
package token
import (
"testing"
"time"
"atcr.io/pkg/auth"
)
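// TestNewClaims checks that NewClaims carries the subject, issuer, audience
// and access entry it is given into the returned claims, that the three time
// claims are populated, and that ExpiresAt lands within one second of
// now + expiration.
func TestNewClaims(t *testing.T) {
	subject := "did:plc:user123"
	issuer := "atcr.io"
	audience := "registry"
	expiration := 15 * time.Minute
	access := []auth.AccessEntry{
		{
			Type:    "repository",
			Name:    "alice/myapp",
			Actions: []string{"pull", "push"},
		},
	}

	// NOTE(review): AuthMethodOAuth is passed in but nothing below asserts
	// where it ends up; add a check once the claims field carrying the auth
	// method is confirmed.
	claims := NewClaims(subject, issuer, audience, expiration, access, AuthMethodOAuth)

	if claims.Subject != subject {
		t.Errorf("Expected subject %q, got %q", subject, claims.Subject)
	}
	if claims.Issuer != issuer {
		t.Errorf("Expected issuer %q, got %q", issuer, claims.Issuer)
	}
	if len(claims.Audience) != 1 || claims.Audience[0] != audience {
		t.Errorf("Expected audience [%q], got %v", audience, claims.Audience)
	}
	if claims.IssuedAt == nil {
		t.Error("Expected IssuedAt to be set")
	}
	if claims.NotBefore == nil {
		t.Error("Expected NotBefore to be set")
	}
	if claims.ExpiresAt == nil {
		// Fatal rather than Error: the expiry comparison below dereferences
		// ExpiresAt, so continuing would panic instead of reporting a failure.
		t.Fatal("Expected ExpiresAt to be set")
	}

	// Check expiration is approximately correct (within 1 second).
	expectedExpiry := time.Now().Add(expiration)
	actualExpiry := claims.ExpiresAt.Time
	diff := actualExpiry.Sub(expectedExpiry)
	if diff < -time.Second || diff > time.Second {
		t.Errorf("Expected expiry around %v, got %v (diff: %v)", expectedExpiry, actualExpiry, diff)
	}

	// Stop here on a wrong entry count so the indexing below is always safe.
	if len(claims.Access) != 1 {
		t.Fatalf("Expected 1 access entry, got %d", len(claims.Access))
	}
	entry := claims.Access[0]
	if entry.Type != "repository" {
		t.Errorf("Expected type %q, got %q", "repository", entry.Type)
	}
	if entry.Name != "alice/myapp" {
		t.Errorf("Expected name %q, got %q", "alice/myapp", entry.Name)
	}

	// The granted actions are the scope of the token, so assert them too;
	// a widened or dropped action would otherwise pass this test unnoticed.
	// Compared against a fresh literal rather than the input slice, in case
	// NewClaims shares the caller's backing array.
	wantActions := []string{"pull", "push"}
	if len(entry.Actions) != len(wantActions) {
		t.Fatalf("Expected actions %v, got %v", wantActions, entry.Actions)
	}
	for i, want := range wantActions {
		if entry.Actions[i] != want {
			t.Errorf("Expected actions %v, got %v", wantActions, entry.Actions)
			break
		}
	}
}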
// TestNewClaims_EmptyAccess verifies that a nil access list handed to
// NewClaims stays nil on the returned claims, i.e. no access entries are
// introduced when the caller supplies none.
func TestNewClaims_EmptyAccess(t *testing.T) {
	const ttl = 15 * time.Minute

	got := NewClaims("did:plc:user123", "atcr.io", "registry", ttl, nil, AuthMethodOAuth)
	if got.Access == nil {
		return
	}
	t.Error("Expected Access to be nil when not provided")
}