@toa.io/extensions.exposition 1.0.0-alpha.3 → 1.0.0-alpha.30

package/features/authorities.basic.feature

@@ -0,0 +1,141 @@
+Feature: Basic credentials with authorities
+
+  Scenario: Basic credentials are scoped to authorities
+    Given the annotation:
+      """yaml
+      authorities:
+        one: the.one.com
+        two: the.two.com
+      /:
+        /:id:
+          auth:id: id
+          io:output: true
+          GET:
+            dev:stub: Hello
+      """
+
+    # create basic credentials within the `one` authority
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.one.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: #{{ id | set one.username }}
+      password: #{{ password 8 | set one.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ one.id }}
+      """
+
+    # create basic credentials within the `two` authority
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.two.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: #{{ id | set two.username }}
+      password: #{{ password 8 | set two.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ two.id }}
+      """
+
+    # access the resource with the `one` authority
+    When the following request is received:
+      """
+      GET /${{ one.id }}/ HTTP/1.1
+      host: the.one.com
+      authorization: Basic #{{ basic one }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /${{ two.id }}/ HTTP/1.1
+      host: the.one.com
+      authorization: Basic #{{ basic two }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+
+    # access the resource with the `two` authority
+    When the following request is received:
+      """
+      GET /${{ one.id }}/ HTTP/1.1
+      host: the.two.com
+      authorization: Basic #{{ basic one }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      GET /${{ two.id }}/ HTTP/1.1
+      host: the.two.com
+      authorization: Basic #{{ basic two }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+    # create `one` credentials in the `two` authority
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.one.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: ${{ one.username }}
+      password: ${{ one.password }}
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+      """
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.two.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: ${{ one.username }}
+      password: ${{ one.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+
+    # create `two` credentials in the `one` authority
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.one.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: ${{ two.username }}
+      password: ${{ two.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """

package/features/authorities.feature

@@ -0,0 +1,32 @@
+Feature: Authorities
+
+  Scenario: Accessing an authority
+    Given the annotation:
+      """yaml
+      authorities:
+        example: the.example.com
+      /:
+        anonymous: true
+        GET:
+          dev:stub: Hello
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      host: the.example.com
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      host: the.other.com
+      """
+    Then the following reply is sent:
+      """
+      404 Not Found
+
+      Unknown authority
+      """

package/features/authorities.federation.feature

@@ -0,0 +1,99 @@
+Feature: OIDC tokens with authorities
+
+  Scenario: OIDC tokens are scoped to authorities
+    Given the annotation:
+      """yaml
+      authorities:
+        one: the.one.com
+        two: the.two.com
+      /:
+        /:id:
+          auth:id: id
+          GET:
+            dev:stub: Hello
+      """
+    And local IDP is running
+    And the `identity.federation` database is empty
+    And the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      """
+    And the IDP token for One is issued
+    And the IDP token for Two is issued
+
+    # create identities
+    When the following request is received:
+      """
+      POST /identity/federation/ HTTP/1.1
+      host: the.one.com
+      accept: application/yaml
+      content-type: application/yaml
+
+      credentials: ${{ One.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ One.id }}
+      """
+    When the following request is received:
+      """
+      POST /identity/federation/ HTTP/1.1
+      host: the.two.com
+      accept: application/yaml
+      content-type: application/yaml
+
+      credentials: ${{ Two.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ Two.id }}
+      """
+
+    # access `one` authority
+    When the following request is received:
+      """
+      GET /${{ One.id }}/ HTTP/1.1
+      host: the.one.com
+      authorization: Bearer ${{ One.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /${{ Two.id }}/ HTTP/1.1
+      host: the.one.com
+      authorization: Bearer ${{ Two.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+
+    # access `two` authority
+    When the following request is received:
+      """
+      GET /${{ One.id }}/ HTTP/1.1
+      host: the.two.com
+      authorization: Bearer ${{ One.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      GET /${{ Two.id }}/ HTTP/1.1
+      host: the.two.com
+      authorization: Bearer ${{ Two.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """

package/features/authorities.tokens.feature

@@ -0,0 +1,118 @@
+Feature: Token credentials with authorities
+
+  Scenario: Tokens are scoped to authorities
+    Given the annotation:
+      """yaml
+      authorities:
+        one: the.one.com
+        two: the.two.com
+      /:
+        /:id:
+          auth:id: id
+          GET:
+            dev:stub: Hello
+      """
+
+    # create identity within the `one` authority
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.one.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: #{{ id | set one.username }}
+      password: '#{{ password 8 | set one.password }}'
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: the.one.com
+      accept: application/yaml
+      authorization: Basic #{{ basic one }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ one.token }}
+
+      id: ${{ one.id }}
+      """
+
+    # create identity within the `two` authority
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.two.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: #{{ id | set two.username }}
+      password: '#{{ password 8 | set two.password }}'
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: the.two.com
+      accept: application/yaml
+      authorization: Basic #{{ basic two }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ two.token }}
+
+      id: ${{ two.id }}
+      """
+
+    # access `one` authority
+    When the following request is received:
+      """
+      GET /${{ one.id }}/ HTTP/1.1
+      host: the.one.com
+      authorization: Token ${{ one.token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /${{ two.id }}/ HTTP/1.1
+      host: the.one.com
+      authorization: Token ${{ two.token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+
+    # access `two` authority
+    When the following request is received:
+      """
+      GET /${{ one.id }}/ HTTP/1.1
+      host: the.two.com
+      authorization: Token ${{ one.token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      GET /${{ two.id }}/ HTTP/1.1
+      host: the.two.com
+      authorization: Token ${{ two.token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """

package/features/body.feature

@@ -5,11 +5,13 @@ Feature: Request body
       """yaml
       exposition:
         /:
-          POST: transit
+          io:output: true
+          POST: create
       """
     When the following request is received:
       """
       POST /pots/ HTTP/1.1
+      host: nex.toa.io
       content-type: application/yaml
 
       title: Hello
@@ -25,11 +27,13 @@ Feature: Request body
       """yaml
       exposition:
         /:name:
+          io:output: true
           GET: <operation>
       """
     When the following request is received:
       """
       GET /echo/world/ HTTP/1.1
+      host: nex.toa.io
       accept: text/plain
       """
     Then the following reply is sent:

package/features/cache.feature

@@ -4,8 +4,8 @@ Feature: Caching
     Given the `identity.basic` database contains:
       # developer:secret
       # user:12345
-      | _id                              | username  | password                                                     |
-      | b70a7dbca6b14a2eaac8a9eb4b2ff4db | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | authority | username  | password                                                     |
+      | b70a7dbca6b14a2eaac8a9eb4b2ff4db | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     Given the `identity.roles` database contains:
       | _id                              | identity                         | role      |
       | 775a648d054e4ce1a65f8f17e5b51803 | b70a7dbca6b14a2eaac8a9eb4b2ff4db | developer |
@@ -14,6 +14,7 @@ Feature: Caching
     Given the annotation:
       """yaml
       /:
+        io:output: true
         anonymous: true
         GET:
           cache:control: max-age=60000
@@ -22,6 +23,7 @@ Feature: Caching
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       accept: text/plain
       """
     Then the following reply is sent:
@@ -37,6 +39,7 @@ Feature: Caching
     Given the annotation:
       """yaml
       /:
+        io:output: true
         cache:control: max-age=30000
         GET:
           anonymous: true
@@ -51,9 +54,22 @@ Feature: Caching
           GET:
             dev:stub: hello
       """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      cache-control: no-store
+      """
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       accept: text/plain
       """
     Then the following reply is sent:
@@ -67,8 +83,9 @@ Feature: Caching
     When the following request is received:
       """
       GET /foo/ HTTP/1.1
+      host: nex.toa.io
       accept: text/plain
-      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      authorization: Token ${{ token }}
       """
     Then the following reply is sent:
       """
@@ -81,8 +98,9 @@ Feature: Caching
     When the following request is received:
       """
       GET /bar/ HTTP/1.1
+      host: nex.toa.io
       accept: text/plain
-      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      authorization: Token ${{ token }}
       """
     Then the following reply is sent:
       """
@@ -109,6 +127,7 @@ Feature: Caching
     When the following request is received:
       """
       POST / HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       """
     Then the reply does not contain:
@@ -120,6 +139,7 @@ Feature: Caching
     Given the annotation:
       """yaml
       /:
+        io:output: true
         auth:role: developer
         cache:exact: max-age=60000, public
         GET:
@@ -127,8 +147,21 @@ Feature: Caching
       """
     When the following request is received:
       """
-      GET / HTTP/1.1
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      cache-control: no-store
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
       accept: text/plain
 
       """
@@ -152,9 +185,49 @@ Feature: Caching
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       accept: text/plain
       """
     Then the reply does not contain:
       """
       cache-control:
       """
+
+  Scenario: Private responses are sent with `vary: authorization`
+    Given the `identity.basic` database contains:
+      | _id                              | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    And the annotation:
+      """yaml
+      /:
+        /:id:
+          auth:id: id
+          cache:control: max-age=10000
+          GET:
+            dev:stub: Keep it
+      """
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      """
+    # `no-store` when token is issued
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ token }}
+      cache-control: no-store
+      """
+    When the following request is received:
+      """
+      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      cache-control: private, max-age=10000
+      vary: authorization
+      """

package/features/cors.feature

@@ -12,6 +12,7 @@ Feature: CORS Support
     When the following request is received:
       """
       OPTIONS / HTTP/1.1
+      host: nex.toa.io
       origin: https://hello.world
       """
     Then the following reply is sent:
@@ -19,15 +20,16 @@ Feature: CORS Support
       204 No Content
       access-control-allow-origin: https://hello.world
       access-control-allow-methods: GET, POST, PUT, PATCH, DELETE
-      access-control-allow-headers: accept, authorization, content-type
+      access-control-allow-headers: accept, authorization, content-type, etag, if-match, if-none-match
       access-control-allow-credentials: true
       access-control-max-age: 3600
-      cache-control: public, max-age=3600
+      cache-control: max-age=3600
       vary: origin
       """
     When the following request is received:
       """
       GET /foo/ HTTP/1.1
+      host: nex.toa.io
       origin: https://hello.world
       """
     Then the following reply is sent:
@@ -49,6 +51,7 @@ Feature: CORS Support
     When the following request is received:
       """
       GET /bar/ HTTP/1.1
+      host: nex.toa.io
       origin: https://hello.world
       """
     Then the following reply is sent:
@@ -61,6 +64,7 @@ Feature: CORS Support
     When the following request is received:
       """
       GET /foo/ HTTP/1.1
+      host: nex.toa.io
       origin: https://hello.world
       """
     Then the following reply is sent:

package/features/debug.feature

@@ -0,0 +1,34 @@
+Feature: Debugging
+
+  Scenario: Operation call
+    Given the `identity.basic` database contains:
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+    And the `identity.roles` database contains:
+      | _id                              | identity                         | role      |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | developer |
+    And the annotation:
+      """yaml
+      debug: true
+      """
+    And the `greeter` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          auth:role: developer
+          io:output: true
+          GET: greet
+      """
+    When the following request is received:
+      """
+      GET /greeter/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: text/plain
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      Hello
+      """

package/features/directives.feature

@@ -4,6 +4,7 @@ Feature: Directives
     Given the annotation:
       """yaml
       /:
+        io:output: true
         anonymous: true
         GET:
           dev:stub:
@@ -12,6 +13,7 @@ Feature: Directives
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       accept: application/json
       """
     Then the following reply is sent:
@@ -26,6 +28,7 @@ Feature: Directives
     Given the annotation:
       """yaml
       /:
+        io:output: true
         anonymous: true
         dev:stub:
           hello: again
@@ -36,6 +39,7 @@ Feature: Directives
     When the following request is received:
       """
       GET /pots/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       """
     Then the following reply is sent:
@@ -48,6 +52,7 @@ Feature: Directives
     When the following request is received:
       """
       GET /pots/non-existent/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       """
     Then the following reply is sent: