configuration_service 2.3.1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5547c75cb69883e74a7327fe86914d6b9294b3db
-  data.tar.gz: b53686e2e3557309781fa691081fbbde1682b2c7
+  metadata.gz: e4a468a73fdaa5ac4d860611af3fe7f60bbb8533
+  data.tar.gz: 1c7cd9e09bf66113b28950938b00299a420d0cc4
 SHA512:
-  metadata.gz: f925edffb72981b4d10ebfb4330d89ff4065361a9091bf41f8aa05107a25c602c7ef22a2598cae704c2d40c55e9aedf06d7ce94e606b4ca98fe91ce6d3549425
-  data.tar.gz: bd35e4fdf79ea9cfe602c51b74a3fa24dca6318fd9975b2e61a2728bd8441ea13df555fd47ce1d3b2d91bf212265d985cc9cf747af57067239e4abc4d29c01a3
+  metadata.gz: 7475e17b49bd4430c01850923eebd2ad3e4d1b5cf764e2c1f16d21552cefd5d854cf1c963edf2942568ad42b2d9917db052e0bf223f149fe27815878c97f90fc
+  data.tar.gz: f024394e9df43fb5dfdc026c5cef4132f1529a85ae075af7c8205a264acb8d119f64eda80d646fc20e5950e5a5d9917276efcc5e88a0a9527c9320ca98711a2d

data/.rspec

@@ -1,2 +1,3 @@
 --color
 --require spec_helper
+--format documentation

data/.ruby-gemset

@@ -0,0 +1 @@
+configuration_service

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.3.0

data/Rakefile

@@ -7,6 +7,18 @@ RSpec::Core::RakeTask.new(:spec)
 
 desc "Test the stub test orchestrator"
 task :test => :spec do
+
   ENV["TEST_ORCHESTRATION_PROVIDER"] ||= "stub"
   sh %{bundle exec cucumber}
 end
+
+namespace :test do
+  desc "Test includes"
+  task :includes do
+    sh %{cd lib && for i in configuration_service.rb $(find configuration_service -name '*.rb'); do
+           i=${i%.rb}
+           ruby -e '$LOAD_PATH.unshift("."); '"require '$i'; "'exit 0' || break
+         done}
+  end
+end
+

data/features/authorization.feature

@@ -1,46 +1,38 @@
 @authorization @authorize
 Feature: Authorization
-  In order to ensure I am who I say I am
-  As a CS Client
-  I want to be authenticated
-
-  Scenario: Token request with no credentials
-    Given I have no credentials
-    When I request a token
-    Then I should not receive a token
-
-  Scenario: Token request with invalid credentials
-    Given I have invalid credentials
-    When I request a token
-    Then I should not receive a token
-
-  Scenario: Token request with valid credentials
-    Given I have valid credentials
-    When I request a token
-    Then I should receive a token
-
-  Scenario: Allowed request
-    Given I have a token that allows requesting configurations
-    When I request a configuration
+  As the configuration service 
+  I want to enforce authorization policies
+  In order to regulate client actions
+
+  Scenario: Allowed consumption
+    Given the specified configuration exists
+    And I am allowed to request configuration
+    When I request configuration data
     Then I should be allowed to request configurations
 
-  Scenario: Denied request
-    Given I have a token that does not allow requesting configurations
-    When I request a configuration
+  Scenario: Denied consumption
+    Given I am not allowed to request configuration
+    When I request configuration data
     Then I should be notified that my request is 'not authorized'
 
   Scenario: Allowed publication
-    Given I have a token that allows publishing configurations
-    When I request publication of a configuration
+    Given I am allowed to publish configurations
+    When I request publication of the configuration data
     Then I should be allowed to publish configurations
 
   Scenario: Denied publication
-    Given I have a token that does not allow publishing configurations
-    When I request publication of a configuration
+    Given I am not allowed to publish configurations
+    When I request publication of the configuration data
     Then I should be notified that my request is 'not authorized'
 
+  Scenario: Allowed to create credentials for consuming configuration
+    Given the specified configuration exists
+    And I am allowed to authorize consumption of configuration 
+    When I authorize consumption of the configuration
+    Then I receive credentials that only allow consumption of the configuration
+
   Scenario: Token-less request
     Given I do not have a token
-    When I request a configuration
+    When I request configuration data
     Then I should be notified that my request is 'not authorized'
 

data/features/consuming.feature

@@ -5,16 +5,14 @@ Feature: Consuming configuration data
   I want to request access to configuration data
 
   Scenario: Metadata-free hit
-    Given an identifier
-    And no meta data filter
-    And configuration data at the index is present
+    Given I am allowed to request configuration
+    And the specified configuration exists
     When I request configuration data
-    Then the configuration data should be returned for the identifier
+    Then the specified configuration should be returned
 
   Scenario: Metadata-free miss
-    Given an identifier
-    And no meta data filter
-    And configuration data at the index is not present
+    Given I am allowed to request configuration
+    And the specified configuration does not exist
     When I request configuration data
     Then I should receive a 'not found' indication
 
@@ -37,7 +35,8 @@ Feature: Consuming configuration data
     Then I should receive a 'no match' indication
 
   Scenario: CS request failure
-    Given a CS request failure
+    Given I am allowed to request configuration
+    And a CS request failure
     When I request configuration data
     Then I should receive a 'request failure' notification
 

data/features/publishing.feature

@@ -5,39 +5,37 @@ Feature: Publishing configuration data
   I want to publish configuration data
 
   Scenario: Revision added to metadata
-    Given an identifier
-    And some configuration data
+    Given I am allowed to publish configurations
     When I request publication of the configuration data
     Then I receive a unique revision for my publication
     And the metadata is updated with the revision by the CS
 
   Scenario: Metadata saved with data
-    Given an identifier
+    Given I am allowed to publish configurations
     And some metadata
-    And some configuration data
     When I request publication of the configuration data
     Then the metadata is also remembered
 
   Scenario: Timestamp added to metadata
-    Given an identifier
-    And some metadata
-    And some configuration data
+    Given I am allowed to publish configurations
     When I request publication of the configuration data
     Then the entry is timestamped
 
   Scenario: New revision for publication to existing identifier
-    Given existing configuration data
-    When I request publication of configuration data using the existing identifier
+    Given I am allowed to publish configurations
+    And the specified configuration exists
+    When I request publication of the configuration data
     Then I receive a new unique revision for the publication
 
   Scenario: Invalid data
-    Given an identifier
+    Given I am allowed to publish configurations
     And invalid configuration data
     When I request publication of the configuration data
     Then I receive an 'invalid data' notification
 
   Scenario: CS publication failure
-    Given a CS publication failure
+    Given I am allowed to publish configurations
+    And a CS publication failure
     When I request publication of the configuration data
     Then I should receive a 'publication failure' notification
 

data/features/step_definitions/authorization_steps.rb

@@ -1,32 +1,8 @@
-Given(/^I have no credentials$/) do
-  pending "Use case supported by Vault command-line client"
-end
-
-When(/^I request a token$/) do
-  pending "Use case supported by Vault command-line client"
-end
-
-Then(/^I should not receive a token$/) do
-  pending "Use case supported by Vault command-line client"
-end
-
-Given(/^I have invalid credentials$/) do
-  pending "Use case supported by Vault command-line client"
-end
-
-Given(/^I have valid credentials$/) do
-  pending "Use case supported by Vault command-line client"
-end
-
-Then(/^I should receive a token$/) do
-  pending "Use case supported by Vault command-line client"
-end
-
 Given(/^I do not have a token$/) do
   @test.deauthorize
 end
 
-Given(/^I have a token that allows requesting configurations$/) do
+Given(/^I am allowed to request configuration$/) do
   @test.authorize(:requesting_configurations)
 end
 
@@ -38,7 +14,7 @@ Then(/^I should be allowed to request configurations$/) do
   expect(@test.request_allowed?).to eq true
 end
 
-Given(/^I have a token that does not allow requesting configurations$/) do
+Given(/^I am not allowed to request configuration$/) do
   @test.authorize(:nothing)
 end
 
@@ -46,7 +22,7 @@ Then(/^I should be notified that my request is 'not authorized'$/) do
   expect(@test.request_allowed?).to eq false
 end
 
-Given(/^I have a token that allows publishing configurations$/) do
+Given(/^I am allowed to publish configurations$/) do
   @test.authorize(:publishing_configurations)
 end
 
@@ -58,6 +34,19 @@ Then(/^I should be allowed to publish configurations$/) do
   expect(@test.request_allowed?).to eq true
 end
 
-Given(/^I have a token that does not allow publishing configurations$/) do
+Given(/^I am not allowed to publish configurations$/) do
   @test.authorize(:requesting_configurations)
 end
+
+Given(/^I am allowed to authorize consumption of configuration$/) do
+  @test.authorize(:admin)
+end
+
+When(/^I authorize consumption of the configuration$/) do
+  @test.authorize_consumption
+end
+
+Then(/^I receive credentials that only allow consumption of the configuration$/) do
+  expect(@test.credentials_allow_consumption?).to eq true
+  expect(@test.credentials_allow_publication?).to eq false
+end

data/features/step_definitions/consuming_steps.rb

@@ -6,19 +6,18 @@ Then(/^I should receive a 'no match' indication$/) do
   expect(@test.request_not_matched?).to eq true
 end
 
-Then(/^the configuration data should be returned for the identifier$/) do
+Then(/^the specified configuration should be returned$/) do
   expect(@test.configuration_found_for_identifier?).to eq true
 end
 
 Given(/^no meta data filter$/) do
 end
 
-Given(/^configuration data at the index is present$/) do
+Given(/^the specified configuration exists$/) do
   @test.given_existing_configuration
 end
 
 When(/^I request configuration data$/) do
-  @test.authorize(:requesting_configurations)
   @test.request_configuration
 end
 
@@ -26,7 +25,7 @@ Then(/^the configuration data should be returned for the index and meta data fil
   pending "Searching with metadata filters not yet supported"
 end
 
-Given(/^configuration data at the index is not present$/) do
+Given(/^the specified configuration does not exist$/) do
   @test.given_missing_configuration
 end
 

data/features/step_definitions/publishing_steps.rb

@@ -1,11 +1,4 @@
-Given(/^an identifier$/) do
-end
-
-Given(/^some configuration data$/) do
-end
-
 When(/^I request publication of the configuration data$/) do
-  @test.authorize(:publishing_configurations)
   @test.publish_configuration
 end
 
@@ -33,11 +26,6 @@ Given(/^existing configuration data$/) do
   @test.given_existing_configuration
 end
 
-When(/^I request publication of configuration data using the existing identifier$/) do
-  @test.authorize(:publishing_configurations)
-  @test.publish_configuration
-end
-
 Then(/^I receive a new unique revision for the publication$/) do
   expect(@test.published_revision).to_not eq @test.existing_revision
 end

data/lib/configuration_service/admin_client.rb

@@ -1,16 +1,17 @@
-require "configuration_service/utils"
+require "configuration_service/client"
 
 module ConfigurationService
   class AdminClient
 
     ##
+    # @deprecated use ConfigurationService::Client instead
     # @param [String] token
     # @param [String] provider
     # @return [ConfigurationService::AdminClient] object
     #
     def initialize(token, provider)
-      @token = token
-      @provider = provider
+      warn "[DEPRECATION] 'ConfigurationService::AdminClient' is deprecated.  Please use 'ConfigurationService::Client'."
+      @client = ConfigurationService::Client.new(token, provider)
     end
 
     ##
@@ -19,8 +20,7 @@ module ConfigurationService
     # @raise [ConfigurationService::ConfigurationNotFoundError]
     #
     def request_configuration(identifier)
-      @provider.request_configuration(identifier, @token) or 
-        raise ConfigurationNotFoundError, "configuration not found for identifier: #{identifier}"
+      @client.request_configuration(identifier)
     end
 
     ##
@@ -31,14 +31,9 @@ module ConfigurationService
     # @raise [ConfigurationaService::Error] if data or metadata is not a hash
     #
     def publish_configuration(identifier, data, metadata = {})
-      Utils.dictionary?(data) or raise ConfigurationService::Error, "data must be a dictionary"
-      Utils.dictionary?(metadata) or raise ConfigurationService::Error, "metadata must be a dictionary"
-
-      metadata = Utils.decorate(metadata)
-      configuration = Configuration.new(identifier, data, metadata)
-      @provider.publish_configuration(configuration, @token)
+      @client.publish_configuration(identifier, data, metadata)
     end
-
+    
   end
 
 end

data/lib/configuration_service/base.rb

@@ -1,5 +1,4 @@
-require "securerandom"
-require "configuration_service/utils"
+require "configuration_service/client"
 
 module ConfigurationService
 
@@ -15,6 +14,8 @@ module ConfigurationService
     ##
     # Creates a new configuration service API instance
     #
+    # @deprecated use ConfigurationService::Client instead
+    #
     # @param [String] identifier
     #   the unique identity of some configuration data and its associated metadata.
     #   It might be the name of a service or service component. It might include an environment label
@@ -30,9 +31,9 @@ module ConfigurationService
     #   a configured service provider instance, to which requests will be delegated.
     #
     def initialize(identifier, token, provider)
+      warn "[DEPRECATION] 'ConfigurationService::Base' is deprecated.  Please use 'ConfigurationService::Client'."
       @identifier = identifier
-      @token = token
-      @provider = provider
+      @client = ConfigurationService::Client.new(token, provider)
     end
 
     ##
@@ -45,8 +46,7 @@ module ConfigurationService
     # @raise [ConfigurationService::Error] if the request failed
     #
     def request_configuration
-      @provider.request_configuration(@identifier, @token) or
-        raise ConfigurationNotFoundError, "configuration not found for identifier: #{@identifier}"
+      @client.request_configuration(@identifier) 
     end
 
     ##
@@ -70,13 +70,8 @@ module ConfigurationService
     # @return [ConfigurationService::Configuration] object containing the configuration data, decorated metadata and identifier
     # @raise [ConfigurationService::Error] if publication failed
     #
-    def publish_configuration(data, metadata = {})
-      Utils.dictionary?(data) or raise ConfigurationService::Error, "data must be a dictionary"
-      Utils.dictionary?(metadata) or raise ConfigurationService::Error, "metadata must be a dictionary"
-
-      metadata = Utils.decorate(metadata)
-      configuration = Configuration.new(@identifier, data, metadata)
-      @provider.publish_configuration(configuration, @token)
+    def publish_configuraion(data, metadata = {})
+      @client.publish_configuration(@identifier, data, metadata = {})
     end
 
   end

data/lib/configuration_service/client.rb

@@ -0,0 +1,82 @@
+require "configuration_service/utils"
+
+module ConfigurationService
+  class Client
+
+    ##
+    # Creates a new instance of configuration service client 
+    #
+    # @param [String] credentials
+    #   opaque string representing authority to access the configuration data and associated metadata.
+    #   Interpretation of the credentials is provider-dependent; it is opaque to the API and client.
+    # @param [Object] provider 
+    #   a configured service provider instance, to which requests will be delegated.
+    # @return [ConfigurationService::Client] client to interact with Configuration::Service
+    #
+    def initialize(credentials, provider)
+      @credentials = credentials 
+      @provider = provider
+    end
+
+    ##
+    # Requests the configuration data and metadata
+    # Delegates the request to the configured +provider+.
+    #
+    # @param [String] identifier unique identifier of configuration
+    # @return [ConfigurationService::Configuration] object containing the configuration data, metadata and identifier
+    # @raise [ConfigurationService::ConfigurationNotFoundError] if no configuration was found for the configured +identifier+
+    # @raise [ConfigurationService::Error] if the request failed
+    #
+    def request_configuration(identifier)
+      @provider.request_configuration(identifier, @credentials) or 
+        raise ConfigurationNotFoundError, "configuration not found for identifier: #{identifier}"
+    end
+    
+    ##
+    # Publishes configuration data and metadata
+    #
+    # The +metadata+ is decorated with the following keys:
+    #
+    # * "timestamp" - the current UTC time in ISO8601 format
+    # * "revision"  - a UUID for this publication
+    #
+    # Delegates the request to the configured +provider+. The provider may further decorate the +metadata+.
+    #
+    # It is recommended that both the +data+ and +metadata+ dictionaries use strings as keys,
+    # and that values be limited to those that can be serialized to JSON.
+    #
+    # @param [String] identifier
+    #   unique configuration identifier
+    # @param [Hash] data
+    #   dictionary of probably sensitive configuration data intended for an application, which providers are expected to secure
+    # @param [Hash] metadata 
+    #   dictionary of data about the configuration data, which providers are not expected to secure
+    # @return [ConfigurationService::Configuration] object containing the configuration data, decorated metadata and identifier
+    # @raise [ConfigurationService::Error] if publication failed
+    #
+    def publish_configuration(identifier, data, metadata = {})
+      Utils.dictionary?(data) or raise ConfigurationService::Error, "data must be a dictionary"
+      Utils.dictionary?(metadata) or raise ConfigurationService::Error, "metadata must be a dictionary"
+
+      metadata = Utils.decorate(metadata)
+      configuration = Configuration.new(identifier, data, metadata)
+      @provider.publish_configuration(configuration, @credentials)
+    end
+    
+    ##
+    # Authorize consumption of a configuration ie. get credentials to consume configurations ie. get a token to consume configurations
+    # 
+    # @param [String] identifier
+    #   unique identifier of configuration
+    # @return [String] credentials allowing consumption of the provided configuration
+    # @raise [ConfigurationService::ConfigurationNotFoundError] if no configuration was found for the configured +identifier+
+    # @raise [ConfigurationService::Error] if the request failed
+    ##
+    def authorize_consumption(identifier)
+      @provider.authorize_consumption(identifier, @credentials) or
+        raise ConfigurationNotFoundError, "configuration not found for identifier: #{identifier}"
+    end
+
+  end
+
+end

