@toa.io/extensions.exposition 1.0.0-alpha.21 → 1.0.0-alpha.23

package/components/identity.tokens/source/authenticate.test.ts

@@ -8,6 +8,7 @@ let output: DecryptOutput
 let authenticate: Authenticate
 
 const identity: Identity = { id: generate() }
+const authority = generate()
 
 beforeEach(() => {
   configuration = {
@@ -36,9 +37,12 @@ it.each([
   const iat = new Date(now - configuration.refresh * 1000 + shift).toISOString()
   const exp = new Date(now + 1000).toISOString()
 
-  output = { identity, exp, iat, refresh: false }
+  output = { authority, identity, exp, iat, refresh: false }
 
-  const result = await authenticate.execute('')
+  const result = await authenticate.execute({
+    authority,
+    credentials: ''
+  })
 
   expect(result).toEqual({ identity, refresh: expected })
 })
@@ -48,9 +52,12 @@ it.each([true, false])('should return stale: %s',
     const iat = new Date().toISOString()
     const exp = new Date(Date.now() + 1000).toISOString()
 
-    output = { identity, exp, iat, refresh }
+    output = { authority, identity, exp, iat, refresh }
 
-    const result = await authenticate.execute('')
+    const result = await authenticate.execute({
+      authority,
+      credentials: ''
+    })
 
     expect(result).toEqual({ identity, refresh })
   })

package/components/identity.tokens/source/authenticate.ts

@@ -1,5 +1,5 @@
 import { type Maybe, type Operation } from '@toa.io/types'
-import { type AuthenticateOutput, type Context } from './types'
+import type { AuthenticateInput, AuthenticateOutput, Context } from './types'
 
 export class Computation implements Operation {
   private refresh: number = 0
@@ -12,12 +12,15 @@ export class Computation implements Operation {
     this.observe = context.local.observe
   }
 
-  public async execute (token: string): Promise<Maybe<AuthenticateOutput>> {
-    const claim = await this.decrypt({ input: token })
+  public async execute (input: AuthenticateInput): Promise<Maybe<AuthenticateOutput>> {
+    const claim = await this.decrypt({ input: input.credentials })
 
     if (claim instanceof Error)
       return claim
 
+    if (claim.authority !== input.authority)
+      return ERR_AUTHORITY
+
     const identity = claim.identity
     const iat = new Date(claim.iat).getTime()
     const transient = claim.exp !== undefined
@@ -39,4 +42,5 @@ export class Computation implements Operation {
   }
 }
 
+const ERR_AUTHORITY = new Error('AUTHORITY_MISMATCH')
 const ERR_TOKEN_REVOKED = new Error('TOKEN_REVOKED')

package/components/identity.tokens/source/decrypt.test.ts

@@ -7,6 +7,8 @@ let configuration: Configuration
 let context: Context
 let encrypt: Encrypt
 
+const authority = generate()
+
 beforeEach(() => {
   configuration = {
     key0: 'k3.local.m28p8SrbS467t-2IUjQuSOqmjvi24TbXhyjAW_dOrog',
@@ -25,14 +27,14 @@ it('should decrypt', async () => {
   const identity: Identity = { id: generate() }
   const lifetime = 100
 
-  const reply = await encrypt.execute({ identity, lifetime })
+  const reply = await encrypt.execute({ authority, identity, lifetime })
 
   if (reply === undefined)
     throw new Error('?')
 
   const decrypted = await decrypt(reply, context)
 
-  expect(decrypted).toMatchObject({ identity, refresh: false })
+  expect(decrypted).toMatchObject({ authority, identity, refresh: false })
 })
 
 it('should decrypt with key1', async () => {
@@ -48,7 +50,7 @@ it('should decrypt with key1', async () => {
   const identity: Identity = { id: generate() }
   const lifetime = 100
 
-  const encrypted = await encrypt.execute({ identity, lifetime })
+  const encrypted = await encrypt.execute({ authority, identity, lifetime })
 
   if (encrypted === undefined)
     throw new Error('?')

package/components/identity.tokens/source/decrypt.ts

@@ -2,8 +2,7 @@ import { V3 } from 'paseto'
 import { type Maybe } from '@toa.io/types'
 import { type Context, type Claim, type DecryptOutput } from './types'
 
-export async function computation (token: string, context: Context):
-Promise<Maybe<DecryptOutput>> {
+export async function computation (token: string, context: Context): Promise<Maybe<DecryptOutput>> {
   let refresh = false
   let claim = await decrypt(token, context.configuration.key0)
 
@@ -14,12 +13,14 @@ Promise<Maybe<DecryptOutput>> {
 
   if (claim === null)
     return ERR_INVALID_TOKEN
-  else return {
-    identity: claim.identity,
-    iat: claim.iat,
-    exp: claim.exp,
-    refresh
-  }
+  else
+    return {
+      authority: claim.aud,
+      identity: claim.identity,
+      iat: claim.iat,
+      exp: claim.exp,
+      refresh
+    }
 }
 
 async function decrypt (token: string, key: string): Promise<Claim | null> {

package/components/identity.tokens/source/encrypt.test.ts

@@ -8,6 +8,7 @@ import { type Context, type Identity } from './types'
 let encrypt: Encrypt
 
 const context: Context = {} as unknown as Context
+const authority = generate()
 
 beforeEach(() => {
   context.configuration = {
@@ -25,6 +26,7 @@ it('should encrypt with given lifetime', async () => {
   const lifetime = 0.1
 
   const encrypted = await encrypt.execute({
+    authority,
     identity,
     lifetime
   })
@@ -32,7 +34,7 @@ it('should encrypt with given lifetime', async () => {
   if (encrypted === undefined)
     throw new Error('?')
 
-  await expect(decrypt(encrypted, context)).resolves.toMatchObject({ identity })
+  await expect(decrypt(encrypted, context)).resolves.toMatchObject({ authority, identity })
 
   await timeout(lifetime * 1000)
 
@@ -44,6 +46,7 @@ it('should encrypt without lifetime INSECURE', async () => {
   const lifetime = 0
 
   const encrypted = await encrypt.execute({
+    authority,
     identity,
     lifetime
   })

package/components/identity.tokens/source/encrypt.ts

@@ -20,6 +20,7 @@ export class Effect implements Operation {
 
     const payload: Partial<Claim> = {
       identity: input.identity,
+      aud: input.authority,
       exp
     }
 

package/components/identity.tokens/source/types.ts

@@ -23,17 +23,24 @@ export interface Identity extends Record<string, any> {
   id: string
 }
 
+export interface AuthenticateInput {
+  authority: string
+  credentials: string
+}
+
 export interface AuthenticateOutput {
   identity: Identity
   refresh: boolean
 }
 
 export interface EncryptInput {
+  authority: string
   identity: Identity
   lifetime?: number
 }
 
 export interface DecryptOutput {
+  authority: string
   identity: Identity
   iat: string
   exp?: string
@@ -42,6 +49,7 @@ export interface DecryptOutput {
 
 export interface Claim {
   identity: Identity
+  aud: string
   iat: string
   exp?: string
 }

package/components/octets.storage/manifest.toa.yaml

@@ -19,9 +19,3 @@ operations:
   get: *simple
   list: *simple
   delete: *simple
-  permute:
-    bindings: ~
-    input:
-      storage*: string
-      path*: string
-      list*: [string]

package/documentation/authorities.md

@@ -0,0 +1,53 @@
+# Authorities
+
+Authorities are a mechanism that allows serving multiple domains from a single instance of the
+application.
+
+## Definition
+
+The `authorities` definition is a map of authority identifiers to the `:authority` pseudo-header
+values.
+
+```yaml
+# context.toa.yaml
+
+exposition:
+  authorities:
+    one: the.one.com
+    two: the.two.com
+```
+
+## Ingress
+
+Each host in the authority definition is used to create a Kubernetes Ingress resource.
+
+> If the application is accessed with the `:authority` that does not match the authority definition,
+> the response with `404` status code is returned.
+
+## Embedding
+
+To pass the requested authority to the operation call, [`vary:embed` directive](vary.md#embeddings)
+can be used.
+
+```yaml
+# manifest.toa.yaml
+
+exposition:
+  /:
+    GET:
+      vary:embed:
+        app: authority
+      endpoint: observe
+```
+
+## Identity
+
+Credentials stored or issued by the [authentication system](identity.md) are associated with an
+authority.
+Credentials in one authority are not valid in another,
+or may be associated with a different Identity; in other words, Identity exists in the context of an
+authority.
+
+> :warning:<br/>
+> Changing the authority identifier will break compatibility with existing stored or issued
+> credentials.

package/documentation/components.md

@@ -20,7 +20,7 @@ and pepper.
 configuration:
   identity.basic:
     rounds: 10 # salt rounds
-    peper: ''  # hashing pepper
+    pepper: '' # hashing pepper
 ```
 
 ### Credentials constraints
@@ -111,8 +111,8 @@ secrets.
 configuration:
   identity.federation:
     trust:
-      - issuer: https://token.actions.githubusercontent.com
-        audience:
+      - iss: https://token.actions.githubusercontent.com
+        aud:
           - https://github.com/tinovyatkin
           - https://github.com/temich
 

package/documentation/identity.md

@@ -1,36 +1,30 @@
 # Identity
 
 Identity is the fundamental entity within an authentication system that represents the **unique
-identifier** of an
-individual, organization, application or device.
+identifier** of an individual, organization, application or device.
 
-In order to prove its Identity, the request originator must provide a valid _credentials_ that are
-associated with that
-Identity.
+To prove its Identity, the request originator must provide a valid _credentials_ that are associated
+with that Identity.
 
 Identity is intrinsically linked to credentials, as an Identity is established only when the first
-set of credentials
-for that Identity is created.
+set of credentials for that Identity is created.
 In other words, the creation of credentials marks the inception of an Identity.
 Once the last credentials are removed from the Identity, it ceases to exist.
 Without credentials, there is no basis for defining or asserting an Identity.
 
 ## Authentication
 
-The Authenticaiton system resolves provided credentials to an Identity using one of the supported
-authentication
-schemes.
+The Authentication system resolves provided credentials to an Identity using one of the supported
+authentication schemes.
 
 The Authentication is request-agnostic, meaning it does not depend on the specific URL being
-requested or the content of
-the request body.
+requested or the content of the request body.
 The only information it handles is the value of the `Authorization` header.
 
-> Except for its own [management resources](#persistent-credentials).
+> Except for its own [management resources](components.md).
 
 If the provided credentials are not valid or not associated with an Identity, then Authentication
-interrupts request
-processing and responds with an authentication error.
+interrupts request processing and responds with an authentication error.
 
 ### Basic scheme
 
@@ -52,8 +46,8 @@ Authrization: Token v4.local.eyJzdWIiOiJqb2hu...
 
 The `Token` is the **primary** authentication scheme.
 If request originators use an alternative authentication scheme, they will receive a response
-containing `Token`
-credentials and will be required to switch to the `Token` scheme for any subsequent requests.
+containing `Token`credentials and will be required to switch to the `Token` scheme for any
+subsequent requests.
 Continued use of other authentication schemes will result in temporary blocking of requests.
 
 See [`identity.tokens` component](components.md#stateless-tokens).
@@ -69,7 +63,8 @@ to [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.ht
 Authorization: Bearer eyJhbGciOiJIUzI1...
 ```
 
-Trusted providers are specified using the `identity.federation` property within the configuration annotation.
+Trusted providers are specified using the `identity.federation` property within the configuration
+annotation.
 
 ```yaml
 # context.toa.yaml
@@ -77,13 +72,13 @@ Trusted providers are specified using the `identity.federation` property within
 configuration:
   identity.federation:
     trust:
-      - issuer: https://accounts.google.com
-        audience:
+      - iss: https://accounts.google.com
+        aud:
           - <GOOGLE_CLIENT_ID>
 
-      - issuer: https://appleid.apple.com
+      - iss: https://appleid.apple.com
 
-      - issuer: private.entity
+      - iss: private.entity
         secrets:
           HS384:
             key0: <THE-SECRET-STRING-FOR-HS384>

package/documentation/vary.md

@@ -7,17 +7,15 @@ operation call.
 
 ```yaml
 exposition:
-  realms:
-    toa: the.toa.io
   /:group:
     vary:languages: [en, fr]
     GET:
       vary:embed:
-        lang: language # predefined embeddings
-        realm: realm
+        app: authority # predefined embeddings
+        lang: language
         token: :x-access-token # raw header value
         group: /:group # route parameter
-      endpoint: dummies.get
+      endpoint: observe
 ```
 
 ## Embeddings
@@ -31,13 +29,9 @@ If the value is an array, the first non-empty embedding function's result is use
 > If a property is already present in the input, the embedded value will overwrite its current
 > value.
 
-### Realm
+### Authority
 
-Realm is an identifier of a domain used to access the Exposition.
-The list of domains is defined by the `vary:realms` directive,
-which is a map of realm names to their domain names.
-
-The `realm` embedding substitutes the realm identified based on the `host` request header.
+The `authority` embedding substitutes request [authority identifier](authorities.md).
 
 ### Language
 

package/features/access.feature

@@ -5,9 +5,9 @@ Feature: Access authorization
     Given the `identity.basic` database contains:
       # developer:secret
       # user:12345
-      | _id                              | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
-      | e8e4f9c2a68d419b861403d71fabc915 | user      | $2b$10$Frszmrmsz9iwSXzBbRRMKeDVKsNxozkrLNSsN.SnVC.KPxLtQr/bK |
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | e8e4f9c2a68d419b861403d71fabc915 | nex       | user      | $2b$10$Frszmrmsz9iwSXzBbRRMKeDVKsNxozkrLNSsN.SnVC.KPxLtQr/bK |
     And the `identity.bans` database is empty
 
   Scenario: Deny by default
@@ -21,6 +21,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       """
     Then the following reply is sent:
       """
@@ -40,6 +41,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       """
     Then the following reply is sent:
@@ -62,6 +64,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -83,6 +86,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -96,6 +100,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjoxMjM0NQ==
       accept: application/yaml
       """
@@ -122,6 +127,7 @@ Feature: Access authorization
       # identity with `developer` and `user` roles
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -136,6 +142,7 @@ Feature: Access authorization
       # identity with no roles
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjoxMjM0NQ==
       """
     Then the following reply is sent:
@@ -164,6 +171,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /nested/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: text/plain
       """
@@ -177,6 +185,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /javascript/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -203,6 +212,7 @@ Feature: Access authorization
       # identity with `developer` and `user` roles
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -240,6 +250,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /rust/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -253,6 +264,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /javascript/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -273,8 +285,37 @@ Feature: Access authorization
       """
     When the following request is received:
       """
-      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
-      authorization: Token v3.local.9oEtVJkfRw4cOJ8M4DxuVuAN29dGT26XMYyPAoXtwrkdkiJVSVj46sMNAOdlxwKGszJZV_ReOL26dxDVlsQ7QAIuRhRPlvsHYNOhcD-LApoAXV0S3IK16EMoEv7tE9z70FCLC3WoIW9RIQ8PR3uZhAdhSgBilsVOpWrk4XtnfCIlVwhYMKu79a66oZZhV2Q7Kl3nfYsf84-6rAL_1H0MsqCDUHVXuIg
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ developer.token }}
+
+      id: ${{ developer.id }}
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjoxMjM0NQ==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ user.token }}
+
+      id: ${{ user.id }}
+      """
+    When the following request is received:
+      """
+      GET /${{ developer.id }}/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ developer.token }}
       accept: application/yaml
       """
     Then the following reply is sent:
@@ -290,8 +331,9 @@ Feature: Access authorization
       """
     When the following request is received:
       """
-      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
-      authorization: Token v3.local.cjlxn4IJ9hI92KuksguzDx7_kYxgDFFGFnfNchf0cWnmos34dqX2XpTAUBd-LqgqfuH-lVGfNvjBUkw5JtHRBiIAVaPHF3Ncc0eafwgH2DPme9pndZL92fWryGnJ-sMHA28Q6UcXsIfhgd2JZ0n-585SBhwlosC3gKTcVHK7XNljeaTen4jZPw8uY-pdbsm6dDq3aKMzl8K78_BTTfiNPG2cI_aNuHw
+      GET /${{ user.id }}/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ developer.token }}
       accept: application/yaml
       """
     Then the following reply is sent:
@@ -315,6 +357,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -329,6 +372,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       accept: application/yaml
       """
@@ -355,6 +399,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -368,6 +413,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token v3.local.9oEtVJkfRw4cOJ8M4DxuVuAN29dGT26XMYyPAoXtwrkdkiJVSVj46sMNAOdlxwKGszJZV_ReOL26dxDVlsQ7QAIuRhRPlvsHYNOhcD-LApoAXV0S3IK16EMoEv7tE9z70FCLC3WoIW9RIQ8PR3uZhAdhSgBilsVOpWrk4XtnfCIlVwhYMKu79a66oZZhV2Q7Kl3nfYsf84-6rAL_1H0MsqCDUHVXuIg
       accept: text/plain
       """
@@ -390,6 +436,7 @@ Feature: Access authorization
     When the following request is received:
       """
       POST /identity/roles/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       content-type: application/yaml
 
       role: developer
@@ -414,6 +461,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /echo/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """

package/features/annotation.feature

@@ -18,6 +18,7 @@ Feature: Annotation
     When the following request is received:
       """
       GET /foo/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       """
     Then the following reply is sent: