RubyGems - haveapi - Versions diffs - 0.27.3 → 0.28.0 - Mend

haveapi 0.27.3 → 0.28.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

checksums.yaml +4 -4
data/Gemfile +1 -1
data/haveapi.gemspec +1 -1
data/lib/haveapi/action.rb +125 -36
data/lib/haveapi/actions/paginable.rb +3 -1
data/lib/haveapi/authentication/basic/provider.rb +2 -0
data/lib/haveapi/authentication/chain.rb +11 -7
data/lib/haveapi/authentication/oauth2/config.rb +25 -3
data/lib/haveapi/authentication/oauth2/provider.rb +92 -11
data/lib/haveapi/authentication/oauth2/revoke_endpoint.rb +44 -3
data/lib/haveapi/authentication/token/provider.rb +53 -15
data/lib/haveapi/authorization.rb +42 -18
data/lib/haveapi/client_examples/php_client.rb +1 -1
data/lib/haveapi/client_examples/ruby_client.rb +1 -1
data/lib/haveapi/context.rb +10 -4
data/lib/haveapi/example.rb +15 -16
data/lib/haveapi/extensions/action_exceptions.rb +6 -6
data/lib/haveapi/model_adapters/active_record.rb +140 -68
data/lib/haveapi/model_adapters/hash.rb +1 -1
data/lib/haveapi/parameters/resource.rb +35 -3
data/lib/haveapi/parameters/typed.rb +26 -7
data/lib/haveapi/params.rb +27 -8
data/lib/haveapi/resource.rb +4 -1
data/lib/haveapi/resources/action_state.rb +8 -1
data/lib/haveapi/route.rb +2 -2
data/lib/haveapi/server.rb +137 -45
data/lib/haveapi/validator.rb +2 -2
data/lib/haveapi/validator_chain.rb +1 -0
data/lib/haveapi/validators/confirmation.rb +1 -0
data/lib/haveapi/validators/format.rb +6 -2
data/lib/haveapi/validators/length.rb +2 -0
data/lib/haveapi/validators/numericality.rb +2 -0
data/lib/haveapi/validators/presence.rb +1 -1
data/lib/haveapi/version.rb +1 -1
data/lib/haveapi/views/version_page/client_auth.erb +1 -1
data/lib/haveapi/views/version_page/client_example.erb +3 -3
data/lib/haveapi/views/version_page/client_init.erb +1 -1
data/lib/haveapi/views/version_page.erb +2 -2
data/lib/haveapi/views/version_sidebar.erb +4 -2
data/spec/action/authorize_spec.rb +99 -0
data/spec/action/runtime_spec.rb +426 -0
data/spec/action_state_spec.rb +52 -0
data/spec/authentication/basic_spec.rb +29 -0
data/spec/authentication/oauth2_spec.rb +329 -0
data/spec/authentication/token_spec.rb +195 -0
data/spec/authentication/token_version_routes_spec.rb +164 -0
data/spec/authorization_spec.rb +66 -0
data/spec/documentation/auth_filtering_spec.rb +195 -1
data/spec/documentation/current_user_html_escaping_spec.rb +47 -0
data/spec/documentation/examples_spec.rb +97 -0
data/spec/documentation/host_html_escaping_spec.rb +41 -0
data/spec/documentation_spec.rb +13 -0
data/spec/extensions/action_exceptions_spec.rb +30 -0
data/spec/model_adapters/active_record_spec.rb +406 -1
data/spec/parameters/typed_spec.rb +42 -0
data/spec/params_spec.rb +41 -0
data/spec/server/integration_spec.rb +90 -0
data/spec/validator_chain_spec.rb +39 -0
data/spec/validators/confirmation_spec.rb +14 -0
data/spec/validators/format_spec.rb +7 -0
data/spec/validators/length_spec.rb +6 -0
data/spec/validators/numericality_spec.rb +7 -0
data/spec/validators/presence_spec.rb +2 -0
data/test_support/client_test_api.rb +28 -0
metadata +8 -4
data/shell.nix +0 -20

data/spec/extensions/action_exceptions_spec.rb CHANGED Viewed

@@ -93,6 +93,27 @@ describe HaveAPI::Extensions::ActionExceptions do
     )
   end
+  def with_action_exceptions_without_handlers
+    hooks = HaveAPI::Hooks.hooks
+    action_hooks = hooks[HaveAPI::Action][:exec_exception]
+    original_listeners = action_hooks[:listeners].dup
+    original_exceptions =
+      HaveAPI::Extensions::ActionExceptions.instance_variable_get(:@exceptions)
+    if HaveAPI::Extensions::ActionExceptions.instance_variable_defined?(:@exceptions)
+      HaveAPI::Extensions::ActionExceptions.remove_instance_variable(:@exceptions)
+    end
+    HaveAPI::Extensions::ActionExceptions.enabled(app.settings.api_server)
+    yield
+  ensure
+    action_hooks[:listeners] = original_listeners
+    HaveAPI::Extensions::ActionExceptions.instance_variable_set(
+      :@exceptions,
+      original_exceptions
+    )
+  end
   def map_exception(klass, status)
     HaveAPI::Extensions::ActionExceptions.rescue(klass) do |ret, e|
       ret[:status] = false
@@ -151,6 +172,15 @@ describe HaveAPI::Extensions::ActionExceptions do
     end
   end
+  it 'keeps exceptions in a safe envelope when no handlers are registered' do
+    with_action_exceptions_without_handlers do
+      call_test_action(:raise_runtime)
+      expect_failed_json(500)
+      expect(api_response.message).not_to be_empty
+    end
+  end
   it 'does not interfere with successful responses' do
     with_action_exceptions do
       call_test_action(:ok)

data/spec/model_adapters/active_record_spec.rb CHANGED Viewed

@@ -29,6 +29,24 @@ module ARAdapterSpec
     validates :score, numericality: { equal_to: 7 }
     validates :name, presence: true
   end
+  class FilteredMember < ActiveRecord::Base
+    self.table_name = 'users'
+    belongs_to :group, class_name: 'ARAdapterSpec::Group', optional: true
+  end
+  class HiddenAccount < ActiveRecord::Base
+    self.table_name = 'hidden_accounts'
+  end
+  class Invoice < ActiveRecord::Base
+    belongs_to :hidden_account, class_name: 'ARAdapterSpec::HiddenAccount'
+  end
+  class StringAccount < ActiveRecord::Base
+    self.primary_key = 'uuid'
+  end
 end
 describe HaveAPI::ModelAdapters::ActiveRecord do
@@ -94,12 +112,77 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
           resource env_resource
         end
+        def prepare
+          group = self.class.model.find(params['group_id'])
+          error!('access denied') if group.note == 'PRIVATE_GROUP_NOTE'
+        end
         def exec
           self.class.model.find(params['group_id'])
         end
       end
     end
+    filtered_group_resource = define_resource(:FilteredGroup) do
+      version 1
+      auth false
+      model ARAdapterSpec::Group
+      define_action(:Index, superclass: HaveAPI::Actions::Default::Index) do
+        authorize do
+          output blacklist: [:note]
+          allow
+        end
+        output(:object_list) do
+          integer :id
+          string :label
+          string :note
+        end
+        def exec
+          self.class.model.order(id: :asc).to_a
+        end
+      end
+      define_action(:Show, superclass: HaveAPI::Actions::Default::Show) do
+        authorize do
+          output blacklist: [:note]
+          allow
+        end
+        output(:object) do
+          integer :id
+          string :label
+          string :note
+        end
+        def exec
+          self.class.model.find(params['filtered_group_id'])
+        end
+      end
+    end
+    define_resource(:FilteredMember) do
+      version 1
+      auth false
+      model ARAdapterSpec::FilteredMember
+      define_action(:Show, superclass: HaveAPI::Actions::Default::Show) do
+        authorize { allow }
+        output(:object) do
+          integer :id
+          string :name
+          resource filtered_group_resource, name: :group
+        end
+        def exec
+          with_includes(self.class.model.where(id: params['filtered_member_id'])).take!
+        end
+      end
+    end
     define_resource(:User) do
       version 1
       auth false
@@ -147,6 +230,42 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
         end
       end
+      define_action(:PublicShow, superclass: HaveAPI::Actions::Default::Show) do
+        route 'public/{user_id}/show'
+        authorize do
+          output whitelist: [:name]
+          allow
+        end
+        output(:object) do
+          integer :id
+          string :name
+        end
+        def exec
+          self.class.model.find(params['user_id'])
+        end
+      end
+      define_action(:PublicIndex, superclass: HaveAPI::Actions::Default::Index) do
+        route 'public/list'
+        authorize do
+          output whitelist: [:name]
+          allow
+        end
+        output(:object_list) do
+          integer :id
+          string :name
+        end
+        def exec
+          self.class.model.order(id: :asc).to_a
+        end
+      end
       define_action(:Create, superclass: HaveAPI::Actions::Default::Create) do
         authorize { allow }
@@ -164,6 +283,75 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
         end
       end
     end
+    hidden_account_resource = define_resource(:HiddenAccount) do
+      version 1
+      auth false
+      model ARAdapterSpec::HiddenAccount
+      define_action(:Index, superclass: HaveAPI::Actions::Default::Index) do
+        authorize { deny }
+        output(:object_list) do
+          integer :id
+          string :label
+        end
+        def exec
+          self.class.model.order(id: :asc).to_a
+        end
+      end
+      define_action(:Show, superclass: HaveAPI::Actions::Default::Show) do
+        authorize { deny }
+        output(:object) do
+          integer :id
+          string :label
+          string :private_reference
+        end
+        def exec
+          self.class.model.find(params['hidden_account_id'])
+        end
+      end
+    end
+    define_resource(:Invoice) do
+      version 1
+      auth false
+      model ARAdapterSpec::Invoice
+      define_action(:Show, superclass: HaveAPI::Actions::Default::Show) do
+        authorize { allow }
+        output(:object) do
+          integer :id
+          string :label
+          resource hidden_account_resource
+        end
+        def exec
+          self.class.model.find(params['invoice_id'])
+        end
+      end
+      define_action(:Update, superclass: HaveAPI::Actions::Default::Update) do
+        authorize { allow }
+        input(:hash) do
+          resource hidden_account_resource
+        end
+        output(:hash) do
+          bool :assigned
+        end
+        def exec
+          { assigned: input.has_key?(:hidden_account) }
+        end
+      end
+    end
   end
   default_version 1
@@ -193,6 +381,21 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
         t.string :state
         t.integer :group_id
       end
+      create_table :hidden_accounts do |t|
+        t.string :label, null: false
+        t.string :private_reference, null: false
+      end
+      create_table :invoices do |t|
+        t.string :label, null: false
+        t.integer :hidden_account_id, null: false
+      end
+      create_table :string_accounts, id: false do |t|
+        t.string :uuid, primary_key: true
+        t.string :label, null: false
+      end
     end
   end
@@ -200,6 +403,9 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
     ARAdapterSpec::User.delete_all
     ARAdapterSpec::Group.delete_all
     ARAdapterSpec::Environment.delete_all
+    ARAdapterSpec::Invoice.delete_all
+    ARAdapterSpec::HiddenAccount.delete_all
+    ARAdapterSpec::StringAccount.delete_all
   end
   let(:dummy_action) do
@@ -275,7 +481,7 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
   end
   it 'parses nested includes and drops unknown associations' do
-    parsed = dummy_action.ar_parse_includes(%w[group group__environment foo bar__baz])
+    parsed = dummy_action.ar_parse_includes(%w[group group__environment group__missing foo bar__baz])
     expect(parsed).to include(:group)
     expect(parsed.any? { |v| v.is_a?(Hash) && v.has_key?(:group) }).to be(true)
@@ -283,10 +489,17 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
     nested = parsed.detect { |v| v.is_a?(Hash) && v.has_key?(:group) }
     expect(nested[:group].flatten).to include(:environment)
+    expect(nested[:group].flatten).not_to include(:missing)
     expect(parsed).not_to include(:foo)
     expect(parsed).not_to include(:bar)
   end
+  it 'drops overly deep include paths before building ActiveRecord includes' do
+    deep_path = (['missing'] * 5_000).join('__')
+    expect(dummy_action.ar_parse_includes([deep_path])).to eq([])
+  end
   it 'returns unresolved associations without includes' do
     environment = ARAdapterSpec::Environment.create!(label: 'env', note: 'ENV_NOTE')
     group = ARAdapterSpec::Group.create!(label: 'grp', note: 'GRP_NOTE', environment: environment)
@@ -320,6 +533,23 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
     expect(group_data[:environment]).not_to have_key(:note)
   end
+  it 'applies associated show output restrictions when included' do
+    group = ARAdapterSpec::Group.create!(label: 'grp', note: 'GROUP_SECRET')
+    user = create_user(name: 'user', group: group)
+    get "/v1/filtered_groups/#{group.id}", {}, input: ''
+    expect(api_response).to be_ok
+    expect(api_response[:filtered_group]).not_to have_key(:note)
+    get "/v1/filtered_members/#{user.id}", { _meta: { includes: 'group' } }, input: ''
+    expect(api_response).to be_ok
+    group_data = api_response[:filtered_member][:group]
+    expect(group_data[:_meta][:resolved]).to be(true)
+    expect(group_data).to include(id: group.id, label: 'grp')
+    expect(group_data).not_to have_key(:note)
+  end
   it 'resolves nested associations when included' do
     environment = ARAdapterSpec::Environment.create!(label: 'env', note: 'ENV_NOTE')
     group = ARAdapterSpec::Group.create!(label: 'grp', note: 'GRP_NOTE', environment: environment)
@@ -337,6 +567,129 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
     expect(env_data[:note]).to eq('ENV_NOTE')
   end
+  it 'drops invalid nested include paths from requests' do
+    group = ARAdapterSpec::Group.create!(label: 'grp', note: 'GRP_NOTE')
+    user = create_user(name: 'user', group: group)
+    get "/v1/users/#{user.id}", { _meta: { includes: 'group__missing' } }, input: ''
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    expect(api_response[:user][:group][:_meta][:resolved]).to be(false)
+  end
+  it 'does not expose unresolved associated resources denied by their show action' do
+    account = ARAdapterSpec::HiddenAccount.create!(
+      label: 'VIP billing account',
+      private_reference: 'SECRET-ACCOUNT-REF'
+    )
+    invoice = ARAdapterSpec::Invoice.create!(label: 'public invoice', hidden_account: account)
+    get "/v1/hidden_accounts/#{account.id}", {}, input: ''
+    expect(last_response.status).to eq(403)
+    expect(api_response).to be_failed
+    get "/v1/invoices/#{invoice.id}", {}, input: ''
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    account_data = api_response[:invoice][:hidden_account]
+    expect(account_data).to eq(_meta: { resolved: false, authorized: false })
+  end
+  it 'does not resolve associated resources denied by their show action' do
+    account = ARAdapterSpec::HiddenAccount.create!(
+      label: 'VIP billing account',
+      private_reference: 'SECRET-ACCOUNT-REF'
+    )
+    invoice = ARAdapterSpec::Invoice.create!(label: 'public invoice', hidden_account: account)
+    get "/v1/invoices/#{invoice.id}", { _meta: { includes: 'hidden_account' } }, input: ''
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    account_data = api_response[:invoice][:hidden_account]
+    expect(account_data).to eq(_meta: { resolved: false, authorized: false })
+  end
+  it 'does not expose unresolved associated resources denied during show prepare' do
+    group = ARAdapterSpec::Group.create!(
+      label: 'private group',
+      note: 'PRIVATE_GROUP_NOTE'
+    )
+    user = create_user(name: 'user', group: group)
+    get "/v1/groups/#{group.id}", {}, input: ''
+    expect(api_response).to be_failed
+    get "/v1/users/#{user.id}", {}, input: ''
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    group_data = api_response[:user][:group]
+    expect(group_data).to eq(_meta: { resolved: false, authorized: false })
+  end
+  it 'does not resolve associated resources denied during show prepare' do
