test: add registration security conformance

2026-06-15 23:59:45 +02:00
parent aaefa48212
commit 2ceecf6463
10 changed files with 846 additions and 11 deletions
--- a/src/user_engine/testing/scenarios.py
+++ b/src/user_engine/testing/scenarios.py
@@ -26,7 +26,67 @@ SCENARIO_MATRIX = (
    "two_applications",
    "sensitive_redaction",
    "audit_event_replay",
+    "identity_canon_context",
    "family_dataspace_onboarding",
+    "registration_onboarding_full",
+    "prepared_account_claim",
+    "privileged_role_requires_approval",
+    "eid_assurance_registration",
+    "tenant_admin_invite",
+    "group_access_hat",
+    "denied_cross_tenant_claim",
+    "ui_registration_access_flow",
+)
+
+REGISTRATION_SCENARIO_MATRIX = (
+    {
+        "id": "self_registration",
+        "actor": "human",
+        "factors": ("email",),
+        "expects": ("registration.completed", "identity_context", "netkingdom_id"),
+    },
+    {
+        "id": "prepared_account_claim",
+        "actor": "human",
+        "factors": ("email",),
+        "expects": ("prepared_account.claimed", "membership", "onboarding_journey"),
+    },
+    {
+        "id": "privileged_role_requires_approval",
+        "actor": "human",
+        "factors": ("email",),
+        "expects": ("authorization_denied", "no_membership_mutation"),
+    },
+    {
+        "id": "eid_assurance_registration",
+        "actor": "human",
+        "factors": ("eid",),
+        "expects": ("registration.completed", "high_assurance_factor"),
+    },
+    {
+        "id": "family_invite",
+        "actor": "family-owner",
+        "factors": ("sso",),
+        "expects": ("family_invitation.accepted", "claims_projection"),
+    },
+    {
+        "id": "tenant_admin_invite",
+        "actor": "tenant-admin",
+        "factors": ("email",),
+        "expects": ("prepared_account.created", "tenant_diagnostics"),
+    },
+    {
+        "id": "group_access",
+        "actor": "human",
+        "factors": ("email",),
+        "expects": ("active_access_context", "access_control_fact"),
+    },
+    {
+        "id": "denied_cross_tenant_claim",
+        "actor": "human",
+        "factors": ("email",),
+        "expects": ("authorization_denied", "audit_record", "no_outbox_event"),
+    },
 )