;; identity/tests/federation.sx — federated identity: trust-gated,
;; advisory peer assertions + cross-instance subject mapping.
;;
;; Each case evaluates a small Erlang snippet against a fresh
;; identity_federation:start() state and compares the name of the result
;; with an expected string. The cases pin three properties:
;;   1. assertions are only accepted from peers that are currently trusted;
;;   2. an accepted assertion stays labelled with the peer that made it;
;;   3. the same remote name from different peers does not collapse into
;;      one subject unless an explicit map says so.

;; Harness state: number of cases run, number passed, and the failure records.
(define id-fed-test-count 0)
(define id-fed-test-pass 0)
(define id-fed-test-fails (list))

;; Record one test case.
;;   name     — human-readable description of the case
;;   actual   — value produced by the code under test
;;   expected — value it is compared against with `=`
;; Always increments the run counter; on a match increments the pass counter,
;; otherwise appends a {:name :expected :actual} record to id-fed-test-fails.
(define id-fed-test
  (fn (name actual expected)
    (set! id-fed-test-count (+ id-fed-test-count 1))
    (if (= actual expected)
      (set! id-fed-test-pass (+ id-fed-test-pass 1))
      (append! id-fed-test-fails {:name name :expected expected :actual actual}))))

;; Short alias for the Erlang evaluator (erlang-eval-ast is defined elsewhere).
(define idf-ev erlang-eval-ast)

;; Extract the :name field of an evaluation result. Every case below compares
;; it with a string, so this is presumably the printed name of the returned
;; Erlang atom — TODO confirm against erlang-eval-ast.
(define idfnm (fn (v) (get v :name)))

;; Defined elsewhere; presumably makes the identity_federation module
;; available to the evaluator — confirm.
(identity-load-federation!)

;; ── trust gating ─────────────────────────────────────────────────
;; Default-deny: a fresh state has no trust call applied, and assert_id from
;; peer1 must come back as {error, untrusted}.

(id-fed-test
  "an assertion from an untrusted peer is rejected"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n case identity_federation:assert_id(F, peer1, alice) of\n {ok, _} -> accepted;\n {error, Why} -> Why\n end"))
  "untrusted")

;; After trust(F, peer1) the same assertion returns {ok, _}.
(id-fed-test
  "a trusted peer's assertion is accepted"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n identity_federation:trust(F, peer1),\n case identity_federation:assert_id(F, peer1, alice) of\n {ok, _} -> accepted;\n {error, Why} -> Why\n end"))
  "accepted")

;; Revocation: trust followed by untrust must leave the peer rejected again.
;; NOTE(review): this covers assertions made after untrust only. Nothing in
;; this file checks what happens to a subject that was asserted while the
;; peer was still trusted — confirm whether that is covered elsewhere.
(id-fed-test
  "untrust closes the door to future assertions"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n identity_federation:trust(F, peer1),\n identity_federation:untrust(F, peer1),\n case identity_federation:assert_id(F, peer1, alice) of\n {ok, _} -> accepted;\n {error, Why} -> Why\n end"))
  "untrusted")

;; trusted/2 reports membership: true for the peer that was trusted ...
(id-fed-test
  "trusted? is true for a trusted peer"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n identity_federation:trust(F, peer1),\n case identity_federation:trusted(F, peer1) of\n true -> yes;\n false -> no\n end"))
  "yes")

;; ... and false for a different peer, i.e. trusting peer1 does not extend
;; trust to peer2.
(id-fed-test
  "trusted? is false for an unknown peer"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n identity_federation:trust(F, peer1),\n case identity_federation:trusted(F, peer2) of\n true -> yes;\n false -> no\n end"))
  "no")

;; ── advisory provenance ──────────────────────────────────────────
;; provenance/2 lets a consumer tell a peer-vouched subject from a local one.

;; The subject returned by an accepted assertion reports
;; {peer_asserted, Peer}, with Peer being the asserting peer.
(id-fed-test
  "an asserted identity is flagged peer_asserted with its origin"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n identity_federation:trust(F, peer1),\n {ok, L} = identity_federation:assert_id(F, peer1, alice),\n case identity_federation:provenance(F, L) of\n {peer_asserted, P} -> P;\n {local} -> local\n end"))
  "peer1")

;; A subject that was never asserted by a peer reports {local}.
(id-fed-test
  "a non-federated subject has local provenance"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n case identity_federation:provenance(F, alice) of\n {peer_asserted, _} -> peer_asserted;\n {local} -> local\n end"))
  "local")

;; ── cross-instance subject mapping ───────────────────────────────
;; resolve/3 is called here without any trust call, so these two cases
;; exercise the mapping alone, not the trust gate.

;; Without an explicit map, resolve yields {ok, {federated, _, Remote}}.
;; Only the third element (the remote name) is checked here; the second
;; element is ignored by the pattern.
(id-fed-test
  "remote subjects are namespaced by peer by default"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n case identity_federation:resolve(F, peer1, alice) of\n {ok, {federated, _, Remote}} -> Remote;\n _ -> other\n end"))
  "alice")

;; The same remote name resolved for peer1 and peer2 must not compare equal
;; (=:=), so one peer cannot speak for another peer's `alice`.
(id-fed-test
  "the same remote name from two peers maps to distinct subjects"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n {ok, L1} = identity_federation:resolve(F, peer1, alice),\n {ok, L2} = identity_federation:resolve(F, peer2, alice),\n case L1 =:= L2 of\n true -> collision;\n false -> distinct\n end"))
  "distinct")

;; With map(F, peer1, alice, alice_local) in place, a trusted assertion of
;; alice returns the mapped name alice_local.
(id-fed-test
  "an explicit map aliases a remote subject to a local one"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n identity_federation:trust(F, peer1),\n identity_federation:map(F, peer1, alice, alice_local),\n case identity_federation:assert_id(F, peer1, alice) of\n {ok, alice_local} -> mapped;\n {ok, _} -> unmapped;\n {error, W} -> W\n end"))
  "mapped")

;; Aliasing does not turn a peer assertion into a local identity: after the
;; mapped assertion, provenance of alice_local is still {peer_asserted, peer1}.
;; NOTE(review): alice_local is not created as a local subject beforehand in
;; this snippet; behaviour when the alias target already exists locally is
;; not shown here — confirm.
(id-fed-test
  "a mapped subject keeps peer_asserted provenance"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n identity_federation:trust(F, peer1),\n identity_federation:map(F, peer1, alice, alice_local),\n identity_federation:assert_id(F, peer1, alice),\n case identity_federation:provenance(F, alice_local) of\n {peer_asserted, P} -> P;\n {local} -> local\n end"))
  "peer1")

;; A later assertion of the same remote name by peer2 must not overwrite the
;; provenance recorded for peer1's subject: L1 still reports peer1.
(id-fed-test
  "two peers asserting same name keep separate provenance"
  (idfnm
    (idf-ev
      "F = identity_federation:start(),\n identity_federation:trust(F, peer1),\n identity_federation:trust(F, peer2),\n {ok, L1} = identity_federation:assert_id(F, peer1, alice),\n {ok, _L2} = identity_federation:assert_id(F, peer2, alice),\n case identity_federation:provenance(F, L1) of\n {peer_asserted, P} -> P;\n {local} -> local\n end"))
  "peer1")

;; One-line result string, "federation <passed>/<run>".
(define id-fed-test-summary
  (str "federation " id-fed-test-pass "/" id-fed-test-count))