| Page Properties | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
OVERVIEW
Increasing automated testing is necessary in order to increase the effectiveness, efficiency and coverage of software testing. Currently testing SAML is a manual process that only occurs during release and feature testing. Because testing SAML is a manual process we only test against OneLogin and Okta.
Creating reusable automated tests will make testing and supporting additional SAML providers a much easier process. These tests will ensure a base level of supported functionality. As test coverage increases, supporting a new provider could be as simple as writing the test harness for the given provider.
GOALS
Define the testing architecture for Automated SAML testing.
Define the necessary APIs for manipulating SAML data.
Define the base set of required tests
SCOPE
In scope:
Define a pluggable architecture to test SAML Environment.
Provide a proof of concept.
...
Defining implementation details for specific providers.
Define all tests and all potential data.
Define implementation details for all required tests.
BACKGROUND READING
SPECIFICATIONS
There are three different pieces of functionality to make this work.
Architecture Definition
Define test structure
Define test data
Define base tests to be implemented.
Provider Creation and Setup
Provider Test Creation and API definition
Architectural Definition
Test Structure
The test structure should be configured so that each provider can share the same test. Each provider will have to some of its own provisioning such as Setting up its configuration. At a minimum the SAML Configuration will need to be provided. A sample test flow is shown below. This test is doing a basic SAML login.
...
The okta_login_spec.js file is the test file specific to the Okta provider. This file will control the test flow for Okta tests. This file will be created specifically for the SAML provider being tested.
The okta_api_commands.js file will contain the apis for creating, modifying users and other settings required in the Okta system. This file will be created specifically for the SAML provider being tested.
The loginsaml_test_commands.js file will contain the shared testing logic. Depending on the test some of these steps may not be necessary or others required.
verifyProviderData - verify ProviderData is setup as expected.
setConfiguration A single test may call one or many commands to complete the test.
resetProviderData - Create, Reset, or Verify the data is correct on the SAML provider. If data is static and pre-created in the SAML provider, this step may not be necessary. Depending on the needs, the test will use a combination of apis from okta_api_commands.js.
updateConfiguration - set the Mattermost “SAML Settings” Configuration as required for specific provided.
runLoginTests(testParameters) doSAMLLoginClick - call the shared test
visit() … find(‘a’).click - perform shared test operations
testParameters.samlLoginPage() - call back into the provider specific file in order to fill out and login via the providers page.
verifyLogin()...logout() - perform shared test operations
samlLogout() - logout of SAML Provider, if necessary.
resetData() - if data was modified for test, reset data if necessary.
command to visit Mattermost Login and click the “SAML” button.
oktaSAMLLogin - Each specific provider will provide test steps for ensuring the Provider’s login page is displayed correctly, and the user is logged in successfully.
verifyMMLogin() - call the shared command to make sure the Mattermost user is successfully logged in and the correct page is displayed.
samlLogout() - logout MM user and ensure login page is displayed
Test Data
The SAML providers will have to have specific users with specific fields to be set appropriately for the accompanying test. Rather than creating that data upfront, it is each test suites responsibility to create the provider . This can be accomplished a couple different ways. That data can be created upfront in the SAML provider or each test suite can be responsible to create its own test data prior to each test. Since If the data will need to be verified and possibly reset before each test run, there doesn’t not seem to be a reason in the SAML provider is static, that is it won’t be updated during a test run and be the same from test run to test run. It is suggested to create that data up frontupfront. However, this could differ from provider to provider, if the test requires the update of the SAML data, for instance to test if SAML fields update properly. Then the data should be either be verified or deleted and recreated before the test run.
If test data is required to be added to the Mattermost database. That data can be added in the following file - ../mattermost-server/cmd/mattermost/commands/sampledata.go.
Base Tests
SAML User Login - New user
SAML User Login - Existing user
SAML Guest Login - New user
SAML Guest Login - Existing user
SAML Admin Login - New user
SAML Admin Login - Existing user
Once the base tests have been completed, the manual release tests will be next.
https://docs.google.com/spreadsheets/d/18nQEYeHRQCkHPRmiDZLd-z8DyMg1TlDfDu-c0qlK8Vs/edit#gid=932310946
Required SAML APIs
Create User - create a new user in SAML Server
...
Config Settings
SAMLSettings.Enable = true
API Functions (separate file)
CreateUser
UpdateUser
DeactivateUser
RetrieveUser
ResetUser
Properties
signin-submit textbox name
SAMLProviderLogin()
Known Issues
These tests may have to run as separate suites from the current tests. The reason is that these tests will require the cypress.json file to have the following setting. "chromeWebSecurity": false
"chromeWebSecurity": false
For SAML we have to turn off chromeWebSecurity to allow us to go to another website, otherwise Cypress will not allow this to protect against cross-site scripting. This config setting will need to be reset before/after our tests. From the POC testing, it appears this setting cannot be set at runtime and we don’t want this setting = false for most testing
...
. These tests may therefore need to be a separate test suite.
ExperimentalSettings.UseNewSAMLLibrary
...
For completeness, all of the tests should be run twice, once using the existing SAML Library and one using the New SAML Library. However, that configuration setting is only loaded on server start, it does not change on the fly. Therefore, the base configuration will need to be updated and the server restarted. Running against a “true” setting may be all that is required for automated testing. As long as we can reset the setting and run the tests manually.Certificates
Certificates will need to be created, stored and installed as part of configuration setup. We don’t want new certificates for each run as that would require setting up providers prior to each test run.
Ad-hoc servers - Known Issues
Supporting ad-hoc servers brings its own set of tasks.
Certificates - will need loaded
SAML Provider settings may need updated, for server name to callback.
Proof of Concept
In order to ensure that the above specification is at least feasible, a proof of concept was developed.
https://github.com/sbishel/mattermost-webapp/tree/saml-test-pocpoc2
The main files for the POC are located in the directory as follows -
..e2e/cypress.json
..e2e/cypress/fixtures/saml_users.json
e2e/cypress/integration/enterprise/login.saml/okta_login_testsspec.js
contains the tests that are shared across providers.
./okta_logine2e/cypress/support/index.js
e2e/cypress/support/okta_api_commands.js
contains the api functions for Okta administration.
./okta_login/okta_login_spec.js
...
e2e/cypress/support/saml_test_commands.js
The test expects the user to already exist in Mattermost, it won’t. Therefore, the first time through, select the default team. The next time the test will pass. It’s just a POC.