diff --git a/.github/workflows/megalinter.yml b/.github/workflows/megalinter.yml
deleted file mode 100644
index 6bda700..0000000
--- a/.github/workflows/megalinter.yml
+++ /dev/null
@@ -1,78 +0,0 @@ ---- -# MegaLinter GitHub Action configuration file -# More info at https://megalinter.io -# CAMARA Project - Github Action for Pull Reqests -# 31.01.2024 - initial version - -name: MegaLinter - -on: # yamllint disable-line rule:truthy - # Pull Requests to main - pull_request: - branches: [master, main] - -env: # Comment env block if you do not want to apply fixes - # Apply linter fixes configuration - APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) - APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) - APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) - -concurrency: - group: ${{ github.ref }}-${{ github.workflow }} - cancel-in-progress: true - -jobs: - build: - name: MegaLinter - runs-on: ubuntu-latest - permissions: - # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR - # Remove the ones you do not need - contents: write - issues: write - pull-requests: write - steps: - # Git Checkout - - name: Checkout Code - uses: actions/checkout@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances - - name: Install Spectral - run: npm install -g @stoplight/spectral - - name: Install Spectral functions - run: npm install -g @stoplight/spectral-functions - # - name: Run spectral:oas Spectral Linting - # run: spectral lint code/API_definitions/*.yaml --verbose --ruleset .spectral.yml - # Replace openapi.yaml file with your API specification file - - # MegaLinter - - name: MegaLinter - id: ml - # You can override MegaLinter flavor used to have faster performances - # More info at https://megalinter.io/flavors/ - uses: 
oxsecurity/megalinter/flavors/java@v7.3.0 - env: - # All available variables are described in documentation - # https://megalinter.io/configuration/ - PRINT_ALPACA: false - # VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} # Validates all source when push on main, else just the git diff with main. Override with true if you always want to lint all sources - VALIDATE_ALL_CODEBASE: true - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY - DISABLE: COPYPASTE,MARKDOWN - DISABLE_LINTERS: SPELL_CSPELL,SPELL_LYCHEE,YAML_PRETTIER,REPOSITORY_GRYPE, REPOSITORY_SEMGREP,REPOSITORY_DEVSKIM,REPOSITORY_KICS,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_CHECKOV,REPOSITORY_GITLEAKS,YAML_V8R,JAVA_PMD,JAVA_CHECKSTYLE - YAML_YAMLLINT_CONFIG_FILE: ".yamllint.yaml" - OPENAPI_SPECTRAL_CONFIG_FILE: ".spectral.yml" - YAML_YAMLLINT_FILTER_REGEX_INCLUDE: "(code/)" - OPENAPI_SPECTRAL_FILTER_REGEX_INCLUDE: "(code/)" - - # Upload MegaLinter artifacts - - name: Archive production artifacts - if: ${{ success() }} || ${{ failure() }} - uses: actions/upload-artifact@v4 - with: - name: MegaLinter reports - path: | - megalinter-reports - mega-linter.log diff --git a/.github/workflows/pr_validation_caller.yml b/.github/workflows/pr_validation_caller.yml new file mode 100644 index 0000000..d847f6e --- /dev/null +++ b/.github/workflows/pr_validation_caller.yml 
@@ -0,0 +1,49 @@
+# =========================================================================================
+# CAMARA Project - Pull Request Validation Workflow Caller
+#
+# This GitHub Actions workflow is responsible for invoking a reusable PR validation workflow
+# from the camaraproject/tooling repository. It is intended to ensure consistent validation
+# steps for all PRs targeting the main branch in this repository.
+#
+# CHANGELOG:
+# - 2025-08-01: Initial version for v0
+#
+# USAGE:
+# - Automatically triggers on pull requests targeting main.
+# - Can be triggered manually via workflow_dispatch.
+# - Calls by default the reusable workflow at
+# camaraproject/tooling/.github/workflows/pr_validation.yml@v0
+#
+# DOCUMENTATION:
+# see https://github.com/camaraproject/tooling/tree/main/linting/docs
+# =========================================================================================
+
+name: Caller for PR validation workflow
+
+on:
+ # Trigger on pull requests to the main branch only
+ pull_request:
+ branches: main
+ # Enable manual trigger via the GitHub UI
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.ref }}-${{ github.workflow }}
+ cancel-in-progress: true
+
+permissions:
+ # Grant necessary write permissions for PRs, contents, and issues
+ pull-requests: write
+ contents: write
+ issues: write
+ statuses: write
+
+jobs:
+ pr_validation:
+ # Invoke the reusable PR validation workflow from "v0" tag of camaraproject/tooling
+ uses: camaraproject/tooling/.github/workflows/pr_validation.yml@v0
+ secrets: inherit
+# Tools configuration from the tooling repository subfolder of /linting/config/ indicated by `configurations` variable
+# If needed, you can specify a configuration from another subfolder of camaraproject/tooling/linting/config/ (uncomment below)
+# with:
+# configurations: api-name
diff --git a/.github/workflows/spectral-oas-caller.yml b/.github/workflows/spectral-oas-caller.yml
new file mode 100644
index 0000000..05cde3f
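Review bot: The `uses: camaraproject/tooling/.github/workflows/pr_validation.yml@v0` line pins the called workflow to a mutable tag, while `secrets: inherit` hands it every secret of this repository and the workflow-level `permissions` block gives it a token with `contents: write`, `pull-requests: write`, `issues: write` and `statuses: write`; whatever the `v0` tag points to at run time therefore executes with that token and those secrets. Pin the reusable workflow to a full commit SHA and keep the tag as a comment, e.g. `uses: camaraproject/tooling/.github/workflows/pr_validation.yml@<full-commit-sha>  # v0`, and prefer passing only the secrets the callee documents over `secrets: inherit`. The same mutable-tag point applies to the `spectral-oas.yml@v0` reference in the spectral-oas-caller.yml hunk. Since the trigger is `pull_request`, runs originating from forks presumably receive a read-only token and no secrets regardless of this block — worth confirming against the callee's expectations before relying on the write scopes granted here.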
--- /dev/null
+++ b/.github/workflows/spectral-oas-caller.yml
@@ -0,0 +1,42 @@
+# =========================================================================================
+# CAMARA Project - Linting OpenAPI Specification with CAMARA Ruleset Caller
+#
+# This GitHub Actions workflow is responsible for invoking a reusable "Spectral linting with
+# CAMARA ruleset" workflow from the camaraproject/tooling repository. It is intended to
+# provide more detailed output from Spectral tool (warnings, hints)
+#
+# CHANGELOG:
+# - 2025-08-01: Initial version for v0
+#
+# USAGE:
+# - Can be triggered manually via workflow_dispatch.
+# - Calls by default the reusable workflow at
+# camaraproject/tooling/.github/workflows/spectral-oas.yml@v0
+#
+# DOCUMENTATION:
+# see https://github.com/camaraproject/tooling/tree/main/linting/docs
+# =========================================================================================
+
+name: Caller for Spectral linting with CAMARA ruleset
+
+on:
+ workflow_dispatch:
+
+concurrency:
+ group: ${{ github.ref }}-${{ github.workflow }}
+ cancel-in-progress: true
+
+permissions:
+ # Grant necessary write permissions for PRs and issues
+ pull-requests: write
+ contents: read
+ issues: write
+
+jobs:
+ spectral:
+ # Invoke the reusable PR validation workflow from the main branch of camaraproject/tooling
+ uses: camaraproject/tooling/.github/workflows/spectral-oas.yml@v0
+# Spectral configuration from the tooling repository subfolder of /linting/config/ indicated by `configurations` variable
+# If needed, you can specify a configuration from another subfolder of camaraproject/tooling/linting/config/ (uncomment below)
+# with:
+# configurations: api-name
diff --git a/.github/workflows/spectral_oas_lint.yml b/.github/workflows/spectral_oas_lint.yml
deleted file mode 100644
index a828fd5..0000000
--- a/.github/workflows/spectral_oas_lint.yml
+++ /dev/null
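Review bot: The comment above the `uses:` line, `# Invoke the reusable PR validation workflow from the main branch of camaraproject/tooling`, does not describe the line beneath it, which references `spectral-oas.yml@v0` — the Spectral linting workflow at the `v0` tag, not the PR validation workflow and not the main branch. Replace it with `# Invoke the reusable Spectral linting workflow from the "v0" tag of camaraproject/tooling` so it agrees with the USAGE section of the file header. Unlike pr_validation_caller.yml this job passes no `secrets:` to the callee, which fits a lint-only run; whether the callee actually needs `pull-requests: write` and `issues: write` for a `workflow_dispatch`-only run is not visible from this hunk and is worth checking so the grant can be narrowed if it does not.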
@@ -1,36 +0,0 @@ ---- -# CAMARA Project - workflow configuration to manually run CAMARA OAS rules -# see https://docs.github.com/en/actions/using-workflows/manually-running-a-workflow -# 31.01.2024 - initial version - -name: Spectral manual run - -on: workflow_dispatch - -concurrency: - group: ${{ github.ref }}-${{ github.workflow }} - cancel-in-progress: true - -jobs: - build: - name: Spectral linting - runs-on: ubuntu-latest - permissions: - # Give the default GITHUB_TOKEN write permission to commit and push, comment issues & post new PR - # Remove the ones you do not need - contents: write - issues: write - pull-requests: write - steps: - # Git Checkout - - name: Checkout Code - uses: actions/checkout@v4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances - - name: Install Spectral - run: npm install -g @stoplight/spectral - - name: Install Spectral functions - run: npm install -g @stoplight/spectral-functions - - name: Run Spectral linting - run: spectral lint code/API_definitions/*.yaml --verbose --ruleset .spectral.yml diff --git a/.spectral.yml b/.spectral.yml deleted file mode 100644 index 0b16508..0000000 --- a/.spectral.yml +++ /dev/null 
@@ -1,258 +0,0 @@ -# CAMARA Project - linting ruleset - documentation avaialable here: -# https://github.com/camaraproject/Commonalities/blob/main/documentation/Linting-rules.md -# 31.01.2024 - initial version - -extends: "spectral:oas" -functions: - - camara-reserved-words - - camara-language-avoid-telco - - camara-security-no-secrets-in-path-or-query-parameters -functionsDir: "./lint_function" -rules: - # Built-in OpenAPI Specification ruleset. Each rule then can be enabled individually. - # The severity keyword is optional in rule definition and can be error, warn, info, hint, or off. The default value is warn. - contact-properties: false - duplicated-entry-in-enum: true - info-contact: true - info-description: true - info-license: true - license-url: true - no-$ref-siblings: error - no-eval-in-markdown: true - no-script-tags-in-markdown: true - openapi-tags: false - openapi-tags-alphabetical: false - openapi-tags-uniqueness: error - operation-description: true - operation-operationId: true - operation-operationId-unique: error - operation-operationId-valid-in-url: true - operation-parameters: true - operation-singular-tag: true - operation-success-response: true - operation-tags: true - operation-tag-defined: true - path-declarations-must-exist: true - path-keys-no-trailing-slash: true - path-not-include-query: true - path-params: error - tag-description: false - typed-enum: true - oas3-api-servers: true - oas3-examples-value-or-externalValue: true - oas3-operation-security-defined: false - oas3-parameter-description: false - oas3-schema: true - oas3-server-not-example.com: false - oas3-server-trailing-slash: true - oas3-unused-component: true - oas3-valid-media-example: true - oas3-valid-schema-example: true - # oas3-server-variables: true - - # Custom Rules Utilizing Spectral's Built-in Functions and JavaScript Implementations - - camara-language-avoid-telco: - message: "{{error}}" - severity: hint - description: | - This rule checks for telco-specific 
terminology in your API definitions and suggests more inclusive terms. - given: "$..*.*" - then: - function: camara-language-avoid-telco - recommended: false # Set to true/false to enable/disable this rule - - camara-oas-version: - message: "OpenAPI Version Error: The OpenAPI specification must adhere to version 3.0.3." - severity: error - description: | - This rule validates the OpenAPI version in your specification and requires compliance with version 3.0.3. - given: "$" - then: - field: openapi - function: pattern - functionOptions: - match: 3.0.3 - recommended: true # Set to true/false to enable/disable this rule - - camara-path-param-id: - message: "Path Parameter Naming Warning: Use 'resource_id' instead of just 'id' in path parameters." - severity: warn - description: | - This rule ensures consistent and descriptive naming for path parameters in your OpenAPI specification. - Please use 'resource_id' instead of just 'id' for your path parameters. - given: "$..parameters[?(@.in == 'path')]" - then: - field: name - function: pattern - functionOptions: - notMatch: \b(id|Id|ID|iD)\b - recommended: true # Set to true/false to enable/disable this rule - - camara-security-no-secrets-in-path-or-query-parameters: - message: "Sensitive data found in path: {{error}} Consider avoiding the use of Sesentive data " - severity: warn - description: | - This rule checks for sensitive data ('MSISDN' and 'IMSI') in API paths and suggests avoiding their use. - given: - - "$.paths" - then: - function: camara-security-no-secrets-in-path-or-query-parameters - recommended: true # Set to true/false to enable/disable this rule - - camara-http-methods: - description: "Ensure that all path URLs have valid HTTP methods (GET, PUT, POST, DELETE, PATCH, OPTIONS)." - message: "Invalid HTTP method for '{{path}}'. Must be one of get, put, post, delete, patch, options." 
- severity: error - given: $.paths[*][*]~ - then: - function: pattern - functionOptions: - match: "^(get|put|post|delete|patch|options)$" - recommended: true # Set to true/false to enable/disable this rule - - camara-get-no-request-body: - message: There must be no request body for Get and DELETE - severity: error - given: - - "$.paths.*.get" - - "$.paths.*.delete" - then: - field: requestBody - function: falsy - recommended: true # Set to true/false to enable/disable this rule - - camara-reserved-words: - message: "Reserved words found {{error}} Consider avoiding the use of reserved word " - severity: warn - description: | - This rule checks Reserved words must not be used in the following parts of an API specification [Paths, Request Body properties, Component, Operation Id, Security Schema] - given: - - "$.paths" # Paths - - "$..parameters[*]" # Path or Query Parameter Names: - - "$..components.schemas.*.properties.*" # Request and Response body parameter - - "$.paths.*." # Path and Operation Names: - - "$.components.securitySchemes" # Security Schemes: - - "$.components.*.*" # Component Names: - - "$.paths.*.*.operationId" # OperationIds: - then: - function: camara-reserved-words - recommended: true # Set to true/false to enable/disable this rule - - camara-routes-description: - message: "Functionality method description Warning: Each method should have description." - severity: warn - description: | - This rule checks if each operation (POST, GET, DELETE, PUT, PATCH, OPTIONS) in your API specification has a description. - Ensure that you have added a 'summary' field for each operation in your OpenAPI specification. 
- given: - - "$.paths.*.post" - - "$.paths.*.get" - - "$.paths.*.delete" - - "$.paths.*.put" - - "$.paths.*.patch" - - "$.paths.*.options" - then: - field: description - function: truthy - recommended: true # Set to true/false to enable/disable this rule - - camara-parameters-descriptions: - message: "Parameter description is missing or empty: {{error}}" - severity: warn - description: | - This Spectral rule ensures that each path parameter in the API specification has a descriptive and meaningful description. - given: - - "$.paths..parameters.*" - then: - field: description - function: truthy - recommended: true # Set to true/false to enable/disable this rule - - camara-response-descriptions: - message: "Parameter description is missing or empty: {{error}}" - severity: warn - description: | - This Spectral rule ensures that each responese object in the API specification has a descriptive and meaningful description. - given: - - "$.paths..responses.*" - then: - field: description - function: truthy - recommended: true # Set to true/false to enable/disable this rule - - camara-properties-descriptions: - message: "Property description is missing or empty: {{error}}" - severity: warn - description: | - This Spectral rule ensures that each propoerty within objects in the API specification has a descriptive and meaningful description. - given: - - "$.components.*.*" - - "$.components.*.*.properties.*" - then: - field: description - function: truthy - recommended: true # Set to true/false to enable/disable this rule - - camara-operation-summary: - message: "Operation Summary Warning: Each operation should include a short summary for better understanding." - severity: warn - description: | - This rule checks if each operation (POST, GET, DELETE, PUT, PATCH, OPTIONS) in your API specification has a meaningful summary. - Ensure that you have added a 'summary' field for each operation in your OpenAPI specification. 
- given: - - "$.paths.*.post" - - "$.paths.*.get" - - "$.paths.*.delete" - - "$.paths.*.put" - - "$.paths.*.patch" - - "$.paths.*.options" - then: - field: summary - function: truthy - recommended: true # Set to true/false to enable/disable this rule - - camara-discriminator-use: - description: | - Ensure that API definition YAML files with oneOf or anyOf sections include a discriminator object for serialization, deserialization, and validation. - severity: hint - given: "$..[?(@.oneOf || @.anyOf)]" - then: - field: discriminator - function: truthy - description: "Discriminator object is required when using oneOf or anyOf." - recommended: true # Set to true/false to enable/disable this rule - - camara-operationid-casing-convention: - message: Operation Id must be in Camel case "{{error}}" - severity: hint - description: | - This rule checks Operation ids should follow a specific case convention: camel case. - given: "$.paths.*.*.operationId" - then: - function: casing - functionOptions: - type: camel - recommended: true # Set to true/false to enable/disable this rule - - camara-schema-casing-convention: - description: This rule checks schema should follow a specific case convention pascal case. - message: "{{property}} should be pascal case (UppperCamelCase)" - severity: warn - given: $.components.schemas[*]~ - then: - function: casing - functionOptions: - type: pascal - recommended: true # Set to true/false to enable/disable this rule - - camara-parameter-casing-convention: - description: Paths should be kebab-case. - severity: error - message: "{{property}} is not kebab-case: {{error}}" - given: $.paths[*]~ - then: - function: pattern - functionOptions: - match: "^\/([a-z0-9]+(-[a-z0-9]+)*)?(\/[a-z0-9]+(-[a-z0-9]+)*|\/{.+})*$" # doesn't allow /asasd{asdas}sadas pattern or not closed braces - recommended: true # Set to true/false to enable/disable this rule diff --git a/.yamllint.yaml b/.yamllint.yaml deleted file mode 100644 index 081ef09..0000000 
--- a/.yamllint.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -# CAMARA Project - YAML linting configuration for yamllint https://yamllint.readthedocs.io/en/latest/rules.html -# 31.01.2024 - initial version - -yaml-files: - - '*.yaml' - - '*.yml' - - '.yamllint' - -rules: - braces: enable - brackets: enable - colons: enable - commas: enable - comments: - min-spaces-from-content: 1 - level: error - comments-indentation: - level: error - document-end: disable - document-start: disable - empty-lines: enable - empty-values: disable - hyphens: enable - indentation: enable - key-duplicates: enable - key-ordering: disable - line-length: disable - new-line-at-end-of-file: enable - new-lines: disable - octal-values: disable - quoted-strings: disable - trailing-spaces: enable - truthy: - level: error diff --git a/code/Test_definitions/one-time-password-sms-sendCode.feature b/code/Test_definitions/one-time-password-sms-sendCode.feature index 5d01c07..b423707 100644 --- a/code/Test_definitions/one-time-password-sms-sendCode.feature +++ b/code/Test_definitions/one-time-password-sms-sendCode.feature @@ -1,6 +1,5 @@ Feature: one-time-password-sms, v1.1.1-rc.3 - Operation sendCode - # Environment variables: # * api_root: API root of the server URL # * phone_number: A public identifier (MSISDN) addressing a telephone subscriptionable to receive SMS. Accordingly to E.164 standard, must be prefixed with '+'. 
@@ -8,11 +7,9 @@ Feature: one-time-password-sms, v1.1.1-rc.3 - Operation sendCode # * message: Message template used to compose the content of the SMS sent to the phone number. It must include the following label indicating where to include the short code {{code}}. Operator could specified a max_lenght for the message. # References to OAS spec schemas refer to schemas specifies in one-time-password-sms.yaml -Background: Common OTPvalidation sendCode setup - + Background: Common OTPvalidation sendCode setup Given an environment at "apiRoot" - and the resource "/one-time-password-sms/v1rc3/send-code" | - + And the resource "/one-time-password-sms/v1rc3/send-code" | And the header "Content-Type" is set to "application/json" And the header "Authorization" is set to a valid access token And the header "x-correlator" complies with the schema at "#/components/schemas/XCorrelator" @@ -22,8 +19,8 @@ Background: Common OTPvalidation sendCode setup # Happy path scenarios for send-code #################################### -@OTPvalidationAPI_01_send_code_success_scenario -Scenario: Validation for sucess send-code scenario + @OTPvalidationAPI_01_send_code_success_scenario + Scenario: Validation for sucess send-code scenario Given the request body property "$.phoneNumber" is set to config_var: "phone_number" And the request body property "$.message" is set to config_var: "message" When the HTTP "POST" request is sent 
@@ -32,8 +29,8 @@ Scenario: Validation for sucess send-code scenario And the response header "x-correlator" has same value as the request header "x-correlator" And the response body complies with the OAS schema at "/components/schemas/SendCodeResponse" -@OTPvalidationAPI_02_send_code_success_scenario_without_x-correlator -Scenario: Validation for sucess send-code scenario without x-correlator + @OTPvalidationAPI_02_send_code_success_scenario_without_x-correlator + Scenario: Validation for sucess send-code scenario without x-correlator Given the request body property "$.phoneNumber" is set to config_var: "phone_number" And the request body property "$.message" is set to config_var: "message" And the header "Authorization" is set @@ -42,8 +39,6 @@ Scenario: Validation for sucess send-code scenario without x-correlator And the response header "Content-Type" is "application/json" And the response body complies with the OAS schema at "/components/schemas/SendCodeResponse" - - ################################################################################ # Rainy path scenarios for send-code ################################################################################ @@ -58,8 +53,8 @@ Scenario: Validation for sucess send-code scenario without x-correlator # 400 errors for send-code ########################### -@OTPvalidationAPI_400.1_send_code_no_request_body -Scenario: Missing request body for send_code + @OTPvalidationAPI_400.1_send_code_no_request_body + Scenario: Missing request body for send_code Given the request body is not included When the HTTP "POST" request is sent Then the response property "$.status" is 400 
@@ -67,8 +62,8 @@ Scenario: Missing request body for send_code And the response property "$.message" contains a user friendly text And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_400.2_send_code_empty_request_body -Scenario: Empty object as request body for send_code + @OTPvalidationAPI_400.2_send_code_empty_request_body + Scenario: Empty object as request body for send_code Given the request body is set to "{}" When the HTTP "POST" request is sent Then the response property "$.status" is 400 @@ -76,8 +71,8 @@ Scenario: Empty object as request body for send_code And the response property "$.message" contains a user friendly text And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_400.4_send_code_incorrect_phone_number_request_body -Scenario: Incorrect phone number in the request + @OTPvalidationAPI_400.4_send_code_incorrect_phone_number_request_body + Scenario: Incorrect phone number in the request Given the request body property "$.phoneNumber" is set to "3301" And the request body property "$.message" is set to config_var: "message" When the HTTP "POST" request is sent @@ -86,8 +81,8 @@ Scenario: Incorrect phone number in the request And the response property "$.message" contains a user friendly text And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_400.5_send_code_missing_message -Scenario: Missing message request attribute + @OTPvalidationAPI_400.5_send_code_missing_message + Scenario: Missing message request attribute Given the request body property "$.phoneNumber" is set to config_var: "phone_number" And the request body property "$.message" is not valued When the HTTP "POST" request is sent 
@@ -96,8 +91,8 @@ Scenario: Missing message request attribute And the response property "$.message" contains a user friendly text And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_400.6_send_code_missing_code_request_body -Scenario: Missing {{code}} in message request attribute + @OTPvalidationAPI_400.6_send_code_missing_code_request_body + Scenario: Missing {{code}} in message request attribute Given the request body property "$.phoneNumber" is set to config_var: "phone_number" And the request body property "$.message" is set to "message without code" When the HTTP "POST" request is sent @@ -106,8 +101,8 @@ Scenario: Missing {{code}} in message request attribute And the response property "$.message" contains a user friendly text And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_400.7_send_code_message_too_long -Scenario: message attribute exceed maximum lenght authorized + @OTPvalidationAPI_400.7_send_code_message_too_long + Scenario: message attribute exceed maximum lenght authorized Given the request body property "$.phoneNumber" is set to config_var: "phone_number" And the request body property "$.message" is longer than config_var:"max_lenght" When the HTTP "POST" request is sent @@ -120,8 +115,8 @@ Scenario: message attribute exceed maximum lenght authorized # 401 errors for send-code ########################### -@OTPvalidationAPI_401.1_send_code_no_authorization_header -Scenario: No Authorization header for send-code + @OTPvalidationAPI_401.1_send_code_no_authorization_header + Scenario: No Authorization header for send-code Given the header "Authorization" is removed When the HTTP "POST" request is sent Then the response property "$.status" is 401 
@@ -129,17 +124,17 @@ Scenario: No Authorization header for send-code And the response property "$.message" contains a user friendly text And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_401.2_send_code_expired_access_token -Scenario: Expired for send-code - Given the header "Authorization" is set to an expired + @OTPvalidationAPI_401.2_send_code_expired_access_token + Scenario: Expired for send-code + Given the header "Authorization" is set to an expired When the HTTP "POST" request is sent Then the response property "$.status" is 401 And the response property "$.code" is "UNAUTHENTICATED" And the response property "$.message" contains a user friendly text And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_401.3_send_code_invalid_access_token -Scenario: Invalid access token for send-code + @OTPvalidationAPI_401.3_send_code_invalid_access_token + Scenario: Invalid access token for send-code Given the header "Authorization" is set to an invalid access token When the HTTP "POST" request is sent Then the response property "$.status" is 401 @@ -151,8 +146,8 @@ Scenario: Invalid access token for send-code # 403 errors for send-code ########################### -@OTPvalidationAPI_03_send_code_max_otp_code -Scenario: Validation for failed scenario too many codes have been requested + @OTPvalidationAPI_03_send_code_max_otp_code + Scenario: Validation for failed scenario too many codes have been requested Given the request body property "$.phoneNumber" is set to config_var: "phone_number" And the request body property "$.message" is set to config_var: "message" And (config_var:"max_send"-1) of send-code requests for this phone number has been submitted 
@@ -162,8 +157,8 @@ Scenario: Validation for failed scenario too many codes have been requested And the response property "$.message" contains a user friendly text And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_04_send_code_phone_number_not_allowed -Scenario: Validation for failed scenario for a phone number that cannot receive SMS + @OTPvalidationAPI_04_send_code_phone_number_not_allowed + Scenario: Validation for failed scenario for a phone number that cannot receive SMS Given the request body property "$.phoneNumber" is set to a phone number that cannot receive SMS And the request body property "$.message" is set to config_var: "message" When the HTTP "POST" request is sent @@ -172,8 +167,8 @@ Scenario: Validation for failed scenario for a phone number that cannot receive And the response property "$.message" contains a user friendly text And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_05_send_code_phone_number_not_allowed_3 -Scenario: Validation for failed scenario for a phone number that target a landline + @OTPvalidationAPI_05_send_code_phone_number_not_allowed_3 + Scenario: Validation for failed scenario for a phone number that target a landline Given the request body property "$.phoneNumber" is set to a phone number that target a landline And the request body property "$.message" is set to config_var: "message" When the HTTP "POST" request is sent 
@@ -182,8 +177,8 @@ Scenario: Validation for failed scenario for a phone number that target a landli And the response property "$.message" contains a user friendly text And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_06_send_code_phone_number_blocked -Scenario: Validation for failed scenario for a phone number that block SMS reception + @OTPvalidationAPI_06_send_code_phone_number_blocked + Scenario: Validation for failed scenario for a phone number that block SMS reception Given the request body property "$.phoneNumber" is set to a phone number that that has an active SMS barring And the request body property "$.message" is set to config_var: "message" When the HTTP "POST" request is sent @@ -196,8 +191,8 @@ Scenario: Validation for failed scenario for a phone number that block SMS recep # 404 errors for send-code ########################### -@OTPvalidationAPI_404.1_send_code_phone_number_not_belong_to_operator -Scenario: Validation for failed scenario for a phone number that did not belong to the operator + @OTPvalidationAPI_404.1_send_code_phone_number_not_belong_to_operator + Scenario: Validation for failed scenario for a phone number that did not belong to the operator Given the request body property "$.phoneNumber" is set to a phone number that did not belong to the operator And the request body property "$.message" is set to config_var: "message" When the HTTP "POST" request is sent diff --git a/code/Test_definitions/one-time-password-sms-validateCode.feature b/code/Test_definitions/one-time-password-sms-validateCode.feature index 15a2f6d..03050b8 100644 --- a/code/Test_definitions/one-time-password-sms-validateCode.feature +++ b/code/Test_definitions/one-time-password-sms-validateCode.feature 
@@ -9,8 +9,7 @@ Feature: one-time-password-sms, v1.1.1-rc.3 - operation validateCode # * max_try: Maximum allowed try to validate the code for a given autorisation request. # References to OAS spec schemas refer to schemas specifies in one-time-password-sms.yaml -Background: Common OTPvalidation validateCode setup - + Background: Common OTPvalidation validateCode setup Given an environment at "apiRoot" And the resource "/one-time-password-sms/v1rc3/validate-code" | And the header "Content-Type" is set to "application/json" @@ -18,21 +17,20 @@ Background: Common OTPvalidation validateCode setup And the header "x-correlator" complies with the schema at "#/components/schemas/XCorrelator" And the request body is set by default to a request body compliant with the schema - ######################################## # Happy path scenarios for validate-code ######################################## -@OTPvalidationAPI_01_validate_code_sucess_scenario -Scenario: Validation for sucess validate-code scenario + @OTPvalidationAPI_01_validate_code_sucess_scenario + Scenario: Validation for sucess validate-code scenario Given an authenticationId has been retrieved from a send-code request And the request body property "$.code" is set to the value received in the SMS When the HTTP "POST" request is sent Then the response property "$.status" is 204 And the response header "x-correlator" has same value as the request header "x-correlator" -@OTPvalidationAPI_02_validate_code_sucess_scenario_without_x-correlator -Scenario: Validation for sucess validate-code scenario without x-correlator + @OTPvalidationAPI_02_validate_code_sucess_scenario_without_x-correlator + Scenario: Validation for sucess validate-code scenario without x-correlator Given an authenticationId has been retrieved from a send-code request And the request body property "$.code" is set to the value received in the SMS And the header "Authorization" is set 
@@ -54,18 +52,18 @@ Scenario: Validation for sucess validate-code scenario without x-correlator
 # 400 errors for validate-code
 ###############################
 
-@OTPvalidationAPI_400.1_validate_code_no_request_body
-Scenario: Missing request body
+  @OTPvalidationAPI_400.1_validate_code_no_request_body
+  Scenario: Missing request body
     Given the request body is not included
     When the HTTP "POST" request is sent
     Then the response status code is 400
     And the response property "$.status" is 400
     And the response property "$.code" is "INVALID_ARGUMENT"
     And the response property "$.message" contains a user friendly text
-    And the response header "x-correlator" has same value as the request header "x-correlator"
+    And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_400.2_validate_code_empty_request_body
-Scenario: Empty object as request body for validate-code
+  @OTPvalidationAPI_400.2_validate_code_empty_request_body
+  Scenario: Empty object as request body for validate-code
     Given the request body is set to "{}"
     When the HTTP "POST" request is sent
     Then the response status code is 400
@@ -74,8 +72,8 @@ Scenario: Empty object as request body for validate-code
     And the response property "$.message" contains a user friendly text
     And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_400.3_validate_code_missing_authenticationId
-Scenario: missing authenticationId as request parameter
+  @OTPvalidationAPI_400.3_validate_code_missing_authenticationId
+  Scenario: missing authenticationId as request parameter
     Given the request body property "$.authenticationId" is not valued
     And the request body property "$.code" is set to a format valid value
     When the HTTP "POST" request is sent
@@ -85,8 +83,8 @@ Scenario: missing authenticationId as request parameter
     And the response property "$.message" contains a user friendly text
     And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_400.3_validate_code_missing_code
-Scenario: missing code as request parameter
+  @OTPvalidationAPI_400.3_validate_code_missing_code
+  Scenario: missing code as request parameter
     Given an authenticationId has been retrieved from a send-code request
     And the request body property "$.code" is not valued
     When the HTTP "POST" request is sent
@@ -96,8 +94,8 @@ Scenario: missing code as request parameter
     And the response property "$.message" contains a user friendly text
     And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_400.4_validate_code_exceed_code_max_length
-Scenario: exceed the maxLength for code
+  @OTPvalidationAPI_400.4_validate_code_exceed_code_max_length
+  Scenario: exceed the maxLength for code
     Given request body property "$.authenticationId" is set to the value from send-code request
     And the request body property "$.code" is set to "thisCodeExceedsTenCharacters"
     When the HTTP "POST" request is sent
@@ -107,8 +105,8 @@ Scenario: exceed the maxLength for code
     And the response property "$.message" contains a user friendly text
     And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_400.5_validate_code_invalid_otp_scenario
-Scenario: Validations for invalid otp validate-code scenario
+  @OTPvalidationAPI_400.5_validate_code_invalid_otp_scenario
+  Scenario: Validations for invalid otp validate-code scenario
     Given request body property "$.authenticationId" is set to the value from send-code request
     And the request body property "$.code" is set to a value distinct from the value received in the SMS
     When the HTTP "POST" request is sent
@@ -117,8 +115,8 @@ Scenario: Validations for invalid otp validate-code scenario
     And the response property "$.message" contains a user friendly text
     And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_400.6_validate_code_verification_expired_scenario_1
-Scenario: Validations for verification expired validate-code scenario
+  @OTPvalidationAPI_400.6_validate_code_verification_expired_scenario_1
+  Scenario: Validations for verification expired validate-code scenario
     Given request body property "$.authenticationId" is set to the value from send-code request
     And the request body property "$.code" is set to the received in the SMS
     And the time elapsed since the send-code exceed the allowed time
@@ -128,8 +126,8 @@ Scenario: Validations for verification expired validate-code scenario
     And the response property "$.message" contains a user friendly text
     And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_400.7_validate_code_verification_expired_scenario_2
-Scenario: Validations for verification expired because a new one has been requested for the same phone number
+  @OTPvalidationAPI_400.7_validate_code_verification_expired_scenario_2
+  Scenario: Validations for verification expired because a new one has been requested for the same phone number
     Given Two send-code request has been sequentially triggered for the same phoneNumber
     And request body property "$.authenticationId" is set to the value got for the first send-code request
     And the request body property "$.code" is set to the received in the SMS for this first request
@@ -139,8 +137,8 @@ Scenario: Validations for verification expired because a new one has been reque
     And the response property "$.message" contains a user friendly text
     And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_400.8_validate_code_verification_expired_scenario_3
-Scenario: Validations for verification expired because authenticationId is no longer valid because it has already been used
+  @OTPvalidationAPI_400.8_validate_code_verification_expired_scenario_3
+  Scenario: Validations for verification expired because authenticationId is no longer valid because it has already been used
     Given a validate-code has been succesfully performed for a authenticationId
     And request body property "$.authenticationId" is valued again with this authenticationId
     And the request body property "$.code" is set to the code received in the SMS
@@ -150,8 +148,8 @@ Scenario: Validations for verification expired because authenticationId is no l
     And the response property "$.message" contains a user friendly text
     And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_400.9_validate_code_verification_failed_scenario
-Scenario: Validations for verification failed validate-code scenario whe maximum number of attempts for this authenticationId was exceeded without providing a valid OTP
+  @OTPvalidationAPI_400.9_validate_code_verification_failed_scenario
+  Scenario: Validations for verification failed validate-code scenario whe maximum number of attempts for this authenticationId was exceeded without providing a valid OTP
     Given an authenticationId has been retrieved from a send-code request
     And (config_var:"max_try"-1) calls with the request body property "$.code" set to a value distinct from the value received in the SMS were performed
     When the HTTP "POST" request is sent
@@ -164,8 +162,8 @@ Scenario: Validations for verification failed validate-code scenario whe maximu
 # 401 errors for validate-code
 ###############################
 
-@OTPvalidationAPI_401.1_validate_code_no_authorization_header
-Scenario: No Authorization header for calidate-code
+  @OTPvalidationAPI_401.1_validate_code_no_authorization_header
+  Scenario: No Authorization header for calidate-code
     Given the header "Authorization" is removed
     When the HTTP "POST" request is sent
     Then the response property "$.status" is 401
@@ -173,8 +171,8 @@ Scenario: No Authorization header for calidate-code
     And the response property "$.message" contains a user friendly text
     And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_401.2_validate_code_expired_access_token
-Scenario: Expired access token for validate-code
+  @OTPvalidationAPI_401.2_validate_code_expired_access_token
+  Scenario: Expired access token for validate-code
     Given the header "Authorization" is set to an expired access token
     When the HTTP "POST" request is sent
     Then the response property "$.status" is 401
@@ -182,8 +180,8 @@ Scenario: Expired access token for validate-code
     And the response property "$.message" contains a user friendly text
     And the response header "x-correlator" has same value as the request header "x-correlator"
 
-@OTPvalidationAPI_401.3_validate_code_invalid_access_token
-Scenario: Invalid access token for validate-code
+  @OTPvalidationAPI_401.3_validate_code_invalid_access_token
+  Scenario: Invalid access token for validate-code
     Given the header "Authorization" is set to an invalid access token
     When the HTTP "POST" request is sent
     Then the response property "$.status" is 401
@@ -195,11 +193,11 @@ Scenario: Invalid access token for validate-code
 # 404 errors for validate-code
 ###############################
 
-@OTPvalidationAPI_404_validate_code_resource_not_found
-Scenario: resource not found
-    Given the request body property "$.authenticationId" is set to an unknown value
-    When the HTTP "POST" request is sent
-    Then the response property "$.status" is 404
-    And the response property "$.code" is "NOT_FOUND"
-    And the response header "x-correlator" has same value as the request header "x-correlator"
-    And the response property "$.message" contains a user friendly text
+  @OTPvalidationAPI_404_validate_code_resource_not_found
+  Scenario: resource not found
+    Given the request body property "$.authenticationId" is set to an unknown value
+    When the HTTP "POST" request is sent
+    Then the response property "$.status" is 404
+    And the response property "$.code" is "NOT_FOUND"
+    And the response header "x-correlator" has same value as the request header "x-correlator"
+    And the response property "$.message" contains a user friendly text
diff --git a/lint_function/camara-language-avoid-telco.js b/lint_function/camara-language-avoid-telco.js
deleted file mode 100644
index 061b543..0000000
--- a/lint_function/camara-language-avoid-telco.js
+++ /dev/null
@@ -1,40 +0,0 @@
-// CAMARA Project - support function for Spectral linter
-// 31.01.2024 - initial version
-
-const replacements = [
-  { original: 'UE', recommended: 'device' },
-  { original: 'MSISDN', recommended: 'phone number' },
-  { original: 'mobile network', recommended: 'network' }
-];
-
-export default async function (input) {
-  const errors = [];
-  const suggestions = [];
-
-  // Iterate over properties of the input object
-  for (const path in input) {
-    const value = input[path];
-
-    // Check if the value is a string
-    if (typeof value === 'string') {
-      for (const replacement of replacements) {
-        const original = replacement.original;
-        const recommended = replacement.recommended;
-
-        // Use a regular expression to match 'original' as a standalone word
-        const regex = new RegExp(`\\b${original}\\b`, 'g');
-
-        // Check if 'original' exists in the value
-        if (regex.test(value)) {
-          errors.push(replacement);
-          suggestions.push(` Telco-specific terminology found in input: Consider replacing '${original}' with '${recommended}'.`);
-        }
-      }
-    }
-  }
-
-  // Check if any word from 'replacements' is in the suggestions
-  if (errors.length > 0) {
-    console.log(`Hint camara-language-avoid-telco ` + suggestions.join(', '));
-  }
-};
diff --git a/lint_function/camara-reserved-words.js b/lint_function/camara-reserved-words.js
deleted file mode 100644
index c28e63a..0000000
--- a/lint_function/camara-reserved-words.js
+++ /dev/null
@@ -1,98 +0,0 @@
-// CAMARA Project - support function for Spectral linter
-// 31.01.2024 - initial version
-
-const reservedWords = [
-  'abstract',
-  'apiclient',
-  'apiexception',
-  'apiresponse',
-  'assert',
-  'boolean',
-  'break',
-  'byte',
-  'case',
-  'catch',
-  'char',
-  'class',
-  'configuration',
-  'const',
-  'continue',
-  'do',
-  'double',
-  'else',
-  'extends',
-  'file',
-  'final',
-  'finally',
-  'float',
-  'for',
-  'goto',
-  'if',
-  'implements',
-  'import',
-  'instanceof',
-  'int',
-  'interface',
-  'list',
-  'localdate',
-  'localreturntype',
-  'localtime',
-  'localvaraccept',
-  'localvaraccepts',
-  'localvarauthnames',
-  'localvarcollectionqueryparams',
-  'localvarcontenttype',
-  'localvarcontenttypes',
-  'localvarcookieparams',
-  'localvarformparams',
-  'localvarheaderparams',
-  'localvarpath',
-  'localvarpostbody',
-  'localvarqueryparams',
-  'long',
-  'native',
-  'new',
-  'null',
-  'object',
-  'offsetdatetime',
-  'package',
-  'private',
-  'protected',
-  'public',
-  'return',
-  'short',
-  'static',
-  'strictfp',
-  'stringutil',
-  'super',
-  'switch',
-  'synchronized',
-  'this',
-  'throw',
-  'throws',
-  'transient',
-  'try',
-  'void',
-  'volatile',
-  'while'
-];
-// Reserved word 'enum' and 'default' are removed from above reserved word array as they are common in openAPI keyword
-export default async function lintReservedWords(input) {
-  // Iterate over properties of the input object
-  for (const path in input) {
-    if (typeof path === 'string') {
-
-      for (const word of reservedWords) {
-        const regex = new RegExp(`\\b${word}\\b`, 'g'); // Use a regular expression to match 'word' as a standalone word
-
-        if (regex.test(path)) {
-          const warningRuleName = 'camara-reserved-words';
-          const description = `Reserved words found in input: Consider avoiding the use of reserved word '${word}'`;
-          // const location = `${path}`;
-
-          console.log(`warning ${warningRuleName} ${description} ${path}`);
-        }
-      }
-    }
-  }
-}
diff --git a/lint_function/camara-security-no-secrets-in-path-or-query-parameters.js b/lint_function/camara-security-no-secrets-in-path-or-query-parameters.js
deleted file mode 100644
index ebbff2a..0000000
--- a/lint_function/camara-security-no-secrets-in-path-or-query-parameters.js
+++ /dev/null
@@ -1,26 +0,0 @@
-// CAMARA Project - support function for Spectral linter
-// 31.01.2024 - initial version
-
-const sensitiveData = ['MSISDN','IMSI','phoneNumber'];
-
-export default async function (input) {
-
-  // Iterate over properties of the input object
-  for (const path in input) {
-
-    if (typeof path === 'string') {
-      for (const word of sensitiveData ) {
-        const regex = new RegExp(`\\b${word}\\b`, 'g'); // Use a regular expression to match 'word' as a standalone word
-
-        if (regex.test(path)) {
-
-          const warningRuleName = 'camara-security-no-secrets-in-path-or-query-parameters';
-          const description = `sensitiveData Data found in path: Consider avoiding the use of sensitiveData data '${word}'`;
-          const location = `paths.${path}`;
-          console.log(`warning ${warningRuleName} ${description} ${location}`);
-
-        }
-      }
-    }
-  }
-}