[AZ-189] [AZ-190] [AZ-191] [AZ-192] [AZ-193] [AZ-194] [AZ-195] Add e2e blackbox test suite

Made-with: Cursor
2026-04-22 09:26:34 +00:00 · 2026-04-16 06:25:36 +03:00
parent 1b38e888e1
commit d320d6dd59
98 changed files with 6883 additions and 1 deletions
@@ -0,0 +1,104 @@
+# Security Tests
+
+### NFT-SEC-01: Unauthenticated Access to Protected Endpoints
+
+**Summary**: All protected endpoints reject requests without JWT token.
+**Traces to**: AC-18
+
+**Steps**:
+
+| Step | Consumer Action | Expected Response |
+|------|----------------|------------------|
+| 1 | GET /users (no JWT) | HTTP 401 |
+| 2 | POST /resources/get (no JWT) | HTTP 401 |
+| 3 | POST /resources/check (no JWT) | HTTP 401 |
+| 4 | GET /resources/get-installer (no JWT) | HTTP 401 |
+| 5 | PUT /users/role (no JWT) | HTTP 401 |
+| 6 | DELETE /users (no JWT) | HTTP 401 |
+
+**Pass criteria**: All endpoints return HTTP 401 for unauthenticated requests
+
+---
+
+### NFT-SEC-02: Non-Admin Access to Admin Endpoints
+
+**Summary**: Non-ApiAdmin users cannot access admin-only endpoints.
+**Traces to**: AC-9
+
+**Steps**:
+
+| Step | Consumer Action | Expected Response |
+|------|----------------|------------------|
+| 1 | Login as Operator role user | HTTP 200, JWT token |
+| 2 | POST /users (register) with Operator JWT | HTTP 403 |
+| 3 | PUT /users/role with Operator JWT | HTTP 403 |
+| 4 | PUT /users/enable with Operator JWT | HTTP 403 |
+| 5 | DELETE /users with Operator JWT | HTTP 403 |
+
+**Pass criteria**: All admin endpoints return HTTP 403 for non-admin users
+
+---
+
+### NFT-SEC-03: Password Not Returned in User List
+
+**Summary**: User list endpoint does not expose password hashes.
+**Traces to**: AC-17
+
+**Steps**:
+
+| Step | Consumer Action | Expected Response |
+|------|----------------|------------------|
+| 1 | GET /users with ApiAdmin JWT | HTTP 200, JSON array |
+| 2 | Inspect each user object in response | No `passwordHash` or `password` field present |
+
+**Pass criteria**: Password hash is never included in API responses
+
+---
+
+### NFT-SEC-04: Expired JWT Token Rejection
+
+**Summary**: Expired JWT tokens are rejected.
+**Traces to**: AC-4, AC-18
+
+**Steps**:
+
+| Step | Consumer Action | Expected Response |
+|------|----------------|------------------|
+| 1 | Craft a JWT with `exp` set to past timestamp (same signing key) | Token string |
+| 2 | GET /users with expired JWT | HTTP 401 |
+
+**Pass criteria**: Expired token returns HTTP 401
+
+---
+
+### NFT-SEC-05: Encryption Key Uniqueness
+
+**Summary**: Different users produce different encryption keys for the same resource.
+**Traces to**: AC-19
+
+**Steps**:
+
+| Step | Consumer Action | Expected Response |
+|------|----------------|------------------|
+| 1 | Upload test file | HTTP 200 |
+| 2 | Download encrypted file as User A | Encrypted bytes A |
+| 3 | Download same file as User B (different credentials + hardware) | Encrypted bytes B |
+| 4 | Compare encrypted bytes A and B | Different |
+
+**Pass criteria**: Encrypted outputs differ between users
+
+---
+
+### NFT-SEC-06: Disabled User Cannot Login
+
+**Summary**: A disabled user account cannot authenticate.
+**Traces to**: AC-9
+
+**Steps**:
+
+| Step | Consumer Action | Expected Response |
+|------|----------------|------------------|
+| 1 | Register user, disable via PUT /users/enable | HTTP 200 |
+| 2 | Attempt POST /login with disabled user credentials | HTTP 409 or HTTP 403 |
+
+**Pass criteria**: Disabled user cannot obtain a JWT token