Numberverify verify Test definition #124
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
|
|
||
|
|
||
| @NumberVerification_device_phone_number_share | ||
| Feature: Camara Number Verification API device phone number share | ||
|
|
||
| # Input to be provided by the implementation to the tests | ||
| # References to OAS spec schemas refer to schemas specified in | ||
| # https://raw.githubusercontent.com/camaraproject/NumberVerification/main/code/API_definitions/number_verification.yaml | ||
| # | ||
| # Implementation indications: | ||
| # * api_root: API root of the server URL | ||
| # | ||
| # Testing assets: | ||
| # * a mobile device with SIM card with NUMBERVERIFY_SHARE_PHONENUMBER1 | ||
| # * a mobile device with SIM card with NUMBERVERIFY_SHARE_PHONENUMBER2 | ||
|
|
||
| Background: Common Number Verification phone number share setup | ||
| Given the resource "/device-phone-number/v0" as base url | ||
| And the header "Content-Type" is set to "application/json" | ||
| And the header "Authorization" is set to a valid access token | ||
| And the header "x-correlator" is set to a UUID value | ||
| And the request body is compliant with the schema NumberVerificationRequestBody | ||
| And the response body is compliant with the schema NumberVerificationMatchResponse | ||
| And the header "x-correlator" is set to a UUID value | ||
| And NUMBERVERIFY_SHARE_PHONENUMBER1 is compliant with the schema DevicePhoneNumber | ||
| And NUMBERVERIFY_SHARE_PHONENUMBER2 is compliant with the schema DevicePhoneNumber | ||
| And NUMBERVERIFY_SHARE_PHONENUMBER1 is different to NUMBERVERIFY_SHARE_PHONENUMBER2 | ||
| And they acquired a valid access token associated with NUMBERVERIFY_SHARE_PHONENUMBER1 through OIDC authorization code flow | ||
|
|
||
| @NumberVerification_phone_number_share100_match_true | ||
| Scenario: share phone number NUMBERVERIFY_SHARE_PHONENUMBER1, network connection and access token matches NUMBERVERIFY_SHARE_PHONENUMBER1 | ||
| Given they use the base url | ||
| And the resource is "/device-phone-number" | ||
| And one of the scopes associated with the access token is number-verification:device-phone-number:read | ||
| When the HTTPS "GET" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response body complies with the OAS schema at "/components/schemas/NumberVerificationShareResponse" | ||
| Then the response status code is 200 | ||
| And the response property "$.devicePhoneNumber" is set to NUMBERVERIFY_SHARE_PHONENUMBER1 | ||
|
|
||
| @NumberVerification_phone_number_share201_missing_scope | ||
| Scenario: share phone number with valid access token but scope number-verification:device-phone-number:read is missing | ||
| Given they use the base url | ||
| And the resource is "/device-phone-number" | ||
| And none of the scopes associated with the access token is number-verification:device-phone-number:read | ||
| When the HTTPS "GET" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the request body has the field phoneNumber with a value of NUMBERVERIFY_SHARE_PHONENUMBER1 | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" | ||
| Then the response status code is 403 | ||
| And the response property "$.status" is 403 | ||
| And the response property "$.code" is "UNAUTHENTICATED" | ||
| And the response property "$.message" is "Request not authenticated due to missing, invalid, or expired credentials." | ||
|
|
||
| @NumberVerification_phone_number_share202_expired_access_token | ||
| Scenario: share phone number with expired access token | ||
| Given they use the base url | ||
| And the resource is "/device-phone-number" | ||
| And one of the scopes associated with the access token is number-verification:device-phone-number:read | ||
| When the HTTPS "GET" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the access token has expired | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" | ||
| Then the response status code is 401 | ||
| And the response property "$.status" is 401 | ||
| And the response property "$.code" is "AUTHENTICATION_REQUIRED" | ||
| And the response property "$.message" is "New authentication is required." | ||
|
|
||
| @NumberVerification_phone_number_share203_no_phonenumber_associated_with_access_token | ||
| Scenario: share phone number with valid access token that is not associated with a phone number | ||
| Given they use the base url | ||
| And the resource is "/device-phone-number" | ||
| And one of the scopes associated with the access token is number-verification:device-phone-number:read | ||
| When the HTTPS "GET" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the access token is not associated with a phone number | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" | ||
| Then the response status code is 403 | ||
| And the response property "$.status" is 403 | ||
| And the response property "$.code" is "INVALID_TOKEN_CONTEXT" | ||
| And the response property "$.message" is "Phone number cannot be deducted from access token context." | ||
|
|
||
| @NumberVerification_phone_number_share205_must_have_used_network_authentication | ||
| Scenario: share phone number with valid access token but network authentication was not used | ||
| Given they use the base url | ||
| And the resource is "/device-phone-number" | ||
| And one of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "GET" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the information, e.g. authentication method reference, associated with the access token indicates that network authentication was NOT used | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" | ||
| Then the response status code is 403 | ||
| And the response property "$.status" is 403 | ||
| And the response property "$.code" is "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK" | ||
| And the response property "$.message" is "The subscription must be identified via the mobile network to use this servicet." |
|
There was a problem hiding this comment. Test included for veryfy operation:
Pending test to be included:
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,207 @@ | ||
|
|
||
|
|
||
| @NumberVerification_verify | ||
| Feature: Camara Number Verification API verify | ||
|
|
||
| # Input to be provided by the implementation to the tests | ||
| # References to OAS spec schemas refer to schemas specified in | ||
| # https://raw.githubusercontent.com/camaraproject/NumberVerification/main/code/API_definitions/number_verification.yaml | ||
| # | ||
| # Implementation indications: | ||
| # * api_root: API root of the server URL | ||
| # | ||
| # Testing assets: | ||
| # * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| # * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 | ||
| # * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED1 | ||
| # * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED2 | ||
|
|
||
|
|
||
|
|
||
| Background: Common Number Verification verify setup | ||
| Given the resource "/number-verification/v0" as base url | ||
| And the header "Content-Type" is set to "application/json" | ||
| And the header "Authorization" is set to a valid access token | ||
| And the header "x-correlator" is set to a UUID value | ||
| And the request body is compliant with the schema NumberVerificationRequestBody | ||
| And the response body is compliant with the schema NumberVerificationMatchResponse | ||
| And the header "x-correlator" is set to a UUID value | ||
| And NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 is compliant with the schema DevicePhoneNumber | ||
AxelNennker marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| And NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 is compliant with the schema DevicePhoneNumber | ||
| And NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 is different to NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 | ||
|
|
||
| @NumberVerification_verify0_phoneNumber_does_not_match_schema | ||
| Scenario Outline: phoneNumber value does not comply with the schema | ||
| Given the request body property "$.phoneNumber" is set to: <phone_number_value> | ||
| When the HTTP "POST" request is sent | ||
| Then the response status code is 400 | ||
| And the response property "$.status" is 400 | ||
| And the response property "$.code" is "INVALID_ARGUMENT" | ||
| And the response property "$.message" contains a user friendly text | ||
| And they acquired a valid access token associated with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 through OIDC authorization code flow | ||
|
|
||
| Examples: | ||
| | phone_number_value | | ||
| | string_value | | ||
| | 1234567890 | | ||
| | +12334foo22222 | | ||
| | +00012230304913849 | | ||
| | 123 | | ||
| | ++49565456787 | | ||
|
|
||
|
|
||
| @NumberVerification_verify100_match_true | ||
| Scenario: verify phone number NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1, network connection and access token matches NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| Given they use the base url | ||
| And the resource is "/verify" | ||
| And one of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "POST" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" | ||
| Then the response status code is 200 | ||
| And the response property "$.devicePhoneNumberVerified" is true | ||
|
|
||
| @NumberVerification_verify300_match_hashed_true | ||
| Scenario: verify hashed phone number hashed NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1, network connection and access token matches NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| Given they use the base url | ||
| And the resource is "/verify" | ||
| And one of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "POST" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the request body has the field hashedPhoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED1 | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" | ||
| Then the response status code is 200 | ||
| And the response property "$.devicePhoneNumberVerified" is true | ||
|
|
||
|
|
||
| @NumberVerification_verify101_match_false | ||
| Scenario: verify phone number NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 but access token is associated with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 | ||
| Given they use the base url | ||
| And the resource is "/verify" | ||
| And one of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "POST" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" | ||
| Then the response status code is 200 | ||
| And the response property "$.devicePhoneNumberVerified" is false | ||
|
|
||
| @NumberVerification_verify301_match_false | ||
|
There was a problem hiding this comment. i think this one should be match_hashed_false |
||
| Scenario: verify hashed phone number NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 but access token is associated with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 | ||
| Given they use the base url | ||
| And the resource is "/verify" | ||
| And one of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "POST" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the request body has the field hashedPhoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED2 | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" | ||
| Then the response status code is 200 | ||
| And the response property "$.devicePhoneNumberVerified" is false | ||
|
|
||
| @NumberVerification_verify200_missing_phone_number_in_request | ||
| Scenario: verify phone number but no phonenumber in request | ||
| Given they use the base url | ||
| And the resource is "/verify" | ||
| And one of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "POST" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the request body has NO the field phoneNumber or hashedPhoneNumber | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" | ||
| Then the response status code is 400 | ||
| And the response property "$.status" is 400 | ||
| And the response property "$.code" is "INVALID_ARGUMENT" | ||
| And the response property "$.message" contains a user friendly text | ||
|
|
||
| @NumberVerification_verify201_missing_scope | ||
| Scenario: verify phone number with valid access token but scope number-verification:verify is missing | ||
| Given they use the base url | ||
| And the resource is "/verify" | ||
| And none of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "POST" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" | ||
| Then the response status code is 403 | ||
| And the response property "$.status" is 403 | ||
| And the response property "$.code" is "UNAUTHENTICATED" | ||
| And the response property "$.message" is "Request not authenticated due to missing, invalid, or expired credentials." | ||
|
|
||
| @NumberVerification_verify202_expired_access_token | ||
| Scenario: verify phone number with expired access token | ||
| Given they use the base url | ||
| And the resource is "/verify" | ||
| And one of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "POST" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the access token has expired | ||
| And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" | ||
| Then the response status code is 401 | ||
| And the response property "$.status" is 401 | ||
| And the response property "$.code" is "AUTHENTICATION_REQUIRED" | ||
|
There was a problem hiding this comment. or UNAUTHENTICATED, still don't know which one should apply in this case |
||
| And the response property "$.message" is "New authentication is required." | ||
AxelNennker marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| @NumberVerification_verify203_both_phone_number_and_hashed_in_request | ||
| Scenario: verify phone number but no phonenumber in request | ||
| Given they use the base url | ||
| And the resource is "/verify" | ||
| And one of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "POST" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the request body has the field hashedPhoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED1 | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" | ||
| Then the response status code is 400 | ||
| And the response property "$.status" is 400 | ||
| And the response property "$.code" is "INVALID_ARGUMENT" | ||
| And the response property "$.message" contains a user friendly text | ||
|
|
||
| @NumberVerification_phone_number_verify204_no_phonenumber_associated_with_access_token | ||
| Scenario: verify phone number with valid access token that is not associated with a phone number | ||
| Given they use the base url | ||
| And the resource is "/verify" | ||
| And one of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "GET" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the access token is not associated with a phone number | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" | ||
| Then the response status code is 403 | ||
| And the response property "$.status" is 403 | ||
| And the response property "$.code" is "INVALID_TOKEN_CONTEXT" | ||
| And the response property "$.message" is "Phone number cannot be deducted from access token context." | ||
|
|
||
|
|
||
| @NumberVerification_phone_number_verify205_must_have_used_network_authentication | ||
| Scenario: verify phone number with valid access token but network authentication was not used | ||
| Given they use the base url | ||
| And the resource is "/verify" | ||
| And one of the scopes associated with the access token is number-verification:verify | ||
| When the HTTPS "GET" request is sent | ||
| And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| And the information, e.g. authentication method reference, associated with the access token indicates that network authentication was NOT used | ||
| And the response header "x-correlator" has same value as the request header "x-correlator" | ||
| And the response header "Content-Type" is "application/json" | ||
| And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" | ||
| Then the response status code is 403 | ||
| And the response property "$.status" is 403 | ||
| And the response property "$.code" is "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK" | ||
| And the response property "$.message" is "The subscription must be identified via the mobile network to use this servicet." | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Test included for share operation:
Pending test to be included:
cc: @bigludo7 @AxelNennker
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
regarding "pending tests" 1.
Maybe the authorization server should never create an access token if the scope is a "number verification"-scope and never did network authentication?! There is probably no way for the resource server / API endpoint to identify the authentication method used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
regarding "pending tests" 2.
This also sounds like an internal authorization server error and should never happen - like the access token creation without network authentication for nv-scopes.
The resource server / API-endpoint can detect this condition
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://github.com/camaraproject/NumberVerification/blob/main/code/API_definitions/number_verification.yaml#L270 talks about AMR
As Camara does not specify the access token nor the information associated with it other than the API's subject like phoneNumber, this would be a NV requirement on the telco issuing access tokens
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wdyt @bigludo7? I don't know if we can leave that validation to the authserver as something external to the API.
The auth process will validate if a phone number has access to certain scopes but I don't know if it can also check the auth method at token generation time.
And being Auth Code where the authentication is not done by the authserver itself but maybe something like an IDP.
I tend to think that is better to include the test mainly because is an error specified in the API yaml and we should cover it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not as expert that both of you on this specific point but as we have the error in the YAML we must have a test case covered it.
By preference it to have it and then we can always discuss in the future to remove it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a test to "verify" that uses USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a test to "share" that uses USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK
https://github.com/camaraproject/NumberVerification/blob/test_definition/code/Test_Definitions/NumberVerification_device_phone_number_share.feature#L90