data/lib/configuration_service/factory.rb

@@ -1,4 +1,6 @@
-Dir.glob(File.expand_path("../factory/**/*.rb", __FILE__), &method(:require))
+require "configuration_service/factory/context"
+require "configuration_service/factory/environment_context"
+require "configuration_service/factory/yaml_file_context"
 
 module ConfigurationService
 
@@ -60,32 +62,17 @@ module ConfigurationService
     def self.create_client(context = EnvironmentContext.new)
       context = Context.new(context) if context.is_a?(Hash)
       provider = create_provider(context)
-      ConfigurationService::Base.new(context.identifier, context.token, provider)
+      ConfigurationService::Client.new(context.token, provider)
     ensure
       context.scrub!
     end
 
     ##
-    # Create a configuration service admin client
-    #
-    # @param [ConfigurationService::Factory::EnvironmentContext, ConfigurationService::Factory::Context, Hash] context
-    #   the factory context
-    # @return [ConfigurationService::AdminClient] the configuration service admin client created
-    #
-    # When the +context+ is a Hash, it is wrapped in a {ConfigurationService::Factory::Context}, which does not scrub
-    # sources after the configuration service client is created. For this reason, the process +ENV+ should never
-    # be given as the +context+; rather give no +context+, so that the default {ConfigurationService::Factory::EnvironmentContext}
-    # will be used to safely scrub the process +ENV+ and (on JRuby) system properties after the configuration service client is created.
-    #
-    # Because the {ConfigurationService::AdminClient} operates over multiple configuration identifiers,
-    # it does not require an +identifier+ property from the context.
-    #
+    # @deprecated use create_client()
+    # @ see create_client()
+    ##
     def self.create_admin_client(context = EnvironmentContext.new)
-      context = Context.new(context) if context.is_a?(Hash)
-      provider = create_provider(context)
-      ConfigurationService::AdminClient.new(context.token, provider)
-    ensure
-      context.scrub!
+      create_client(context)
     end
 
     private

data/lib/configuration_service/factory/context.rb

@@ -1,3 +1,5 @@
+require "configuration_service/factory/context/symbolic_access_wrapper"
+
 module ConfigurationService
 
   module Factory

data/lib/configuration_service/factory/environment_context.rb

@@ -71,7 +71,7 @@ module ConfigurationService
           .select { |envvar| envvar.start_with?(config_prefix) && @scrub_keys << envvar }
           .map { |envvar, value| [envvar.sub(config_prefix, "").downcase.intern, value] }
           .to_h
-        @env = SymbolicAccessWrapper.new(env)
+        @env = Context::SymbolicAccessWrapper.new(env)
       end
 
