@toa.io/extensions.exposition 1.0.0-alpha.14 → 1.0.0-alpha.142

package/features/identity.basic.feature

@@ -8,6 +8,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       content-type: application/yaml
 
       username: developer
@@ -20,6 +21,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       content-type: application/yaml
       accept: application/yaml
 
@@ -37,7 +39,7 @@ Feature: Basic authentication
       exposition:
         /:
           io:output: true
-          anonymous: true     # checking compatibility with anonymous access
+          anonymous: true       # checking compatibility with anonymous access
           POST:
             incept: id
             endpoint: transit
@@ -49,6 +51,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
       accept: application/yaml
       content-type: application/yaml
@@ -66,6 +69,7 @@ Feature: Basic authentication
       # basic credentials have been created
       """
       GET /users/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
       """
     Then the following reply is sent:
@@ -76,16 +80,19 @@ Feature: Basic authentication
       # valid token has been issued
       """
       GET /users/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       """
     Then the following reply is sent:
       """
       200 OK
       """
+
     # username is taken
     When the following request is received:
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjphbm90aGVycGFzczEyMzQ=
       accept: application/yaml
       content-type: application/yaml
@@ -96,10 +103,12 @@ Feature: Basic authentication
       """
       409 Conflict
       """
+
     # credentials already exists
     When the following request is received:
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
       accept: application/yaml
       content-type: application/yaml
@@ -123,11 +132,12 @@ Feature: Basic authentication
               access: granted!
       """
     And the `identity.basic` database contains:
-      | _id                              | _version | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | _version | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     When the following request is received:
       """
       PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       content-type: application/yaml
@@ -142,6 +152,7 @@ Feature: Basic authentication
       # old password
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -152,6 +163,7 @@ Feature: Basic authentication
       # new password
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOm5ldy1zZWNyZXQ=
       """
     Then the following reply is sent:
@@ -159,14 +171,15 @@ Feature: Basic authentication
       200 OK
       """
 
-  Scenario: Changing other identity the password
+  Scenario: Changing other identity's password
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     | _version |
-      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
-      | 6c0be50cbfb043acafe69cc7d3895f84 | attacker  | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
+      | _id                              | authority | username  | password                                                     | _version |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
+      | 6c0be50cbfb043acafe69cc7d3895f84 | nex       | attacker  | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
     When the following request is received:
       """
       PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic YXR0YWNrZXI6c2VjcmV0
       accept: application/yaml
       content-type: application/yaml
@@ -182,6 +195,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       content-type: application/yaml
 
@@ -190,17 +204,17 @@ Feature: Basic authentication
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
 
       code: <code>
-      message: <problem> is not meeting the requirements.
+      message: <problem> is not meeting the requirements
       """
     Examples:
-      | username        | password    | problem  | code             |
-      | with whitespace | secret#1234 | Username | INVALID_USERNAME |
-      | root            | short       | Password | INVALID_PASSWORD |
+      | username                                                                                                                          | password    | problem  | code             |
+      | zYF8G6obtE3c5ARpZjnMwv0L7lX2dQUyJ1KiHS9ag4fThDPVxCsuIWmNeBqkOrzYF8G6obtE3c5ARpZjnMwv0L7lX2dQUyJ1KiHS9ag4fThDPVxCsuIWmNeBqkOris129 | secret#1234 | Username | INVALID_USERNAME |
+      | root                                                                                                                              | short       | Password | INVALID_PASSWORD |
 
-  Scenario Outline: Given <property> is not meeting one of requirements
+  Scenario Outline: <property> is not meeting one of requirements
     Given the `identity.basic` configuration:
       """yaml
       <property>:
@@ -208,11 +222,12 @@ Feature: Basic authentication
         - ^[^A]{1,16}$  # should not contain 'A'
       """
     And the `identity.basic` database contains:
-      | _id                              | _version | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | _version | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     When the following request is received:
       """
       PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       content-type: application/yaml
@@ -221,7 +236,7 @@ Feature: Basic authentication
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
       """
     Examples:
       | property |
@@ -245,6 +260,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       content-type: application/yaml
 
@@ -262,6 +278,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       GET /identity/roles/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic cm9vdDpzZWNyZXQjMTIzNA==
       accept: application/yaml
       """
@@ -275,6 +292,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       accept: application/yaml
       """
@@ -288,6 +306,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       PATCH /identity/basic/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       accept: application/yaml
       content-type: application/yaml
@@ -296,15 +315,14 @@ Feature: Basic authentication
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
 
       code: PRINCIPAL_LOCKED
-      message: Principal username cannot be changed.
+      message: Principal username cannot be changed
       """
 
   Scenario: Creating an Identity using inception with existing credentials
-    Given the `identity.basic` database is empty
-    And the `users` is running with the following manifest:
+    Given the `users` is running with the following manifest:
       """yaml
       exposition:
         /:
@@ -312,12 +330,14 @@ Feature: Basic authentication
           anonymous: true
           POST:
             incept: id
+            query: false
             endpoint: transit
       """
     When the following request is received:
       # identity inception
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
       accept: application/yaml
       content-type: application/yaml
@@ -332,8 +352,9 @@ Feature: Basic authentication
       # same credentials
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
-      content-type: text/plain
+      content-type: application/yaml
 
       name: Mary Louis
       """
@@ -341,3 +362,65 @@ Feature: Basic authentication
       """
       403 Forbidden
       """
+
+  Scenario: Incorrect credentials format
+    Given the `identity.basic` database is empty
+    And the `users` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          io:output: true
+          anonymous: true
+          POST:
+            incept: id
+            endpoint: transit
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic not-base64
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      POST /users/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic not-base64
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      422 Unprocessable Entity
+
+      code: INVALID_CREDENTIALS
+      """
+
+  Scenario: Check if username is available
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     | _version |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
+    When the following request is received:
+      """
+      GET /identity/basic/usernames/ZGV2ZWxvcGVy/ HTTP/1.1
+      host: nex.toa.io
+      """
+    Then the following reply is sent:
+      """
+      204 No Content
+      """
+    When the following request is received:
+      """
+      GET /identity/basic/username/bWFuYWdlcg/ HTTP/1.1
+      host: nex.toa.io
+      """
+    Then the following reply is sent:
+      """
+      404 Not Found
+      """

package/features/identity.feature

@@ -2,8 +2,8 @@ Feature: Identity resource
 
   Scenario: Requesting own Identity
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role            |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | efe3a65ebbee47ed95a73edd911ea328 | developer       |
@@ -11,6 +11,7 @@ Feature: Identity resource
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -27,6 +28,7 @@ Feature: Identity resource
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ User.token }}
       accept: application/yaml
       """
@@ -43,6 +45,7 @@ Feature: Identity resource
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ User.token }}
       accept: application/yaml
       """
@@ -56,20 +59,29 @@ Feature: Identity resource
         - system:identity
       """
 
-  Scenario: Requesting Identity with non-existent credentials
-    Given the `identity.basic` database is empty
+  Scenario: Getting transient Identity
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
-      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      host: nex.toa.io
+      accept: application/yaml
       """
     Then the following reply is sent:
       """
-      401 Unauthorized
+      201 Created
+      authorization: Token ${{ token }}
+
+      id: ${{ id }}
+      roles: []
       """
+
+  Scenario: Requesting Identity with non-existent credentials
+    Given the `identity.basic` database is empty
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
       """
     Then the following reply is sent:
       """

package/features/identity.federation.feature

@@ -3,22 +3,22 @@ Feature: Identity Federation
 
   Background:
     Given the `identity.federation` database is empty
-    Given local IDP is running
+    And local IDP is running
 
-  Scenario: Getting identity for a new user
+  Scenario: Asymmetric tokens
     Given the `identity.federation` configuration:
       """yaml
-      explicit_identity_creation: false
       trust:
-        - issuer: http://localhost:44444
+        - iss: http://localhost:44444
+      implicit: true
       """
     And the IDP token for User is issued
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ User.id_token }}
       accept: application/yaml
-      content-type: application/yaml
       """
     Then the following reply is sent:
       """
@@ -32,6 +32,7 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       authorization: Token ${{ User.token }}
       """
@@ -45,6 +46,7 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ User.id_token }}
       accept: application/yaml
       """
@@ -55,15 +57,15 @@ Feature: Identity Federation
       id: ${{ User.id }}
       """
 
-  Scenario: Getting identity for a user with symmetric tokens
+  Scenario: Symmetric tokens
     Given the `identity.federation` configuration:
       """yaml
-      explicit_identity_creation: false
       trust:
-        - issuer: http://localhost:44444
+        - iss: http://localhost:44444
           secrets:
             HS384:
               k1: the-secret
+      implicit: true
       """
     And the IDP HS384 token for GoodUser is issued with following secret:
       """
@@ -72,9 +74,9 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ GoodUser.id_token }}
       accept: application/yaml
-      content-type: application/yaml
       """
     Then the following reply is sent:
       """
@@ -84,11 +86,11 @@ Feature: Identity Federation
       id: ${{ GoodUser.id }}
       """
 
-  Scenario: Creating an Identity using inception with existing credentials
+  Scenario: Creating an Identity using inception
     Given the `identity.federation` configuration:
       """yaml
       trust:
-        - issuer: http://localhost:44444
+        - iss: http://localhost:44444
       """
     Given the `users` is running with the following manifest:
       """yaml
@@ -96,8 +98,8 @@ Feature: Identity Federation
         /:
           anonymous: true
           POST:
-            io:output: true
-            incept: id
+            io:output: [id]
+            auth:incept: id
             endpoint: create
       """
     And the IDP token for Bill is issued
@@ -105,6 +107,7 @@ Feature: Identity Federation
       # identity inception
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ Bill.id_token }}
       accept: application/yaml
       content-type: application/yaml
@@ -122,6 +125,7 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ Bill.token }}
       accept: application/yaml
       """
@@ -133,20 +137,23 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ Bill.id_token }}
       accept: application/yaml
       """
     Then the following reply is sent:
       """
       200 OK
+
       id: ${{ Bill.id }}
       """
     And the following request is received:
       # same credentials
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ Bill.id_token }}
-      content-type: text/plain
+      content-type: application/yaml
 
       name: Mary Louis
       """
@@ -158,22 +165,24 @@ Feature: Identity Federation
   Scenario: Granting a `system` role to a Principal
     Given the `identity.federation` configuration:
       """yaml
-      explicit_identity_creation: false
       trust:
-        - issuer: http://localhost:44444
+        - iss: http://localhost:44444
       principal:
         iss: http://localhost:44444
-        sub: root-mock-id
+        sub: root
+      implicit: true
       """
     And the IDP token for root is issued
+
+    # create an identity
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ root.id_token }}
       accept: application/yaml
       content-type: application/yaml
       """
-    # create an identity
     Then the following reply is sent:
       """
       200 OK
@@ -181,10 +190,14 @@ Feature: Identity Federation
 
       id: ${{ root.id }}
       """
+
+    Then after 0.1 seconds
+
     # check the role
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       authorization: Token ${{ root.token }}
       """
@@ -196,3 +209,97 @@ Feature: Identity Federation
       roles:
         - system
       """
+
+  Scenario: Adding federation to an existing identity
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      """
+    And the `identity.basic` database is empty
+
+    # create an identity
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: #{{ id | set Bob.username }}
+      password: #{{ password 8 | set Bob.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ Bob.id }}
+      """
+
+    When the IDP token for Bob is issued
+
+    # add federation
+    When the following request is received:
+      """
+      POST /identity/federation/${{ Bob.id }}/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic #{{ basic Bob }}
+      content-type: application/yaml
+      accept: application/yaml
+
+      credentials: ${{ Bob.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    And the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ Bob.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ Bob.id }}
+      """
+
+  Scenario: Tokens with `jti` are one-time
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      implicit: true
+      """
+    And ID token with jti is issued for User
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ User.token }}
+
+      id: ${{ User.id }}
+      roles: []
+      """
+
+    # second use
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """