@toa.io/extensions.exposition 0.24.0-alpha.2 → 0.24.0-alpha.21

package/components/identity.tokens/operations/types.d.ts

@@ -0,0 +1,40 @@
+import { type Call, type Maybe, type Observation } from '@toa.io/types';
+export interface Context {
+    local: {
+        observe: Observation<Entity>;
+        decrypt: Call<Maybe<DecryptOutput>, string>;
+    };
+    configuration: Configuration;
+}
+export interface Configuration {
+    readonly key0: string;
+    readonly key1?: string;
+    readonly lifetime: number;
+    readonly refresh: number;
+}
+export interface Entity {
+    identity: string;
+    revokedAt: number;
+}
+export interface Identity extends Record<string, any> {
+    id: string;
+}
+export interface AuthenticateOutput {
+    identity: Identity;
+    refresh: boolean;
+}
+export interface EncryptInput {
+    identity: Identity;
+    lifetime?: number;
+}
+export interface DecryptOutput {
+    identity: Identity;
+    iat: string;
+    exp?: string;
+    refresh: boolean;
+}
+export interface Claim {
+    identity: Identity;
+    iat: string;
+    exp?: string;
+}

package/components/identity.tokens/operations/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/components/identity.tokens/operations/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../source/types.ts"],"names":[],"mappings":""}

package/cucumber.js

@@ -1,6 +1,5 @@
 module.exports = {
   default: {
-    paths: ['features/**/*.feature'],
     requireModule: ['ts-node/register'],
     require: ['./features/**/*.ts'],
     failFast: true

package/documentation/components.md

@@ -34,7 +34,7 @@ them).
 configuration:
   identity.basic:
     username:
-      - ^\S{1,16}$
+      - ^\S{1,128}$
     password:
       - ^\S{8,32}$
 ```
@@ -89,9 +89,32 @@ password?: string
 
 Access requires basic credentials of the modified Identity or `system:identity:basic` role.
 
+## Identity federation (OpenID connect)
+
+The `identity.federation` component manages OpenID Connect federated identities.
+
+Both implicit identities creation and forced [identity inception](./identity.md) are supported
+as in case with basic credentials. `principal` is also working in the same way.
+
+The configuration schema alongside default values is described in the [component manifest](../components/identity.federation/manifest.toa.yaml).
+
+No federated tokens are accepted by default until at least one entry is added to the `trust` configuration.
+
+```yaml
+# context.toa.yaml
+
+configuration:
+  identity.federation:
+    trust:
+      - issuer: https://token.actions.githubusercontent.com
+        audience:
+          - https://github.com/tinovyatkin
+          - https://github.com/temich
+```
+
 ## Stateless tokens
 
-The `identity.tokens` component manages statless authentication tokens.
+The `identity.tokens` component manages stateless authentication tokens.
 
 These tokens carry the information required to authenticate the Identity and authorize access.
 

package/documentation/identity.md

@@ -69,20 +69,20 @@ to [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.ht
 Authorization: Bearer eyJhbGciOiJIUzI1...
 ```
 
-Trusted providers are specified using the `idenity.trust` property within the Exposition annotation.
+Trusted providers are specified using the `identity.federation` property within the configuration annotation.
 
 ```yaml
 # context.toa.yaml
 
-exposition:
-  identity:
+configuration:
+  identity.federation:
     trust:
-      - https://accounts.google.com
-      - https://appleid.apple.com
+      - issuer: https://accounts.google.com
+        audience:
+          - <GOOGLE_CLIENT_ID>
+      - issuer: https://appleid.apple.com
 ```
 
-The example above demonstrates the default list of trusted providers.
-
 ## Identity inception
 
 The simplest way to establish a relationship between an Identity and an entity representing a user

package/documentation/protocol.md

@@ -27,7 +27,8 @@ foo: bar
 ### Multipart types
 
 Multipart responses are endoded using content negotiation,
-and the `content-type` of the response is set to one of the custom `multipart/` subtypes, corresponding to the type of
+and the `content-type` of the response is set to one of the custom `multipart/` subtypes,
+corresponding to the type of
 the parts:
 
 | Response type       | Part type             |
@@ -60,3 +61,22 @@ See also:
 - [Multipart Content-Type](https://www.w3.org/Protocols/rfc1341/7_2_Multipart.html) at W3C
 - [Content-Type: multipart](https://learn.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2010/aa493937(v=exchg.140))
   at Microsoft
+
+## CORS
+
+[CORS](https://www.w3.org/TR/2020/SPSD-cors-20200602/) is supported,
+credentials, any `origin`, and any request header fields are allowed.
+
+The following request headers are allowed:
+
+- `accept`
+- `authorization`
+- `content-type`
+- headers used by the [`vary:embed` directive](vary.md#embeddings)
+
+The following response headers are exposed:
+
+- `authorization`
+- `content-type`
+- `content-length`
+- `etag`

package/documentation/query.md

@@ -107,7 +107,7 @@ Operation call will have the following query criteria:
 criteria: state==hot;type==cool;rank=5
 ```
 
-### POST method
+#### POST method
 
 `POST` method semantically used to create a new entity instance, that is, calling a Transition
 without Query.

package/documentation/vary.md

@@ -0,0 +1,69 @@
+# HTTP request details
+
+The `vary` directives family provides the capability to include HTTP request details as input for an
+operation call.
+
+## TL;DR
+
+```yaml
+exposition:
+  realms:
+    toa: the.toa.io
+  /:
+    vary:languages: [en, fr]
+    GET:
+      vary:embed:
+        lang: language # predefined embeddings
+        realm: realm
+        token: :x-access-token # raw header value
+      endpoint: dummies.get
+```
+
+## Embeddings
+
+Request parts are embedded into the operation call according to the mapping
+defined by the `vary:embed` directive.
+The keys in the embedding map are the names of the input properties details to be embedded to,
+and the values are the names of the embedding functions.
+If the value is an array, the first non-empty embedding function's result is used.
+
+> If a property is already present in the input, the embedded value will overwrite its current
+> value.
+
+### Realm
+
+Realm is an identifier of a domain used to access the Exposition.
+The list of domains is defined by the `vary:realms` directive,
+which is a map of realm names to their domain names.
+
+The `realm` embedding substitutes the realm identified based on the `host` request header.
+
+### Language
+
+The `language` embedding substitutes the most matching language code based on the `accept-language`
+request header and a list of supported languages defined by the `vary:languages` directive, and also
+adds `accept-language` to the `vary` HTTP response header value.
+If neither of the supported languages matches, the first supported language is used.
+
+### Raw header values
+
+Keys in the embedding map starting with a semicolon (:) are the names of HTTP request headers whose
+values to be embedded into an operation call.
+The names of these headers are then included in the `vary` HTTP response header
+and [Access-Control-Allow-Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers)
+of the [CORS](protocol.md#cors).
+
+[Multiple header fields](https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2) are embedded
+as a comma-separated list.
+
+### Fallbacks
+
+If the embedding function is an array, the first non-empty resolved value is used.
+
+```yaml
+vary:embed:
+  ip: # fallbacks
+    - :CloudFront-Viewer-Address
+    - :CF-Connecting-IP
+    - :X-Appengine-User-IP
+```

package/features/cors.feature

@@ -0,0 +1,39 @@
+Feature: CORS Support
+
+  Scenario: Using CORS
+    Given the annotation:
+      """yaml
+      /:
+        anonymous: true
+        /foo:
+          GET:
+            dev:stub: Hello
+      """
+    When the following request is received:
+      """
+      OPTIONS / HTTP/1.1
+      origin: https://hello.world
+      """
+    Then the following reply is sent:
+      """
+      204 No Content
+      access-control-allow-origin: https://hello.world
+      access-control-allow-methods: GET, POST, PUT, PATCH, DELETE
+      access-control-allow-headers: accept, authorization, content-type
+      access-control-allow-credentials: true
+      access-control-max-age: 3600
+      cache-control: public, max-age=3600
+      vary: origin
+      """
+    When the following request is received:
+      """
+      GET /foo/ HTTP/1.1
+      origin: https://hello.world
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      access-control-allow-origin: https://hello.world
+      access-control-expose-headers: authorization, content-type, content-length, etag
+      vary: origin
+      """

package/features/identity.feature

@@ -17,7 +17,7 @@ Feature: Identity resource
     Then the following reply is sent:
       """
       200 OK
-      authorization: Token ${{ token }}
+      authorization: Token ${{ User.token }}
 
       id: efe3a65ebbee47ed95a73edd911ea328
       roles:
@@ -27,14 +27,30 @@ Feature: Identity resource
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
-      authorization: Token ${{ token }}
+      authorization: Token ${{ User.token }}
       accept: application/yaml
       """
     Then the following reply is sent:
       """
       200 OK
 
-      id: efe3a65ebbee47ed95a73edd911ea328
+      id: ${{ User.id }}
+      roles:
+        - developer
+        - system:identity
+      """
+    # checking that it returns the same id for given token
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Token ${{ User.token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ User.id }}
       roles:
         - developer
         - system:identity

package/features/identity.federation.feature

@@ -0,0 +1,125 @@
+Feature: Identity Federation
+
+  Background:
+    Given the `identity.federation` database is empty
+    Given local IDP is running
+
+
+  Scenario: Getting identity for a new user