       ##

data/lib/configuration_service/factory/yaml_file_context.rb

@@ -19,7 +19,7 @@ module ConfigurationService
       #
       def initialize(filename)
         @filename = File.expand_path(filename)
-        @env = SymbolicAccessWrapper.new(YAML.load_file(@filename))
+        @env = Context::SymbolicAccessWrapper.new(YAML.load_file(@filename))
       end
 
       ##

data/lib/configuration_service/provider/stub.rb

@@ -22,7 +22,7 @@ module ConfigurationService
         :admin => 'b72b9ae7-3849-a335-67b6-administrator',
         :consumer  => '64867ebd-6364-0bd3-3fda-81-requestor',
         :publisher => 'f53606cb-7f3c-4432-afe8-44-publisher',
-        :nothing   => '2972abd7-b055-4841-8ad1-4a34-nothing',
+        :none   => '2972abd7-b055-4841-8ad1-4a34-nothing',
       } unless defined?(BUILTIN_TOKENS)
 
       ##
@@ -41,14 +41,19 @@ module ConfigurationService
       #
       # Fetches configuration from the singleton {ConfigurationService::StubStore}.
       #
+      # @param [String] identifier
+      #   unique configuration identifier
+      # @param [String] credentials
+      #   token for authentication and authorization
+      #
       # @return [ConfigurationService::Configuration] if authorized and found
       # @return [nil] if not found
       # @raise [ConfigurationService::AuthorizationError] if not authorized for the +:consumer+ role
       #
       # @see ConfigurationService::Base#request_configuration
       #
-      def request_configuration(identifier, token)
-        authorize_request(:consumer, token)
+      def request_configuration(identifier, credentials)
+        authorize_request(:consumer, credentials)
         data, metadata = @configurations.fetch(identifier)
         Configuration.new(identifier, data, metadata)
       rescue KeyError
@@ -58,25 +63,41 @@ module ConfigurationService
       ##
       # Publish configuration
       #
-      # @param [ConfigurationService::Configuration] configuration configuration to publish
+      # @param [ConfigurationService::Configuration] configuration
+      #   configuration to publish
+      # @param [String] credentials
+      #   token to authenticate and authorize
       #
       # @return [ConfigurationService::Configuration] published configuration
       # @raise [ConfigurationService::Error] on failure.
       #
       # @see ConfigurationService::Base#publish_configuration
       #
-      def publish_configuration(configuration, token)
-        authorize_request(:publisher, token)
+      def publish_configuration(configuration, credentials)
+        authorize_request(:publisher, credentials) 
         @configurations.store(configuration.identifier, configuration.data, configuration.metadata)
         configuration
       end
 
+      ##
+      # Authorizes consumption of configuration
+      #
+      # @param [String] identifier of configuration to be consumed
+      # @param [String] credentials that allow me to authorize consumption of the configuration
+      #
+      # @return [String] credentials allowing consumption of the configuration
+      ##
+      def authorize_consumption(identifier, credentials)
+        authorize_request(:admin, credentials)
+        BUILTIN_TOKENS[:consumer]
+      end
+
       private
 
-        def authorize_request(role, token)
-          raise AuthorizationError.new("missing token") unless token
-          raise AuthorizationError.new("authorization failed") unless token == BUILTIN_TOKENS[role] or token == BUILTIN_TOKENS[:admin]
-        end
+      def authorize_request(role, credentials)
+        raise AuthorizationError.new("missing credentials") unless credentials
+        raise AuthorizationError.new("authorization failed") unless credentials == BUILTIN_TOKENS[role] or credentials == BUILTIN_TOKENS[:admin]
+      end
 
     end
 

data/lib/configuration_service/test/orchestration_provider.rb

@@ -21,12 +21,13 @@ module ConfigurationService
     #   * {#service_provider_configuration}
     #   * {#service_provider}
     #   * {#broken_service_provider}
-    #   * {#token_for}
+    #   * {#credentials_for}
     #   * {#delete_configuration}
     #
     class OrchestrationProvider
 
