@toa.io/extensions.exposition 1.0.0-alpha.12 → 1.0.0-alpha.14

package/features/identity.bans.feature

@@ -0,0 +1,128 @@
+@security
+Feature: Bans
+
+  Background:
+    Given the `identity.basic` database contains:
+    # developer:secret
+    # user:12345
+      | _id                              | username  | password                                                     | _deleted |
+      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | null     |
+      | e8e4f9c2a68d419b861403d71fabc915 | user      | $2b$10$Frszmrmsz9iwSXzBbRRMKeDVKsNxozkrLNSsN.SnVC.KPxLtQr/bK | null     |
+    And the `identity.bans` database is empty
+
+  Scenario: Banning an Identity
+    Given the `identity.roles` database contains:
+      | _id                              | identity                         | role                 |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | system:identity:bans |
+    And the annotation:
+      """yaml
+      /:
+        /:id:
+          io:output: true
+          auth:id: id
+          GET:
+            dev:stub:
+              access: granted!
+      """
+    And the `identity.tokens` configuration:
+      """yaml
+      refresh: 1
+      """
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    When the following request is received:
+      """
+      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      banned: true
+      comment: Bye bye
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    # accessing a resource with a banned Identity
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    Then after 1 second
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      banned: false
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      authorization: Token ${{ new_token }}
+      """
+    # re-ban
+    When the following request is received:
+      """
+      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      banned: true
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    Then after 1 second
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Token ${{ new_token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """

package/features/identity.basic.feature

@@ -1,3 +1,4 @@
+@security
 Feature: Basic authentication
 
   Background:
@@ -28,8 +29,6 @@ Feature: Basic authentication
     Then the following reply is sent:
       """
       409 Conflict
-
-      - username
       """
 
   Scenario: Creating new Identity using inception
@@ -43,9 +42,9 @@ Feature: Basic authentication
             incept: id
             endpoint: transit
             query: ~
-        /:id:                 # credential testing route
-          id: id
-          GET: observe
+          /:id:                 # credential testing route
+            id: id
+            GET: observe
       """
     When the following request is received:
       """
@@ -96,8 +95,6 @@ Feature: Basic authentication
     Then the following reply is sent:
       """
       409 Conflict
-
-      - username
       """
     # credentials already exists
     When the following request is received:

package/features/identity.federation.feature

@@ -1,3 +1,4 @@
+@security
 Feature: Identity Federation
 
   Background:

package/features/identity.roles.feature

@@ -1,6 +1,7 @@
+@security
 Feature: Roles management
 
-  Scenario: Adding a role to an Identity
+  Scenario: Granting a role to an Identity
     # root:secret
     # user:pass
     Given the `identity.basic` database contains:
@@ -34,6 +35,7 @@ Feature: Roles management
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
       authorization: Basic cm9vdDpzZWNyZXQ=
+      accept: application/yaml
       content-type: application/yaml
 
       role: test
@@ -41,6 +43,8 @@ Feature: Roles management
     Then the following reply is sent:
       """
       201 Created
+
+      grantor: 72cf9b0ab0ac4ab2b8036e4e940ddcae
       """
     When the following request is received:
       # user now have the role
@@ -200,3 +204,52 @@ Feature: Roles management
       | app!          |
       | app:          |
       | app:no spaces |
+
+  Scenario: Dynamic roles
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                    |
+      | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:29e54ae1:moderation |
+    And the annotation:
+      """yaml
+      /:
+        /broken:
+          auth:role: app:{org}:moderation
+          GET:
+            dev:stub: never
+        /:org:
+          io:output: true
+          auth:role: app:{org}:moderation
+          GET:
+            dev:stub:
+              access: granted!
+      """
+    When the following request is received:
+      """
+      GET /29e54ae1/ HTTP/1.1
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /88584c9b/ HTTP/1.1
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+    When the following request is received:
+      """
+      GET /broken/ HTTP/1.1
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      500 Internal Server Error
+      """

package/features/identity.tokens.feature

@@ -1,3 +1,4 @@
+@security
 Feature: Tokens lifecycle
 
   Scenario: Switching to Token authentication scheme
@@ -120,3 +121,43 @@ Feature: Tokens lifecycle
       """
       401 Unauthorized
       """
+
+  Scenario: Issuing own token
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    When the following request is received:
+      """
+      POST /identity/tokens/ HTTP/1.1
+      authorization: Token ${{ token }}
+      content-type: application/yaml
+
+      lifetime: 0
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    # Token scheme must be used
+    When the following request is received:
+      """
+      POST /identity/tokens/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      lifetime: 60
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """

package/features/io.feature

@@ -1,3 +1,4 @@
+@security
 Feature: IO restrictions
 
   Background:
@@ -135,6 +136,7 @@ Feature: IO restrictions
       exposition:
         /:
           io:input: [title, volume]
+          io:output: [id]
           POST: create
       """
     When the following request is received:
@@ -165,3 +167,30 @@ Feature: IO restrictions
       """
       201 Created
       """
+
+  Scenario: IO shortcuts
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          input: [title, volume]
+          output: [id, title, volume]
+          POST: create
+      """
+    When the following request is received:
+      """
+      POST /pots/ HTTP/1.1
+      accept: application/yaml
+      content-type: application/yaml
+
+      title: Hello
+      volume: 1.5
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id:
+      title: Hello
+      volume: 1.5
+      """

package/features/response.feature

@@ -7,7 +7,8 @@ Feature: Response
         io:output: true
         GET:
           anonymous: true
-          dev:stub: hello
+          dev:stub:
+            hello: world
       """
     When the following request is received:
       """
@@ -19,6 +20,8 @@ Feature: Response
       200 OK
       content-type: application/json
       vary: accept
+
+      {"hello":"world"}
       """
 
   Scenario: Error as YAML

package/features/steps/Database.ts

@@ -1,5 +1,6 @@
 import { afterAll, beforeAll, binding, given } from 'cucumber-tsflow'
 import { MongoClient } from 'mongodb'
+import type { Collection } from 'mongodb'
 import type { DataTable } from '@cucumber/cucumber'
 
 @binding()
@@ -8,9 +9,7 @@ export class Database {
 
   @given('the `{word}` database contains:')
   public async upsert (id: string, table: DataTable): Promise<void> {
-    const [name, namespace = 'default'] = id.split('.').reverse()
-    const collection = Database.client.db(namespace).collection(name)
-
+    const collection = this.collection(id)
     const columns = table.raw()[0]
     const rows = table.rows()
     const documents: Document[] = []
@@ -22,7 +21,11 @@ export class Database {
         const str = rows[r][c]
         const int = parseInt(str)
 
-        document[columns[c]] = int.toString() === str ? int : str
+        document[columns[c]] = int.toString() === str
+          ? int
+          : str === 'null'
+            ? null
+            : str
       }
 
       documents.push(document)
@@ -36,10 +39,7 @@ export class Database {
 
   @given('the `{word}` database is empty')
   public async truncate (id: string): Promise<void> {
-    const [name, namespace = 'default'] = id.split('.').reverse()
-    const collection = Database.client.db(namespace).collection(name)
-
-    await collection.deleteMany({})
+    await this.collection(id).deleteMany({})
   }
 
   @beforeAll()
@@ -53,6 +53,13 @@ export class Database {
   public static async disconnect (): Promise<void> {
     await this.client.close()
   }
+
+  private collection (id: string): Collection {
+    const [name, namespace = 'default'] = id.split('.').reverse()
+    const collection = `${namespace}_${name}`.toLowerCase()
+
+    return Database.client.db('toa-dev').collection(collection)
+  }
 }
 
-type Document = Record<string, string | number>
+type Document = Record<string, string | number | null>

package/features/steps/IdP.ts

@@ -14,7 +14,8 @@ export class IdP {
   private static privateKey?: crypto.KeyObject
   private static issuer?: string
 
-  public constructor (private readonly captures: Captures) {}
+  public constructor (private readonly captures: Captures) {
+  }
 
   @afterAll()
   public static async stop (): Promise<void> {
@@ -29,14 +30,21 @@ export class IdP {
     if (IdP.server instanceof http.Server) return
 
     // creating the key
-    const { publicKey, privateKey } = await util.promisify(crypto.generateKeyPair)('rsa', {
+    const {
+      publicKey,
+      privateKey
+    } = await util.promisify(crypto.generateKeyPair)('rsa', {
       modulusLength: 2048
     })
 
     IdP.privateKey = privateKey
 
     const jwk = JSON.stringify({
-      keys: [{ use: 'sig', alg: 'RS256', ...publicKey.export({ format: 'jwk' }) }]
+      keys: [{
+        use: 'sig',
+        alg: 'RS256',
+        ...publicKey.export({ format: 'jwk' })
+      }]
     })
 
     const JWK_URL = '/.well-known/jwks'
@@ -54,24 +62,23 @@ export class IdP {
           response.end(jwk)
           break
 
-        case '/.well-known/openid-configuration':
-          {
-            const openIdConfiguration = JSON.stringify({
-              issuer: IdP.issuer,
-              jwks_uri: IdP.issuer + JWK_URL,
-              response_types_supported: ['id_token'],
-              subject_types_supported: ['public'],
-              id_token_signing_alg_values_supported: ['RS256'],
-              scopes_supported: ['openid']
-            })
-
-            response.writeHead(200, {
-              'Content-Type': 'application/json',
-              'Cache-Control': 'public, max-age=3600',
-              'Content-Length': openIdConfiguration.length
-            })
-            response.end(openIdConfiguration)
-          }
+        case '/.well-known/openid-configuration': {
+          const openIdConfiguration = JSON.stringify({
+            issuer: IdP.issuer,
+            jwks_uri: IdP.issuer + JWK_URL,
+            response_types_supported: ['id_token'],
+            subject_types_supported: ['public'],
+            id_token_signing_alg_values_supported: ['RS256'],
+            scopes_supported: ['openid']
+          })
+
+          response.writeHead(200, {
+            'Content-Type': 'application/json',
+            'Cache-Control': 'public, max-age=3600',
+            'Content-Length': openIdConfiguration.length
+          })
+          response.end(openIdConfiguration)
+        }
 
           break
 
@@ -120,8 +127,6 @@ export class IdP {
 
   @given('the IDP {word} token for {word} is issued with following secret:')
   public async issueSymmetricToken (alg: string, user: string, secret: string): Promise<void> {
-    console.log('Sym token for %s with secret "%s"', user, secret)
-
     const jwt = [
       {
         typ: 'JWT',

package/features/steps/components/echo/manifest.toa.yaml

@@ -1,5 +1,4 @@
 name: echo
-version: 0.0.0
 
 operations:
   compute:
@@ -8,3 +7,8 @@ operations:
   affect:
     input:
       name*: string
+  identity:
+    input:
+      identity:
+        id: string
+        roles: [string]

package/features/steps/components/echo/operations/identity.js

@@ -0,0 +1,7 @@
+'use strict'
+
+function computation (input) {
+  return input
+}
+
+exports.computation = computation

package/features/steps/components/users/manifest.toa.yaml

@@ -1,5 +1,4 @@
 name: users
-version: 0.0.0
 
 entity:
   schema:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@toa.io/extensions.exposition",
-  "version": "1.0.0-alpha.12",
+  "version": "1.0.0-alpha.14",
   "description": "Toa Exposition",
   "author": "temich <tema.gurtovoy@gmail.com>",
   "homepage": "https://github.com/toa-io/toa#readme",
@@ -17,9 +17,9 @@
     "access": "public"
   },
   "dependencies": {
-    "@toa.io/core": "1.0.0-alpha.12",
-    "@toa.io/generic": "1.0.0-alpha.12",
-    "@toa.io/schemas": "1.0.0-alpha.12",
+    "@toa.io/core": "1.0.0-alpha.14",
+    "@toa.io/generic": "1.0.0-alpha.14",
+    "@toa.io/schemas": "1.0.0-alpha.14",
     "bcryptjs": "2.4.3",
     "error-value": "0.3.0",
     "js-yaml": "4.1.0",
@@ -34,20 +34,22 @@
   },
   "scripts": {
     "test": "jest",
-    "transpile": "tsc && npm run transpile:basic && npm run transpile:tokens && npm run transpile:roles && npm run transpile:federation",
+    "transpile": "tsc && npm run transpile:bans && npm run transpile:basic && npm run transpile:tokens && npm run transpile:roles && npm run transpile:federation",
+    "transpile:bans": "tsc -p ./components/identity.bans",
     "transpile:basic": "tsc -p ./components/identity.basic",
     "transpile:tokens": "tsc -p ./components/identity.tokens",
     "transpile:roles": "tsc -p ./components/identity.roles",
     "pretranspile:federation": "js-yaml components/identity.federation/manifest.toa.yaml | jq -M '{ type: \"object\", properties: {configuration: .configuration.schema, entity: .entity.schema }, additionalProperties: false}' > schemas.json && json2ts -i schemas.json -o components/identity.federation/source/schemas.ts && rm schemas.json",
     "transpile:federation": "tsc -p ./components/identity.federation",
-    "features": "cucumber-js"
+    "features": "cucumber-js",
+    "features:security": "cucumber-js --tags @security"
   },
   "devDependencies": {
-    "@toa.io/agent": "1.0.0-alpha.12",
-    "@toa.io/extensions.storages": "1.0.0-alpha.12",
+    "@toa.io/agent": "1.0.0-alpha.14",
+    "@toa.io/extensions.storages": "1.0.0-alpha.14",
     "@types/bcryptjs": "2.4.3",
     "@types/cors": "2.8.13",
     "@types/negotiator": "0.6.1"
   },
-  "gitHead": "897206fbcf724fa88f427b6aee35bff571b2a3a1"
+  "gitHead": "8aa52cb97021695885c8dbe64beca26c9665fc8f"
 }

