From 597f51de750fb50f60ddc9429c012ea47c564e04 Mon Sep 17 00:00:00 2001 From: Fernando Prado Date: Thu, 19 Jun 2025 15:37:53 +0200 Subject: [PATCH 1/2] update verify operation --- ...ber-verification-phoneNumberVerify.feature | 180 ++++++++++++++++ .../number-verification-verify.feature | 200 ------------------ 2 files changed, 180 insertions(+), 200 deletions(-) create mode 100644 code/Test_Definitions/number-verification-phoneNumberVerify.feature delete mode 100644 code/Test_Definitions/number-verification-verify.feature diff --git a/code/Test_Definitions/number-verification-phoneNumberVerify.feature b/code/Test_Definitions/number-verification-phoneNumberVerify.feature new file mode 100644 index 0000000..aa80c47 --- /dev/null +++ b/code/Test_Definitions/number-verification-phoneNumberVerify.feature 
@@ -0,0 +1,180 @@ +Feature: CAMARA Number Verification API, vwip - Operation phoneNumberVerify + + # Input to be provided by the implementation to the tester + # + # References to OAS spec schemas refer to schemas specified in + # /code/API_definitions/number-verification.yaml + # + # Testing assets: + # * a valid testing phone number supported by the service + # * a valid testing hashed phone number supported by the service + + + Background: Common phoneNumberVerify setup + Given the resource "/number-verification/vwip" as base url + And the header "Content-Type" is set to "application/json" + And the header "Authorization" is set to a valid access token + And the header "x-correlator" complies with the schema at "#/components/schemas/XCorrelator" + And the request body is set by default to a request body compliant with the schema + + # Generic success scenario + + @phone_number_verify_01_generic_success_scenario + Scenario: Common validations for any success scenario + Given a valid phone number identified by the token and provided in the request body + When the request "phoneNumberVerify" is sent + Then the response status code is 200 + And the response header "Content-Type" is "application/json" + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response body complies with the OAS schema at "#/components/schemas/NumberVerificationMatchResponse" + + + # Scenarios testing specific situations + + @phone_number_verify.02_validate_phone_number_success_true + Scenario: Validate success with phone number when response is true + Given a valid phone number supported by the service, identified by the token + And the token has been obtained by a supported authentication method + And the body property "$.phoneNumber" is set to the phone number identified by the access token + When the request "phoneNumberVerify" is sent + Then the response status code is 200 + And the response property "$.devicePhoneNumberVerified" == 
true + + @phone_number_verify.03_validate_phone_number_success_false + Scenario: Validate success with phone number when response is false + Given a valid phone number supported by the service, identified by the token + And the token has been obtained by a supported authentication method + And the body property "$.phoneNumber" is set to a valid phone number different from the one identified by the access token + When the request "phoneNumberVerify" is sent + Then the response status code is 200 + And the response property "$.devicePhoneNumberVerified" == false + + @phone_number_verify.04_validate_hashed_phone_number_success_true + Scenario: Validate success with hashed phone number when response is true + Given a valid phone number supported by the service, identified by the token + And the token has been obtained by a supported authentication method + And the body property "$.hashedPhoneNumber" is set to the phone number identified by the access token, hashed in SHA-256 (in hexadecimal representation) + When the request "phoneNumberVerify" is sent + Then the response status code is 200 + And the response property "$.devicePhoneNumberVerified" == true + + @phone_number_verify.05_validate_hashed_phone_number_success_false + Scenario: Validate success with hashed phone number when response is false + Given a valid phone number supported by the service, identified by the token + And the token has been obtained by a supported authentication method + And the body property "$.hashedPhoneNumber" is set to a valid phone number different from the one identified by the access token, hashed in SHA-256 (in hexadecimal representation) + When the request "phoneNumberVerify" is sent + Then the response status code is 200 + And the response property "$.devicePhoneNumberVerified" == false + + + # Generic 400 errors + + @phone_number_verify_400.1_no_request_body + Scenario: Missing request body + Given the request body is not included + When the request "phoneNumberVerify" is sent + 
Then the response status code is 400 + And the response property "$.status" is 400 + And the response property "$.code" is "INVALID_ARGUMENT" + And the response property "$.message" contains a user friendly text + + @phone_number_verify_400.2_empty_request_body + Scenario: Empty object as request body + Given the request body is set to "{}" + When the request "phoneNumberVerify" is sent + Then the response status code is 400 + And the response property "$.status" is 400 + And the response property "$.code" is "INVALID_ARGUMENT" + And the response property "$.message" contains a user friendly text + + @phone_number_verify_400.3_invalid_request_non_existing_property + Scenario: Error when request body contains a property but it is neither phoneNumber nor hashedPhoneNumber + Given a valid testing phoneNumber supported by the service, identified by the token + And the request body property "$.additional_property" is set to "foo_value" + And the request body does not contain neither "$.phoneNumber" nor "$.hashedPhoneNumber" + Then the response status code is 400 + And the response property "$.status" is 400 + And the response property "$.code" is "INVALID_ARGUMENT" + And the response property "$.message" contains a user friendly text + + # Other specific 400 errors + + @phone_number_verify_400.4_both_phone_number_and_hashed_in_request + Scenario: Response error when phoneNumber and hashedPhoneNumber are provided together in the request body + Given the request body property "$.phoneNumber" is set to a valid phone number + And the same phone number is compliant with OAS schema at "#/components/schemas/PhoneNumber" + And the request body property "$.hashedPhoneNumber" is set to a valid phone number compliant with OAS schema at "#/components/schemas/HashedPhoneNumber" + When the request "phoneNumberVerify" is sent + Then the response status code is 400 + And the response property "$.status" is 400 + And the response property "$.code" is "INVALID_ARGUMENT" + And the 
response property "$.message" contains a user friendly text + + # Generic 401 errors + + @phone_number_verify_401.1_no_authorization_header + Scenario: No Authorization header + Given the header "Authorization" is removed + And the request body is set to a valid request body + When the request "phoneNumberVerify" is sent + Then the response status code is "401" + And the response property "$.status" is 401 + And the response property "$.code" is "UNAUTHENTICATED" + And the response property "$.message" contains a user friendly text + + @phone_number_verify_401.2_expired_access_token + Scenario: Expired access token + Given the header "Authorization" is set to an expired access token + And the request body is set to a valid request body + When the request "phoneNumberVerify" is sent + Then the response status code is "401" + And the response property "$.status" is 401 + And the response property "$.code" is "UNAUTHENTICATED" + And the response property "$.message" contains a user friendly text + + @phone_number_verify_401.3_invalid_access_token + Scenario: Invalid access token + Given the header "Authorization" is set to an invalid access token + And the request body is set to a valid request body + When the request "phoneNumberVerify" is sent + Then the response status code is "401" + And the response property "$.status" is 401 + And the response property "$.code" is "UNAUTHENTICATED" + And the response property "$.message" contains a user friendly text + + # Generic 403 errors + + @phoneNumberVerify_403.1_invalid_token_permissions + Scenario: Access token does not have the required permissions + Given the header "Authorization" is set to an access token without the required scope + And the request body is set to a valid request body + When the request "phoneNumberVerify" is sent + Then the response status code is "403" + And the response property "$.status" is 403 + And the response property "$.code" is "PERMISSION_DENIED" + And the response property "$.message" 
contains a user friendly text + + # Other specific 403 errors + + @phoneNumberVerify_403.2_not_authenticated_using_network_or_sim_based_authentication + Scenario: Response error when the token has not been obtained by a supported authentication method + Given the header "Authorization" is set to a token for which neither Network-based nor SIM-based authentication was used + And the request body is set to a valid request body + When the request "phoneNumberVerify" is sent + Then the response status code is "403" + And the response property "$.status" is 403 + And the response property "$.code" is "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK" + And the response property "$.message" contains a user friendly text + + # Error scenarios for management of input parameter phoneNumber + + @phone_number_verify_C02.01_phone_number_not_schema_compliant + Scenario: Phone number value does not comply with the schema + Given the header "Authorization" is set to a valid access token which does not identify a single phone number + And the request body property "$.phoneNumber" does not comply with the OAS schema at "#/components/schemas/PhoneNumber" + When the request "phoneNumberVerify" is sent + Then the response status code is 400 + And the response property "$.status" is 400 + And the response property "$.code" is "INVALID_ARGUMENT" + And the response property "$.message" contains a user friendly text diff --git a/code/Test_Definitions/number-verification-verify.feature b/code/Test_Definitions/number-verification-verify.feature deleted file mode 100644 index 7846a2d..0000000 --- a/code/Test_Definitions/number-verification-verify.feature +++ /dev/null 
@@ -1,200 +0,0 @@ -Feature: CAMARA Number Verification API, vwip - Operation phoneNumberVerify - -# Input to be provided by the implementation to the tests -# References to OAS spec schemas refer to schemas specified in -# /code/API_definitions/number-verification.yaml -# -# Implementation indications: -# * api_root: API root of the server URL -# -# Testing assets: -# * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 -# * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 -# * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED1 -# * a mobile device with SIM card with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED2 - - Background: Common Number Verification verify setup - Given the resource "/number-verification/vwip" as base url - And the header "Content-Type" is set to "application/json" - And the header "Authorization" is set to a valid access token - And the header "x-correlator" is set to a UUID value - And the request body is compliant with the schema NumberVerificationRequestBody - And the response body is compliant with the schema NumberVerificationMatchResponse - And the header "x-correlator" is set to a UUID value - And NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 is compliant with the schema DevicePhoneNumber - And NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 is compliant with the schema DevicePhoneNumber - And NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 is different to NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 - - @NumberVerification_verify0_phoneNumber_does_not_match_schema - Scenario Outline: phoneNumber value does not comply with the schema - Given the request body property "$.phoneNumber" is set to: - When the HTTP "POST" request is sent - Then the response status code is 400 - And the response property "$.status" is 400 - And the response property "$.code" is "INVALID_ARGUMENT" - And the response property "$.message" contains a user friendly text - And they acquired a valid access token 
associated with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 through OIDC authorization code flow - - Examples: - | phone_number_value | - | string_value | - | 1234567890 | - | +12334foo22222 | - | +00012230304913849 | - | 123 | - | ++49565456787 | - - @NumberVerification_verify100_match_true - Scenario: verify phone number NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1, network connection and access token matches NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - Given they use the base url - And the resource is "/verify" - And one of the scopes associated with the access token is number-verification:verify - When the HTTPS "POST" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" - Then the response status code is 200 - And the response property "$.devicePhoneNumberVerified" is true - - @NumberVerification_verify300_match_hashed_true - Scenario: verify hashed phone number hashed NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1, network connection and access token matches NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - Given they use the base url - And the resource is "/verify" - And one of the scopes associated with the access token is number-verification:verify - When the HTTPS "POST" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the request body has the field hashedPhoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED1 - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" 
is "application/json" - And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" - Then the response status code is 200 - And the response property "$.devicePhoneNumberVerified" is true - - @NumberVerification_verify101_match_false - Scenario: verify phone number NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 but access token is associated with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 - Given they use the base url - And the resource is "/verify" - And one of the scopes associated with the access token is number-verification:verify - When the HTTPS "POST" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" - Then the response status code is 200 - And the response property "$.devicePhoneNumberVerified" is false - - @NumberVerification_verify301_match_false - Scenario: verify hashed phone number NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 but access token is associated with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER2 - Given they use the base url - And the resource is "/verify" - And one of the scopes associated with the access token is number-verification:verify - When the HTTPS "POST" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the request body has the field hashedPhoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED2 - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the 
response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" - Then the response status code is 200 - And the response property "$.devicePhoneNumberVerified" is false - - @NumberVerification_verify200_missing_phone_number_in_request - Scenario: verify phone number but no phonenumber in request - Given they use the base url - And the resource is "/verify" - And one of the scopes associated with the access token is number-verification:verify - When the HTTPS "POST" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the request body has NO the field phoneNumber or hashedPhoneNumber - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" - Then the response status code is 400 - And the response property "$.status" is 400 - And the response property "$.code" is "INVALID_ARGUMENT" - And the response property "$.message" contains a user friendly text - - @NumberVerification_verify201_missing_scope - Scenario: verify phone number with valid access token but scope number-verification:verify is missing - Given they use the base url - And the resource is "/verify" - And none of the scopes associated with the access token is number-verification:verify - When the HTTPS "POST" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" - Then the response 
status code is 403 - And the response property "$.status" is 403 - And the response property "$.code" is "PERMISSION_DENIED" - And the response property "$.message" is "Client does not have sufficient permissions to perform this action." - - @NumberVerification_verify202_expired_access_token - Scenario: verify phone number with expired access token - Given they use the base url - And the resource is "/verify" - And one of the scopes associated with the access token is number-verification:verify - When the HTTPS "POST" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the access token has expired - And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" - Then the response status code is 401 - And the response property "$.status" is 401 - And the response property "$.code" is "UNAUTHENTICATED" - And the response property "$.message" is "Request not authenticated due to missing, invalid, or expired credentials." 
- - @NumberVerification_verify203_both_phone_number_and_hashed_in_request - Scenario: verify phone number but providing both plain and hashed phone number in the body - Given they use the base url - And the resource is "/verify" - And one of the scopes associated with the access token is number-verification:verify - When the HTTPS "POST" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the request body has the field phoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the request body has the field hashedPhoneNumber with a value of NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER_HASHED1 - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" - Then the response status code is 400 - And the response property "$.status" is 400 - And the response property "$.code" is "INVALID_ARGUMENT" - And the response property "$.message" contains a user friendly text - -# @NumberVerification_phone_number_verify204_no_phonenumber_associated_with_access_token -# Note: As 403 INVALID_TOKEN_CONTEXT code was removed this test is not anymore relevant. 
-# Scenario: verify phone number with valid access token that is not associated with a phone number -# Given they use the base url -# And the resource is "/verify" -# And one of the scopes associated with the access token is number-verification:verify -# When the HTTPS "GET" request is sent -# And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 -# And the access token is not associated with a phone number -# And the response header "x-correlator" has same value as the request header "x-correlator" -# And the response header "Content-Type" is "application/json" -# And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" -# Then the response status code is 403 -# And the response property "$.status" is 403 -# And the response property "$.code" is "INVALID_TOKEN_CONTEXT" -# And the response property "$.message" is "Phone number cannot be deducted from access token context." - - @NumberVerification_phone_number_verify205_must_have_used_network_or_sim_based_authentication - Scenario: verify phone number with valid access token but neither Network-Based authentication nor SIM-Based authentication was used - Given they use the base url - And the resource is "/verify" - And one of the scopes associated with the access token is number-verification:verify - When the HTTPS "GET" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the information, e.g. 
authentication method reference, associated with the access token indicates that neither Network-based nor SIM-based authentication was used - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" - Then the response status code is 403 - And the response property "$.status" is 403 - And the response property "$.code" is "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK" - And the response property "$.message" is "The subscription must be identified using either Network-based authentication or SIM-based authentication to access this service." From d4bb1bae0d10845697e68c5869ceff42b4f19ce8 Mon Sep 17 00:00:00 2001 From: Fernando Prado Date: Thu, 19 Jun 2025 16:12:52 +0200 Subject: [PATCH 2/2] update phone number share operation --- ...fication-device-phone-number-share.feature | 102 ------------------ ...mber-verification-phoneNumberShare.feature | 89 +++++++++++++++ 2 files changed, 89 insertions(+), 102 deletions(-) delete mode 100644 code/Test_Definitions/number-verification-device-phone-number-share.feature create mode 100644 code/Test_Definitions/number-verification-phoneNumberShare.feature diff --git a/code/Test_Definitions/number-verification-device-phone-number-share.feature b/code/Test_Definitions/number-verification-device-phone-number-share.feature deleted file mode 100644 index c0fc5e2..0000000 --- a/code/Test_Definitions/number-verification-device-phone-number-share.feature +++ /dev/null 
@@ -1,102 +0,0 @@ -Feature: CAMARA Number Verification API, vwip - Operation phoneNumberShare - -# Input to be provided by the implementation to the tests -# References to OAS spec schemas refer to schemas specified in -# /code/API_definitions/number-verification.yaml -# -# Implementation indications: -# * api_root: API root of the server URL -# -# Testing assets: -# * a mobile device with SIM card with NUMBERVERIFY_SHARE_PHONENUMBER1 -# * a mobile device with SIM card with NUMBERVERIFY_SHARE_PHONENUMBER2 - - Background: Common Number Verification phone number share setup - Given the resource "/device-phone-number/vwip" as base url - And the header "Content-Type" is set to "application/json" - And the header "Authorization" is set to a valid access token - And the header "x-correlator" is set to a UUID value - And the request body is compliant with the schema NumberVerificationRequestBody - And the response body is compliant with the schema NumberVerificationMatchResponse - And the header "x-correlator" is set to a UUID value - And NUMBERVERIFY_SHARE_PHONENUMBER1 is compliant with the schema DevicePhoneNumber - And NUMBERVERIFY_SHARE_PHONENUMBER2 is compliant with the schema DevicePhoneNumber - And NUMBERVERIFY_SHARE_PHONENUMBER1 is different to NUMBERVERIFY_SHARE_PHONENUMBER2 - And they acquired a valid access token associated with NUMBERVERIFY_SHARE_PHONENUMBER1 through OIDC authorization code flow - - @NumberVerification_phone_number_share100_match_true - Scenario: share phone number NUMBERVERIFY_SHARE_PHONENUMBER1, network connection and access token matches NUMBERVERIFY_SHARE_PHONENUMBER1 - Given they use the base url - And the resource is "/device-phone-number" - And one of the scopes associated with the access token is number-verification:device-phone-number:read - When the HTTPS "GET" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the response header "x-correlator" has 
same value as the request header "x-correlator" - And the response body complies with the OAS schema at "/components/schemas/NumberVerificationShareResponse" - Then the response status code is 200 - And the response property "$.devicePhoneNumber" is set to NUMBERVERIFY_SHARE_PHONENUMBER1 - - @NumberVerification_phone_number_share201_missing_scope - Scenario: share phone number with valid access token but scope number-verification:device-phone-number:read is missing - Given they use the base url - And the resource is "/device-phone-number" - And none of the scopes associated with the access token is number-verification:device-phone-number:read - When the HTTPS "GET" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the request body has the field phoneNumber with a value of NUMBERVERIFY_SHARE_PHONENUMBER1 - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" - Then the response status code is 403 - And the response property "$.status" is 403 - And the response property "$.code" is "PERMISSION_DENIED" - And the response property "$.message" is "Client does not have sufficient permissions to perform this action." 
- - @NumberVerification_phone_number_share202_expired_access_token - Scenario: share phone number with expired access token - Given they use the base url - And the resource is "/device-phone-number" - And one of the scopes associated with the access token is number-verification:device-phone-number:read - When the HTTPS "GET" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the access token has expired - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" - Then the response status code is 401 - And the response property "$.status" is 401 - And the response property "$.code" is "UNAUTHENTICATED" - And the response property "$.message" is "Request not authenticated due to missing, invalid, or expired credentials." - -# @NumberVerification_phone_number_share203_no_phonenumber_associated_with_access_token -# Note: As 403 INVALID_TOKEN_CONTEXT code was removed this test is not anymore relevant. 
-# Scenario: share phone number with valid access token that is not associated with a phone number -# Given they use the base url -# And the resource is "/device-phone-number" -# And one of the scopes associated with the access token is number-verification:device-phone-number:read -# When the HTTPS "GET" request is sent -# And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 -# And the access token is not associated with a phone number -# And the response header "x-correlator" has same value as the request header "x-correlator" -# And the response header "Content-Type" is "application/json" -# And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" -# Then the response status code is 403 -# And the response property "$.status" is 403 -# And the response property "$.code" is "INVALID_TOKEN_CONTEXT" -# And the response property "$.message" is "Phone number cannot be deducted from access token context." - - @NumberVerification_phone_number_share205_must_have_used_network_or_sim_based_authentication - Scenario: share phone number with valid access token but neither Network-Based authentication nor SIM-Based authentication was used - Given they use the base url - And the resource is "/device-phone-number" - And one of the scopes associated with the access token is number-verification:verify - When the HTTPS "GET" request is sent - And the connection the request is sent over originates from a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 - And the information, e.g. 
authentication method reference, associated with the access token indicates that neither Network-based nor SIM-based authentication was used - And the response header "x-correlator" has same value as the request header "x-correlator" - And the response header "Content-Type" is "application/json" - And the response body complies with the OAS schema at "/components/schemas/ErrorInfo" - Then the response status code is 403 - And the response property "$.status" is 403 - And the response property "$.code" is "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK" - And the response property "$.message" is "The subscription must be identified using either Network-based authentication or SIM-based authentication to access this service." diff --git a/code/Test_Definitions/number-verification-phoneNumberShare.feature b/code/Test_Definitions/number-verification-phoneNumberShare.feature new file mode 100644 index 0000000..92bc21a --- /dev/null +++ b/code/Test_Definitions/number-verification-phoneNumberShare.feature 
@@ -0,0 +1,89 @@ +Feature: CAMARA Number Verification API, vwip - Operation phoneNumberShare + + # Input to be provided by the implementation to the tester + # + # References to OAS spec schemas refer to schemas specified in + # /code/API_definitions/number-verification.yaml + # + # Testing assets: + # * a valid testing phone number supported by the service + + + Background: Common phoneNumberShare setup + Given the resource "/number-verification/vwip" as base url + And the header "Content-Type" is set to "application/json" + And the header "Authorization" is set to a valid access token + And the header "x-correlator" complies with the schema at "#/components/schemas/XCorrelator" + + + # Generic success scenario + + @phone_number_share_01_generic_success_scenario + Scenario: Common validations for any success scenario + Given a valid phone number supported by the service, identified by the token + When the request "phoneNumberShare" is sent + Then the response status code is 200 + And the response header "Content-Type" is "application/json" + And the response header "x-correlator" has same value as the request header "x-correlator" + And the response body complies with the OAS schema at "#/components/schemas/NumberVerificationShareResponse" + + + # Scenarios testing specific situations + @phone_number_share_02_success_scenario + Scenario: Validate success scenario + Given a valid phone number supported by the service, identified by the token + And the token has been obtained by a supported authentication method + When the request "phoneNumberShare" is sent + Then the response status code is 200 + And the response property "$.devicePhoneNumber" is equal to the phone number associated with the access token + + # Generic 401 errors + + @phone_number_verify_401.1_no_authorization_header + Scenario: No Authorization header + Given the header "Authorization" is removed + When the request "phoneNumberShare" is sent + Then the response status code is "401" + And the 
response property "$.status" is 401 + And the response property "$.code" is "UNAUTHENTICATED" + And the response property "$.message" contains a user friendly text + + @phone_number_verify_401.2_expired_access_token + Scenario: Expired access token + Given the header "Authorization" is set to an expired access token + When the request "phoneNumberShare" is sent + Then the response status code is "401" + And the response property "$.status" is 401 + And the response property "$.code" is "UNAUTHENTICATED" + And the response property "$.message" contains a user friendly text + + @phone_number_verify_401.3_invalid_access_token + Scenario: Invalid access token + Given the header "Authorization" is set to an invalid access token + When the request "phoneNumberShare" is sent + Then the response status code is "401" + And the response property "$.status" is 401 + And the response property "$.code" is "UNAUTHENTICATED" + And the response property "$.message" contains a user friendly text + + # Generic 403 errors + + @phoneNumberShare_403.1_invalid_token_permissions + Scenario: Access token does not have the required permissions + Given the header "Authorization" is set to an access token without the required scope + When the request "phoneNumberShare" is sent + Then the response status code is "403" + And the response property "$.status" is 403 + And the response property "$.code" is "PERMISSION_DENIED" + And the response property "$.message" contains a user friendly text + + # Other specific 403 errors + + @phoneNumberShare_403.2_not_authenticated_using_network_or_sim_based_authentication + Scenario: Response error when the token has not been obtained by a supported authentication method + Given the header "Authorization" is set to a token for which neither Network-based nor SIM-based authentication was used + When the request "phoneNumberShare" is sent + Then the response status code is "403" + And the response property "$.status" is 403 + And the response property 
"$.code" is "NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK" + And the response property "$.message" contains a user friendly text
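Review bot: In the new code/Test_Definitions/number-verification-phoneNumberVerify.feature (PATCH 1/2), scenario `@phone_number_verify_400.3_invalid_request_non_existing_property` never sends the request: it goes from `And the request body does not contain neither "$.phoneNumber" nor "$.hashedPhoneNumber"` straight to `Then the response status code is 400`, so add `When the request "phoneNumberVerify" is sent` before the `Then` (and reword the double negative as "contains neither ... nor"). In `@phone_number_verify_400.4_both_phone_number_and_hashed_in_request` the step `And the request body property "$.hashedPhoneNumber" is set to a valid phone number compliant with OAS schema at "#/components/schemas/HashedPhoneNumber"` should set a hashed phone number (SHA-256, hexadecimal, as scenarios 04 and 05 state), not a plain one, and the separate step `And the same phone number is compliant with OAS schema at "#/components/schemas/PhoneNumber"` belongs in the preceding Given as a qualifier of the value rather than as its own step. The Background step `And the request body is set by default to a request body compliant with the schema` names no schema; the deleted file referenced NumberVerificationRequestBody, so point at that schema the way the other steps reference theirs. Tag naming mixes four styles in one file (`@phone_number_verify_01_...`, `@phone_number_verify.02_...`, `@phoneNumberVerify_403.1_...`, `@phone_number_verify_C02.01_...`) and status codes are sometimes quoted (`is "401"`) and sometimes bare (`is 200`); pick one convention for each. Finally, `@phone_number_verify_C02.01_phone_number_not_schema_compliant` starts with `Given the header "Authorization" is set to a valid access token which does not identify a single phone number`, which contradicts the feature's own testing assets (the token identifies the testing phone number) and is not what the scenario tests; confirm this is intended or drop the step.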
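Review bot: The deleted code/Test_Definitions/number-verification-verify.feature (PATCH 1/2) carried an Examples table of concrete non-compliant phoneNumber values (`| string_value |`, `| +12334foo22222 |`, `| ++49565456787 |`) under `@NumberVerification_verify0_phoneNumber_does_not_match_schema`; the replacement scenario `@phone_number_verify_C02.01_phone_number_not_schema_compliant` has no concrete inputs, so consider keeping the table as a Scenario Outline so the schema check is still exercised with known bad values. The deletion also drops the exact `$.message` assertions (e.g. "Client does not have sufficient permissions to perform this action.") in favour of "contains a user friendly text"; since git records this as delete plus create rather than a rename, the commit message "update verify operation" should say that the file is renamed and that the message assertions are deliberately relaxed.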
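Review bot: The deleted code/Test_Definitions/number-verification-device-phone-number-share.feature (PATCH 2/2) had internal inconsistencies worth recording in the commit message as the reason for replacing it rather than editing it: `@NumberVerification_phone_number_share205_...` checked scope `number-verification:verify` instead of `number-verification:device-phone-number:read`, the scenarios referenced `NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1` from the verify feature instead of `NUMBERVERIFY_SHARE_PHONENUMBER1`, and `@NumberVerification_phone_number_share201_missing_scope` set a request body on a GET. The new file no longer names scopes or per-device assets, so these go away, but "update phone number share operation" does not tell a reader why.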
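Review bot: In the new code/Test_Definitions/number-verification-phoneNumberShare.feature (PATCH 2/2) the three 401 scenarios keep tags copied from the verify feature: `@phone_number_verify_401.1_no_authorization_header`, `@phone_number_verify_401.2_expired_access_token` and `@phone_number_verify_401.3_invalid_access_token`. Rename them to `phone_number_share_401.x` so the tag identifies this operation and does not collide with the identical tags in number-verification-phoneNumberVerify.feature when scenarios are selected by tag. The same two style points as in the verify feature apply here: tags mix `@phone_number_share_02_...` with `@phoneNumberShare_403.1_...`, and status codes are quoted in some scenarios (`is "401"`) and bare in others (`is 200`); also the blank line between `# Scenarios testing specific situations` and `@phone_number_share_02_success_scenario` is missing, unlike in the verify feature.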