       ACTIVITY_ROLE_MAP = {
+        :admin => :admin,
         :requesting_configurations => :consumer,
         :publishing_configurations => :publisher,
         :nothing => :none # if possible, provide credentials that don't allow operations on the configuration identifier
@@ -84,7 +85,7 @@ module ConfigurationService
       #
       # Deleting non-existent configuration should not produce an error.
       # The +@identifier+ instance variable may be used to identify the configuration to delete,
-      # but +@token+ should not be used, because it may not be sufficiently authorized.
+      # but +@credentials+ should not be used, because it may not be sufficiently authorized.
       #
       # @return [nil] always
       #
@@ -93,7 +94,7 @@ module ConfigurationService
       end
 
       ##
-      # Provide a token that authorizes a role
+      # Provide a credentials that authorizes a role
       #
       # Valid roles are:
       #
@@ -101,27 +102,27 @@ module ConfigurationService
       # * +:publisher+
       # * +:nothing+
       #
-      # Note that a token should be returned for +:nothing+, but the token should
+      # Note that a credentials should be returned for +:nothing+, but the credentials should
       # not be authorized to consume or publish to the +identifier+.
       #
-      # @return [String] a token
+      # @return [String] a credentials
       #
-      def token_for(role)
-        raise NotImplementedError, "#{self.class} must implement token_for(role)"
+      def credentials_for(role)
+        raise NotImplementedError, "#{self.class} must implement credentials_for(role)"
       end
 
       ##
       # @see ConfigurationService::Test::Orchestrator#authorize
       #
       def authorize(role)
-        @token = token_for(role)
+        @credentials = credentials_for(role)
       end
 
       ##
       # @see ConfigurationService::Test::Orchestrator#deauthorize
       #
       def deauthorize
-        @token = nil
+        @credentials = nil
       end
 
       ##
@@ -178,10 +179,27 @@ module ConfigurationService
       #
       def request_configuration
         wrap_response do
-          @requested_configuration = service.request_configuration
+          @requested_configuration = service.request_configuration(@identifier)
         end
       end
 
+      ##
+      # Authorize consumption of a configuration
+      #
+      # @return [String] credentials allowing consumption of a configuration
+      ##
+      def authorize_consumption
+        @credentials = service.authorize_consumption(@identifier)
+      end
+
+      def credentials_allow_consumption?
+        request_configuration
+      end
+      
+      def credentials_allow_publication?
+        publish_configuration
+      end
+
       ##
       # Publish configuration
       #
@@ -197,9 +215,9 @@ module ConfigurationService
       def publish_configuration
         wrap_response do
           if @metadata
-            service.publish_configuration(configuration, @metadata)
+            service.publish_configuration(@identifier, configuration, @metadata)
           else
-            service.publish_configuration(configuration)
+            service.publish_configuration(@identifier, configuration)
           end
         end
       end
@@ -241,37 +259,39 @@ module ConfigurationService
 
       private
 
-        def configuration
-          @configuration ||= {"verbose" => true}
-        end
+      def configuration
+        @configuration ||= {"verbose" => true}
+      end
+
+      def service
 
-        def service
-          provider = if @fail_next
-                       @fail_next = false
-                       broken_service_provider
-                     else
-                       service_provider
-                     end
-          ConfigurationService.new(@identifier, @token, provider)
+        provider = service_provider
+
+        if @fail_next
+          @fail_next = false
+          provider = broken_service_provider
         end
+    
+        ConfigurationService::Client.new(@credentials, provider)
+      end
 
-        def authorized_as(role)
-          restore_token = @token
-          authorize(role)
-          yield.tap do
-            @token = restore_token
-          end
+      def authorized_as(role)
+        restore_credentials = @credentials
+        authorize(role)
+        yield.tap do
+          @credentials = restore_credentials
         end
+      end
 
-        def wrap_response # :nodoc:
-          begin
-            ConfigurationService::Test::Response::Success.new(yield)
-          rescue ConfigurationService::ConfigurationNotFoundError
-            ConfigurationService::Test::Response::Success.new(nil)
-          rescue ConfigurationService::Error => e
-            ConfigurationService::Test::Response::Failure.new(e)
-          end
+      def wrap_response # :nodoc:
+        begin
+          ConfigurationService::Test::Response::Success.new(yield)
+        rescue ConfigurationService::ConfigurationNotFoundError
+          ConfigurationService::Test::Response::Success.new(nil)
+        rescue ConfigurationService::Error => e
+          ConfigurationService::Test::Response::Failure.new(e)
         end
+      end
 
     end
 

data/lib/configuration_service/test/orchestrator.rb

@@ -124,6 +124,23 @@ module ConfigurationService
         @response = @provider.publish_configuration
       end
 
+      ##
+      # Get credentials to consume a configuration
+      ##
+      def authorize_consumption
+        @provider.authorize_consumption
+      end
+
+      def credentials_allow_consumption?
+        @response = @provider.credentials_allow_consumption?
+        request_allowed?
+      end
+
+      def credentials_allow_publication?
+        @response = @provider.credentials_allow_publication?
+        request_allowed?
+      end
+
       ##
       # Configuration for the requested identifier was found
       #
@@ -263,10 +280,10 @@ module ConfigurationService
       #
       def bootstrapped_configuration_service_functional?
         response = begin
-          ConfigurationService::Test::Response::Success.new(@service.request_configuration)
-        rescue ConfigurationService::Error => e
-          ConfigurationService::Test::Response::Failure.new(e)
-        end
+                     ConfigurationService::Test::Response::Success.new(@service.request_configuration('test'))
+                   rescue ConfigurationService::Error => e
+                     ConfigurationService::Test::Response::Failure.new(e)
+                   end
         !response.failed?
       end
 
@@ -281,9 +298,10 @@ module ConfigurationService
 
       private
 
-        def role_for(activity)
-          ConfigurationService::Test::OrchestrationProvider::ACTIVITY_ROLE_MAP[activity]
-        end
+      def role_for(activity)
+        ConfigurationService::Test::OrchestrationProvider::ACTIVITY_ROLE_MAP[activity]
+      end
+
     end
 
   end

data/lib/configuration_service/test/response.rb

@@ -19,6 +19,8 @@ module ConfigurationService
       #
       class Success
 
+        attr_reader :response
+
         ##
         # @param [ConfigurationService::Configuration, nil] response
         #   a configuration service response, or +nil+ if a {ConfigurationService::ConfigurationNotFoundError} was raised

data/lib/configuration_service/test/stub_orchestration_provider.rb

@@ -51,13 +51,13 @@ module ConfigurationService
       end
 
       ##
-      # Provide a token that authorizes a role
+      # Provide credentials that authorizes a role
       #
-      # The token is taken from {ConfigurationService::Provider::Stub::BUILTIN_TOKENS}
+      # The credentials are taken from {ConfigurationService::Provider::Stub::BUILTIN_TOKENS}
       #
-      # @see ConfigurationService::Test::OrchestrationProvider#token_for
+      # @see ConfigurationService::Test::OrchestrationProvider#credentials_for
       #
-      def token_for(role)
+      def credentials_for(role)
         ConfigurationService::Provider::Stub::BUILTIN_TOKENS[role]
       end
 

data/lib/configuration_service/version.rb

@@ -1,5 +1,5 @@
 module ConfigurationService
 
-  VERSION = "2.3.1"
+  VERSION = "3.0.0"
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: configuration_service
 version: !ruby/object:Gem::Version
-  version: 2.3.1
+  version: 3.0.0
 platform: ruby
 authors:
 - Sheldon Hearn
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-06-20 00:00:00.000000000 Z
+date: 2016-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -90,6 +90,8 @@ files:
 - ".gemspec"
 - ".gitignore"
 - ".rspec"
+- ".ruby-gemset"
+- ".ruby-version"
 - ".travis.yml"
 - ".yardopts"
 - Gemfile
@@ -109,6 +111,7 @@ files:
 - lib/configuration_service.rb
 - lib/configuration_service/admin_client.rb
 - lib/configuration_service/base.rb
+- lib/configuration_service/client.rb
 - lib/configuration_service/configuration.rb
 - lib/configuration_service/errors.rb
 - lib/configuration_service/factory.rb
@@ -155,4 +158,3 @@ signing_key:
 specification_version: 4
 summary: Configuration service
 test_files: []
-has_rdoc: