@toa.io/extensions.exposition 0.24.0-alpha.17 → 0.24.0-alpha.19

package/features/identity.federation.feature

@@ -0,0 +1,125 @@
+Feature: Identity Federation
+
+  Background:
+    Given the `identity.federation` database is empty
+    Given local IDP is running
+
+
+  Scenario: Getting identity for a new user
+    Given the `identity.federation` configuration:
+      """yaml
+      explicit_identity_creation: false
+      trust:
+        - issuer: http://localhost:44444
+      """
+    And the IDP token for User is issued
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ User.token }}
+
+      id: ${{ User.id }}
+      roles: []
+      scheme: bearer
+      """
+    # validate token
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      accept: application/yaml
+      authorization: Token ${{ User.token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ User.id }}
+      """
+    # ensuring identity idemptotency
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ User.id }}
+      """
+
+  Scenario: Creating an Identity using inception with existing credentials
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - issuer: http://localhost:44444
+      """
+    Given the `users` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          anonymous: true
+          POST:
+            incept: id
+            endpoint: transit
+      """
+    And the IDP token for Bill is issued
+    When the following request is received:
+      # identity inception
+      """
+      POST /users/ HTTP/1.1
+      authorization: Bearer ${{ Bill.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      authorization: Token ${{ Bill.token }}
+
+      id: ${{ Bill.id }}
+      """
+    # check that both tokens corresponds to the same id
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Token ${{ Bill.token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ Bill.id }}
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ Bill.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ Bill.id }}
+      """
+    And the following request is received:
+      # same credentials
+      """
+      POST /users/ HTTP/1.1
+      authorization: Bearer ${{ Bill.id_token }}
+      content-type: text/plain
+
+      name: Mary Louis
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """

package/features/steps/Captures.ts

@@ -0,0 +1,5 @@
+import * as http from '@toa.io/http'
+import { binding } from 'cucumber-tsflow'
+
+@binding()
+export class Captures extends http.Captures {}

package/features/steps/Components.ts

@@ -1,3 +1,4 @@
+import * as assert from 'node:assert'
 import { after, binding, given } from 'cucumber-tsflow'
 import * as boot from '@toa.io/boot'
 import { timeout } from '@toa.io/generic'
@@ -30,9 +31,13 @@ export class Components {
   @given('the `{word}` is stopped')
   public async stop (_?: string): Promise<void> {
     await this.composition?.disconnect()
+
+    this.composition = null
   }
 
   private async runComponent (name: string, manifest?: object): Promise<void> {
+    assert.ok(this.composition === null, 'Composition is already running')
+
     const path = await this.workspace.addComponent(name, manifest)
 
     this.composition = await boot.composition([path])

package/features/steps/HTTP.ts

@@ -1,22 +1,29 @@
+import * as assert from 'node:assert'
+import * as fs from 'node:fs'
+import * as path from 'node:path'
 import { binding, then, when } from 'cucumber-tsflow'
 import * as http from '@toa.io/http'
-import { open } from '../../../storages/source/test/util'
+import * as msgpack from 'msgpackr'
+import * as YAML from 'js-yaml'
+import { Captures } from './Captures'
 import { Parameters } from './Parameters'
 import { Gateway } from './Gateway'
+import type { Readable } from 'node:stream'
 
-@binding([Gateway, Parameters])
+@binding([Gateway, Parameters, Captures])
 export class HTTP extends http.Agent {
   private readonly gateway: Gateway
+  private fetched: Response | null = null
 
-  public constructor (gateway: Gateway, parameters: Parameters) {
-    super(parameters.origin)
+  public constructor (gateway: Gateway, parameters: Parameters, captures: Captures) {
+    super(parameters.origin, captures)
     this.gateway = gateway
   }
 
   @when('the following request is received:')
   public override async request (input: string): Promise<any> {
     await this.gateway.start()
-    await super.request(input)
+    this.fetched = await super.request(input)
   }
 
   @then('the following reply is sent:')
@@ -24,6 +31,17 @@ export class HTTP extends http.Agent {
     super.responseIncludes(expected)
   }
 
+  @then('response body contains {word}-encoded value:')
+  public async bodyIs (format: string, yaml: string): Promise<void> {
+    assert.ok(this.fetched !== null, 'Response is null')
+
+    const buf = await this.fetched.arrayBuffer()
+    const value = encoders[format]?.(buf as Buffer)
+    const expected = YAML.load(yaml)
+
+    assert.deepEqual(value, expected, 'Values are not equal')
+  }
+
   @then('the reply does not contain:')
   public override responseExcludes (expected: string): void {
     super.responseExcludes(expected)
@@ -44,3 +62,13 @@ export class HTTP extends http.Agent {
     await super.streamMatch(head, stream)
   }
 }
+
+const FILEDIR = path.resolve(__dirname, '../../../storages/source/test')
+
+function open (filename: string): Readable {
+  return fs.createReadStream(path.join(FILEDIR, filename))
+}
+
+const encoders: Record<string, (buf: Buffer | Uint8Array) => any> = {
+  MessagePack: msgpack.decode
+}

package/features/steps/IdP.ts

@@ -0,0 +1,120 @@
+import { once } from 'node:events'
+import * as crypto from 'node:crypto'
+import * as http from 'node:http'
+import * as assert from 'node:assert'
+import * as util from 'node:util'
+import { binding, given, afterAll } from 'cucumber-tsflow'
+import { Captures } from './Captures'
+
+import type { AddressInfo } from 'node:net'
+
+@binding([Captures])
+export class IdP {
+  private static server?: http.Server
+  private static privateKey?: crypto.KeyObject
+  private static issuer?: string
+
+  public constructor (private readonly captures: Captures) {}
+
+  @afterAll()
+  public static async stop (): Promise<void> {
+    if (this.server instanceof http.Server) {
+      this.server.close()
+      await once(this.server, 'close')
+    }
+  }
+
+  @given(/local IDP is running/i)
+  public async start (): Promise<void> {
+    if (IdP.server instanceof http.Server) return
+
+    // creating the key
+    const { publicKey, privateKey } = await util.promisify(crypto.generateKeyPair)('rsa', {
+      modulusLength: 2048
+    })
+
+    IdP.privateKey = privateKey
+
+    const jwk = JSON.stringify({
+      keys: [{ use: 'sig', alg: 'RS256', ...publicKey.export({ format: 'jwk' }) }]
+    })
+
+    const JWK_URL = '/.well-known/jwks'
+
+    const server = http.createServer((request, response) => {
+      switch (request.url) {
+        case JWK_URL:
+          response.writeHead(200, {
+            'Content-Type': 'application/json',
+            'Content-Length': jwk.length,
+            'Cache-Control': 'no-cache, no-store, must-revalidate',
+            Pragma: 'no-cache',
+            Expires: '0'
+          })
+          response.end(jwk)
+          break
+
+        case '/.well-known/openid-configuration':
+          {
+            const openIdConfiguration = JSON.stringify({
+              issuer: IdP.issuer,
+              jwks_uri: IdP.issuer + JWK_URL,
+              response_types_supported: ['id_token'],
+              subject_types_supported: ['public'],
+              id_token_signing_alg_values_supported: ['RS256'],
+              scopes_supported: ['openid']
+            })
+
+            response.writeHead(200, {
+              'Content-Type': 'application/json',
+              'Cache-Control': 'public, max-age=3600',
+              'Content-Length': openIdConfiguration.length
+            })
+            response.end(openIdConfiguration)
+          }
+
+          break
+
+        default:
+          response.writeHead(404, 'Not found')
+          response.end()
+      }
+    })
+
+    server.listen(44444, 'localhost')
+    await once(server, 'listening')
+
+    const address = server.address() as AddressInfo
+
+    console.log('IdP is listening on %s:%s', address.address, address.port)
+    IdP.server = server
+    IdP.issuer = `http://localhost:${address.port}`
+  }
+
+  @given('the IDP token for {word} is issued')
+  public async issueToken (user: string): Promise<void> {
+    assert.ok(IdP.privateKey, 'IdP private key is not available')
+
+    const jwt = [
+      {
+        typ: 'JWT',
+        alg: 'RS256'
+      },
+      {
+        iss: IdP.issuer,
+        sub: `${user}-mock-id`,
+        aud: 'test',
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor((Date.now() + 1000 * 60 * 5) / 1000)
+      }
+    ]
+      .map((v) => Buffer.from(JSON.stringify(v)).toString('base64url'))
+      .join('.')
+
+    const signature = crypto.createSign('RSA-SHA256').end(jwt).sign(IdP.privateKey, 'base64url')
+
+    const idToken = `${jwt}.${signature}`
+
+    this.captures.set(`${user}.id_token`, idToken)
+  }
+}

package/features/steps/Parameters.ts

@@ -1,4 +1,5 @@
 import { setDefaultTimeout } from '@cucumber/cucumber'
+import { encode } from '@toa.io/generic'
 
 export class Parameters {
   public readonly origin: string
@@ -9,7 +10,12 @@ export class Parameters {
 }
 
 setDefaultTimeout(30 * 1000)
+
 process.env.TOA_DEV = '1'
 
-// { octets: tmp:///exposition-octets }
-process.env.TOA_STORAGES = '3gABpm9jdGV0c7h0bXA6Ly8vZXhwb3NpdGlvbi1vY3RldHM='
+process.env.TOA_STORAGES = encode({
+  octets: {
+    provider: 'tmp',
+    prefix: 'test'
+  }
+})

package/features/steps/Workspace.ts

@@ -1,17 +1,17 @@
 import { join } from 'node:path'
-import { tmpdir } from 'node:os'
-import { mkdtemp, copy } from 'fs-extra'
+import { tmpdir, devNull } from 'node:os'
+import { mkdtemp, cp } from 'node:fs/promises'
 import * as yaml from '@toa.io/yaml'
 
 export class Workspace {
-  private root: string = devnull
+  private root: string = devNull
 
   public static exists
   (_0: unknown, _1: unknown, descriptor: PropertyDescriptor): PropertyDescriptor {
     const method = descriptor.value
 
     descriptor.value = async function (this: Workspace, ...args: any[]): Promise<any> {
-      if (this.root === devnull) this.root =
+      if (this.root === devNull) this.root =
         await mkdtemp(join(tmpdir(), Math.random().toString(36).slice(2)))
 
       return method.apply(this, args)
@@ -25,7 +25,7 @@ export class Workspace {
     const source = join(__dirname, 'components', name)
     const target = join(this.root, name)
 
-    await copy(source, target)
+    await cp(source, target, { force: true, recursive: true })
 
     if (patch !== undefined)
       await this.patchManifest(target, patch)
@@ -39,5 +39,3 @@ export class Workspace {
     await yaml.patch(path, patch)
   }
 }
-
-const devnull = '/dev/null'

package/features/vary.feature

@@ -0,0 +1,120 @@
+Feature: The Vary directive family
+
+  Scenario Outline: Embedding a language code
+    Given the `echo` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          vary:languages: [en, fr]
+          GET:
+            vary:embed:
+              name: language  # embed resolved language code as a `name` property of the operation input
+            endpoint: compute
+      """
+    When the following request is received:
+      """
+      GET /echo/ HTTP/1.1
+      accept: application/yaml
+      accept-language: <accept>
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+      content-language: <result>
+      vary: accept-language, accept
+
+      Hello <result>
+      """
+    Examples:
+      | accept | result |
+      | en     | en     |
+      | en_US  | en     |
+      | fr     | fr     |
+      | sw     | en     |
+
+  Scenario: Embedding a value of an arbitrary header
+    Given the `echo` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          GET:
+            vary:embed:
+              name: :foo
+            endpoint: compute
+      """
+    When the following request is received:
+      """
+      GET /echo/ HTTP/1.1
+      accept: application/yaml
+      foo: bar
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+      vary: foo, accept
+
+      Hello bar
+      """
+
+  Scenario Outline: Embedding a value from the list of options
+    Given the `echo` is running with the following manifest:
+        """yaml
+        exposition:
+          /:
+            vary:languages: [en, fr]
+            GET:
+              vary:embed:
+                name:
+                  - :foo
+                  - :bar
+                  - language
+              endpoint: compute
+        """
+    When the following request is received:
+        """
+        GET /echo/ HTTP/1.1
+        accept: application/yaml
+        <header>: <value>
+        """
+    Then the following reply is sent:
+        """
+        200 OK
+        content-type: application/yaml
+        vary: <header>, accept
+
+        Hello <value>
+        """
+    Examples:
+      | header          | value |
+      | foo             | bar   |
+      | bar             | baz   |
+      | accept-language | en    |
+
+  Scenario: Adding headers used by defined embeddings to CORS permissions
+    Given the `echo` is running with the following manifest:
+        """yaml
+        exposition:
+          /:
+            vary:languages: [en, fr]
+            GET:
+              vary:embed:
+                name:
+                  - language
+                  - :foo
+                  - :FOO
+                  - :bar
+              endpoint: compute
+        """
+    When the following request is received:
+        """
+        OPTIONS / HTTP/1.1
+        origin: http://example.com
+        access-control-request-headers: whatever
+        """
+    Then the following reply is sent:
+        """
+        204 No Content
+        access-control-allow-headers: accept, content-type, accept-language, foo, bar
+        """

