@toa.io/extensions.exposition 1.0.0-alpha.0 → 1.0.0-alpha.100

package/features/identity.federation.feature

@@ -0,0 +1,268 @@
+@security
+Feature: Identity Federation
+
+  Background:
+    Given the `identity.federation` database is empty
+    And local IDP is running
+
+  Scenario: Asymmetric tokens
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      implicit: true
+      """
+    And the IDP token for User is issued
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ User.token }}
+
+      id: ${{ User.id }}
+      roles: []
+      """
+    # validate TOKEN
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      accept: application/yaml
+      authorization: Token ${{ User.token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ User.id }}
+      """
+    # ensuring identity idempotency
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ User.id }}
+      """
+
+  Scenario: Symmetric tokens
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+          secrets:
+            HS384:
+              k1: the-secret
+      implicit: true
+      """
+    And the IDP HS384 token for GoodUser is issued with following secret:
+      """
+      the-secret
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ GoodUser.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ GoodUser.token }}
+
+      id: ${{ GoodUser.id }}
+      """
+
+  Scenario: Creating an Identity using inception
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      """
+    Given the `users` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          anonymous: true
+          POST:
+            io:output: [id]
+            auth:incept: id
+            endpoint: create
+      """
+    And the IDP token for Bill is issued
+    When the following request is received:
+      # identity inception
+      """
+      POST /users/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ Bill.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      authorization: Token ${{ Bill.token }}
+
+      id: ${{ Bill.id }}
+      """
+    # check that both tokens corresponds to the same id
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ Bill.token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      id: ${{ Bill.id }}
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ Bill.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ Bill.id }}
+      """
+    And the following request is received:
+      # same credentials
+      """
+      POST /users/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ Bill.id_token }}
+      content-type: application/yaml
+
+      name: Mary Louis
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario: Granting a `system` role to a Principal
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      principal:
+        iss: http://localhost:44444
+        sub: root
+      implicit: true
+      """
+    And the IDP token for root is issued
+
+    # create an identity
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ root.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ root.token }}
+
+      id: ${{ root.id }}
+      """
+
+    Then after 0.1 seconds
+
+    # check the role
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      accept: application/yaml
+      authorization: Token ${{ root.token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ root.id }}
+      roles:
+        - system
+      """
+
+  Scenario: Adding federation to an existing identity
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      """
+    And the `identity.basic` database is empty
+
+    # create an identity
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: #{{ id | set Bob.username }}
+      password: #{{ password 8 | set Bob.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ Bob.id }}
+      """
+
+    When the IDP token for Bob is issued
+
+    # add federation
+    When the following request is received:
+      """
+      POST /identity/federation/${{ Bob.id }}/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic #{{ basic Bob }}
+      content-type: application/yaml
+      accept: application/yaml
+
+      credentials: ${{ Bob.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    And the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ Bob.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ Bob.id }}
+      """

package/features/identity.roles.feature

@@ -1,17 +1,21 @@
+@security
 Feature: Roles management
 
-  Scenario: Adding a role to an Identity
+  Scenario: Granting a role to an Identity
+    # root:secret
+    # user:pass
     Given the `identity.basic` database contains:
-      | _id                              | username | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
-      | 4344518184ad44228baffce7a44fd0b1 | user     | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+      | _id                              | authority | username | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | user     | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role                  |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles |
     And the annotation:
       """yaml
       /:
-        auth:role: test
+        io:output: true
+        auth:role: foo:bar
         GET:
           dev:stub:
             access: granted!
@@ -20,6 +24,7 @@ Feature: Roles management
       # user doesn't have the required role
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNz
       """
     Then the following reply is sent:
@@ -30,22 +35,261 @@ Feature: Roles management
       # root adds a role to a user
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic cm9vdDpzZWNyZXQ=
+      accept: application/yaml
       content-type: application/yaml
 
-      role: test
+      role: foo:bar
       """
     Then the following reply is sent:
       """
       201 Created
+
+      grantor: 72cf9b0ab0ac4ab2b8036e4e940ddcae
+      """
+    When the following request is received:
+      # root adds a role to a user
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic cm9vdDpzZWNyZXQ=
+      accept: application/yaml
+      content-type: application/yaml
+
+      role: foo:baz
       """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+
+    # user now have the role
     When the following request is received:
-      # user now have the role
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNz
       """
     Then the following reply is sent:
       """
       200 OK
+      authorization: Token ${{ token }}
+      """
+    # repeat with token
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+  Scenario Outline: Delegating roles
+    # moderator:secret
+    # assistant:pass
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                             |
+      | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles:delegation |
+      | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:moderation                   |
+    And the annotation:
+      """yaml
+      /:
+        io:output: true
+        auth:role: app:moderation:photos
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      # assistant doesn't have the required role
+      """
+      GET / HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic YXNzaXN0YW50OnBhc3M=
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+    When the following request is received:
+      # moderator delegates a role to an assistant
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      content-type: application/yaml
+
+      role: <role>
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    When the following request is received:
+      # assistant has access
+      """
+      GET / HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic YXNzaXN0YW50OnBhc3M=
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    Examples:
+      | role                  |
+      | app:moderation        |
+      | app:moderation:photos |
+
+  Scenario: Delegating role out of own scope
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                             |
+      | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles:delegation |
+      | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:moderation                   |
+    And the annotation:
+      """yaml
+      /:
+        io:output: true
+        auth:role: app:moderation:photos
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
+      accept: application/yaml
+      content-type: application/yaml
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+
+      role: app:finance
+      """
+    Then the following reply is sent:
+      """
+      422 Unprocessable Entity
+
+      code: OUT_OF_SCOPE
+      """
+
+  Scenario: Delegating role without `system:identity:roles:delegation` role
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role           |
+      | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:moderation |
+    And the annotation:
+      """yaml
+      /:
+        io:output: true
+        auth:role: app:moderation:photos
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
+      content-type: application/yaml
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+
+      role: app:moderation
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario Outline: Invalid role name
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                  |
+      | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles |
+    When the following request is received:
+      # root adds a role to a user
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic cm9vdDpzZWNyZXQ=
+      content-type: application/yaml
+
+      role: <role>
+      """
+    Then the following reply is sent:
+      """
+      400 Bad Request
+      """
+    Examples:
+      | role          |
+      | app!          |
+      | app:          |
+      | app:no spaces |
+
+  Scenario: Dynamic roles
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                    |
+      | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:29e54ae1:moderation |
+    And the annotation:
+      """yaml
+      /:
+        /broken:
+          auth:role: app:{org}:moderation
+          GET:
+            dev:stub: never
+        /:org:
+          io:output: true
+          auth:role: app:{org}:moderation
+          GET:
+            dev:stub:
+              access: granted!
+      """
+    When the following request is received:
+      """
+      GET /29e54ae1/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /88584c9b/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+    When the following request is received:
+      """
+      GET /broken/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      500 Internal Server Error
       """

package/features/identity.tokens.feature

@@ -1,12 +1,14 @@
+@security
 Feature: Tokens lifecycle
 
   Scenario: Switching to Token authentication scheme
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     Given the annotation:
       """yaml
       /:
+        io:output: true
         /hello/:id:
           auth:id: id
           GET:
@@ -15,6 +17,7 @@ Feature: Tokens lifecycle
     When the following request is received:
       """
       GET /hello/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: text/plain
       """
@@ -35,6 +38,7 @@ Feature: Tokens lifecycle
     And the annotation:
       """yaml
       /:
+        io:output: true
         /hello/:id:
           auth:id: id
           GET:
@@ -43,6 +47,7 @@ Feature: Tokens lifecycle
     When the following request is received:
       """
       GET /hello/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: text/plain
       """
@@ -57,6 +62,7 @@ Feature: Tokens lifecycle
     When the following request is received:
       """
       GET /hello/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       accept: text/plain
       """
@@ -72,6 +78,7 @@ Feature: Tokens lifecycle
     Given the annotation:
       """yaml
       /:
+        io:output: true
         /:id:
           id: id
           GET:
@@ -83,11 +90,12 @@ Feature: Tokens lifecycle
       refresh: 0.1
       """
     And the `identity.basic` database contains:
-      | _id                              | _version | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | _version | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -98,6 +106,7 @@ Feature: Tokens lifecycle
     When the following request is received:
       """
       PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       content-type: application/yaml
 
@@ -111,9 +120,53 @@ Feature: Tokens lifecycle
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       """
     Then the following reply is sent:
       """
       401 Unauthorized
       """
+
+  Scenario: Issuing own token
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    When the following request is received:
+      """
+      POST /identity/tokens/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      content-type: application/yaml
+
+      lifetime: 0
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    # Token scheme must be used
+    When the following request is received:
+      """
+      POST /identity/tokens/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      lifetime: 60
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """