RubyGems - hoodoo - Versions diffs - 1.0.2 - Mend

hoodoo 1.0.2

Files changed (216) hide show

checksums.yaml +7 -0
data/bin/hoodoo +5 -0
data/lib/hoodoo.rb +27 -0
data/lib/hoodoo/active.rb +32 -0
data/lib/hoodoo/active/active_model/uuid_validator.rb +45 -0
data/lib/hoodoo/active/active_record/base.rb +81 -0
data/lib/hoodoo/active/active_record/creator.rb +134 -0
data/lib/hoodoo/active/active_record/dated.rb +343 -0
data/lib/hoodoo/active/active_record/error_mapping.rb +351 -0
data/lib/hoodoo/active/active_record/finder.rb +606 -0
data/lib/hoodoo/active/active_record/search_helper.rb +189 -0
data/lib/hoodoo/active/active_record/secure.rb +431 -0
data/lib/hoodoo/active/active_record/support.rb +106 -0
data/lib/hoodoo/active/active_record/translated.rb +87 -0
data/lib/hoodoo/active/active_record/uuid.rb +80 -0
data/lib/hoodoo/active/active_record/writer.rb +321 -0
data/lib/hoodoo/client.rb +23 -0
data/lib/hoodoo/client/augmented_array.rb +29 -0
data/lib/hoodoo/client/augmented_base.rb +168 -0
data/lib/hoodoo/client/augmented_hash.rb +23 -0
data/lib/hoodoo/client/client.rb +354 -0
data/lib/hoodoo/client/endpoint/endpoint.rb +427 -0
data/lib/hoodoo/client/endpoint/endpoints/amqp.rb +180 -0
data/lib/hoodoo/client/endpoint/endpoints/auto_session.rb +194 -0
data/lib/hoodoo/client/endpoint/endpoints/http.rb +203 -0
data/lib/hoodoo/client/endpoint/endpoints/http_based.rb +367 -0
data/lib/hoodoo/client/endpoint/endpoints/not_found.rb +59 -0
data/lib/hoodoo/client/headers.rb +269 -0
data/lib/hoodoo/communicators.rb +23 -0
data/lib/hoodoo/communicators/fast.rb +44 -0
data/lib/hoodoo/communicators/pool.rb +601 -0
data/lib/hoodoo/communicators/slow.rb +84 -0
data/lib/hoodoo/data.rb +51 -0
data/lib/hoodoo/data/resources/caller.rb +39 -0
data/lib/hoodoo/data/resources/errors.rb +28 -0
data/lib/hoodoo/data/resources/log.rb +31 -0
data/lib/hoodoo/data/resources/session.rb +26 -0
data/lib/hoodoo/data/types/error_primitive.rb +27 -0
data/lib/hoodoo/data/types/permissions.rb +40 -0
data/lib/hoodoo/data/types/permissions_defaults.rb +32 -0
data/lib/hoodoo/data/types/permissions_full.rb +28 -0
data/lib/hoodoo/data/types/permissions_resources.rb +31 -0
data/lib/hoodoo/discovery.rb +20 -0
data/lib/hoodoo/errors.rb +19 -0
data/lib/hoodoo/errors/error_descriptions.rb +229 -0
data/lib/hoodoo/errors/errors.rb +322 -0
data/lib/hoodoo/generator.rb +139 -0
data/lib/hoodoo/logger.rb +23 -0
data/lib/hoodoo/logger/fast_writer.rb +27 -0
data/lib/hoodoo/logger/flattener_mixin.rb +36 -0
data/lib/hoodoo/logger/logger.rb +387 -0
data/lib/hoodoo/logger/slow_writer.rb +49 -0
data/lib/hoodoo/logger/writer_mixin.rb +52 -0
data/lib/hoodoo/logger/writers/file_writer.rb +45 -0
data/lib/hoodoo/logger/writers/log_entries_dot_com_writer.rb +64 -0
data/lib/hoodoo/logger/writers/stream_writer.rb +43 -0
data/lib/hoodoo/middleware.rb +33 -0
data/lib/hoodoo/presenters.rb +45 -0
data/lib/hoodoo/presenters/base.rb +281 -0
data/lib/hoodoo/presenters/base_dsl.rb +519 -0
data/lib/hoodoo/presenters/common_resource_fields.rb +31 -0
data/lib/hoodoo/presenters/embedding.rb +232 -0
data/lib/hoodoo/presenters/types/array.rb +118 -0
data/lib/hoodoo/presenters/types/boolean.rb +26 -0
data/lib/hoodoo/presenters/types/date.rb +26 -0
data/lib/hoodoo/presenters/types/date_time.rb +26 -0
data/lib/hoodoo/presenters/types/decimal.rb +47 -0
data/lib/hoodoo/presenters/types/enum.rb +55 -0
data/lib/hoodoo/presenters/types/field.rb +158 -0
data/lib/hoodoo/presenters/types/float.rb +26 -0
data/lib/hoodoo/presenters/types/hash.rb +361 -0
data/lib/hoodoo/presenters/types/integer.rb +26 -0
data/lib/hoodoo/presenters/types/object.rb +117 -0
data/lib/hoodoo/presenters/types/string.rb +53 -0
data/lib/hoodoo/presenters/types/tags.rb +24 -0
data/lib/hoodoo/presenters/types/text.rb +26 -0
data/lib/hoodoo/presenters/types/uuid.rb +54 -0
data/lib/hoodoo/services.rb +34 -0
data/lib/hoodoo/services/discovery/discoverers/by_consul.rb +66 -0
data/lib/hoodoo/services/discovery/discoverers/by_convention.rb +173 -0
data/lib/hoodoo/services/discovery/discoverers/by_drb/by_drb.rb +195 -0
data/lib/hoodoo/services/discovery/discoverers/by_drb/drb_server.rb +166 -0
data/lib/hoodoo/services/discovery/discoverers/by_drb/drb_server_start.rb +37 -0
data/lib/hoodoo/services/discovery/discovery.rb +186 -0
data/lib/hoodoo/services/discovery/results/for_amqp.rb +58 -0
data/lib/hoodoo/services/discovery/results/for_http.rb +85 -0
data/lib/hoodoo/services/discovery/results/for_local.rb +85 -0
data/lib/hoodoo/services/discovery/results/for_remote.rb +57 -0
data/lib/hoodoo/services/middleware/amqp_log_message.rb +186 -0
data/lib/hoodoo/services/middleware/amqp_log_writer.rb +119 -0
data/lib/hoodoo/services/middleware/endpoints/inter_resource_local.rb +130 -0
data/lib/hoodoo/services/middleware/endpoints/inter_resource_remote.rb +202 -0
data/lib/hoodoo/services/middleware/exception_reporting/base_reporter.rb +105 -0
data/lib/hoodoo/services/middleware/exception_reporting/exception_reporting.rb +115 -0
data/lib/hoodoo/services/middleware/exception_reporting/reporters/airbrake_reporter.rb +64 -0
data/lib/hoodoo/services/middleware/exception_reporting/reporters/raygun_reporter.rb +63 -0
data/lib/hoodoo/services/middleware/interaction.rb +127 -0
data/lib/hoodoo/services/middleware/middleware.rb +2705 -0
data/lib/hoodoo/services/middleware/rack_monkey_patch.rb +73 -0
data/lib/hoodoo/services/services/context.rb +153 -0
data/lib/hoodoo/services/services/implementation.rb +132 -0
data/lib/hoodoo/services/services/interface.rb +934 -0
data/lib/hoodoo/services/services/permissions.rb +250 -0
data/lib/hoodoo/services/services/request.rb +189 -0
data/lib/hoodoo/services/services/response.rb +316 -0
data/lib/hoodoo/services/services/service.rb +141 -0
data/lib/hoodoo/services/services/session.rb +729 -0
data/lib/hoodoo/utilities.rb +12 -0
data/lib/hoodoo/utilities/string_inquirer.rb +54 -0
data/lib/hoodoo/utilities/utilities.rb +380 -0
data/lib/hoodoo/utilities/uuid.rb +44 -0
data/lib/hoodoo/version.rb +17 -0
data/spec/active/active_record/base_spec.rb +57 -0
data/spec/active/active_record/creator_spec.rb +88 -0
data/spec/active/active_record/dated_spec.rb +248 -0
data/spec/active/active_record/error_mapping_spec.rb +360 -0
data/spec/active/active_record/finder_spec.rb +744 -0
data/spec/active/active_record/search_helper_spec.rb +384 -0
data/spec/active/active_record/secure_spec.rb +435 -0
data/spec/active/active_record/support_spec.rb +225 -0
data/spec/active/active_record/translated_spec.rb +19 -0
data/spec/active/active_record/uuid_spec.rb +72 -0
data/spec/active/active_record/writer_spec.rb +272 -0
data/spec/alchemy/alchemy-amq.rb +33 -0
data/spec/client/augmented_array_spec.rb +15 -0
data/spec/client/augmented_base_spec.rb +50 -0
data/spec/client/augmented_hash_spec.rb +15 -0
data/spec/client/client_spec.rb +955 -0
data/spec/client/endpoint/endpoint_spec.rb +70 -0
data/spec/client/endpoint/endpoints/amqp_spec.rb +16 -0
data/spec/client/endpoint/endpoints/auto_session_spec.rb +9 -0
data/spec/client/endpoint/endpoints/http_based_spec.rb +9 -0
data/spec/client/endpoint/endpoints/http_spec.rb +103 -0
data/spec/client/endpoint/endpoints/not_found_spec.rb +35 -0
data/spec/client/headers_spec.rb +172 -0
data/spec/communicators/fast_spec.rb +9 -0
data/spec/communicators/pool_spec.rb +339 -0
data/spec/communicators/slow_spec.rb +15 -0
data/spec/data/resources/caller_spec.rb +156 -0
data/spec/data/resources/errors_spec.rb +22 -0
data/spec/data/resources/log_spec.rb +20 -0
data/spec/data/resources/session_spec.rb +15 -0
data/spec/data/types/error_primitive_spec.rb +15 -0
data/spec/data/types/permissions_defaults_spec.rb +25 -0
data/spec/data/types/permissions_full_spec.rb +44 -0
data/spec/data/types/permissions_resources_spec.rb +34 -0
data/spec/data/types/permissions_spec.rb +37 -0
data/spec/errors/error_descriptions_spec.rb +98 -0
data/spec/errors/errors_spec.rb +346 -0
data/spec/integration/service_actions_spec.rb +112 -0
data/spec/logger/fast_writer_spec.rb +18 -0
data/spec/logger/logger_spec.rb +259 -0
data/spec/logger/slow_writer_spec.rb +144 -0
data/spec/logger/writers/file_writer_spec.rb +37 -0
data/spec/logger/writers/log_entries_dot_com_writer_spec.rb +29 -0
data/spec/logger/writers/stream_writer_spec.rb +38 -0
data/spec/presenters/base_dsl_spec.rb +111 -0
data/spec/presenters/base_spec.rb +871 -0
data/spec/presenters/common_resource_fields_spec.rb +30 -0
data/spec/presenters/embedding_spec.rb +87 -0
data/spec/presenters/types/array_spec.rb +249 -0
data/spec/presenters/types/boolean_spec.rb +51 -0
data/spec/presenters/types/date_spec.rb +57 -0
data/spec/presenters/types/date_time_spec.rb +59 -0
data/spec/presenters/types/decimal_spec.rb +58 -0
data/spec/presenters/types/enum_spec.rb +71 -0
data/spec/presenters/types/field_spec.rb +77 -0
data/spec/presenters/types/float_spec.rb +50 -0
data/spec/presenters/types/hash_spec.rb +1069 -0
data/spec/presenters/types/integer_spec.rb +50 -0
data/spec/presenters/types/object_spec.rb +177 -0
data/spec/presenters/types/string_spec.rb +65 -0
data/spec/presenters/types/tags_spec.rb +56 -0
data/spec/presenters/types/text_spec.rb +50 -0
data/spec/presenters/types/uuid_spec.rb +46 -0
data/spec/presenters/walk_spec.rb +198 -0
data/spec/services/discovery/discoverers/by_consul_spec.rb +29 -0
data/spec/services/discovery/discoverers/by_convention_spec.rb +67 -0
data/spec/services/discovery/discoverers/by_drb/by_drb_spec.rb +80 -0
data/spec/services/discovery/discoverers/by_drb/drb_server_spec.rb +205 -0
data/spec/services/discovery/discovery_spec.rb +73 -0
data/spec/services/discovery/results/for_amqp_spec.rb +17 -0
data/spec/services/discovery/results/for_http_spec.rb +37 -0
data/spec/services/discovery/results/for_local_spec.rb +21 -0
data/spec/services/discovery/results/for_remote_spec.rb +15 -0
data/spec/services/middleware/amqp_log_message_spec.rb +60 -0
data/spec/services/middleware/amqp_log_writer_spec.rb +95 -0
data/spec/services/middleware/endpoints/inter_resource_local_spec.rb +9 -0
data/spec/services/middleware/endpoints/inter_resource_remote_spec.rb +9 -0
data/spec/services/middleware/exception_reporting/base_reporter_spec.rb +16 -0
data/spec/services/middleware/exception_reporting/exception_reporting_spec.rb +92 -0
data/spec/services/middleware/exception_reporting/reporters/airbrake_reporter_spec.rb +24 -0
data/spec/services/middleware/exception_reporting/reporters/raygun_reporter_spec.rb +23 -0
data/spec/services/middleware/middleware_cors_spec.rb +93 -0
data/spec/services/middleware/middleware_create_update_spec.rb +489 -0
data/spec/services/middleware/middleware_dated_at_spec.rb +186 -0
data/spec/services/middleware/middleware_exotic_communication_spec.rb +560 -0
data/spec/services/middleware/middleware_logging_spec.rb +356 -0
data/spec/services/middleware/middleware_multi_local_spec.rb +1094 -0
data/spec/services/middleware/middleware_multi_remote_spec.rb +1440 -0
data/spec/services/middleware/middleware_permissions_spec.rb +1014 -0
data/spec/services/middleware/middleware_public_spec.rb +238 -0
data/spec/services/middleware/middleware_spec.rb +1569 -0
data/spec/services/middleware/string_inquirer_spec.rb +30 -0
data/spec/services/services/application_spec.rb +74 -0
data/spec/services/services/context_spec.rb +48 -0
data/spec/services/services/implementation_spec.rb +45 -0
data/spec/services/services/interface_spec.rb +262 -0
data/spec/services/services/permissions_spec.rb +249 -0
data/spec/services/services/request_spec.rb +95 -0
data/spec/services/services/response_spec.rb +250 -0
data/spec/services/services/session_spec.rb +432 -0
data/spec/spec_helper.rb +298 -0
data/spec/utilities/utilities_spec.rb +537 -0
data/spec/utilities/uuid_spec.rb +20 -0
metadata +615 -0

data/spec/services/middleware/middleware_permissions_spec.rb ADDED Viewed

@@ -0,0 +1,1014 @@
+# These tests focus on the way that a resource can declare a requirement
+# to gain extra permissions while processing an action, that allow it to
+# call other services. The caller's inbound session only needs to be able
+# to call the 'otuermost' action to succeed.
+#
+# Mock Memcached is used for 'real' (nearly) session management in Hoodoo
+# rather than rely on the allow-all test session. If we used the test
+# session, we'd never test permissions augmentation as it is bypassed in
+# that mode.
+#
+# All the groundwork having been done for permissions testing, this is is
+# also a good place to make sure that interaction IDs are properly passed
+# between both local and remote inter-resource calls, so that's tested in
+# passing here too (there was once a bug where this got broken for local
+# inter-resource calls).
+require 'spec_helper'
+# To show Clock, Clock must call Date which must call Time.
+#
+# (1) These are all in the same app (local inter-resource calls)
+# (2) These are each in different apps (remote calls)
+#
+# Then insofar as possible, (1) and (2) with:
+#
+# (A) Clock does not request permission for Date
+#     - verify that show yields forbidden and date/time not called
+#     - grant session permission for date and verify forbidden
+#       and time not called
+#     - grant permissions through to time and verify 200
+#
+# (B) Date does not request permission for Time
+#     - verify that show yields forbidden, date called, time not
+#     - grant permission for time and verify 200
+#
+# (C) Full request from Date to Time
+#     - verify that show yields 200, date and time called
+#     - use ASK rather than ALLOW for Date -> Time to test #verify
+#
+# Because we don't want same-named resources or same-path resources
+# running concurrently (that counts as platform misconfiguration),
+# we end up with:
+#
+# * Three Clock resource names and endpoints - for with-no-added-permissions
+#   calls no-added-Date calls Time; with-permissions calls no-added-Date
+#   calls Time; and with-permissions calls with-added-Date calls Time.
+#
+# * Thus two Date names and endpoints - with-permissions calls Time and
+#   without-permissions calls Time.
+#
+# * Just one Time resource end endpoint.
+##############################################################################
+# Implementations
+##############################################################################
+class RSpecAddPermTestClockCallsDateNoPermsImplementation < Hoodoo::Services::Implementation
+  def show( context )
+    date_time = context.resource( :RSpecAddPermTestDateNoPerms ).show( 'now' )
+    return if date_time.adds_errors_to?( context.response.errors )
+    context.response.set_resource( date_time )
+  end
+end
+class RSpecAddPermTestClockImplementation < Hoodoo::Services::Implementation
+  # We'll give the top-level Clock a #show and #list action that basically
+  # do the same thing. But in the Clock *interface*, we're only going to
+  # ask for additional permissions to call Date for the #show action. Thus,
+  # attempts to call #list will fail, unless the top-level session already
+  # has permission to call Date.
+  #
+  # Further, #show can be made to call #list and it *does* ask for the
+  # permission to do this. So while #list here does not ask for permission
+  # for #show "there", #show here *does* ask for permission for #list
+  # "there". Thus we test - an action here fails to get permission for a
+  # different-named action downstream; an action here does get permission
+  # for a different-named action downstream.
+  def show( context )
+    if context.request.ident == 'list_instead'
+      date_time = context.resource( :RSpecAddPermTestDate ).list()
+    else
+      date_time = context.resource( :RSpecAddPermTestDate ).show( 'now' )
+    end
+    return if date_time.adds_errors_to?( context.response.errors )
+    context.response.set_resource( date_time )
+  end
+  def list( context )
+    date_time = context.resource( :RSpecAddPermTestDate ).show( 'now' )
+    return if date_time.adds_errors_to?( context.response.errors )
+    context.response.set_resources( [ date_time ] )
+  end
+end
+class RSpecAddPermTestDateImplementation < Hoodoo::Services::Implementation
+  def show( context )
+    time = context.resource( :RSpecAddPermTestTime ).show( 'now' )
+    return if time.adds_errors_to?( context.response.errors )
+    context.response.set_resource( { 'date' => '1999-12-31', 'time' => time[ 'time' ] } )
+  end
+  def list( context )
+    time = context.resource( :RSpecAddPermTestTime ).show( 'now' )
+    return if time.adds_errors_to?( context.response.errors )
+    context.response.set_resources( [ { 'date' => '1999-12-31', 'time' => time[ 'time' ] } ] )
+  end
+end
+class RSpecAddPermTestTimeImplementation < Hoodoo::Services::Implementation
+  def show( context )
+    context.response.set_resource( { 'time' => '23:59:59' } )
+  end
+  # Using ASK in the interfaces later for this specific case lets us check
+  # in tests that the interface's permissions we used when getting through
+  # to this implementation, rather than some other route. We have to be
+  # expecting #verify and return ALLOW. If we aren't expecting it but it's
+  # called anyway, it denis the request to hopefully provoke a test failure.