+    group = ARAdapterSpec::Group.create!(
+      label: 'private group',
+      note: 'PRIVATE_GROUP_NOTE'
+    )
+    user = create_user(name: 'user', group: group)
+    get "/v1/users/#{user.id}", { _meta: { includes: 'group' } }, input: ''
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    group_data = api_response[:user][:group]
+    expect(group_data).to eq(_meta: { resolved: false, authorized: false })
+  end
+  it 'does not expose object path params when id output is filtered' do
+    user = create_user(name: 'user')
+    get "/v1/users/public/#{user.id}/show", {}, input: ''
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    expect(api_response[:user]).to eq(name: 'user')
+    expect(api_response.response[:_meta]).not_to have_key(:path_params)
+  end
+  it 'does not expose object-list path params when id output is filtered' do
+    create_user(id: 1, name: 'user1')
+    create_user(id: 2, name: 'user2')
+    get '/v1/users/public/list', {}, input: ''
+    expect(last_response.status).to eq(200)
+    expect(api_response).to be_ok
+    expect(api_response[:users].map { |user| user[:name] }).to eq(%w[user1 user2])
+    expect(api_response[:users]).to all(satisfy { |user| !user[:_meta].has_key?(:path_params) })
+  end
+  it 'rejects resource input records denied by their show action' do
+    account = ARAdapterSpec::HiddenAccount.create!(
+      label: 'VIP billing account',
+      private_reference: 'SECRET-ACCOUNT-REF'
+    )
+    invoice = ARAdapterSpec::Invoice.create!(label: 'public invoice', hidden_account: account)
+    put "/v1/invoices/#{invoice.id}", {
+      invoice: {
+        hidden_account: account.id
+      }
+    }.to_json, 'CONTENT_TYPE' => 'application/json'
+    expect(last_response.status).to eq(400)
+    expect(api_response).not_to be_ok
+    expect(api_response.errors[:hidden_account]).to include('resource not found')
+  end
   it 'cleans resource input ids and maps invalid values to validation errors' do
     environment = ARAdapterSpec::Environment.create!(id: 1, label: 'env')
@@ -371,6 +724,48 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
     end.to raise_error(HaveAPI::ValidationError, /resource not found/)
   end
+  it 'rejects nil results from non-nullable custom resource fetchers' do
+    fetch = proc { |id| find_by(id:) }
+    expect do
+      described_class::Input.clean(ARAdapterSpec::Environment, 9999, { fetch: })
+    end.to raise_error(HaveAPI::ValidationError, /resource not found/)
+    cleaned = described_class::Input.clean(
+      ARAdapterSpec::Environment,
+      9999,
+      { fetch:, nullable: true }
+    )
+    expect(cleaned).to be_nil
+  end
+  it 'rejects arrays and hashes for singular string primary-key resources' do
+    ARAdapterSpec::StringAccount.create!(uuid: 'acct-alpha', label: 'Alpha')
+    ARAdapterSpec::StringAccount.create!(uuid: 'acct-beta', label: 'Beta')
+    expect do
+      described_class::Input.clean(ARAdapterSpec::StringAccount, %w[acct-alpha acct-beta], {})
+    end.to raise_error(HaveAPI::ValidationError, /not a valid id/)
+    expect do
+      described_class::Input.clean(ARAdapterSpec::StringAccount, { id: 'acct-alpha' }, {})
+    end.to raise_error(HaveAPI::ValidationError, /not a valid id/)
+  end
+  it 'rejects non-string includes metadata entries' do
+    app
+    show_action = action_class(:User, :show)
+    includes_param = show_action.meta(:global).input[:includes]
+    expect do
+      includes_param.clean([{ bad: 'shape' }])
+    end.to raise_error(HaveAPI::ValidationError, /only strings/)
+  end
+  it 'keeps hash adapter resource cleaning compatible with adapter arguments' do
+    expect(HaveAPI::ModelAdapters::Hash::Input.clean({}, { id: 1 }, {})).to eq({ id: 1 })
+  end
   it 'applies ascending pagination with with_pagination' do
     5.times do |i|
       create_user(
@@ -388,6 +783,16 @@ describe HaveAPI::ModelAdapters::ActiveRecord do
     expect(ids).to eq([3, 4])
   end
+  it 'rejects excessive pagination limits' do
+    get '/v1/users', { user: { limit: HaveAPI::Actions::Paginable::MAX_LIMIT + 1 } }, input: ''
+    expect(last_response.status).to eq(400)
+    expect(api_response).not_to be_ok
+    expect(api_response.errors[:limit].first).to include(
+      "range <0, #{HaveAPI::Actions::Paginable::MAX_LIMIT}>"
+    )
+  end
