Effect = %q; want allow", got.Effect)
|
|
}
|
|
if got.Reason != "reader_group" || got.RuleID != "reader_group" {
|
|
t.Fatalf("reason/rule = %q/%q; want reader_group", got.Reason, got.RuleID)
|
|
}
|
|
if got.PolicyVersion != "markitect-gateway-v1" {
|
|
t.Fatalf("PolicyVersion = %q", got.PolicyVersion)
|
|
}
|
|
if got.ResourceMetadata["trust_zone"] != "internal" {
|
|
t.Fatalf("ResourceMetadata = %+v; want trust_zone", got.ResourceMetadata)
|
|
}
|
|
if got.CaringDescriptor == nil || got.CaringDescriptor.CanonicalRole != api.CanonicalRoleDoer {
|
|
t.Fatalf("CaringDescriptor = %+v; want Doer descriptor", got.CaringDescriptor)
|
|
}
|
|
}
|
|
|
|
func TestGatewayDecisionDenyContract(t *testing.T) {
|
|
got := markitect.ToGatewayDecision(baseEnvelope(api.DecisionEffectDeny))
|
|
if got.Effect != markitect.GatewayEffectDeny {
|
|
t.Fatalf("Effect = %q; want deny", got.Effect)
|
|
}
|
|
}
|
|
|
|
func TestGatewayDecisionRedactContract(t *testing.T) {
|
|
envelope := baseEnvelope(api.DecisionEffectRedact)
|
|
envelope.Obligations = []api.Obligation{
|
|
{Type: "mask_fields", Parameters: map[string]any{"fields": []string{"email"}}},
|
|
}
|
|
|
|
got := markitect.ToGatewayDecision(envelope)
|
|
if got.Effect != markitect.GatewayEffectRedact {
|
|
t.Fatalf("Effect = %q; want redact", got.Effect)
|
|
}
|
|
if len(got.Obligations) != 1 || got.Obligations[0].Type != "mask_fields" {
|
|
t.Fatalf("Obligations = %+v; want mask_fields", got.Obligations)
|
|
}
|
|
}
|
|
|
|
func TestGatewayDecisionAuditDeniedContract(t *testing.T) {
|
|
envelope := baseEnvelope(api.DecisionEffectDeny)
|
|
envelope.Diagnostics["audit_denied"] = true
|
|
|
|
got := markitect.ToGatewayDecision(envelope)
|
|
if got.Effect != markitect.GatewayEffectAuditDenied {
|
|
t.Fatalf("Effect = %q; want audit_denied", got.Effect)
|
|
}
|
|
|
|
envelope = baseEnvelope(api.DecisionEffectAuditOnly)
|
|
got = markitect.ToGatewayDecision(envelope)
|
|
if got.Effect != markitect.GatewayEffectAuditDenied {
|
|
t.Fatalf("audit_only Effect = %q; want audit_denied", got.Effect)
|
|
}
|
|
}
|
|
|
|
func baseEnvelope(effect api.DecisionEffect) api.DecisionEnvelope {
|
|
return api.DecisionEnvelope{
|
|
ID: "decision:markitect",
|
|
Effect: effect,
|
|
Reason: "reader_group",
|
|
MatchedRule: "reader_group",
|
|
MatchedPolicyVersion: "markitect-gateway-v1",
|
|
Resource: api.ResourceRef{
|
|
ID: "document:internal-note",
|
|
Type: "document",
|
|
System: markitect.SystemID,
|
|
Attributes: map[string]any{
|
|
"trust_zone": "internal",
|
|
"labels": []string{"internal"},
|
|
},
|
|
},
|
|
Subject: api.SubjectRef{ID: "user:alice"},
|
|
Diagnostics: map[string]any{
|
|
"policy_package": "markitect.gateway.check-fixtures",
|
|
},
|
|
Provenance: api.DecisionProvenance{
|
|
PolicyVersion: "markitect-gateway-v1",
|
|
},
|
|
Caring: &api.CaringDecisionMetadata{
|
|
Descriptor: &api.CaringAccessDescriptor{
|
|
ID: "descriptor:internal-document-reader",
|
|
Profile: api.CaringProfileCaring040RC2,
|
|
SubjectType: api.SubjectTypeHuman,
|
|
OrganizationRelation: api.OrganizationRelationCustomer,
|
|
CanonicalRole: api.CanonicalRoleDoer,
|
|
Scope: api.CaringScope{
|
|
Level: api.ScopeLevelResource,
|
|
ID: "document:internal-note",
|
|
},
|
|
Planes: []api.Plane{api.PlaneData},
|
|
Capabilities: []api.Capability{api.CapabilityView},
|
|
},
|
|
ExposureModes: []api.ExposureMode{api.ExposureModeMasked},
|
|
ConformanceFindings: []api.CaringConformanceFinding{
|
|
{Code: "MARKITECT-INTERNAL-READER", Severity: "info", Message: "reader group matched"},
|
|
},
|
|
},
|
|
}
|
|
}
|