diff --git a/code/Test_Definitions/NumberVerification_device_phone_number_share.feature b/code/Test_Definitions/NumberVerification_device_phone_number_share.feature new file mode 100644 index 0000000..4d81091 --- /dev/null +++ b/code/Test_Definitions/NumberVerification_device_phone_number_share.feature @@ -0,0 +1,104 @@ + + +@NumberVerification_device_phone_number_share +Feature: Camara Number Verification API device phone number share + +# Input to be provided by the implementation to the tests +# References to OAS spec schemas refer to schemas specified in +# https://raw.githubusercontent.com/camaraproject/NumberVerification/main/code/API_definitions/number_verification.yaml +# +# Implementation indications: +# * api_root: API root of the server URL +# +# Testing assets: +# * a mobile device with SIM card with NUMBERVERIFY_SHARE_PHONENUMBER1 +# * a mobile device with SIM card with NUMBERVERIFY_SHARE_PHONENUMBER2 + + Background: Common Number Verification phone number share setup + Given the resource "/device-phone-number/v0" as base url + And the header "Content-Type" is set to "application/json" + And the header "Authorization" is set to a valid access token + And the header "x-correlator" is set to a UUID value + And the request body is compliant with the schema NumberVerificationRequestBody + And the response body is compliant with the schema NumberVerificationMatchResponse + And the header "x-correlator" is set to a UUID value + And NUMBERVERIFY_SHARE_PHONENUMBER1 is compliant with the schema DevicePhoneNumber + And NUMBERVERIFY_SHARE_PHONENUMBER2 is compliant with the schema DevicePhoneNumber + And NUMBERVERIFY_SHARE_PHONENUMBER1 is different to NUMBERVERIFY_SHARE_PHONENUMBER2 + And they acquired a valid access token associated with NUMBERVERIFY_SHARE_PHONENUMBER1 through OIDC authorization code flow + + @NumberVerification_phone_number_share100_match_true + Scenario: share phone number NUMBERVERIFY_SHARE_PHONENUMBER1, network connection and access token matches NUMBERVERIFY_SHARE_PHONENUMBER1 + Given they use the base url + And the resource is "/device-phone-number" + And one of the scopes associated with the access token is number-verification:device-phone-number:read + When the HTTPS "GET" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response body complies with the OAS schema at "/components/schemas/NumberVerificationShareResponse" + Then the response status code is 200 + And the response property "$.devicePhoneNumber" is set to NUMBERVERIFY_SHARE_PHONENUMBER1 + + @NumberVerification_phone_number_share201_missing_scope + Scenario: share phone number with valid access token but scope number-verification:device-phone-number:read is missing + Given they use the base url + And the resource is "/device-phone-number" + And none of the scopes associated with the access token is number-verification:device-phone-number:read + When the HTTPS "GET" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the request body has the field phoneNumber with a value of NUMBERVERIFY_SHARE_PHONENUMBER1 + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" + Then the response status code is 403 + And the response property "$.status" is 403 + And the response property "$.code" is "UNAUTHENTICATED" + And the response property "$.message" is "Request not authenticated due to missing, invalid, or expired credentials." + + @NumberVerification_phone_number_share202_expired_access_token + Scenario: share phone number with expired access token + Given they use the base url + And the resource is "/device-phone-number" + And one of the scopes associated with the access token is number-verification:device-phone-number:read + When the HTTPS "GET" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the access token has expired + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" + Then the response status code is 401 + And the response property "$.status" is 401 + And the response property "$.code" is "AUTHENTICATION_REQUIRED" + And the response property "$.message" is "New authentication is required." + + @NumberVerification_phone_number_share203_no_phonenumber_associated_with_access_token + Scenario: share phone number with valid access token that is not associated with a phone number + Given they use the base url + And the resource is "/device-phone-number" + And one of the scopes associated with the access token is number-verification:device-phone-number:read + When the HTTPS "GET" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the access token is not associated with a phone number + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" + Then the response status code is 403 + And the response property "$.status" is 403 + And the response property "$.code" is "INVALID_TOKEN_CONTEXT" + And the response property "$.message" is "Phone number cannot be deducted from access token context." + + @NumberVerification_phone_number_share205_must_have_used_network_authentication + Scenario: share phone number with valid access token but network authentication was not used + Given they use the base url + And the resource is "/device-phone-number" + And one of the scopes associated with the access token is number-verification:verify + When the HTTPS "GET" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the information, e.g. authentication method reference, associated with the access token indicates that network authentication was NOT used + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" + Then the response status code is 403 + And the response property "$.status" is 403 + And the response property "$.code" is "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK" + And the response property "$.message" is "The subscription must be identified via the mobile network to use this servicet." diff --git a/code/Test_Definitions/NumberVerification_verify.feature b/code/Test_Definitions/NumberVerification_verify.feature new file mode 100644 index 0000000..542cdfb --- /dev/null +++ b/code/Test_Definitions/NumberVerification_verify.feature @@ -0,0 +1,207 @@ + + +@NumberVerification_verify +Feature: Camara Number Verification API verify + +# Input to be provided by the implementation to the tests +# References to OAS spec schemas refer to schemas specified in +# https://raw.githubusercontent.com/camaraproject/NumberVerification/main/code/API_definitions/number_verification.yaml +# +# Implementation indications: +# * api_root: API root of the server URL +# +# Testing assets: +# * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 +# * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 +# * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED1 +# * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED2 + + + + Background: Common Number Verification verify setup + Given the resource "/number-verification/v0" as base url + And the header "Content-Type" is set to "application/json" + And the header "Authorization" is set to a valid access token + And the header "x-correlator" is set to a UUID value + And the request body is compliant with the schema NumberVerificationRequestBody + And the response body is compliant with the schema NumberVerificationMatchResponse + And the header "x-correlator" is set to a UUID value + And NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 is compliant with the schema DevicePhoneNumber + And NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 is compliant with the schema DevicePhoneNumber + And NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 is different to NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 + + @NumberVerification_verify0_phoneNumber_does_not_match_schema + Scenario Outline: phoneNumber value does not comply with the schema + Given the request body property "$.phoneNumber" is set to: + When the HTTP "POST" request is sent + Then the response status code is 400 + And the response property "$.status" is 400 + And the response property "$.code" is "INVALID_ARGUMENT" + And the response property "$.message" contains a user friendly text + And they acquired a valid access token associated with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 through OIDC authorization code flow + + Examples: + | phone_number_value | + | string_value | + | 1234567890 | + | +12334foo22222 | + | +00012230304913849 | + | 123 | + | ++49565456787 | + + + @NumberVerification_verify100_match_true + Scenario: verify phone number NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1, network connection and access token matches NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + Given they use the base url + And the resource is "/verify" + And one of the scopes associated with the access token is number-verification:verify + When the HTTPS "POST" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" + Then the response status code is 200 + And the response property "$.devicePhoneNumberVerified" is true + + @NumberVerification_verify300_match_hashed_true + Scenario: verify hashed phone number hashed NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1, network connection and access token matches NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + Given they use the base url + And the resource is "/verify" + And one of the scopes associated with the access token is number-verification:verify + When the HTTPS "POST" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the request body has the field hashedPhoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED1 + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" + Then the response status code is 200 + And the response property "$.devicePhoneNumberVerified" is true + + + @NumberVerification_verify101_match_false + Scenario: verify phone number NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 but access token is associated with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 + Given they use the base url + And the resource is "/verify" + And one of the scopes associated with the access token is number-verification:verify + When the HTTPS "POST" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" + Then the response status code is 200 + And the response property "$.devicePhoneNumberVerified" is false + + @NumberVerification_verify301_match_false + Scenario: verify hashed phone number NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 but access token is associated with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 + Given they use the base url + And the resource is "/verify" + And one of the scopes associated with the access token is number-verification:verify + When the HTTPS "POST" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the request body has the field hashedPhoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED2 + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" + Then the response status code is 200 + And the response property "$.devicePhoneNumberVerified" is false + + @NumberVerification_verify200_missing_phone_number_in_request + Scenario: verify phone number but no phonenumber in request + Given they use the base url + And the resource is "/verify" + And one of the scopes associated with the access token is number-verification:verify + When the HTTPS "POST" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the request body has NO the field phoneNumber or hashedPhoneNumber + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" + Then the response status code is 400 + And the response property "$.status" is 400 + And the response property "$.code" is "INVALID_ARGUMENT" + And the response property "$.message" contains a user friendly text + + @NumberVerification_verify201_missing_scope + Scenario: verify phone number with valid access token but scope number-verification:verify is missing + Given they use the base url + And the resource is "/verify" + And none of the scopes associated with the access token is number-verification:verify + When the HTTPS "POST" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" + Then the response status code is 403 + And the response property "$.status" is 403 + And the response property "$.code" is "UNAUTHENTICATED" + And the response property "$.message" is "Request not authenticated due to missing, invalid, or expired credentials." + + @NumberVerification_verify202_expired_access_token + Scenario: verify phone number with expired access token + Given they use the base url + And the resource is "/verify" + And one of the scopes associated with the access token is number-verification:verify + When the HTTPS "POST" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the access token has expired + And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" + Then the response status code is 401 + And the response property "$.status" is 401 + And the response property "$.code" is "AUTHENTICATION_REQUIRED" + And the response property "$.message" is "New authentication is required." + + @NumberVerification_verify203_both_phone_number_and_hashed_in_request + Scenario: verify phone number but no phonenumber in request + Given they use the base url + And the resource is "/verify" + And one of the scopes associated with the access token is number-verification:verify + When the HTTPS "POST" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the request body has the field hashedPhoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED1 + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" + Then the response status code is 400 + And the response property "$.status" is 400 + And the response property "$.code" is "INVALID_ARGUMENT" + And the response property "$.message" contains a user friendly text + + @NumberVerification_phone_number_verify204_no_phonenumber_associated_with_access_token + Scenario: verify phone number with valid access token that is not associated with a phone number + Given they use the base url + And the resource is "/verify" + And one of the scopes associated with the access token is number-verification:verify + When the HTTPS "GET" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the access token is not associated with a phone number + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" + Then the response status code is 403 + And the response property "$.status" is 403 + And the response property "$.code" is "INVALID_TOKEN_CONTEXT" + And the response property "$.message" is "Phone number cannot be deducted from access token context." + + + @NumberVerification_phone_number_verify205_must_have_used_network_authentication + Scenario: verify phone number with valid access token but network authentication was not used + Given they use the base url + And the resource is "/verify" + And one of the scopes associated with the access token is number-verification:verify + When the HTTPS "GET" request is sent + And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 + And the information, e.g. authentication method reference, associated with the access token indicates that network authentication was NOT used + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response header "Content-Type" is "application/json" + And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" + Then the response status code is 403 + And the response property "$.status" is 403 + And the response property "$.code" is "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK" + And the response property "$.message" is "The subscription must be identified via the mobile network to use this servicet."