@toa.io/extensions.exposition 1.0.0-alpha.15 → 1.0.0-alpha.150

package/features/identity.federation.feature

@@ -3,22 +3,21 @@ Feature: Identity Federation
 
   Background:
     Given the `identity.federation` database is empty
-    Given local IDP is running
+    And local IDP is running
 
-  Scenario: Getting identity for a new user
+  Scenario: Asymmetric tokens
     Given the `identity.federation` configuration:
       """yaml
-      explicit_identity_creation: false
       trust:
-        - issuer: http://localhost:44444
+        - iss: http://localhost:44444
       """
     And the IDP token for User is issued
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ User.id_token }}
       accept: application/yaml
-      content-type: application/yaml
       """
     Then the following reply is sent:
       """
@@ -28,10 +27,10 @@ Feature: Identity Federation
       id: ${{ User.id }}
       roles: []
       """
-    # validate TOKEN
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       authorization: Token ${{ User.token }}
       """
@@ -45,6 +44,7 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ User.id_token }}
       accept: application/yaml
       """
@@ -55,40 +55,12 @@ Feature: Identity Federation
       id: ${{ User.id }}
       """
 
-  Scenario: Getting identity for a user with symmetric tokens
+  Scenario: Creating an Identity using inception
     Given the `identity.federation` configuration:
       """yaml
-      explicit_identity_creation: false
       trust:
-        - issuer: http://localhost:44444
-          secrets:
-            HS384:
-              k1: the-secret
-      """
-    And the IDP HS384 token for GoodUser is issued with following secret:
-      """
-      the-secret
-      """
-    When the following request is received:
-      """
-      GET /identity/ HTTP/1.1
-      authorization: Bearer ${{ GoodUser.id_token }}
-      accept: application/yaml
-      content-type: application/yaml
-      """
-    Then the following reply is sent:
-      """
-      200 OK
-      authorization: Token ${{ GoodUser.token }}
-
-      id: ${{ GoodUser.id }}
-      """
-
-  Scenario: Creating an Identity using inception with existing credentials
-    Given the `identity.federation` configuration:
-      """yaml
-      trust:
-        - issuer: http://localhost:44444
+        - iss: http://localhost:44444
+      assert: false
       """
     Given the `users` is running with the following manifest:
       """yaml
@@ -96,8 +68,8 @@ Feature: Identity Federation
         /:
           anonymous: true
           POST:
-            io:output: true
-            incept: id
+            io:output: [id]
+            auth:incept: id
             endpoint: create
       """
     And the IDP token for Bill is issued
@@ -105,6 +77,7 @@ Feature: Identity Federation
       # identity inception
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ Bill.id_token }}
       accept: application/yaml
       content-type: application/yaml
@@ -122,6 +95,7 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ Bill.token }}
       accept: application/yaml
       """
@@ -133,20 +107,23 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ Bill.id_token }}
       accept: application/yaml
       """
     Then the following reply is sent:
       """
       200 OK
+
       id: ${{ Bill.id }}
       """
     And the following request is received:
       # same credentials
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ Bill.id_token }}
-      content-type: text/plain
+      content-type: application/yaml
 
       name: Mary Louis
       """
@@ -158,22 +135,23 @@ Feature: Identity Federation
   Scenario: Granting a `system` role to a Principal
     Given the `identity.federation` configuration:
       """yaml
-      explicit_identity_creation: false
       trust:
-        - issuer: http://localhost:44444
+        - iss: http://localhost:44444
       principal:
         iss: http://localhost:44444
-        sub: root-mock-id
+        sub: root
       """
     And the IDP token for root is issued
+
+    # create an identity
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ root.id_token }}
       accept: application/yaml
       content-type: application/yaml
       """
-    # create an identity
     Then the following reply is sent:
       """
       200 OK
@@ -181,10 +159,14 @@ Feature: Identity Federation
 
       id: ${{ root.id }}
       """
+
+    Then after 0.2 seconds
+
     # check the role
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       authorization: Token ${{ root.token }}
       """
@@ -196,3 +178,147 @@ Feature: Identity Federation
       roles:
         - system
       """
+
+  Scenario: Adding federation to an existing identity
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      """
+    And the `identity.basic` database is empty
+
+    # create an identity
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: #{{ id | set Bob.username }}
+      password: #{{ password 8 | set Bob.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ Bob.id }}
+      """
+
+    When the IDP token for Bob is issued
+
+    # add federation
+    When the following request is received:
+      """
+      POST /identity/federation/${{ Bob.id }}/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic #{{ basic Bob }}
+      content-type: application/yaml
+      accept: application/yaml
+
+      credentials: ${{ Bob.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    And the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ Bob.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ Bob.id }}
+      """
+
+  Scenario: Tokens with `jti` are one-time
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      """
+    And ID token with jti is issued for User
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ User.token }}
+
+      id: ${{ User.id }}
+      roles: []
+      """
+
+    # second use
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ User.id_token }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+
+  Scenario: Authorization code flow with secret
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+          aud: nex
+          secret: secret
+      """
+    And auth code for Alice is issued for https://web.toa.io/callback/
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Code ${{ Alice.code_credentials }}
+      host: nex.toa.io
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ Alice.token }}
+
+      id: ${{ Alice.id }}
+      """
+
+  Scenario: Authorization code flow with signature
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+          aud: nex
+          signature:
+            iss: io.toa.nex.id
+            kid: key-id
+            key: secret
+      """
+    And auth code for Bob is issued for https://web.toa.io/callback/
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Code ${{ Bob.code_credentials }}
+      host: nex.toa.io
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ Bob.token }}
+
+      id: ${{ Bob.id }}
+      """

