Multiple scenarios within a specification feature file? - tags

After having gotten more comfortable in Behaviour-Driven Development using SpecFlow, I was wondering about having multiple scenarios for the same feature as follows:
Register.feature
Feature: Register a new user
In order to use the system,
one must register with the system
so that one gets authorized and may login
Scenario: Register a new user using valid credentials
Given I am on the registration page
When I have entered my desired username "UserName" and password "password"
And I have confirmed my password "password"
And I click the register button
Then I shall get confirmation that I am now a registered user
Besides the fact that my scenario might have gotten a bit too fat, one must also manage to validate other scenarios within the registration process such as:
Input user name is too short
Input password is too short
Input password doesn't contain numbers
Input password doesn't match the confirm password
Just to name a few. I have read about tags in the SpecFlow feature file, so that I could perhaps do as follows:
#shorterPasswordProvided
Scenario: Register a user using a password that is too short
Given I am on the registration page
When I have entered my desired user name
And I have provided a password that is too short "allo"
And I click the Register button
Then I shall get an error message which mentions about the password minimum length
#noCredentialsAtAll
Scenario: Register a user using no credentials at all
Given I am on the registration page
When I click on the Register button with no credentials entered
Then I shall get an error message that says I have to fill all required fields in
Then, using the [BeforeScenario("myTag")] should do the trick.
The hooks allow a subset of the tests to be executed following certain rules. So, a When method could then be executed with a predefined context, that is, the hook for which it was meant to be executed, and that is mentioned through the BeforeScenario or similar attribute.
Have I understood correctly, or am I in fog here?
Am I pushing too far?
Am I missing something?
Are all the "too short password", "no credentials provided" considered different usage scenarios, or are they something else which could only fit somewhere else in the code, like the unit tests themselves?
I mean, all those scenarios belong to the Register feature, and as such, they shall be defined in the same Register.feature SpecFlow feature file, right?

Ok, you have a couple of questions, so I'll work through them:
Then, using the [BeforeScenario("myTag")] should do the trick.
The BeforeScenario hook attribute is used to run some code before the scenario executes. It's often used to set up the environment for the scenario (e.g. populate the test database with pertinent data); if used for this purpose, then AfterScenario can be used to clean up the result of BeforeScenario.
The hooks allows for the execution of a subset of the tests to be executed following certain rules. So, a When method could then be executed with a predefined context
If I understand you correctly, you want to be able to use a tag to control when a step within the scenario can be run/not-run. This is not possible with SpecFlow's hook attributes; there is a BeforeStep hook but this only enables you to execute code before the step is run, it doesn't allow the step to be ignored.
Are all the "too short password", "no credentials provided" considered different usage scenarios, or are they something else which could only fit somewhere else in the code, like the unit tests themselves?
In your example, yes these are different scenarios for your "Register a new user" feature. If you are taking a strict BDD approach to your development, then with your "outside-in inside-out" development approach you will also implement unit tests (by falling back to TDD as part of the BDD process) which will also cover the "too short password" and "no credentials provided" validation.
As for your scenario:
When I have entered my desired username "UserName" and password "password"
Instead of using this, use:
When I enter my username "UserName"
And I enter my password "password"
By doing this you will be able to re-use "When I enter my password" in "Register a user using a password that is too short". This leads me onto:
And I have provided a password that is too short "allo"
There is no need to have a separate step which states the password is too short. Just re-use:
When I enter my password "allo"
For the same reason, don't use:
When I click on the Register button with no credentials entered
just reuse:
When I click on the Register button

Related

What is the workflow for a basic Auth OIDC with Keycloak

I have Keycloak on Docker (v20.0.2) and, as you know, some versions change some or a good part of the UI, so it is hard to follow tutorials around the web...
I am trying to follow this particular tutorial
https://developers.redhat.com/blog/2020/11/24/authentication-and-authorization-using-the-keycloak-rest-api#keycloak_sso_demo
that seems the most updated. My Keycloak is actually behind Traefik and thomseddon/traefik-forward-auth with a docker-compose file (but the connection through Traefik is good and I have access to the admin UI)
So at step 10 of the tutorial things change for me; I have to look for that particular view inside:
Click on lateral menu Client Scope
Click on button Create client scope
Give a name to the scope, and click on Tab Mapper
All mappers are predefined... so there is no "New mapper"; I don't understand this bit
then just follow the tutorial
With that series of steps I get an error when retrieving the token...
https://keycloak:8443/realms/education/protocol/openid-connect/token
(these are fake local data from the realm I created for testing)
that responds with this or something similar. I have also tried to change the grant_type to password, and the same happens; I cannot query the token....
{
"error": "invalid_client",
"error_description": "Invalid client or Invalid client credentials"
}
But if I do not link a user with a scope/role as the tutorial suggests then I get the token, but of course I want to use the role or scope to limit who can see which endpoint and who cannot
Is there any step that I'm missing after this update? Do you have the same error?
Thank you in advance
I have tried to run it with different combinations of options to see if there is a toggle that actually allows me to fetch the token
Also with different types of grant_type
I will build an API in Python (I don't know Java and prefer JSON instead of XML) that connects to this Keycloak to allow users or not based on their scope/role/permission or something
I need to be able to block users, so that if user Student tries to access a URL from another Student he gets blocked from that URL. So it is based on the role or scope, or I don't know which is preferred or easier to accomplish; the mission is to block users or not based on a factor that could be used for this in Keycloak.
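The "block a Student from another Student's URL" decision the question is after has to be made in the Python API from the claims inside the Keycloak access token: realm roles arrive in `realm_access.roles`, client roles in `resource_access.<client-id>.roles`, and the user id in `sub`. The following is an added example, not code from the question or from Keycloak or Red Hat's tutorial. So that it runs offline it signs and verifies with HS256 and a constructed shared secret; Keycloak signs access tokens with the realm's RSA key, so in production the `verify_token` signature check must use the public key from the realm's `/protocol/openid-connect/certs` endpoint instead. The client id `education-api`, the role names `student`/`teacher` and the `/students/<id>` route are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret so this runs offline. Keycloak actually signs access
# tokens with the realm's RSA key (RS256); in production verify against the
# public key from /realms/<realm>/protocol/openid-connect/certs instead.
EXAMPLE_SECRET = b"example-hs256-secret-not-for-production"
EXPECTED_ISSUER = "https://keycloak:8443/realms/education"  # realm from the question
EXPECTED_AUDIENCE = "education-api"  # assumed client id of the Python API


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_example_token(claims):
    """Mint an HS256 token with the example secret (test fixture only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(EXAMPLE_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, now=None):
    """Return the claims once signature, alg, issuer, audience and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token header pick it ("alg": "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(EXAMPLE_SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if EXPECTED_AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def roles_of(claims, client_id=EXPECTED_AUDIENCE):
    """Union of realm roles and this client's roles, in the claim shapes Keycloak emits."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return set(realm) | set(client)


def authorize(token, method, path, now=None):
    """Decide one request. Returns (allowed, reason)."""
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return False, f"invalid token: {exc}"
    roles = roles_of(claims)
    segments = path.strip("/").split("/")
    # Rule for GET /students/<id>: teachers see every record, a student only their own
    # (the token's "sub" is the Keycloak user id, so ownership is checked against it).
    if method == "GET" and len(segments) == 2 and segments[0] == "students":
        if "teacher" in roles:
            return True, ""
        if "student" in roles and segments[1] == claims.get("sub"):
            return True, ""
        return False, "forbidden"
    return False, "no rule for this route"  # deny by default
```

The order matters: signature first, then issuer, audience and expiry, and only then the role lookup, so a forged or expired token never reaches the authorization rule. Checking `sub` against the path segment is what stops one Student reading another Student's record even though both carry the same role.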

Install4j - advanced form component customization won't apply on upgrade

In our installer we have multiple form components in which we hide some inner options in case the user has chosen a specific option.
For example: In this screen - this is the default displayed options.
If the user chooses a different Authentication than the default SQL Server Authentication (Windows Authentication), then the installer hides the User Name & Password fields.
The problem happens on upgrade. If the user previously chose the Windows Authentication option, the displayed screen will be like this:
It's not good, because while connecting with Windows Authentication the User Name & Password inputs shouldn't be presented.
The Authentication input is defined as a Combo-Box & has the Selection change script property like this:
if (selectedItem.equals("Windows Authentication")) {
((JTextField)formEnvironment.getFormComponentById("1418").getConfigurationObject()).setText("");
}
formEnvironment.getFormComponentById("1418").setVisible(!selectedItem.equals("Windows Authentication"));
formEnvironment.getFormComponentById("1677").setVisible(!selectedItem.equals("Windows Authentication"));
Basically I do understand why it won't work on upgrade: since it works by selection trigger, it won't be applied by default by the installer.
Is there any way to apply this logic also upon upgrade?
You have to execute the same logic in the "Visibility script" properties of the "User name" and "Password" form components. You don't have the "selectedItem" parameter there, but you can query the variable that is bound to the "Authentication" form component, i.e. context.getVariable("variableName").

Loopback login with phone as username and verification

I've extended the User model in my loopback application and added phone number as a login method; I use the username field to do this. The only deal is that on login I get the 'email not verified' error. I have my own phoneNumberVerified field, and have overridden the confirm method to validate the token against the emailVerificationToken and against the phoneNumberVerificationToken and update the corresponding flag. I thought of overriding the original login method to disallow login only if both the emailVerified and phoneNumberVerified fields are false (not just the email), but I don't know how to actually do the login the way loopback does it (I believe it creates an AccessToken or something), and I'm asking for some help on how to do this, thanks XD. I can do the overriding and validations myself; I just need to know how to do the actual login without using the original login method, since I'll be rewriting it.
So I figured out that I actually don't need email or phone number verified validation at all on login (later on in the workflow it will be required, but that'll be another use case, so it's irrelevant on login to me now XD). So when I was looking at how to override the login method I realized that all the models' code is in the node_modules folder xD
node_modules/loopback/common/models/user.js
And I found there in the login method a flag that determines whether it should check email verified or not, so in my startup script I just put this:
app.models.MyUser.settings.emailVerificationRequired = false;
That stops the email verified validation on login.
And maybe if some of you would like to override the login method, I believe copying the whole method from the original user model up there, attaching it to your model and doing some modifications might work xD. It invokes createAccessToken from the user model (itself) and that's what I believe creates the 'login'; what I came to understand is that there is no "session" data: it creates an access token when you successfully log in, and as I've been doing, just sending the token id with every request 'authenticates' your logged-in user.
Thanks for reading, have a nice day :)

How to get text from gmail and paste that text in another tab using selenium web driver

I have one test case like this: when I forget my password in any application like Facebook or the myAT&T site, I have to click the forgot password link, then enter my email and click submit. After that a temporary password is sent to the email. My task is to get that temporary password, switch to the old tab and paste that text in the temporary password text box.
Is there any solution for this? Please help me to solve this.
Thanks in advance,
Santhosh
I'll never do it the way you want to do it. Meaning, launching Gmail and copying the password from the browser. It consumes more time and I'm not testing Gmail. There are two possible solutions I can think of.
In a regression environment, set the generated password to a constant value if possible, and use the same in the test. In this approach we are not testing the "email send" mechanism of the app; if that is not the intent of the test, use this approach. The most simple one.
Use an email client library; they are available in all languages (eg: https://stackoverflow.com/a/8293945/1520443). Use it to access the password mail that is sent to your Gmail.
Why would you want to open a new tab? You can create a new instance of the browser, work on it (in your case get the password) and then destroy it.
Having multiple instances will give you more control rather than the same instance with multiple tabs (unless your test case really means to do that).
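For the second option in the answer above (read the mail with a client library instead of driving Gmail in a browser), here is an added example, not code from the answer or from Selenium, of the part that actually needs care: parsing the fetched message and pulling the temporary password out of it. The raw message is constructed inline to stand in for what an IMAP fetch of the test inbox would return; the sender address, the "temporary password is:" phrasing and the multipart layout are assumptions about the application's mail template, so adapt the regex to yours.

```python
import email
import re
from email import policy

# Constructed raw message standing in for what an IMAP fetch (e.g. imaplib
# SEARCH on the sender, then FETCH RFC822) would hand back from the test inbox.
SAMPLE_RAW = b"""From: no-reply@example.test
To: qa-user@example.test
Subject: Your temporary password
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

We reset your password. Your temporary password is: Xk7#pQ2vL9
It expires in 15 minutes.
--b1
Content-Type: text/html; charset="utf-8"

<p>Your temporary password is: <b>Xk7#pQ2vL9</b></p>
--b1--
"""

# Assumed phrasing of the app's mail template; the token is everything up to whitespace.
TEMP_PASSWORD_RE = re.compile(r"temporary password is:\s*(\S+)", re.IGNORECASE)


def extract_temp_password(raw, expected_sender="no-reply@example.test"):
    """Return the temporary password from a raw RFC 822 message, or None."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Only trust mail from the application's own sender: a shared QA inbox can
    # contain anything, and the test must not paste an attacker-chosen string.
    if expected_sender not in str(msg["From"] or ""):
        return None
    # Prefer the text/plain alternative so HTML tags never end up in the match.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return None
    match = TEMP_PASSWORD_RE.search(body.get_content())
    return match.group(1) if match else None
```

The sender check is the point most test code skips: the mailbox is an untrusted input to the test, and filtering on the application's sender (and, in a real fetch, on a recent date and the expected subject) keeps the test from picking up a stale or foreign message.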

OWASP's ZAP and the Fuzz ability

My scenario:
I navigate to a login page.
I put in a known username with a bad password.
ZAP picks this up no issue.
I select the POST to the login page.
I find the lines that contain the Username and password. The password:
ctl00%24ContentPlaceHolder1%24cpLoginAspx%24ctl00%24LoginControl1%24LTLogin%24Password=12345&
I highlight the 12345 and right click to select Fuzz.
I had put in a custom list with the correct password for the test account and I select that.
When I do, it works its way through the list as I expected. Changing the 12345 to the various options in the list.
But, when it gets to the word I KNOW is the correct password. It does nothing different to alert me that it was correct. The password in this case was Password5. I expected that it would reflect or something showing it was directed to a new page. But, that happens for 'password' which is not correct for the test user.
I see this in the Fuzzer tab:
OK, I think the first point you're raising is that ZAP doesn't pick up that you've tried an invalid password. That is not a security risk: you supplied a bad password, the app didn't let you in. Everything's working as it should.
ZAP will only alert you of vulnerabilities via the active or passive scanners.
The fuzzer is for manual testing. If we work out a way to automate the detection of a vulnerability then we put that in the active or passive scanners :)
So you have to interpret the fuzzer results rather than expect ZAP to do that for you.
In any case, successfully logging in is not a vulnerability (in ZAPs terms).
What the fuzzer will tell you is if the string you supplied was included in the response (which is useful when looking for XSSs), the response code, the time taken and the response length.
When logging in I'd expect that the response length would be significantly different, so one option would be to look for a response with a length significantly different to the others.
However the easiest option is probably to search the fuzz results.
To do this go to the Search tab, select 'Fuzz Results' in the pull down and either search for a string that you know will be shown when you successfully log in, or do an inverse search for a string that you know will be shown when you fail to log in.
Does that help?
Note that we do have a load of info on the ZAP wiki, including videos, FAQs and much more: http://code.google.com/p/zaproxy/wiki/Introduction
BTW we do have a ZAP user group which is intended for exactly these sort of questions: http://groups.google.com/group/zaproxy-users
You can also access it via the ZAP 'Online / ZAP User Group' menu item.
I try to keep an eye on forums, but there are so many that some questions are bound to slip through.
If anyone can suggest how I can convince people to use the ZAP user group (which all the ZAP developers subscribe to) instead of general purpose forums like this (which is very useful for other questions) then I'd be very grateful :)
Simon (ZAP Project Lead)
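The answer above says the fuzzer hands you status code, response length, reflection and body and leaves the interpretation to you. The following is an added example, not code from the answer or from the ZAP project, of exactly that interpretation done over a constructed result set shaped like the Fuzzer tab's columns: a robust length outlier check (median absolute deviation, so one odd response does not drag the baseline), a status-code check, the Search tab's normal and inverse text search, and the reflection flag that matters for XSS hunting. The payloads, lengths and bodies are constructed to resemble the question's login fuzz, where only the correct password produces a redirect.

```python
from statistics import median

# Constructed fuzz results, shaped like the columns the ZAP Fuzzer tab shows
# (payload, status code, response length, payload reflected) plus the response
# body, which is what the Search tab's "Fuzz Results" option searches.
FUZZ_RESULTS = [
    {"payload": "12345", "status": 200, "length": 4210, "reflected": False,
     "body": "<h2>Login failed</h2>"},
    {"payload": "password", "status": 200, "length": 4212, "reflected": False,
     "body": "<h2>Login failed</h2>"},
    {"payload": "letmein", "status": 200, "length": 4209, "reflected": False,
     "body": "<h2>Login failed</h2>"},
    {"payload": "Password5", "status": 302, "length": 187, "reflected": False,
     "body": "Object moved to /Home.aspx"},
    {"payload": "<script>", "status": 200, "length": 4214, "reflected": True,
     "body": "<h2>Login failed</h2><script>"},
]


def length_outliers(results, threshold=3.5):
    """Payloads whose response length is far from the rest (robust z-score via MAD)."""
    lengths = [r["length"] for r in results]
    med = median(lengths)
    mad = median([abs(n - med) for n in lengths])
    if mad == 0:  # nearly all identical: any response that differs at all stands out
        return [r["payload"] for r in results if r["length"] != med]
    return [r["payload"] for r in results
            if 0.6745 * abs(r["length"] - med) / mad > threshold]


def status_outliers(results):
    """Payloads whose status code differs from the most common one (a 302 among 200s)."""
    codes = [r["status"] for r in results]
    common = max(set(codes), key=codes.count)
    return [r["payload"] for r in results if r["status"] != common]


def search_bodies(results, needle, invert=False):
    """The Search tab over Fuzz Results: bodies containing `needle`, or with
    invert=True the bodies that do NOT (e.g. the one missing 'Login failed')."""
    return [r["payload"] for r in results if (needle in r["body"]) != invert]


def reflected_payloads(results):
    """Payloads echoed back in the response: the lead worth chasing for XSS."""
    return [r["payload"] for r in results if r["reflected"]]
```

Running the four checks over the same result set shows why the answer recommends the inverse search: the length and status checks both single out the one payload that logged in, the inverse search for the failure string gives the same answer without any statistics, and the reflection flag is a separate signal that says nothing about authentication.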