RubyGems - hoodoo - Versions diffs - 1.0.2 - Mend

hoodoo 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (216) hide show

checksums.yaml +7 -0
data/bin/hoodoo +5 -0
data/lib/hoodoo.rb +27 -0
data/lib/hoodoo/active.rb +32 -0
data/lib/hoodoo/active/active_model/uuid_validator.rb +45 -0
data/lib/hoodoo/active/active_record/base.rb +81 -0
data/lib/hoodoo/active/active_record/creator.rb +134 -0
data/lib/hoodoo/active/active_record/dated.rb +343 -0
data/lib/hoodoo/active/active_record/error_mapping.rb +351 -0
data/lib/hoodoo/active/active_record/finder.rb +606 -0
data/lib/hoodoo/active/active_record/search_helper.rb +189 -0
data/lib/hoodoo/active/active_record/secure.rb +431 -0
data/lib/hoodoo/active/active_record/support.rb +106 -0
data/lib/hoodoo/active/active_record/translated.rb +87 -0
data/lib/hoodoo/active/active_record/uuid.rb +80 -0
data/lib/hoodoo/active/active_record/writer.rb +321 -0
data/lib/hoodoo/client.rb +23 -0
data/lib/hoodoo/client/augmented_array.rb +29 -0
data/lib/hoodoo/client/augmented_base.rb +168 -0
data/lib/hoodoo/client/augmented_hash.rb +23 -0
data/lib/hoodoo/client/client.rb +354 -0
data/lib/hoodoo/client/endpoint/endpoint.rb +427 -0
data/lib/hoodoo/client/endpoint/endpoints/amqp.rb +180 -0
data/lib/hoodoo/client/endpoint/endpoints/auto_session.rb +194 -0
data/lib/hoodoo/client/endpoint/endpoints/http.rb +203 -0
data/lib/hoodoo/client/endpoint/endpoints/http_based.rb +367 -0
data/lib/hoodoo/client/endpoint/endpoints/not_found.rb +59 -0
data/lib/hoodoo/client/headers.rb +269 -0
data/lib/hoodoo/communicators.rb +23 -0
data/lib/hoodoo/communicators/fast.rb +44 -0
data/lib/hoodoo/communicators/pool.rb +601 -0
data/lib/hoodoo/communicators/slow.rb +84 -0
data/lib/hoodoo/data.rb +51 -0
data/lib/hoodoo/data/resources/caller.rb +39 -0
data/lib/hoodoo/data/resources/errors.rb +28 -0
data/lib/hoodoo/data/resources/log.rb +31 -0
data/lib/hoodoo/data/resources/session.rb +26 -0
data/lib/hoodoo/data/types/error_primitive.rb +27 -0
data/lib/hoodoo/data/types/permissions.rb +40 -0
data/lib/hoodoo/data/types/permissions_defaults.rb +32 -0
data/lib/hoodoo/data/types/permissions_full.rb +28 -0
data/lib/hoodoo/data/types/permissions_resources.rb +31 -0
data/lib/hoodoo/discovery.rb +20 -0
data/lib/hoodoo/errors.rb +19 -0
data/lib/hoodoo/errors/error_descriptions.rb +229 -0
data/lib/hoodoo/errors/errors.rb +322 -0
data/lib/hoodoo/generator.rb +139 -0
data/lib/hoodoo/logger.rb +23 -0
data/lib/hoodoo/logger/fast_writer.rb +27 -0
data/lib/hoodoo/logger/flattener_mixin.rb +36 -0
data/lib/hoodoo/logger/logger.rb +387 -0
data/lib/hoodoo/logger/slow_writer.rb +49 -0
data/lib/hoodoo/logger/writer_mixin.rb +52 -0
data/lib/hoodoo/logger/writers/file_writer.rb +45 -0
data/lib/hoodoo/logger/writers/log_entries_dot_com_writer.rb +64 -0
data/lib/hoodoo/logger/writers/stream_writer.rb +43 -0
data/lib/hoodoo/middleware.rb +33 -0
data/lib/hoodoo/presenters.rb +45 -0
data/lib/hoodoo/presenters/base.rb +281 -0
data/lib/hoodoo/presenters/base_dsl.rb +519 -0
data/lib/hoodoo/presenters/common_resource_fields.rb +31 -0
data/lib/hoodoo/presenters/embedding.rb +232 -0
data/lib/hoodoo/presenters/types/array.rb +118 -0
data/lib/hoodoo/presenters/types/boolean.rb +26 -0
data/lib/hoodoo/presenters/types/date.rb +26 -0
data/lib/hoodoo/presenters/types/date_time.rb +26 -0
data/lib/hoodoo/presenters/types/decimal.rb +47 -0
data/lib/hoodoo/presenters/types/enum.rb +55 -0
data/lib/hoodoo/presenters/types/field.rb +158 -0
data/lib/hoodoo/presenters/types/float.rb +26 -0
data/lib/hoodoo/presenters/types/hash.rb +361 -0
data/lib/hoodoo/presenters/types/integer.rb +26 -0
data/lib/hoodoo/presenters/types/object.rb +117 -0
data/lib/hoodoo/presenters/types/string.rb +53 -0
data/lib/hoodoo/presenters/types/tags.rb +24 -0
data/lib/hoodoo/presenters/types/text.rb +26 -0
data/lib/hoodoo/presenters/types/uuid.rb +54 -0
