@toa.io/extensions.exposition 1.0.0-alpha.2 → 1.0.0-alpha.21

package/features/identity.roles.feature

@@ -1,6 +1,9 @@
+@security
 Feature: Roles management
 
-  Scenario: Adding a role to an Identity
+  Scenario: Granting a role to an Identity
+    # root:secret
+    # user:pass
     Given the `identity.basic` database contains:
       | _id                              | username | password                                                     |
       | 72cf9b0ab0ac4ab2b8036e4e940ddcae | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
@@ -11,6 +14,7 @@ Feature: Roles management
     And the annotation:
       """yaml
       /:
+        io:output: true
         auth:role: test
         GET:
           dev:stub:
@@ -31,6 +35,7 @@ Feature: Roles management
       """
       POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
       authorization: Basic cm9vdDpzZWNyZXQ=
+      accept: application/yaml
       content-type: application/yaml
 
       role: test
@@ -38,6 +43,8 @@ Feature: Roles management
     Then the following reply is sent:
       """
       201 Created
+
+      grantor: 72cf9b0ab0ac4ab2b8036e4e940ddcae
       """
     When the following request is received:
       # user now have the role
@@ -49,3 +56,200 @@ Feature: Roles management
       """
       200 OK
       """
+
+  Scenario Outline: Delegating roles
+    # moderator:secret
+    # assistant:pass
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                             |
+      | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles:delegation |
+      | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:moderation                   |
+    And the annotation:
+      """yaml
+      /:
+        io:output: true
+        auth:role: app:moderation:photos
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      # assistant doesn't have the required role
+      """
+      GET / HTTP/1.1
+      authorization: Basic YXNzaXN0YW50OnBhc3M=
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+    When the following request is received:
+      # moderator delegates a role to an assistant
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      content-type: application/yaml
+
+      role: <role>
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    When the following request is received:
+      # assistant has access
+      """
+      GET / HTTP/1.1
+      authorization: Basic YXNzaXN0YW50OnBhc3M=
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    Examples:
+      | role                  |
+      | app:moderation        |
+      | app:moderation:photos |
+
+  Scenario: Delegating role out of own scope
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                             |
+      | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles:delegation |
+      | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:moderation                   |
+    And the annotation:
+      """yaml
+      /:
+        io:output: true
+        auth:role: app:moderation:photos
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      accept: application/yaml
+      content-type: application/yaml
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+
+      role: app:finance
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+
+      code: OUT_OF_SCOPE
+      """
+
+  Scenario: Delegating role without `system:identity:roles:delegation` role
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+      | 4344518184ad44228baffce7a44fd0b1 | assistant | $2b$10$JoiAQUS7tzobDAFIDBWhWeEIJv933dQetyjRzSmfQGaJE5ZlJbmYy |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role           |
+      | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:moderation |
+    And the annotation:
+      """yaml
+      /:
+        io:output: true
+        auth:role: app:moderation:photos
+        GET:
+          dev:stub:
+            access: granted!
+      """
+    When the following request is received:
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      content-type: application/yaml
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+
+      role: app:moderation
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario Outline: Invalid role name
+    Given the `identity.basic` database contains:
+      | _id                              | username | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | root     | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                  |
+      | 9c4702490ff84f2a9e1b1da2ab64bdd4 | 72cf9b0ab0ac4ab2b8036e4e940ddcae | system:identity:roles |
+    When the following request is received:
+      # root adds a role to a user
+      """
+      POST /identity/roles/4344518184ad44228baffce7a44fd0b1/ HTTP/1.1
+      authorization: Basic cm9vdDpzZWNyZXQ=
+      content-type: application/yaml
+
+      role: <role>
+      """
+    Then the following reply is sent:
+      """
+      400 Bad Request
+      """
+    Examples:
+      | role          |
+      | app!          |
+      | app:          |
+      | app:no spaces |
+
+  Scenario: Dynamic roles
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | 72cf9b0ab0ac4ab2b8036e4e940ddcae | moderator | $2b$10$Qq/qnyyU5wjrbDXyWok14OnqAZv/z.pLhz.UddatjI6eHU/rFof4i |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role                    |
+      | 30c969e05ff6437097ed5f07fc52358e | 72cf9b0ab0ac4ab2b8036e4e940ddcae | app:29e54ae1:moderation |
+    And the annotation:
+      """yaml
+      /:
+        /broken:
+          auth:role: app:{org}:moderation
+          GET:
+            dev:stub: never
+        /:org:
+          io:output: true
+          auth:role: app:{org}:moderation
+          GET:
+            dev:stub:
+              access: granted!
+      """
+    When the following request is received:
+      """
+      GET /29e54ae1/ HTTP/1.1
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /88584c9b/ HTTP/1.1
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+    When the following request is received:
+      """
+      GET /broken/ HTTP/1.1
+      authorization: Basic bW9kZXJhdG9yOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      500 Internal Server Error
+      """

package/features/identity.tokens.feature

@@ -1,3 +1,4 @@
+@security
 Feature: Tokens lifecycle
 
   Scenario: Switching to Token authentication scheme
@@ -7,6 +8,7 @@ Feature: Tokens lifecycle
     Given the annotation:
       """yaml
       /:
+        io:output: true
         /hello/:id:
           auth:id: id
           GET:
@@ -35,6 +37,7 @@ Feature: Tokens lifecycle
     And the annotation:
       """yaml
       /:
+        io:output: true
         /hello/:id:
           auth:id: id
           GET:
@@ -64,6 +67,7 @@ Feature: Tokens lifecycle
       """
       200 OK
       authorization: Token
+      cache-control: no-store
 
       Hello
       """
@@ -72,6 +76,7 @@ Feature: Tokens lifecycle
     Given the annotation:
       """yaml
       /:
+        io:output: true
         /:id:
           id: id
           GET:
@@ -117,3 +122,96 @@ Feature: Tokens lifecycle
       """
       401 Unauthorized
       """
+
+  Scenario: Issuing own token
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      """
+    When the following request is received:
+      """
+      POST /identity/tokens/ HTTP/1.1
+      authorization: Token ${{ token }}
+      content-type: application/yaml
+
+      lifetime: 0
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    # Token scheme must be used
+    When the following request is received:
+      """
+      POST /identity/tokens/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      content-type: application/yaml
+
+      lifetime: 60
+      """
+    Then the following reply is sent:
+      """
+      403 Forbidden
+      """
+
+  Scenario: Responses with tokens comes with `no-store`
+    Given the `identity.tokens` configuration:
+      """yaml
+      refresh: 1
+      """
+    And the annotation:
+      """yaml
+      /:
+        io:output: true
+        /hello/:id:
+          auth:id: id
+          GET:
+            dev:stub: Hello
+        /cacheable/:id:
+          auth:id: id
+          cache:control: max-age=10000
+          GET:
+            dev:stub: Keep it
+      """
+    When the following request is received:
+      """
+      GET /hello/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      cache-control: no-store
+      """
+    Then after 1 second
+    When the following request is received:
+      """
+      GET /cacheable/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ fresh_token }}
+      cache-control: no-store
+      """
+    When the following request is received:
+      """
+      GET /cacheable/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      authorization: Token ${{ fresh_token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      cache-control: private, max-age=10000
+      """

package/features/io.feature

@@ -0,0 +1,196 @@
+@security
+Feature: IO restrictions
+
+  Background:
+    Given the `pots` database contains:
+      | _id                              | title      | volume | temperature |
+      | 4c4759e6f9c74da989d64511df42d6f4 | First pot  | 100    | 80          |
+      | 99988d785d7d445cad45dbf8531f560b | Second pot | 200    | 30          |
+
+  Scenario: Output is omitted by default
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          GET: enumerate
+          /:id:
+            GET: observe
+      """
+    When the following request is received:
+      """
+      GET /pots/4c4759e6f9c74da989d64511df42d6f4/ HTTP/1.1
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-length: 0
+      """
+    When the following request is received:
+      """
+      GET /pots/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-length: 0
+      """
+
+  Scenario: Output is omitted by intention
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:id:
+          io:output: false
+          GET: observe
+      """
+    When the following request is received:
+      """
+      GET /pots/4c4759e6f9c74da989d64511df42d6f4/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-length: 0
+      """
+
+  Scenario: Output permissions
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          io:output: [id, volume]
+          GET: enumerate
+          /:id:
+            GET: observe
+      """
+    When the following request is received:
+      """
+      GET /pots/4c4759e6f9c74da989d64511df42d6f4/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: 4c4759e6f9c74da989d64511df42d6f4
+      volume: 100
+      """
+    And the reply does not contain:
+      """
+      title:
+      temperature:
+      """
+    When the following request is received:
+      """
+      GET /pots/ HTTP/1.1
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      content-type: application/yaml
+
+      - id: 4c4759e6f9c74da989d64511df42d6f4
+        volume: 100
+      - id: 99988d785d7d445cad45dbf8531f560b
+        volume: 200
+      """
+    And the reply does not contain:
+      """
+      title:
+      temperature:
+      """
+
+  Scenario: Input is unrestricted by default
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          io:output: true
+          POST: create
+      """
+    When the following request is received:
+      """
+      POST /pots/ HTTP/1.1
+      accept: application/yaml
+      content-type: application/yaml
+
+      title: Hello
+      volume: 1.5
+      temperature: 80
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      title: Hello
+      volume: 1.5
+      temperature: 80
+      """
+
+  Scenario: Input permissions
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          io:input: [title, volume]
+          io:output: [id]
+          POST: create
+      """
+    When the following request is received:
+      """
+      POST /pots/ HTTP/1.1
+      accept: text/plain
+      content-type: application/yaml
+
+      title: Hello
+      volume: 1.5
+      temperature: 80
+      """
+    Then the following reply is sent:
+      """
+      400 Bad Request
+
+      Unexpected input: temperature
+      """
+    When the following request is received:
+      """
+      POST /pots/ HTTP/1.1
+      content-type: application/yaml
+
+      title: Hello
+      volume: 1.5
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+
+  Scenario: IO shortcuts
+    Given the `pots` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          input: [title, volume]
+          output: [id, title, volume]
+          POST: create
+      """
+    When the following request is received:
+      """
+      POST /pots/ HTTP/1.1
+      accept: application/yaml
+      content-type: application/yaml
+
+      title: Hello
+      volume: 1.5
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id:
+      title: Hello
+      volume: 1.5
+      """

package/features/octets.entries.feature

@@ -1,9 +1,10 @@
-Feature: Accessing entires
+Feature: Accessing entries
 
   Scenario: Entries are not accessible by default
     Given the annotation:
       """yaml
       /:
+        io:output: true
         auth:anonymous: true
         octets:context: octets
         POST:
@@ -50,6 +51,7 @@ Feature: Accessing entires
     Given the annotation:
       """yaml
       /:
+        io:output: true
         auth:anonymous: true
         octets:context: octets
         POST:

package/features/octets.feature

@@ -4,6 +4,7 @@ Feature: Octets directive family
     Given the annotation:
       """yaml
       /:
+        io:output: true
         auth:anonymous: true
         octets:context: octets
         POST:
@@ -32,6 +33,9 @@ Feature: Octets directive family
             POST:
               octets:store:
                 accept: image/*
+            /*:
+              GET:
+                octets:fetch: ~
       """
 
   Scenario: Basic storage operations
@@ -186,23 +190,40 @@ Feature: Octets directive family
       201 Created
       """
 
-  Scenario Outline: Receiving <format> images
-    When the stream of `sample.<format>` is received with the following headers:
+  Scenario Outline: Detecting `<type>`
+    When the stream of `sample.<ext>` is received with the following headers:
       """
       POST /media/images/ HTTP/1.1
+      accept: application/yaml
       """
     Then the following reply is sent:
       """
       201 Created
+
+      type: <type>
       """
     Examples:
-      | format |
-      | jpeg   |
-      | jxl    |
-      | gif    |
-      | heic   |
-      | avif   |
-      | webp   |
+      | ext  | type       |
+      | jpeg | image/jpeg |
+      | jxl  | image/jxl  |
+      | gif  | image/gif  |
+      | heic | image/heic |
+      | avif | image/avif |
+      | webp | image/webp |
+
+  Scenario: Accepting `image/svg+xml`
+    When the stream of `sample.svg` is received with the following headers:
+      """
+      POST /media/images/ HTTP/1.1
+      content-type: image/svg+xml
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      type: image/svg+xml
+      """
 
   Scenario: Fetching non-existent BLOB
     When the following request is received:
@@ -234,10 +255,11 @@ Feature: Octets directive family
       Trailing slash is redundant.
       """
 
-  Scenario: Original BLOLB is not accessible
+  Scenario: Original BLOB is not accessible
     Given the annotation:
       """yaml
       /:
+        io:output: true
         auth:anonymous: true
         octets:context: octets
         POST:

package/features/octets.meta.feature

@@ -5,6 +5,7 @@ Feature: Octets `content-meta` header
     And the annotation:
       """yaml
       /:
+        io:output: true
         auth:anonymous: true
         octets:context: octets
         /*:
@@ -55,11 +56,11 @@ Feature: Octets `content-meta` header
     When the following request is received:
       """
       OPTIONS / HTTP/1.1
-      origin: http://example.com
+      origin: https://example.com
       """
     Then the following reply is sent:
       """
       204 No Content
-      access-control-allow-origin: http://example.com
-      access-control-allow-headers: accept, authorization, content-type, content-meta
+      access-control-allow-origin: https://example.com
+      access-control-allow-headers: accept, authorization, content-type, etag, if-match, if-none-match, content-meta
       """