diff --git a/k6_test/create_menu_item.js b/k6_test/create_menu_item.js
index b66063f..407c494 100644
--- a/k6_test/create_menu_item.js
+++ b/k6_test/create_menu_item.js
@@ -27,7 +27,7 @@ export default function () {
 orderable: true,
 });
- let createItemRes = http.post('http://localhost:8080/api/v1/menu_items', itemData, {
+ let createItemRes = http.post('http://brewbucks-485861802.us-east-1.elb.amazonaws.com/api/v1/menu_items', itemData, {
 headers: { 'Content-Type': 'application/json' },
 });
diff --git a/k6_test/create_order.js b/k6_test/create_order.js
index 549d70d..e351f58 100644
--- a/k6_test/create_order.js
+++ b/k6_test/create_order.js
@@ -3,9 +3,9 @@ import { check, sleep } from 'k6';
 export const options = {
 stages: [
- { duration: '1m', target: 20 }, // Ramp-up to 20 users over 1 minute
- { duration: '2m', target: 20 }, // Stay at 20 users for 2 minutes
- { duration: '1m', target: 0 }, // Ramp-down to 0 users over 1 minute
+ { duration: '2m', target: 1000 }, // Ramp-up to 20 users over 1 minute
+ { duration: '2m', target: 2500 }, // Stay at 20 users for 2 minutes
+ { duration: '2m', target: 0 }, // Ramp-down to 0 users over 1 minute
 ],
 };
@@ -19,7 +19,7 @@ export default function () {
 rewards_added: 5,
 });
- let createOrderRes = http.post('http://localhost:8080/api/v1/users/orders', orderData, {
+ let createOrderRes = http.post('http://brewbucks-485861802.us-east-1.elb.amazonaws.com/api/v1/users/orders', orderData, {
 headers: { 'Content-Type': 'application/json' },
 });
diff --git a/k6_test/get_menu_item.js b/k6_test/get_menu_item.js
index a51599e..47b1f45 100644
--- a/k6_test/get_menu_item.js
+++ b/k6_test/get_menu_item.js
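Review bot: The target host is hard-coded as a plain-http public ELB hostname on the `+` line of this hunk, and the identical literal is repeated in create_order.js (@@ -19), get_menu_item.js, get_user_info.js and both sign_up_and_delete_user.js hunks, so switching environments or going back to a local server means editing six files in step. Read it once per script from the environment, `const BASE_URL = __ENV.BASE_URL || 'http://localhost:8080';` at module scope, and build the request as `http.post(\`${BASE_URL}/api/v1/menu_items\`, itemData, { ... })`. Because the scheme is `http://`, every payload these scripts send (the sign-up `userData` carries at least a `role` field) crosses the public internet in clear text; if the load balancer offers TLS, BASE_URL should point at the https endpoint. The enclosing `export default function` starts outside the hunk.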
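Review bot: The trailing comments on the three `+` lines of the create_order.js stages hunk still read "Ramp-up to 20 users over 1 minute", "Stay at 20 users for 2 minutes" and "Ramp-down to 0 users over 1 minute", while the values beside them are now 1000, 2500 and 2m, so each comment contradicts its own line. The middle stage is also no longer a hold: k6 ramps linearly from the previous target, so `{ duration: '2m', target: 2500 }` climbs from 1000 to 2500 rather than holding as the comment claims. Either restore the plateau with the intended steady-state target, or rewrite the comments to `// Ramp-up to 1000 VUs over 2 minutes`, `// Ramp from 1000 to 2500 VUs over 2 minutes` and `// Ramp-down to 0 VUs over 2 minutes` so the profile is documented correctly.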
@@ -3,20 +3,20 @@ import { check, sleep } from 'k6';
 export const options = {
 stages: [
- { duration: '1m', target: 20 },
- { duration: '2m', target: 20 },
+ { duration: '1m', target: 45 },
+ { duration: '2m', target: 75 },
 { duration: '1m', target: 0 },
 ],
 };
 export default function () {
- let res = http.get('http://localhost:8080/api/v1/menu_items', {
+ let res = http.get('http://brewbucks-485861802.us-east-1.elb.amazonaws.com/api/v1/menu_items', {
 headers: { 'Content-Type': 'application/json' },
 });
 check(res, {
 'status is 200': (r) => r.status === 200,
- 'response time is < 500ms': (r) => r.timings.duration < 500,
+ 'response time is < 750ms': (r) => r.timings.duration < 750,
 });
 sleep(1);
diff --git a/k6_test/get_user_info.js b/k6_test/get_user_info.js
index 2e29d48..54b3915 100644
--- a/k6_test/get_user_info.js
+++ b/k6_test/get_user_info.js
@@ -3,14 +3,14 @@ import { check, sleep } from 'k6';
 export const options = {
 stages: [
- { duration: '1m', target: 20 },
- { duration: '2m', target: 20 },
+ { duration: '1m', target: 1000 },
+ { duration: '2m', target: 2000 },
 { duration: '1m', target: 0 },
 ],
 };
 export default function () {
- let res = http.get('http://localhost:8080/api/v1/users/1', {
+ let res = http.get('http://brewbucks-485861802.us-east-1.elb.amazonaws.com/api/v1/users/1', {
 headers: { 'Content-Type': 'application/json' },
 });
diff --git a/k6_test/sign_up_and_delete_user.js b/k6_test/sign_up_and_delete_user.js
index 406110d..68dc97a 100644
--- a/k6_test/sign_up_and_delete_user.js
+++ b/k6_test/sign_up_and_delete_user.js
@@ -27,7 +27,7 @@ export default function () {
 role: 'customer',
 });
- let createUserRes = http.post('http://localhost:8080/api/v1/users', userData, {
+ let createUserRes = http.post('http://brewbucks-485861802.us-east-1.elb.amazonaws.com/api/v1/users', userData, {
 headers: { 'Content-Type': 'application/json' },
 });
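Review bot: Relaxing the latency check from 500 to 750 ms on the last `+` line of the get_menu_item.js hunk, in the same change that raises the VU targets to 45/75, moves the pass criterion without a stated reason, and a k6 `check` only records a pass ratio — it never fails the run, so a regression past 750 ms is merely noted in the summary. If 750 ms is the acceptance budget, enforce it through `thresholds` in `options`, e.g. `thresholds: { http_req_duration: ['p(95)<750'], checks: ['rate>0.99'] },` so the run exits non-zero when it is breached. The hard-coded ELB URL on the `http.get` line has the same problem raised on create_menu_item.js.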
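Review bot: In the get_user_info.js hunk the `http.get` on the `+` line fetches `/api/v1/users/1` with only a Content-Type header and no credential of any kind, so a passing `status is 200` check (outside this hunk) means the API returns a user record to any unauthenticated caller; the report section in this same commit acknowledges that authentication was left out, so the script should say so rather than look like a passing authorization test: `// NOTE: no auth header — the API currently has no authentication; revisit when employee/customer login is added`. The second stage, `{ duration: '2m', target: 2000 }`, now ramps from 1000 to 2000 instead of holding as the original 20/20 profile did; a one-line comment stating the intended load shape would prevent the next reader assuming a plateau. The enclosing function continues past the hunk.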
@@ -37,7 +37,7 @@ export default function () {
 let userId = createUserRes.json().user_id;
- let deleteUserRes = http.del(`http://localhost:8080/api/v1/users/${userId}`);
+ let deleteUserRes = http.del(`http://brewbucks-485861802.us-east-1.elb.amazonaws.com/api/v1/users/${userId}`);
 check(deleteUserRes, {
 'user deletion status is 200': (r) => r.status === 200,
diff --git a/report/report.tex b/report/report.tex
index f93c158..31433a0 100644
--- a/report/report.tex
+++ b/report/report.tex
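Review bot: The `+` line interpolates `userId` into the DELETE path without confirming that the preceding POST succeeded: `createUserRes.json().user_id` on the context line above is `undefined` when creation fails (or `.json()` throws on a non-JSON error body), which is likely under the load levels the sibling scripts now use, and the script then sends `DELETE /api/v1/users/undefined` and the `user deletion status is 200` check below reports a server failure that is really a harness one. Guard before the request, `if (!userId) { return; }`, or `check` the create response and return early. The DELETE also carries no credential, consistent with the report's note that authentication is not yet implemented; worth a comment so this is not later mistaken for an authorized cleanup path. The enclosing function and the check body continue outside the hunk.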
@@ -359,6 +359,30 @@ \subsubsection*{Scalability}
 \subsubsection*{Reliability}
 With 100\% success rates in most critical operations, the system demonstrates high reliability. This is crucial for maintaining user trust and ensuring consistent service availability.
+\subsubsection*{Security}
+Summary of security considerations in bullet point form below. A more in-depth discussion is in the paragraph below.
+\begin{itemize}
+ \item Role-based access control in form of employee and customer accounts
+ \item Principle of KISS for user logins and architecture
+ \begin{itemize}
+ \item Architecture has no redundant services, intentionally kept simple
+ \item Omit features where delivery wouldn't be done well, minimising security and design flaws
+ \end{itemize}
+ \item Principle of least privilege: customer account does basic ordering, employee account can modify menu items and order status
+ \item Dependency management for secure software
+ \begin{itemize}
+ \item Lock files give the benefit of preventing against dependency injection
+ \end{itemize}
+ \item Confidentiality design - masking used for disclosure protection when user enters their password
+ \item Plans for authentication of employee logins, left out due to time
+ \item Plans for monitoring and traceability
+ \item Never store sensitive customer information e.g., payment details
+\end{itemize}
+
+\medskip \noindent The Brewbucks application considers security design principles. Role-based access control has been adopted for users that interact with the application. Two roles have been created to service the users: customer and employee. Employees gain admin privileges by engaging with the administrator's page - a separate user interface. This principle ties with the next security design principle, KISS. The decision to have as few roles as possible helped to simplify access control. 
Similarly, the architecture and functionality was designed with simplicity in mind as a quality attribute, further supporting the security design principle. Some examples of this include pursuing a service-based architecture and not microservices and dropping the customisable ordering feature. For functionality, the idea was to avoid delivering features that, if not implemented well, could create security and design flaws. A feature that comes to mind is the customisable ordering. If not implemented well, it could be exploited by users. One other aspect to RBAC was the principle of least privilege. Customer accounts were only given privileges to do basic customer operations, such as browse the menu, purchase items. While employee accounts have the ability to create new menu items, edit customer order status etc. Authentication was planned for employee logins. This would have been implemented with npm package express-basic-auth. It would simply add data transfer from server to client to ensure credentials are correct
+
+\medskip \noindent Brewbucks follows additional practices for secure software. Confidentiality design is followed, whereby masking is used for disclosure protection when a user enters their password. Dependency management is also followed. Lock files give the advantage of protecting against dependency injection. It was also intended for the system to log relevant operational information, such as events handled, packets processed and requests satisfied. This is useful for long term security purposes to diagnose breaches or attacks promptly.
+
 \section{Evaluation} Summarise testing results and justify how well the software achieves its quality attributes. \section{Reflection}