package/source/Directive.ts

@@ -93,5 +93,7 @@ export const shortcuts: RTD.syntax.Shortcuts = new Map([
   ['id', 'auth:id'],
   ['role', 'auth:role'],
   ['rule', 'auth:rule'],
-  ['incept', 'auth:incept']
+  ['incept', 'auth:incept'],
+  ['input', 'io:input'],
+  ['output', 'io:output']
 ])

package/source/Gateway.ts

@@ -31,7 +31,7 @@ export class Gateway extends Connector {
     const match = this.tree.match(context.url.pathname)
 
     if (match === null)
-      throw new http.NotFound()
+      throw new http.NotFound('Route not found')
 
     const {
       node,

package/source/HTTP/exceptions.ts

@@ -37,7 +37,7 @@ export class NotFound extends ClientError {
 }
 
 export class Conflict extends ClientError {
-  public constructor (body: any) {
+  public constructor (body?: any) {
     super(409, body)
   }
 }

package/source/RTD/factory.ts

@@ -33,7 +33,7 @@ function createRoute (route: syntax.Route, context: Context): Route {
 }
 
 function createMethod (method: syntax.Method, context: Context): Method {
-  const stack = context.directives.stack.concat(method.directives.reverse())
+  const stack = method.directives.concat(context.directives.stack)
   const directives = context.directives.factory.create(stack)
 
   const endpoint = method.mapping?.endpoint === undefined

package/source/Tenant.ts

@@ -25,14 +25,6 @@ export class Tenant extends Connector {
   public override async open (): Promise<void> {
     await this.expose()
     await this.broadcast.receive('ping', this.expose.bind(this))
-
-    console.info('Exposition Tenant for ' +
-      `'${this.branch.namespace}.${this.branch.component}' has started.`)
-  }
-
-  public override async dispose (): Promise<void> {
-    console.info('Exposition Tenant for ' +
-      `'${this.branch.namespace}.${this.branch.component}' has been stopped.`)
   }
 
   private async expose (): Promise<void> {

package/source/directives/auth/Authorization.ts

@@ -39,7 +39,7 @@ export class Authorization implements DirectiveFamily<Directive, Extension> {
 
   public create (name: string, value: any, remotes: Remotes): Directive {
     assert.ok(name in constructors,
-      `Directive '${name}' is not provided by the '${this.name}' family.`)
+      `Directive 'auth:${name}' is not implemented.`)
 
     const Class = constructors[name]
 

package/source/directives/auth/Delegate.ts

@@ -19,6 +19,9 @@ export class Delegate implements Directive {
   }
 
   private embed (body: unknown, identity: Identity): Record<string, unknown> {
+    if (body === undefined)
+      body = {}
+
     check(body)
     body[this.property] = identity
 
@@ -28,5 +31,5 @@ export class Delegate implements Directive {
 
 function check (body: unknown): asserts body is Record<string, unknown> {
   if (typeof body !== 'object' || body === null)
-    throw new BadRequest('Invalid request body.')
+    throw new BadRequest('Invalid request body')
 }