diff --git a/changelog.d/5-internal/sqservices-1118-2 b/changelog.d/5-internal/sqservices-1118-2 new file mode 100644 index 0000000000..0d24028303 --- /dev/null +++ b/changelog.d/5-internal/sqservices-1118-2 @@ -0,0 +1 @@ +Tag integration tests for certification. diff --git a/libs/zauth/test/ZAuth.hs b/libs/zauth/test/ZAuth.hs index 67729073b4..65dbd8b4c8 100644 --- a/libs/zauth/test/ZAuth.hs +++ b/libs/zauth/test/ZAuth.hs @@ -105,6 +105,8 @@ testExpired p = do x <- liftIO $ runValidate p $ check t liftIO $ Left Expired @=? x +-- @END + testSignAndVerify :: V.Env -> Create () testSignAndVerify p = do u <- liftIO nextRandom diff --git a/services/brig/test/integration/API/User/Account.hs b/services/brig/test/integration/API/User/Account.hs index f09af13c4a..7c4959d9b9 100644 --- a/services/brig/test/integration/API/User/Account.hs +++ b/services/brig/test/integration/API/User/Account.hs @@ -177,6 +177,8 @@ testCreateUserWithInvalidVerificationCode brig = do ] postUserRegister' regEmail brig !!! const 404 === statusCode +-- @END + testUpdateUserEmailByTeamOwner :: Brig -> Http () testUpdateUserEmailByTeamOwner brig = do (_, teamOwner, emailOwner : otherTeamMember : _) <- createPopulatedBindingTeamWithNamesAndHandles brig 2 @@ -305,6 +307,8 @@ testCreateUserEmptyName brig = do post (brig . path "/register" . contentJson . body p) !!! const 400 === statusCode +-- @END + -- The testCreateUserLongName test conforms to the following testing standards: -- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- @@ -319,6 +323,8 @@ testCreateUserLongName brig = do post (brig . path "/register" . contentJson . body p) !!! const 400 === statusCode +-- @END + testCreateUserAnon :: Brig -> Galley -> Http () testCreateUserAnon brig galley = do let p = @@ -437,6 +443,8 @@ testCreateUserConflict _ brig = do const 409 === statusCode const (Just "key-exists") === fmap Error.label . responseJsonMaybe +-- @END + -- The testCreateUserInvalidEmailOrPhone test conforms to the following testing standards: -- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- @@ -468,6 +476,8 @@ testCreateUserInvalidEmailOrPhone _ brig = do post (brig . path "/register" . contentJson . body reqPhone) !!! const 400 === statusCode +-- @END + testCreateUserBlacklist :: Opt.Opts -> Brig -> AWS.Env -> Http () testCreateUserBlacklist (Opt.setRestrictUserCreation . Opt.optSettings -> Just True) _ _ = pure () testCreateUserBlacklist _ brig aws = diff --git a/services/brig/test/integration/API/User/Auth.hs b/services/brig/test/integration/API/User/Auth.hs index 22ed0ea735..f4ee97ea3f 100644 --- a/services/brig/test/integration/API/User/Auth.hs +++ b/services/brig/test/integration/API/User/Auth.hs @@ -377,6 +377,8 @@ testLoginFailure brig = do login brig (PasswordLogin (LoginByEmail badmail) defPassword Nothing) PersistentCookie !!! const 403 === statusCode +-- @END + testThrottleLogins :: Opts.Opts -> Brig -> Http () testThrottleLogins conf b = do -- Get the maximum amount of times we are allowed to login before @@ -455,6 +457,8 @@ testLimitRetries conf brig = do liftIO $ threadDelay (1000000 * 2) login brig (defEmailLogin email) SessionCookie !!! const 200 === statusCode +-- @END + ------------------------------------------------------------------------------- -- LegalHold Login @@ -599,6 +603,8 @@ testInvalidCookie z b = do const 403 === statusCode const (Just "expired") =~= responseBody +-- @END + testInvalidToken :: Brig -> Http () testInvalidToken b = do -- Syntactically invalid @@ -967,6 +973,8 @@ testTooManyCookies config b = do ) xxx -> error ("Unexpected status code when logging in: " ++ show xxx) +-- @END + testLogout :: Brig -> Http () testLogout b = do Just email <- userEmail <$> randomUser b diff --git a/services/brig/test/integration/API/User/Client.hs b/services/brig/test/integration/API/User/Client.hs index 27a20c4c3e..0a2e131569 100644 --- a/services/brig/test/integration/API/User/Client.hs +++ b/services/brig/test/integration/API/User/Client.hs @@ -444,6 +444,8 @@ testTooManyClients opts brig = do const (Just "too-many-clients") === fmap Error.label . responseJsonMaybe const (Just "application/json;charset=utf-8") === getHeader "Content-Type" +-- @END + -- The testRemoveClient test conforms to the following testing standards: -- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- @@ -489,6 +491,8 @@ testRemoveClient hasPwd brig cannon = do newClientCookie = Just defCookieLabel } +-- @END + -- The testRemoveClientShortPwd test conforms to the following testing standards: -- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- @@ -521,6 +525,8 @@ testRemoveClientShortPwd brig = do newClientCookie = Just defCookieLabel } +-- @END + -- The testRemoveClientIncorrectPwd test conforms to the following testing standards: -- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- @@ -553,6 +559,8 @@ testRemoveClientIncorrectPwd brig = do newClientCookie = Just defCookieLabel } +-- @END + testUpdateClient :: Opt.Opts -> Brig -> Http () testUpdateClient opts brig = do uid <- userId <$> randomUser brig @@ -760,6 +768,8 @@ testAddMultipleTemporary brig galley = do . zUser u return $ Vec.length <$> (preview _Array =<< responseJsonMaybe @Value r) +-- @END + testPreKeyRace :: Brig -> Http () testPreKeyRace brig = do uid <- userId <$> randomUser brig diff --git a/services/brig/test/integration/API/User/Handles.hs b/services/brig/test/integration/API/User/Handles.hs index a339199128..5ea8fce5b7 100644 --- a/services/brig/test/integration/API/User/Handles.hs +++ b/services/brig/test/integration/API/User/Handles.hs @@ -138,6 +138,8 @@ testHandleUpdate brig cannon = do put (brig . path "/self/handle" . contentJson . zUser uid2 . zConn "c" . body update) !!! const 200 === statusCode +-- @END + testHandleRace :: Brig -> Http () testHandleRace brig = do us <- replicateM 10 (userId <$> randomUser brig) diff --git a/services/galley/test/integration/API.hs b/services/galley/test/integration/API.hs index 0186f3448d..13d41e2b80 100644 --- a/services/galley/test/integration/API.hs +++ b/services/galley/test/integration/API.hs @@ -452,6 +452,8 @@ postCryptoMessageVerifyMsgSentAndRejectIfMissingClient = do liftIO $ assertBool "unexpected equal clients" (bc /= bc2) assertNoMsg wsB2 (wsAssertOtr qconv qalice ac bc cipher) +-- @END + -- @SF.Separation @TSFI.RESTfulAPI @S2 -- This test verifies basic mismatch behavior of the the JSON endpoint. postCryptoMessageVerifyRejectMissingClientAndRepondMissingPrekeysJson :: TestM () @@ -478,6 +480,8 @@ postCryptoMessageVerifyRejectMissingClientAndRepondMissingPrekeysJson = do Map.keys (userClientMap (getUserClientPrekeyMap p)) @=? [eve] Map.keys <$> Map.lookup eve (userClientMap (getUserClientPrekeyMap p)) @=? Just [ec] +-- @END + -- @SF.Separation @TSFI.RESTfulAPI @S2 -- This test verifies basic mismatch behaviour of the protobuf endpoint. postCryptoMessageVerifyRejectMissingClientAndRepondMissingPrekeysProto :: TestM () @@ -506,6 +510,8 @@ postCryptoMessageVerifyRejectMissingClientAndRepondMissingPrekeysProto = do Map.keys (userClientMap (getUserClientPrekeyMap p)) @=? [eve] Map.keys <$> Map.lookup eve (userClientMap (getUserClientPrekeyMap p)) @=? Just [ec] +-- @END + -- | This test verifies behaviour when an unknown client posts the message. Only -- tests the Protobuf endpoint. postCryptoMessageNotAuthorizeUnknownClient :: TestM () @@ -547,6 +553,8 @@ postMessageClientNotInGroupDoesNotReceiveMsg = do checkEveGetsMsg checkChadDoesNotGetMsg +-- @END + -- @SF.Separation @TSFI.RESTfulAPI @S2 -- This test verifies that when a client sends a message not to all clients of a group then the server should reject the message and sent a notification to the sender (412 Missing clients). -- The test is somewhat redundant because this is already tested as part of other tests already. This is a stand alone test that solely tests the