@toa.io/extensions.exposition 0.8.3-dev.9 → 0.20.0-alpha.0

package/features/errors.feature

@@ -0,0 +1,208 @@
+Feature: Errors
+
+  Scenario Outline: Missing routes
+    Given the `greeter` is running with the following manifest:
+      """yaml
+      namespace: basic
+      """
+    When the following request is received:
+      """
+      GET <path> HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      404 Not Found
+      """
+    Examples:
+      | path                                 |
+      | /basic/greeter/non-existent-segment/ |
+      | /basic/non-existent-component/       |
+      | /non-existent-namespace/             |
+
+  Scenario: Missing trailing slash
+    Given the `greeter` is running with the following manifest:
+      """yaml
+      namespace: basic
+      """
+    When the following request is received:
+      """
+      GET /basic/greeter HTTP/1.1
+      accept: application/json
+      """
+    Then the following reply is sent:
+      """
+      404 Not Found
+      content-type: application/json
+
+      "Trailing slash is required."
+      """
+
+  Scenario: Missing method
+    Given the `greeter` is running
+    When the following request is received:
+      """
+      PATCH /greeter/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """http
+      405 Method Not Allowed
+      """
+
+  Scenario: Unsupported method
+    When the following request is received:
+      """
+      COPY /basic/greeter/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """http
+      501 Not Implemented
+      """
+
+  Scenario: Request body does not match input schema
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          POST: transit
+      """
+    When the following request is received:
+      """
+      POST /pots/ HTTP/1.1
+      accept: application/yaml
+      content-type: application/yaml
+
+      foo: Hello
+      bar: 1.5
+      """
+    Then the following reply is sent:
+      """
+      400 Bad Request
+      content-type: application/yaml
+
+      must have required property 'title'
+      """
+
+  Scenario: Query limit out of range
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          GET: enumerate
+      """
+    When the following request is received:
+      """
+      GET /pots/?limit=1001 HTTP/1.1
+      accept: text/plain
+      """
+    Then the following reply is sent:
+      """
+      400 Bad Request
+      content-type: text/plain
+
+      Query limit must be between 1 and 1000 inclusive.
+      """
+
+  Scenario: Closed query criteria
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /hot:
+          GET:
+            endpoint: enumerate
+            query:
+              criteria: temerature>60
+      """
+    When the following request is received:
+      """
+      GET /pots/hot/?criteria=volume>500 HTTP/1.1
+      accept: text/plain
+      """
+    Then the following reply is sent:
+      """
+      400 Bad Request
+      content-type: text/plain
+
+      Query criteria is closed.
+      """
+
+  Scenario: Additional query parameters
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          GET:
+            endpoint: enumerate
+      """
+    When the following request is received:
+      """
+      GET /pots/?foo=bar HTTP/1.1
+      accept: text/plain
+      """
+    Then the following reply is sent:
+      """
+      400 Bad Request
+      content-type: text/plain
+
+      Query must NOT have additional properties
+      """
+
+  Scenario: Malformed authorization header
+    Given the annotation:
+      """yaml
+      /:
+        GET: {}
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      authorization: Basic
+      accept: text/plain
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+
+      Malformed authorization header.
+      """
+
+  Scenario: Creating an Identity using inception with existing credentials
+    Given the `identity.basic` database is empty
+    And the `users` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          anonymous: true
+          POST:
+            incept: id
+            endpoint: transit
+      """
+    When the following request is received:
+      # identity inception
+      """
+      POST /users/ HTTP/1.1
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    And the following request is received:
+      # same credentials
+      """
+      POST /users/ HTTP/1.1
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      content-type: text/plain
+
+      name: Mary Louis
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """

package/features/identity.basic.feature

@@ -0,0 +1,235 @@
+Feature: Basic authentication
+
+  Background:
+    Given the `identity.basic` database is empty
+
+  Scenario: Creating new Identity with basic credentials
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      content-type: application/yaml
+
+      username: developer
+      password: secret#1234
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+
+  Scenario: Creating new Identity using inception
+    Given the `users` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          anonymous: true     # checking compatibility with anonymous access
+          POST:
+            incept: id
+            endpoint: transit
+        /:id:                 # credential testing route
+          id: id
+          GET: observe
+      """
+    When the following request is received:
+      """
+      POST /users/ HTTP/1.1
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      authorization: Token ${{ token }}
+
+      id: ${{ id }}
+      """
+    When the following request is received:
+      # basic credentials have been created
+      """
+      GET /users/${{ id }}/ HTTP/1.1
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      # valid token has been issued
+      """
+      GET /users/${{ id }}/ HTTP/1.1
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+  Scenario: Changing the password
+    Given the annotation:
+      """
+      /:id:
+        id: id
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    And the `identity.basic` database contains:
+      | _id                              | _version | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    When the following request is received:
+      """
+      PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      password: new-secret
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      # old password
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      # new password
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOm5ldy1zZWNyZXQ=
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+  Scenario Outline: <problem> not meeting the requirements
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      accept: application/yaml
+      content-type: application/yaml
+
+      username: <username>
+      password: <password>
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+
+      code: <code>
+      message: <problem> is not meeting the requirements.
+      """
+    Examples:
+      | username        | password    | problem  | code             |
+      | with whitespace | secret#1234 | Username | INVALID_USERNAME |
+      | root            | short       | Password | INVALID_PASSWORD |
+
+  Scenario Outline: Given <property> is not meeting one of requirements
+    Given the `identity.basic` configuration:
+      """yaml
+      <property>:
+        - ^\S{1,16}$
+        - ^[^A]{1,16}$  # should not contain 'A'
+      """
+    And the `identity.basic` database contains:
+      | _id                              | _version | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    When the following request is received:
+      """
+      PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      <property>: hasAinside
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+      """
+    Examples:
+      | property |
+      | username |
+      | password |
+
+  Scenario: Granting a `system` role to a Principal
+    Given the `identity.basic` configuration:
+      """yaml
+      principal: root
+      """
+    And the annotation:
+      """yaml
+      /:
+        GET:
+          auth:role: system:stub
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      content-type: application/yaml
+
+      username: root
+      password: secret#1234
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ id }}
+      """
+    # role granting is eventual
+    Then after 0.1 seconds
+    When the following request is received:
+      """
+      GET /identity/roles/${{ id }}/ HTTP/1.1
+      authorization: Basic cm9vdDpzZWNyZXQjMTIzNA==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+
+      - system
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      authorization: Token ${{ token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      access: granted!
+      """
+    # Principal username cannot be changed
+    When the following request is received:
+      """
+      PATCH /identity/basic/${{ id }}/ HTTP/1.1
+      authorization: Token ${{ token }}
+      content-type: application/yaml
+
+      username: admin
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+
+      code: PRINCIPAL_LOCKED
+      message: Principal username cannot be changed.
+      """

package/features/identity.feature

@@ -0,0 +1,61 @@
+Feature: Identity resource
+
+  Scenario: Requesting own Identity
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role            |
+      | 9c4702490ff84f2a9e1b1da2ab64bdd4 | efe3a65ebbee47ed95a73edd911ea328 | developer       |
+      | 88ec8e348a5c48aaa2d25faa904cd9ff | efe3a65ebbee47ed95a73edd911ea328 | system:identity |
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+
+      id: efe3a65ebbee47ed95a73edd911ea328
+      roles:
+        - developer
+        - system:identity
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Token ${{ token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: efe3a65ebbee47ed95a73edd911ea328
+      roles:
+        - developer
+        - system:identity
+      """
+
+  Scenario: Requesting Identity with non-existent credentials
+    Given the `identity.basic` database is empty
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """

package/features/identity.roles.feature

@@ -0,0 +1,51 @@
+Feature: Roles management
+
+  Scenario: Adding a role to an Identity
+    Given the `identity.basic` database contains:
+      | _id                              | username | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | user     | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                  |
+      | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles |
+    And the annotation:
+      """yaml
+      /:
+        auth:role: test
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      # user doesn't have the required role
+      """
+      GET / HTTP/1.1
+      authorization: Basic dXNlcjpwYXNz
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+    When the following request is received:
+      # root adds a role to a user
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      authorization: Basic cm9vdDpzZWNyZXQ=
+      content-type: application/yaml
+
+      role: test
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    When the following request is received:
+      # user now have the role
+      """
+      GET / HTTP/1.1
+      authorization: Basic dXNlcjpwYXNz
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """

package/features/identity.tokens.feature

@@ -0,0 +1,116 @@
+Feature: Tokens lifecycle
+
+  Scenario: Switching to Token authentication scheme
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    And the `greeter` is running with the following manifest:
+      """yaml
+      exposition:
+        /:id:
+          auth:id: id
+          GET: greet
+      """
+    When the following request is received:
+      """
+      GET /greeter/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: text/plain
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: text/plain
+      authorization: Token ${{ token }}
+
+      Hello
+      """
+
+  Scenario: Refreshing stale token
+    Given the `identity.tokens` configuration:
+      """yaml
+      refresh: 1
+      """
+    And the `greeter` is running with the following manifest:
+      """yaml
+      exposition:
+        /:id:
+          auth:id: id
+          GET: greet
+      """
+    When the following request is received:
+      """
+      GET /greeter/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: text/plain
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+
+      Hello
+      """
+    Then after 1 second
+    When the following request is received:
+      """
+      GET /greeter/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Token ${{ token }}
+      accept: text/plain
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token
+
+      Hello
+      """
+
+  Scenario: Token revocation on password change
+    Given the annotation:
+      """yaml
+      /:id:
+        id: id
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    And the `identity.tokens` configuration:
+      """yaml
+      refresh: 0.1
+      """
+    And the `identity.basic` database contains:
+      | _id                              | _version | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    When the following request is received:
+      """
+      PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      password: new-secret
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    Then after 0.2 seconds
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """