From 218a2ab108d00ab37735ac9d3bdbbc1f42d11526 Mon Sep 17 00:00:00 2001 From: Marshall Jones Date: Thu, 17 Jul 2014 08:51:38 -1000 Subject: [PATCH 1/8] initial scenario --- features/api_keys.feature | 29 +++++++++++++++++++++++++++++ fixtures/_models/api_key.json | 5 ++++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/features/api_keys.feature b/features/api_keys.feature index dc94080..811f65a 100644 --- a/features/api_keys.feature +++ b/features/api_keys.feature @@ -6,6 +6,10 @@ Feature: API Keys API keys are used to make authenticated requests by sending an HTTP Basic Auth header, using the key as the username, with no password. + API keys by default have full access to perform any operation on your + marketplace. You can create API keys with limited permissions that have + restricted access. + Scenario: Create an API Key for a new marketplace To obtain a key, one must be created. This is done through an unauthenticated API request. @@ -48,3 +52,28 @@ Feature: API Keys When I DELETE to /api_keys/:api_key giving the key Then I should get a 204 OK status code And there should be no response body + + Scenario: Create an API key with limited permissions + By specifying permissions for a key you can restrict the operations that + it is able to perform to either being able to write (POST, DELETE, and PUT) + or read (GET) to a set of endpoints. + + Given I have created an API key + When I POST to /api_keys with the body: + """ + { + "api_keys": [{ + "permissions": { + "/customers": "rw", + "/debits": "r" + } + }] + } + """ + Then I should get a 201 Created status code + And the response is valid according to the "api_keys" schema + When I POST to /customers + Then I should get a 201 Created status code + And the response is valid according to the "customers" schema + When I POST to /debits + Then I should get a 401 Unauthorized status code \ No newline at end of file 
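Review bot: The scenario never says which key the `When I POST to /customers` and `When I POST to /debits` steps authenticate with; the existing steps in this feature spell it out (`giving the key`), and if these default to the key from `Given I have created an API key` — the unrestricted one — the final 401 cannot be a result of the scopes under test, so write it explicitly, e.g. `When I POST to /customers giving the new key`. A scoped key also needs a negative check against `/api_keys` itself: if a key limited to `/customers` and `/debits` can still `POST /api_keys`, it can mint an unrestricted key and the restriction is void, so add `When I POST to /api_keys giving the new key` followed by an assertion that it is refused. A request that carries valid credentials but lacks permission is conventionally 403 Forbidden; 401 signals missing or invalid credentials and makes clients re-prompt for them, so the last step should probably assert 403 unless the API deliberately hides endpoint existence. The prose above the scenario lists `write (POST, DELETE, and PUT)`; if PATCH is served it belongs in that list too.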
diff --git a/fixtures/_models/api_key.json b/fixtures/_models/api_key.json index 5853fa8..7472290 100644 --- a/fixtures/_models/api_key.json +++ b/fixtures/_models/api_key.json @@ -25,7 +25,10 @@ "type": "object", "properties": {}, "additionalProperties": false - } + }, + "permissions": { + "type": "object", + } }, "required": [ "id", From e3e979e5201f4eded0c8b1e0f05bb3c5e4247776 Mon Sep 17 00:00:00 2001 From: Marshall Jones Date: Wed, 23 Jul 2014 10:45:05 -0700 Subject: [PATCH 2/8] add permissions to the required array --- fixtures/_models/api_key.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fixtures/_models/api_key.json b/fixtures/_models/api_key.json index 7472290..d36eea1 100644 --- a/fixtures/_models/api_key.json +++ b/fixtures/_models/api_key.json @@ -35,7 +35,8 @@ "href", "created_at", "meta", - "links" + "links", + "permissions" ], "additionalProperties": false } \ No newline at end of file From 754336a84abf180d0ee10b8fea79af907cbd4594 Mon Sep 17 00:00:00 2001 From: Marshall Jones Date: Wed, 23 Jul 2014 15:31:41 -0700 Subject: [PATCH 3/8] fix json --- fixtures/_models/api_key.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fixtures/_models/api_key.json b/fixtures/_models/api_key.json index d36eea1..28300d0 100644 --- a/fixtures/_models/api_key.json +++ b/fixtures/_models/api_key.json @@ -27,7 +27,7 @@ "additionalProperties": false }, "permissions": { - "type": "object", + "type": "object" } }, "required": [ From 39039a20a8ab0adbd1c0b9fe5118c5b87d071ba6 Mon Sep 17 00:00:00 2001 From: Marshall Jones Date: Mon, 28 Jul 2014 09:07:16 -0700 Subject: [PATCH 4/8] refactor payload structure --- features/api_keys.feature | 14 ++++++++++---- features/debits.feature | 1 + 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/features/api_keys.feature b/features/api_keys.feature index 811f65a..c6f5891 100644 --- a/features/api_keys.feature +++ b/features/api_keys.feature 
@@ -63,10 +63,16 @@ Feature: API Keys """ { "api_keys": [{ - "permissions": { - "/customers": "rw", - "/debits": "r" - } + "permissions": [ + { + "path": "/customers", + "permissions": ["read", "write"] + }, + { + "path": "/debits", + "permissions": ["read"] + } + ] }] } """ diff --git a/features/debits.feature b/features/debits.feature index 90fe995..6e7a0b8 100644 --- a/features/debits.feature +++ b/features/debits.feature @@ -152,6 +152,7 @@ Feature: Debit a card or bank account Then I should get a 201 Created status code And the response is valid according to the "debits" schema + @focus Scenario: Debit a verified bank account Given I have a verified bank account When I make a POST request to the link "bank_accounts.debits" with the body: From ae733c82cb1b138c18839598115fa441182da8ff Mon Sep 17 00:00:00 2001 From: Marshall Jones Date: Mon, 28 Jul 2014 09:09:12 -0700 Subject: [PATCH 5/8] scopes makes more sense than permissions - the extent of the area or subject matter that something deals with or to which it is relevant. --- features/api_keys.feature | 2 +- fixtures/_models/api_key.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/features/api_keys.feature b/features/api_keys.feature index c6f5891..7565c49 100644 --- a/features/api_keys.feature +++ b/features/api_keys.feature @@ -63,7 +63,7 @@ Feature: API Keys """ { "api_keys": [{ - "permissions": [ + "scopes": [ { "path": "/customers", "permissions": ["read", "write"] diff --git a/fixtures/_models/api_key.json b/fixtures/_models/api_key.json index 28300d0..b80ace8 100644 --- a/fixtures/_models/api_key.json +++ b/fixtures/_models/api_key.json @@ -26,7 +26,7 @@ "properties": {}, "additionalProperties": false }, - "permissions": { + "scopes": { "type": "object" } }, @@ -36,7 +36,7 @@ "created_at", "meta", "links", - "permissions" + "scopes" ], "additionalProperties": false } \ No newline at end of file From dfd20da33ada4fd99f4094f8b2d8baf04fb04158 Mon Sep 17 00:00:00 2001 
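Review bot: The `@focus` tag added above `Scenario: Debit a verified bank account` in features/debits.feature looks like a leftover from running one scenario locally; it has nothing to do with the payload restructure this commit describes. If the project's cucumber profile filters on `@focus` (not visible here, but that is the usual purpose of the tag), committing it silently narrows the suite to this single scenario and the new scoped-key scenario stops running in CI. Drop the tag line; the rest of the debit scenario continues outside the hunk.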
From: Marshall Jones Date: Tue, 29 Jul 2014 08:01:15 -0700 Subject: [PATCH 6/8] define schema for scopes --- fixtures/_models/api_key.json | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/fixtures/_models/api_key.json b/fixtures/_models/api_key.json index b80ace8..aa6e122 100644 --- a/fixtures/_models/api_key.json +++ b/fixtures/_models/api_key.json @@ -27,7 +27,27 @@ "additionalProperties": false }, "scopes": { - "type": "object" + "type": "array", + "items": { + "type": "object", + "properties": { + "path": { + "description": "A relative path that if matches the path of a request made with this API key will apply the related permissions to the call. Paths can have '*' wildcards but otherwise must match exactly.", + "type": "string", + "pattern": "/(([A-z0-9\\-*])?/?)+" + }, + "permissions": { + "description": "A list of permissions this path is granted. 'read' maps to POST, PUT, DELETE, and PATCH HTTP verbs, 'write' to GET", + "type": "array", + "items": { + "enum": ["read", "write"] + }, + "uniqueItems": true + } + }, + "requiredProperties": ["path", "permissions"], + "additionalProperties": false + } } }, "required": [ From 204645d0c5b3bacc54719af33e776d8d40a2d942 Mon Sep 17 00:00:00 2001 From: Marshall Jones Date: Tue, 29 Jul 2014 08:05:31 -0700 Subject: [PATCH 7/8] engineering grammars --- fixtures/_models/api_key.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fixtures/_models/api_key.json b/fixtures/_models/api_key.json index aa6e122..6b954d0 100644 --- a/fixtures/_models/api_key.json +++ b/fixtures/_models/api_key.json 
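Review bot: `"requiredProperties": ["path", "permissions"]` is not a JSON Schema keyword and validators ignore unknown keywords, so a scope object missing `path` or `permissions` validates; the top-level object in this same file already uses the correct form, so this should be `"required": ["path", "permissions"]`. The `permissions` description has the verbs inverted relative to the feature text — read should be GET and write should be the mutating verbs — e.g. `"description": "A list of permissions granted for this path. 'read' maps to GET; 'write' maps to POST, PUT, DELETE, and PATCH"`. The `path` pattern `/(([A-z0-9\\-*])?/?)+` is unanchored (JSON Schema `pattern` is a search, so any string containing `/` passes), its `A-z` range also admits `[`, `\`, `]`, `^`, `_` and backtick, and every group is optional so `//` or `/*/` are accepted; something like `"^/(?:[A-Za-z0-9*-]+/?)*$"` (add `_` if it was intended) fixes all three, and also removes the nested repetition of an empty-matching group that some regex engines backtrack badly on. Because this is an authorization rule, the description should also state whether `*` can match across `/`, so a scope such as `/customers*` cannot be read as covering `/customers/…/debits`. Finally, say what an empty `scopes` array means — presumably no access rather than full access — or exclude it with `"minItems": 1`.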
@@ -32,7 +32,7 @@ "type": "object", "properties": { "path": { - "description": "A relative path that if matches the path of a request made with this API key will apply the related permissions to the call. Paths can have '*' wildcards but otherwise must match exactly.", + "description": "A relative path that, if matching the path of a request made with this API key, will apply the related permissions to the call. Paths can have '*' wildcards but otherwise must match exactly.", "type": "string", "pattern": "/(([A-z0-9\\-*])?/?)+" }, From 4a1ed0ab6694c95f15a6e6a13e5c98195415b03e Mon Sep 17 00:00:00 2001 From: Marshall Jones Date: Tue, 5 Aug 2014 18:54:50 -0700 Subject: [PATCH 8/8] include the expected response --- features/api_keys.feature | 3 ++- features/step_definitions/api_keys.rb | 4 ++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/features/api_keys.feature b/features/api_keys.feature index 7565c49..52beadf 100644 --- a/features/api_keys.feature +++ b/features/api_keys.feature @@ -82,4 +82,5 @@ Feature: API Keys Then I should get a 201 Created status code And the response is valid according to the "customers" schema When I POST to /debits - Then I should get a 401 Unauthorized status code \ No newline at end of file + Then I should get a 401 Unauthorized status code + Then the response should contain "Not permitted to perform create on debits with this API key" diff --git a/features/step_definitions/api_keys.rb b/features/step_definitions/api_keys.rb index 23af468..dcf0aa4 100644 --- a/features/step_definitions/api_keys.rb +++ b/features/step_definitions/api_keys.rb @@ -41,3 +41,7 @@ Given(/^I have created more than one API keys$/) do 2.times { step "I have created an API key" } end + +Then(/^the response should contain "([^"]*)"$/ do |expected_response| + @response.body.should include(expected_response) +end
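Review bot: `Then the response should contain "Not permitted to perform create on debits with this API key"` follows another `Then` on the same response; Gherkin convention is `And` for a continuation of the same outcome, `And the response should contain "Not permitted to perform create on debits with this API key"`. The message itself says the key is recognised but lacks permission, which describes a 403 Forbidden rather than the 401 asserted on the line before; one of the two should change so the scenario pins a consistent contract. Matching the full sentence also couples the scenario to error copy — consider asserting the stable prefix `Not permitted` or an error code if the API returns one.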
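Review bot: `Then(/^the response should contain "([^"]*)"$/ do |expected_response|` never closes the parenthesis opened before the regexp, so the file fails to parse and every step defined in features/step_definitions/api_keys.rb — not only this one — is lost when Cucumber loads it; it should read `Then(/^the response should contain "([^"]*)"$/) do |expected_response|`. In Ruby `$` matches before any newline rather than only at end of string; harmless for single-line step text, but `\z` is the exact anchor. The body `@response.body.should include(expected_response)` relies on `@response` being set by the request steps elsewhere in this file, which is outside the hunk.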