+    Given the `identity.federation` configuration:
+      """yaml
+      explicit_identity_creation: false
+      trust:
+        - issuer: http://localhost:44444
+      """
+    And the IDP token for User is issued
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ User.token }}
+
+      id: ${{ User.id }}
+      roles: []
+      scheme: bearer
+      """
+    # validate token
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      accept: application/yaml
+      authorization: Token ${{ User.token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ User.id }}
+      """
+    # ensuring identity idemptotency
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ User.id }}
+      """
+
+  Scenario: Creating an Identity using inception with existing credentials
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - issuer: http://localhost:44444
+      """
+    Given the `users` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          anonymous: true
+          POST:
+            incept: id
+            endpoint: transit
+      """
+    And the IDP token for Bill is issued
+    When the following request is received:
+      # identity inception
+      """
+      POST /users/ HTTP/1.1
+      authorization: Bearer ${{ Bill.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      authorization: Token ${{ Bill.token }}
+
+      id: ${{ Bill.id }}
+      """
+    # check that both tokens corresponds to the same id
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Token ${{ Bill.token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ Bill.id }}
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ Bill.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ Bill.id }}
+      """
+    And the following request is received:
+      # same credentials
+      """
+      POST /users/ HTTP/1.1
+      authorization: Bearer ${{ Bill.id_token }}
+      content-type: text/plain
+
+      name: Mary Louis
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """

package/features/octets.feature

@@ -248,7 +248,6 @@ Feature: Octets directive family
   Scenario: Accessing an Entry and the original BLOLB
     Given the annotation:
       """yaml
-      debug: true
       /:
         auth:anonymous: true
         octets:context: octets
@@ -286,6 +285,7 @@ Feature: Octets directive family
     When the following request is received:
       """
       GET /10cf16b458f759e0d617f2f3d83599ff HTTP/1.1
+      accept: text/plain
       """
     Then the following reply is sent:
       """

package/features/response.feature

@@ -0,0 +1,65 @@
+Feature: Response
+
+  Scenario: Content negotiation
+    Given the annotation:
+      """yaml
+      /:
+        GET:
+          anonymous: true
+          dev:stub: hello
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      accept: application/json
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/json
+      vary: accept
+      """
+
+  Scenario: Error as YAML
+    Given the `echo` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          GET: error
+      """
+    When the following request is received:
+      """
+      GET /echo/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+      content-type: application/yaml
+
+      code: CODE
+      message: message
+      """
+
+  Scenario: Error as MessagePack
+    Given the `echo` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          GET: error
+      """
+    When the following request is received:
+      """
+      GET /echo/ HTTP/1.1
+      accept: application/msgpack
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+      content-type: application/msgpack
+      """
+    And response body contains MessagePack-encoded value:
+      """yaml
+      code: CODE
+      message: message
+      """

package/features/steps/Captures.ts

@@ -0,0 +1,5 @@
+import * as http from '@toa.io/http'
+import { binding } from 'cucumber-tsflow'
+
+@binding()
+export class Captures extends http.Captures {}

package/features/steps/Components.ts

@@ -1,3 +1,4 @@
+import * as assert from 'node:assert'
 import { after, binding, given } from 'cucumber-tsflow'
 import * as boot from '@toa.io/boot'
 import { timeout } from '@toa.io/generic'
@@ -30,9 +31,13 @@ export class Components {
   @given('the `{word}` is stopped')
   public async stop (_?: string): Promise<void> {
     await this.composition?.disconnect()
+
+    this.composition = null
   }
 
   private async runComponent (name: string, manifest?: object): Promise<void> {
+    assert.ok(this.composition === null, 'Composition is already running')
+
     const path = await this.workspace.addComponent(name, manifest)
 
     this.composition = await boot.composition([path])

package/features/steps/Gateway.ts

@@ -18,8 +18,7 @@ export class Gateway {
     const annotation = parse(yaml)
 
     if ('/' in annotation) {
-      const node = { '/': annotation['/'] }
-      const tree = syntax.parse(node, shortcuts)
+      const tree = syntax.parse(annotation['/'], shortcuts)
 
       process.env.TOA_EXPOSITION = encode(tree)
     }