@toa.io/extensions.exposition 1.0.0-alpha.4 → 1.0.0-alpha.41

package/features/access.feature

@@ -1,12 +1,13 @@
+@security
 Feature: Access authorization
 
   Background:
     Given the `identity.basic` database contains:
       # developer:secret
       # user:12345
-      | _id                              | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
-      | e8e4f9c2a68d419b861403d71fabc915 | user      | $2b$10$Frszmrmsz9iwSXzBbRRMKeDVKsNxozkrLNSsN.SnVC.KPxLtQr/bK |
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | e8e4f9c2a68d419b861403d71fabc915 | nex       | user      | $2b$10$Frszmrmsz9iwSXzBbRRMKeDVKsNxozkrLNSsN.SnVC.KPxLtQr/bK |
     And the `identity.bans` database is empty
 
   Scenario: Deny by default
@@ -20,6 +21,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       """
     Then the following reply is sent:
       """
@@ -30,6 +32,7 @@ Feature: Access authorization
     Given the annotation:
       """yaml
       /:
+        io:output: true
         auth:anonymous: true
         GET:
           dev:stub:
@@ -38,6 +41,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       """
     Then the following reply is sent:
@@ -60,6 +64,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -71,6 +76,7 @@ Feature: Access authorization
     Given the annotation:
       """yaml
       /:
+        io:output: true
         /:id:
           auth:id: id
           GET:
@@ -80,6 +86,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -93,6 +100,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjoxMjM0NQ==
       accept: application/yaml
       """
@@ -109,6 +117,7 @@ Feature: Access authorization
     And the annotation:
       """yaml
       /:
+        io:output: true
         auth:role: developer
         GET:
           dev:stub:
@@ -118,6 +127,7 @@ Feature: Access authorization
       # identity with `developer` and `user` roles
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -132,6 +142,7 @@ Feature: Access authorization
       # identity with no roles
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjoxMjM0NQ==
       """
     Then the following reply is sent:
@@ -146,6 +157,7 @@ Feature: Access authorization
     And the annotation:
       """yaml
       /:
+        io:output: true
         /:
           auth:role: developer:rust:junior  # role scope matches
           /nested:
@@ -159,6 +171,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /nested/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: text/plain
       """
@@ -172,6 +185,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /javascript/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -190,6 +204,7 @@ Feature: Access authorization
           - developer
           - admin
         GET:
+          io:output: true
           dev:stub:
             access: granted!
       """
@@ -197,6 +212,7 @@ Feature: Access authorization
       # identity with `developer` and `user` roles
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -215,6 +231,7 @@ Feature: Access authorization
     And the annotation:
       """yaml
       /:
+        io:output: true
         /rust/:id:
           auth:rule:
             id: id
@@ -233,6 +250,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /rust/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -246,6 +264,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /javascript/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -257,6 +276,7 @@ Feature: Access authorization
     Given the annotation:
       """yaml
       /:
+        io:output: true
         /:id:
           auth:id: id
           GET:
@@ -265,8 +285,37 @@ Feature: Access authorization
       """
     When the following request is received:
       """
-      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
-      authorization: Token v3.local.9oEtVJkfRw4cOJ8M4DxuVuAN29dGT26XMYyPAoXtwrkdkiJVSVj46sMNAOdlxwKGszJZV_ReOL26dxDVlsQ7QAIuRhRPlvsHYNOhcD-LApoAXV0S3IK16EMoEv7tE9z70FCLC3WoIW9RIQ8PR3uZhAdhSgBilsVOpWrk4XtnfCIlVwhYMKu79a66oZZhV2Q7Kl3nfYsf84-6rAL_1H0MsqCDUHVXuIg
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ developer.token }}
+
+      id: ${{ developer.id }}
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjoxMjM0NQ==
+      accept: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ user.token }}
+
+      id: ${{ user.id }}
+      """
+    When the following request is received:
+      """
+      GET /${{ developer.id }}/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ developer.token }}
       accept: application/yaml
       """
     Then the following reply is sent:
@@ -282,8 +331,9 @@ Feature: Access authorization
       """
     When the following request is received:
       """
-      GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
-      authorization: Token v3.local.cjlxn4IJ9hI92KuksguzDx7_kYxgDFFGFnfNchf0cWnmos34dqX2XpTAUBd-LqgqfuH-lVGfNvjBUkw5JtHRBiIAVaPHF3Ncc0eafwgH2DPme9pndZL92fWryGnJ-sMHA28Q6UcXsIfhgd2JZ0n-585SBhwlosC3gKTcVHK7XNljeaTen4jZPw8uY-pdbsm6dDq3aKMzl8K78_BTTfiNPG2cI_aNuHw
+      GET /${{ user.id }}/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ developer.token }}
       accept: application/yaml
       """
     Then the following reply is sent:
@@ -295,6 +345,7 @@ Feature: Access authorization
     Given the annotation:
       """yaml
       /:
+        io:output: true
         auth:role: developer
         GET:
           dev:stub:
@@ -306,6 +357,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -320,6 +372,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       accept: application/yaml
       """
@@ -335,6 +388,7 @@ Feature: Access authorization
     Given the annotation:
       """yaml
       /:
+        io:output: true
         /:id:
           auth:scheme: basic
           auth:id: id
@@ -345,6 +399,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -358,6 +413,7 @@ Feature: Access authorization
     When the following request is received:
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token v3.local.9oEtVJkfRw4cOJ8M4DxuVuAN29dGT26XMYyPAoXtwrkdkiJVSVj46sMNAOdlxwKGszJZV_ReOL26dxDVlsQ7QAIuRhRPlvsHYNOhcD-LApoAXV0S3IK16EMoEv7tE9z70FCLC3WoIW9RIQ8PR3uZhAdhSgBilsVOpWrk4XtnfCIlVwhYMKu79a66oZZhV2Q7Kl3nfYsf84-6rAL_1H0MsqCDUHVXuIg
       accept: text/plain
       """
@@ -374,11 +430,13 @@ Feature: Access authorization
 
     Given the annotation:
       """yaml
-      anonymous: true
+      /:
+        anonymous: true
       """
     When the following request is received:
       """
       POST /identity/roles/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       content-type: application/yaml
 
       role: developer
@@ -388,62 +446,46 @@ Feature: Access authorization
       401 Unauthorized
       """
 
-  Scenario: Banning an Identity
+  Scenario: Authorization delegation
     Given the `identity.roles` database contains:
-      | _id                              | identity                         | role   |
-      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | system |
-    And the annotation:
-      """yaml
-      /:
-        /:id:
-          auth:id: id
-          GET:
-            dev:stub:
-              access: granted!
-      """
-    And the `identity.tokens` configuration:
+      | _id                              | identity                         | role      |
+      | 775a648d054e4ce1a65f8f17e5b51803 | efe3a65ebbee47ed95a73edd911ea328 | developer |
+    And the `echo` is running with the following manifest:
       """yaml
-      refresh: 1
+      exposition:
+        /:
+          io:output: true
+          auth:delegate: identity
+          GET: identity
       """
     When the following request is received:
       """
-      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
-      authorization: Basic dXNlcjoxMjM0NQ==
+      GET /echo/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
+      accept: application/yaml
       """
     Then the following reply is sent:
       """
       200 OK
       authorization: Token ${{ token }}
-      """
-    When the following request is received:
-      """
-      PUT /identity/bans/e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
-      authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
-      content-type: application/yaml
 
-      banned: true
-      """
-    Then the following reply is sent:
-      """
-      204 No Content
+      identity:
+        id: efe3a65ebbee47ed95a73edd911ea328
+        roles:
+          - developer
       """
-    # accessing a resource with a banned Identity
     When the following request is received:
       """
-      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
-      authorization: Basic dXNlcjoxMjM0NQ==
+      GET /echo/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Token ${{ token }}
       """
     Then the following reply is sent:
       """
-      401 Unauthorized
-      """
-    Then after 1 second
-    When the following request is received:
-      """
-      GET /e8e4f9c2a68d419b861403d71fabc915/ HTTP/1.1
-      authorization: Token ${{ token }}
+      200 OK
       """
-    Then the following reply is sent:
+    And the reply does not contain:
       """
-      401 Unauthorized
+      authorization: Token
       """

package/features/annotation.feature

@@ -4,6 +4,7 @@ Feature: Annotation
     Given the annotation:
       """yaml
       /:
+        io:output: true
         anonymous: true
         /foo:
           GET:
@@ -17,6 +18,7 @@ Feature: Annotation
     When the following request is received:
       """
       GET /foo/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       """
     Then the following reply is sent:

package/features/authorities.basic.feature

@@ -0,0 +1,141 @@
+Feature: Basic credentials with authorities
+
+  Scenario: Basic credentials are scoped to authorities
+    Given the annotation:
+      """yaml
+      authorities:
+        one: the.one.com
+        two: the.two.com
+      /:
+        /:id:
+          auth:id: id
+          io:output: true
+          GET:
+            dev:stub: Hello
+      """
+
+    # create basic credentials within the `one` authority
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.one.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: #{{ id | set one.username }}
+      password: #{{ password 8 | set one.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ one.id }}
+      """
+
+    # create basic credentials within the `two` authority
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.two.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: #{{ id | set two.username }}
+      password: #{{ password 8 | set two.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ two.id }}
+      """
+
+    # access the resource with the `one` authority
+    When the following request is received:
+      """
+      GET /${{ one.id }}/ HTTP/1.1
+      host: the.one.com
+      authorization: Basic #{{ basic one }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /${{ two.id }}/ HTTP/1.1
+      host: the.one.com
+      authorization: Basic #{{ basic two }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+
+    # access the resource with the `two` authority
+    When the following request is received:
+      """
+      GET /${{ one.id }}/ HTTP/1.1
+      host: the.two.com
+      authorization: Basic #{{ basic one }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      GET /${{ two.id }}/ HTTP/1.1
+      host: the.two.com
+      authorization: Basic #{{ basic two }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+
+    # create `one` credentials in the `two` authority
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.one.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: ${{ one.username }}
+      password: ${{ one.password }}
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
+      """
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.two.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: ${{ one.username }}
+      password: ${{ one.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """
+
+    # create `two` credentials in the `one` authority
+    When the following request is received:
+      """
+      POST /identity/basic/ HTTP/1.1
+      host: the.one.com
+      content-type: application/yaml
+      accept: application/yaml
+
+      username: ${{ two.username }}
+      password: ${{ two.password }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+      """

package/features/authorities.feature

@@ -0,0 +1,32 @@
+Feature: Authorities
+
+  Scenario: Accessing an authority
+    Given the annotation:
+      """yaml
+      authorities:
+        example: the.example.com
+      /:
+        anonymous: true
+        GET:
+          dev:stub: Hello
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      host: the.example.com
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET / HTTP/1.1
+      host: the.other.com
+      """
+    Then the following reply is sent:
+      """
+      404 Not Found
+
+      Unknown authority
+      """

package/features/authorities.federation.feature

@@ -0,0 +1,99 @@
+Feature: OIDC tokens with authorities
+
+  Scenario: OIDC tokens are scoped to authorities
+    Given the annotation:
+      """yaml
+      authorities:
+        one: the.one.com
+        two: the.two.com
+      /:
+        /:id:
+          auth:id: id
+          GET:
+            dev:stub: Hello
+      """
+    And local IDP is running
+    And the `identity.federation` database is empty
+    And the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      """
+    And the IDP token for One is issued
+    And the IDP token for Two is issued
+
+    # create identities
+    When the following request is received:
+      """
+      POST /identity/federation/ HTTP/1.1
+      host: the.one.com
+      accept: application/yaml
+      content-type: application/yaml
+
+      credentials: ${{ One.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ One.id }}
+      """
+    When the following request is received:
+      """
+      POST /identity/federation/ HTTP/1.1
+      host: the.two.com
+      accept: application/yaml
+      content-type: application/yaml
+
+      credentials: ${{ Two.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      201 Created
+
+      id: ${{ Two.id }}
+      """
+
+    # access `one` authority
+    When the following request is received:
+      """
+      GET /${{ One.id }}/ HTTP/1.1
+      host: the.one.com
+      authorization: Bearer ${{ One.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """
+    When the following request is received:
+      """
+      GET /${{ Two.id }}/ HTTP/1.1
+      host: the.one.com
+      authorization: Bearer ${{ Two.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+
+    # access `two` authority
+    When the following request is received:
+      """
+      GET /${{ One.id }}/ HTTP/1.1
+      host: the.two.com
+      authorization: Bearer ${{ One.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      GET /${{ Two.id }}/ HTTP/1.1
+      host: the.two.com
+      authorization: Bearer ${{ Two.id_token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      """