# Blackbox Tests

## Positive Scenarios

### FT-P-01: Successful Login

**Summary**: User with valid credentials receives a JWT token.

**Traces to**: AC-1

**Category**: Authentication

**Preconditions**:
- Seed user `admin@azaion.com` exists in database

**Input data**: Valid email/password for seed admin user

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /login with valid email and password | HTTP 200, body contains non-empty `token` string |

**Expected outcome**: HTTP 200 with JWT token in response body

**Max execution time**: 5s

---

### FT-P-02: Successful User Registration

**Summary**: ApiAdmin creates a new user account.

**Traces to**: AC-5, AC-6, AC-7

**Category**: User Management

**Preconditions**:
- Caller authenticated as ApiAdmin

**Input data**: `{"email":"newuser@test.com","password":"validpwd1","role":"Operator"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | Login as admin to get JWT | HTTP 200, JWT token |
| 2 | POST /users with valid registration data and ApiAdmin JWT | HTTP 200 |

**Expected outcome**: HTTP 200, user created

**Max execution time**: 5s

---

### FT-P-03: JWT Token Structure Validation

**Summary**: JWT token contains correct issuer, audience, and lifetime claims.

**Traces to**: AC-4

**Category**: Authentication

**Preconditions**:
- Valid login completed

**Input data**: JWT token from login response

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | Login to get JWT | HTTP 200, JWT token |
| 2 | Decode JWT payload (Base64) | Claims contain `iss`, `aud`, `exp` |
| 3 | Validate `iss` == "AzaionApi" | Match |
| 4 | Validate `aud` == "Annotators/OrangePi/Admins" | Match |
| 5 | Validate `exp` - `iat` ≈ 14400s (4 hours) | Within ± 60s |

**Expected outcome**: All JWT claims match expected values

**Max execution time**: 5s

---

### FT-P-04: First Hardware Check Stores Fingerprint

**Summary**: On first hardware check, the fingerprint is stored for the user.

**Traces to**: AC-10

**Category**: Hardware Binding

**Preconditions**:
- User exists with no hardware bound

**Input data**: `{"hardware":"test-hw-fingerprint-001"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | Register new user, login to get JWT | HTTP 200 |
| 2 | POST /resources/check with hardware string | HTTP 200, body `true` |

**Expected outcome**: HTTP 200, hardware stored

**Max execution time**: 5s

---

### FT-P-05: Subsequent Hardware Check Matches

**Summary**: Same hardware fingerprint passes validation on subsequent calls.

**Traces to**: AC-11

**Category**: Hardware Binding

**Preconditions**:
- User with hardware already bound (from FT-P-04)

**Input data**: Same hardware string as initial binding

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /resources/check with same hardware | HTTP 200, body `true` |

**Expected outcome**: HTTP 200

**Max execution time**: 5s

---

### FT-P-06: List All Users

**Summary**: ApiAdmin retrieves the user list.

**Traces to**: AC-9

**Category**: User Management

**Preconditions**:
- Caller authenticated as ApiAdmin

**Input data**: GET /users with ApiAdmin JWT

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | GET /users with ApiAdmin JWT | HTTP 200, JSON array with >= 1 user |

**Expected outcome**: HTTP 200, array containing at least the seed users

**Max execution time**: 5s

---

### FT-P-07: Filter Users by Email

**Summary**: ApiAdmin filters users by email substring.

**Traces to**: AC-9

**Category**: User Management

**Preconditions**:
- Caller authenticated as ApiAdmin, seed users exist

**Input data**: GET /users?email=admin

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | GET /users?email=admin with ApiAdmin JWT | HTTP 200, all returned emails contain "admin" |

**Expected outcome**: HTTP 200, filtered list

**Max execution time**: 5s

---

### FT-P-08: Upload Resource File

**Summary**: Authenticated user uploads a file to a resource folder.

**Traces to**: AC-13

**Category**: Resource Distribution

**Preconditions**:
- Caller authenticated

**Input data**: Multipart form upload with 1 KB text file

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /resources/testfolder with multipart file | HTTP 200 |

**Expected outcome**: HTTP 200, file stored

**Max execution time**: 5s

---

### FT-P-09: Download Encrypted Resource

**Summary**: Authenticated user downloads an encrypted resource file.

**Traces to**: AC-14, AC-18

**Category**: Resource Distribution

**Preconditions**:
- User authenticated, hardware bound, resource file uploaded

**Input data**: `{"password":"validpwd1","hardware":"test-hw-001","fileName":"test.txt"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /resources/get with credentials | HTTP 200, Content-Type: application/octet-stream, non-empty body |

**Expected outcome**: HTTP 200 with encrypted binary content

**Max execution time**: 10s

---

### FT-P-10: Encryption Round-Trip Verification

**Summary**: Downloaded encrypted resource decrypts to the original file content.

**Traces to**: AC-15, AC-19

**Category**: Resource Distribution

**Preconditions**:
- Known file uploaded, user credentials known

**Input data**: Original file content, user email, password, hardware hash

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | Upload known file | HTTP 200 |
| 2 | Download encrypted file via API | HTTP 200, encrypted bytes |
| 3 | Derive AES key from email + password + hwHash | Key bytes |
| 4 | Decrypt downloaded content with derived key | Decrypted bytes |
| 5 | Compare decrypted bytes with original | Byte-level equality |

**Expected outcome**: Decrypted content matches original file exactly

**Max execution time**: 10s

---

### FT-P-11: Change User Role

**Summary**: ApiAdmin changes a user's role.

**Traces to**: AC-9

**Category**: User Management

**Preconditions**:
- Target user exists, caller is ApiAdmin

**Input data**: `{"email":"testuser@test.com","role":"Admin"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | PUT /users/role with ApiAdmin JWT | HTTP 200 |

**Expected outcome**: HTTP 200, role updated

**Max execution time**: 5s

---

### FT-P-12: Disable User Account

**Summary**: ApiAdmin disables a user account.

**Traces to**: AC-9

**Category**: User Management

**Preconditions**:
- Target user exists, caller is ApiAdmin

**Input data**: `{"email":"testuser@test.com","isEnabled":false}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | PUT /users/enable with ApiAdmin JWT | HTTP 200 |

**Expected outcome**: HTTP 200, account disabled

**Max execution time**: 5s

---

### FT-P-13: Delete User

**Summary**: ApiAdmin deletes a user account.

**Traces to**: AC-9

**Category**: User Management

**Preconditions**:
- Target user exists, caller is ApiAdmin

**Input data**: DELETE /users?email=testuser@test.com

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | DELETE /users?email=testuser@test.com with ApiAdmin JWT | HTTP 200 |

**Expected outcome**: HTTP 200, user deleted

**Max execution time**: 5s

---

## Negative Scenarios

### FT-N-01: Login with Unknown Email

**Summary**: Login attempt with a non-existent email returns the appropriate error.

**Traces to**: AC-2

**Category**: Authentication

**Preconditions**:
- Email does not exist in database

**Input data**: `{"email":"nonexistent@test.com","password":"anypass1"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /login with unknown email | HTTP 409, ExceptionEnum code 10 (NoEmailFound) |

**Expected outcome**: HTTP 409 with error code 10

**Max execution time**: 5s

---

### FT-N-02: Login with Wrong Password

**Summary**: Login attempt with correct email but wrong password returns an error.

**Traces to**: AC-3

**Category**: Authentication

**Preconditions**:
- User exists in database

**Input data**: `{"email":"admin@azaion.com","password":"wrongpassword123"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /login with wrong password | HTTP 409, ExceptionEnum code 30 (WrongPassword) |

**Expected outcome**: HTTP 409 with error code 30

**Max execution time**: 5s

---

### FT-N-03: Register with Short Email

**Summary**: Registration with an email shorter than 8 characters is rejected.

**Traces to**: AC-5

**Category**: User Management

**Preconditions**:
- Caller authenticated as ApiAdmin

**Input data**: `{"email":"short","password":"validpwd1","role":"Operator"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /users with short email | HTTP 400, validation error |

**Expected outcome**: HTTP 400 with email length validation error

**Max execution time**: 5s

---

### FT-N-04: Register with Invalid Email Format

**Summary**: Registration with an invalid email format (>= 8 characters, but not a valid email address) is rejected.

**Traces to**: AC-6

**Category**: User Management

**Preconditions**:
- Caller authenticated as ApiAdmin

**Input data**: `{"email":"notanemail","password":"validpwd1","role":"Operator"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /users with invalid email format | HTTP 400, validation error |

**Expected outcome**: HTTP 400 with email format validation error

**Max execution time**: 5s

---

### FT-N-05: Upload Empty File

**Summary**: Upload request with no file attached returns an error.

**Traces to**: AC-16

**Category**: Resource Distribution

**Preconditions**:
- Caller authenticated

**Input data**: POST /resources/testfolder with no file

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /resources/testfolder with empty request | HTTP 409, ExceptionEnum code 70 (NoFileProvided) |

**Expected outcome**: HTTP 409 with error code 70

**Max execution time**: 5s

---

### FT-N-06: Hardware Mismatch

**Summary**: Hardware check with a different fingerprint after binding returns an error.

**Traces to**: AC-12

**Category**: Hardware Binding

**Preconditions**:
- User has hardware already bound to a different fingerprint

**Input data**: `{"hardware":"different-hardware-xyz"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /resources/check with different hardware | HTTP 409, ExceptionEnum code 40 (HardwareIdMismatch) |

**Expected outcome**: HTTP 409 with error code 40

**Max execution time**: 5s

---

### FT-N-07: Register Duplicate Email

**Summary**: Registration with an already-existing email returns an error.

**Traces to**: AC-8

**Category**: User Management

**Preconditions**:
- User with target email already exists

**Input data**: `{"email":"admin@azaion.com","password":"validpwd1","role":"Operator"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /users with existing email | HTTP 409, ExceptionEnum code 20 (EmailExists) |

**Expected outcome**: HTTP 409 with error code 20

**Max execution time**: 5s

---

### FT-N-08: Register with Short Password

**Summary**: Registration with a password shorter than 8 characters is rejected.

**Traces to**: AC-7

**Category**: User Management

**Preconditions**:
- Caller authenticated as ApiAdmin

**Input data**: `{"email":"newuser@test.com","password":"short","role":"Operator"}`

**Steps**:

| Step | Consumer Action | Expected System Response |
|------|----------------|------------------------|
| 1 | POST /users with short password | HTTP 400, validation error |

**Expected outcome**: HTTP 400 with password length validation error

**Max execution time**: 5s
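The claim checks in FT-P-03 (steps 2 to 5) are easy to get subtly wrong in a test harness: the JWT payload is base64url without padding, `aud` may legally be a string or a single-element list, and the lifetime must be computed from `exp - iat`, not from `exp - now`. The following is an added example of a checker for those steps written for this spec; it is not the project's own test code. `make_token` builds a constructed, unsigned fixture so the checker can be exercised offline; it decodes the payload only and does not verify the signature, which a real run of FT-P-03 must still do against the server's signing key before trusting any claim.

```python
import base64
import json

# Expected claim values taken from FT-P-03 steps 3-5
EXPECTED_ISS = "AzaionApi"
EXPECTED_AUD = "Annotators/OrangePi/Admins"
EXPECTED_LIFETIME_S = 14400   # 4 hours
TOLERANCE_S = 60              # "Within +/- 60s"


def _b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment. JWTs strip '=' padding, so restore it first."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_payload(token: str) -> dict:
    """Return the claims from the middle segment (FT-P-03 step 2).

    Parses only; the signature segment is not verified here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict) -> list:
    """Return a list of failure messages; an empty list means steps 2-5 pass."""
    failures = [f"missing claim: {name}" for name in ("iss", "aud", "exp") if name not in claims]
    if failures:
        return failures                      # step 2 failed; later steps are meaningless

    if claims["iss"] != EXPECTED_ISS:        # step 3
        failures.append(f"iss={claims['iss']!r}, expected {EXPECTED_ISS!r}")

    aud = claims["aud"]                      # step 4; RFC 7519 allows a string or a list
    if isinstance(aud, list):
        aud_ok = aud == [EXPECTED_AUD]
    else:
        aud_ok = aud == EXPECTED_AUD
    if not aud_ok:
        failures.append(f"aud={aud!r}, expected {EXPECTED_AUD!r}")

    if "iat" not in claims:                  # step 5 needs both endpoints
        failures.append("missing claim: iat (required for the lifetime check)")
        return failures
    lifetime = int(claims["exp"]) - int(claims["iat"])
    if abs(lifetime - EXPECTED_LIFETIME_S) > TOLERANCE_S:
        failures.append(f"lifetime {lifetime}s not within {TOLERANCE_S}s of {EXPECTED_LIFETIME_S}s")
    return failures


def run_ft_p_03(token: str) -> list:
    """Steps 2-5 of FT-P-03 on a token obtained from step 1."""
    return check_claims(decode_payload(token))


def make_token(claims: dict) -> str:
    """Constructed, unsigned fixture for offline tests (hypothetical; not a server-issued token)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    # Header and signature are placeholders; decode_payload never inspects them.
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed issue time
    good = make_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "iat": now, "exp": now + EXPECTED_LIFETIME_S})
    print("FT-P-03:", "PASS" if not run_ft_p_03(good) else run_ft_p_03(good))
```

Returning a list of failures rather than raising on the first one lets a single run report every deviating claim, which is what a reviewer of an auth change wants to see.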
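FT-P-04, FT-P-05 and FT-N-06 together pin down the behaviour of POST /resources/check: the first call binds the submitted fingerprint, later calls with the same value return `true`, and any other value is refused with HTTP 409 and ExceptionEnum code 40. The following is an added reference model of exactly that contract, written for this spec and not taken from the service's code; the in-memory `HardwareBindingModel`, `UserRecord` and `ApiError` names are hypothetical stand-ins so the three scenarios can be run together offline and their expected results checked before they are pointed at a live deployment.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ExceptionEnum value listed for FT-N-06
HARDWARE_ID_MISMATCH = 40


class ApiError(Exception):
    """Hypothetical mirror of the HTTP 409 + ExceptionEnum error shape in this spec."""

    def __init__(self, code: int, name: str):
        super().__init__(f"{name} (code {code})")
        self.status = 409
        self.code = code
        self.name = name


@dataclass
class UserRecord:
    email: str
    hardware: Optional[str] = None   # None until the first /resources/check (FT-P-04 precondition)


class HardwareBindingModel:
    """In-memory stand-in for the user store; models only the behaviour the scenarios expect."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}

    def add_user(self, email: str) -> None:
        self.users[email] = UserRecord(email=email)

    def check(self, email: str, hardware: str) -> bool:
        user = self.users[email]
        if user.hardware is None:
            user.hardware = hardware          # FT-P-04: first check stores the fingerprint
            return True
        # Constant-time comparison so the response time does not depend on how
        # many leading bytes of a wrong fingerprint happened to match.
        if hmac.compare_digest(user.hardware.encode(), hardware.encode()):
            return True                       # FT-P-05: same fingerprint passes
        raise ApiError(HARDWARE_ID_MISMATCH, "HardwareIdMismatch")   # FT-N-06


def run_binding_scenarios() -> Dict[str, object]:
    """Run FT-P-04, FT-P-05 and FT-N-06 in order and report each scenario's observed result."""
    model = HardwareBindingModel()
    model.add_user("newuser@test.com")        # user from FT-P-02, no hardware bound yet
    results: Dict[str, object] = {}
    results["FT-P-04"] = model.check("newuser@test.com", "test-hw-fingerprint-001")
    results["FT-P-05"] = model.check("newuser@test.com", "test-hw-fingerprint-001")
    try:
        model.check("newuser@test.com", "different-hardware-xyz")
        results["FT-N-06"] = None             # would mean the mismatch was NOT rejected
    except ApiError as err:
        results["FT-N-06"] = (err.status, err.code)
    return results


def bound_fingerprint(model: HardwareBindingModel, email: str) -> Optional[str]:
    """Expose the stored value so a test can confirm FT-P-04 really persisted it."""
    return model.users[email].hardware


if __name__ == "__main__":
    for scenario, observed in run_binding_scenarios().items():
        print(scenario, observed)
```

Because the three scenarios share state (FT-P-05 and FT-N-06 both depend on the binding created in FT-P-04), running them as one ordered sequence against a fresh user, as `run_binding_scenarios` does, avoids the false positives that come from reusing a seed account whose fingerprint was bound by an earlier run.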