mirror of
https://github.com/arsvendg/Stirling-PDF.git
synced 2026-07-16 19:33:11 +02:00
cucumber for days (#5766)
This commit is contained in:
@@ -0,0 +1,138 @@
|
||||
@jwt @auth @audit
|
||||
Feature: Audit Dashboard API
|
||||
|
||||
Tests for the audit dashboard REST API endpoints, which provide
|
||||
audit log data, statistics, and export capabilities.
|
||||
|
||||
All endpoints:
|
||||
- Require ROLE_ADMIN (JWT authentication)
|
||||
- Are gated by @EnterpriseEndpoint (may return 403 on non-enterprise builds)
|
||||
|
||||
Responses are therefore expected to be one of: 200 (enterprise enabled)
|
||||
or 403 (enterprise feature not available in this build).
|
||||
|
||||
Admin credentials: username=admin, password=stirling
|
||||
|
||||
# =========================================================================
|
||||
# AUDIT DATA
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can retrieve audit log data
|
||||
Given I am logged in as admin
|
||||
When I send a GET request to "/api/v1/audit/data" with JWT authentication
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to audit data returns 401
|
||||
When I send a GET request to "/api/v1/audit/data" with no authentication
|
||||
Then the response status code should be 401
|
||||
|
||||
# =========================================================================
|
||||
# AUDIT STATS
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can retrieve audit statistics
|
||||
Given I am logged in as admin
|
||||
When I send a GET request to "/api/v1/audit/stats" with JWT authentication
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to audit stats returns 401
|
||||
When I send a GET request to "/api/v1/audit/stats" with no authentication
|
||||
Then the response status code should be 401
|
||||
|
||||
# =========================================================================
|
||||
# AUDIT TYPES
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can retrieve audit event types
|
||||
Given I am logged in as admin
|
||||
When I send a GET request to "/api/v1/audit/types" with JWT authentication
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to audit types returns 401
|
||||
When I send a GET request to "/api/v1/audit/types" with no authentication
|
||||
Then the response status code should be 401
|
||||
|
||||
# =========================================================================
|
||||
# AUDIT EXPORT (CSV)
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can export audit log as CSV
|
||||
Given I am logged in as admin
|
||||
When I send a GET request to "/api/v1/audit/export/csv" with JWT authentication
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to audit CSV export returns 401
|
||||
When I send a GET request to "/api/v1/audit/export/csv" with no authentication
|
||||
Then the response status code should be 401
|
||||
|
||||
# =========================================================================
|
||||
# AUDIT EXPORT (JSON)
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can export audit log as JSON
|
||||
Given I am logged in as admin
|
||||
When I send a GET request to "/api/v1/audit/export/json" with JWT authentication
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to audit JSON export returns 401
|
||||
When I send a GET request to "/api/v1/audit/export/json" with no authentication
|
||||
Then the response status code should be 401
|
||||
|
||||
# =========================================================================
|
||||
# AUDIT CLEANUP
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can trigger cleanup of old audit records
|
||||
Given I am logged in as admin
|
||||
When I send a DELETE request to "/api/v1/audit/cleanup/before" with JWT authentication and params "date=2020-01-01"
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to audit cleanup returns 401
|
||||
When I send a DELETE request to "/api/v1/audit/cleanup/before" with no authentication and params "date=2020-01-01"
|
||||
Then the response status code should be 401
|
||||
|
||||
# =========================================================================
|
||||
# PROPRIETARY UI DATA – AUDIT EVENTS (AuditRestController)
|
||||
# Endpoint base: /api/v1/proprietary/ui-data
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can retrieve paginated audit events from UI data API
|
||||
Given I am logged in as admin
|
||||
When I send a GET request to "/api/v1/proprietary/ui-data/audit-events" with JWT authentication
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@positive
|
||||
Scenario: Admin can retrieve audit chart data
|
||||
Given I am logged in as admin
|
||||
When I send a GET request to "/api/v1/proprietary/ui-data/audit-charts" with JWT authentication
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@positive
|
||||
Scenario: Admin can retrieve list of audit event types from UI data API
|
||||
Given I am logged in as admin
|
||||
When I send a GET request to "/api/v1/proprietary/ui-data/audit-event-types" with JWT authentication
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@positive
|
||||
Scenario: Admin can retrieve list of audited users
|
||||
Given I am logged in as admin
|
||||
When I send a GET request to "/api/v1/proprietary/ui-data/audit-users" with JWT authentication
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to proprietary audit events returns 401
|
||||
When I send a GET request to "/api/v1/proprietary/ui-data/audit-events" with no authentication
|
||||
Then the response status code should be 401
|
||||
@@ -0,0 +1,45 @@
|
||||
@jwt @auth @signature
|
||||
Feature: Signatures API
|
||||
|
||||
Tests for the saved signatures REST API, which allows authenticated
|
||||
users to store and retrieve their signature images.
|
||||
|
||||
Endpoints:
|
||||
- GET /api/v1/proprietary/signatures (authenticated)
|
||||
- POST /api/v1/proprietary/signatures (authenticated, multipart)
|
||||
- DELETE /api/v1/proprietary/signatures/{id} (authenticated)
|
||||
|
||||
POST is omitted here because it requires a multipart image upload; the
|
||||
format of SavedSignatureRequest is tested via integration rather than BDD.
|
||||
|
||||
Admin credentials: username=admin, password=stirling
|
||||
|
||||
# =========================================================================
|
||||
# LIST SIGNATURES
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Authenticated user can retrieve their signatures list
|
||||
Given I am logged in as admin
|
||||
When I send a GET request to "/api/v1/proprietary/signatures" with JWT authentication
|
||||
Then the response status code should be one of "200, 403"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to signatures list returns 401
|
||||
When I send a GET request to "/api/v1/proprietary/signatures" with no authentication
|
||||
Then the response status code should be 401
|
||||
|
||||
# =========================================================================
|
||||
# DELETE SIGNATURE
|
||||
# =========================================================================
|
||||
|
||||
@negative
|
||||
Scenario: Delete a non-existent signature returns 404 or 403
|
||||
Given I am logged in as admin
|
||||
When I send a DELETE request to "/api/v1/proprietary/signatures/nonexistent-sig-id-xyz" with JWT authentication
|
||||
Then the response status code should be one of "403, 404"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to delete signature returns 401
|
||||
When I send a DELETE request to "/api/v1/proprietary/signatures/some-id" with no authentication
|
||||
Then the response status code should be 401
|
||||
@@ -0,0 +1,21 @@
|
||||
"""
|
||||
Re-export all step definitions so that `behave features/enterprise/` works
|
||||
as a standalone run without needing to reference the parent steps directory.
|
||||
|
||||
When running the default suite (`behave` from testing/cucumber/), these
|
||||
enterprise features are excluded via behave.ini. When running enterprise
|
||||
tests explicitly (`python -m behave features/enterprise`), Behave loads
|
||||
steps only from this directory, so we import the parent implementations here.
|
||||
"""
|
||||
|
||||
import os
|
||||
import sys
|
||||
|
||||
# Make the parent steps/ directory importable
|
||||
_parent_steps = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../steps"))
|
||||
if _parent_steps not in sys.path:
|
||||
sys.path.insert(0, _parent_steps)
|
||||
|
||||
from step_definitions import * # noqa: F401, F403
|
||||
from auth_step_definitions import * # noqa: F401, F403
|
||||
from enterprise_step_definitions import * # noqa: F401, F403
|
||||
@@ -0,0 +1,80 @@
|
||||
@jwt @auth @team
|
||||
Feature: Teams API
|
||||
|
||||
Tests for the teams REST API, which provides multi-user grouping
|
||||
functionality (a @PremiumEndpoint feature).
|
||||
|
||||
Endpoints:
|
||||
- POST /api/v1/teams/create (admin only, query param: name)
|
||||
- POST /api/v1/teams/rename (admin only, query params: teamId, name)
|
||||
- POST /api/v1/teams/delete (admin only, query param: teamId)
|
||||
- POST /api/v1/teams/addUser (admin only, query params: teamId, username)
|
||||
|
||||
Because this is a @PremiumEndpoint, responses may be 200 (premium enabled)
|
||||
or 403 (premium not available in this build).
|
||||
|
||||
There is no GET /teams endpoint, so full CRUD lifecycle cannot be verified
|
||||
via ID-based lookup. Tests are limited to exercising each endpoint and
|
||||
checking the response is not a security bypass.
|
||||
|
||||
Admin credentials: username=admin, password=stirling
|
||||
|
||||
# =========================================================================
|
||||
# CREATE TEAM
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can attempt to create a new team
|
||||
Given I am logged in as admin
|
||||
When I send a POST request to "/api/v1/teams/create" with JWT authentication and params "name=bdd_test_team"
|
||||
Then the response status code should be one of "200, 201, 403"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to create team returns 401
|
||||
When I send a POST request to "/api/v1/teams/create" with no authentication and params "name=evil_team"
|
||||
Then the response status code should be 401
|
||||
|
||||
# =========================================================================
|
||||
# RENAME TEAM
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can attempt to rename a team
|
||||
Given I am logged in as admin
|
||||
When I send a POST request to "/api/v1/teams/rename" with JWT authentication and params "teamId=1&newName=bdd_renamed_team"
|
||||
Then the response status code should be one of "200, 400, 403, 404"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to rename team returns 401
|
||||
When I send a POST request to "/api/v1/teams/rename" with no authentication and params "teamId=1&newName=evil_renamed"
|
||||
Then the response status code should be 401
|
||||
|
||||
# =========================================================================
|
||||
# ADD USER TO TEAM
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can attempt to add a user to a team
|
||||
Given I am logged in as admin
|
||||
When I send a POST request to "/api/v1/teams/addUser" with JWT authentication and params "teamId=1&userId=1"
|
||||
Then the response status code should be one of "200, 400, 403, 404"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to add user to team returns 401
|
||||
When I send a POST request to "/api/v1/teams/addUser" with no authentication and params "teamId=1&userId=1"
|
||||
Then the response status code should be 401
|
||||
|
||||
# =========================================================================
|
||||
# DELETE TEAM
|
||||
# =========================================================================
|
||||
|
||||
@positive
|
||||
Scenario: Admin can attempt to delete a team
|
||||
Given I am logged in as admin
|
||||
When I send a POST request to "/api/v1/teams/delete" with JWT authentication and params "teamId=999"
|
||||
Then the response status code should be one of "200, 400, 403, 404"
|
||||
|
||||
@negative
|
||||
Scenario: Unauthenticated request to delete team returns 401
|
||||
When I send a POST request to "/api/v1/teams/delete" with no authentication and params "teamId=1"
|
||||
Then the response status code should be 401
|
||||
Reference in New Issue
Block a user