behavior described above. @@ -575,6 +583,8 @@ postMessageRejectIfMissingClients = do mkMsg :: ByteString -> (UserId, ClientId) -> (UserId, ClientId, Text) mkMsg text (userId, clientId) = (userId, clientId, toBase64Text text) +-- @END + -- @SF.Separation @TSFI.RESTfulAPI @S2 -- This test verifies behaviour under various values of ignore_missing and -- report_missing. Only tests the JSON endpoint. @@ -633,6 +643,8 @@ postCryptoMessageVerifyCorrectResponseIfIgnoreAndReportMissingQueryParam = do where listToByteString = BS.intercalate "," . map toByteString' +-- @END + -- | Sets up a conversation on Backend A known as "owning backend". All user's -- on this backend have names begining with 'A'. The conversation has a couple -- of users from backend B and one user from backend C. @@ -832,6 +844,8 @@ postMessageQualifiedLocalOwningBackendMissingClients = do assertMismatchQualified mempty expectedMissing mempty mempty WS.assertNoEvent (1 # Second) [wsBob, wsChad] +-- @END + -- | Sets up a conversation on Backend A known as "owning backend". One of the -- users from Backend A will send the message, it is expected that message will -- be sent successfully. @@ -1056,6 +1070,8 @@ postMessageQualifiedLocalOwningBackendIgnoreMissingClients = do assertMismatchQualified mempty expectedMissing mempty mempty WS.assertNoEvent (1 # Second) [wsBob, wsChad] +-- @END + postMessageQualifiedLocalOwningBackendFailedToSendClients :: TestM () postMessageQualifiedLocalOwningBackendFailedToSendClients = do -- WS receive timeout diff --git a/services/spar/test-integration/Test/Spar/APISpec.hs b/services/spar/test-integration/Test/Spar/APISpec.hs index 272674dac7..af466b1650 100644 --- a/services/spar/test-integration/Test/Spar/APISpec.hs +++ b/services/spar/test-integration/Test/Spar/APISpec.hs @@ -200,9 +200,8 @@ specInitiateLogin = do specFinalizeLogin :: SpecWith TestEnv specFinalizeLogin = do describe "POST /sso/finalize-login" $ do - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - -- Receiving an invalid SAML token from client should not give the user a valid access token - context "access denied" $ do + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 + context "rejectsSAMLResponseSayingAccessNotGranted" $ do it "responds with a very peculiar 'forbidden' HTTP response" $ do (_, tid, idp, (_, privcreds)) <- registerTestIdPWithMeta authnreq <- negotiateAuthnRequest idp @@ -222,6 +221,8 @@ specFinalizeLogin = do bdy `shouldContain` "}, receiverOrigin)" hasPersistentCookieHeader sparresp `shouldBe` Left "no set-cookie header" + -- @END + context "access granted" $ do let loginSuccess :: HasCallStack => ResponseLBS -> TestSpar () loginSuccess sparresp = liftIO $ do @@ -295,9 +296,8 @@ specFinalizeLogin = do authnresp <- runSimpleSP $ mkAuthnResponse privcreds idp3 spmeta authnreq True loginSuccess =<< submitAuthnResponse tid3 authnresp - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - -- Receiving an invalid SAML token from client should not give the user a valid access token - context "idp sends user to two teams with same issuer, nameid" $ do + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 + context "rejectsSAMLResponseInWrongTeam" $ do it "fails" $ do skipIdPAPIVersions [ WireIdPAPIV1 @@ -321,6 +321,8 @@ specFinalizeLogin = do authnresp <- runSimpleSP $ mkAuthnResponseWithSubj subj privcreds idp2 spmeta authnreq True loginFailure =<< submitAuthnResponse tid2 authnresp + -- @END + context "user is created once, then deleted in team settings, then can login again." $ do it "responds with 'allowed'" $ do (ownerid, teamid, idp, (_, privcreds)) <- registerTestIdPWithMeta @@ -414,8 +416,8 @@ specFinalizeLogin = do g (c : s) = c : g s g "" = "" - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - it "rejects saml responses with invalid issuer entity id" $ do + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 + it "rejectsSAMLResponseFromWrongIssuer" $ do let mkareq = negotiateAuthnRequest mkaresp privcreds idp spmeta authnreq = mkAuthnResponse @@ -433,8 +435,10 @@ specFinalizeLogin = do (cs . fromJust . responseBody $ sparresp) `shouldContainInBase64` "Input {iName = \"SAMLResponse\"" check mkareq mkaresp submitaresp checkresp - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - it "rejects saml responses signed with the wrong private key" $ do + -- @END + + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 + it "rejectsSAMLResponseSignedWithWrongKey" $ do (_, _, _, (_, badprivcreds)) <- registerTestIdPWithMeta let mkareq = negotiateAuthnRequest mkaresp _ idp spmeta authnreq = @@ -448,8 +452,10 @@ specFinalizeLogin = do checkresp sparresp = statusCode sparresp `shouldBe` 400 check mkareq mkaresp submitaresp checkresp - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - it "rejects saml responses to requests not in cassandra:spar.authreq" $ do + -- @END + + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 + it "rejectsSAMLResponseIfRequestIsStale" $ do let mkareq idp = do req <- negotiateAuthnRequest idp runSpar $ AReqIDStore.unStore (req ^. SAML.rqID) @@ -462,8 +468,10 @@ specFinalizeLogin = do (cs . fromJust . responseBody $ sparresp) `shouldContain` "bad InResponseTo attribute(s)" check mkareq mkaresp submitaresp checkresp - -- @SF.CHANNEL@TSFI.RESTfulAPI @S2 @S3 - it "rejects saml responses already seen (and recorded in cassandra:spar.authresp)" $ do + -- @END + + -- @SF.Channel @TSFI.RESTfulAPI @S2 @S3 + it "rejectsSAMLResponseIfResponseIsStale" $ do let mkareq = negotiateAuthnRequest mkaresp privcreds idp spmeta authnreq = mkAuthnResponse privcreds idp spmeta authnreq True submitaresp teamid authnresp = do @@ -474,6 +482,8 @@ specFinalizeLogin = do (cs . fromJust . responseBody $ sparresp) `shouldContain` "wire:sso:error:forbidden" check mkareq mkaresp submitaresp checkresp + -- @END + context "IdP changes response format" $ do it "treats NameId case-insensitively" $ do (_ownerid, tid, idp, (_, privcreds)) <- registerTestIdPWithMeta diff --git a/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs b/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs index 8d100b1545..bee95ef511 100644 --- a/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs +++ b/services/spar/test-integration/Test/Spar/Scim/AuthSpec.hs @@ -178,6 +178,8 @@ testCreateTokenAuthorizesOnlyAdmins = do (mkUser Galley.RoleAdmin >>= createToken') !!! const 200 === statusCode +-- @END + -- | Test that for a user with a password, token creation requires reauthentication (i.e. the -- field @"password"@ should be provided). -- @@ -362,7 +364,7 @@ testDeletedTokensAreUnlistable = do ---------------------------------------------------------------------------- -- Miscellaneous tests --- @SF.PROVISIONING @TSFI.RESTfulAPI @S2 +-- @SF.Provisioning @TSFI.RESTfulAPI @S2 -- This test verifies that the SCIM API responds with an authentication error -- and can't be used if it receives an invalid secret token -- or if no token is provided at all @@ -374,3 +376,5 @@ testAuthIsNeeded = do listUsers_ (Just invalidToken) Nothing (env ^. teSpar) !!! checkErr 401 Nothing -- Try to do @GET /Users@ without a token and check that it fails listUsers_ Nothing Nothing (env ^. teSpar) !!! checkErr 401 Nothing + +-- @END diff --git a/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs b/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs index ef91c6fd2f..118ecc6745 100644 --- a/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs +++ b/services/spar/test-integration/Test/Spar/Scim/UserSpec.hs @@ -479,6 +479,8 @@ testCreateRejectsInvalidHandle = do createUser_ (Just tok) (user {Scim.User.userName = "#invalid name"}) (env ^. teSpar) !!! const 400 === statusCode +-- @END + -- | Test that user creation fails if handle is already in use (even on different team). testCreateRejectsTakenHandle :: TestSpar () testCreateRejectsTakenHandle = do