giles
3b782eba8a
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 36s
identity_tokens:grants_for(Subject) lists a subject's active grants as
[{Client, Scope}] (revoked excluded), exposed through the facade as
identity:grants(Subject). Completes the per-subject account-security trio:
sessions (where logged in), grants (which apps have access), history (what
happened). New tests/account.sx. Conformance internal timeout raised to
1200s (22 suites, ~10min — run in background). 229/229.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
75 lines
3.0 KiB
Plaintext
75 lines
3.0 KiB
Plaintext
;; identity/tests/account.sx — \"apps with access\": per-subject active-grant
|
|
;; listing, at the token registry (grants_for) and through the facade
|
|
;; (identity:grants). Completes the per-subject security trio with sessions
|
|
;; and history.
|
|
|
|
(define id-acct-test-count 0)
|
|
(define id-acct-test-pass 0)
|
|
(define id-acct-test-fails (list))
|
|
|
|
(define
|
|
id-acct-test
|
|
(fn
|
|
(name actual expected)
|
|
(set! id-acct-test-count (+ id-acct-test-count 1))
|
|
(if
|
|
(= actual expected)
|
|
(set! id-acct-test-pass (+ id-acct-test-pass 1))
|
|
(append! id-acct-test-fails {:name name :expected expected :actual actual}))))
|
|
|
|
(define ida-ev erlang-eval-ast)
|
|
(define idanm (fn (v) (get v :name)))
|
|
|
|
(identity-load-all!)
|
|
|
|
;; ── token-level grants_for ───────────────────────────────────────
|
|
|
|
(id-acct-test
|
|
"grants_for lists a subject's active grants"
|
|
(ida-ev
|
|
"R = identity_tokens:start(),\n identity_tokens:issue(R, alice, web, read),\n identity_tokens:issue(R, alice, cli, write),\n identity_tokens:issue(R, bob, web, read),\n length(identity_tokens:grants_for(R, alice))")
|
|
2)
|
|
|
|
(id-acct-test
|
|
"grants_for excludes revoked grants"
|
|
(ida-ev
|
|
"R = identity_tokens:start(),\n {ok, A} = identity_tokens:issue(R, alice, web, read),\n identity_tokens:issue(R, alice, cli, write),\n identity_tokens:revoke(R, A),\n length(identity_tokens:grants_for(R, alice))")
|
|
1)
|
|
|
|
(id-acct-test
|
|
"grants_for is empty for a subject with none"
|
|
(ida-ev
|
|
"R = identity_tokens:start(),\n identity_tokens:issue(R, alice, web, read),\n length(identity_tokens:grants_for(R, ghost))")
|
|
0)
|
|
|
|
(id-acct-test
|
|
"each grant entry carries the client"
|
|
(idanm
|
|
(ida-ev
|
|
"R = identity_tokens:start(),\n identity_tokens:issue(R, alice, web, read),\n case identity_tokens:grants_for(R, alice) of\n [{Client, _Scope}] -> Client;\n _ -> other\n end"))
|
|
"web")
|
|
|
|
;; ── facade-level grants ──────────────────────────────────────────
|
|
|
|
(id-acct-test
|
|
"identity:grants lists apps a subject has logged into"
|
|
(ida-ev
|
|
"Svc = identity:start(),\n identity:login(Svc, alice, web, read),\n identity:login(Svc, alice, mobile, read),\n length(identity:grants(Svc, alice))")
|
|
2)
|
|
|
|
(id-acct-test
|
|
"revoking a token drops it from identity:grants"
|
|
(ida-ev
|
|
"Svc = identity:start(),\n {ok, _S1, T1} = identity:login(Svc, alice, web, read),\n identity:login(Svc, alice, mobile, read),\n identity:revoke(Svc, T1),\n length(identity:grants(Svc, alice))")
|
|
1)
|
|
|
|
(id-acct-test
|
|
"identity:grants is per-subject"
|
|
(ida-ev
|
|
"Svc = identity:start(),\n identity:login(Svc, alice, web, read),\n identity:login(Svc, bob, web, read),\n length(identity:grants(Svc, bob))")
|
|
1)
|
|
|
|
(define
|
|
id-acct-test-summary
|
|
(str "account " id-acct-test-pass "/" id-acct-test-count))
|