README.md

# Test Plan for CAPIF Api Security Service
At this documentation you will have all information and related files and examples of test plan for this API.

## Test Case 1: Create a security context for an API invoker

**Test ID**: ***capif_security_api-1***

**Description**:

  This test case will check that an API Invoker can create a Security context

**Pre-Conditions**:

  * API Invoker is pre-authorised (has valid apiInvokerID from CAPIF Authority)

**Execution Steps**:

  1. Register and onboard Invoker at CCF
  2. Register Provider at CCF, store certificates and Publish Service API **service_1** at CCF.
  4. Create Security Context

**Information of Test**:

  1. Perform [Provider Registration] and [Invoker Onboarding]
  2. Publish Service API at CCF:
     * Send **POST** to ccf_publish_url **https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis**
     * body [service api description] with apiName **service_1**
     * Use **APF Certificate**
  3. Create Security Context for this Invoker
     * Send **PUT** **https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}**
     * body [service security body] with aefId and apiId
     * Use **Invoker Certificate**

**Expected Result**:

  1. Create security context:
     1. **201 Created** response.
     2. body returned must accomplish **ServiceSecurity** data structure.
     3. Location Header must contain the new resource URL **{apiRoot}/capif-security/v1/trustedInvokers/{apiInvokerId}**


## Test Case 2: Create a security context for an API invoker with Provider role

**Test ID**:: ***capif_security_api-2***

**Description**:

  This test case will check that an Provider cannot create a Security context with valid apiInvokerId.

**Pre-Conditions**:

  * API Invoker is pre-authorised (has valid apiInvokerID), but user that create Security Context with Provider role

**Execution Steps**:

  1. Register and onboard Invoker at CCF.
  2. Register Provider at CCF, store certificates and Publish Service API **service_1** at CCF.
  3. Create Security Context using Provider certificate

**Information of Test**:

  1. Perform [Provider Registration] and [Invoker Onboarding]
  2. Publish Service API at CCF:
     * Send **POST** to ccf_publish_url **https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis**
     * body [service api description] with apiName **service_1**
     * Use **APF Certificate**
  3. Create Security Context for this Invoker but using Provider certificate.
     * Send **PUT** **https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}**
     * body [service security body]
     * Using **AEF Certificate**

**Expected Result**:

  1. Create security context using Provider certificate:
     1. **401 Unauthorized** response.
     2. body returned must accomplish **ProblemDetails** data structure, with:
        * status **401**
        * title with message "Unauthorized"
        * detail with message "Role not authorized for this API route".
        * cause with message "User role must be invoker".

  2. No context stored at DB


## Test Case 3: Create a security context for an API invoker with Provider entity role and invalid apiInvokerId

**Test ID**:: ***capif_security_api-3***

**Description**:

  This test case will check that an Provider cannot create a Security context with invalid apiInvokerID.

**Pre-Conditions**:

  * API Invoker is pre-authorised (has valid apiInvokerID), but user that create Security Context with Provider role

**Execution Steps**:

  1. Register Provider at CCF
  2. Register Provider at CCF, store certificates and Publish Service API **service_1** at CCF.
  3. Create Security Context using Provider certificate

**Information of Test**:

  1. Perform [Provider Registration] and [Invoker Onboarding]
  2. Publish Service API at CCF:
     * Send **POST** to ccf_publish_url **https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis**
     * body [service api description] with apiName **service_1**
     * Use **APF Certificate**
  3. Create Security Context for this not valid apiInvokerId and using Provider certificate.
     * Send **PUT** **https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}**
     * body [service security body]
     * Using **AEF Certificate**

**Expected Result**:

  1. Create security context using Provider certificate:
     1. **401 Unauthorized** response.
     2. body returned must accomplish **ProblemDetails** data structure, with:
        * status **401**
        * title with message "Unauthorized"
        * detail with message "Role not authorized for this API route".
        * cause with message "User role must be invoker".
  2. No context stored at DB


## Test Case 4: Create a security context for an API invoker with Invoker entity role and invalid apiInvokerId

**Test ID**:: ***capif_security_api-4***

**Description**:

  This test case will check that an Invoker cannot create a Security context with valid apiInvokerId.

**Pre-Conditions**:

  * API Invoker is pre-authorised (has valid apiInvokerID), but user that create Security Context with invalid apiInvokerId

**Execution Steps**:

  1. Register and onboard Invoker at CCF
  2. Register Provider at CCF, store certificates and Publish Service API **service_1** at CCF.
  3. Create Security Context using Provider certificate

**Information of Test**:

  1. Perform [Provider Registration] and [Invoker Onboarding]
  2. Publish Service API at CCF:
     * Send **POST** to ccf_publish_url **https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis**
     * body [service api description] with apiName **service_1**
     * Use **APF Certificate**
  3. Create Security Context for this Invoker:
     * Send **PUT** **https://{CAPIF_HOSTNAME}/trustedInvokers/{API_INVOKER_NOT_VALID}**
     * body [service security body]
     * Use **Invoker Certificate**

**Expected Result**:

  1. Create security context using Provider certificate:
     1. **404 Not Found** response.
     2. body returned must accomplish **ProblemDetails** data structure, with:
        * status **404**
        * title with message "Not Found"
        * detail with message "Invoker not found".
        * cause with message "API Invoker not exists or invalid ID".

  2. No context stored at DB


## Test Case 5: Retrieve the Security Context of an API Invoker

**Test ID**:: ***capif_security_api-5***, ***smoke***

**Description**:

  This test case will check that an provider can retrieve the Security context of an API Invoker

**Pre-Conditions**:

  * Provider is pre-authorised (has valid apfId from CAPIF Authority) and API Invoker has created a valid Security Context

**Execution Steps**:

  1. Register and onboard Invoker at CCF
  2. Register Provider at CCF, store certificates and Publish Service API **service_1** at CCF.
  3. Create Security Context using Provider certificate
  4. Retrieve Security Context by Provider

**Information of Test**:

  1. Perform [Provider Registration] and [Invoker Onboarding]
  2. Publish Service API at CCF:
     * Send **POST** to ccf_publish_url **https://{CAPIF_HOSTNAME}/published-apis/v1/{apfId}/service-apis**
     * body [service api description] with apiName **service_1**
     * Use **APF Certificate**

  2. Create Security Context for this Invoker.
     * Send **PUT** **https://{CAPIF_HOSTNAME}/trustedInvokers/{apiInvokerId}**
     * body [service security body]
     * Using **Invoker Certificate**