@toa.io/extensions.exposition 0.9.0-canary.2 → 0.20.0-alpha.0

package/features/access.feature

@@ -0,0 +1,442 @@
+Feature: Access authorization
+
+  Background:
+    Given the `identity.basic` database contains:
+      # developer:secret
+      # user:12345
+      | _id                              | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | e8e4f9c2a68d419b861403d71fabc915 | user      | $2b$10$Frszmrmsz9iwSXzBbRRMKeDVKsNxozkrLNSsN.SnVC.KPxLtQr/bK |
+    And the `identity.bans` database is empty
+
+  Scenario: Deny by default
+    Given the annotation:
+      """yaml
+      /:
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+
+  Scenario: Allow anonymous access
+    Given the annotation:
+      """yaml
+      /:
+        auth:anonymous: true
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      access: granted!
+      """
+
+  Scenario: Deny access with credentials to a resource with anonymous access
+    Given the annotation:
+      """yaml
+      /:
+        auth:anonymous: true
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario: Using `auth:id` directive
+    Given the annotation:
+      """yaml
+      /:id:
+        auth:id: id
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      access: granted!
+      """
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario: Using `auth:role` directive
+    Given the `identity.roles` database contains:
+      | _id                              | identity                         | role      |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | developer |
+      | 1d95bd2c764142818f6ece5e084015b5 | efe3a65ebbee47ed95a73edd911ea328 | user      |
+    And the annotation:
+      """yaml
+      /:
+        auth:role: developer
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      # identity with `developer` and `user` roles
+      """
+      GET / HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      access: granted!
+      """
+    When the following request is received:
+      # identity with no roles
+      """
+      GET / HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario: Using `auth:role` directive with scope matching
+    Given the `identity.roles` database contains:
+      | _id                              | identity                         | role           |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | developer:rust |
+    And the annotation:
+      """yaml
+      /:
+        auth:role: developer:rust:junior  # role scope matches
+        /nested:
+          GET:
+            dev:stub: good!
+      /javascript:
+        auth:role: developer:javascript   # role scope does not match
+        GET:
+          dev:stub: no good!
+      """
+    When the following request is received:
+      """
+      GET /nested/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: text/plain
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: text/plain
+
+      good!
+      """
+    When the following request is received:
+      """
+      GET /javascript/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario: Allow by `auth:role` matching one of the roles
+    Given the `identity.roles` database contains:
+      | _id                              | identity                         | role      |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | developer |
+    And the annotation:
+      """yaml
+      /:
+        role:
+          - developer
+          - admin
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      # identity with `developer` and `user` roles
+      """
+      GET / HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      access: granted!
+      """
+
+  Scenario: Using `auth:rule` directive
+    Given the `identity.roles` database contains:
+      | _id                              | identity                         | role           |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | developer:rust |
+    And the annotation:
+      """yaml
+      /rust/:id:
+        auth:rule:
+          id: id
+          role: developer:rust
+        GET:
+          dev:stub:
+            access: granted!
+      /javascript/:id:
+        rule:
+          id: id
+          role: developer:javascript
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      GET /rust/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      access: granted!
+      """
+    When the following request is received:
+      """
+      GET /javascript/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario: Token authentication scheme
+    Given the annotation:
+      """yaml
+      /:id:
+        auth:id: id
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Token v3.local.9oEtVJkfRw4cOJ8M4DxuVuAN29dGT26XMYyPAoXtwrkdkiJVSVj46sMNAOdlxwKGszJZV_ReOL26dxDVlsQ7QAIuRhRPlvsHYNOhcD-LApoAXV0S3IK16EMoEv7tE9z70FCLC3WoIW9RIQ8PR3uZhAdhSgBilsVOpWrk4XtnfCIlVwhYMKu79a66oZZhV2Q7Kl3nfYsf84-6rAL_1H0MsqCDUHVXuIg
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      access: granted!
+      """
+    And the reply does not contain:
+      """
+      authorization: Token
+      """
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Token v3.local.cjlxn4IJ9hI92KuksguzDx7_kYxgDFFGFnfNchf0cWnmos34dqX2XpTAUBd-LqgqfuH-lVGfNvjBUkw5JtHRBiIAVaPHF3Ncc0eafwgH2DPme9pndZL92fWryGnJ-sMHA28Q6UcXsIfhgd2JZ0n-585SBhwlosC3gKTcVHK7XNljeaTen4jZPw8uY-pdbsm6dDq3aKMzl8K78_BTTfiNPG2cI_aNuHw
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario: Using token with roles
+    Given the annotation:
+      """yaml
+      /:
+        auth:role: developer
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role      |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | developer |
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+      authorization: Token ${{ token }}
+
+      access: granted!
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      authorization: Token ${{ token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      access: granted!
+      """
+
+  Scenario: Using `auth:scheme` directive
+    Given the annotation:
+      """yaml
+      /:id:
+        auth:scheme: basic
+        auth:id: id
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      access: granted!
+      """
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Token v3.local.9oEtVJkfRw4cOJ8M4DxuVuAN29dGT26XMYyPAoXtwrkdkiJVSVj46sMNAOdlxwKGszJZV_ReOL26dxDVlsQ7QAIuRhRPlvsHYNOhcD-LApoAXV0S3IK16EMoEv7tE9z70FCLC3WoIW9RIQ8PR3uZhAdhSgBilsVOpWrk4XtnfCIlVwhYMKu79a66oZZhV2Q7Kl3nfYsf84-6rAL_1H0MsqCDUHVXuIg
+      accept: text/plain
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+
+      Basic authentication scheme is required to access this resource.
+      """
+
+  Scenario: Adding a role without required permissions
+
+  Trunk directives should not be applied to the Identity management resources.
+
+    Given the annotation:
+      """yaml
+      anonymous: true
+      """
+    When the following request is received:
+      """
+      POST /identity/roles/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      content-type: application/yaml
+
+      role: developer
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+
+  Scenario: Banning an Identity
+    Given the `identity.roles` database contains:
+      | _id                              | identity                         | role   |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | system |
+    And the annotation:
+      """yaml
+      /:id:
+        auth:id: id
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    And the `identity.tokens` configuration:
+      """yaml
+      refresh: 1
+      """
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    When the following request is received:
+      """
+      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      banned: true
+      """
+    Then the following reply is sent:
+      """
+      204 No Content
+      """
+    # accessing a resource with a banned Identity
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    Then after 1 second
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """

package/features/annotation.feature

@@ -0,0 +1,28 @@
+Feature: Annotation
+
+  Scenario: Simple annotation
+    Given the annotation:
+      """yaml
+      anonymous: true
+      /foo:
+        GET:
+          endpoint: pots.enumerate
+      """
+    And the `pots` is running
+    And the `pots` database contains:
+      | _id                              | title     | volume |
+      | 4c4759e6f9c74da989d64511df42d6f4 | First pot | 100    |
+    When the following request is received:
+      """
+      GET /foo/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      - id: 4c4759e6f9c74da989d64511df42d6f4
+        title: First pot
+        volume: 100
+      """

package/features/body.feature

@@ -0,0 +1,21 @@
+Feature: Request body
+
+  Scenario: Creating an entity
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          POST: transit
+      """
+    When the following request is received:
+      """
+      POST /pots/ HTTP/1.1
+      content-type: application/yaml
+
+      title: Hello
+      volume: 1.5
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """

package/features/directives.feature

@@ -0,0 +1,56 @@
+Feature: Directives
+
+  Scenario: Basic directive
+    Given the annotation:
+      """yaml
+      anonymous: true
+      /:
+        GET:
+          dev:stub:
+            hello: world
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      accept: application/json
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/json
+
+      {"hello":"world"}
+      """
+
+  Scenario: Nested routes
+    Given the annotation:
+      """yaml
+      anonymous: true
+      /:
+        dev:stub:
+          hello: again
+        GET: {}
+        /pots:
+          GET: {}
+      """
+    When the following request is received:
+      """
+      GET /pots/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      hello: again
+      """
+    When the following request is received:
+      """
+      GET /pots/non-existent/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      404 Not Found
+      """

package/features/dynamic.feature

@@ -0,0 +1,89 @@
+Feature: Dynamic tree updates
+
+  Background:
+    Given the `pots` database contains:
+      | _id                              | title     | volume | temperature |
+      | 4c4759e6f9c74da989d64511df42d6f4 | First pot | 100    | 80          |
+
+  Scenario: Updating routes
+    And the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          POST: transit
+      """
+    Then the `pots` is stopped
+    Then the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          GET: enumerate
+      """
+    When the following request is received:
+      """
+      GET /pots/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+  Scenario: Updating routes with conflict
+    And the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:id:
+          GET: observe
+      """
+    Then the `pots` is stopped
+    Then the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:id:
+          GET: observe
+        /big:
+          GET:
+            endpoint: enumerate
+            query:
+              criteria: volume>200
+      """
+    When the following request is received:
+      """
+      GET /pots/big/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+  Scenario: Updating method mapping
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /big:
+          GET:
+            endpoint: enumerate
+            query:
+              criteria: volume>200 # closed
+      """
+    Then the `pots` is stopped
+    Then the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /big:
+          GET:
+            endpoint: enumerate
+            query:
+              criteria: volume>200; # open
+      """
+    When the following request is received:
+      """
+      GET /pots/big/?criteria=temperature>50 HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """