@toa.io/extensions.exposition 1.0.0-alpha.0 → 1.0.0-alpha.100

package/features/identity.bans.feature

@@ -0,0 +1,137 @@
+@security
+Feature: Bans
+
+  Background:
+    Given the `identity.basic` database contains:
+    # developer:secret
+    # user:12345
+      | _id                              | authority | username  | password                                                     | _deleted |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | null     |
+      | e8e4f9c2a68d419b861403d71fabc915 | nex       | user      | $2b$10$Frszmrmsz9iwSXzBbRRMKeDVKsNxozkrLNSsN.SnVC.KPxLtQr/bK | null     |
+    And the `identity.bans` database is empty
+
+  Scenario: Banning an Identity
+    Given the `identity.roles` database contains:
+      | _id                              | identity                         | role                 |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | system:identity:bans |
+    And the annotation:
+      """yaml
+      /:
+        /:id:
+          io:output: true
+          auth:id: id
+          GET:
+            dev:stub:
+              access: granted!
+      """
+    And the `identity.tokens` configuration:
+      """yaml
+      refresh: 1
+      """
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    When the following request is received:
+      """
+      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      banned: true
+      comment: Bye bye
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    # accessing a resource with a banned Identity
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    Then after 1 second
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      banned: false
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      authorization: Token ${{ new_token }}
+      """
+    # re-ban
+    When the following request is received:
+      """
+      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      banned: true
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    Then after 1 second
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ new_token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """

package/features/identity.basic.feature

@@ -1,3 +1,4 @@
+@security
 Feature: Basic authentication
 
   Background:
@@ -7,6 +8,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       content-type: application/yaml
 
       username: developer
@@ -16,24 +18,40 @@ Feature: Basic authentication
       """
       201 Created
       """
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: developer
+      password: secret#1234
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+      """
 
   Scenario: Creating new Identity using inception
     Given the `users` is running with the following manifest:
       """yaml
       exposition:
         /:
-          anonymous: true     # checking compatibility with anonymous access
+          io:output: true
+          anonymous: true       # checking compatibility with anonymous access
           POST:
             incept: id
             endpoint: transit
             query: ~
-        /:id:                 # credential testing route
-          id: id
-          GET: observe
+          /:id:                 # credential testing route
+            id: id
+            GET: observe
       """
     When the following request is received:
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
       accept: application/yaml
       content-type: application/yaml
@@ -51,6 +69,7 @@ Feature: Basic authentication
       # basic credentials have been created
       """
       GET /users/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
       """
     Then the following reply is sent:
@@ -61,6 +80,7 @@ Feature: Basic authentication
       # valid token has been issued
       """
       GET /users/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       """
     Then the following reply is sent:
@@ -68,10 +88,43 @@ Feature: Basic authentication
       200 OK
       """
 
+    # username is taken
+    When the following request is received:
+      """
+      POST /users/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjphbm90aGVycGFzczEyMzQ=
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+      """
+
+    # credentials already exists
+    When the following request is received:
+      """
+      POST /users/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+      """
+
   Scenario: Changing the password
     Given the annotation:
       """yaml
       /:
+        io:output: true
         /:id:
           id: id
           GET:
@@ -79,11 +132,12 @@ Feature: Basic authentication
               access: granted!
       """
     And the `identity.basic` database contains:
-      | _id                              | _version | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | _version | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     When the following request is received:
       """
       PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       content-type: application/yaml
@@ -98,6 +152,7 @@ Feature: Basic authentication
       # old password
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -108,6 +163,7 @@ Feature: Basic authentication
       # new password
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOm5ldy1zZWNyZXQ=
       """
     Then the following reply is sent:
@@ -115,10 +171,31 @@ Feature: Basic authentication
       200 OK
       """
 
+  Scenario: Changing other identity's password
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     | _version |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
+      | 6c0be50cbfb043acafe69cc7d3895f84 | nex       | attacker  | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
+    When the following request is received:
+      """
+      PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic YXR0YWNrZXI6c2VjcmV0
+      accept: application/yaml
+      content-type: application/yaml
+
+      password: new-secret
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
   Scenario Outline: <problem> not meeting the requirements
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       content-type: application/yaml
 
@@ -127,17 +204,17 @@ Feature: Basic authentication
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
 
       code: <code>
-      message: <problem> is not meeting the requirements.
+      message: <problem> is not meeting the requirements
       """
     Examples:
-      | username        | password    | problem  | code             |
-      | with whitespace | secret#1234 | Username | INVALID_USERNAME |
-      | root            | short       | Password | INVALID_PASSWORD |
+      | username                                                                                                                          | password    | problem  | code             |
+      | zYF8G6obtE3c5ARpZjnMwv0L7lX2dQUyJ1KiHS9ag4fThDPVxCsuIWmNeBqkOrzYF8G6obtE3c5ARpZjnMwv0L7lX2dQUyJ1KiHS9ag4fThDPVxCsuIWmNeBqkOris129 | secret#1234 | Username | INVALID_USERNAME |
+      | root                                                                                                                              | short       | Password | INVALID_PASSWORD |
 
-  Scenario Outline: Given <property> is not meeting one of requirements
+  Scenario Outline: <property> is not meeting one of requirements
     Given the `identity.basic` configuration:
       """yaml
       <property>:
@@ -145,11 +222,12 @@ Feature: Basic authentication
         - ^[^A]{1,16}$  # should not contain 'A'
       """
     And the `identity.basic` database contains:
-      | _id                              | _version | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | _version | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     When the following request is received:
       """
       PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       content-type: application/yaml
@@ -158,7 +236,7 @@ Feature: Basic authentication
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
       """
     Examples:
       | property |
@@ -173,6 +251,7 @@ Feature: Basic authentication
     And the annotation:
       """yaml
       /:
+        io:output: true
         GET:
           auth:role: system:stub
           dev:stub:
@@ -181,6 +260,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       content-type: application/yaml
 
@@ -198,6 +278,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       GET /identity/roles/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic cm9vdDpzZWNyZXQjMTIzNA==
       accept: application/yaml
       """
@@ -211,6 +292,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       accept: application/yaml
       """
@@ -224,6 +306,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       PATCH /identity/basic/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       accept: application/yaml
       content-type: application/yaml
@@ -232,27 +315,29 @@ Feature: Basic authentication
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
 
       code: PRINCIPAL_LOCKED
-      message: Principal username cannot be changed.
+      message: Principal username cannot be changed
       """
 
   Scenario: Creating an Identity using inception with existing credentials
-    Given the `identity.basic` database is empty
-    And the `users` is running with the following manifest:
+    Given the `users` is running with the following manifest:
       """yaml
       exposition:
         /:
+          io:output: true
           anonymous: true
           POST:
             incept: id
+            query: false
             endpoint: transit
       """
     When the following request is received:
       # identity inception
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
       accept: application/yaml
       content-type: application/yaml
@@ -267,12 +352,52 @@ Feature: Basic authentication
       # same credentials
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
-      content-type: text/plain
+      content-type: application/yaml
 
       name: Mary Louis
       """
     Then the following reply is sent:
       """
-      403 Forbidden
+      409 Conflict
+      """
+
+  Scenario: Incorrect credentials format
+    Given the `identity.basic` database is empty
+    And the `users` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          io:output: true
+          anonymous: true
+          POST:
+            incept: id
+            endpoint: transit
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic not-base64
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      POST /users/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic not-base64
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      422 Unprocessable Entity
+
+      code: INVALID_CREDENTIALS
       """

package/features/identity.feature

@@ -2,8 +2,8 @@ Feature: Identity resource
 
   Scenario: Requesting own Identity
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role            |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | efe3a65ebbee47ed95a73edd911ea328 | developer       |
@@ -11,13 +11,14 @@ Feature: Identity resource
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
     Then the following reply is sent:
       """
       200 OK
-      authorization: Token ${{ token }}
+      authorization: Token ${{ User.token }}
 
       id: efe3a65ebbee47ed95a73edd911ea328
       roles:
@@ -27,33 +28,60 @@ Feature: Identity resource
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
-      authorization: Token ${{ token }}
+      host: nex.toa.io
+      authorization: Token ${{ User.token }}
       accept: application/yaml
       """
     Then the following reply is sent:
       """
       200 OK
 
-      id: efe3a65ebbee47ed95a73edd911ea328
+      id: ${{ User.id }}
       roles:
         - developer
         - system:identity
       """
+    # checking that it returns the same id for given token
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ User.token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
 
-  Scenario: Requesting Identity with non-existent credentials
-    Given the `identity.basic` database is empty
+      id: ${{ User.id }}
+      roles:
+        - developer
+        - system:identity
+      """
+
+  Scenario: Getting transient Identity
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
-      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      host: nex.toa.io
+      accept: application/yaml
       """
     Then the following reply is sent:
       """
-      401 Unauthorized
+      201 Created
+      authorization: Token ${{ token }}
+
+      id: ${{ id }}
+      roles: []
       """
+
+  Scenario: Requesting Identity with non-existent credentials
+    Given the `identity.basic` database is empty
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
       """
     Then the following reply is sent:
       """