[uss_qualifier] expand the authentication validation scenario to incl…

…ude constraint reference endpoints (#690) * [uss_qualifier] constraint reference endpoint authentication checks * comments * correct spec number
interuss · Aug 27, 2024 · 4f4a63a · 4f4a63a
1 parent 0383583
commit 4f4a63a
Show file tree

Hide file tree

Showing 10 changed files with 869 additions and 14 deletions.
diff --git a/monitoring/uss_qualifier/resources/astm/f3548/v21/dss.py b/monitoring/uss_qualifier/resources/astm/f3548/v21/dss.py
@@ -717,7 +717,7 @@ def participant_id(self) -> str:
     def base_url(self) -> str:
         return self._specification.base_url
 
-    def get_authorized_scope_not_in(self, ignored_scopes: List[str]) -> Optional[str]:
+    def get_authorized_scope_not_in(self, ignored_scopes: List[str]) -> Optional[Scope]:
         """Returns a scope that this DSS Resource is allowed to use but that is not any of the ones that are passed
         in 'ignored_scopes'. If no such scope is found, None is returned.
 

diff --git a/...ss_qualifier/scenarios/astm/utm/dss/authentication/authentication_validation.md b/...ss_qualifier/scenarios/astm/utm/dss/authentication/authentication_validation.md
@@ -22,6 +22,7 @@ At least one of the following scopes needs to be available for this scenario to
 
 - `utm.strategic_coordination`
 - `utm.availability_arbitration`
+- `utm.constraint_management`
 
 In order to verify each endpoint group, all scopes above must be available.
 
@@ -387,6 +388,158 @@ it is in violation of **[astm.f3548.v21.DSS0100,1](../../../../../requirements/a
 The response to a successful USS Availability Set request is expected to conform to the format defined by the OpenAPI specification under the `A3.1` Annex of ASTM F3548−21,
 otherwise, the DSS is failing to implement **[astm.f3548.v21.DSS0100,1](../../../../../requirements/astm/f3548/v21.md)**.
 
+### Constraint reference endpoints authentication test step
+
+#### 🛑 Unauthorized requests return the proper error message body check
+
+If the DSS under test does not return a proper error message body when an unauthorized request is received,
+it fails to properly implement the OpenAPI specification that is part of **[astm.f3548.v21.DSS0005,3](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Create constraint reference with missing credentials check
+
+If the DSS under test allows the creation of a constraint reference without any credentials being presented,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Create constraint reference with invalid credentials check
+
+If the DSS under test allows the creation of a constraint reference with credentials that are well-formed but invalid,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Create constraint reference with missing scope check
+
+If the DSS under test allows the creation of a constraint reference with valid credentials but a missing scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Create constraint reference with incorrect scope check
+
+If the DSS under test allows the creation of a constraint reference with valid credentials but an incorrect scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Create constraint reference with valid credentials check
+
+If the DSS does not allow the creation of a constraint reference when valid credentials are presented,
+it is in violation of **[astm.f3548.v21.DSS0005,3](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### [Create response format](../fragments/cr/crud/create_format.md)
+
+Check response format of a creation request.
+
+#### 🛑 Get constraint reference with missing credentials check
+
+If the DSS under test allows the fetching of a constraint reference without any credentials being presented,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Get constraint reference with invalid credentials check
+
+If the DSS under test allows the fetching of a constraint reference with credentials that are well-formed but invalid,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Get constraint reference with missing scope check
+
+If the DSS under test allows the fetching of a constraint reference with valid credentials but a missing scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Get constraint reference with incorrect scope check
+
+If the DSS under test allows the fetching of a constraint reference with valid credentials but an incorrect scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Get constraint reference with valid credentials check
+
+If the DSS does not allow fetching a constraint reference when valid credentials are presented,
+it is in violation of **[astm.f3548.v21.DSS0005,3](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### [Read response format](../fragments/cr/crud/read_format.md)
+
+Check response format of a mutation.
+
+#### 🛑 Mutate constraint reference with missing credentials check
+
+If the DSS under test allows the mutation of a constraint reference without any credentials being presented,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Mutate constraint reference with invalid credentials check
+
+If the DSS under test allows the mutation of a constraint reference with credentials that are well-formed but invalid,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Mutate constraint reference with missing scope check
+
+If the DSS under test allows the mutation of a constraint reference with valid credentials but a missing scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Mutate constraint reference with incorrect scope check
+
+If the DSS under test allows the mutation of a constraint reference with valid credentials but an incorrect scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Mutate constraint reference with valid credentials check
+
+If the DSS does not allow the mutation of a constraint reference when valid credentials are presented,
+it is in violation of **[astm.f3548.v21.DSS0005,3](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### [Mutate response format](../fragments/cr/crud/update_format.md)
+
+Check response format of a mutation.
+
+#### 🛑 Delete constraint reference with missing credentials check
+
+If the DSS under test allows the deletion of a constraint reference without any credentials being presented,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Delete constraint reference with invalid credentials check
+
+If the DSS under test allows the deletion of a constraint reference with credentials that are well-formed but invalid,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Delete constraint reference with missing scope check
+
+If the DSS under test allows the deletion of a constraint reference with valid credentials but a missing scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Delete constraint reference with incorrect scope check
+
+If the DSS under test allows the deletion of a constraint reference with valid credentials but an incorrect scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Delete constraint reference with valid credentials check
+
+If the DSS does not allow the deletion of a constraint reference when valid credentials are presented,
+it is in violation of **[astm.f3548.v21.DSS0005,3](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### [Delete response format](../fragments/cr/crud/delete_format.md)
+
+Check response format of a deletion.
+
+#### 🛑 Search constraint references with missing credentials check
+
+If the DSS under test allows searching for constraint references without any credentials being presented,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Search constraint references with invalid credentials check
+
+If the DSS under test allows searching for constraint references with credentials that are well-formed but invalid,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Search constraint references with missing scope check
+
+If the DSS under test allows searching for constraint references with valid credentials but a missing scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Search constraint references with incorrect scope check
+
+If the DSS under test allows searching for constraint references with valid credentials but an incorrect scope,
+it is in violation of **[astm.f3548.v21.DSS0210,A2-7-2,7](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### 🛑 Search constraint references with valid credentials check
+
+If the DSS does not allow searching for constraint references when valid credentials are presented,
+it is in violation of **[astm.f3548.v21.DSS0005,4](../../../../../requirements/astm/f3548/v21.md)**.
+
+#### [Search response format](../fragments/cr/crud/search_format.md)
+
+Check response format of a search.
+
 ## [Cleanup](../clean_workspace.md)
 
 ### [Availability can be requested](../fragments/availability/read.md)

diff --git a/monitoring/uss_qualifier/scenarios/astm/utm/dss/authentication/authentication_validation.py b/monitoring/uss_qualifier/scenarios/astm/utm/dss/authentication/authentication_validation.py
@@ -24,6 +24,9 @@
 from monitoring.uss_qualifier.scenarios.astm.utm.dss.authentication.availability_api_validator import (
     AvailabilityAuthValidator,
 )
+from monitoring.uss_qualifier.scenarios.astm.utm.dss.authentication.cr_api_validator import (
+    ConstraintRefAuthValidator,
+)
 from monitoring.uss_qualifier.scenarios.astm.utm.dss.authentication.generic import (
     GenericAuthValidator,
 )
@@ -59,6 +62,7 @@ class AuthenticationValidation(TestScenario):
 
     _scd_dss: Optional[DSSInstance] = None
     _availability_dss: Optional[DSSInstance] = None
+    _constraints_dss: Optional[DSSInstance] = None
 
     def __init__(
         self,
@@ -119,6 +123,27 @@ def __init__(
             availability_scopes = None
             self._wrong_scope_for_availability = None
 
+        if dss.can_use_scope(Scope.ConstraintManagement):
+            constraints_scopes = {
+                Scope.ConstraintManagement: "Create, update, and delete constraints",
+            }
+
+            self._wrong_scope_for_constraints = dss.get_authorized_scope_not_in(
+                [
+                    Scope.ConstraintManagement,  # Allowed to get and update
+                    Scope.ConstraintProcessing,  # Allowed to get
+                    "",  # Already Used for empty scope testing
+                ]
+            )
+
+            if self._wrong_scope_for_constraints is not None:
+                constraints_scopes[
+                    self._wrong_scope_for_constraints
+                ] = "Attempt to query constraints with wrong scope"
+        else:
+            constraints_scopes = None
+            self._wrong_scope_for_constraints = None
+
         self._test_missing_scope = False
         if dss.can_use_scope(""):
             # Add empty scope to every map when they are non-empty:
@@ -131,6 +156,10 @@ def __init__(
                 availability_scopes[
                     ""
                 ] = "Attempt to query availability with missing scope"
+            if constraints_scopes:
+                constraints_scopes[
+                    ""
+                ] = "Attempt to query constraints with missing scope"
             self._test_missing_scope = True
 
         # Note: .get_instance should be called once we know every scope we will need,
@@ -139,6 +168,8 @@ def __init__(
         # and skip .get_instance altogether (otherwise the scenario would not be run)
         if scd_scopes:
             self._scd_dss = dss.get_instance(scd_scopes)
+        if constraints_scopes:
+            self._constraints_dss = dss.get_instance(constraints_scopes)
         if availability_scopes:
             self._availability_dss = dss.get_instance(availability_scopes)
 
@@ -162,7 +193,11 @@ def __init__(
             self._scd_dss.base_url, auth_adapter=InvalidTokenSignatureAuth()
         )
 
-        if not self._scd_dss and not self._availability_dss:
+        if (
+            not self._scd_dss
+            and not self._constraints_dss
+            and not self._availability_dss
+        ):
             raise MissingResourceError(
                 f"AuthAdapterResource provided to {fullname(type(self))} has none of the required scopes for this scenario.",
                 "<unknown>",
@@ -269,6 +304,37 @@ def run(self, context: ExecutionContext):
         else:
             self.record_note("availability", "Skipping Availability endpoints")
 
+        if self._constraints_dss:
+            self.record_note("constraints", "Testing Constraint Reference endpoints")
+            self.begin_test_step("Constraint reference endpoints authentication")
+            if self._wrong_scope_for_constraints:
+                self.record_note(
+                    "constraints_wrong_scope",
+                    f"Incorrect scope testing enabled with scope {self._wrong_scope_for_constraints}.",
+                )
+            else:
+                self.record_note(
+                    "constraints_wrong_scope", "Incorrect scope testing disabled."
+                )
+            cr_validator = ConstraintRefAuthValidator(
+                scenario=self,
+                generic_validator=GenericAuthValidator(
+                    self, self._constraints_dss, Scope.ConstraintManagement
+                ),
+                dss=self._constraints_dss,
+                test_id=self._test_id,
+                planning_area=self._planning_area,
+                planning_area_volume4d=self._planning_area_volume4d,
+                no_auth_session=self._no_auth_session,
+                invalid_token_session=self._invalid_token_session,
+                test_wrong_scope=self._wrong_scope_for_constraints,
+                test_missing_scope=self._test_missing_scope,
+            )
+            cr_validator.verify_cr_endpoints_authentication()
+            self.end_test_step()
+        else:
+            self.record_note("constraints", "Skipping Constraint Reference endpoints")
+
         self.end_test_case()
         self.end_test_scenario()