@toa.io/extensions.exposition 1.0.0-alpha.11 → 1.0.0-alpha.111

package/features/identity.roles.feature

@@ -1,12 +1,13 @@
+@security
 Feature: Roles management
 
-  Scenario: Adding a role to an Identity
+  Scenario: Granting a role to an Identity
     # root:secret
     # user:pass
     Given the `identity.basic` database contains:
-      | _id                              | username | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
-      | 4344518184ad44228baffce7a44fd0b1 | user     | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+      | _id                              | authority | username | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | user     | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role                  |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles |
@@ -14,7 +15,7 @@ Feature: Roles management
       """yaml
       /:
         io:output: true
-        auth:role: test
+        auth:role: foo:bar
         GET:
           dev:stub:
             access: granted!
@@ -23,6 +24,7 @@ Feature: Roles management
       # user doesn't have the required role
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNz
       """
     Then the following reply is sent:
@@ -33,21 +35,54 @@ Feature: Roles management
       # root adds a role to a user
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic cm9vdDpzZWNyZXQ=
+      accept: application/yaml
       content-type: application/yaml
 
-      role: test
+      role: foo:bar
       """
     Then the following reply is sent:
       """
       201 Created
+
+      grantor: 72cf9b0ab0ac4ab2b8036e4e940ddcae
       """
     When the following request is received:
-      # user now have the role
+      # root adds a role to a user
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic cm9vdDpzZWNyZXQ=
+      accept: application/yaml
+      content-type: application/yaml
+
+      role: foo:baz
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+
+    # user now have the role
+    When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNz
       """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    # repeat with token
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
     Then the following reply is sent:
       """
       200 OK
@@ -57,9 +92,9 @@ Feature: Roles management
     # moderator:secret
     # assistant:pass
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
-      | 4344518184ad44228baffce7a44fd0b1 | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role                             |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles:delegation |
@@ -77,6 +112,7 @@ Feature: Roles management
       # assistant doesn't have the required role
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic YXNzaXN0YW50OnBhc3M=
       """
     Then the following reply is sent:
@@ -87,6 +123,7 @@ Feature: Roles management
       # moderator delegates a role to an assistant
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
       content-type: application/yaml
 
@@ -100,6 +137,7 @@ Feature: Roles management
       # assistant has access
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic YXNzaXN0YW50OnBhc3M=
       """
     Then the following reply is sent:
@@ -113,9 +151,9 @@ Feature: Roles management
 
   Scenario: Delegating role out of own scope
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
-      | 4344518184ad44228baffce7a44fd0b1 | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role                             |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles:delegation |
@@ -132,6 +170,7 @@ Feature: Roles management
     When the following request is received:
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       content-type: application/yaml
       authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
@@ -140,16 +179,16 @@ Feature: Roles management
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
 
       code: OUT_OF_SCOPE
       """
 
   Scenario: Delegating role without `system:identity:roles:delegation` role
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
-      | 4344518184ad44228baffce7a44fd0b1 | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role           |
       | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:moderation |
@@ -165,6 +204,7 @@ Feature: Roles management
     When the following request is received:
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       content-type: application/yaml
       authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
 
@@ -177,8 +217,8 @@ Feature: Roles management
 
   Scenario Outline: Invalid role name
     Given the `identity.basic` database contains:
-      | _id                              | username | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | _id                              | authority | username | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role                  |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles |
@@ -186,6 +226,7 @@ Feature: Roles management
       # root adds a role to a user
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic cm9vdDpzZWNyZXQ=
       content-type: application/yaml
 
@@ -200,3 +241,55 @@ Feature: Roles management
       | app!          |
       | app:          |
       | app:no spaces |
+
+  Scenario: Dynamic roles
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                    |
+      | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:29e54ae1:moderation |
+    And the annotation:
+      """yaml
+      /:
+        /broken:
+          auth:role: app:{org}:moderation
+          GET:
+            dev:stub: never
+        /:org:
+          io:output: true
+          auth:role: app:{org}:moderation
+          GET:
+            dev:stub:
+              access: granted!
+      """
+    When the following request is received:
+      """
+      GET /29e54ae1/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /88584c9b/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+    When the following request is received:
+      """
+      GET /broken/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      500 Internal Server Error
+      """