package/features/identity.otp.feature

@@ -0,0 +1,71 @@
+Feature: OTP authentication
+
+  OTP credentials format is base64(username:password)
+
+  Background:
+    Given the `identity.otp` configuration:
+      """yaml
+      lifetime: 1
+      """
+    And the Gateway is running
+
+  Scenario: Authenticate using OTP
+    Given OTP for `alice` in `nex` authority is issued
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: OTP ${{ alice.otp }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+
+      id: ${{ id }}
+      """
+
+    # valid only once
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: OTP ${{ alice.otp }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+
+    # same username is resolved to the same identity
+    Given OTP for `alice` in `nex` authority is issued
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: OTP ${{ alice.otp }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ id }}
+      """
+
+    # expiration
+    Given OTP for `alice` in `nex` authority is issued
+    And after 1 second
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: OTP ${{ alice.otp }}
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """

package/features/identity.roles.feature

@@ -5,9 +5,9 @@ Feature: Roles management
     # root:secret
     # user:pass
     Given the `identity.basic` database contains:
-      | _id                              | username | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
-      | 4344518184ad44228baffce7a44fd0b1 | user     | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+      | _id                              | authority | username | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | user     | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role                  |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles |
@@ -15,7 +15,7 @@ Feature: Roles management
       """yaml
       /:
         io:output: true
-        auth:role: test
+        auth:role: foo:bar
         GET:
           dev:stub:
             access: granted!
@@ -24,6 +24,7 @@ Feature: Roles management
       # user doesn't have the required role
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNz
       """
     Then the following reply is sent:
@@ -34,11 +35,12 @@ Feature: Roles management
       # root adds a role to a user
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic cm9vdDpzZWNyZXQ=
       accept: application/yaml
       content-type: application/yaml
 
-      role: test
+      role: foo:bar
       """
     Then the following reply is sent:
       """
@@ -47,11 +49,40 @@ Feature: Roles management
       grantor: 72cf9b0ab0ac4ab2b8036e4e940ddcae
       """
     When the following request is received:
-      # user now have the role
+      # root adds a role to a user
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic cm9vdDpzZWNyZXQ=
+      accept: application/yaml
+      content-type: application/yaml
+
+      role: foo:baz
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+
+    # user now have the role
+    When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNz
       """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    # repeat with token
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
     Then the following reply is sent:
       """
       200 OK
@@ -61,9 +92,9 @@ Feature: Roles management
     # moderator:secret
     # assistant:pass
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
-      | 4344518184ad44228baffce7a44fd0b1 | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role                             |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles:delegation |
@@ -81,6 +112,7 @@ Feature: Roles management
       # assistant doesn't have the required role
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic YXNzaXN0YW50OnBhc3M=
       """
     Then the following reply is sent:
@@ -91,6 +123,7 @@ Feature: Roles management
       # moderator delegates a role to an assistant
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
       content-type: application/yaml
 
@@ -104,6 +137,7 @@ Feature: Roles management
       # assistant has access
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic YXNzaXN0YW50OnBhc3M=
       """
     Then the following reply is sent:
@@ -117,9 +151,9 @@ Feature: Roles management
 
   Scenario: Delegating role out of own scope
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
-      | 4344518184ad44228baffce7a44fd0b1 | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role                             |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles:delegation |
@@ -136,6 +170,7 @@ Feature: Roles management
     When the following request is received:
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       content-type: application/yaml
       authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
@@ -144,16 +179,16 @@ Feature: Roles management
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
 
       code: OUT_OF_SCOPE
       """
 
   Scenario: Delegating role without `system:identity:roles:delegation` role
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
-      | 4344518184ad44228baffce7a44fd0b1 | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | nex       | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role           |
       | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:moderation |
@@ -169,6 +204,7 @@ Feature: Roles management
     When the following request is received:
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       content-type: application/yaml
       authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
 
@@ -181,8 +217,8 @@ Feature: Roles management
 
   Scenario Outline: Invalid role name
     Given the `identity.basic` database contains:
-      | _id                              | username | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | _id                              | authority | username | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role                  |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles |
@@ -190,6 +226,7 @@ Feature: Roles management
       # root adds a role to a user
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic cm9vdDpzZWNyZXQ=
       content-type: application/yaml
 
@@ -207,8 +244,8 @@ Feature: Roles management
 
   Scenario: Dynamic roles
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | _id                              | authority | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | nex       | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role                    |
       | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:29e54ae1:moderation |
@@ -229,6 +266,7 @@ Feature: Roles management
     When the following request is received:
       """
       GET /29e54ae1/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -238,6 +276,7 @@ Feature: Roles management
     When the following request is received:
       """
       GET /88584c9b/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -247,6 +286,7 @@ Feature: Roles management
     When the following request is received:
       """
       GET /broken/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
       """
     Then the following reply is sent: