Security/QA/TestPlans/Web Authentication: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
m (Edit to pref names)
m (Updated date)
Line 179: Line 179:
|-
|-
| QA - Nightly Testing  
| QA - Nightly Testing  
|style="text-align:center;" | ||  
|style="text-align:center;" | 2017-09-19 ||  
|-
|-
| QA - Beta Testing  
| QA - Beta Testing  

Revision as of 21:58, 27 September 2017

Approvals Required / Received

The following individuals are required to/have approved this Test Plan:

Name Title Department Approval Date Method
QA Manager Product Integrity Date Email
JC Jones Software Engineer Engineering Date Email
EPM Product Management Date Email


Revision History

This section describes the modifications that have been made to this wiki page. A new row has been completed each time the content of this document is updated (small corrections for typographical errors do not need to be recorded). The description of the modification contains the differences from the prior version, in terms of what sections were updated and to what extent.

Date Version Author Description
2017-08-16 1.0 Matt Wobensmith Created first draft

Overview

Purpose

Detail the purpose of this document. For example:

  • The test scope, focus areas and objectives
  • The test responsibilities
  • The test strategy for the levels and types of test for this release
  • The entry and exit criteria
  • The basis of the test estimates
  • Any risks, issues, assumptions and test dependencies
  • The test schedule and major milestones
  • The test deliverables

Scope

This wiki details the testing that will be performed by the project team for the <project name> project. It defines the overall testing requirements and provides an integrated view of the project test activities. Its purpose is to document:

  • What will be tested
  • How testing will be performed

Ownership

This feature is being tested by both Mozilla and one or more third parties.

  • Yubico is performing smoke tests using hardware keys across a range of hardware and software
  • Adam Powers (FIDO) is creating tests for the web-platform-test suite
  • JC Jones and Tim Taubert have created unit tests for both JS API and hardware interaction
  • The Fuzzing team has been enlisted, initially to test USB interaction, time frame unknown
  • The PI Security team has been requested to perform a security review of both JS API and Rust USB library
  • Mozilla's QA - most likely SoftVision - will use the manual tests for ongoing build certification post-feature-signoff
  • Matt Wobensmith (QA) is responsible for the entire process, as well as creating manual scenario tests

Testing summary

Scope of Testing

In Scope

  • Web Authentication, as well as some U2F.
  • All JS APIs.
  • Fuzzing wherever possible.
  • A range of scenario tests that mirror user interaction, including boundary and error cases.
  • Some USB hardware, including Yubico keys and a few others given to us.


Out of Scope

  • Software token is unsupported, for now.
  • Yubico has provided us with some USB keys to test with, but the full range of keys plus hardware is not something we have available to us.
  • Other hardware vendors will need to certify their products on Firefox, as we cannot guarantee coverage on all third party USB tokens.
  • This feature is not currently supported on Fennec.
  • We will not be shipping U2F on by default, therefore it will not be receiving the full set of tests that WebAuthN has. If that changes, we can easily apply existing WebAuthN test cases to U2F.

Requirements for testing

Environments

We support the same OS and hardware configurations that Firefox supports on desktop only.

Channel dependent settings (configs) and environment setups

The feature is controlled by prefs that are gated to channels at the moment. To control this feature, set the following prefs to true: 

security.webauth.u2f;
security.webauth.webauthn;
security.webauth.webauthn_enable_usbtoken;

Optional: to use unsupported soft token, set to true: 

security.webauth.webauthn_enable_softtoken;

Nightly

Currently set to false.

Beta

Currently set to false.

Post Beta / Release

Depending on ship decisions, will be set to true.

Test Strategy

Risk Assessment and Coverage

ID Description / Threat Description Covered by Test Objective Magnitude Probability Priority Impact Score
RAC-1 Incorrect authentication allows security bypass TO-1, TO-2, TO-3 3-High 1-Unlikely 2-Moderate 6
RAC-2 XSS/information leak TO-1, TO-3 3-High 1-Almost Certain 1-Low 3
RAC-3 Confined to secure context TO-1, TO-3 2-Moderate 2-Possible 1-Low 4
RAC-4 Incorrectly functioning JS API TO-1 3-High 2-Possible 2-Moderate 12
RAC-5 Stability for entire feature TO-1, TO-2 3-High 2-Possible 3-High 18
RAC-6 Interaction with other aspects of normal Firefox usage TO-1, TO-2 3-Moderate 3-Almost Certain 3-High 27
RAC-7 Memory issues in JS API and hardware support code TO-3 3-High 1-Unlikely 2-Moderate 6
RAC-8 Incorrectly functioning hardware TO-2 2-Moderate 1-Unlikely 1-Low 2

Values:

  • Magnitude: 1- Low , 2-Moderate, 3-High
  • Probability: 1-Unlikely, 2-Possible, 3-Almost Certain
  • Priority: 1 - Low, 2-Medium, 3-High

Impact Score Breakdown:

  • An impact value of 1, 2, 3, 4 would describe an area which although should be covered there aren't expected any discoveries of critical issues.
  • An impact value of 6, 8, 9, 12 would describe an area in which we expect to find issues but those issues are not expected to be critical.
  • An impact value of 18 or 27 would describe an area on which it is likely to find issues and those issues to be critical or blockers.

Test Objectives

This section details the progression test objectives that will be covered. Please note that this is at a high level. For large projects, a suite of test cases would be created which would reference directly back to this master. This could be documented in bullet form or in a table similar to the one below.

Ref Function Test Objective Evaluation Criteria Test Type RAC Owners
TO1 JS API Verify functionality All tests indicate stable, functional API for using Web Authentication and/or U2F with both hardware and software tokens Manual/ Automation / Usability RAC-1, RAC-2, RAC-3, RAC-4, RAC-5, RAC-6 Eng Team, QA
TO2 Hardware support via USB token Verify functionality All tests indicate stable, functional support of USB hardware keys, as above Manual/ Automation / Usability RAC-1, RAC-5, RAC-6, RAC-8 Eng Team, QA
TO3 Stable, secure code Fuzzing and security review All testing and inspection surfaces known security issues Manual/ Security RAC-1, RAC-2, RAC-3, RAC-7 Eng Team, QA, PI Fuzzing + Sec Review

Builds

This section should contain links for builds with the feature -

  • Links for Nightly builds
  • Links for Beta builds

Test Execution Schedule

The following table identifies the anticipated testing period available for test execution.

Project phase Start Date End Date
Start project 2017-08-01
Study documentation/specs received from developers 2017-08-01
QA - Test plan creation 2017-08-01
QA - Test cases/Env preparation 2017-08-01
QA - Nightly Testing 2017-09-19
QA - Beta Testing
Release Date

Testing Tools

Detail the tools to be used for testing, for example see the following table:

Process Tool
Test plan creation Mozilla wiki
Test case creation TestRail/ Google docs
Test case execution TestRail
Bugs management Bugzilla

Status

Overview

Track the dates and build number where feature was released to Nightly
Track the dates and build number where feature was merged to Release/Beta


References

  • Web Authentication W3C spec
  • Meta bug link
  • Product Integrity Security Assessment link

Testcases

Test Areas

Test Areas Covered Details
Private Window yes Test case
Multi-Process Enabled yes
Multi-process Disabled yes
Theme (high contrast) no n/a
UI
Mouse-only operation no n/a
Keyboard-only operation no n/a
Display (HiDPI) no n/a
Interaction (scroll, zoom) no n/a
Usable with a screen reader no n/a
Usability and/or discoverability testing no n/a
RTL build testing no n/a
Help/Support
Help/support interface required no
Support documents planned(written) no
Install/Upgrade
Feature upgrades/downgrades data as expected no n/a
Does sync work across upgrades no n/a
Requires install testing no n/a
Affects first-run or onboarding no n/a
Does this affect partner builds? Partner build testing no n/a
Enterprise Raise up the topic to developers to see if they are expecting to work different on ESR builds
Enterprise administration no
Network proxies/autoconfig no
ESR behavior changes no
Locked preferences no
Data Monitoring
Temporary or permanent telemetry monitoring no
Telemetry correctness testing no
Server integration testing yes If provided by third parties, yes, otherwise no
Offline and server failure testing no
Load testing no
Add-ons If add-ons are available for testing feature, or is current feature will affect some add-ons, then API testing should be done for the add-on.
Addon API required? no
Comprehensive API testing no
Permissions no
Testing with existing/popular addons no
Security Security is in charge of Matt Wobensmith. We should contact his team to see if security testing is necessary for current feature.
3rd-party security review no In-house security review, yes
Privilege escalation testing yes QA + PI security review
Fuzzing yes Engineering + PI fuzzing team
Web Compatibility depends on the feature
Testing against target sites yes Sample sites are available
Survey of many sites for compatibility yes If we support U2F, we can try to find U2F-enabled sites
Interoperability depends on the feature
Common protocol/data format with other software: specification available. Interop testing with other common clients or servers. yes This is inherent in the feature, w/r/t hardware keys
Coordinated testing/interop across the Firefoxes: Desktop, Android, iOS yes Fennec and Focus support TBD
Interaction of this feature with other browser features yes Largest area of targeted testing by QA

Test suite

Full Test suite - Link to test rail - testcases should be added under Firefox Desktop project link
Smoke Test suite - Link with the tests - if available/needed.
Regression Test suite - Link with the tests - if available/needed.

Bug Work

Logged bugs ( blocking 1294514 )
Full Query
ID Priority Component Assigned to Summary Status Target milestone
1395406 P1 DOM: Device Interfaces J.C. Jones [:jcj] (he/they) Crash when using two USB tokens on U2F test site RESOLVED ---
1398268 P2 DOM: Device Interfaces Tim Taubert [:ttaubert] (inactive) [U2F, WebAuthn] Crash when switching between browsers during many verification attempts VERIFIED mozilla59
1399298 P2 DOM: Device Interfaces J.C. Jones [:jcj] (he/they) [WebAuthn] Browser does not recover if USB verification is interrupted when computer goes to sleep RESOLVED ---
1399669 -- DOM: Device Interfaces Tim Taubert [:ttaubert] (inactive) Credential creation test failure on Linux: signature buffer has incorrect number of bytes RESOLVED ---
1400940 P2 DOM: Device Interfaces Tim Taubert [:ttaubert] (inactive) Deadlock after tab switch during verification process RESOLVED mozilla57
1401019 P2 DOM: Device Interfaces Tim Taubert [:ttaubert] (inactive) [U2F] Crash upon signing credential without registering one first RESOLVED mozilla57
1401802 P2 DOM: Device Interfaces J.C. Jones [:jcj] (he/they) [WebAuth] WebIDL missing extension fields RESOLVED ---
1401803 -- DOM: Device Interfaces J.C. Jones [:jcj] (he/they) [WebAuth] Return ArrayBuffer instead of UInt8Array RESOLVED mozilla58
1402114 P2 DOM: Web Authentication J.C. Jones [:jcj] (he/they) [WebAuth] Feature should not be accessible in iframe by default RESOLVED ---
1403330 P2 DOM: Device Interfaces J.C. Jones [:jcj] (he/they) [WebAuth/U2F] Crash when using specific Yubico test key RESOLVED ---

10 Total; 0 Open (0%); 9 Resolved (90%); 1 Verified (10%);

Bug fix verification
Full Query
ID Priority Component Assigned to Summary Status Resolution Target milestone
1245527 P3 DOM: Device Interfaces J.C. Jones [:jcj] (he/they) Integrate the FIDO U2F JS API with the u2f-hid-rs library RESOLVED FIXED mozilla57

1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);

Sign off

Criteria

Checklist

  • All test cases should be executed
  • Has sufficient automated test coverage (as measured by code coverage tools) - coordinate with RelMan
  • All blockers, criticals must be fixed and verified or have an agreed-upon timeline for being fixed (as determined by engineering/RelMan/QA)

Results

Nightly testing

List of OSes that will be covered by testing

  • Link for the tests run
    • Full Test suite, link to TestRail - Tests Runs and Results link
    • Daily Smoke, if needed/available
    • Regression Test suite, if needed/available


Merge to Beta Sign-off
List of OSes that will be covered by testing

  • Link for the tests run
    • Full Test suite

Checklist

Exit Criteria Status Notes/Details
Testing Prerequisites (specs, use cases)
Testing Infrastructure setup
Test Plan Creation first draft complete
Test Cases Creation complete
Automation Coverage
Performance Testing
All Defects Logged
Critical/Blockers Fixed and Verified
Metrics/Telemetry
Basic/Core functionality Nightly testing
QA mid-Nightly Signoff Email to be sent
QA Nightly - Full Testing
QA pre-Beta Signoff Email to be sent
QA Beta - Full Testing
QA pre-Release Signoff Email to be sent
Retrieved from "https://wiki.allizom.org/index.php?title=Security/QA/TestPlans/Web_Authentication&oldid=1181378"