@toa.io/extensions.exposition 1.0.0-alpha.9 → 1.0.0-alpha.90

package/features/identity.basic.feature

@@ -1,3 +1,4 @@
+@security
 Feature: Basic authentication
 
   Background:
@@ -7,6 +8,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       content-type: application/yaml
 
       username: developer
@@ -19,6 +21,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       content-type: application/yaml
       accept: application/yaml
 
@@ -28,8 +31,6 @@ Feature: Basic authentication
     Then the following reply is sent:
       """
       409 Conflict
-
-      - username
       """
 
   Scenario: Creating new Identity using inception
@@ -38,18 +39,19 @@ Feature: Basic authentication
       exposition:
         /:
           io:output: true
-          anonymous: true     # checking compatibility with anonymous access
+          anonymous: true       # checking compatibility with anonymous access
           POST:
             incept: id
             endpoint: transit
             query: ~
-        /:id:                 # credential testing route
-          id: id
-          GET: observe
+          /:id:                 # credential testing route
+            id: id
+            GET: observe
       """
     When the following request is received:
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
       accept: application/yaml
       content-type: application/yaml
@@ -67,6 +69,7 @@ Feature: Basic authentication
       # basic credentials have been created
       """
       GET /users/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
       """
     Then the following reply is sent:
@@ -77,16 +80,19 @@ Feature: Basic authentication
       # valid token has been issued
       """
       GET /users/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       """
     Then the following reply is sent:
       """
       200 OK
       """
+
     # username is taken
     When the following request is received:
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjphbm90aGVycGFzczEyMzQ=
       accept: application/yaml
       content-type: application/yaml
@@ -96,8 +102,22 @@ Feature: Basic authentication
     Then the following reply is sent:
       """
       409 Conflict
+      """
+
+    # credentials already exists
+    When the following request is received:
+      """
+      POST /users/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      accept: application/yaml
+      content-type: application/yaml
 
-      - username
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      409 Conflict
       """
 
   Scenario: Changing the password
@@ -112,11 +132,12 @@ Feature: Basic authentication
               access: granted!
       """
     And the `identity.basic` database contains:
-      | _id                              | _version | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | _version | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     When the following request is received:
       """
       PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       content-type: application/yaml
@@ -131,6 +152,7 @@ Feature: Basic authentication
       # old password
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       """
     Then the following reply is sent:
@@ -141,6 +163,7 @@ Feature: Basic authentication
       # new password
       """
       GET /efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOm5ldy1zZWNyZXQ=
       """
     Then the following reply is sent:
@@ -148,14 +171,15 @@ Feature: Basic authentication
       200 OK
       """
 
-  Scenario: Changing other identity the password
+  Scenario: Changing other identity's password
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     | _version |
-      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
-      | 6c0be50cbfb043acafe69cc7d3895f84 | attacker  | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
+      | _id                              | authority | username  | password                                                     | _version |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
+      | 6c0be50cbfb043acafe69cc7d3895f84 | nex       | attacker  | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O | 1        |
     When the following request is received:
       """
       PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic YXR0YWNrZXI6c2VjcmV0
       accept: application/yaml
       content-type: application/yaml
@@ -171,6 +195,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       content-type: application/yaml
 
@@ -179,17 +204,17 @@ Feature: Basic authentication
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
 
       code: <code>
       message: <problem> is not meeting the requirements.
       """
     Examples:
-      | username        | password    | problem  | code             |
-      | with whitespace | secret#1234 | Username | INVALID_USERNAME |
-      | root            | short       | Password | INVALID_PASSWORD |
+      | username                                                                                                                          | password    | problem  | code             |
+      | zYF8G6obtE3c5ARpZjnMwv0L7lX2dQUyJ1KiHS9ag4fThDPVxCsuIWmNeBqkOrzYF8G6obtE3c5ARpZjnMwv0L7lX2dQUyJ1KiHS9ag4fThDPVxCsuIWmNeBqkOris129 | secret#1234 | Username | INVALID_USERNAME |
+      | root                                                                                                                              | short       | Password | INVALID_PASSWORD |
 
-  Scenario Outline: Given <property> is not meeting one of requirements
+  Scenario Outline: <property> is not meeting one of requirements
     Given the `identity.basic` configuration:
       """yaml
       <property>:
@@ -197,11 +222,12 @@ Feature: Basic authentication
         - ^[^A]{1,16}$  # should not contain 'A'
       """
     And the `identity.basic` database contains:
-      | _id                              | _version | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | 1        | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | _version | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | 1        | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     When the following request is received:
       """
       PATCH /identity/basic/efe3a65ebbee47ed95a73edd911ea328/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       content-type: application/yaml
@@ -210,7 +236,7 @@ Feature: Basic authentication
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
       """
     Examples:
       | property |
@@ -234,6 +260,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       POST /identity/basic/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       content-type: application/yaml
 
@@ -251,6 +278,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       GET /identity/roles/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic cm9vdDpzZWNyZXQjMTIzNA==
       accept: application/yaml
       """
@@ -264,6 +292,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       GET / HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       accept: application/yaml
       """
@@ -277,6 +306,7 @@ Feature: Basic authentication
     When the following request is received:
       """
       PATCH /identity/basic/${{ id }}/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ token }}
       accept: application/yaml
       content-type: application/yaml
@@ -285,15 +315,14 @@ Feature: Basic authentication
       """
     Then the following reply is sent:
       """
-      409 Conflict
+      422 Unprocessable Entity
 
       code: PRINCIPAL_LOCKED
       message: Principal username cannot be changed.
       """
 
   Scenario: Creating an Identity using inception with existing credentials
-    Given the `identity.basic` database is empty
-    And the `users` is running with the following manifest:
+    Given the `users` is running with the following manifest:
       """yaml
       exposition:
         /:
@@ -301,12 +330,14 @@ Feature: Basic authentication
           anonymous: true
           POST:
             incept: id
+            query: false
             endpoint: transit
       """
     When the following request is received:
       # identity inception
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
       accept: application/yaml
       content-type: application/yaml
@@ -321,12 +352,52 @@ Feature: Basic authentication
       # same credentials
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic dXNlcjpwYXNzMTIzNA==
-      content-type: text/plain
+      content-type: application/yaml
 
       name: Mary Louis
       """
     Then the following reply is sent:
       """
-      403 Forbidden
+      409 Conflict
+      """
+
+  Scenario: Incorrect credentials format
+    Given the `identity.basic` database is empty
+    And the `users` is running with the following manifest:
+      """yaml
+      exposition:
+        /:
+          io:output: true
+          anonymous: true
+          POST:
+            incept: id
+            endpoint: transit
+      """
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic not-base64
+      """
+    Then the following reply is sent:
+      """
+      401 Unauthorized
+      """
+    When the following request is received:
+      """
+      POST /users/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic not-base64
+      accept: application/yaml
+      content-type: application/yaml
+
+      name: Bill Smith
+      """
+    Then the following reply is sent:
+      """
+      422 Unprocessable Entity
+
+      code: INVALID_CREDENTIALS
       """

package/features/identity.feature

@@ -2,8 +2,8 @@ Feature: Identity resource
 
   Scenario: Requesting own Identity
     Given the `identity.basic` database contains:
-      | _id                              | username  | password                                                     |
-      | efe3a65ebbee47ed95a73edd911ea328 | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
+      | _id                              | authority | username  | password                                                     |
+      | efe3a65ebbee47ed95a73edd911ea328 | nex       | developer | $2b$10$ZRSKkgZoGnrcTNA5w5eCcu3pxDzdTduhteVYXcp56AaNcilNkwJ.O |
     And the `identity.roles` database contains:
       | _id                              | identity                         | role            |
       | 9c4702490ff84f2a9e1b1da2ab64bdd4 | efe3a65ebbee47ed95a73edd911ea328 | developer       |
@@ -11,6 +11,7 @@ Feature: Identity resource
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Basic ZGV2ZWxvcGVyOnNlY3JldA==
       accept: application/yaml
       """
@@ -27,6 +28,7 @@ Feature: Identity resource
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ User.token }}
       accept: application/yaml
       """
@@ -43,6 +45,7 @@ Feature: Identity resource
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ User.token }}
       accept: application/yaml
       """
@@ -56,20 +59,29 @@ Feature: Identity resource
         - system:identity
       """
 
-  Scenario: Requesting Identity with non-existent credentials
-    Given the `identity.basic` database is empty
+  Scenario: Getting transient Identity
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
-      authorization: Basic dXNlcjpwYXNzMTIzNA==
+      host: nex.toa.io
+      accept: application/yaml
       """
     Then the following reply is sent:
       """
-      401 Unauthorized
+      201 Created
+      authorization: Token ${{ token }}
+
+      id: ${{ id }}
+      roles: []
       """
+
+  Scenario: Requesting Identity with non-existent credentials
+    Given the `identity.basic` database is empty
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Basic dXNlcjpwYXNzMTIzNA==
       """
     Then the following reply is sent:
       """

package/features/identity.federation.feature

@@ -1,20 +1,21 @@
+@security
 Feature: Identity Federation
 
   Background:
     Given the `identity.federation` database is empty
-    Given local IDP is running
+    And local IDP is running
 
   Scenario: Getting identity for a new user
     Given the `identity.federation` configuration:
       """yaml
-      explicit_identity_creation: false
       trust:
-        - issuer: http://localhost:44444
+        - iss: http://localhost:44444
       """
     And the IDP token for User is issued
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ User.id_token }}
       accept: application/yaml
       content-type: application/yaml
@@ -31,33 +32,36 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       accept: application/yaml
       authorization: Token ${{ User.token }}
       """
     Then the following reply is sent:
       """
       200 OK
+
       id: ${{ User.id }}
       """
     # ensuring identity idempotency
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ User.id_token }}
       accept: application/yaml
       """
     Then the following reply is sent:
       """
       200 OK
+
       id: ${{ User.id }}
       """
 
   Scenario: Getting identity for a user with symmetric tokens
     Given the `identity.federation` configuration:
       """yaml
-      explicit_identity_creation: false
       trust:
-        - issuer: http://localhost:44444
+        - iss: http://localhost:44444
           secrets:
             HS384:
               k1: the-secret
@@ -69,6 +73,7 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ GoodUser.id_token }}
       accept: application/yaml
       content-type: application/yaml
@@ -81,11 +86,11 @@ Feature: Identity Federation
       id: ${{ GoodUser.id }}
       """
 
-  Scenario: Creating an Identity using inception with existing credentials
+  Scenario: Creating an Identity using inception
     Given the `identity.federation` configuration:
       """yaml
       trust:
-        - issuer: http://localhost:44444
+        - iss: http://localhost:44444
       """
     Given the `users` is running with the following manifest:
       """yaml
@@ -93,8 +98,8 @@ Feature: Identity Federation
         /:
           anonymous: true
           POST:
-            io:output: true
-            incept: id
+            io:output: [id]
+            auth:incept: id
             endpoint: create
       """
     And the IDP token for Bill is issued
@@ -102,6 +107,7 @@ Feature: Identity Federation
       # identity inception
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ Bill.id_token }}
       accept: application/yaml
       content-type: application/yaml
@@ -119,6 +125,7 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Token ${{ Bill.token }}
       accept: application/yaml
       """
@@ -130,24 +137,72 @@ Feature: Identity Federation
     When the following request is received:
       """
       GET /identity/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ Bill.id_token }}
       accept: application/yaml
       """
     Then the following reply is sent:
       """
       200 OK
+
       id: ${{ Bill.id }}
       """
     And the following request is received:
       # same credentials
       """
       POST /users/ HTTP/1.1
+      host: nex.toa.io
       authorization: Bearer ${{ Bill.id_token }}
-      content-type: text/plain
+      content-type: application/yaml
 
       name: Mary Louis
       """
     Then the following reply is sent:
       """
-      403 Forbidden
+      409 Conflict
+      """
+
+  Scenario: Granting a `system` role to a Principal
+    Given the `identity.federation` configuration:
+      """yaml
+      trust:
+        - iss: http://localhost:44444
+      principal:
+        iss: http://localhost:44444
+        sub: root
+      """
+    And the IDP token for root is issued
+
+    # create an identity
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      authorization: Bearer ${{ root.id_token }}
+      accept: application/yaml
+      content-type: application/yaml
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+      authorization: Token ${{ root.token }}
+
+      id: ${{ root.id }}
+      """
+
+    # check the role
+    When the following request is received:
+      """
+      GET /identity/ HTTP/1.1
+      host: nex.toa.io
+      accept: application/yaml
+      authorization: Token ${{ root.token }}
+      """
+    Then the following reply is sent:
+      """
+      200 OK
+
+      id: ${{ root.id }}
+      roles:
+        - system
       """