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@toa.io/extensions.exposition",
-  "version": "0.24.0-alpha.17",
+  "version": "0.24.0-alpha.19",
   "description": "Toa Exposition",
   "author": "temich <tema.gurtovoy@gmail.com>",
   "homepage": "https://github.com/toa-io/toa#readme",
@@ -17,17 +17,16 @@
     "access": "public"
   },
   "dependencies": {
-    "@toa.io/core": "0.24.0-alpha.17",
-    "@toa.io/generic": "0.24.0-alpha.17",
-    "@toa.io/schemas": "0.24.0-alpha.17",
-    "@toa.io/streams": "0.24.0-alpha.17",
+    "@toa.io/core": "0.24.0-alpha.19",
+    "@toa.io/generic": "0.24.0-alpha.19",
+    "@toa.io/schemas": "0.24.0-alpha.19",
+    "@toa.io/streams": "0.24.0-alpha.19",
     "bcryptjs": "2.4.3",
-    "cors": "2.8.5",
     "error-value": "0.3.0",
     "express": "4.18.2",
     "js-yaml": "4.1.0",
     "matchacho": "0.3.5",
-    "msgpackr": "1.9.5",
+    "msgpackr": "1.10.1",
     "negotiator": "0.6.3",
     "paseto": "3.1.4"
   },
@@ -37,21 +36,21 @@
   },
   "scripts": {
     "test": "jest",
-    "transpile": "npx tsc && npm run transpile:basic && npm run transpile:tokens && npm run transpile:roles",
-    "transpile:basic": "npx tsc -p ./components/identity.basic",
-    "transpile:tokens": "npx tsc -p ./components/identity.tokens",
-    "transpile:roles": "npx tsc -p ./components/identity.roles",
-    "features": "npx cucumber-js"
+    "transpile": "tsc && npm run transpile:basic && npm run transpile:tokens && npm run transpile:roles && npm run transpile:federation",
+    "transpile:basic": "tsc -p ./components/identity.basic",
+    "pretranspile:federation": "js-yaml components/identity.federation/manifest.toa.yaml | jq -M '{ type: \"object\", properties: {configuration: .configuration.schema, entity: .entity.schema }, additionalProperties: false}' > schemas.json && json2ts -i schemas.json -o components/identity.federation/source/schemas.ts && rm schemas.json",
+    "transpile:federation": "tsc -p ./components/identity.federation",
+    "transpile:tokens": "tsc -p ./components/identity.tokens",
+    "transpile:roles": "tsc -p ./components/identity.roles",
+    "features": "cucumber-js"
   },
   "devDependencies": {
-    "@toa.io/extensions.storages": "0.24.0-alpha.17",
-    "@toa.io/http": "0.24.0-alpha.17",
+    "@toa.io/extensions.storages": "0.24.0-alpha.19",
+    "@toa.io/http": "0.24.0-alpha.19",
     "@types/bcryptjs": "2.4.3",
     "@types/cors": "2.8.13",
     "@types/express": "4.17.17",
-    "@types/fs-extra": "11.0.4",
-    "@types/negotiator": "0.6.1",
-    "fs-extra": "11.1.1"
+    "@types/negotiator": "0.6.1"
   },
-  "gitHead": "6eddd2ce5172a38c0ae9c41017f23a28398cf839"
+  "gitHead": "5e251e2f9ec49448c0a038d7aa07b01ba2b8d065"
 }

package/source/Directive.test.ts

@@ -1,10 +1,11 @@
+import assert from 'node:assert'
 import { generate } from 'randomstring'
 import { DirectivesFactory, type Family } from './Directive'
 import { type syntax } from './RTD'
 import { type IncomingMessage } from './HTTP'
 import { type Remotes } from './Remotes'
 
-const families: Array<jest.MockedObject<Family>> = [
+const families: Array<jest.MockedObjectDeep<Family>> = [
   {
     name: 'foo',
     mandatory: true,
@@ -26,6 +27,9 @@ let factory: DirectivesFactory
 beforeEach(() => {
   jest.clearAllMocks()
 
+  assert.ok(families[0].preflight !== undefined)
+  assert.ok(families[1].preflight !== undefined)
+
   families[0].preflight.mockImplementation(() => null)
   families[1].preflight.mockImplementation(() => null)
   factory = new DirectivesFactory(families, {} as unknown as Remotes)
@@ -61,7 +65,7 @@ it('should throw error if directive family is not found', async () => {
   }
 
   expect(() => factory.create([declaration]))
-    .toThrowError(`Directive family '${declaration.family}' not found.`)
+    .toThrowError(`Directive family '${declaration.family}' is not found.`)
 })
 
 it('should apply directive', async () => {
@@ -77,6 +81,8 @@ it('should apply directive', async () => {
 
   await directives.preflight(request, [])
 
+  assert.ok(families[0].preflight !== undefined)
+
   expect(families[0].preflight.mock.calls[0][0]).toStrictEqual([directive])
   expect(families[0].preflight.mock.calls[0][1]).toEqual(request)
 })