Testing

Overview

Testing has two aspects: functional testing and security testing.

Both are contained within the same Test Plan, which is defined in a Java file with annotations.

Test Definition

Each test is defined by the following fields:

    title - Short description of the test
    description - Longer description of the test
    actions - Actions to perform
    result - Expected result for the test to pass
    category - Category of the test
    execution - Execution type, e.g. Manual or Automatic
    reference - Typically the Jira ticket
    id - A unique ID for the test; security test IDs must be prefixed with an S

A test is created in the Java file in the following format:

[screenshot: test definition in the Java file]

The images must be stored as resources

[screenshot: resources folder]

Test Plan

During the build, the Test Plan is generated in the target area.
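As an added illustration (not the project's own annotation, whose exact definition is in the screenshot above), the following Java sketch defines an annotation carrying the fields listed under Test Definition, together with a small generator that reads it through reflection, enforces the rule that security test IDs start with S, and renders the plan as text the way a build step might. The annotation name TestDefinition, the Category and Execution enums, the method names and the Jira key PROJ-123 are assumptions.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

// Assumed annotation shape (illustrative; not the project's own @interface).
@Retention(RetentionPolicy.RUNTIME)   // kept at runtime so a build step can read it
@Target(ElementType.METHOD)
@interface TestDefinition {
    enum Execution { MANUAL, AUTOMATIC }
    enum Category { FUNCTIONAL, SECURITY }

    String title();
    String description();
    String[] actions();               // ordered steps the tester performs
    String result();                  // expected outcome that passes the test
    Category category();
    Execution execution();
    String reference() default "";    // usually the Jira key; optional
    String id();                      // unique; security tests must start with "S"
}

public class TestPlanExample {

    // Two constructed definitions; PROJ-123 is a placeholder Jira key.
    @TestDefinition(
        title = "Critical path testing",
        description = "Ensure the basic functionality of the extension works",
        actions = {"Install the extension", "Open the extension page", "Log in as a standard user"},
        result = "The page renders and the user is logged in",
        category = TestDefinition.Category.FUNCTIONAL,
        execution = TestDefinition.Execution.MANUAL,
        reference = "PROJ-123",
        id = "F-001")
    void criticalPath() { }

    @TestDefinition(
        title = "CSRF token enforced",
        description = "A state-changing request without a valid CSRF token is rejected",
        actions = {"Capture a POST with DevTools", "Replay it with the token removed"},
        result = "The server responds with an error and no state changes",
        category = TestDefinition.Category.SECURITY,
        execution = TestDefinition.Execution.MANUAL,
        id = "S-001")
    void csrfTokenEnforced() { }

    /** Renders one entry per annotated method and rejects security tests whose ID lacks the S prefix. */
    static String renderPlan(Class<?> testClass) {
        StringBuilder sb = new StringBuilder();
        for (Method m : testClass.getDeclaredMethods()) {
            TestDefinition t = m.getAnnotation(TestDefinition.class);
            if (t == null) continue;   // helper methods such as main() carry no definition
            if (t.category() == TestDefinition.Category.SECURITY && !t.id().startsWith("S")) {
                throw new IllegalStateException(
                    "Security test '" + t.title() + "' has ID " + t.id() + " without the S prefix");
            }
            sb.append(t.id()).append(" | ").append(t.title()).append(" | ")
              .append(t.category()).append(" | ").append(t.execution()).append(" | ")
              .append(t.reference().isEmpty() ? "-" : t.reference()).append('\n');
            for (int i = 0; i < t.actions().length; i++) {
                sb.append("  ").append(i + 1).append(". ").append(t.actions()[i]).append('\n');
            }
            sb.append("  Expected: ").append(t.result()).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.print(renderPlan(TestPlanExample.class));
    }
}
```

Compile and run with `javac TestPlanExample.java && java TestPlanExample`; the generator fails the build if a SECURITY test is given an F-prefixed ID, which is the kind of check worth running before the plan reaches QA.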

Functional Testing

Functional testing assesses whether new or changed code works as expected. This includes regression testing to ensure stability. Developers must ensure that every feature or capability of the extension can be tested before it is passed to the QA team.

Initial tests are created by the developer based on the requirements of the extension and the features implemented. Tests added after the initial release can cover bugs found in previous versions as well as additional features.

Developers add tests and fill in the definitions. The title names the test type, for example critical path testing, and the description states its purpose, for example ensuring that the basic functionality of the extension works. Another example is configuration testing, which ensures that a given configuration is applied correctly. The actions list the steps required to perform the test. Each test must have an ID and, where applicable, a reference to a Jira ticket.

The test plan is then executed by QA, who compare the outcome of each test with its expected result.

Security Testing

The security report lists the endpoints the system exposes; the following table is used to determine the minimum required testing for each endpoint:

[TODO - EDKB-49]

Testing with an XSS tool is required; XSStrike is the approved tool.

[screenshot: XSStrike]

Testing CSRF

To test the CSRF (Cross-Site Request Forgery) nonce in Java, follow a structured approach to confirm that the token is generated, validated and protected correctly.

A CSRF token (also called a nonce) is a unique, random string added to forms or requests to protect against CSRF attacks. The token only protects if the server actually checks it: a request that omits the token, or carries a wrong one, must be rejected.

To test it, you must ensure that:
  - the token is present in the form or request;
  - the token is unique per user session or request;
  - a request without the token, or with a modified token, is rejected by the server.

Steps:

  1. Open DevTools by pressing F12.
  2. Go to the Network tab, select the Fetch/XHR filter and press Ctrl+R to reload the page.
  3. Perform the action under test.
  4. Select the JSP request in DevTools and open the Payload tab.
  5. Confirm that a CSRF token is present in the payload and that it differs from the token seen in another session.

[screenshot: CSRF token in the DevTools Payload tab]
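The DevTools steps above only show that a token is present. The following added Java example (not the extension's own code) demonstrates the three properties the tester is actually verifying: the token is generated from a cryptographic random source, it is bound to one session so two sessions never share it, and validation rejects a missing, tampered or foreign token using a constant-time comparison. The class names, session IDs and in-memory store are assumptions; a real extension would keep the token in the HTTP session.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class CsrfTokenCheck {

    /** Per-session token store (assumed design; the real extension would use the HTTP session). */
    static final class CsrfTokenService {
        private final SecureRandom random = new SecureRandom();
        private final Map<String, String> tokensBySession = new ConcurrentHashMap<>();

        /** Issues a token for a session once and reuses it: 32 random bytes, URL-safe Base64. */
        String tokenFor(String sessionId) {
            return tokensBySession.computeIfAbsent(sessionId, s -> {
                byte[] buf = new byte[32];
                random.nextBytes(buf);
                return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            });
        }

        /** Validates a submitted token; absent, foreign or tampered tokens all fail. */
        boolean isValid(String sessionId, String submitted) {
            String expected = tokensBySession.get(sessionId);
            if (expected == null || submitted == null) return false;
            // Constant-time comparison so response timing cannot leak the token byte by byte.
            return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        }
    }

    public static void main(String[] args) {
        CsrfTokenService svc = new CsrfTokenService();
        String alice = svc.tokenFor("session-alice");   // constructed session IDs
        String bob = svc.tokenFor("session-bob");

        // 1. Present: the form or request carries a token.
        check("token present", alice != null && !alice.isEmpty());
        // 2. Unique per session: two sessions never share a token.
        check("token unique per session", !alice.equals(bob));
        // 3. Enforced: only the exact token bound to the session is accepted.
        check("valid token accepted", svc.isValid("session-alice", alice));
        check("missing token rejected", !svc.isValid("session-alice", null));
        check("other session's token rejected", !svc.isValid("session-alice", bob));
        check("tampered token rejected", !svc.isValid("session-alice", alice.substring(1) + "A"));
    }

    private static void check(String name, boolean passed) {
        System.out.println((passed ? "PASS " : "FAIL ") + name);
    }
}
```

Run with `javac CsrfTokenCheck.java && java CsrfTokenCheck`. The manual equivalent of the third group of checks is to replay the captured request from DevTools with the token removed or altered and confirm the server returns an error and performs no state change.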