using BuildingBlock.Identity.Contracts.Requests;
using BuildingBlock.Identity.Contracts.Conventions;
using Thalos.Domain.Contracts;
using Thalos.Domain.Decisions;

namespace Thalos.Domain.UnitTests;

/// <summary>
/// Unit tests for <see cref="IdentityPolicyDecisionService"/>.Evaluate.
/// Each case pairs a request with a context whose granted-permission set is chosen to
/// drive exactly one allow/deny outcome; only <c>IsAllowed</c> on the response is asserted.
/// </summary>
/// <remarks>
/// NOTE(review): every case passes <c>true</c> as the fourth context argument (the flag the
/// first test's name calls "context satisfied"). The deny path for an unsatisfied context is
/// therefore not pinned by this class — add a case with <c>false</c> once the flag's exact
/// meaning is confirmed against <c>IdentityPolicyContextData</c>.
/// </remarks>
public class IdentityPolicyDecisionServiceTests
{
    /// <summary>
    /// Evaluates <paramref name="request"/> against a fresh service instance, using a context
    /// that echoes the request's subject, permission code and provider, sets the context flag
    /// to <c>true</c>, and grants exactly <paramref name="grantedPermissions"/>.
    /// </summary>
    /// <returns>The <c>IsAllowed</c> value of the decision.</returns>
    private static bool IsAllowed(EvaluateIdentityPolicyRequest request, params string[] grantedPermissions)
    {
        var sut = new IdentityPolicyDecisionService();

        // Spread into a collection expression so the target type stays whatever the
        // context record declares for its permission set.
        var context = new IdentityPolicyContextData(
            request.SubjectId,
            request.PermissionCode,
            request.Provider,
            true,
            [.. grantedPermissions]);

        var decision = sut.Evaluate(request, context);
        return decision.IsAllowed;
    }

    /// <summary>Internal JWT subject whose granted set contains the requested code is allowed.</summary>
    [Fact]
    public void Evaluate_WhenPermissionMatchedAndContextSatisfied_ReturnsAllowed()
    {
        var request = new EvaluateIdentityPolicyRequest(
            "user-1", "tenant-1", "identity.token.issue", IdentityAuthProvider.InternalJwt);

        // Requested code is present alongside an unrelated grant.
        var allowed = IsAllowed(request, "identity.token.issue", "identity.policy.evaluate");

        Assert.True(allowed);
    }

    /// <summary>Same subject and provider, but the granted set lacks the requested code: denied.</summary>
    [Fact]
    public void Evaluate_WhenPermissionMissing_ReturnsDenied()
    {
        var request = new EvaluateIdentityPolicyRequest(
            "user-1", "tenant-1", "identity.token.issue", IdentityAuthProvider.InternalJwt);

        // Only a different code is granted; nothing else about the context changes.
        var allowed = IsAllowed(request, "identity.read");

        Assert.False(allowed);
    }

    /// <summary>
    /// External provider (AzureAd) requesting a code outside the identity namespace is denied
    /// even though that code is present in the granted set — per the test name, the prefix
    /// rule, not the grant lookup, is what drives the denial here.
    /// </summary>
    [Fact]
    public void Evaluate_WhenProviderIsExternalAndPermissionPrefixInvalid_ReturnsDenied()
    {
        var request = new EvaluateIdentityPolicyRequest(
            "user-2", "tenant-2", "catalog.read", IdentityAuthProvider.AzureAd);

        // Grant matches the request exactly, isolating the provider/prefix check.
        var allowed = IsAllowed(request, "catalog.read");

        Assert.False(allowed);
    }
}