Add security evidence to the simple trigger tests (#13231)

changelog_begin
changelog_end
Victor Peter Rouven Müller 2022-03-22 18:01:35 +01:00 committed by GitHub
parent f4580aeeff
commit dcd726e113
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 37 additions and 0 deletions


@ -18,8 +18,15 @@
- create with non-signatory maintainers is rejected: [AuthorizationSpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/AuthorizationSpec.scala#L73)
- exercise with no controllers is rejected: [AuthorizationSpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/AuthorizationSpec.scala#L149)
- fetch fails when readAs not authed, even if prior fetch succeeded: [AbstractHttpServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractHttpServiceIntegrationTest.scala#L1799)
- forbid a non-authorized party to check the status of a trigger: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L661)
- forbid a non-authorized party to list triggers: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L651)
- forbid a non-authorized party to start a trigger: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L640)
- forbid a non-authorized party to stop a trigger: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L677)
- forbid a non-authorized user to upload a DAR: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L693)
- multiple websocket requests over the same WebSocket connection are NOT allowed: [AbstractWebsocketServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractWebsocketServiceIntegrationTest.scala#L111)
- refresh a token after expiry on the server side: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L718)
- reject requests with missing auth header: [AbstractHttpServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractHttpServiceIntegrationTest.scala#L1234)
- request a fresh token after expiry on user request: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L703)
- websocket request with invalid protocol token should be denied: [AbstractWebsocketServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractWebsocketServiceIntegrationTest.scala#L91)
- websocket request with valid protocol token should allow client subscribe to stream: [AbstractWebsocketServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractWebsocketServiceIntegrationTest.scala#L79)
- websocket request without protocol token should be denied: [AbstractWebsocketServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractWebsocketServiceIntegrationTest.scala#L101)
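Review bot: The two token entries added here, "refresh a token after expiry on the server side" and "request a fresh token after expiry on user request", do not say which service they cover, and in this flat list they sit among http-json and engine entries. The Input Validation entries from the same commit carry a "for the trigger service" suffix; using the same qualifier in the corresponding TEST_EVIDENCE comments would let a reader of this file tell the scope without following the link.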
@ -130,6 +137,12 @@
- contract keys should be evaluated after ensure clause: [ContractKeySpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/ContractKeySpec.scala#L188)
- contract keys should be evaluated only when executing create: [ContractKeySpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/ContractKeySpec.scala#L149)
- fromStartupMode should not succeed for any input when the db connection is broken: [FailureTests.scala](ledger-service/http-json/src/failurelib/scala/http/FailureTests.scala#L421)
- redirect to the configured callback URI after login: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L622)
- restart trigger on initialization failure due to failed connection: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L424)
- restart trigger on run-time failure due to dropped connection: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L444)
- restart triggers after shutdown: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L578)
- restart triggers with initialization errors: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L466)
- restart triggers with update errors: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L482)
## Performance:
- Tail call optimization: Tail recursion does not blow the scala JVM stack.: [TailCallTest.scala](daml-lf/interpreter/src/test/scala/com/digitalasset/daml/lf/speedy/TailCallTest.scala#L16)
@ -138,8 +151,13 @@
## Input Validation:
- TLS configuration is parsed correctly from the config file: [CliSpec.scala](ledger-service/http-json/src/test/scala/com/digitalasset/http/CliSpec.scala#L273)
- auth and auth-* should not be set together for the trigger service: [CliConfigTest.scala](triggers/service/src/test-suite/scala/com/daml/lf/engine/trigger/CliConfigTest.scala#L40)
- ensure builtin operators have the correct type: [TypingSpec.scala](daml-lf/validation/src/test/scala/com/digitalasset/daml/lf/validation/TypingSpec.scala#L47)
- ensure expression forms have the correct type: [TypingSpec.scala](daml-lf/validation/src/test/scala/com/digitalasset/daml/lf/validation/TypingSpec.scala#L107)
- error on specifying both authCommonUri and authInternalUri/authExternalUri for the trigger service: [AuthorizationConfigTest.scala](triggers/service/src/test-suite/scala/com/daml/lf/engine/trigger/AuthorizationConfigTest.scala#L24)
- error on specifying only authInternalUri and no authExternalUri for the trigger service: [AuthorizationConfigTest.scala](triggers/service/src/test-suite/scala/com/daml/lf/engine/trigger/AuthorizationConfigTest.scala#L52)
- give a 'not found' response for a stop request on an unknown UUID in the trigger service: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L516)
- give a 'not found' response for a stop request with an unparseable UUID in the trigger service: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L501)
- ill-formed create command is rejected: [CommandPreprocessorSpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/CommandPreprocessorSpec.scala#L116)
- ill-formed create-and-exercise command is rejected: [CommandPreprocessorSpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/CommandPreprocessorSpec.scala#L137)
- ill-formed exception definitions are rejected: [TypingSpec.scala](daml-lf/validation/src/test/scala/com/digitalasset/daml/lf/validation/TypingSpec.scala#L1597)


@ -21,6 +21,7 @@ class AuthorizationConfigTest extends AsyncWordSpec with Matchers {
}
}
// TEST_EVIDENCE: Input Validation: error on specifying both authCommonUri and authInternalUri/authExternalUri for the trigger service
"should error on specifying both authCommonUri and authInternalUri/authExternalUri" in {
val invalidConfigs = List(
"""
@ -48,6 +49,7 @@ class AuthorizationConfigTest extends AsyncWordSpec with Matchers {
Succeeded
}
// TEST_EVIDENCE: Input Validation: error on specifying only authInternalUri and no authExternalUri for the trigger service
"should error on specifying only authInternalUri and no authExternalUri" in {
ConfigSource
.string("""
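Review bot: The evidence line here covers authInternalUri without authExternalUri, but nothing in this commit covers the opposite case, authExternalUri without authInternalUri; the Input Validation list has no such entry between the two "error on specifying" lines. If that configuration is also rejected, it deserves its own test and TEST_EVIDENCE comment; if it is accepted on purpose, a short comment next to this test saying so would help.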


@ -36,6 +36,8 @@ class CliConfigTest extends AnyWordSpec with Matchers with OptionValues {
Set("notcustom"),
) should ===(None)
}
// TEST_EVIDENCE: Input Validation: auth and auth-* should not be set together for the trigger service
"auth and auth-* should not be set together" in {
parse(baseOpts ++ Seq("--auth", "http://example.com"), Set()) should !==(None)
parse(


@ -421,6 +421,7 @@ trait AbstractTriggerServiceTest
} yield succeed
}
// TEST_EVIDENCE: Semantics: restart trigger on initialization failure due to failed connection
it should "restart trigger on initialization failure due to failed connection" inClaims withTriggerService(
List(dar)
) { uri: Uri =>
@ -440,6 +441,7 @@ trait AbstractTriggerServiceTest
} yield succeed
}
// TEST_EVIDENCE: Semantics: restart trigger on run-time failure due to dropped connection
it should "restart trigger on run-time failure due to dropped connection" inClaims withTriggerService(
List(dar)
) { uri: Uri =>
@ -461,6 +463,7 @@ trait AbstractTriggerServiceTest
} yield succeed
}
// TEST_EVIDENCE: Semantics: restart triggers with initialization errors
it should "restart triggers with initialization errors" in withTriggerService(List(dar)) {
uri: Uri =>
for {
@ -476,6 +479,7 @@ trait AbstractTriggerServiceTest
} yield succeed
}
// TEST_EVIDENCE: Semantics: restart triggers with update errors
it should "restart triggers with update errors" inClaims withTriggerService(List(dar)) {
uri: Uri =>
for {
@ -494,6 +498,7 @@ trait AbstractTriggerServiceTest
} yield succeed
}
// TEST_EVIDENCE: Input Validation: give a 'not found' response for a stop request with an unparseable UUID in the trigger service
it should "give a 'not found' response for a stop request with an unparseable UUID" in withTriggerService(
Nil
) { uri: Uri =>
@ -508,6 +513,7 @@ trait AbstractTriggerServiceTest
} yield succeed
}
// TEST_EVIDENCE: Input Validation: give a 'not found' response for a stop request on an unknown UUID in the trigger service
it should "give a 'not found' response for a stop request on an unknown UUID" in withTriggerService(
Nil
) { uri: Uri =>
@ -569,6 +575,7 @@ trait AbstractTriggerServiceTestWithDatabase extends AbstractTriggerServiceTest
}
} yield succeed)
// TEST_EVIDENCE: Semantics: restart triggers after shutdown
it should "restart triggers after shutdown" inClaims (for {
_ <- withTriggerService(List(dar)) { uri: Uri =>
for {
@ -612,6 +619,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
behavior of "authenticated service"
// TEST_EVIDENCE: Semantics: redirect to the configured callback URI after login
it should "redirect to the configured callback URI after login" in withTriggerService(
Nil,
authCallback = Some("http://localhost/TRIGGER_CALLBACK"),
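Review bot: The tag on this test is "Semantics", yet the test sits under `behavior of "authenticated service"` and checks where the login flow sends the client (the `authCallback` value). A redirect target after login is a property of the auth flow, so filing it with the other tests in this trait, which use "Authorization", would put it where a security reviewer looks for it; as tagged it ends up next to the contract-key and restart entries.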
@ -629,6 +637,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
} yield succeed
}
// TEST_EVIDENCE: Authorization: forbid a non-authorized party to start a trigger
it should "forbid a non-authorized party to start a trigger" inClaims withTriggerService(
List(dar)
) { uri: Uri =>
@ -639,6 +648,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
} yield succeed
}
// TEST_EVIDENCE: Authorization: forbid a non-authorized party to list triggers
it should "forbid a non-authorized party to list triggers" inClaims withTriggerService(Nil) {
uri: Uri =>
authServer.revokeParty(eve)
@ -648,6 +658,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
} yield succeed
}
// TEST_EVIDENCE: Authorization: forbid a non-authorized party to check the status of a trigger
it should "forbid a non-authorized party to check the status of a trigger" inClaims withTriggerService(
List(dar)
) { uri: Uri =>
@ -663,6 +674,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
} yield succeed
}
// TEST_EVIDENCE: Authorization: forbid a non-authorized party to stop a trigger
it should "forbid a non-authorized party to stop a trigger" inClaims withTriggerService(
List(dar)
) { uri: Uri =>
@ -678,6 +690,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
} yield succeed
}
// TEST_EVIDENCE: Authorization: forbid a non-authorized user to upload a DAR
it should "forbid a non-authorized user to upload a DAR" inClaims withTriggerService(Nil) {
uri: Uri =>
authServer.revokeAdmin()
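Review bot: The evidence text says "non-authorized user", but the setup visible here is `authServer.revokeAdmin()`, so what the test shows is that a user without admin rights cannot upload a DAR. Wording the TEST_EVIDENCE description that way would make the claim precise and distinguish it from the party-based entries above, which use `revokeParty`.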
@ -687,6 +700,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
} yield succeed
}
// TEST_EVIDENCE: Authorization: request a fresh token after expiry on user request
it should "request a fresh token after expiry on user request" in withTriggerService(Nil) {
uri: Uri =>
for {
@ -701,6 +715,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
} yield succeed
}
// TEST_EVIDENCE: Authorization: refresh a token after expiry on the server side
it should "refresh a token after expiry on the server side" inClaims withTriggerService(
List(dar)
) { uri: Uri =>
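Review bot: Both token tests tagged in this file ("request a fresh token after expiry on user request" and this one) evidence the renewal path only. None of the entries this commit adds shows that an expired token is refused when no refresh happens; if such a test exists in this trait, tag it too, since that is the half of expiry handling an Authorization section is expected to prove.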