🧪 test: add JWT secret rotation BDD scenarios and step implementations #12
@@ -1,44 +1,132 @@
|
||||
Pending BDD Tests Implementation Plan
|
||||
# BDD Implementation Plan for dance-lessons-coach
|
||||
|
||||
Current Status:
|
||||
- 54 scenarios total
|
||||
- 30 scenarios passing
|
||||
- 24 scenarios pending
|
||||
- 0 scenarios undefined
|
||||
## Current Status
|
||||
- **Total Scenarios**: 54
|
||||
- **Passing**: 30 (55%)
|
||||
- **Pending**: 24 (44%)
|
||||
- **Undefined**: 0 (0%)
|
||||
- **Total Steps**: 361
|
||||
- **Passing Steps**: 183
|
||||
- **Pending Steps**: 24
|
||||
- **Skipped Steps**: 154
|
||||
|
||||
Implementation Plan:
|
||||
## Priority Order for Step Function Implementation
|
||||
|
||||
1. **JWT Secret Rotation Tests** (High Priority)
|
||||
- Token validation with multiple valid secrets
|
||||
- Secret rotation scenarios
|
||||
- Graceful rotation during retention period
|
||||
### 🔴 CRITICAL PRIORITY (Blockers for core functionality)
|
||||
1. **JWT Secret Management**
|
||||
- `theServerIsRunningWithMultipleJWTSecrets()` - Setup multiple secrets
|
||||
- `iShouldReceiveAValidJWTTokenSignedWithThePrimarySecret()` - Primary secret validation
|
||||
- `iValidateAJWTTokenSignedWithTheSecondarySecret()` - Secondary secret validation
|
||||
- `iAddANewSecondaryJWTSecretToTheServer()` - Secret addition
|
||||
- `iAddANewSecondaryJWTSecretAndRotateToIt()` - Secret rotation
|
||||
|
||||
2. **JWT Secret Retention Tests** (High Priority)
|
||||
- Automatic cleanup of expired secrets
|
||||
- Secret retention based on TTL factor
|
||||
- Maximum retention period enforcement
|
||||
- Cleanup frequency configuration
|
||||
### 🟡 HIGH PRIORITY (Core JWT functionality)
|
||||
2. **JWT Retention & Cleanup**
|
||||
- `theDefaultJWTTTLIsHours()` - TTL configuration
|
||||
- `theRetentionFactorIs()` - Retention factor setup
|
||||
- `theMaximumRetentionIsHours()` - Max retention limits
|
||||
- `iAddASecondaryJWTSecretWithHourExpiration()` - Expiring secrets
|
||||
- `iWaitForTheRetentionPeriodToElapse()` - Time simulation
|
||||
- `theExpiredSecondarySecretShouldBeAutomaticallyRemoved()` - Auto-cleanup
|
||||
- `thePrimarySecretShouldRemainActive()` - Primary secret protection
|
||||
|
||||
3. **User Authentication Tests** (Medium Priority)
|
||||
- Successful user authentication
|
||||
- Failed authentication scenarios
|
||||
- Admin authentication
|
||||
- User registration
|
||||
- Password reset functionality
|
||||
3. **JWT Validation & Authentication**
|
||||
- `aUserExistsWithPassword()` - User setup
|
||||
- `iAuthenticateWithUsernameAndPassword()` - Login functionality
|
||||
- `theAuthenticationShouldBeSuccessful()` - Success validation
|
||||
- `iShouldReceiveAValidJWTToken()` - Token generation
|
||||
- `iValidateTheReceivedJWTToken()` - Token validation
|
||||
- `theTokenShouldBeValid()` - Token verification
|
||||
- `itShouldContainTheCorrectUserID()` - Claims validation
|
||||
|
||||
4. **Configuration & Monitoring Tests** (Medium Priority)
|
||||
- Configuration validation
|
||||
- Metrics for secret retention
|
||||
- Log masking for security
|
||||
- Monitoring and alerting
|
||||
### 🟢 MEDIUM PRIORITY (Extended functionality)
|
||||
4. **User Management**
|
||||
- `iRegisterANewUserWithPassword()` - User registration
|
||||
- `theRegistrationShouldBeSuccessful()` - Registration validation
|
||||
- `iShouldBeAbleToAuthenticateWithTheNewCredentials()` - Post-registration auth
|
||||
- `iAuthenticateAsAdminWithMasterPassword()` - Admin access
|
||||
- `theTokenShouldContainAdminClaims()` - Admin privileges
|
||||
|
||||
Next Steps:
|
||||
5. **Password Reset**
|
||||
- `iAmAuthenticatedAsAdmin()` - Admin context
|
||||
- `iRequestPasswordResetForUser()` - Reset initiation
|
||||
- `thePasswordResetShouldBeAllowed()` - Reset authorization
|
||||
- `theUserShouldBeFlaggedForPasswordReset()` - Reset state
|
||||
- `iCompletePasswordResetForWithNewPassword()` - Reset completion
|
||||
- `iShouldBeAbleToAuthenticateWithTheNewPassword()` - Post-reset validation
|
||||
|
||||
1. Implement JWT secret rotation logic in the authentication service
|
||||
2. Add JWT secret retention and cleanup functionality
|
||||
3. Implement user authentication and registration endpoints
|
||||
4. Add configuration validation and monitoring
|
||||
5. Implement step definitions for pending scenarios
|
||||
6. Run full test suite to verify all scenarios pass
|
||||
### 🔵 LOW PRIORITY (Edge cases & monitoring)
|
||||
6. **Configuration & Validation**
|
||||
- `iSetRetentionFactorTo()` - Dynamic configuration
|
||||
- `iTryToStartTheServer()` - Server validation
|
||||
- `iShouldReceiveConfigurationValidationError()` - Error handling
|
||||
- `theErrorShouldMention()` - Error message validation
|
||||
|
||||
Estimated Time: 2-3 days
|
||||
7. **Monitoring & Metrics**
|
||||
- `iHaveEnabledPrometheusMetrics()` - Metrics setup
|
||||
- `iShouldSeeMetricIncrement()` - Metric validation
|
||||
- `iShouldSeeMetricDecrease()` - Metric changes
|
||||
- `iShouldSeeHistogramUpdate()` - Histogram metrics
|
||||
|
||||
8. **Security & Logging**
|
||||
- `iAddANewJWTSecret()` - Secret addition with masking
|
||||
- `theLogsShouldShowMaskedSecret()` - Log validation
|
||||
- `theLogsShouldNotExposeTheFullSecret()` - Security validation
|
||||
|
||||
9. **Performance & Scalability**
|
||||
- `iHaveJWTSecrets()` - Bulk secret management
|
||||
- `ofThemAreExpired()` - Expiration tracking
|
||||
- `itShouldCompleteWithinMilliseconds()` - Performance validation
|
||||
- `andNotImpactServerPerformance()` - Performance monitoring
|
||||
|
||||
10. **Advanced Features**
|
||||
- `iEnableAuditLogging()` - Audit trail setup
|
||||
- `iShouldSeeAuditLogEntryWithEventType()` - Audit validation
|
||||
- `iAuthenticateAndReceiveTokenA()` - Token tracking
|
||||
- `iRefreshMyTokenDuringRetentionPeriod()` - Token refresh
|
||||
- `iShouldReceiveNewTokenB()` - New token validation
|
||||
- `andTokenAShouldStillBeValidUntilRetentionExpires()` - Concurrent validation
|
||||
- `givenASecurityIncidentRequiresImmediateRotation()` - Emergency rotation
|
||||
- `iRotateToANewPrimarySecret()` - Emergency secret rotation
|
||||
- `oldTokensShouldBeInvalidatedImmediately()` - Emergency invalidation
|
||||
- `andNewTokensShouldUseTheEmergencySecret()` - Emergency token generation
|
||||
- `andCleanupShouldRemoveCompromisedSecrets()` - Emergency cleanup
|
||||
|
||||
## Implementation Strategy
|
||||
|
||||
### Phase 1: Core JWT Infrastructure (2-3 days)
|
||||
- Implement JWT secret management and rotation
|
||||
- Add retention policy and cleanup functionality
|
||||
- Create basic authentication endpoints
|
||||
- Implement core step definitions
|
||||
|
||||
### Phase 2: User Management (1-2 days)
|
||||
- Implement user registration and authentication
|
||||
- Add password reset functionality
|
||||
- Implement admin authentication
|
||||
- Add user-related step definitions
|
||||
|
||||
### Phase 3: Monitoring & Security (1 day)
|
||||
- Add Prometheus metrics integration
|
||||
- Implement log masking for security
|
||||
- Add audit logging
|
||||
- Implement monitoring step definitions
|
||||
|
||||
### Phase 4: Edge Cases & Testing (1 day)
|
||||
- Implement remaining edge case handlers
|
||||
- Add performance validation
|
||||
- Complete all step definitions
|
||||
- Run full test suite validation
|
||||
|
||||
## Estimation
|
||||
- **Total Effort**: 5-7 days
|
||||
- **Critical Path**: 2-3 days (JWT core functionality)
|
||||
- **Full Completion**: 1 week
|
||||
|
||||
## Success Criteria
|
||||
- All 54 scenarios passing
|
||||
- 0 undefined steps
|
||||
- 0 pending steps
|
||||
- Full test coverage of JWT secret rotation and retention
|
||||
- Complete user authentication workflow
|
||||
- Comprehensive monitoring and security features
|
||||
|
||||
Reference in New Issue
Block a user