mirror of
https://github.com/digital-asset/daml.git
synced 2024-09-20 01:07:18 +03:00
Add security evidence to the simple trigger tests (#13231)
changelog_begin changelog_end
This commit is contained in:
parent
f4580aeeff
commit
dcd726e113
@ -18,8 +18,15 @@
|
||||
- create with non-signatory maintainers is rejected: [AuthorizationSpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/AuthorizationSpec.scala#L73)
|
||||
- exercise with no controllers is rejected: [AuthorizationSpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/AuthorizationSpec.scala#L149)
|
||||
- fetch fails when readAs not authed, even if prior fetch succeeded: [AbstractHttpServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractHttpServiceIntegrationTest.scala#L1799)
|
||||
- forbid a non-authorized party to check the status of a trigger: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L661)
|
||||
- forbid a non-authorized party to list triggers: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L651)
|
||||
- forbid a non-authorized party to start a trigger: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L640)
|
||||
- forbid a non-authorized party to stop a trigger: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L677)
|
||||
- forbid a non-authorized user to upload a DAR: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L693)
|
||||
- multiple websocket requests over the same WebSocket connection are NOT allowed: [AbstractWebsocketServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractWebsocketServiceIntegrationTest.scala#L111)
|
||||
- refresh a token after expiry on the server side: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L718)
|
||||
- reject requests with missing auth header: [AbstractHttpServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractHttpServiceIntegrationTest.scala#L1234)
|
||||
- request a fresh token after expiry on user request: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L703)
|
||||
- websocket request with invalid protocol token should be denied: [AbstractWebsocketServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractWebsocketServiceIntegrationTest.scala#L91)
|
||||
- websocket request with valid protocol token should allow client subscribe to stream: [AbstractWebsocketServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractWebsocketServiceIntegrationTest.scala#L79)
|
||||
- websocket request without protocol token should be denied: [AbstractWebsocketServiceIntegrationTest.scala](ledger-service/http-json/src/itlib/scala/http/AbstractWebsocketServiceIntegrationTest.scala#L101)
|
||||
@ -130,6 +137,12 @@
|
||||
- contract keys should be evaluated after ensure clause: [ContractKeySpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/ContractKeySpec.scala#L188)
|
||||
- contract keys should be evaluated only when executing create: [ContractKeySpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/ContractKeySpec.scala#L149)
|
||||
- fromStartupMode should not succeed for any input when the db connection is broken: [FailureTests.scala](ledger-service/http-json/src/failurelib/scala/http/FailureTests.scala#L421)
|
||||
- redirect to the configured callback URI after login: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L622)
|
||||
- restart trigger on initialization failure due to failed connection: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L424)
|
||||
- restart trigger on run-time failure due to dropped connection: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L444)
|
||||
- restart triggers after shutdown: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L578)
|
||||
- restart triggers with initialization errors: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L466)
|
||||
- restart triggers with update errors: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L482)
|
||||
|
||||
## Performance:
|
||||
- Tail call optimization: Tail recursion does not blow the scala JVM stack.: [TailCallTest.scala](daml-lf/interpreter/src/test/scala/com/digitalasset/daml/lf/speedy/TailCallTest.scala#L16)
|
||||
@ -138,8 +151,13 @@
|
||||
|
||||
## Input Validation:
|
||||
- TLS configuration is parsed correctly from the config file: [CliSpec.scala](ledger-service/http-json/src/test/scala/com/digitalasset/http/CliSpec.scala#L273)
|
||||
- auth and auth-* should not be set together for the trigger service: [CliConfigTest.scala](triggers/service/src/test-suite/scala/com/daml/lf/engine/trigger/CliConfigTest.scala#L40)
|
||||
- ensure builtin operators have the correct type: [TypingSpec.scala](daml-lf/validation/src/test/scala/com/digitalasset/daml/lf/validation/TypingSpec.scala#L47)
|
||||
- ensure expression forms have the correct type: [TypingSpec.scala](daml-lf/validation/src/test/scala/com/digitalasset/daml/lf/validation/TypingSpec.scala#L107)
|
||||
- error on specifying both authCommonUri and authInternalUri/authExternalUri for the trigger service: [AuthorizationConfigTest.scala](triggers/service/src/test-suite/scala/com/daml/lf/engine/trigger/AuthorizationConfigTest.scala#L24)
|
||||
- error on specifying only authInternalUri and no authExternalUri for the trigger service: [AuthorizationConfigTest.scala](triggers/service/src/test-suite/scala/com/daml/lf/engine/trigger/AuthorizationConfigTest.scala#L52)
|
||||
- give a 'not found' response for a stop request on an unknown UUID in the trigger service: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L516)
|
||||
- give a 'not found' response for a stop request with an unparseable UUID in the trigger service: [TriggerServiceTest.scala](triggers/service/src/test/scala/com/digitalasset/daml/lf/engine/trigger/TriggerServiceTest.scala#L501)
|
||||
- ill-formed create command is rejected: [CommandPreprocessorSpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/CommandPreprocessorSpec.scala#L116)
|
||||
- ill-formed create-and-exercise command is rejected: [CommandPreprocessorSpec.scala](daml-lf/engine/src/test/scala/com/digitalasset/daml/lf/engine/CommandPreprocessorSpec.scala#L137)
|
||||
- ill-formed exception definitions are rejected: [TypingSpec.scala](daml-lf/validation/src/test/scala/com/digitalasset/daml/lf/validation/TypingSpec.scala#L1597)
|
||||
|
@ -21,6 +21,7 @@ class AuthorizationConfigTest extends AsyncWordSpec with Matchers {
|
||||
}
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Input Validation: error on specifying both authCommonUri and authInternalUri/authExternalUri for the trigger service
|
||||
"should error on specifying both authCommonUri and authInternalUri/authExternalUri" in {
|
||||
val invalidConfigs = List(
|
||||
"""
|
||||
@ -48,6 +49,7 @@ class AuthorizationConfigTest extends AsyncWordSpec with Matchers {
|
||||
Succeeded
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Input Validation: error on specifying only authInternalUri and no authExternalUri for the trigger service
|
||||
"should error on specifying only authInternalUri and no authExternalUri" in {
|
||||
ConfigSource
|
||||
.string("""
|
||||
|
@ -36,6 +36,8 @@ class CliConfigTest extends AnyWordSpec with Matchers with OptionValues {
|
||||
Set("notcustom"),
|
||||
) should ===(None)
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Input Validation: auth and auth-* should not be set together for the trigger service
|
||||
"auth and auth-* should not be set together" in {
|
||||
parse(baseOpts ++ Seq("--auth", "http://example.com"), Set()) should !==(None)
|
||||
parse(
|
||||
|
@ -421,6 +421,7 @@ trait AbstractTriggerServiceTest
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Semantics: restart trigger on initialization failure due to failed connection
|
||||
it should "restart trigger on initialization failure due to failed connection" inClaims withTriggerService(
|
||||
List(dar)
|
||||
) { uri: Uri =>
|
||||
@ -440,6 +441,7 @@ trait AbstractTriggerServiceTest
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Semantics: restart trigger on run-time failure due to dropped connection
|
||||
it should "restart trigger on run-time failure due to dropped connection" inClaims withTriggerService(
|
||||
List(dar)
|
||||
) { uri: Uri =>
|
||||
@ -461,6 +463,7 @@ trait AbstractTriggerServiceTest
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Semantics: restart triggers with initialization errors
|
||||
it should "restart triggers with initialization errors" in withTriggerService(List(dar)) {
|
||||
uri: Uri =>
|
||||
for {
|
||||
@ -476,6 +479,7 @@ trait AbstractTriggerServiceTest
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Semantics: restart triggers with update errors
|
||||
it should "restart triggers with update errors" inClaims withTriggerService(List(dar)) {
|
||||
uri: Uri =>
|
||||
for {
|
||||
@ -494,6 +498,7 @@ trait AbstractTriggerServiceTest
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Input Validation: give a 'not found' response for a stop request with an unparseable UUID in the trigger service
|
||||
it should "give a 'not found' response for a stop request with an unparseable UUID" in withTriggerService(
|
||||
Nil
|
||||
) { uri: Uri =>
|
||||
@ -508,6 +513,7 @@ trait AbstractTriggerServiceTest
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Input Validation: give a 'not found' response for a stop request on an unknown UUID in the trigger service
|
||||
it should "give a 'not found' response for a stop request on an unknown UUID" in withTriggerService(
|
||||
Nil
|
||||
) { uri: Uri =>
|
||||
@ -569,6 +575,7 @@ trait AbstractTriggerServiceTestWithDatabase extends AbstractTriggerServiceTest
|
||||
}
|
||||
} yield succeed)
|
||||
|
||||
// TEST_EVIDENCE: Semantics: restart triggers after shutdown
|
||||
it should "restart triggers after shutdown" inClaims (for {
|
||||
_ <- withTriggerService(List(dar)) { uri: Uri =>
|
||||
for {
|
||||
@ -612,6 +619,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
|
||||
|
||||
behavior of "authenticated service"
|
||||
|
||||
// TEST_EVIDENCE: Semantics: redirect to the configured callback URI after login
|
||||
it should "redirect to the configured callback URI after login" in withTriggerService(
|
||||
Nil,
|
||||
authCallback = Some("http://localhost/TRIGGER_CALLBACK"),
|
||||
@ -629,6 +637,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Authorization: forbid a non-authorized party to start a trigger
|
||||
it should "forbid a non-authorized party to start a trigger" inClaims withTriggerService(
|
||||
List(dar)
|
||||
) { uri: Uri =>
|
||||
@ -639,6 +648,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Authorization: forbid a non-authorized party to list triggers
|
||||
it should "forbid a non-authorized party to list triggers" inClaims withTriggerService(Nil) {
|
||||
uri: Uri =>
|
||||
authServer.revokeParty(eve)
|
||||
@ -648,6 +658,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Authorization: forbid a non-authorized party to check the status of a trigger
|
||||
it should "forbid a non-authorized party to check the status of a trigger" inClaims withTriggerService(
|
||||
List(dar)
|
||||
) { uri: Uri =>
|
||||
@ -663,6 +674,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Authorization: forbid a non-authorized party to stop a trigger
|
||||
it should "forbid a non-authorized party to stop a trigger" inClaims withTriggerService(
|
||||
List(dar)
|
||||
) { uri: Uri =>
|
||||
@ -678,6 +690,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Authorization: forbid a non-authorized user to upload a DAR
|
||||
it should "forbid a non-authorized user to upload a DAR" inClaims withTriggerService(Nil) {
|
||||
uri: Uri =>
|
||||
authServer.revokeAdmin()
|
||||
@ -687,6 +700,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Authorization: request a fresh token after expiry on user request
|
||||
it should "request a fresh token after expiry on user request" in withTriggerService(Nil) {
|
||||
uri: Uri =>
|
||||
for {
|
||||
@ -701,6 +715,7 @@ trait AbstractTriggerServiceTestAuthMiddleware
|
||||
} yield succeed
|
||||
}
|
||||
|
||||
// TEST_EVIDENCE: Authorization: refresh a token after expiry on the server side
|
||||
it should "refresh a token after expiry on the server side" inClaims withTriggerService(
|
||||
List(dar)
|
||||
) { uri: Uri =>
|
||||
|
Loading…
Reference in New Issue
Block a user