Test Roles & Permissions for the Application - Githubissues

North-Seattle-College / ad440-winter2020-thursday-repo

Repository for AD440 Thursday Class in Winter 2020

Apache License 2.0

10 stars 5 forks source link

Test Roles & Permissions for the Application #199

Open mattyplo opened 4 years ago

mattyplo commented 4 years ago

test #194

mattyplo commented 4 years ago

Test Objective:

The purpose of this test is to test the Roles and permissions that were setup via Cognito and implemented through the API Gateway. There are three roles that were created that need to be test: Admin, Employee, and Keyholder. Each role has a specific level of permissions which allows them to access certain information from the database and that information only.

Test Methodology:

Testing specific roles

AWS conveniently lets you test role based authorized access through API Gateway. This was the method I used to test the three roles mentioned above to see if they were implemented correctly.

Test Suite 1

The first step is to get an authorization token which can be done here
Sign in as the appropriate user (Admin, Employee, or Keyholder)
you are navigated to an example domain. Inside the url, there is an id_token you will copy.
Go to AWS API Gateway
go to Authorizers in lefthand nav bar
click the prod-api-authorizer-cognito box
click test
enter the id-token you copied in the step above
view response

Test 1 - Admin

Expected & Actual Test Results

Sign in as admin
enter token

response: Response Code = 200 Claims =

{
"at_hash": "UHI2_rZg4lVsP77isIs-YA",
"aud": "72glcbibfefumdab16h54lff9q",
"auth_time": "1583854910",
"cognito:groups": "Keyholder,Employee,Administrator",
"cognito:preferred_role": "arn:aws:iam::061431082068:role/cognito_userpool_admin",
"cognito:roles": "arn:aws:iam::061431082068:role/cognito_userpool_admin,arn:aws:iam::061431082068:role/cognito_userpool_keyholder,arn:aws:iam::061431082068:role/cognito_userpool_employee",
"cognito:username": "admin",
"email": "syatwork@outlook.com",
"email_verified": "true",
"event_id": "dc1046a0-a66b-4d9b-a10a-3e1e3d869cd2",
"exp": "Tue Mar 10 16:41:50 UTC 2020",
"iat": "Tue Mar 10 15:41:50 UTC 2020",
"iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_xV6TGf7xl",
"sub": "a4653ad7-8b86-4aa0-bd26-cdfcae45e540",
"token_use": "id"
}

Test 1.2

Expected & Actual Test Results

Under same sign in, try the test with the access_token or other random token.
response: Response Code = 401 Unauthorized request: cc47a671-46b2-44bc-8999-97fc96396cd0

Test 1.3

Expected & Actual Test Results Test #1.3

Try the token again after one hour when it should expire
response: Response Code = 401 Unauthorized request: 12b1fc72-1d22-4c83-8c8e-a4818ab6855f

Test 2 - Employee

Expected & Actual Test Results

Sign in as employee
enter token

response: Response Code = 200 Claims =

{
"at_hash": "z-Fg7tAGhu1_svNMFjxMrw",
"aud": "72glcbibfefumdab16h54lff9q",
"auth_time": "1583942026",
"cognito:groups": "Employee",
"cognito:preferred_role": "arn:aws:iam::061431082068:role/cognito_userpool_employee",
"cognito:roles": "arn:aws:iam::061431082068:role/cognito_userpool_employee",
"cognito:username": "employee",
"email": "e1508340@urhen.com",
"email_verified": "true",
"event_id": "7b4ae765-4ad1-4013-ae9f-c634cf59148c",
"exp": "Wed Mar 11 16:53:46 UTC 2020",
"iat": "Wed Mar 11 15:53:46 UTC 2020",
"iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_xV6TGf7xl",
"sub": "ed14b030-e723-471a-b649-f45679169b93",
"token_use": "id"
}

Test 2.2

Expected & Actual Test Results

Under same sign in, try the test with the access_token or other random token.
response: Response Code = 401 Unauthorized request: ca0eb60e-f976-422c-80be-d5990a4b79b6

Test 2.3

Expected & Actual Test Results

Try the token again after one hour when it should expire
response: Response Code = 401 Unauthorized request: e8641ca8-f2c4-4d1e-b221-a475f852938a

Test 3 - keyholder

Expected & Actual Test Results

Sign in as keyholder
enter token

response: Response Code = 200 Claims =


{
"at_hash": "gNV_0wiMs46wnfczOzKYVA",
"aud": "72glcbibfefumdab16h54lff9q",
"auth_time": "1583856393",
"cognito:groups": "Keyholder",
"cognito:preferred_role": "arn:aws:iam::061431082068:role/cognito_userpool_keyholder",
"cognito:roles": "arn:aws:iam::061431082068:role/cognito_userpool_keyholder",
"cognito:username": "keyholder",
"email": "e1509118@urhen.com",
"email_verified": "true",
"event_id": "a04cb8c3-fa9e-4485-b132-7137b49777c7",
"exp": "Tue Mar 10 17:06:33 UTC 2020",
"iat": "Tue Mar 10 16:06:33 UTC 2020",
"iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_xV6TGf7xl",
"sub": "cf758434-5560-4f9b-b252-4b475fbeb643",
"token_use": "id"
}


##### Test 3.2
_Expected & Actual Test Results_
- Under same sign in, try the test with the access_token or other random token.
- response:
Response Code = 401
Unauthorized request: Unauthorized request: c136079d-473a-4e7f-ade5-b160f99c773f

##### Test 3.3
_Expected & Actual Test Results_
- Try the token again after an hour when it should've expired.
- response:
Response Code = 401
Unauthorized request: 377b03e8-cbf9-4c5c-88d8-875a999f4df5