diff --git a/functional_tests/README.md b/functional_tests/README.md
new file mode 100644
index 00000000..39bbc28b
--- /dev/null
+++ b/functional_tests/README.md
@@ -0,0 +1,22 @@
+# Roost Generated Functional Test
+
+**Execution Date:** 6/1/2026, 9:15:13 am
+
+**Test Unique Identifier:** "roost_test_1767670834"
+
+**Input(s):**
+ 1. bankspromot.txt
+ Path: C:\Users\manda\Downloads\bankspromot.txt
+ 2. TCSBaNCS_ST_BSSB_FSD_CallCenterOperator_v14.2.docx
+ Path: C:\Users\manda\Downloads\TCSBaNCS_ST_BSSB_FSD_CallCenterOperator_v14.2.docx
+ 3. TCS BaNCS-Functional Specifications-Securities Back Office Processing-v1.8.1.docx
+ Path: C:\Users\manda\Downloads\TCS BaNCS-Functional Specifications-Securities Back Office Processing-v1.8.1.docx
+
+**Test Output Folder:**
+ 1. [roost_test_1767670834.json](roost_test_1767670834\roost_test_1767670834.json)
+ 2. [roost_test_1767670834.feature](roost_test_1767670834\roost_test_1767670834.feature)
+ 3. [roost_test_1767670834.csv](roost_test_1767670834\roost_test_1767670834.csv)
+ 4. [roost_test_1767670834.xlsx](roost_test_1767670834\roost_test_1767670834.xlsx)
+
+---
+
diff --git a/functional_tests/roost_test_1767670834/.roost/roost_metadata.json b/functional_tests/roost_test_1767670834/.roost/roost_metadata.json
new file mode 100644
index 00000000..b73b5db0
--- /dev/null
+++ b/functional_tests/roost_test_1767670834/.roost/roost_metadata.json
@@ -0,0 +1,34 @@
+{
+ "project": {
+ "name": "roost_test_1767670834",
+ "created_at": "2026-01-06T03:45:13.331Z",
+ "updated_at": "2026-01-06T03:45:13.331Z"
+ },
+ "files": {
+ "input_files": [
+ {
+ "fileName": "roost_test_1767670834.txt",
+ "fileURI": "C:\\var\\tmp\\Roost\\RoostGPT\\TCSBaNCS_functional-after-fix\\1767670834\\functional_tests\\roost_test_1767670834\\roost_test_1767670834.txt",
+ "fileSha": "20ce6ae448"
+ },
+ {
+ "fileName": "bankspromot.txt",
+ "fileURI": "C:\\var\\tmp\\Roost\\RoostGPT\\TCSBaNCS_functional-after-fix\\1767670834\\functional_tests\\roost_test_1767670834\\bankspromot.txt",
+ "fileSha": "0664b099ba"
+ },
+ {
+ "fileName": "TCSBaNCS_ST_BSSB_FSD_CallCenterOperator_v14.2.docx",
+ "fileURI": "C:\\var\\tmp\\Roost\\RoostGPT\\TCSBaNCS_functional-after-fix\\1767670834\\functional_tests\\roost_test_1767670834\\TCSBaNCS_ST_BSSB_FSD_CallCenterOperator_v14.2.docx",
+ "fileSha": "55a242034e"
+ },
+ {
+ "fileName": "TCS BaNCS-Functional Specifications-Securities Back Office Processing-v1.8.1.docx",
+ "fileURI": "C:\\var\\tmp\\Roost\\RoostGPT\\TCSBaNCS_functional-after-fix\\1767670834\\functional_tests\\roost_test_1767670834\\TCS BaNCS-Functional Specifications-Securities Back Office Processing-v1.8.1.docx",
+ "fileSha": "2cd5271236"
+ }
+ ]
+ },
+ "api_files": {
+ "input_files": []
+ }
+}
\ No newline at end of file
diff --git a/functional_tests/roost_test_1767670834/roost_test_1767670834.csv b/functional_tests/roost_test_1767670834/roost_test_1767670834.csv
new file mode 100644
index 00000000..6338d8a0
--- /dev/null
+++ b/functional_tests/roost_test_1767670834/roost_test_1767670834.csv
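Review bot: Every `fileURI` in the `input_files` array of roost_metadata.json is an absolute path on the generating workstation (`C:\\var\\tmp\\Roost\\RoostGPT\\TCSBaNCS_functional-after-fix\\1767670834\\...`), and the README added in the same commit records `C:\Users\manda\Downloads\...`, so a local account name and directory layout are being committed to the repository. Paths in committed metadata should be relative to the test folder, e.g. `"fileURI": "bankspromot.txt"`, or dropped where `fileName` already identifies the file. The `fileSha` values are 10 hex characters, which looks like a truncated digest; if the field is meant to let a consumer verify the inputs, the full digest and its algorithm should be recorded (for example a sibling `"fileShaAlgorithm"` key). The first entry, `roost_test_1767670834.txt`, is listed as an input but is not among the README's inputs and does not appear elsewhere in this diff, so the run is not reproducible from what is committed.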
@@ -0,0 +1,10 @@
+"Scenario Outline: User Login with MFA Process"
+"Scenario: Role-Based Access for Supervisors"
+"Scenario Outline: Account Lockout after Multiple Failed Login Attempts"
+"Scenario Outline: Customer OTP Verification"
+"Scenario: Update Sensitive Profile Information with Required Authorization"
+"Scenario Outline: PII Masking in Error Messages"
+"Scenario: Ensure Session Timeout After Inactivity"
+"Scenario Outline: Unauthorized API Access Attempt"
+"Scenario: Secure User Session Termination after Logout"
+"Scenario: Audit Log Integrity Check"
diff --git a/functional_tests/roost_test_1767670834/roost_test_1767670834.feature b/functional_tests/roost_test_1767670834/roost_test_1767670834.feature
new file mode 100644
index 00000000..0cf9be82
--- /dev/null
+++ b/functional_tests/roost_test_1767670834/roost_test_1767670834.feature
@@ -0,0 +1,116 @@
+Feature: Security-Sensitive User Journeys and System Interactions in TCS BaNCS
+
+ # UI Test Scenarios for Call Center System
+ @ui @authentication @MFA
+ Scenario Outline: User Login with MFA Process
+ Given I am on the "Login" page of the Call Center
+ When I enter "" and ""
+ Then I should see an MFA prompt
+ When I enter the MFA code ""
+ Then I should be logged into the dashboard
+ And the successful login and MFA verification should be recorded
+
+ Examples:
+ | username | password | mfa_code |
+ | user1 | pass123 | 123456 |
+ | user2 | pass456 | 654321 |
+
+ @ui @authorization @RBAC
+ Scenario: Role-Based Access for Supervisors
+ Given I am logged in as a supervisor
+ When I attempt to access management and report tools
+ Then I should be granted access
+ When I try to initiate high-privilege transactions
+ Then access should be restricted
+
+ # API Test Scenarios for Backend Core System
+ @api @authentication @lockout
+ Scenario Outline: Account Lockout after Multiple Failed Login Attempts
+ Given the API base URL is '/api/auth'
+ And the authorization token is set
+ When I send a POST request to '/api/auth/login' with payload """
+ { "username": "", "password": "" }
+ """
+ Then the response status should be 401
+ And the response should contain 'account locked' after 3 attempts
+
+ Examples:
+ | username | wrong_password |
+ | user1 | wrongpass |
+
+ @api @customer_verification @OTP
+ Scenario Outline: Customer OTP Verification
+ Given the API base URL is '/api/verification'
+ And the authorization token is set
+ When I send a POST request to '/api/verification/otp' with payload """
+ { "customerId": "", "otp": "" }
+ """
+ Then the response status should be
+ And the response should contain ''
+
+ Examples:
+ | customer_id | otp_code | status | verification_message |
+ | CUST001 | 111111 | 200 | otp verified successfully |
+ | CUST001 | 999999 | 403 | invalid otp, attempts exceeded |
+
+ @api @profile_update @authorization
+ Scenario: Update Sensitive Profile Information with Required Authorization
+ Given the API base URL is '/api/customers'
+ And the authorization token is auth_admin
+ When I send a PUT request to '/api/customers/profile' with payload """
+ { "customerId": "CUST001", "contactInfo": { "phone": "+972*****1234" } }
+ """
+ Then the response status should be 403
+ And the request should be pending supervisor approval in logs
+
+ # API Test for Security and Error Handling
+ @api @secure_error_handling @PII_masking
+ Scenario Outline: PII Masking in Error Messages
+ Given the API base URL is '/api/errors'
+ When I trigger an error with invalid data """
+ { "cardNumber": "" }
+ """
+ Then the error message should not contain ""
+ And only a generic error code should be presented
+
+ Examples:
+ | invalid_card | sensitive_data |
+ | 1234-5678-8765 | 1234 |
+ | 0000-0000-0000 | 0000 |
+
+ # UI Test Scenarios for Session Management
+ @ui @session_security @timeout
+ Scenario: Ensure Session Timeout After Inactivity
+ Given I am logged into the Call Center
+ When I remain idle for the timeout period
+ Then I should be prompted to re-login
+ And the session timeout event should be logged
+
+ # API Test for Unauthorized Access
+ @api @access_control @audit_trail
+ Scenario Outline: Unauthorized API Access Attempt
+ Given the API base URL is '/api/admin'
+ When I attempt a GET request without authorization
+ Then the response status should be 401
+ And the attempt should be recorded in the audit logs
+
+ Examples:
+ | endpoint | method |
+ | /api/admin/logs | GET |
+ | /api/admin/users | GET |
+
+ # UI Test for Secure Logout and Session Termination
+ @ui @session_management
+ Scenario: Secure User Session Termination after Logout
+ Given I am logged into the Call Center
+ When I log out explicitly
+ Then attempting to access the system with previous session data should fail
+ And the session termination should be logged
+
+ # API Test for Audit Log Integrity
+ @api @audit_integrity @tamper_proof
+ Scenario: Audit Log Integrity Check
+ Given the API base URL is '/api/audit'
+ When I attempt unauthorized modifications to audit logs
+ Then modifications should be rejected
+ And log integrity should remain intact, reflecting original activities
diff --git a/functional_tests/roost_test_1767670834/roost_test_1767670834.json b/functional_tests/roost_test_1767670834/roost_test_1767670834.json
new file mode 100644
index 00000000..caaa87a7
--- /dev/null
+++ b/functional_tests/roost_test_1767670834/roost_test_1767670834.json
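Review bot: The Account Lockout outline sends one POST to `/api/auth/login` and then asserts `'account locked' after 3 attempts`, but no step repeats the request, so as written the outline cannot reach the lockout condition; a repeat step such as `When I send the POST request to '/api/auth/login' 3 times with payload` (or an `attempts` column in Examples) would make the assertion reachable. The PII Masking examples assert that the error message does not contain `1234` or `0000`; a four-digit substring can legitimately occur in a generic error code, so the check is both weak and flaky, and asserting absence of the full `invalid_card` value is more meaningful. The Unauthorized API Access outline declares `endpoint` and `method` Examples columns that no visible step references (the step is the literal `When I attempt a GET request without authorization`), unless the rendering dropped `<...>` placeholders as it appears to have done in `When I enter "" and ""`. `And the authorization token is auth_admin` names a token inline; test credentials such as the `pass123`/`pass456` rows are better supplied from the test environment than committed in the feature file.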
@@ -0,0 +1 @@ +[{"type":"functional","title":"User Login with MFA","description":"Test the login process with Multi-Factor Authentication.","testId":"TC-001","testDescription":"Ensure user can log in with correct credentials followed by successful MFA.","prerequisites":"User account must exist and be registered for MFA.","stepsToPerform":"1. Navigate to login page on Call Center.\n2. Enter valid username and password.\n3. Submit and wait for MFA prompt.\n4. Enter correct MFA code received.\n5. Verify login success.","expectedResult":"User is logged in to the dashboard, and MFA code is verified correctly.","expectedResultTechnical":"Check audit log for successful login and MFA verification event.","negativeScenarios":["Submit invalid MFA code.","Submit expired MFA code."],"auditLogsToVerify":"Login attempt and MFA challenge logs.","securityAssertions":"MFA code must not be stored. Ensure no excessive retries.","priority":"P0","automationFeasibility":"High - Use Selenium for UI automation and database checks for logs.","coverageTags":["authentication","MFA"]},{"type":"functional","title":"Role-Based Access for Supervisors","description":"Verify that supervisors have access rights as per their roles.","testId":"TC-002","testDescription":"A supervisor tries accessing features exclusive to their role.","prerequisites":"User should be a supervisor.","stepsToPerform":"1. Log in as a supervisor.\n2. Attempt to access management and report tools.\n3. Attempt to initiate high-privilege transactions.","expectedResult":"Access is granted to management tools. 
Restriction on actions beyond role privilege.","expectedResultTechnical":"Verify role-based access entries in the logs.","negativeScenarios":["Try accessing auditor-exclusive tools.","Attempt unauthorized data access."],"auditLogsToVerify":"Access attempt logs with timestamp and result.","securityAssertions":"Access control definitions must hold per role.","priority":"P1","automationFeasibility":"Medium - Role testing and log verification using automation tools.","coverageTags":["RBAC","authorization"]},{"type":"functional","title":"Sensitive Profile Information Update","description":"Test updates to sensitive customer profile information require appropriate authorization.","testId":"TC-003","testDescription":"Updates to phone number or email in the Call Center system should trigger backend authorization.","prerequisites":"User logged in, customer account selected.","stepsToPerform":"1. Navigate to customer details section.\n2. Edit phone number field.\n3. Submit change request.\n4. Wait for supervisor approval notification.","expectedResult":"Profile changes require supervisor approval to be saved.","expectedResultTechnical":"Check audit logs for change request and authorization status.","negativeScenarios":["Submit change without approval.","Attempt multiple unauthorized changes."],"auditLogsToVerify":"Authorization request logs with change details.","securityAssertions":"Sensitive data changes must be logged and authorized.","priority":"P0","automationFeasibility":"Medium - Automate UI interactions and backend validations.","coverageTags":["PII","profile update"]},{"type":"functional","title":"Session Security - Idle Timeout","description":"Ensure sessions are invalidated after a period of inactivity.","testId":"TC-004","testDescription":"User session should expire after a specified period of inactivity.","prerequisites":"User logged in to the Call Center platform.","stepsToPerform":"1. Log in to the system.\n2. Remain idle for specified timeout period.\n3. 
Try performing an action post timeout.","expectedResult":"User is logged out automatically, and prompted for re-login.","expectedResultTechnical":"Session timeout events must be recorded in the log.","negativeScenarios":["Attempt accessing system post timeout without reauthentication."],"auditLogsToVerify":"Check logs for idle timeout event capturing.","securityAssertions":"Sessions must expire securely, preventing unauthorized access.","priority":"P1","automationFeasibility":"High - Automate with headless browser and monitor session status.","coverageTags":["session security","timeout"]},{"type":"functional","title":"Customer Identification and OTP Verification","description":"Verify that OTP is required and correctly processed for customer identification.","testId":"TC-005","testDescription":"A customer attempts to perform critical actions requiring OTP verification for security.","prerequisites":"Customer account must be active with a registered mobile number.","stepsToPerform":"1. Initiate a transaction requiring identification.\n2. Receive OTP on registered mobile.\n3. Enter OTP in the verification screen.\n4. 
Submit the transaction request.","expectedResult":"Customer identification is successfully verified with OTP, allowing transaction processing.","expectedResultTechnical":"OTP entry and verification status must be logged.","negativeScenarios":["Enter incorrect OTP multiple times.","Attempt transaction with expired OTP."],"auditLogsToVerify":"Audit logs should capture OTP generation, sent status, and verification outcome.","securityAssertions":"OTP must be unique per transaction and not reused.","priority":"P0","automationFeasibility":"Medium - Automation with test harness simulating OTP requests and validation.","coverageTags":["OTP","customer verification"]},{"type":"functional","title":"PII Masking in Error Messages","description":"Ensure no sensitive PII or PCI data is revealed in error messages.","testId":"TC-006","testDescription":"Test system error messages for leaks of sensitive information.","prerequisites":"Access to error-generating scenarios in the system.","stepsToPerform":"1. Trigger an error by entering incorrect details, e.g., invalid card number.\n2. Observe error message displayed.\n3. Repeat for multiple error scenarios.","expectedResult":"Error messages must not contain sensitive information such as full PAN or personal details.","expectedResultTechnical":"System logs should not store sensitive data in plaintext. 
Error handling should record error IDs.","negativeScenarios":["Message reveals partial card number.","Error exposes user email address."],"auditLogsToVerify":"Logs must capture error codes without sensitive details.","securityAssertions":"Error handling must obfuscate sensitive information.","priority":"P0","automationFeasibility":"High - Use scripts to trigger errors and parse message outputs.","coverageTags":["secure error handling","PII masking"]},{"type":"functional","title":"Privilege Escalation Attempt","description":"Check system's resilience against unauthorized privilege escalation attempts.","testId":"TC-007","testDescription":"Simulate scenarios where a lower-privilege user attempts actions restricted to higher roles.","prerequisites":"User with lower privilege level account.","stepsToPerform":"1. Log in as a low-level user.\n2. Attempt actions restricted to supervisors, e.g., approving transactions.\n3. Monitor system response.","expectedResult":"User is prevented from performing unauthorized actions, with appropriate alerts generated.","expectedResultTechnical":"Unauthorized access attempts must be logged with user ID and action details.","negativeScenarios":["Bypass RBAC controls using direct URL/Elevated API access."],"auditLogsToVerify":"Verify logs for attempted privilege escalation events and system response.","securityAssertions":"RBAC enforcement must prevent unauthorized access.","priority":"P0","automationFeasibility":"Medium - Automated tests simulating user actions using role-specific credentials.","coverageTags":["RBAC","privilege escalation"]},{"type":"functional","title":"Simultaneous Login Attempt","description":"Verify that multiple simultaneous logins across devices are correctly handled.","testId":"TC-008","testDescription":"Attempt to log in to multiple instances at the same time and test session handling.","prerequisites":"User account with known credentials.","stepsToPerform":"1. Log in to the Call Center portal on Device A.\n2. 
Simultaneously attempt login on Device B with same credentials.\n3. Analyze session handling.","expectedResult":"System manages simultaneous logins based on defined policies, such as logging out older sessions or blocking concurrent access.","expectedResultTechnical":"Concurrent session attempts and outcomes logged with details.","negativeScenarios":["Device A session terminated without notification.","Unrestricted concurrent access."],"auditLogsToVerify":"Login events should record device instances and outcomes.","securityAssertions":"Must ensure session integrity and control.","priority":"P1","automationFeasibility":"Medium - Use automation scripts for concurrent session attempts.","coverageTags":["authentication","session management"]},{"type":"functional","title":"Card Block/Unblock Process","description":"Ensure that card block and unblock workflows are secure and require proper authorization.","testId":"TC-009","testDescription":"Test the block/unblock functionality for a credit/debit card, ensuring authorized access and logging.","prerequisites":"Account with active card linked to customer profile.","stepsToPerform":"1. Log in to the account.\n2. Navigate to card settings.\n3. Initiate card block request.\n4. Check for authorization requirement.\n5. 
Repeat for unblock request.","expectedResult":"Blocking/unblocking cards requires authorization and is logged with detail.","expectedResultTechnical":"Verify that block/unblock actions are logged with authorization trail.","negativeScenarios":["Attempt to block/unblock without approval.","Replay attack on card operations."],"auditLogsToVerify":"Check for action logs, including auditor interventions.","securityAssertions":"Card operations must follow strict authorization protocols.","priority":"P0","automationFeasibility":"High - Automate via scripts for UI and backend checks.","coverageTags":["financial transactions","authorization"]},{"type":"functional","title":"Case/Dispute Creation","description":"Test creation of disputes ensuring correct audit and permission workflows.","testId":"TC-010","testDescription":"User raises a dispute on a transaction, testing permission check and logging.","prerequisites":"User account with eligible transaction for dispute.","stepsToPerform":"1. Identify eligible transaction.\n2. Initiate dispute creation.\n3. Submit with mandatory information.\n4. 
Confirm creation and follow-up workflow initiation.","expectedResult":"Dispute is logged, workflow initiated, and user receives confirmation.","expectedResultTechnical":"Verify log entries for creation and status updates.","negativeScenarios":["Submit dispute without mandatory fields.","Duplicate dispute creation."],"auditLogsToVerify":"Dispute lifecycle logs verifying creation and handling.","securityAssertions":"Dispute creation must be tracked and restricted to permissible transactions.","priority":"P1","automationFeasibility":"Medium - Test automation for end-to-end dispute workflow.","coverageTags":["dispute management","logging"]},{"type":"functional","title":"Asynchronous Data Synchronization","description":"Check data sync behavior across systems when delays and retries are involved.","testId":"TC-011","testDescription":"Ensure data consistency and updates propagate correctly with potential delays.","prerequisites":"Operational data feed between call center and backend.","stepsToPerform":"1. Initiate data update on Call Center.\n2. Simulate delay and check state consistency.\n3. 
Verify data propagation to backend.","expectedResult":"Data syncs respecting retry windows, maintaining consistency.","expectedResultTechnical":"Log entries for each sync attempt and status.","negativeScenarios":["Data update fails post retry interval.","Mismatched data states post-sync."],"auditLogsToVerify":"Review sync logs for any anomalies in state consistency.","securityAssertions":"Data synchronization must maintain integrity, respecting defined delay policies.","priority":"P2","automationFeasibility":"Low - Requires bespoke tooling to simulate delays and check outcomes.","coverageTags":["data sync","consistency"]},{"type":"functional","title":"Unauthorized Access to Audit Trail","description":"Verify that only authorized users can access audit logs and trail information.","testId":"TC-012","testDescription":"Ensure that access to audit logs is restricted and monitored.","prerequisites":"User account with admin privileges.","stepsToPerform":"1. Log in as an admin user.\n2. Attempt to access audit logs.\n3. Verify permissions and access rights.\n4. Check logs for access attempts.","expectedResult":"Audit logs are accessible only to authorized users, and unauthorized attempts are logged.","negativeScenarios":["Unauthorized user attempts to access audit logs."],"auditLogsToVerify":"Access attempts and outcomes for audit logs.","securityAssertions":"Audit trail access must be logged and restricted.","expectedResultTechnical":"Audit entries for access attempts must be detailed.","priority":"P0","automationFeasibility":"Medium - Automation tools for log analysis.","coverageTags":["audit","access control"]},{"type":"functional","title":"Secure Financial Transaction Log","description":"Ensure secure logging practices for financial transactions.","testId":"TC-013","testDescription":"Verify that financial transactions are logged securely with all necessary details.","prerequisites":"Financial transaction data and logging module access.","stepsToPerform":"1. 
Perform a financial transaction.\n2. Verify that transaction details are securely logged.\n3. Attempt to access logs and verify security.","expectedResult":"All transaction logs must contain detailed and secure information.","negativeScenarios":["Log entry missing crucial details like amount or transaction ID."],"auditLogsToVerify":"Transaction details like ID, amount, and timestamp.","securityAssertions":"Transaction logs must not expose sensitive data directly.","expectedResultTechnical":"Log entries comply with PCI standards.","priority":"P0","automationFeasibility":"High - Scripted verification of log entries.","coverageTags":["financial transactions","logging"]},{"type":"functional","title":"Exporting Sensitive Data","description":"Test that exporting sensitive data requires authorization and logs all actions.","testId":"TC-014","testDescription":"Validate the export process and ensure controls are in place for sensitive data.","prerequisites":"User account with export permissions.","stepsToPerform":"1. Initiate export of sensitive customer data.\n2. Verify necessary authorizations.\n3. 
Check logs for export details.","expectedResult":"Sensitive data export requires approval and logs include export details.","negativeScenarios":["Export initiated without mandatory authorizations."],"auditLogsToVerify":"Log entries should include user ID and data exported.","securityAssertions":"Data export must be controlled and logged.","expectedResultTechnical":"Export logs must show timestamps and originating user.","priority":"P1","automationFeasibility":"Medium - Automation scripts for export verification.","coverageTags":["data export","authorization"]},{"type":"functional","title":"Invalid Data Entry Handling","description":"Check how system handles invalid data entries and ensures they don't affect workflows.","testId":"TC-015","testDescription":"Test response to invalid data submissions in various fields.","prerequisites":"Access to data entry modules.","stepsToPerform":"1. Enter invalid data (e.g., wrong date format) into form fields.\n2. Attempt to submit or proceed.\n3. Monitor system response and error messaging.","expectedResult":"System prevents continuation and provides informative error messages.","negativeScenarios":["Submission succeeds with malformed data."],"auditLogsToVerify":"Logs should capture validation failures and reject reasons.","securityAssertions":"Data validation should prevent malformed submissions.","expectedResultTechnical":"System captures each validation failure for audit.","priority":"P1","automationFeasibility":"High - Easy scripting for input variations.","coverageTags":["input validation","error handling"]},{"type":"functional","title":"Financial Calculation Validation","description":"Verify correctness and accuracy of complex financial calculations.","testId":"TC-016","testDescription":"Test key financial calculations for edge cases and boundary conditions.","prerequisites":"Access to financial calculation modules, test data.","stepsToPerform":"1. Input edge-case financial data values.\n2. 
Execute calculation functions.\n3. Validate outputs against expected results.","expectedResult":"Calculations must be correct and handle edge cases without error.","negativeScenarios":["Overflow or calculation error with extreme input values."],"auditLogsToVerify":"Log inputs and outputs of calculations for review.","securityAssertions":"Financial processing must maintain integrity and accuracy.","expectedResultTechnical":"Calculation results logged for traceability.","priority":"P0","automationFeasibility":"High - Calculate expected results programmatically.","coverageTags":["financial calculations","accuracy"]},{"type":"functional","title":"Data Provenance Verification","description":"Ensure consistent data provenance across updates.","testId":"TC-017","testDescription":"Test data trail integrity during updates.","prerequisites":"Historical data access and update tools.","stepsToPerform":"1. Update historical data records.\n2. Trace data provenance before and after update.\n3. Verify data integrity and audit trail.","expectedResult":"Data provenance maintains integrity post-update.","negativeScenarios":["Update breaks historical data trail."],"auditLogsToVerify":"Provenance logs must reflect accurate historical data lineage.","securityAssertions":"Provenance must be immutable and comprehensive.","expectedResultTechnical":"Detailed audit logs capture all changes and the original data state.","priority":"P1","automationFeasibility":"Low - Complex data matching across states.","coverageTags":["data provenance","integrity"]},{"type":"functional","title":"Unauthorized Access Blocking on Multi-Step Requests","description":"Ensure that unauthorized multi-step requests are blocked at each step.","testId":"TC-018","testDescription":"Simulate unauthorized access attempts during multi-step transaction processes.","prerequisites":"User account with limited access permissions.","stepsToPerform":"1. Log in as a low-privilege user.\n2. 
Attempt a multi-step transaction process such as fund transfer.\n3. Try to proceed at each step without necessary permissions.","expectedResult":"Unauthorized attempts are blocked at each step and logged for review.","negativeScenarios":["Bypass initial checks using indirect API calls.","Attempt escalation to modify transaction limits mid-process."],"auditLogsToVerify":"Each unauthorized access attempt should be logged detailing the step and the user.","securityAssertions":"The system must enforce access control at each process step.","priority":"P1","automationFeasibility":"Medium - Requires detailed script configuration to simulate stepwise access.","coverageTags":["authorization","access control"]},{"type":"functional","title":"Secure User Session Termination","description":"Verify that user sessions are terminated correctly upon logout and cannot be reused.","testId":"TC-019","testDescription":"Ensure user sessions are terminated securely during explicit logouts.","prerequisites":"Active user session on the Call Center platform.","stepsToPerform":"1. Log in to the platform.\n2. Perform various actions.\n3. Log out explicitly.\n4. 
Attempt to access the system with the previous session data.","expectedResult":"Previous session data should not grant access post-logout.","negativeScenarios":["Session remains active in new tabs after logout.","Logging out doesn't invalidate session tokens."],"auditLogsToVerify":"Logs should capture session termination event and associated actions.","securityAssertions":"Sessions must be invalidated immediately on logout.","priority":"P0","automationFeasibility":"High - Automate using scripts to manage session states.","coverageTags":["session management","security"]},{"type":"functional","title":"Audit Log Integrity Check","description":"Validate the integrity of audit logs to ensure they are tamper-proof.","testId":"TC-020","testDescription":"Audit logs must remain unchanged and provide a reliable trace of activities.","prerequisites":"Access to the audit log management module.","stepsToPerform":"1. Generate audit log entries by executing sample transactions.\n2. Attempt unauthorized modifications to audit logs.\n3. 
Verify log content integrity.","expectedResult":"Audit logs should be unalterable post-creation, capturing all attempts to modify.","negativeScenarios":["Unauthorized user alters log entries directly.","Log entries do not accurately reflect actions taken."],"auditLogsToVerify":"Logs should reflect all access and modification attempts, failing which indicates a breach.","securityAssertions":"Audit logs must be immutable and protected from unauthorized alterations.","priority":"P0","automationFeasibility":"Medium - Scripts for log entry verification and alteration attempts.","coverageTags":["audit integrity","tamper-proofing"]},{"type":"functional","title":"Enhanced Role-Based Access Enforcement","description":"Ensure strict adherence to role-based access controls throughout the application.","testId":"TC-021","testDescription":"Test access restrictions across multiple roles and functionalities.","prerequisites":"Multiple user accounts configured with different roles.","stepsToPerform":"1. Log in with various role accounts.\n2. Try accessing features exclusive to other roles.\n3. 
Validate access requests against expected permissions.","expectedResult":"Access should be granted or denied based on the user's assigned role.","negativeScenarios":["Access gained through privilege misconfigurations.","Role switch using session tampering."],"auditLogsToVerify":"Each access attempt and its result should be logged with user details and timestamps.","securityAssertions":"RBAC must strictly enforce defined permissions; anomalies must be addressed promptly.","priority":"P0","automationFeasibility":"High - Automated testing for role access with simulated user roles.","coverageTags":["RBAC","authorization"]},{"type":"functional","title":"Multiple Failed Login Alerting System","description":"Implement and verify alerting mechanisms for multiple failed login attempts.","testId":"TC-022","testDescription":"Test alert generation after several failed login attempts within a short period.","prerequisites":"User account with logging capabilities and no prior lockout.","stepsToPerform":"1. Enter incorrect passwords repeatedly until lockout occurs.\n2. Monitor alert system for triggered notifications.\n3. 
Check if account is temporarily suspended post multiple failures.","expectedResult":"Alert is triggered to admin/support team, and account lockout is enacted.","negativeScenarios":["False lockout due to legitimate rapid login attempts.","Lack of alerts even after multiple failures."],"auditLogsToVerify":"Log files should show the count of failed attempts and alert triggers.","securityAssertions":"Brute force attempts must be mitigated with alerts and temporary locks.","priority":"P1","automationFeasibility":"Medium - Scripted failure attempts with automated alert verification.","coverageTags":["security alerts","login security"]},{"type":"functional","title":"Data Integrity Check During System Updates","description":"Verify that data integrity is maintained during system updates or patches.","testId":"TC-023","testDescription":"Ensure transactions and user data remain consistent across system updates.","prerequisites":"Active system with pending updates, test accounts with known balances.","stepsToPerform":"1. Capture a snapshot of current data state.\n2. Apply system update/patch.\n3. Verify post-update data state against snapshot.\n4. 
Conduct random transaction checks for consistency.","expectedResult":"Data remains unchanged and consistent post-update.","negativeScenarios":["Data corruption post-update.","Transaction inconsistencies detected."],"auditLogsToVerify":"Logs should show update process and data integrity checks without errors.","securityAssertions":"Updates must not alter data integrity; correct state must be maintained.","priority":"P0","automationFeasibility":"Medium - Requires snapshot and comparison tool integration.","coverageTags":["system updates","data integrity"]},{"type":"functional","title":"Replay Attack Protection on Transactions","description":"Test the system's protection mechanisms against replay attacks on transactions.","testId":"TC-024","testDescription":"Ensure that duplicate transaction requests using old data are prevented.","prerequisites":"Access to transaction initiation tools and monitoring.","stepsToPerform":"1. Record a valid transaction request.\n2. Attempt to replay the transaction using the same request data.\n3. Monitor system response for rejection.","expectedResult":"The replayed transaction should be blocked and logged as a security incident.","negativeScenarios":["System processes duplicate transaction.","Log fails to show replay attempt."],"auditLogsToVerify":"Transaction logs must indicate attempt and rejection of replayed request.","securityAssertions":"Transaction requests must be timestamped and one-time use.","priority":"P0","automationFeasibility":"High - Ability to script replay attempts and verify logs.","coverageTags":["replay attack","transaction security"]},{"type":"functional","title":"System Response to Unauthorized API Access","description":"Verify system's handling of unauthorized direct API access attempts.","testId":"TC-025","testDescription":"Test system resilience to API requests made without valid authentication tokens.","prerequisites":"Access to API endpoints and a testing account.","stepsToPerform":"1. 
Attempt API call without authentication.\n2. Observe and record system response.\n3. Check for log entry on the access attempt.","expectedResult":"API access is denied, and a detailed log entry is created.","negativeScenarios":["API returns data without authentication.","No log entry for unauthorized access."],"auditLogsToVerify":"Logs must capture each unauthorized API access attempt with details.","securityAssertions":"APIs must enforce authentication for all requests.","priority":"P0","automationFeasibility":"Medium - Requires API tooling for attempt simulation.","coverageTags":["API security","authentication"]},{"type":"functional","title":"Endpoint Security Against SQL Injection","description":"Ensure that all data input endpoints are secure from SQL injection threats.","testId":"TC-026","testDescription":"Validate SQL protection mechanisms across various input fields.","prerequisites":"Access to endpoint testing tools and database logs.","stepsToPerform":"1. Select an input field vulnerable to SQL injection.\n2. Inject SQL payloads to test response.\n3. Verify input processing and database interactions.","expectedResult":"System should sanitize inputs, rejecting malicious payloads without SQL execution.","negativeScenarios":["SQL payload executes successfully.","Error messages reveal database details."],"auditLogsToVerify":"Logs should not show SQL execution from inputs; sanitize errors should be logged.","securityAssertions":"Inputs must be validated and sanitized against injections.","priority":"P0","automationFeasibility":"High - Use automated tools for injection testing.","coverageTags":["SQL injection","input validation"]}]
\ No newline at end of file
diff --git a/functional_tests/roost_test_1767670834/roost_test_1767670834.xlsx b/functional_tests/roost_test_1767670834/roost_test_1767670834.xlsx
new file mode 100644
index 00000000..5c00e800
Binary files /dev/null and b/functional_tests/roost_test_1767670834/roost_test_1767670834.xlsx differ
