identity: "apps with access" — per-subject active-grant listing (+7 tests)
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 36s
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 36s
identity_tokens:grants_for(Subject) lists a subject's active grants as
[{Client, Scope}] (revoked excluded), exposed through the facade as
identity:grants(Subject). Completes the per-subject account-security trio:
sessions (where logged in), grants (which apps have access), history (what
happened). New tests/account.sx. Conformance internal timeout raised to
1200s (22 suites, ~10min — run in background). 229/229.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
74
lib/identity/tests/account.sx
Normal file
74
lib/identity/tests/account.sx
Normal file
@@ -0,0 +1,74 @@
|
||||
;; identity/tests/account.sx — \"apps with access\": per-subject active-grant
|
||||
;; listing, at the token registry (grants_for) and through the facade
|
||||
;; (identity:grants). Completes the per-subject security trio with sessions
|
||||
;; and history.
|
||||
|
||||
(define id-acct-test-count 0)
|
||||
(define id-acct-test-pass 0)
|
||||
(define id-acct-test-fails (list))
|
||||
|
||||
(define
|
||||
id-acct-test
|
||||
(fn
|
||||
(name actual expected)
|
||||
(set! id-acct-test-count (+ id-acct-test-count 1))
|
||||
(if
|
||||
(= actual expected)
|
||||
(set! id-acct-test-pass (+ id-acct-test-pass 1))
|
||||
(append! id-acct-test-fails {:name name :expected expected :actual actual}))))
|
||||
|
||||
(define ida-ev erlang-eval-ast)
|
||||
(define idanm (fn (v) (get v :name)))
|
||||
|
||||
(identity-load-all!)
|
||||
|
||||
;; ── token-level grants_for ───────────────────────────────────────
|
||||
|
||||
(id-acct-test
|
||||
"grants_for lists a subject's active grants"
|
||||
(ida-ev
|
||||
"R = identity_tokens:start(),\n identity_tokens:issue(R, alice, web, read),\n identity_tokens:issue(R, alice, cli, write),\n identity_tokens:issue(R, bob, web, read),\n length(identity_tokens:grants_for(R, alice))")
|
||||
2)
|
||||
|
||||
(id-acct-test
|
||||
"grants_for excludes revoked grants"
|
||||
(ida-ev
|
||||
"R = identity_tokens:start(),\n {ok, A} = identity_tokens:issue(R, alice, web, read),\n identity_tokens:issue(R, alice, cli, write),\n identity_tokens:revoke(R, A),\n length(identity_tokens:grants_for(R, alice))")
|
||||
1)
|
||||
|
||||
(id-acct-test
|
||||
"grants_for is empty for a subject with none"
|
||||
(ida-ev
|
||||
"R = identity_tokens:start(),\n identity_tokens:issue(R, alice, web, read),\n length(identity_tokens:grants_for(R, ghost))")
|
||||
0)
|
||||
|
||||
(id-acct-test
|
||||
"each grant entry carries the client"
|
||||
(idanm
|
||||
(ida-ev
|
||||
"R = identity_tokens:start(),\n identity_tokens:issue(R, alice, web, read),\n case identity_tokens:grants_for(R, alice) of\n [{Client, _Scope}] -> Client;\n _ -> other\n end"))
|
||||
"web")
|
||||
|
||||
;; ── facade-level grants ──────────────────────────────────────────
|
||||
|
||||
(id-acct-test
|
||||
"identity:grants lists apps a subject has logged into"
|
||||
(ida-ev
|
||||
"Svc = identity:start(),\n identity:login(Svc, alice, web, read),\n identity:login(Svc, alice, mobile, read),\n length(identity:grants(Svc, alice))")
|
||||
2)
|
||||
|
||||
(id-acct-test
|
||||
"revoking a token drops it from identity:grants"
|
||||
(ida-ev
|
||||
"Svc = identity:start(),\n {ok, _S1, T1} = identity:login(Svc, alice, web, read),\n identity:login(Svc, alice, mobile, read),\n identity:revoke(Svc, T1),\n length(identity:grants(Svc, alice))")
|
||||
1)
|
||||
|
||||
(id-acct-test
|
||||
"identity:grants is per-subject"
|
||||
(ida-ev
|
||||
"Svc = identity:start(),\n identity:login(Svc, alice, web, read),\n identity:login(Svc, bob, web, read),\n length(identity:grants(Svc, bob))")
|
||||
1)
|
||||
|
||||
(define
|
||||
id-acct-test-summary
|
||||
(str "account " id-acct-test-pass "/" id-acct-test-count))
|
||||
Reference in New Issue
Block a user