flex-auth/pkg/api/canonical_test.go

package api_test

import (
	"encoding/json"
	"os"
	"path/filepath"
	"testing"

	"gopkg.in/yaml.v3"

	"github.com/netkingdom/flex-auth/pkg/api"
)

func TestCaringAccessDescriptorExampleParses(t *testing.T) {
	var got api.CaringAccessDescriptor
	loadYAML(t, filepath.Join("..", "..", "examples", "caring", "access_descriptor.yaml"), &got)

	if got.Profile != api.CaringProfileCaring040RC2 {
		t.Fatalf("Profile = %q; want %q", got.Profile, api.CaringProfileCaring040RC2)
	}
	if got.CanonicalRole != api.CanonicalRoleDoer {
		t.Errorf("CanonicalRole = %q; want Doer", got.CanonicalRole)
	}
	if got.Scope.Level != api.ScopeLevelResource || got.Scope.Tenant != "tenant:alpha" {
		t.Errorf("Scope = %+v; want resource scope in tenant:alpha", got.Scope)
	}
	if len(got.Restrictions) != 1 || got.Restrictions[0] != api.RestrictionExportBlocked {
		t.Errorf("Restrictions = %v; want [ExportBlocked]", got.Restrictions)
	}
}

func TestCheckRequestExampleParses(t *testing.T) {
	var got api.CheckRequest
	loadYAML(t, filepath.Join("..", "..", "examples", "caring", "check_request.yaml"), &got)

	if got.Subject.ID != "user:alice" {
		t.Errorf("Subject.ID = %q; want user:alice", got.Subject.ID)
	}
	if got.Resource.ID != "document:internal-note" {
		t.Errorf("Resource.ID = %q; want document:internal-note", got.Resource.ID)
	}
	if got.CaringContext == nil {
		t.Fatal("CaringContext is nil")
	}
	if got.CaringContext.AccessPath != api.AccessPathDirect {
		t.Errorf("CaringContext.AccessPath = %q; want direct", got.CaringContext.AccessPath)
	}
}

func TestRegistryExamplesParse(t *testing.T) {
	var subjects api.SubjectManifest
	loadYAML(t, filepath.Join("..", "..", "examples", "caring", "subject_manifest.yaml"), &subjects)
	if len(subjects.Subjects) != 1 || subjects.Subjects[0].Type != api.SubjectTypeHuman {
		t.Fatalf("subjects did not parse as expected: %+v", subjects.Subjects)
	}

	var relationship api.RelationshipFact
	loadYAML(t, filepath.Join("..", "..", "examples", "caring", "relationship_fact.yaml"), &relationship)
	if relationship.Caring == nil {
		t.Fatal("RelationshipFact.Caring is nil")
	}
	if relationship.Caring.SubjectType != api.SubjectTypeGroup {
		t.Errorf("RelationshipFact.Caring.SubjectType = %q; want Group", relationship.Caring.SubjectType)
	}
}

func TestDecisionAndAuditExamplesParse(t *testing.T) {
	var decision api.DecisionEnvelope
	loadJSON(t, filepath.Join("..", "..", "examples", "caring", "decision_envelope.json"), &decision)
	if decision.Effect != api.DecisionEffectAllow {
		t.Errorf("Decision.Effect = %q; want allow", decision.Effect)
	}
	if decision.Caring == nil || decision.Caring.Profile != api.CaringProfileCaring040RC2 {
		t.Fatalf("Decision.Caring = %+v; want CARING profile metadata", decision.Caring)
	}
	if len(decision.Caring.ConformanceFindings) != 1 {
		t.Errorf("ConformanceFindings len = %d; want 1", len(decision.Caring.ConformanceFindings))
	}

	var audit api.AuditEvent
	loadJSON(t, filepath.Join("..", "..", "examples", "caring", "audit_event.json"), &audit)
	if audit.DecisionID != decision.ID {
		t.Errorf("Audit.DecisionID = %q; want %q", audit.DecisionID, decision.ID)
	}
}

func TestSchemaFilesAreJSON(t *testing.T) {
	schemaDir := filepath.Join("..", "..", "schemas")
	entries, err := os.ReadDir(schemaDir)
	if err != nil {
		t.Fatalf("read schema dir: %v", err)
	}

	for _, entry := range entries {
		if entry.IsDir() || filepath.Ext(entry.Name()) != ".json" {
			continue
		}
		t.Run(entry.Name(), func(t *testing.T) {
			var got map[string]any
			loadJSON(t, filepath.Join(schemaDir, entry.Name()), &got)
			if got["$schema"] == "" || got["$id"] == "" {
				t.Fatalf("%s missing $schema or $id", entry.Name())
			}
		})
	}
}

func loadYAML(t *testing.T, path string, out any) {
	t.Helper()

	data, err := os.ReadFile(path)
	if err != nil {
		t.Fatalf("read %s: %v", path, err)
	}
	if err := yaml.Unmarshal(data, out); err != nil {
		t.Fatalf("unmarshal %s: %v", path, err)
	}
}

func loadJSON(t *testing.T, path string, out any) {
	t.Helper()

	data, err := os.ReadFile(path)
	if err != nil {
		t.Fatalf("read %s: %v", path, err)
	}
	if err := json.Unmarshal(data, out); err != nil {
		t.Fatalf("unmarshal %s: %v", path, err)
	}
}