@toa.io/extensions.exposition 0.24.0-alpha.9 → 1.0.0-alpha.2

package/documentation/vary.md

@@ -0,0 +1,69 @@
+# HTTP request details
+
+The `vary` directives family provides the capability to include HTTP request details as input for an
+operation call.
+
+## TL;DR
+
+```yaml
+exposition:
+  realms:
+    toa: the.toa.io
+  /:
+    vary:languages: [en, fr]
+    GET:
+      vary:embed:
+        lang: language # predefined embeddings
+        realm: realm
+        token: :x-access-token # raw header value
+      endpoint: dummies.get
+```
+
+## Embeddings
+
+Request parts are embedded into the operation call according to the mapping
+defined by the `vary:embed` directive.
+The keys in the embedding map are the names of the input properties details to be embedded to,
+and the values are the names of the embedding functions.
+If the value is an array, the first non-empty embedding function's result is used.
+
+> If a property is already present in the input, the embedded value will overwrite its current
+> value.
+
+### Realm
+
+Realm is an identifier of a domain used to access the Exposition.
+The list of domains is defined by the `vary:realms` directive,
+which is a map of realm names to their domain names.
+
+The `realm` embedding substitutes the realm identified based on the `host` request header.
+
+### Language
+
+The `language` embedding substitutes the most matching language code based on the `accept-language`
+request header and a list of supported languages defined by the `vary:languages` directive, and also
+adds `accept-language` to the `vary` HTTP response header value.
+If neither of the supported languages matches, the first supported language is used.
+
+### Raw header values
+
+Keys in the embedding map starting with a semicolon (:) are the names of HTTP request headers whose
+values to be embedded into an operation call.
+The names of these headers are then included in the `vary` HTTP response header
+and [Access-Control-Allow-Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers)
+of the [CORS](protocol.md#cors).
+
+[Multiple header fields](https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2) are embedded
+as a comma-separated list.
+
+### Fallbacks
+
+If the embedding function is an array, the first non-empty resolved value is used.
+
+```yaml
+vary:embed:
+  ip: # fallbacks
+    - :CloudFront-Viewer-Address
+    - :CF-Connecting-IP
+    - :X-Appengine-User-IP
+```

package/features/cors.feature

@@ -0,0 +1,72 @@
+Feature: CORS Support
+
+  Scenario: Using CORS
+    Given the annotation:
+      """yaml
+      /:
+        anonymous: true
+        /foo:
+          GET:
+            dev:stub: Hello
+      """
+    When the following request is received:
+      """
+      OPTIONS / HTTP/1.1
+      origin: https://hello.world
+      """
+    Then the following reply is sent:
+      """
+      204 No Content
+      access-control-allow-origin: https://hello.world
+      access-control-allow-methods: GET, POST, PUT, PATCH, DELETE
+      access-control-allow-headers: accept, authorization, content-type
+      access-control-allow-credentials: true
+      access-control-max-age: 3600
+      cache-control: public, max-age=3600
+      vary: origin
+      """
+    When the following request is received:
+      """
+      GET /foo/ HTTP/1.1
+      origin: https://hello.world
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      access-control-allow-origin: https://hello.world
+      access-control-expose-headers: authorization, content-type, content-length, etag
+      vary: origin
+      """
+
+  Scenario: Errors contain CORS headers
+    Given the annotation:
+      """yaml
+      /:
+        /foo:
+          GET:
+            dev:stub: Hello
+      """
+    When the following request is received:
+      """
+      GET /bar/ HTTP/1.1
+      origin: https://hello.world
+      """
+    Then the following reply is sent:
+      """
+      404 Not Found
+      access-control-allow-origin: https://hello.world
+      access-control-expose-headers: authorization, content-type, content-length, etag
+      vary: origin
+      """
+    When the following request is received:
+      """
+      GET /foo/ HTTP/1.1
+      origin: https://hello.world
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      access-control-allow-origin: https://hello.world
+      access-control-expose-headers: authorization, content-type, content-length, etag
+      vary: origin
+      """

package/features/identity.feature

@@ -17,7 +17,7 @@ Feature: Identity resource
     Then the following reply is sent:
       """
       200 OK
-      authorization: Token ${{ token }}
+      authorization: Token ${{ User.token }}
 
       id: efe3a65ebbee47ed95a73edd911ea328
       roles:
@@ -27,14 +27,30 @@ Feature: Identity resource
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
-      authorization: Token ${{ token }}
+      authorization: Token ${{ User.token }}
       accept: application/yaml
       """
     Then the following reply is sent:
       """
       200 OK
 
-      id: efe3a65ebbee47ed95a73edd911ea328
+      id: ${{ User.id }}
+      roles:
+        - developer
+        - system:identity
+      """
+    # checking that it returns the same id for given token
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Token ${{ User.token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ User.id }}
       roles:
         - developer
         - system:identity

package/features/identity.federation.feature

@@ -0,0 +1,125 @@
+Feature: Identity Federation
+
+  Background:
+    Given the `identity.federation` database is empty
+    Given local IDP is running
+
+
+  Scenario: Getting identity for a new user
+    Given the `identity.federation` configuration:
+      """yaml
+      explicit_identity_creation: false
+      trust:
+        - issuer: http://localhost:44444
+      """
+    And the IDP token for User is issued
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ User.token }}
+
+      id: ${{ User.id }}
+      roles: []
+      scheme: bearer
+      """
+    # validate token
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      accept: application/yaml
+      authorization: Token ${{ User.token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ User.id }}
+      """
+    # ensuring identity idemptotency
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ User.id }}
+      """
+
+  Scenario: Creating an Identity using inception with existing credentials
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - issuer: http://localhost:44444
+      """
+    Given the `users` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          anonymous: true
+          POST:
+            incept: id
+            endpoint: transit
+      """
+    And the IDP token for Bill is issued
+    When the following request is received:
+      # identity inception
+      """
+      POST /users/ HTTP/1.1
+      authorization: Bearer ${{ Bill.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      authorization: Token ${{ Bill.token }}
+
+      id: ${{ Bill.id }}
+      """
+    # check that both tokens corresponds to the same id
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Token ${{ Bill.token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ Bill.id }}
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ Bill.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ Bill.id }}
+      """
+    And the following request is received:
+      # same credentials
+      """
+      POST /users/ HTTP/1.1
+      authorization: Bearer ${{ Bill.id_token }}
+      content-type: text/plain
+
+      name: Mary Louis
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """

package/features/octets.entries.feature

@@ -0,0 +1,121 @@
+Feature: Accessing entires
+
+  Scenario: Entries are not accessible by default
+    Given the annotation:
+      """yaml
+      /:
+        auth:anonymous: true
+        octets:context: octets
+        POST:
+          octets:store: ~
+        GET:
+          octets:list: ~
+        /*:
+          GET:
+            octets:fetch: ~
+      """
+    When the stream of `lenna.ascii` is received with the following headers:
+      """
+      POST / HTTP/1.1
+      content-type: application/octet-stream
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      accept: application/vnd.toa.octets.entries+yaml
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+
+      Metadata is not accessible.
+      """
+    When the following request is received:
+      """
+      GET /10cf16b458f759e0d617f2f3d83599ff HTTP/1.1
+      accept: text/vnd.toa.octets.entry+plain
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+
+      Metadata is not accessible.
+      """
+
+  Scenario: Accessing entries
+    Given the annotation:
+      """yaml
+      /:
+        auth:anonymous: true
+        octets:context: octets
+        POST:
+          octets:store: ~
+        GET:
+          octets:list:
+            meta: true
+        /*:
+          GET:
+            octets:fetch:
+              meta: true
+      """
+    When the stream of `lenna.ascii` is received with the following headers:
+      """
+      POST / HTTP/1.1
+      accept: application/yaml
+      content-type: application/octet-stream
+      """
+    And the stream of `lenna.png` is received with the following headers:
+      """
+      POST / HTTP/1.1
+      accept: application/yaml
+      content-type: application/octet-stream
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      - 10cf16b458f759e0d617f2f3d83599ff
+      - 814a0034f5549e957ee61360d87457e5
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      accept: application/vnd.toa.octets.entries+yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      - id: 10cf16b458f759e0d617f2f3d83599ff
+        size: 8169
+        type: application/octet-stream
+      - id: 814a0034f5549e957ee61360d87457e5
+        size: 473831
+        type: image/png
+      """
+    When the following request is received:
+      """
+      GET /10cf16b458f759e0d617f2f3d83599ff HTTP/1.1
+      accept: application/vnd.toa.octets.entry+yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+      content-length: 124
+
+      id: 10cf16b458f759e0d617f2f3d83599ff
+      type: application/octet-stream
+      size: 8169
+      """

package/features/octets.feature

@@ -70,17 +70,6 @@ Feature: Octets directive family
       """
       304 Not Modified
       """
-    When the following request is received:
-      """
-      GET /10cf16b458f759e0d617f2f3d83599ff:meta HTTP/1.1
-      accept: text/plain
-      """
-    Then the following reply is sent:
-      """
-      403 Forbidden
-
-      Metadata is not accessible.
-      """
     When the following request is received:
       """
       GET / HTTP/1.1
@@ -245,10 +234,9 @@ Feature: Octets directive family
       Trailing slash is redundant.
       """
 
-  Scenario: Accessing an Entry and the original BLOLB
+  Scenario: Original BLOLB is not accessible
     Given the annotation:
       """yaml
-      debug: true
       /:
         auth:anonymous: true
         octets:context: octets
@@ -268,24 +256,10 @@ Feature: Octets directive family
       """
       201 Created
       """
-    When the following request is received:
-      """
-      GET /10cf16b458f759e0d617f2f3d83599ff:meta HTTP/1.1
-      accept: application/yaml
-      """
-    Then the following reply is sent:
-      """
-      200 OK
-      content-type: application/yaml
-      content-length: 124
-
-      id: 10cf16b458f759e0d617f2f3d83599ff
-      type: application/octet-stream
-      size: 8169
-      """
     When the following request is received:
       """
       GET /10cf16b458f759e0d617f2f3d83599ff HTTP/1.1
+      accept: text/plain
       """
     Then the following reply is sent:
       """

package/features/octets.meta.feature

@@ -0,0 +1,65 @@
+Feature: Octets `content-meta` header
+
+  Scenario: Sending `content-meta` header
+    Given the `octets.tester` is running
+    And the annotation:
+      """yaml
+      /:
+        auth:anonymous: true
+        octets:context: octets
+        /*:
+          POST:
+            octets:store: ~
+          /*:
+            GET:
+              octets:fetch:
+                meta: true
+      """
+    When the stream of `lenna.ascii` is received with the following headers:
+      """
+      POST /meta-header/ HTTP/1.1
+      content-type: application/octet-stream
+      content-meta: foo, bar=baz=1
+      content-meta: baz=1
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    When the following request is received:
+      """
+      GET /meta-header/10cf16b458f759e0d617f2f3d83599ff HTTP/1.1
+      accept: application/vnd.toa.octets.entry+yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: 10cf16b458f759e0d617f2f3d83599ff
+      type: application/octet-stream
+      size: 8169
+      meta:
+        foo: 'true'
+        bar: baz=1
+        baz: '1'
+      """
+
+  Scenario: CORS allows `content-meta` header
+    Given the annotation:
+      """yaml
+      /:
+        octets:context: octets
+        POST:
+          octets:store: ~
+      """
+    When the following request is received:
+      """
+      OPTIONS / HTTP/1.1
+      origin: http://example.com
+      """
+    Then the following reply is sent:
+      """
+      204 No Content
+      access-control-allow-origin: http://example.com
+      access-control-allow-headers: accept, authorization, content-type, content-meta
+      """