flex-auth/internal/audit/log_test.go

package audit_test

import (
	"path/filepath"
	"testing"

	"github.com/netkingdom/flex-auth/internal/audit"
	"github.com/netkingdom/flex-auth/pkg/api"
)

func TestJSONLDecisionLogRoundTripsDecisions(t *testing.T) {
	log := audit.NewJSONLDecisionLog(filepath.Join(t.TempDir(), "decisions.jsonl"))

	first := api.DecisionEnvelope{
		ID:     "decision:allow",
		Effect: api.DecisionEffectAllow,
		Reason: "reader_relation",
		Subject: api.SubjectRef{
			ID: "user:alice",
		},
		Resource: api.ResourceRef{
			ID: "document:internal-note",
		},
		Provenance: api.DecisionProvenance{
			Evaluator: "flex-auth/local",
			Mode:      "standalone",
		},
	}
	second := first
	second.ID = "decision:deny"
	second.Effect = api.DecisionEffectDeny
	second.Reason = "no_matching_rule"

	if err := log.Append(first); err != nil {
		t.Fatalf("Append first: %v", err)
	}
	if err := log.Append(second); err != nil {
		t.Fatalf("Append second: %v", err)
	}

	got, err := log.ReadAll()
	if err != nil {
		t.Fatalf("ReadAll: %v", err)
	}
	if len(got) != 2 {
		t.Fatalf("len(got) = %d; want 2", len(got))
	}
	if got[0].ID != first.ID || got[1].ID != second.ID {
		t.Fatalf("ids = %q/%q; want %q/%q", got[0].ID, got[1].ID, first.ID, second.ID)
	}

	found, ok, err := log.Find("decision:deny")
	if err != nil {
		t.Fatalf("Find: %v", err)
	}
	if !ok || found.Effect != api.DecisionEffectDeny {
		t.Fatalf("Find decision:deny = %+v, %v; want deny", found, ok)
	}
}