Re-introduce test case tags for BSI audit (revert #4041). #4192

Merged
merged 2 commits into from
Aug 8, 2024
1 change: 1 addition & 0 deletions changelog.d/4-docs/revert-wpb8628
@@ -0,0 +1 @@
Re-introduce test case tags for BSI audit (revert #4041)
3 changes: 3 additions & 0 deletions integration/test/Test/AccessUpdate.hs
Expand Up @@ -38,6 +38,7 @@ testBaz :: HasCallStack => App ()
testBaz = pure ()
-}

-- | @SF.Federation @SF.Separation @TSFI.RESTfulAPI @S2
--
-- The test asserts that, among others, remote users are removed from a
-- conversation when an access update occurs that disallows guests from
Expand Down Expand Up @@ -73,6 +74,8 @@ testAccessUpdateGuestRemoved = do
res.status `shouldMatchInt` 200
res.json %. "members.others.0.qualified_id" `shouldMatch` objQidObject bob

-- @END

testAccessUpdateGuestRemovedUnreachableRemotes :: (HasCallStack) => App ()
testAccessUpdateGuestRemovedUnreachableRemotes = do
resourcePool <- asks resourcePool
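Review bot: The tag line re-introduced above testAccessUpdateGuestRemoved is written as a Haddock comment, `-- | @SF.Federation @SF.Separation @TSFI.RESTfulAPI @S2`, so the audit tags become the rendered documentation of that function, whereas every other tag block in this PR (Login.hs, Client.hs, Auth.hs, the federator test) uses a plain `--` line, and Account.hs, Auth.hs and ZAuth.hs additionally carry a "The testX test conforms to the following testing standards:" sentence in front of it. Unless the BSI tooling relies on the `-- |` form, `-- @SF.Federation @SF.Separation @TSFI.RESTfulAPI @S2` would keep the blocks uniform and out of the generated docs. The function this block annotates starts and ends outside the visible hunks.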
9 changes: 9 additions & 0 deletions integration/test/Test/Login.hs
Expand Up @@ -23,6 +23,7 @@ testLoginVerify6DigitEmailCodeSuccess = do
bindResponse (loginWith2ndFactor owner email defPassword code) $ \resp -> do
resp.status `shouldMatchInt` 200

-- @SF.Channel @TSFI.RESTfulAPI @S2
--
-- Test that login fails with wrong second factor email verification code
testLoginVerify6DigitWrongCodeFails :: (HasCallStack) => App ()
Expand All @@ -38,6 +39,9 @@ testLoginVerify6DigitWrongCodeFails = do
resp.status `shouldMatchInt` 403
resp.json %. "label" `shouldMatch` "code-authentication-failed"

-- @END

-- @SF.Channel @TSFI.RESTfulAPI @S2
--
-- Test that login without verification code fails if SndFactorPasswordChallenge feature is enabled in team
testLoginVerify6DigitMissingCodeFails :: (HasCallStack) => App ()
Expand All @@ -50,6 +54,9 @@ testLoginVerify6DigitMissingCodeFails = do
resp.status `shouldMatchInt` 403
resp.json %. "label" `shouldMatch` "code-authentication-required"

-- @END

-- @SF.Channel @TSFI.RESTfulAPI @S2
--
-- Test that login fails with expired second factor email verification code
testLoginVerify6DigitExpiredCodeFails :: (HasCallStack) => App ()
Expand All @@ -73,6 +80,8 @@ testLoginVerify6DigitExpiredCodeFails = do
resp.status `shouldMatchInt` 403
resp.json %. "label" `shouldMatch` "code-authentication-failed"

-- @END

testLoginVerify6DigitResendCodeSuccessAndRateLimiting :: (HasCallStack) => App ()
testLoginVerify6DigitResendCodeSuccessAndRateLimiting = do
(owner, team, []) <- createTeam OwnDomain 0
5 changes: 4 additions & 1 deletion libs/zauth/test/ZAuth.hs
Expand Up @@ -56,7 +56,7 @@ tests = do
],
testGroup
"Signing and Verifying"
[ testCase "testExpired - expired" (runCreate z 1 $ testExpired v),
[ testCase "expired" (runCreate z 1 $ testExpired v),
testCase "not expired" (runCreate z 2 $ testNotExpired v),
testCase "signed access-token is valid" (runCreate z 3 $ testSignAndVerify v)
],
Expand Down Expand Up @@ -94,6 +94,7 @@ testNotExpired p = do
liftIO $ assertBool "testNotExpired: validation failed" (isRight x)

-- The testExpired test conforms to the following testing standards:
-- @SF.Channel @TSFI.RESTfulAPI @TSFI.NTP @S2 @S3
--
-- Using an expired access token should fail
testExpired :: V.Env -> Create ()
Expand All @@ -104,6 +105,8 @@ testExpired p = do
x <- liftIO $ runValidate p $ check t
liftIO $ Left Expired @=? x

-- @END

testSignAndVerify :: V.Env -> Create ()
testSignAndVerify p = do
u <- liftIO nextRandom
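Review bot: If I read the old/new sides correctly, the testCase label in the "Signing and Verifying" group changes from `"testExpired - expired"` to `"expired"`, so the tasty output line no longer names the function that carries the `@SF.Channel @TSFI.RESTfulAPI @TSFI.NTP @S2 @S3` tags, while Account.hs in this same PR keeps and even adds labels of the `"testCreateUserWithInvalidVerificationCode - post /register - 400 ..."` form. If that name prefix is what lets an audit reader map a test-run line back to the tagged function, keeping `testCase "testExpired - expired" (runCreate z 1 $ testExpired v),` would be the safer choice; if dropping it is intentional, a sentence in the PR description saying so would help the next reader. The `tests` definition this hunk sits in starts outside the hunk.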
32 changes: 32 additions & 0 deletions services/brig/test/integration/API/User/Account.hs
Expand Up @@ -100,6 +100,7 @@ tests _ at opts p b c ch g aws userJournalWatcher =
testGroup
"account"
[ test p "post /register - 201 (with preverified)" $ testCreateUserWithPreverified opts b userJournalWatcher,
test p "testCreateUserWithInvalidVerificationCode - post /register - 400 (with preverified)" $ testCreateUserWithInvalidVerificationCode b,
test p "post /register - 201" $ testCreateUser b g,
test p "post /register - 201 anonymous" $ testCreateUserAnon b g,
test p "testCreateUserEmptyName - post /register - 400 empty name" $ testCreateUserEmptyName b,
Expand Down Expand Up @@ -160,6 +161,25 @@ tests _ at opts p b c ch g aws userJournalWatcher =
]
]

-- The testCreateUserWithInvalidVerificationCode test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- Registering with an invalid verification code and valid account details should fail.
testCreateUserWithInvalidVerificationCode :: Brig -> Http ()
testCreateUserWithInvalidVerificationCode brig = do
-- Attempt to register (pre verified) user with email
e <- randomEmail
code <- randomActivationCode -- incorrect but syntactically valid activation code
let Object regEmail =
object
[ "name" .= Name "Alice",
"email" .= fromEmail e,
"email_code" .= code
]
postUserRegister' regEmail brig !!! const 404 === statusCode

-- @END

testUpdateUserEmailByTeamOwner :: Opt.Opts -> Brig -> Http ()
testUpdateUserEmailByTeamOwner opts brig = do
(_, teamOwner, emailOwner : otherTeamMember : _) <- createPopulatedBindingTeamWithNamesAndHandles brig 2
Expand Down Expand Up @@ -270,6 +290,7 @@ assertOnlySelfConversations galley uid = do
liftIO $ cnvType conv @?= SelfConv

-- The testCreateUserEmptyName test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- An empty name is not allowed on registration
testCreateUserEmptyName :: Brig -> Http ()
Expand All @@ -281,7 +302,10 @@ testCreateUserEmptyName brig = do
post (brig . path "/register" . contentJson . body p)
!!! const 400 === statusCode

-- @END

-- The testCreateUserLongName test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- a name with > 128 characters is not allowed.
testCreateUserLongName :: Brig -> Http ()
Expand All @@ -294,6 +318,8 @@ testCreateUserLongName brig = do
post (brig . path "/register" . contentJson . body p)
!!! const 400 === statusCode

-- @END

testCreateUserAnon :: Brig -> Galley -> Http ()
testCreateUserAnon brig galley = do
let p =
Expand Down Expand Up @@ -351,6 +377,7 @@ testCreateUserPending _ brig = do
Search.assertCan'tFind brig suid quid "Mr. Pink"

-- The testCreateUserConflict test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- email address must not be taken on @/register@.
testCreateUserConflict :: Opt.Opts -> Brig -> Http ()
Expand Down Expand Up @@ -382,7 +409,10 @@ testCreateUserConflict _ brig = do
const 409 === statusCode
const (Just "key-exists") === fmap Error.label . responseJsonMaybe

-- @END

-- The testCreateUserInvalidEmail test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- Test to make sure a new user cannot be created with an invalid email address or invalid phone number.
testCreateUserInvalidEmail :: Opt.Opts -> Brig -> Http ()
Expand Down Expand Up @@ -412,6 +442,8 @@ testCreateUserInvalidEmail _ brig = do
post (brig . path "/register" . contentJson . body reqPhone)
!!! const 400 === statusCode

-- @END

testCreateUserBlacklist :: Opt.Opts -> Brig -> AWS.Env -> Http ()
testCreateUserBlacklist (Opt.setRestrictUserCreation . Opt.optSettings -> Just True) _ _ = pure ()
testCreateUserBlacklist _ brig aws =
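Review bot: testCreateUserWithInvalidVerificationCode only checks `const 404 === statusCode`, so a 404 produced for any other reason (a wrong path, or the random email simply being unknown) would also pass, whereas the neighbouring testCreateUserConflict pins the error body with `const (Just "key-exists") === fmap Error.label . responseJsonMaybe`. Adding the matching assertion, `postUserRegister' regEmail brig !!! do` / `const 404 === statusCode` / `const (Just "<label brig returns for an invalid email code>") === fmap Error.label . responseJsonMaybe`, would tie the status to the invalid-code path the comment above the test describes. Separately, `let Object regEmail = object [...]` is an incomplete pattern binding; it cannot fail because `object` always builds an Object, but it will trip `-Wincomplete-uni-patterns` if that warning is enabled here, so a one-line comment such as `-- total: 'object' always yields an Object` would save the next reader from checking.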
12 changes: 12 additions & 0 deletions services/brig/test/integration/API/User/Auth.hs
Expand Up @@ -376,6 +376,7 @@ testLoginUntrustedDomain brig = do
!!! const 200 === statusCode

-- The testLoginFailure test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- Test that trying to log in with a wrong password or non-existent email fails.
testLoginFailure :: Brig -> Http ()
Expand All @@ -397,6 +398,8 @@ testLoginFailure brig = do
PersistentCookie
!!! const 403 === statusCode

-- @END

testThrottleLogins :: Opts.Opts -> Brig -> Http ()
testThrottleLogins conf b = do
-- Get the maximum amount of times we are allowed to login before
Expand All @@ -422,6 +425,7 @@ testThrottleLogins conf b = do
login b (defEmailLogin e) SessionCookie !!! const 200 === statusCode

-- The testLimitRetries test conforms to the following testing standards:
-- @SF.Channel @TSFI.RESTfulAPI @TSFI.NTP @S2
--
-- The following test tests the login retries. It checks that a user can make
-- only a prespecified number of attempts to log in with an invalid password,
Expand Down Expand Up @@ -476,6 +480,8 @@ testLimitRetries conf brig = do
liftIO $ threadDelay (1000000 * 2)
login brig (defEmailLogin email) SessionCookie !!! const 200 === statusCode

-- @END

-------------------------------------------------------------------------------
-- LegalHold Login

Expand Down Expand Up @@ -602,6 +608,7 @@ testNoUserSsoLogin brig = do
-- Token Refresh

-- The testInvalidCookie test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @TSFI.NTP @S2
--
-- Test that invalid and expired tokens do not work.
testInvalidCookie :: forall u. (ZAuth.UserTokenLike u) => ZAuth.Env -> Brig -> Http ()
Expand All @@ -619,6 +626,8 @@ testInvalidCookie z b = do
const 403 === statusCode
const (Just "expired") =~= responseBody

-- @END

testInvalidToken :: ZAuth.Env -> Brig -> Http ()
testInvalidToken z b = do
user <- Public.userId <$> randomUser b
Expand Down Expand Up @@ -1131,6 +1140,7 @@ testRemoveCookiesByLabelAndId b = do
listCookies b (userId u) >>= liftIO . ([lbl] @=?) . map cookieLabel

-- The testTooManyCookies test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- The test asserts that there is an upper limit for the number of user cookies
-- per cookie type. It does that by concurrently attempting to create more
Expand Down Expand Up @@ -1180,6 +1190,8 @@ testTooManyCookies config b = do
)
xxx -> error ("Unexpected status code when logging in: " ++ show xxx)

-- @END

testLogout :: Brig -> Http ()
testLogout b = do
Just email <- userEmail <$> randomUser b
24 changes: 24 additions & 0 deletions services/brig/test/integration/API/User/Client.hs
Expand Up @@ -162,6 +162,7 @@ testAddGetClientVerificationCode db brig galley = do
const 200 === statusCode
const (Just c) === responseJsonMaybe

-- @SF.Channel @TSFI.RESTfulAPI @S2
--
-- Test that device cannot be added with missing second factor email verification code when this feature is enabled
testAddGetClientMissingCode :: Brig -> Galley -> Http ()
Expand All @@ -178,6 +179,9 @@ testAddGetClientMissingCode brig galley = do
const 403 === statusCode
const (Just "code-authentication-required") === fmap Error.label . responseJsonMaybe

-- @END

-- @SF.Channel @TSFI.RESTfulAPI @S2
--
-- Test that device cannot be added with wrong second factor email verification code when this feature is enabled
testAddGetClientWrongCode :: Brig -> Galley -> Http ()
Expand All @@ -195,6 +199,9 @@ testAddGetClientWrongCode brig galley = do
const 403 === statusCode
const (Just "code-authentication-failed") === fmap Error.label . responseJsonMaybe

-- @END

-- @SF.Channel @TSFI.RESTfulAPI @S2
--
-- Test that device cannot be added with expired second factor email verification code when this feature is enabled
testAddGetClientCodeExpired :: DB.ClientState -> Opt.Opts -> Brig -> Galley -> Http ()
Expand All @@ -218,6 +225,8 @@ testAddGetClientCodeExpired db opts brig galley = do
const 403 === statusCode
const (Just "code-authentication-failed") === fmap Error.label . responseJsonMaybe

-- @END

data AddGetClient = AddGetClient
{ addWithPassword :: Bool,
addWithMLSKeys :: Bool
Expand Down Expand Up @@ -895,6 +904,7 @@ testMultiUserGetPrekeysQualifiedV4 brig opts = do
const (Right $ expectedUserClientMap) === responseJsonEither

-- The testTooManyClients test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- The test validates the upper bound on the number of permanent clients per
-- user. It does so by trying to create one permanent client more than allowed.
Expand Down Expand Up @@ -975,7 +985,10 @@ testRegularPrekeysCannotBeSentAsLastPrekeysDuringUpdate brig = do
!!! const 400
=== statusCode

-- @END

-- The testRemoveClient test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- This test validates creating and deleting a client. A client is created and
-- consequently deleted. Deleting a second time yields response 404 not found.
Expand Down Expand Up @@ -1021,7 +1034,10 @@ testRemoveClient hasPwd brig cannon = do
newClientCookie = Just defCookieLabel
}

-- @END

-- The testRemoveClientShortPwd test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- The test checks if a client can be deleted by providing a too short password.
-- This is done by using a single-character password, whereas the minimum is 6
Expand Down Expand Up @@ -1054,7 +1070,10 @@ testRemoveClientShortPwd brig = do
newClientCookie = Just defCookieLabel
}

-- @END

-- The testRemoveClientIncorrectPwd test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- The test checks if a client can be deleted by providing a syntax-valid, but
-- incorrect password. The client deletion attempt fails with a 403 error
Expand Down Expand Up @@ -1087,6 +1106,8 @@ testRemoveClientIncorrectPwd brig = do
newClientCookie = Just defCookieLabel
}

-- @END

testUpdateClient :: Opt.Opts -> Brig -> Http ()
testUpdateClient opts brig = do
uid <- userId <$> randomUser brig
Expand Down Expand Up @@ -1279,6 +1300,7 @@ testMissingClient brig = do
. responseHeaders

-- The testAddMultipleTemporary test conforms to the following testing standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
-- Legacy (galley)
--
-- Add temporary client, check that all services (both galley and
Expand Down Expand Up @@ -1336,6 +1358,8 @@ testAddMultipleTemporary brig galley cannon = do
. zUser u
pure $ Vec.length <$> (preview _Array =<< responseJsonMaybe @Value r)

-- @END

testPreKeyRace :: Brig -> Http ()
testPreKeyRace brig = do
uid <- userId <$> randomUser brig
3 changes: 3 additions & 0 deletions services/brig/test/integration/API/User/Handles.hs
Expand Up @@ -69,6 +69,7 @@ tests _cl _at conf p b c g =
]

-- The next line contains a mapping from the testHandleUpdate test to the following test standards:
-- @SF.Provisioning @TSFI.RESTfulAPI @S2
--
-- The test validates various updates to the user's handle. First, it attempts
-- to set invalid handles. This fails. Then it successfully sets a valid handle.
Expand Down Expand Up @@ -139,6 +140,8 @@ testHandleUpdate brig cannon = do
put (brig . path "/self/handle" . contentJson . zUser uid2 . zConn "c" . body update)
!!! const 200 === statusCode

-- @END

testHandleRace :: Brig -> Http ()
testHandleRace brig = do
us <- replicateM 10 (userId <$> randomUser brig)
Expand Up @@ -75,6 +75,7 @@ spec env = do

it "testRejectRequestsWithoutClientCertIngress" (testRejectRequestsWithoutClientCertIngress env)

-- @SF.Federation @TSFI.RESTfulAPI @S2 @S3 @S7
--
-- This test was primarily intended to test that federator is using the API right (header
-- name etc.), but it is also effectively testing that federator rejects clients without
Expand Down Expand Up @@ -110,6 +111,8 @@ testRejectRequestsWithoutClientCertIngress env = runTestFederator env $ do
expectationFailure "Expected client certificate error, got remote error"
Left (RemoteErrorResponse _ _ status _) -> status `shouldBe` HTTP.status400

-- @END

liftToCodensity :: (Member (Embed (Codensity IO)) r) => Sem (Embed IO ': r) a -> Sem r a
liftToCodensity = runEmbedded @IO @(Codensity IO) lift
