@authorization @authorize Feature: Authorization

As the configuration service 
I want to enforce authorization policies
In order to regulate client actions

Scenario: Allowed consumption
  Given the specified configuration exists
  And I am allowed to request configuration
  When I request configuration data
  Then I should be allowed to request configurations

Scenario: Denied consumption
  Given I am not allowed to request configuration
  When I request configuration data
  Then I should be notified that my request is 'not authorized'

Scenario: Allowed publication
  Given I am allowed to publish configurations
  When I request publication of the configuration data
  Then I should be allowed to publish configurations

Scenario: Denied publication
  Given I am not allowed to publish configurations
  When I request publication of the configuration data
  Then I should be notified that my request is 'not authorized'

Scenario: Allowed to create credentials for consuming configuration
  Given the specified configuration exists
  And I am allowed to authorize consumption of configuration 
  When I authorize consumption of the configuration
  Then I receive credentials that allow consumption of the configuration

Scenario: Allowed to create credentials for consuming referenced configurations
  Given existing configuration data containing references 
  And the referenced configuration exists
  And I am allowed to authorize consumption of configuration 
  When I authorize consumption of the configuration
  Then I receive credentials that allow consumption of the referenced configurations

Scenario: Token-less request
  Given I do not have a token
  When I request configuration data
  Then I should be notified that my request is 'not authorized'