   it 'applies descending pagination with with_desc_pagination' do
     5.times do |i|
       create_user(

data/spec/parameters/typed_spec.rb CHANGED Viewed

@@ -1,4 +1,6 @@
 require 'time'
+require 'open3'
+require 'rbconfig'
 describe 'Parameters::Typed' do
   def p_type(type)
@@ -133,6 +135,7 @@ describe 'Parameters::Typed' do
     expect { p.clean('bzz') }.to raise_error(HaveAPI::ValidationError)
     expect { p.clean('') }.to raise_error(HaveAPI::ValidationError)
     expect { p.clean(nil) }.to raise_error(HaveAPI::ValidationError)
+    expect { p.clean([]) }.to raise_error(HaveAPI::ValidationError)
     p = p_arg(type: Datetime, required: true)
     expect { p.clean('') }.to raise_error(HaveAPI::ValidationError)
@@ -182,6 +185,24 @@ describe 'Parameters::Typed' do
     expect(p.clean(nil)).to be_nil
   end
+  it 'rejects nil returned by custom cleaners unless nullable' do
+    p = p_arg(type: String, required: true, clean: proc {})
+    expect { p.clean('value') }.to raise_error(HaveAPI::ValidationError, /cannot be null/)
+    p = p_arg(type: String, nullable: true, clean: proc {})
+    expect(p.clean('value')).to be_nil
+  end
+  it 'rejects invalid string encoding during coercion' do
+    invalid = "\xff".b.force_encoding(Encoding::UTF_8)
+    expect { p_type(String).clean(invalid) }.to raise_error(HaveAPI::ValidationError)
+    expect { p_type(Integer).clean(invalid) }.to raise_error(HaveAPI::ValidationError)
+    expect { p_type(Float).clean(invalid) }.to raise_error(HaveAPI::ValidationError)
+    expect { p_type(Boolean).clean(invalid) }.to raise_error(HaveAPI::ValidationError)
+    expect { p_type(Datetime).clean(invalid) }.to raise_error(HaveAPI::ValidationError)
+  end
   it 'can be protected' do
     p = p_arg(protected: true)
     expect(p.describe(nil)[:protected]).to be true
@@ -190,6 +211,27 @@ describe 'Parameters::Typed' do
     expect(p.describe(nil)[:protected]).to be false
   end
+  it 'loads Time#iso8601 for datetime output formatting' do
+    code = <<~RUBY
+      require 'haveapi/types'
+      require 'haveapi/parameters/typed'
+      param = HaveAPI::Parameters::Typed.new(:at, type: Datetime)
+      print param.format_output(Time.utc(1970, 1, 1))
+    RUBY
+    stdout, stderr, status = Open3.capture3(
+      RbConfig.ruby,
+      '-I',
+      File.expand_path('../../lib', __dir__),
+      '-e',
+      code
+    )
+    expect(status).to be_success, stderr
+    expect(stdout).to eq('1970-01-01T00:00:00Z')
+  end
   it 'is unprotected by default' do
     p = p_arg
     expect(p.describe(nil)[:protected]).to be false

data/spec/params_spec.rb CHANGED Viewed

@@ -53,6 +53,18 @@ describe HaveAPI::Params do
     expect(p.params.map(&:name)).to match_array(%i[res_param1 res_param2])
   end
+  it 'normalizes string include and exclude names from shared params' do
+    p = described_class.new(:input, ParamsSpec::MyResource::Index)
+    p.add_block proc { use :all, include: ['res_param1'] }
+    p.exec
+    expect(p.params.map(&:name)).to eq([:res_param1])
+    p = described_class.new(:input, ParamsSpec::MyResource::Index)
+    p.add_block proc { use :all, exclude: ['res_param2'] }
+    p.exec
+    expect(p.params.map(&:name)).to eq([:res_param1])
+  end
   it 'has param requires' do
     p = described_class.new(:input, ParamsSpec::MyResource::Index)
     p.add_block proc { requires :p_required }
@@ -176,6 +188,35 @@ describe HaveAPI::Params do
     end.to raise_error(HaveAPI::ValidationError)
   end
+  it 'rejects present optional namespaces with invalid shapes' do
+    p = described_class.new(:input, ParamsSpec::MyResource::Index)
+    p.add_block(proc do
+      string :param1
+    end)
+    p.exec
+    expect do
+      p.check_layout({
+        my_resource: 'not-a-hash'
+      })
+    end.to raise_error(HaveAPI::ValidationError)
+  end
+  it 'rejects non-hash list elements' do
+    p = described_class.new(:input, ParamsSpec::MyResource::Index)
+    p.layout = :hash_list
+    p.add_block(proc do
+      string :param1
+    end)
+    p.exec
+    expect do
+      p.check_layout({
+        my_resources: ['not-a-hash']
+      })
+    end.to raise_error(HaveAPI::ValidationError)
+  end
   it 'indexes parameters by name' do
     p = described_class.new(:input, ParamsSpec::MyResource::Index)
     p.add_block(proc do