Feature Test Summary - InstantOn support for Jakarta Authorization

[anjumfatima90]

Test Strategy

Describe the test strategy & approach for this feature, and describe how the approach verifies the functions delivered by this feature.

This the test summary for epic InstantOn support for Jakarta Authorization

The test strategy involves running FATs on test machines that are enabled for InstantOn (checkpoint) testing. Both SOE and the orchestrater builds invoked by PR #build run the checkpoint test buckets on machines/environments that support Liberty InstantOn. We also still maintain a continuous InstantOn build that runs daily using the Open Liberty integration branch with the checkpoint tests running in FULL mode. The checkpoint tests are run across Java 11, 17 and 21 in the continuous InstantOn build as well as in SOE runs. The InstantOn checkpoint FAT tests are identified using the @CheckpointTest annotation. This ensures the test is only executed on host systems that support checkpoint (i.e. Linux systems with the right kernel version and criu installed and running OpenJ9).

List of FAT projects affected

• com.ibm.ws.ejbcontainer.security.jacc_fat.2
• com.ibm.ws.ejbcontainer.security.jacc_fat.2.1

Test strategy

• What functionality is new or modified by this feature?

The following features have been enabled for Liberty InstantOn by adding the WLP-InstantOn-Enabled: true feature manifest header. This allows the features to be enabled when doing a Liberty InstantOn checkpoint action. Without this the checkpoint action would fail when one or more of the following features are enabled.

1. jacc-1.5
2. appAuthorization-2.0
3. appAuthorization-2.1
4. appAuthorization-3.0

• What are the positive and negative tests for that functionality? (Tell me the specific scenarios you tested. What kind of tests do you have for when everything ends up working (positive tests)? What about tests that verify we fail gracefully when things go wrong (negative tests)? See the Positive and negative tests section of the Feature Test Summary Process wiki for more detail.)

• What manual tests are there (if any)? (Note: Automated testing is expected for all features with manual testing considered an exception to the rule.)

None

Confidence Level

Collectively as a team you need to assess your confidence in the testing delivered based on the values below. This should be done as a team and not an individual to ensure more eyes are on it and that pressures to deliver quickly are absorbed by the team as a whole.

Please indicate your confidence in the testing (up to and including FAT) delivered with this feature by selecting one of these values:

0 - No automated testing delivered

1 - We have minimal automated coverage of the feature including golden paths. There is a relatively high risk that defects or issues could be found in this feature.

2 - We have delivered a reasonable automated coverage of the golden paths of this feature but are aware of gaps and extra testing that could be done here. Error/outlying scenarios are not really covered. There are likely risks that issues may exist in the golden paths

3 - We have delivered all automated testing we believe is needed for the golden paths of this feature and minimal coverage of the error/outlying scenarios. There is a risk when the feature is used outside the golden paths however we are confident on the golden path. Note: This may still be a valid end state for a feature... things like Beta features may well suffice at this level.

4 - We have delivered all automated testing we believe is needed for the golden paths of this feature and have good coverage of the error/outlying scenarios. While more testing of the error/outlying scenarios could be added we believe there is minimal risk here and the cost of providing these is considered higher than the benefit they would provide.

5 - We have delivered all automated testing we believe is needed for this feature. The testing covers all golden path cases as well as all the error/outlying scenarios that make sense. We are not aware of any gaps in the testing at this time. No manual testing is required to verify this feature.

Based on your answer above, for any answer other than a 4 or 5 please provide details of what drove your answer. Please be aware, it may be perfectly reasonable in some scenarios to deliver with any value above. We may accept no automated testing is needed for some features, we may be happy with low levels of testing on samples for instance so please don't feel the need to drive to a 5. We need your honest assessment as a team and the reasoning for why you believe shipping at that level is valid. What are the gaps, what is the risk etc. Please also provide links to the follow on work that is needed to close the gaps (should you deem it needed)

We rate our confidence level at 3.5

[anjumfatima90]

General test behavior

The tests encompasses testing AFTER_APP_START phase of checkpoint. This means that the tests primarily focus on verifying the behavior and functionality of the application on restore with a checkpoint being executed after the application has been initialized and is in a running state before the ports are open.

In positive tests, the aim is to verify the successful completion of each step (checkpoint/restore) as expected. This involves ensuring that the expected page, response, and response status are received when a valid user is allowed access.

The negative tests focus on validating the proper handling of error scenarios. This includes verifying that the response contains the correct status code and message or full text. Additionally, the tests check if the server logs display the correct authorization failed exceptions and, if applicable, check for the occurrence of any expected FFDC events.

The tests are repeated to test EE8, EE9, EE10 and EE11 features.

List of FAT projects affected

1. com.ibm.ws.ejbcontainer.security.jacc_fat.2

The below tests are existing tests in the existing FAT which are repeated again to perform checkpoint/restore on different EE levels. Features tested include jacc-1.5, appAuthorization-2.0, appAuthorization-2.1, appAuthorization-3.0.

• EJBJarX01InWarEarTest: Performs testing of EJB with only the ejb-jar.xml deployment descriptor and no annotations.

• PureAnnA01InWarEarTest: Performs testing of EJB pure annotations with a Stateless bean and application-bnd role mappings in server.xml. It tests the class level annotations RunAs (Employee), RolesAllowed (Manager) and DeclareRoles(DeclaredRole01) with a variety of method level annotations.

• PureAnnA07InWarInheritanceTest: This tests covers packaging of EJB in standalone WAR file with EJB and servlet classes in WEB-INF/classes. There is no application.xml or ibm-application-bnd.xml file. It tests the class level annotations RunAs (Employee), RolesAllowed (Manager) and DeclareRoles(DeclaredRole01) with a variety of method level annotations.

• PureAnnAppBndXMLBindingsInWarEarTest: Performs testing of EJB pure annotations with a Stateless bean and role mappings in ibm-application-bnd.xml. It tests the class level annotations RunAs (Employee), RolesAllowed (Manager) and DeclareRoles(DeclaredRole01) with a variety of method level annotations.

• EJBJarMixExtInWarEarMergeConflictXMLBindingsTest: Performs testing of EJB with the extensions file ibm-ejb-jar-ext.xml along with ejb-jar.xml deployment descriptor mixed with annotations.

2. com.ibm.ws.ejbcontainer.security.jacc_fat.2.1

The below tests are existing tests in the existing FAT which are repeated again to perform checkpoint/restore on different EE levels. Features tested include appAuthorization-2.1, appAuthorization-3.0.

• EJBJakarta10Test: Performs testing of EJB with only the ejb-jar.xml deployment descriptor and no annotations.