package/features/identity.tokens.feature

@@ -1,9 +1,10 @@
+@security
 Feature: Tokens lifecycle
 
   Scenario: Switching to Token authentication scheme
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     Given the annotation:
       """yaml
       /:
@@ -16,6 +17,7 @@ Feature: Tokens lifecycle
     When the following request is received:
       """
       GET /hello/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: text/plain
       """
@@ -45,6 +47,7 @@ Feature: Tokens lifecycle
     When the following request is received:
       """
       GET /hello/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: text/plain
       """
@@ -52,6 +55,7 @@ Feature: Tokens lifecycle
       """
       200 OK
       authorization: Token ${{ token }}
+      cache-control: no-store
 
       Hello
       """
@@ -59,6 +63,7 @@ Feature: Tokens lifecycle
     When the following request is received:
       """
       GET /hello/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       accept: text/plain
       """
@@ -66,6 +71,7 @@ Feature: Tokens lifecycle
       """
       200 OK
       authorization: Token
+      cache-control: no-store
 
       Hello
       """
@@ -86,11 +92,12 @@ Feature: Tokens lifecycle
       refresh: 0.1
       """
     And the `identity.basic` database contains:
-      | _id                              | _version | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | _version | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -101,6 +108,7 @@ Feature: Tokens lifecycle
     When the following request is received:
       """
       PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       content-type: application/yaml
 
@@ -114,6 +122,7 @@ Feature: Tokens lifecycle
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       """
     Then the following reply is sent:

package/features/identtiy.tokens.custom.feature

@@ -0,0 +1,247 @@
+@security
+Feature: Custom tokens
+
+  Background:
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role      |
+      | 9c4702490ff84f2a9e1b1da2ab64bdd4 | efe3a65ebbee47ed95a73edd911ea328 | app:notes |
+    And the `identity.keys` database is empty
+    And the annotation:
+      """yaml
+      /:
+        /notes:
+          auth:role: app:notes
+          GET:
+            io:output: true
+            dev:stub:
+              access: granted!
+          POST:
+            io:output: true
+            dev:stub:
+              access: granted!
+          /public:
+            GET:
+              auth:role: app:notes:public
+              io:output: true
+              dev:stub:
+                access: granted!
+      """
+
+  Scenario: Issuing a token
+    When the following request is received:
+      """
+      POST /identity/tokens/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+      accept: application/yaml
+
+      label: Dev token
+      lifetime: 600
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      kid: ${{ kid }}
+      exp: ${{ exp }}
+      token: ${{ token }}
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: efe3a65ebbee47ed95a73edd911ea328
+      """
+
+    # debug LRU cache
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+  Scenario: Token with restricted scopes
+    When the following request is received:
+      """
+      POST /identity/tokens/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      label: Production token
+      lifetime: 0
+      scopes: [app:notes:public]
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      token: ${{ token }}
+      """
+    When the following request is received:
+      """
+      GET /notes/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+    When the following request is received:
+      """
+      GET /notes/public/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+  Scenario: Token with restricted permissions
+    When the following request is received:
+      """
+      POST /identity/tokens/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      label: Restricted token
+      lifetime: 0
+      permissions: {
+        /notes/: [GET]
+      }
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      token: ${{ token }}
+      """
+    When the following request is received:
+      """
+      GET /notes/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+    # method is not permitted
+    When the following request is received:
+      """
+      POST /notes/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+    # resource is not permitted
+    When the following request is received:
+      """
+      GET /notes/public/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario: Token revocation
+    Given the `identity.tokens` configuration:
+      """yaml
+      cache:
+        ttl: 1
+      """
+    When the following request is received:
+      """
+      POST /identity/tokens/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      label: One-time token
+      lifetime: 60
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      token: ${{ token }}
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: efe3a65ebbee47ed95a73edd911ea328
+      """
+    When the following request is received:
+      """
+      GET /identity/keys/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      - id: ${{ kid }}
+        label: One-time token
+        expires: ${{ expires }}
+        _created: ${{ created }}
+      """
+    When the following request is received:
+      """
+      DELETE /identity/keys/efe3a65ebbee47ed95a73edd911ea328/${{ kid }}/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    And after 1 second
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """