Manual tests for Security

Guidelines for documenting the manual tests:

  • Summarize the elements covered in the test
  • Enumerate the steps (ordered list)
  • Call out test points with a TEST bullet
  • Include screenshots as appropriate; many of the manual tests will be visual, so screenshots are helpful

User Service Application

Tests confirm:
  • Basic functionality of the User Service Application
  • Works with an arbitrary context root
  • Works with all supported browsers, specifically IE, Firefox and Safari

Steps:

  1. Create a Zero application
  2. Edit config/ivy.xml within the application and add zero.core.webtools for the appropriate release as a dependency
  3. Save ivy.xml
  4. If you are using the CLI you will need to run
    zero resolve
  5. Start the application
  6. Browse to http://localhost:8080/zero/webtools/user/
  • TEST: Confirm the page shows Zero styling
    (screenshot: webbasedadmin_start.JPG)
  • TEST: Confirm you are able to add a new user
    (screenshots: webbasedadmin_add1.JPG, webbasedadmin_add2.JPG)
  • TEST: Confirm you are able to update a user's groups (i.e. add a new group to an existing user)
    (screenshots: webbasedadmin_update1.JPG, webbasedadmin_update2.JPG)
  • TEST: Confirm you are able to update a user's password
    (screenshots: webbasedadmin_update_pwd1.JPG, webbasedadmin_update_pwd2.JPG)
  • TEST: Confirm you are able to delete a user, and confirm no users remain after the delete
    (screenshot: webbasedadmin_dete.JPG)

  7. Set a context root by adding the following to the application's config/zero.config file:
     /config/contextRoot="/foo/bar"
  8. Restart the application
  9. TEST: Confirm a 400 status code error is returned when browsing to the old path http://localhost:8080/zero/webtools/user/ (the tool must not remain reachable outside the configured context root)
  10. Browse to http://localhost:8080/foo/bar/zero/webtools/user/
  11. Revisit the test bullets above with the changed context root.
  12. Revisit the test bullets with another browser (try Safari, Firefox and IE).

File Based User Service Command (Command Line Interface)

Steps:
  1. Create a Zero application using the CLI and run
     zero resolve
  2. TEST: Creation of a user
todkapMAC:myApp todd$ zero user
CWPZC2114I: Entering interactive mode.

CWPZC2126I: Location of user file [default ./config/zero.users]:

CWPZC2120I: Type 'create' to create user, 'update' to update user or 'exit' when done.
create
CWPZC2121I: Creating new user.

CWPZC2127I: Enter username:
user1
CWPZC2128I: Enter password:
mypwd
CWPZC2129I: Enter group (or enter when done):
GROUP1
CWPZC2129I: Enter group (or enter when done):

CWPZC2115I: User 'user1' was successfully added to the user file.

  • TEST: Confirm the user is created in the application's zero.users file, and that the password field holds a digest rather than the clear-text password 'mypwd'
user1:318bcb4be908d0da6448a0db76908d78:GROUP1
  • TEST: Update the user's password
todkapMAC:myApp todd$ zero user
CWPZC2114I: Entering interactive mode.

CWPZC2126I: Location of user file [default ./config/zero.users]:

CWPZC2120I: Type 'create' to create user, 'update' to update user or 'exit' when done.
update
CWPZC2122I: Updating user.

CWPZC2127I: Enter username:
user1
CWPZC2128I: Enter password:
newpwd
CWPZC2117I: The password of the user 'user1' was successfully updated.

CWPZC2120I: Type 'create' to create user, 'update' to update user or 'exit' when done.
exit

  • TEST: Confirm the user's entry in zero.users has changed and that the application now accepts the new password (and rejects the old one)
user1:a5e3094ce553e08de5ba237525b106d5:GROUP1
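The two zero.users lines above are the evidence the tester actually inspects. The following Python is an added helper for that inspection, not part of the page or of the Zero command; it parses the user:hash:groups format shown here and encodes the checks a reviewer wants: the entry exists, the password field is a 32-hex-digit digest rather than the clear-text password, the groups are as expected, and the digest really changed after the update. The page does not state which hash algorithm is used or whether the digest is salted, so the comma separator for multiple groups and the 32-hex length check are assumptions drawn from the sample lines.

```python
import re

# Constructed sample input: the two zero.users lines shown on this page,
# as they appear before and after the password update.
USERS_BEFORE = "user1:318bcb4be908d0da6448a0db76908d78:GROUP1\n"
USERS_AFTER = "user1:a5e3094ce553e08de5ba237525b106d5:GROUP1\n"

# The page shows a 32-hex-digit field; the algorithm itself is not stated.
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_users(text):
    """Parse 'user:passwordhash:groups' lines into {user: (hash, [groups])}.

    Assumption: multiple groups are comma-separated (the page shows only one).
    Blank lines and '#' comments are skipped; malformed or duplicate entries
    raise, because a silently ignored line is exactly what a test should catch.
    """
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected user:hash:groups, got {raw!r}")
        name, pw_field, groups = parts
        if name in users:
            raise ValueError(f"line {lineno}: duplicate user {name!r}")
        users[name] = (pw_field, [g for g in groups.split(",") if g])
    return users


def check_entry(users, name, plaintext, expected_groups):
    """True if the entry is present, stored as a digest (never the clear-text
    password, never empty) and carries exactly the expected groups."""
    if name not in users:
        return False
    pw_field, groups = users[name]
    if plaintext in pw_field or not HEX32.match(pw_field):
        return False
    return groups == expected_groups


def password_changed(before_text, after_text, name):
    """True if the stored digest for `name` differs between two file snapshots."""
    before = parse_users(before_text)[name][0]
    after = parse_users(after_text)[name][0]
    return before != after


if __name__ == "__main__":
    users = parse_users(USERS_BEFORE)
    print("create ok:", check_entry(users, "user1", "mypwd", ["GROUP1"]))
    print("update ok:", password_changed(USERS_BEFORE, USERS_AFTER, "user1"))
```

One further check worth adding by hand: create two users with the same password and compare their fields. If the two digests are identical, the file stores an unsalted hash, which a reviewer should record as a finding since it allows precomputed-table attacks against a leaked zero.users file.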

XOREncoder Command (Command Line Interface)

Steps:
  1. Create a Zero application using the CLI
  2. TEST: Encode the password 'mySpecialPassword' and validate that the result matches the output below
todkapMAC:myApp todd$ zero encode
Jan 29, 2008 1:36:35 PM zero.core.security.util.EncoderCommand enterInteractiveMode
INFO: CWPZC2026I: Entering interactive mode.

Jan 29, 2008 1:36:36 PM zero.core.security.util.EncoderCommand enterInteractiveMode
INFO: CWPZC2027I: Please type encode or exit to quit.

encode
Jan 29, 2008 1:36:42 PM zero.core.security.util.EncoderCommand enterInteractiveMode
INFO: CWPZC2028I: Enter string to encode
mySpecialPassword

Jan 29, 2008 1:36:50 PM zero.core.security.util.EncoderCommand enterInteractiveMode
INFO: CWPZC2030I: Result
<xor>MiYMLzo8Nj4zDz4sLCgwLTs=
Jan 29, 2008 1:36:50 PM zero.core.security.util.EncoderCommand enterInteractiveMode
INFO: CWPZC2027I: Please type encode or exit to quit.
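The <xor> value above is an encoding, not encryption: decoding the sample shows that each byte of the string is XORed with the single key byte 0x5F and the result is base64-encoded (the same scheme used for {xor} values elsewhere in WebSphere). The key byte is inferred from the sample on this page, which does not state it. The Python below is an added example, not the page's or the project's code; it reproduces the encoder, decodes values back to clear text, and recovers the key byte from one encoded value plus its known plaintext, which is the check a tester should run to understand what protection this command does and does not give to passwords in zero.config.

```python
import base64

# Assumption: single-byte XOR key inferred from the page's sample value;
# the page itself does not document the key.
XOR_KEY = 0x5F
PREFIX = "<xor>"

# The sample from this page, used as constructed test input.
SAMPLE_PLAINTEXT = "mySpecialPassword"
SAMPLE_ENCODED = "<xor>MiYMLzo8Nj4zDz4sLCgwLTs="


def xor_encode(plaintext: str, key: int = XOR_KEY) -> str:
    """XOR every byte with `key`, base64 the result, prefix with <xor>."""
    data = bytes(b ^ key for b in plaintext.encode("utf-8"))
    return PREFIX + base64.b64encode(data).decode("ascii")


def xor_decode(encoded: str, key: int = XOR_KEY) -> str:
    """Reverse xor_encode. Raises ValueError on a missing prefix or bad base64."""
    if not encoded.startswith(PREFIX):
        raise ValueError("value does not carry the <xor> prefix")
    raw = base64.b64decode(encoded[len(PREFIX):], validate=True)
    return bytes(b ^ key for b in raw).decode("utf-8")


def recover_key(encoded: str, known_plaintext: str) -> int:
    """Given one encoded value and its clear text, recover the XOR key byte.

    With a single-byte key every position yields the same byte; if the
    positions disagree the value was not produced by this scheme.
    """
    if not encoded.startswith(PREFIX):
        raise ValueError("value does not carry the <xor> prefix")
    raw = base64.b64decode(encoded[len(PREFIX):], validate=True)
    plain = known_plaintext.encode("utf-8")
    if len(raw) != len(plain):
        raise ValueError("plaintext length does not match encoded length")
    keys = {c ^ p for c, p in zip(raw, plain)}
    if len(keys) != 1:
        raise ValueError("not a single-byte XOR encoding")
    return keys.pop()


if __name__ == "__main__":
    print(xor_encode(SAMPLE_PLAINTEXT))          # matches the output above
    print(xor_decode(SAMPLE_ENCODED))            # mySpecialPassword
    print(hex(recover_key(SAMPLE_ENCODED, SAMPLE_PLAINTEXT)))
```

The practical consequence for the test: treat an <xor> value in a config file exactly as you would the clear-text password. It keeps the password out of casual view but anyone who can read the file can recover it, so file permissions on config/zero.config remain the real control.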

OpenID support

Starting with M1 of silverstone, most of the testing for OpenID has been automated. The only area that is not tested in an automated fashion is validating against an actual OpenID Provider.

Steps:

  1. Create an OpenID account (for instance at myopenid.com).
  2. Install the application openid.demo by running 'zero create openid.demo from zero:openid.demo' on the command line.
  3. Start the application
  4. Type the following in the browser: http://<HOSTNAME>:8081/index.gt (note I used localhost and hostname interchangeably)

  5. TEST: Verify the page is redirected to http://<HOSTNAME>:8081/openidlogin.gt (screenshot: OpenID login form presented to the user during authentication, silverstone)
  6. TEST: Type your OpenID account into the first form field (for instance my id is http://todkap.myopenid.com) and hit submit.
  7. TEST: Verify the page is redirected to the OpenID provider's login page (screenshot: login form for myopenid.com)
  8. Log in with the user id you created in step 1
  9. Select allow once or allow forever (this may not be presented, and there may be other options depending upon the provider) (screenshot: verification page confirming you authenticated and asking whether you want to trust this relying party or not)
  10. TEST: Verify the page is redirected back to http://<HOSTNAME>:8081/index.gt (screenshot: after successful login)
  11. TEST: Verify remoteUser contains your OpenID user, for instance http://todkap.myopenid.com
  12. TEST: Verify groups is Groups: ["VALID_OPENID_USER"]
  13. TEST: Verify roles is Roles: ["OPENID_ROLE"]
  14. TEST: Add a comment. This is a protected XHR call that should succeed, and the comment should be appended at the bottom of the page. (screenshot: comment added successfully)
  15. Restart the tests by clicking the logout link at the top right of the page
  16. TEST: Access the restricted page. Try to add a comment now; an error should be appended at the bottom of the page, since the user is no longer logged in. (screenshot: failed submit since the user is not logged in)

Failure scenarios

Steps:
  1. Type the following in the browser: http://<HOSTNAME>:8081/index.gt
  2. TEST: Verify the page is redirected to http://<HOSTNAME>:8081/openidlogin2.gt (screenshot: openIDManualLoginPage.jpg)
  3. TEST: Type your OpenID account into the first form field (for instance my id is http://todkap.myopenid.com) and hit submit.
  4. TEST: Verify the page is redirected to the OpenID provider's login page (screenshot: openIDManualMyOpenIDLoginPage.jpg)
  5. TEST: Hit cancel or deny acceptance (the option may or may not exist depending upon the provider) and validate that the error page is shown, i.e. the relying party must not treat a cancelled or denied assertion as a login (screenshot: openIDManualMyOpenIDLoginPageCancel.jpg)

r31 - 25 Nov 2008 - 13:50:56 - todkap
Copyright 2007 © IBM Corporation