;; identity/tests/dynreg.sx — dynamic client registration (RFC 7591): the
;; server generates the client_id + secret for self-service onboarding.

(define id-dyn-test-count 0)
(define id-dyn-test-pass 0)
(define id-dyn-test-fails (list))

(define
  id-dyn-test
  (fn
    (name actual expected)
    (set! id-dyn-test-count (+ id-dyn-test-count 1))
    (if
      (= actual expected)
      (set! id-dyn-test-pass (+ id-dyn-test-pass 1))
      (append! id-dyn-test-fails {:name name :expected expected :actual actual}))))

(define idd-ev erlang-eval-ast)
(define iddnm (fn (v) (get v :name)))

(identity-load-oauth!)

;; ── self-service registration yields usable credentials ──────────

(id-dyn-test
  "a dynamically registered confidential client can get a token"
  (iddnm
    (idd-ev
      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, Cid, Sec, batch),\n       case identity_oauth:introspect(O, T) of\n         {active, _, _, _} -> active;\n         {inactive} -> inactive\n       end"))
  "active")

(id-dyn-test
  "the token's subject is the generated client id"
  (iddnm
    (idd-ev
      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, T} = identity_oauth:client_credentials(O, Cid, Sec, batch),\n       case identity_oauth:introspect(O, T) of\n         {active, Sub, _, _} ->\n           case Sub =:= Cid of true -> matches; false -> mismatch end;\n         {inactive} -> inactive\n       end"))
  "matches")

;; ── the generated secret is required ─────────────────────────────

(id-dyn-test
  "a wrong secret for a dynamic client is invalid_client"
  (iddnm
    (idd-ev
      "O = identity_oauth:start(),\n       {ok, Cid, _Sec} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       case identity_oauth:client_credentials(O, Cid, wrongsecret, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
  "invalid_client")

;; ── uniqueness ───────────────────────────────────────────────────

(id-dyn-test
  "two registrations yield distinct client ids"
  (iddnm
    (idd-ev
      "O = identity_oauth:start(),\n       {ok, C1, _} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       {ok, C2, _} = identity_oauth:register_dynamic(O, confidential, [uri1]),\n       case C1 =:= C2 of true -> collision; false -> distinct end"))
  "distinct")

;; ── a dynamic public client still cannot use client-credentials ──

(id-dyn-test
  "a dynamic public client is unauthorized for client-credentials"
  (iddnm
    (idd-ev
      "O = identity_oauth:start(),\n       {ok, Cid, Sec} = identity_oauth:register_dynamic(O, public, [uri1]),\n       case identity_oauth:client_credentials(O, Cid, Sec, batch) of\n         {ok, _} -> issued;\n         {error, W} -> W\n       end"))
  "unauthorized_client")

(define
  id-dyn-test-summary
  (str "dynreg " id-dyn-test-pass "/" id-dyn-test-count))