+  #
+  # Yes, DENY is the default superclass implementation anyway but explicit
+  # code here lets future maintainers read this and know what's happening!
+  #
+  def verify( context, action )
+    Hoodoo::Services::Permissions::DENY
+  end
+end
+# The Interaction ID test "source" (calls to) and "destination" (called
+# by) classes.
+class RSpecTestInteractionIDPassingDestinationImplementation < Hoodoo::Services::Implementation
+  def show( context )
+    context.response.set_resource( { 'interaction_id' => context.owning_interaction.interaction_id } )
+  end
+end
+class RSpecTestInteractionIDPassingSourceImplementation < Hoodoo::Services::Implementation
+  def show( context )
+    destination = context.resource( :RSpecTestInteractionIDPassingDestination )
+    result = destination.show( context.request.ident )
+    return if result.adds_errors_to?( context.response.errors )
+    context.response.set_resource( result )
+  end
+end
+##############################################################################
+# Interfaces
+##############################################################################
+class RSpecAddPermTestClockNoPermsCallsDateNoPermsInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestClockNoPermsCallsDateNoPerms do
+    endpoint :rspec_add_perm_test_clock_no_perms_calls_date_no_perms, RSpecAddPermTestClockCallsDateNoPermsImplementation
+    actions :show
+  end
+end
+class RSpecAddPermTestClockCallsDateNoPermsInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestClockCallsDateNoPerms do
+    endpoint :rspec_add_perm_test_clock_calls_date_no_perms, RSpecAddPermTestClockCallsDateNoPermsImplementation
+    actions :show
+    additional_permissions_for( :show ) do | p |
+      p.set_resource( :RSpecAddPermTestDateNoPerms, :show, Hoodoo::Services::Permissions::ALLOW )
+    end
+  end
+end
+class RSpecAddPermTestClockInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestClock do
+    endpoint :rspec_add_perm_test_clocks, RSpecAddPermTestClockImplementation
+    actions :show, :list
+    additional_permissions_for( :show ) do | p |
+      p.set_resource( :RSpecAddPermTestDate, :show, Hoodoo::Services::Permissions::ALLOW )
+      p.set_resource( :RSpecAddPermTestDate, :list, Hoodoo::Services::Permissions::ALLOW )
+    end
+  end
+end
+class RSpecAddPermTestDateNoPermsInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestDateNoPerms do
+    endpoint :rspec_add_perm_test_date_no_perms, RSpecAddPermTestDateImplementation
+    actions :show
+  end
+end
+class RSpecAddPermTestDateInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestDate do
+    endpoint :dates, RSpecAddPermTestDateImplementation
+    actions :show, :list
+    additional_permissions_for( :show ) do | p |
+      p.set_resource( :RSpecAddPermTestTime, :show, Hoodoo::Services::Permissions::ASK )
+    end
+    additional_permissions_for( :list ) do | p |
+      p.set_resource( :RSpecAddPermTestTime, :show, Hoodoo::Services::Permissions::ASK )
+    end
+  end
+end
+class RSpecAddPermTestTimeInterface < Hoodoo::Services::Interface
+  interface :RSpecAddPermTestTime do
+    endpoint :rspec_add_perm_test_times, RSpecAddPermTestTimeImplementation
+    actions :show
+  end
+end
+class RSpecTestInteractionIDPassingDestinationInterface < Hoodoo::Services::Interface
+  interface :RSpecTestInteractionIDPassingDestination do
+    endpoint :id_passing_destination, RSpecTestInteractionIDPassingDestinationImplementation
+    actions :show
+  end
+end
+class RSpecTestInteractionIDPassingSourceInterface < Hoodoo::Services::Interface
+  interface :RSpecTestInteractionIDPassingSource do
+    endpoint :id_passing_source, RSpecTestInteractionIDPassingSourceImplementation
+    actions :show
+    additional_permissions_for( :show ) do | p |
+      p.set_resource( :RSpecTestInteractionIDPassingDestination, :show, Hoodoo::Services::Permissions::ALLOW )
+    end
+  end
+end
+##############################################################################
+# Service applications for local inter-resource calls
+##############################################################################
+# (See earlier) (A) Clock does not request permission for Date
+class RSpecAddPermTestClockServiceA < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockNoPermsCallsDateNoPermsInterface,
+               RSpecAddPermTestDateNoPermsInterface,
+               RSpecAddPermTestTimeInterface
+end
+# (See earlier) (B) Date does not request permission for Time
+class RSpecAddPermTestClockServiceB < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockCallsDateNoPermsInterface,
+               RSpecAddPermTestDateNoPermsInterface,
+               RSpecAddPermTestTimeInterface
+end
+# (See earlier) (C) Full request from Date to Time
+class RSpecAddPermTestClockServiceC < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockInterface,
+               RSpecAddPermTestDateInterface,
+               RSpecAddPermTestTimeInterface
+end
+# (See earlier) Interaction ID test
+class RSpecTestInteractionIDPassingService < Hoodoo::Services::Service
+  comprised_of RSpecTestInteractionIDPassingSourceInterface,
+               RSpecTestInteractionIDPassingDestinationInterface
+end
+##############################################################################
+# Service applications for remote inter-resource calls
+##############################################################################
+class RSpecAddPermTestClockNoPermsCallsDateNoPermsService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockNoPermsCallsDateNoPermsInterface
+end
+class RSpecAddPermTestClockCallsDateNoPermsService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockCallsDateNoPermsInterface
+end
+class RSpecAddPermTestClockService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestClockInterface
+end
+class RSpecAddPermTestDateNoPermsService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestDateNoPermsInterface
+end
+class RSpecAddPermTestDateService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestDateInterface
+end
+class RSpecAddPermTestTimeService < Hoodoo::Services::Service
+  comprised_of RSpecAddPermTestTimeInterface
+end
+class RSpecTestInteractionIDPassingDestinationService < Hoodoo::Services::Service
+  comprised_of RSpecTestInteractionIDPassingDestinationInterface
+end
+class RSpecTestInteractionIDPassingSourceService < Hoodoo::Services::Service
+  comprised_of RSpecTestInteractionIDPassingSourceInterface
+end
+##############################################################################
+describe Hoodoo::Services::Middleware do
+  before :each do
+    @session_id     = Hoodoo::UUID.generate
+    @caller_id      = Hoodoo::UUID.generate
+    @caller_version = 1
+    @session        = Hoodoo::Services::Session.new( {
+      :session_id     => @session_id,
+      :memcached_host => '0.0.0.0:0',
+      :caller_id      => @caller_id,
+      :caller_version => @caller_version
+    } )
+    # Grant top-level access to all of the Clock endpoints
+    @session.permissions = Hoodoo::Services::Permissions.new
+    @session.permissions.set_resource(
+      :RSpecAddPermTestClockNoPermsCallsDateNoPerms,
+      :show,
+      Hoodoo::Services::Permissions::ALLOW
+    )
+    @session.permissions.set_resource(
+      :RSpecAddPermTestClockCallsDateNoPerms,
+      :show,
+      Hoodoo::Services::Permissions::ALLOW
+    )
+    @session.permissions.set_resource(
+      :RSpecAddPermTestClock,
+      :show,
+      Hoodoo::Services::Permissions::ALLOW
+    )
+    @session.permissions.set_resource(
+      :RSpecAddPermTestClock,
+      :list,
+      Hoodoo::Services::Permissions::ALLOW
+    )
+    @session.permissions.set_resource(
+      :RSpecTestInteractionIDPassingSource,
+      :show,
+      Hoodoo::Services::Permissions::ALLOW
+    )
+    Hoodoo::Services::Session::MockDalliClient.reset()
+    result = @session.save_to_memcached
+    raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+  end
+  after :each do
+    Hoodoo::Services::Session::MockDalliClient.reset()
+  end
+  ############################################################################
+  # Local inter-resource calls
+  ############################################################################
+  context 'with local resources and' do
+    after :all do
+      Hoodoo::Services::Middleware.flush_services_for_test()
+    end
+    context 'Clock with no extra permissions for Date or Time' do
+      def app
+        Rack::Builder.new do
+          use Hoodoo::Services::Middleware
+          run RSpecAddPermTestClockServiceA.new
+        end
+      end
+      it 'cannot call #show in Date or Time by default' do
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        get '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 403 )
+        result = JSON.parse( last_response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'cannot call #show in Time if session only grants Date access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDateNoPerms,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        get '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 403 )
+        result = JSON.parse( last_response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'can call #show if session grants Date and Time access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDateNoPerms,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        @session.permissions.set_resource(
+          :RSpecAddPermTestTime,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :verify )
+        get '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 200 )
+        result = JSON.parse( last_response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+    end
+    context 'Clock with extra permissions for Date but no extra permissions for Time' do
+      def app
+        Rack::Builder.new do
+          use Hoodoo::Services::Middleware
+          run RSpecAddPermTestClockServiceB.new
+        end
+      end
+      it 'cannot call #show in Time by default' do
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        get '/v1/rspec_add_perm_test_clock_calls_date_no_perms/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 403 )
+        result = JSON.parse( last_response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'can call #show if session only grants Time access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestTime,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :verify )
+        get '/v1/rspec_add_perm_test_clock_calls_date_no_perms/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 200 )
+        result = JSON.parse( last_response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+    end
+    context 'Clock with extra permissions for Date and Time' do
+      def app
+        Rack::Builder.new do
+          use Hoodoo::Services::Middleware
+          run RSpecAddPermTestClockServiceC.new
+        end
+      end
+      it 'can call #show without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        get '/v1/rspec_add_perm_test_clocks/any',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 200 )
+        result = JSON.parse( last_response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+      it 'can call special case #show leading to #list downstream without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        get '/v1/rspec_add_perm_test_clocks/list_instead',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 200 )
+        result = JSON.parse( last_response.body )
+        expect( result ).to eq( { '_data' => [ { 'date' => '1999-12-31', 'time' => '23:59:59' } ] } )
+      end
+      it 'cannot call #list without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show ).once.and_call_original
+        get '/v1/rspec_add_perm_test_clocks',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 403 )
+      end
+      it 'can call #list with one extra session permission' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDate,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        get '/v1/rspec_add_perm_test_clocks',
+            nil,
+            {
+              'CONTENT_TYPE' => 'application/json; charset=utf-8',
+              'HTTP_X_SESSION_ID' => @session.session_id
+            }
+        expect( last_response.status ).to eq( 200 )
+        result = JSON.parse( last_response.body )
+        expect( result ).to eq( { '_data' => [ { 'date' => '1999-12-31', 'time' => '23:59:59' } ] } )
+      end
+      context 'testing for interaction ID passing' do
+        def app
+          Rack::Builder.new do
+            use Hoodoo::Services::Middleware
+            run RSpecTestInteractionIDPassingService.new
+          end
+        end
+        it 'passes the interaction ID' do
+          get '/v1/id_passing_source/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 200 )
+          result = JSON.parse( last_response.body )
+          expect( result[ 'interaction_id' ] ).to_not be_blank
+          expect( result[ 'interaction_id' ] ).to eq( last_response.headers[ 'X-Interaction-ID' ] )
+        end
+      end
+      context 'for code coverage' do
+        # Top-level "augment session failed"
+        #
+        it 'can deal with inter-resource session errors (1)' do
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(Hoodoo::Services::Session).to receive( :augment_with_permissions_for ).once.and_return( false )
+          expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 401 )
+        end
+        # Inside "augment session", attempt to save to Memcached returns 'false'
+        #
+        it 'can deal with inter-resource session errors (2)' do
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(Hoodoo::Services::Session).to receive( :save_to_memcached ).once.and_return( :outdated )
+          expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 401 )
+        end
+        # Inside "augment session", attempt to save to Memcached returns 'nil'
+        #
+        it 'can deal with inter-resource session errors (3)' do
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(Hoodoo::Services::Session).to receive( :save_to_memcached ).once.and_return( :fail )
+          expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 500 )
+          result = JSON.parse( last_response.body )
+          expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.fault' )
+          expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Unable to create interim session for inter-resource call from RSpecAddPermTestClock / show' )
+        end
+        it 'handles nil permissions' do
+          @session.permissions = nil
+          result = @session.save_to_memcached
+          raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to_not receive( :show )
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 403 )
+        end
+        it 'handles empty permissions' do
+          @session.permissions = Hoodoo::Services::Permissions.new( {} )
+          result = @session.save_to_memcached
+          raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to_not receive( :show )
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 403 )
+        end
+        it 'handles default #verify response as deny' do
+          @session.permissions.set_resource( :RSpecAddPermTestClock, :show, Hoodoo::Services::Permissions::ASK )
+          result = @session.save_to_memcached
+          raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+          expect_any_instance_of(Hoodoo::Services::Implementation).to receive( :verify ).once.and_call_original
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to_not receive( :show ).once.and_call_original
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 403 )
+        end
+        it 'handles custom #verify response as deny' do
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+          # The Time endpoint already returns DENY out-of-the-box.
+          expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).once.and_call_original
+          get '/v1/rspec_add_perm_test_clocks/any',
+              nil,
+              {
+                'CONTENT_TYPE' => 'application/json; charset=utf-8',
+                'HTTP_X_SESSION_ID' => @session.session_id
+              }
+          expect( last_response.status ).to eq( 403 )
+        end
+      end
+    end
+  end
+  ############################################################################
+  # Remote inter-resource calls
+  ############################################################################
+  context 'with remote resources and' do
+    before :all do
+      @port_clock_no_perms_calls_date_no_perms = spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestClockNoPermsCallsDateNoPermsService )
+      @port_clock_calls_date_no_perms = spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestClockCallsDateNoPermsService )
+      @port_clock = spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestClockService )
+      @port_iid_source = spec_helper_start_svc_app_in_thread_for( RSpecTestInteractionIDPassingSourceService )
+      spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestDateNoPermsService )
+      spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestDateService )
+      spec_helper_start_svc_app_in_thread_for( RSpecAddPermTestTimeService )
+      spec_helper_start_svc_app_in_thread_for( RSpecTestInteractionIDPassingDestinationService )
+    end
+    after :all do
+      Hoodoo::Services::Middleware.flush_services_for_test()
+    end
+    context 'Clock with no extra permissions for Date or Time' do
+      it 'cannot call #show in Date or Time by default' do
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+          :port => @port_clock_no_perms_calls_date_no_perms,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '403' )
+        result = JSON.parse( response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'cannot call #show in Time if session only grants Date access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDateNoPerms,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+          :port => @port_clock_no_perms_calls_date_no_perms,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '403' )
+        result = JSON.parse( response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'can call #show if session grants Date and Time access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDateNoPerms,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        @session.permissions.set_resource(
+          :RSpecAddPermTestTime,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :verify )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clock_no_perms_calls_date_no_perms/any',
+          :port => @port_clock_no_perms_calls_date_no_perms,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+    end
+    context 'Clock with extra permissions for Date but no extra permissions for Time' do
+      it 'cannot call #show in Time by default' do
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clock_calls_date_no_perms/any',
+          :port => @port_clock_calls_date_no_perms,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '403' )
+        result = JSON.parse( response.body )
+        expect( result[ 'errors' ][ 0 ][ 'code' ] ).to eq( 'platform.forbidden' )
+        expect( result[ 'errors' ][ 0 ][ 'message' ] ).to eq( 'Action not authorized' )
+      end
+      it 'can call #show if session only grants Time access' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestTime,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockCallsDateNoPermsImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :verify )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clock_calls_date_no_perms/any',
+          :port => @port_clock_calls_date_no_perms,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+    end
+    context 'Clock with extra permissions for Date and Time' do
+      it 'can call #show without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clocks/any',
+          :port => @port_clock,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result ).to eq( { 'date' => '1999-12-31', 'time' => '23:59:59' } )
+      end
+      it 'can call special case #show leading to #list downstream without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clocks/list_instead',
+          :port => @port_clock,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result ).to eq( { '_data' => [ { 'date' => '1999-12-31', 'time' => '23:59:59' } ] } )
+      end
+      it 'cannot call #list without any extra session permissions' do
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to_not receive( :show ).once.and_call_original
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clocks',
+          :port => @port_clock,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '403' )
+      end
+      it 'can call #list with one extra session permission' do
+        @session.permissions.set_resource(
+          :RSpecAddPermTestDate,
+          :show,
+          Hoodoo::Services::Permissions::ALLOW
+        )
+        result = @session.save_to_memcached
+        raise "Can't save to mock Memcached (result = #{result})" unless result == :ok
+        expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :list ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestDateImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :show ).once.and_call_original
+        expect_any_instance_of(RSpecAddPermTestTimeImplementation).to receive( :verify ).with( anything(), :show ).and_return( Hoodoo::Services::Permissions::ALLOW )
+        response = spec_helper_http(
+          :path => '/v1/rspec_add_perm_test_clocks',
+          :port => @port_clock,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result ).to eq( { '_data' => [ { 'date' => '1999-12-31', 'time' => '23:59:59' } ] } )
+      end
+      context 'for code coverage' do
+        # Top-level "augment session failed". Failures inside the "augment
+        # session" code were tested in the previous section dealing with
+        # local inter-resource calls (they use the same back-end method).
+        #
+        it 'can deal with inter-resource session errors' do
+          expect_any_instance_of(RSpecAddPermTestClockImplementation).to receive( :show ).once.and_call_original
+          expect_any_instance_of(Hoodoo::Services::Session).to receive( :augment_with_permissions_for ).once.and_return( false )
+          expect_any_instance_of(RSpecAddPermTestDateImplementation).to_not receive( :show )
+          response = spec_helper_http(
+            :path => '/v1/rspec_add_perm_test_clocks/any',
+            :port => @port_clock,
+            :headers => { 'X-Session-ID' => @session.session_id }
+          )
+          expect( response.code ).to eq( '401' )
+        end
+      end
+    end
+    context 'testing for interaction ID passing' do
+      it 'passes the interaction ID' do
+        response = spec_helper_http(
+          :path => '/v1/id_passing_source/any',
+          :port => @port_iid_source,
+          :headers => { 'X-Session-ID' => @session.session_id }
+        )
+        expect( response.code ).to eq( '200' )
+        result = JSON.parse( response.body )
+        expect( result[ 'interaction_id' ] ).to_not be_blank
+        expect( result[ 'interaction_id' ] ).to eq( response[ 'X-Interaction-ID' ] )
+      end
+    end
+  end
+end