Numberverify verify Test definition #124
Conversation
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
AxelNennker
requested review from
bigludo7 and
fernandopradocabrillo
as code owners
🦙 MegaLinter status: ✅ SUCCESS
See detailed report in MegaLinter reports MegaLinter is graciously provided by |
|
|
||
| @NumberVerification_verify100_match_true | ||
| Scenario: verify phone number NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1, network connection and access token matches NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1 | ||
| Given they use the base url over a mobile connection |
There was a problem hiding this comment.
It's just the first step of the Authorization Code flow (/auth) that requires a mobile connection, right?
The /token request and the /verify request can be executed from a backend? Flow diagram here.
If so, what do you think about moving the mobile connection requirement to the Background section?
There was a problem hiding this comment.
I think about that. Usually, it is a security issue if several requests are not bound together and/or come from different sources.
https://www.rfc-editor.org/rfc/rfc7636
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-sender-constrained-access-t
https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html
I wanted to add sender-constrained tokens to Camara, but I was told that operators have never heard of that and too few implemented it, so ICM should not demand it.
Same with DPoP.
The slowest boot determines the speed of the convoy.
Thanks for the comment.
There was a problem hiding this comment.
Hello @AxelNennker
Thanks for the contribution.
Few comments for your consideration.
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
…ot match Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
|
Hi @AxelNennker, Are tests for hashedPhoneNumber TBD too? We could probably repeat most of the plain |
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
Signed-off-by: Axel Nennker <[email protected]>
… a device with NUMBERVERIFY_VERIFY_MATCH_PHONENUMBER1" Signed-off-by: Axel Nennker <[email protected]>
add access token acquiring to the Background section
add access token acquisition to the Background section
|
I added NumberVerification_verify203_both_phone_number_and_hashed_in_request |
code/Test_Definitions/NumberVerification_device_phone_number_share.feature
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
The way of describing the scenarios is a bit different from other test plans of other CAMARA APIs.
The nomenclature of the test is a bit confusing, but that's probably a me problem haha
I think we should include the common 401 test. For example these are the ones from sim swap:
# Generic 401 errors
@check_sim_swap_401.1_no_authorization_header
Scenario: No Authorization header
Given the header "Authorization" is removed
And the request body is set to a valid request body
When the request "checkSimSwap" is sent
Then the response status code is "401"
And the response property "$.status" is 401
And the response property "$.code" is "UNAUTHENTICATED"
And the response property "$.message" contains a user friendly text
@check_sim_swap_401.2_expired_access_token
Scenario: Expired access token
Given the header "Authorization" is set to an expired access token
And the request body is set to a valid request body
When the request "checkSimSwap" is sent
Then the response status code is "401"
And the response property "$.status" is 401
And the response property "$.code" is "UNAUTHENTICATED"
And the response property "$.message" contains a user friendly text
@check_sim_swap_401.3_invalid_access_token
Scenario: Invalid access token
Given the header "Authorization" is set to an invalid access token
And the request body is set to a valid request body
When the request "checkSimSwap" is sent
Then the response status code is "401"
And the response property "$.status" is 401
And the response property "$.code" is "UNAUTHENTICATED"
And the response property "$.message" contains a user friendly text
| Then the response status code is 200 | ||
| And the response property "$.devicePhoneNumberVerified" is false | ||
|
|
||
| @NumberVerification_verify301_match_false |
There was a problem hiding this comment.
i think this one should be match_hashed_false
| And the response body complies with the OAS schema at "/components/schemas/NumberVerificationMatchResponse" | ||
| Then the response status code is 401 | ||
| And the response property "$.status" is 401 | ||
| And the response property "$.code" is "AUTHENTICATION_REQUIRED" |
There was a problem hiding this comment.
or UNAUTHENTICATED, still don't know which one should apply in this case
There was a problem hiding this comment.
Test included for veryfy operation:
- ✅ @NumberVerification_verify0_phoneNumber_does_not_match_schema --> Invalid phone number
- ✅ @NumberVerification_verify100_match_true -->Token associated with phoneNumber1 matches phoneNumber1 sent in the body
- ✅ @NumberVerification_verify300_match_hashed_true --> Token associated with phoneNumber1 matches hashedPhoneNumber1 sent in the body
- ✅ @NumberVerification_verify101_match_false --> Token associated with phoneNumber2 doesn't match phoneNumber1 in the body
⚠️ @NumberVerification_verify301_match_ hashed _false --> Token associated with phoneNumber2 doesn't match hashedPhoneNumber1 in the body⚠️ @NumberVerification_verify200_missing_phone_number_in_request --> neither phoneNumber nor hashedPhoneNumber⚠️ @NumberVerification_verify201_missing_scope⚠️ @NumberVerification_verify202_expired_access_token- ✅ @NumberVerification_verify203_both_phone_number_and_hashed_in_request
Pending test to be included:
- ❌ The access token is valid but it has been generated with an auth method other than network auth (user/password, otp-sms, etc) --> error NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK
- ❌ The phone number cannot be deducted from access token --> error INVALID_TOKEN_CONTEXT
There was a problem hiding this comment.
Test included for share operation:
- ✅ @NumberVerification_phone_number_share100_match_true
⚠️ @NumberVerification_phone_number_share201_missing_scope- ✅ @NumberVerification_phone_number_share202_expired_access_token
Pending test to be included:
- ❌ The access token is valid but it has been generated with an auth method other than network auth (user/password, otp-sms, etc) --> error NUMBER_VERIFICATION.USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK
- ❌ The phone number cannot be deducted from access token --> error INVALID_TOKEN_CONTEXT
There was a problem hiding this comment.
regarding "pending tests" 1.
Maybe the authorization server should never create an access token if the scope is a "number verification"-scope and never did network authentication?! There is probably no way for the resource server / API endpoint to identify the authentication method used.
There was a problem hiding this comment.
regarding "pending tests" 2.
This also sounds like an internal authorization server error and should never happen - like the access token creation without network authentication for nv-scopes.
The resource server / API-endpoint can detect this condition
There was a problem hiding this comment.
https://github.com/camaraproject/NumberVerification/blob/main/code/API_definitions/number_verification.yaml#L270 talks about AMR
As Camara does not specify the access token nor the information associated with it other than the API's subject like phoneNumber, this would be a NV requirement on the telco issuing access tokens
There was a problem hiding this comment.
wdyt @bigludo7? I don't know if we can leave that validation to the authserver as something external to the API.
The auth process will validate if a phone number has access to certain scopes but I don't know if it can also check the auth method at token generation time.
And being Auth Code where the authentication is not done by the authserver itself but maybe something like an IDP.
I tend to think that is better to include the test mainly because is an error specified in the API yaml and we should cover it.
There was a problem hiding this comment.
I'm not as expert that both of you on this specific point but as we have the error in the YAML we must have a test case covered it.
By preference it to have it and then we can always discuss in the future to remove it.
There was a problem hiding this comment.
I added a test to "verify" that uses USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK
There was a problem hiding this comment.
Added a test to "share" that uses USER_NOT_AUTHENTICATED_BY_MOBILE_NETWORK
Co-authored-by: Fernando Prado Cabrillo <[email protected]>
…ted_with_access_token
…iated_with_access_token
…rk_authentication Should we add to all success cases that network authentication MUST have been used to identify the subscription?
There was a problem hiding this comment.
LGTM
Plus I've check @fernandopradocabrillo requests and as far as I checked the request change from Fernando are taken into account.
What type of PR is this?
Add one of the following kinds:
What this PR does / why we need it:
This PR provides tests for the path verify.
Tests for path device-phone-number are TBD.
Which issue(s) this PR fixes:
Fixes #104