data/lib/hoodoo/services.rb +34 -0
data/lib/hoodoo/services/discovery/discoverers/by_consul.rb +66 -0
data/lib/hoodoo/services/discovery/discoverers/by_convention.rb +173 -0
data/lib/hoodoo/services/discovery/discoverers/by_drb/by_drb.rb +195 -0
data/lib/hoodoo/services/discovery/discoverers/by_drb/drb_server.rb +166 -0
data/lib/hoodoo/services/discovery/discoverers/by_drb/drb_server_start.rb +37 -0
data/lib/hoodoo/services/discovery/discovery.rb +186 -0
data/lib/hoodoo/services/discovery/results/for_amqp.rb +58 -0
data/lib/hoodoo/services/discovery/results/for_http.rb +85 -0
data/lib/hoodoo/services/discovery/results/for_local.rb +85 -0
data/lib/hoodoo/services/discovery/results/for_remote.rb +57 -0
data/lib/hoodoo/services/middleware/amqp_log_message.rb +186 -0
data/lib/hoodoo/services/middleware/amqp_log_writer.rb +119 -0
data/lib/hoodoo/services/middleware/endpoints/inter_resource_local.rb +130 -0
data/lib/hoodoo/services/middleware/endpoints/inter_resource_remote.rb +202 -0
data/lib/hoodoo/services/middleware/exception_reporting/base_reporter.rb +105 -0
data/lib/hoodoo/services/middleware/exception_reporting/exception_reporting.rb +115 -0
data/lib/hoodoo/services/middleware/exception_reporting/reporters/airbrake_reporter.rb +64 -0
data/lib/hoodoo/services/middleware/exception_reporting/reporters/raygun_reporter.rb +63 -0
data/lib/hoodoo/services/middleware/interaction.rb +127 -0
data/lib/hoodoo/services/middleware/middleware.rb +2705 -0
data/lib/hoodoo/services/middleware/rack_monkey_patch.rb +73 -0
data/lib/hoodoo/services/services/context.rb +153 -0
data/lib/hoodoo/services/services/implementation.rb +132 -0
data/lib/hoodoo/services/services/interface.rb +934 -0
data/lib/hoodoo/services/services/permissions.rb +250 -0
data/lib/hoodoo/services/services/request.rb +189 -0
data/lib/hoodoo/services/services/response.rb +316 -0
data/lib/hoodoo/services/services/service.rb +141 -0
data/lib/hoodoo/services/services/session.rb +729 -0
data/lib/hoodoo/utilities.rb +12 -0
data/lib/hoodoo/utilities/string_inquirer.rb +54 -0
data/lib/hoodoo/utilities/utilities.rb +380 -0
data/lib/hoodoo/utilities/uuid.rb +44 -0
data/lib/hoodoo/version.rb +17 -0
data/spec/active/active_record/base_spec.rb +57 -0
data/spec/active/active_record/creator_spec.rb +88 -0
data/spec/active/active_record/dated_spec.rb +248 -0
data/spec/active/active_record/error_mapping_spec.rb +360 -0
data/spec/active/active_record/finder_spec.rb +744 -0
data/spec/active/active_record/search_helper_spec.rb +384 -0
data/spec/active/active_record/secure_spec.rb +435 -0
data/spec/active/active_record/support_spec.rb +225 -0
data/spec/active/active_record/translated_spec.rb +19 -0
data/spec/active/active_record/uuid_spec.rb +72 -0
data/spec/active/active_record/writer_spec.rb +272 -0
data/spec/alchemy/alchemy-amq.rb +33 -0
data/spec/client/augmented_array_spec.rb +15 -0
data/spec/client/augmented_base_spec.rb +50 -0
data/spec/client/augmented_hash_spec.rb +15 -0
data/spec/client/client_spec.rb +955 -0
data/spec/client/endpoint/endpoint_spec.rb +70 -0
data/spec/client/endpoint/endpoints/amqp_spec.rb +16 -0
data/spec/client/endpoint/endpoints/auto_session_spec.rb +9 -0
data/spec/client/endpoint/endpoints/http_based_spec.rb +9 -0
data/spec/client/endpoint/endpoints/http_spec.rb +103 -0
data/spec/client/endpoint/endpoints/not_found_spec.rb +35 -0
data/spec/client/headers_spec.rb +172 -0
data/spec/communicators/fast_spec.rb +9 -0
data/spec/communicators/pool_spec.rb +339 -0
data/spec/communicators/slow_spec.rb +15 -0
data/spec/data/resources/caller_spec.rb +156 -0
data/spec/data/resources/errors_spec.rb +22 -0
data/spec/data/resources/log_spec.rb +20 -0
data/spec/data/resources/session_spec.rb +15 -0
data/spec/data/types/error_primitive_spec.rb +15 -0
data/spec/data/types/permissions_defaults_spec.rb +25 -0
data/spec/data/types/permissions_full_spec.rb +44 -0
data/spec/data/types/permissions_resources_spec.rb +34 -0
data/spec/data/types/permissions_spec.rb +37 -0
data/spec/errors/error_descriptions_spec.rb +98 -0
data/spec/errors/errors_spec.rb +346 -0
data/spec/integration/service_actions_spec.rb +112 -0
data/spec/logger/fast_writer_spec.rb +18 -0
data/spec/logger/logger_spec.rb +259 -0
data/spec/logger/slow_writer_spec.rb +144 -0
data/spec/logger/writers/file_writer_spec.rb +37 -0
data/spec/logger/writers/log_entries_dot_com_writer_spec.rb +29 -0
data/spec/logger/writers/stream_writer_spec.rb +38 -0
data/spec/presenters/base_dsl_spec.rb +111 -0
data/spec/presenters/base_spec.rb +871 -0
data/spec/presenters/common_resource_fields_spec.rb +30 -0
data/spec/presenters/embedding_spec.rb +87 -0
data/spec/presenters/types/array_spec.rb +249 -0
data/spec/presenters/types/boolean_spec.rb +51 -0
data/spec/presenters/types/date_spec.rb +57 -0
data/spec/presenters/types/date_time_spec.rb +59 -0
data/spec/presenters/types/decimal_spec.rb +58 -0
data/spec/presenters/types/enum_spec.rb +71 -0
data/spec/presenters/types/field_spec.rb +77 -0
data/spec/presenters/types/float_spec.rb +50 -0
data/spec/presenters/types/hash_spec.rb +1069 -0
data/spec/presenters/types/integer_spec.rb +50 -0
data/spec/presenters/types/object_spec.rb +177 -0
data/spec/presenters/types/string_spec.rb +65 -0
data/spec/presenters/types/tags_spec.rb +56 -0
data/spec/presenters/types/text_spec.rb +50 -0
data/spec/presenters/types/uuid_spec.rb +46 -0
data/spec/presenters/walk_spec.rb +198 -0
data/spec/services/discovery/discoverers/by_consul_spec.rb +29 -0
data/spec/services/discovery/discoverers/by_convention_spec.rb +67 -0
data/spec/services/discovery/discoverers/by_drb/by_drb_spec.rb +80 -0
data/spec/services/discovery/discoverers/by_drb/drb_server_spec.rb +205 -0
data/spec/services/discovery/discovery_spec.rb +73 -0
data/spec/services/discovery/results/for_amqp_spec.rb +17 -0
data/spec/services/discovery/results/for_http_spec.rb +37 -0
data/spec/services/discovery/results/for_local_spec.rb +21 -0
data/spec/services/discovery/results/for_remote_spec.rb +15 -0
data/spec/services/middleware/amqp_log_message_spec.rb +60 -0
data/spec/services/middleware/amqp_log_writer_spec.rb +95 -0
data/spec/services/middleware/endpoints/inter_resource_local_spec.rb +9 -0
data/spec/services/middleware/endpoints/inter_resource_remote_spec.rb +9 -0
data/spec/services/middleware/exception_reporting/base_reporter_spec.rb +16 -0
data/spec/services/middleware/exception_reporting/exception_reporting_spec.rb +92 -0
data/spec/services/middleware/exception_reporting/reporters/airbrake_reporter_spec.rb +24 -0
data/spec/services/middleware/exception_reporting/reporters/raygun_reporter_spec.rb +23 -0
data/spec/services/middleware/middleware_cors_spec.rb +93 -0
data/spec/services/middleware/middleware_create_update_spec.rb +489 -0
data/spec/services/middleware/middleware_dated_at_spec.rb +186 -0
data/spec/services/middleware/middleware_exotic_communication_spec.rb +560 -0
data/spec/services/middleware/middleware_logging_spec.rb +356 -0
data/spec/services/middleware/middleware_multi_local_spec.rb +1094 -0
data/spec/services/middleware/middleware_multi_remote_spec.rb +1440 -0
data/spec/services/middleware/middleware_permissions_spec.rb +1014 -0
data/spec/services/middleware/middleware_public_spec.rb +238 -0
data/spec/services/middleware/middleware_spec.rb +1569 -0
data/spec/services/middleware/string_inquirer_spec.rb +30 -0
data/spec/services/services/application_spec.rb +74 -0
data/spec/services/services/context_spec.rb +48 -0
data/spec/services/services/implementation_spec.rb +45 -0
data/spec/services/services/interface_spec.rb +262 -0
data/spec/services/services/permissions_spec.rb +249 -0
data/spec/services/services/request_spec.rb +95 -0
data/spec/services/services/response_spec.rb +250 -0
data/spec/services/services/session_spec.rb +432 -0
data/spec/spec_helper.rb +298 -0
data/spec/utilities/utilities_spec.rb +537 -0
data/spec/utilities/uuid_spec.rb +20 -0
metadata +615 -0

data/spec/services/middleware/middleware_permissions_spec.rb ADDED Viewed

@@ -0,0 +1,1014 @@
+# These tests focus on the way that a resource can declare a requirement
+# to gain extra permissions while processing an action, that allow it to
+# call other services. The caller's inbound session only needs to be able
+# to call the 'otuermost' action to succeed.
+#
+# Mock Memcached is used for 'real' (nearly) session management in Hoodoo
+# rather than rely on the allow-all test session. If we used the test
+# session, we'd never test permissions augmentation as it is bypassed in
+# that mode.
+#
+# All the groundwork having been done for permissions testing, this is is
+# also a good place to make sure that interaction IDs are properly passed
+# between both local and remote inter-resource calls, so that's tested in
+# passing here too (there was once a bug where this got broken for local
+# inter-resource calls).
+require 'spec_helper'
+# To show Clock, Clock must call Date which must call Time.
+#
+# (1) These are all in the same app (local inter-resource calls)
+# (2) These are each in different apps (remote calls)
+#
+# Then insofar as possible, (1) and (2) with:
+#
+# (A) Clock does not request permission for Date
+#     - verify that show yields forbidden and date/time not called
+#     - grant session permission for date and verify forbidden
+#       and time not called
+#     - grant permissions through to time and verify 200
+#
+# (B) Date does not request permission for Time
+#     - verify that show yields forbidden, date called, time not
+#     - grant permission for time and verify 200
+#
+# (C) Full request from Date to Time
+#     - verify that show yields 200, date and time called
+#     - use ASK rather than ALLOW for Date -> Time to test #verify
+#
+# Because we don't want same-named resources or same-path resources
+# running concurrently (that counts as platform misconfiguration),
+# we end up with:
+#
+# * Three Clock resource names and endpoints - for with-no-added-permissions
+#   calls no-added-Date calls Time; with-permissions calls no-added-Date
+#   calls Time; and with-permissions calls with-added-Date calls Time.
+#
+# * Thus two Date names and endpoints - with-permissions calls Time and
+#   without-permissions calls Time.
+#
+# * Just one Time resource end endpoint.
+##############################################################################
+# Implementations
+##############################################################################
+class RSpecAddPermTestClockCallsDateNoPermsImplementation < Hoodoo::Services::Implementation
+  def show( context )
+    date_time = context.resource( :RSpecAddPermTestDateNoPerms ).show( 'now' )
+    return if date_time.adds_errors_to?( context.response.errors )
+    context.response.set_resource( date_time )
+  end
+end
+class RSpecAddPermTestClockImplementation < Hoodoo::Services::Implementation
+  # We'll give the top-level Clock a #show and #list action that basically
+  # do the same thing. But in the Clock *interface*, we're only going to
+  # ask for additional permissions to call Date for the #show action. Thus,
+  # attempts to call #list will fail, unless the top-level session already
+  # has permission to call Date.
+  #
+  # Further, #show can be made to call #list and it *does* ask for the
+  # permission to do this. So while #list here does not ask for permission
+  # for #show "there", #show here *does* ask for permission for #list
+  # "there". Thus we test - an action here fails to get permission for a
+  # different-named action downstream; an action here does get permission
+  # for a different-named action downstream.
+  def show( context )
+    if context.request.ident == 'list_instead'
+      date_time = context.resource( :RSpecAddPermTestDate ).list()
+    else
+      date_time = context.resource( :RSpecAddPermTestDate ).show( 'now' )
+    end
+    return if date_time.adds_errors_to?( context.response.errors )
+    context.response.set_resource( date_time )
+  end
+  def list( context )
+    date_time = context.resource( :RSpecAddPermTestDate ).show( 'now' )
+    return if date_time.adds_errors_to?( context.response.errors )
+    context.response.set_resources( [ date_time ] )
+  end
+end
+class RSpecAddPermTestDateImplementation < Hoodoo::Services::Implementation
+  def show( context )
+    time = context.resource( :RSpecAddPermTestTime ).show( 'now' )
+    return if time.adds_errors_to?( context.response.errors )
+    context.response.set_resource( { 'date' => '1999-12-31', 'time' => time[ 'time' ] } )
+  end
+  def list( context )
+    time = context.resource( :RSpecAddPermTestTime ).show( 'now' )
+    return if time.adds_errors_to?( context.response.errors )
+    context.response.set_resources( [ { 'date' => '1999-12-31', 'time' => time[ 'time' ] } ] )
+  end
+end
+class RSpecAddPermTestTimeImplementation < Hoodoo::Services::Implementation
+  def show( context )
+    context.response.set_resource( { 'time' => '23:59:59' } )
+  end
+  # Using ASK in the interfaces later for this specific case lets us check
+  # in tests that the interface's permissions we used when getting through
+  # to this implementation, rather than some other route. We have to be
+  # expecting #verify and return ALLOW. If we aren't expecting it but it's
+  # called anyway, it denis the request to hopefully provoke a test failure.
+  #
+  # Yes, DENY is the default superclass implementation anyway but explicit
+  # code here lets future maintainers read this and know what's happening!
+  #
+  def verify( context, action )
+    Hoodoo::Services::Permissions::DENY
+  end
+end
+# The Interaction ID test "source" (calls to) and "destination" (called
+# by) classes.
+class RSpecTestInteractionIDPassingDestinationImplementation < Hoodoo::Services::Implementation
+  def show( context )
+    context.response.set_resource( { 'interaction_id' => context.owning_interaction.interaction_id } )
+  end
+end
+class RSpecTestInteractionIDPassingSourceImplementation < Hoodoo::Services::Implementation
+  def show( context )
+    destination = context.resource( :RSpecTestInteractionIDPassingDestination )
+    result = destination.show( context.request.ident )
+    return if result.adds_errors_to?( context.response.errors )
+    context.response.set_resource( result )
+  end
+end
+##############################################################################
+# Interfaces
+##############################################################################
+class RSpecAddPermTestClockNoPermsCallsDateNoPermsInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestClockNoPermsCallsDateNoPerms do
+    endpoint :rspec_add_perm_test_clock_no_perms_calls_date_no_perms, RSpecAddPermTestClockCallsDateNoPermsImplementation
+    actions :show
+  end
+end
+class RSpecAddPermTestClockCallsDateNoPermsInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestClockCallsDateNoPerms do
+    endpoint :rspec_add_perm_test_clock_calls_date_no_perms, RSpecAddPermTestClockCallsDateNoPermsImplementation
+    actions :show
+    additional_permissions_for( :show ) do | p |
+      p.set_resource( :RSpecAddPermTestDateNoPerms, :show, Hoodoo::Services::Permissions::ALLOW )
+    end
+  end
+end
+class RSpecAddPermTestClockInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestClock do
+    endpoint :rspec_add_perm_test_clocks, RSpecAddPermTestClockImplementation
+    actions :show, :list
+    additional_permissions_for( :show ) do | p |
+      p.set_resource( :RSpecAddPermTestDate, :show, Hoodoo::Services::Permissions::ALLOW )
+      p.set_resource( :RSpecAddPermTestDate, :list, Hoodoo::Services::Permissions::ALLOW )
+    end
+  end
+end
+class RSpecAddPermTestDateNoPermsInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestDateNoPerms do
+    endpoint :rspec_add_perm_test_date_no_perms, RSpecAddPermTestDateImplementation
+    actions :show
+  end
+end
+class RSpecAddPermTestDateInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestDate do
+    endpoint :dates, RSpecAddPermTestDateImplementation
+    actions :show, :list
+    additional_permissions_for( :show ) do | p |
+      p.set_resource( :RSpecAddPermTestTime, :show, Hoodoo::Services::Permissions::ASK )
+    end
+    additional_permissions_for( :list ) do | p |
+      p.set_resource( :RSpecAddPermTestTime, :show, Hoodoo::Services::Permissions::ASK )
+    end
+  end
+end
+class RSpecAddPermTestTimeInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestTime do
+    endpoint :rspec_add_perm_test_times, RSpecAddPermTestTimeImplementation
+    actions :show
+  end
+end
+class RSpecTestInteractionIDPassingDestinationInterface < Hoodoo::Services::Interface
+  interface :RSpecTestInteractionIDPassingDestination do
+    endpoint :id_passing_destination, RSpecTestInteractionIDPassingDestinationImplementation
+    actions :show
+  end
+end
+class RSpecTestInteractionIDPassingSourceInterface < Hoodoo::Services::Interface
+  interface :RSpecTestInteractionIDPassingSource do
+    endpoint :id_passing_source, RSpecTestInteractionIDPassingSourceImplementation
+    actions :show
+    additional_permissions_for( :show ) do | p |
+      p.set_resource( :RSpecTestInteractionIDPassingDestination, :show, Hoodoo::Services::Permissions::ALLOW )
+    end
+  end
+end
+##############################################################################
+# Service applications for local inter-resource calls
+##############################################################################
+# (See earlier) (A) Clock does not request permission for Date
+class RSpecAddPermTestClockServiceA < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockNoPermsCallsDateNoPermsInterface,
+               RSpecAddPermTestDateNoPermsInterface,
+               RSpecAddPermTestTimeInterface
+end
+# (See earlier) (B) Date does not request permission for Time
+class RSpecAddPermTestClockServiceB < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockCallsDateNoPermsInterface,
+               RSpecAddPermTestDateNoPermsInterface,
+               RSpecAddPermTestTimeInterface
+end
+# (See earlier) (C) Full request from Date to Time
+class RSpecAddPermTestClockServiceC < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockInterface,
+               RSpecAddPermTestDateInterface,
+               RSpecAddPermTestTimeInterface
+end
+# (See earlier) Interaction ID test
+class RSpecTestInteractionIDPassingService < Hoodoo::Services::Service
+  comprised_of RSpecTestInteractionIDPassingSourceInterface,
+               RSpecTestInteractionIDPassingDestinationInterface
+end
+##############################################################################
+# Service applications for remote inter-resource calls
+##############################################################################
+class RSpecAddPermTestClockNoPermsCallsDateNoPermsService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockNoPermsCallsDateNoPermsInterface
+end
+class RSpecAddPermTestClockCallsDateNoPermsService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockCallsDateNoPermsInterface
+end
+class RSpecAddPermTestClockService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockInterface
+end
+class RSpecAddPermTestDateNoPermsService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestDateNoPermsInterface
+end
+class RSpecAddPermTestDateService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestDateInterface
+end
+class RSpecAddPermTestTimeService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestTimeInterface
+end
+class RSpecTestInteractionIDPassingDestinationService < Hoodoo::Services::Service
+  comprised_of RSpecTestInteractionIDPassingDestinationInterface
+end
+class RSpecTestInteractionIDPassingSourceService < Hoodoo::Services::Service
+  comprised_of RSpecTestInteractionIDPassingSourceInterface
+end
+##############################################################################
+describe Hoodoo::Services::Middleware do
+  before :each do
+    @session_id     = Hoodoo::UUID.generate
+    @caller_id      = Hoodoo::UUID.generate
+    @caller_version = 1
+    @session        = Hoodoo::Services::Session.new( {
+      :session_id     => @session_id,
+      :memcached_host => '0.0.0.0:0',
+      :caller_id      => @caller_id,
+      :caller_version => @caller_version
+    } )
+    # Grant top-level access to all of the Clock endpoints
+    @session.permissions = Hoodoo::Services::Permissions.new
+    @session.permissions.set_resource(
+      :RSpecAddPermTestClockNoPermsCallsDateNoPerms,
+      :show,
+      Hoodoo::Services::Permissions::ALLOW
+    )
+    @session.permissions.set_resource(
+      :RSpecAddPermTestClockCallsDateNoPerms,
+      :show,
+      Hoodoo::Services::Permissions::ALLOW
+    )
+    @session.permissions.set_resource(
+      :RSpecAddPermTestClock,
+      :show,
+      Hoodoo::Services::Permissions::ALLOW
+    )
+    @session.permissions.set_resource(
+      :RSpecAddPermTestClock,
+      :list,
+      Hoodoo::Services::Permissions::ALLOW
+    )
+    @session.permissions.set_resource(
+      :RSpecTestInteractionIDPassingSource,
+      :show,
+      Hoodoo::Services::Permissions::ALLOW
+    )
+    Hoodoo::Services::Session::MockDalliClient.reset()
+    result = @session.save_to_memcached
+    raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+  end
+  after :each do
+    Hoodoo::Services::Session::MockDalliClient.reset()
+  end
+  ############################################################################
+  # Local inter-resource calls
+  ############################################################################
+  context 'with local resources and' do
+    after :all do
+      Hoodoo::Services::Middleware.flush_services_for_test()
+    end
+    context 'Clock with no extra permissions for Date or Time' do
+      def app
+        Rack::Builder.new do
+          use Hoodoo::Services::Middleware
+          run RSpecAddPermTestClockServiceA.new
+        end
+      end
+      it 'cannot call #show in Date or Time by default' do
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        get '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 403 )
+        result = JSON.parse( last_response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'cannot call #show in Time if session only grants Date access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDateNoPerms,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        get '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 403 )
+        result = JSON.parse( last_response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'can call #show if session grants Date and Time access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDateNoPerms,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        @session.permissions.set_resource(
+          :RSpecAddPermTestTime,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :verify )
+        get '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 200 )
+        result = JSON.parse( last_response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+    end
+    context 'Clock with extra permissions for Date but no extra permissions for Time' do
+      def app
+        Rack::Builder.new do
+          use Hoodoo::Services::Middleware
+          run RSpecAddPermTestClockServiceB.new
+        end
+      end
+      it 'cannot call #show in Time by default' do
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        get '/v1/rspec_add_perm_test_clock_calls_date_no_perms/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 403 )
+        result = JSON.parse( last_response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'can call #show if session only grants Time access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestTime,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :verify )
+        get '/v1/rspec_add_perm_test_clock_calls_date_no_perms/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 200 )
+        result = JSON.parse( last_response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+    end
+    context 'Clock with extra permissions for Date and Time' do
+      def app
+        Rack::Builder.new do
+          use Hoodoo::Services::Middleware
+          run RSpecAddPermTestClockServiceC.new
+        end
+      end
+      it 'can call #show without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        get '/v1/rspec_add_perm_test_clocks/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 200 )
+        result = JSON.parse( last_response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+      it 'can call special case #show leading to #list downstream without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        get '/v1/rspec_add_perm_test_clocks/list_instead',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 200 )
+        result = JSON.parse( last_response.body )
+        expect( result ).to eq( { '_data' => [ { 'date' => '1999-12-31', 'time' => '23:59:59' } ] } )
+      end
+      it 'cannot call #list without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show ).once.and_call_original
+        get '/v1/rspec_add_perm_test_clocks',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 403 )
+      end
+      it 'can call #list with one extra session permission' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDate,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        get '/v1/rspec_add_perm_test_clocks',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 200 )
+        result = JSON.parse( last_response.body )
+        expect( result ).to eq( { '_data' => [ { 'date' => '1999-12-31', 'time' => '23:59:59' } ] } )
+      end
+      context 'testing for interaction ID passing' do
+        def app
+          Rack::Builder.new do
+            use Hoodoo::Services::Middleware
+            run RSpecTestInteractionIDPassingService.new
+          end
+        end
+        it 'passes the interaction ID' do
+          get '/v1/id_passing_source/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 200 )
+          result = JSON.parse( last_response.body )
+          expect( result[ 'interaction_id' ] ).to_not be_blank
+          expect( result[ 'interaction_id' ] ).to eq( last_response.headers[ 'X-Interaction-ID' ] )
+        end
+      end
+      context 'for code coverage' do
+        # Top-level "augment session failed"
+        #
+        it 'can deal with inter-resource session errors (1)' do
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(Hoodoo::Services::Session).to receive( :augment_with_permissions_for ).once.and_return( false )
+          expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 401 )
+        end
+        # Inside "augment session", attempt to save to Memcached returns 'false'
+        #
+        it 'can deal with inter-resource session errors (2)' do
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(Hoodoo::Services::Session).to receive( :save_to_memcached ).once.and_return( :outdated )
+          expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 401 )
+        end
+        # Inside "augment session", attempt to save to Memcached returns 'nil'
+        #
+        it 'can deal with inter-resource session errors (3)' do
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(Hoodoo::Services::Session).to receive( :save_to_memcached ).once.and_return( :fail )
+          expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 500 )
+          result = JSON.parse( last_response.body )
+          expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.fault' )
+          expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Unable to create interim session for inter-resource call from RSpecAddPermTestClock / show' )
+        end
+        it 'handles nil permissions' do
+          @session.permissions = nil
+          result = @session.save_to_memcached
+          raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to_not receive( :show )
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 403 )
+        end
+        it 'handles empty permissions' do
+          @session.permissions = Hoodoo::Services::Permissions.new( {} )
+          result = @session.save_to_memcached
+          raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to_not receive( :show )
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 403 )
+        end
+        it 'handles default #verify response as deny' do
+          @session.permissions.set_resource( :RSpecAddPermTestClock, :show, Hoodoo::Services::Permissions::ASK )
+          result = @session.save_to_memcached
+          raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+          expect_any_instance_of(Hoodoo::Services::Implementation).to receive( :verify ).once.and_call_original
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to_not receive( :show ).once.and_call_original
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 403 )
+        end
+        it 'handles custom #verify response as deny' do
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+          # The Time endpoint already returns DENY out-of-the-box.
+          expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).once.and_call_original
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 403 )
+        end
+      end
+    end
+  end
+  ############################################################################
+  # Remote inter-resource calls
+  ############################################################################
+  context 'with remote resources and' do
+    before :all do
+      @port_clock_no_perms_calls_date_no_perms = spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestClockNoPermsCallsDateNoPermsService )
+      @port_clock_calls_date_no_perms = spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestClockCallsDateNoPermsService )
+      @port_clock = spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestClockService )
+      @port_iid_source = spec_helper_start_svc_app_in_thread_for( RSpecTestInteractionIDPassingSourceService )
+      spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestDateNoPermsService )
+      spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestDateService )
+      spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestTimeService )
+      spec_helper_start_svc_app_in_thread_for( RSpecTestInteractionIDPassingDestinationService )
+    end
+    after :all do
+      Hoodoo::Services::Middleware.flush_services_for_test()
+    end
+    context 'Clock with no extra permissions for Date or Time' do
+      it 'cannot call #show in Date or Time by default' do
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+          :port => @port_clock_no_perms_calls_date_no_perms,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '403' )
+        result = JSON.parse( response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'cannot call #show in Time if session only grants Date access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDateNoPerms,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+          :port => @port_clock_no_perms_calls_date_no_perms,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '403' )
+        result = JSON.parse( response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'can call #show if session grants Date and Time access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDateNoPerms,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        @session.permissions.set_resource(
+          :RSpecAddPermTestTime,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :verify )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+          :port => @port_clock_no_perms_calls_date_no_perms,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+    end
+    context 'Clock with extra permissions for Date but no extra permissions for Time' do
+      it 'cannot call #show in Time by default' do
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clock_calls_date_no_perms/any',
+          :port => @port_clock_calls_date_no_perms,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '403' )
+        result = JSON.parse( response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'can call #show if session only grants Time access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestTime,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :verify )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clock_calls_date_no_perms/any',
+          :port => @port_clock_calls_date_no_perms,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+    end
+    context 'Clock with extra permissions for Date and Time' do
+      it 'can call #show without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clocks/any',
+          :port => @port_clock,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+      it 'can call special case #show leading to #list downstream without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clocks/list_instead',
+          :port => @port_clock,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result ).to eq( { '_data' => [ { 'date' => '1999-12-31', 'time' => '23:59:59' } ] } )
+      end
+      it 'cannot call #list without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show ).once.and_call_original
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clocks',
+          :port => @port_clock,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '403' )
+      end
+      it 'can call #list with one extra session permission' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDate,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clocks',
+          :port => @port_clock,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result ).to eq( { '_data' => [ { 'date' => '1999-12-31', 'time' => '23:59:59' } ] } )
+      end
+      context 'for code coverage' do
+        # Top-level "augment session failed". Failures inside the "augment
+        # session" code were tested in the previous section dealing with
+        # local inter-resource calls (they use the same back-end method).
+        #
+        it 'can deal with inter-resource session errors' do
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(Hoodoo::Services::Session).to receive( :augment_with_permissions_for ).once.and_return( false )
+          expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+          response = spec_helper_http(
+            :path => '/v1/rspec_add_perm_test_clocks/any',
+            :port => @port_clock,
+            :headers => { 'X-Session-ID' => @session.session_id }
+          )
+          expect( response.code ).to eq( '401' )
+        end
+      end
+    end
+    context 'testing for interaction ID passing' do
+      it 'passes the interaction ID' do
+        response = spec_helper_http(
+          :path => '/v1/id_passing_source/any',
+          :port => @port_iid_source,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result[ 'interaction_id' ] ).to_not be_blank
+        expect( result[ 'interaction_id' ] ).to eq( response[ 'X-Interaction-ID' ] )
+      end
+    end
+  end
+end