@toa.io/extensions.exposition 1.0.0-alpha.2 → 1.0.0-alpha.20

package/features/cache.feature

@@ -14,6 +14,7 @@ Feature: Caching
     Given the annotation:
       """yaml
       /:
+        io:output: true
         anonymous: true
         GET:
           cache:control: max-age=60000
@@ -37,6 +38,7 @@ Feature: Caching
     Given the annotation:
       """yaml
       /:
+        io:output: true
         cache:control: max-age=30000
         GET:
           anonymous: true
@@ -120,6 +122,7 @@ Feature: Caching
     Given the annotation:
       """yaml
       /:
+        io:output: true
         auth:role: developer
         cache:exact: max-age=60000, public
         GET:
@@ -158,3 +161,39 @@ Feature: Caching
       """
       cache-control:
       """
+
+  Scenario: Private responses are sent with `vary: authorization`
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    And the annotation:
+      """yaml
+      /:
+        /:id:
+          auth:id: id
+          cache:control: max-age=10000
+          GET:
+            dev:stub: Keep it
+      """
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    # `no-store` when token is issued
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      cache-control: private, max-age=10000
+      vary: authorization
+      """

package/features/cors.feature

@@ -19,10 +19,10 @@ Feature: CORS Support
       204 No Content
       access-control-allow-origin: https://hello.world
       access-control-allow-methods: GET, POST, PUT, PATCH, DELETE
-      access-control-allow-headers: accept, authorization, content-type
+      access-control-allow-headers: accept, authorization, content-type, etag, if-match, if-none-match
       access-control-allow-credentials: true
       access-control-max-age: 3600
-      cache-control: public, max-age=3600
+      cache-control: max-age=3600
       vary: origin
       """
     When the following request is received:

package/features/directives.feature

@@ -4,6 +4,7 @@ Feature: Directives
     Given the annotation:
       """yaml
       /:
+        io:output: true
         anonymous: true
         GET:
           dev:stub:
@@ -26,6 +27,7 @@ Feature: Directives
     Given the annotation:
       """yaml
       /:
+        io:output: true
         anonymous: true
         dev:stub:
           hello: again

package/features/dynamic.feature

@@ -11,6 +11,7 @@ Feature: Dynamic tree updates
       """yaml
       exposition:
         /:
+          io:output: true
           isolated: true
           GET: enumerate
       """
@@ -27,6 +28,7 @@ Feature: Dynamic tree updates
       """yaml
       exposition:
         /:
+          io:output: true
           GET: enumerate
       """
     When the following request is received:
@@ -44,19 +46,22 @@ Feature: Dynamic tree updates
       """yaml
       exposition:
         /:id:
+          io:output: true
           GET: observe
       """
     Then the `pots` is stopped
     Then the `pots` is running with the following manifest:
       """yaml
       exposition:
-        /:id:
-          GET: observe
-        /big:
-          GET:
-            endpoint: enumerate
-            query:
-              criteria: volume>200
+        /:
+          io:output: true
+          /:id:
+            GET: observe
+          /big:
+            GET:
+              endpoint: enumerate
+              query:
+                criteria: volume>200
       """
     When the following request is received:
       """
@@ -73,6 +78,7 @@ Feature: Dynamic tree updates
       """yaml
       exposition:
         /big:
+          io:output: true
           GET:
             endpoint: enumerate
             query:
@@ -83,6 +89,7 @@ Feature: Dynamic tree updates
       """yaml
       exposition:
         /big:
+          io:output: true
           GET:
             endpoint: enumerate
             query:

package/features/errors.feature

@@ -8,11 +8,13 @@ Feature: Errors
     When the following request is received:
       """
       GET <path> HTTP/1.1
-      accept: application/yaml
+      accept: text/plain
       """
     Then the following reply is sent:
       """
       404 Not Found
+
+      Route not found
       """
     Examples:
       | path                                 |
@@ -46,7 +48,7 @@ Feature: Errors
       accept: application/yaml
       """
     Then the following reply is sent:
-      """http
+      """
       405 Method Not Allowed
       """
 
@@ -57,7 +59,7 @@ Feature: Errors
       accept: application/yaml
       """
     Then the following reply is sent:
-      """http
+      """
       501 Not Implemented
       """
 
@@ -66,7 +68,7 @@ Feature: Errors
       """yaml
       exposition:
         /:
-          POST: transit
+          POST: create
       """
     When the following request is received:
       """
@@ -197,6 +199,7 @@ Feature: Errors
       """yaml
       /:
         GET:
+          io:output: true
           anonymous: true
           dev:stub: hello
       """

package/features/etag.feature

@@ -0,0 +1,97 @@
+Feature: Optimistic concurrency control
+
+  Scenario: Using `etag`
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          io:output: true
+          POST: create
+          /:id:
+            GET: observe
+            PUT: transit
+      """
+    When the following request is received:
+      """
+      POST /pots/ HTTP/1.1
+      accept: application/yaml
+      content-type: application/yaml
+
+      title: Hello
+      volume: 1.5
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      etag: "1"
+
+      id: ${{ id }}
+      """
+    When the following request is received:
+      """
+      GET /pots/${{ id }}/ HTTP/1.1
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      etag: "1"
+      """
+    When the following request is received:
+      """
+      GET /pots/${{ id }}/ HTTP/1.1
+      if-none-match: "1"
+      """
+    Then the following reply is sent:
+      """
+      304 Not Modified
+      etag: "1"
+      """
+    When the following request is received:
+      """
+      PUT /pots/${{ id }}/ HTTP/1.1
+      content-type: application/yaml
+      if-match: "38"
+
+      volume: 2.5
+      """
+    Then the following reply is sent:
+      """
+      412 Precondition Failed
+      """
+    When the following request is received:
+      """
+      PUT /pots/${{ id }}/ HTTP/1.1
+      content-type: application/yaml
+      if-match: "1"
+
+      volume: 2.5
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      etag: "2"
+      """
+
+  Scenario: Unexpected `if-match` format
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          /:id:
+            PUT: transit
+      """
+    When the following request is received:
+      """
+      PUT /pots/fa177da8393544139915795816ad6b97/ HTTP/1.1
+      accept: text/plain
+      content-type: application/yaml
+      if-match: "oopsie"
+
+      volume: 2.5
+      """
+    Then the following reply is sent:
+      """
+      400 Bad Request
+
+      Invalid ETag.
+      """

package/features/identity.bans.feature

@@ -0,0 +1,128 @@
+@security
+Feature: Bans
+
+  Background:
+    Given the `identity.basic` database contains:
+    # developer:secret
+    # user:12345
+      | _id                              | username  | password                                                     | _deleted |
+      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | null     |
+      | e8e4f9c2a68d419b861403d71fabc915 | user      | $2b$10$Frszmrmsz9iwSXzBbRRMKeDVKsNxozkrLNSsN.SnVC.KPxLtQr/bK | null     |
+    And the `identity.bans` database is empty
+
+  Scenario: Banning an Identity
+    Given the `identity.roles` database contains:
+      | _id                              | identity                         | role                 |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | system:identity:bans |
+    And the annotation:
+      """yaml
+      /:
+        /:id:
+          io:output: true
+          auth:id: id
+          GET:
+            dev:stub:
+              access: granted!
+      """
+    And the `identity.tokens` configuration:
+      """yaml
+      refresh: 1
+      """
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    When the following request is received:
+      """
+      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      banned: true
+      comment: Bye bye
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    # accessing a resource with a banned Identity
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    Then after 1 second
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      banned: false
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      authorization: Token ${{ new_token }}
+      """
+    # re-ban
+    When the following request is received:
+      """
+      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      banned: true
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Basic dXNlcjoxMjM0NQ==
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    Then after 1 second
+    When the following request is received:
+      """
+      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
+      authorization: Token ${{ new_token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """

package/features/identity.basic.feature

@@ -1,3 +1,4 @@
+@security
 Feature: Basic authentication
 
   Background:
@@ -16,20 +17,34 @@ Feature: Basic authentication
       """
       201 Created
       """
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: developer
+      password: secret#1234
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+      """
 
   Scenario: Creating new Identity using inception
     Given the `users` is running with the following manifest:
       """yaml
       exposition:
         /:
+          io:output: true
           anonymous: true     # checking compatibility with anonymous access
           POST:
             incept: id
             endpoint: transit
             query: ~
-        /:id:                 # credential testing route
-          id: id
-          GET: observe
+          /:id:                 # credential testing route
+            id: id
+            GET: observe
       """
     When the following request is received:
       """
@@ -67,11 +82,40 @@ Feature: Basic authentication
       """
       200 OK
       """
+    # username is taken
+    When the following request is received:
+      """
+      POST /users/ HTTP/1.1
+      authorization: Basic dXNlcjphbm90aGVycGFzczEyMzQ=
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+      """
+    # credentials already exists
+    When the following request is received:
+      """
+      POST /users/ HTTP/1.1
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
 
   Scenario: Changing the password
     Given the annotation:
       """yaml
       /:
+        io:output: true
         /:id:
           id: id
           GET:
@@ -115,6 +159,25 @@ Feature: Basic authentication
       200 OK
       """
 
+  Scenario: Changing other identity the password
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     | _version |
+      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
+      | 6c0be50cbfb043acafe69cc7d3895f84 | attacker  | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
+    When the following request is received:
+      """
+      PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic YXR0YWNrZXI6c2VjcmV0
+      accept: application/yaml
+      content-type: application/yaml
+
+      password: new-secret
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
   Scenario Outline: <problem> not meeting the requirements
     When the following request is received:
       """
@@ -173,6 +236,7 @@ Feature: Basic authentication
     And the annotation:
       """yaml
       /:
+        io:output: true
         GET:
           auth:role: system:stub
           dev:stub:
@@ -244,6 +308,7 @@ Feature: Basic authentication
       """yaml
       exposition:
         /:
+          io:output: true
           anonymous: true
           POST:
             incept: id

package/features/identity.federation.feature

@@ -1,10 +1,10 @@
+@security
 Feature: Identity Federation
 
   Background:
     Given the `identity.federation` database is empty
     Given local IDP is running
 
-
   Scenario: Getting identity for a new user
     Given the `identity.federation` configuration:
       """yaml
@@ -27,9 +27,8 @@ Feature: Identity Federation
 
       id: ${{ User.id }}
       roles: []
-      scheme: bearer
       """
-    # validate token
+    # validate TOKEN
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
@@ -39,9 +38,10 @@ Feature: Identity Federation
     Then the following reply is sent:
       """
       200 OK
+
       id: ${{ User.id }}
       """
-    # ensuring identity idemptotency
+    # ensuring identity idempotency
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
@@ -51,9 +51,39 @@ Feature: Identity Federation
     Then the following reply is sent:
       """
       200 OK
+
       id: ${{ User.id }}
       """
 
+  Scenario: Getting identity for a user with symmetric tokens
+    Given the `identity.federation` configuration:
+      """yaml
+      explicit_identity_creation: false
+      trust:
+        - issuer: http://localhost:44444
+          secrets:
+            HS384:
+              k1: the-secret
+      """
+    And the IDP HS384 token for GoodUser is issued with following secret:
+      """
+      the-secret
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ GoodUser.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ GoodUser.token }}
+
+      id: ${{ GoodUser.id }}
+      """
+
   Scenario: Creating an Identity using inception with existing credentials
     Given the `identity.federation` configuration:
       """yaml
@@ -66,8 +96,9 @@ Feature: Identity Federation
         /:
           anonymous: true
           POST:
+            io:output: true
             incept: id
-            endpoint: transit
+            endpoint: create
       """
     And the IDP token for Bill is issued
     When the following request is received:
@@ -123,3 +154,45 @@ Feature: Identity Federation
       """
       403 Forbidden
       """
+
+  Scenario: Granting a `system` role to a Principal
+    Given the `identity.federation` configuration:
+      """yaml
+      explicit_identity_creation: false
+      trust:
+        - issuer: http://localhost:44444
+      principal:
+        iss: http://localhost:44444
+        sub: root-mock-id
+      """
+    And the IDP token for root is issued
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Bearer ${{ root.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+      """
+    # create an identity
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ root.token }}
+
+      id: ${{ root.id }}
+      """
+    # check the role
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      accept: application/yaml
+      authorization: Token ${{ root.token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ root.id }}
+      roles:
+        - system
+      """