diff --git a/functional_tests/README.md b/functional_tests/README.md
new file mode 100644
index 00000000..396790b3
--- /dev/null
+++ b/functional_tests/README.md
@@ -0,0 +1,19 @@
+# Roost Generated Functional Test
+
+**Execution Date:** 1/11/2026, 11:51:33 AM
+
+**Test Unique Identifier:** "roost_test_1768112379"
+
+**Input(s):**
+ 1. bankspromot.txt
+ Path: ../tcs/bankspromot.txt
+
+**Test Output Folder:**
+ 1. [roost_test_1768112379.json](roost_test_1768112379/roost_test_1768112379.json)
+ 2. [roost_test_1768112379.feature](roost_test_1768112379/roost_test_1768112379.feature)
+ 3. [roost_test_1768112379.csv](roost_test_1768112379/roost_test_1768112379.csv)
+ 4. [roost_test_1768112379.xlsx](roost_test_1768112379/roost_test_1768112379.xlsx)
+ 5. [roost_test_1768112379.docx](roost_test_1768112379/roost_test_1768112379.docx)
+
+---
+
diff --git a/functional_tests/roost_test_1768112379/.roost/roost_metadata.json b/functional_tests/roost_test_1768112379/.roost/roost_metadata.json
new file mode 100644
index 00000000..63673a6a
--- /dev/null
+++ b/functional_tests/roost_test_1768112379/.roost/roost_metadata.json
@@ -0,0 +1,24 @@
+{
+ "project": {
+ "name": "roost_test_1768112379",
+ "created_at": "2026-01-11T06:21:33.787Z",
+ "updated_at": "2026-01-11T06:21:33.787Z"
+ },
+ "files": {
+ "input_files": [
+ {
+ "fileName": "roost_test_1768112379.txt",
+ "fileURI": "/var/tmp/Roost/RoostGPT/TCSBaNCS_functional-after-fix/1768112379/functional_tests/roost_test_1768112379/roost_test_1768112379.txt",
+ "fileSha": "cf83e1357e"
+ },
+ {
+ "fileName": "bankspromot.txt",
+ "fileURI": "/var/tmp/Roost/RoostGPT/TCSBaNCS_functional-after-fix/1768112379/functional_tests/roost_test_1768112379/bankspromot.txt",
+ "fileSha": "14a19da7ed"
+ }
+ ]
+ },
+ "api_files": {
+ "input_files": []
+ }
+}
\ No newline at end of file
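Review bot: `fileSha` holds a 10-hex-character prefix rather than a full digest, so it cannot serve as an integrity check on the input files, and the value `cf83e1357e` recorded for `roost_test_1768112379.txt` matches the leading digits of the SHA-512 of empty input, which suggests that file was empty or absent when this metadata was written; it is worth confirming that the generated artifacts were actually derived from `bankspromot.txt`. The `fileURI` values are absolute paths under `/var/tmp/Roost/RoostGPT/...` on the generating host, which cannot be resolved from a checkout and disclose that host's directory layout; repository-relative paths, as the README already uses, would be sufficient. The hash algorithm and the full digest should be recorded alongside the file name so a reader can re-verify the inputs later.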
diff --git a/functional_tests/roost_test_1768112379/roost_test_1768112379.csv b/functional_tests/roost_test_1768112379/roost_test_1768112379.csv
new file mode 100644
index 00000000..5f278dc8
--- /dev/null
+++ b/functional_tests/roost_test_1768112379/roost_test_1768112379.csv
@@ -0,0 +1,11 @@
+Agent Authentication with SSO and MFA
+Account Lockout after Failed Login Attempts
+RBAC Enforcement for Supervisor Screens
+Customer Identification with KBA Verification
+PII/PCI Data Masking in Customer Profiles
+Session Timeout and Security Handling
+Concurrent Session Management
+Sensitive Action Audit Trail Verification
+Fraud Signal Detection and Additional Verification
+Call Recording Access Control Verification
+Secure Error Handling and Message Consistency
\ No newline at end of file
diff --git a/functional_tests/roost_test_1768112379/roost_test_1768112379.feature b/functional_tests/roost_test_1768112379/roost_test_1768112379.feature
new file mode 100644
index 00000000..07cf10e8
--- /dev/null
+++ b/functional_tests/roost_test_1768112379/roost_test_1768112379.feature
@@ -0,0 +1,108 @@
+Feature: Compliance and Security Testing for Agent and Customer Management
+
+ # UI and API Test Scenarios for comprehensive testing
+
+ @authentication @ui @api
+ Scenario Outline: Agent Authentication with SSO and MFA
+ Given the agent account is prepared with SSO and MFA
+ When the agent navigates to the login page
+ And enters a valid "" and ""
+ And successfully inputs the MFA code ""
+ Then the agent should be logged in successfully
+ And audit logs should contain user ID, timestamp, login attempts, and account lock status
+
+ Examples:
+ | username | password | mfa_code |
+ | valid_user | valid_pass | 123456 |
+ | locked_user | wrong_pass | 123456 |
+
+ @authentication @ui
+ Scenario Outline: Account Lockout after Failed Login Attempts
+ Given the agent account is not locked
+ When the agent repeatedly enters an invalid "" or "" for 5 attempts
+ Then the account should be locked
+ And any further login attempts should be prevented
+ And audit logs should include the account lock status
+
+ Examples:
+ | username | password |
+ | valid_user | wrong_pass |
+ | invalid_user | valid_pass |
+
+ @rbac @ui
+ Scenario: RBAC Enforcement for Supervisor Screens
+ Given an agent logs in with basic permissions
+ When the agent attempts to access a supervisor screen
+ Then access should be denied and an error message displayed
+ And audit logs should document the access attempt and role mismatch
+
+ @kba @ui
+ Scenario Outline: Customer Identification with KBA Verification
+ Given a customer account exists with KBA setup
+ When the agent initiates verification and enters the answer ""
+ Then the system should "" the verification
+ And audit the session including answer status
+
+ Examples:
+ | kba_answer | result |
+ | correct | proceed |
+ | incorrect | block |
+ | random | additional |
+
+ @pii @ui
+ Scenario: PII/PCI Data Masking in Customer Profiles
+ Given an agent is logged in with access to customer profiles
+ When visiting a customer profile with PII/PCI data
+ Then PAN should be partially masked, and CVV completely hidden
+ And attempts to view masked details should be logged
+
+ @session @ui
+ Scenario: Session Timeout and Security Handling
+ Given an agent is logged in with session timeout set to 10 minutes
+ When the session is idle for over 10 minutes
+ And the agent attempts any action post-timeout without re-logging
+ Then the session should end automatically requiring a fresh login
+ And audit logs must capture session timeout details
+
+ @session @ui @api
+ Scenario: Concurrent Session Management
+ Given an agent account is active on Device A
+ When the same agent logs in on Device B
+ Then Device B login forces logout from Device A
+ And an action on Device A should prompt a re-login
+ And logs should include session terminations and login attempts
+
+ @audit @ui
+ Scenario: Sensitive Action Audit Trail Verification
+ Given an agent has permission to change beneficiary details
+ When a new beneficiary is added
+ Then the audit log should record the action with full details
+ And attempts without permissions should be logged for failures
+
+ @fraud @api
+ Scenario: Fraud Signal Detection and Additional Verification
+ Given transaction rules are configured to identify high-risk actions
+ When an agent attempts a transaction exceeding the threshold
+ Then the system should identify it as high-risk and demand further verification
+ And audit logs must record the fraud assessment and verification prompt
+
+ @access_control @ui
+ Scenario: Call Recording Access Control Verification
+ Given recordings are accessible only by supervisors
+ When a supervisor searches and plays a recording
+ Then the action should be successful
+ And an agent attempting the same should be denied with an error message
+ And audit trails should log access attempts and roles
+
+ @error_handling @ui
+ Scenario Outline: Secure Error Handling and Message Consistency
+ Given an agent has role-based access
+ When "" triggers a system error
+ Then the error message should be generic and secure
+ And should not expose internal system information
+
+ Examples:
+ | action |
+ | accessing unauthorized section |
+ | entering invalid data |
+ | malicious input for error trigger |
diff --git a/functional_tests/roost_test_1768112379/roost_test_1768112379.json b/functional_tests/roost_test_1768112379/roost_test_1768112379.json
new file mode 100644
index 00000000..1839d6b2
--- /dev/null
+++ b/functional_tests/roost_test_1768112379/roost_test_1768112379.json
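Review bot: The Scenario Outline steps bind nothing from their Examples tables: `And enters a valid "" and ""`, `When the agent repeatedly enters an invalid "" or "" for 5 attempts`, `enters the answer ""`, `Then the system should "" the verification` and `When "" triggers a system error` all carry empty strings where `<username>`, `<password>`, `<mfa_code>`, `<kba_answer>`, `<result>` and `<action>` placeholders are expected, so every row would execute the same literal step; this may be an extraction artifact if the angle-bracket placeholders were stripped, so the committed file should be checked. Even with the placeholders restored, the first outline's row `| locked_user | wrong_pass | 123456 |` is still asserted against `Then the agent should be logged in successfully`, so a negative row either fails or passes vacuously; it needs its own expected outcome, e.g. an added `| result |` column driving `Then the login should "<result>"`, or it belongs under the Account Lockout outline that follows. The KBA outline has the same shape problem, since `proceed`, `block` and `additional` are routed through one `Then` step and would need distinct assertions per outcome.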
@@ -0,0 +1 @@ +[{"type":"functional","title":"Agent Authentication with MFA and Account Lockout","description":"Test whether an agent can log in using SSO and MFA, including account lockout after multiple failed attempts.","testId":"TC-001","testDescription":"Agents attempt to log in using SSO credentials and complete MFA. Account lockout handled correctly after failed attempts.","prerequisites":"Agent account exists with SSO and MFA configured. Account not currently locked.","stepsToPerform":"1. Navigate to login page.\n2. Enter valid SSO username and password.\n3. Enter MFA code received.\n4. Repeat steps with invalid password for 5 attempts.\n5. Try logging in again.","expectedResult":"Agent logs in after valid SSO and MFA verification. Account locks after 5 failed attempts, preventing further logins.","negativeVariations":"Attempt login with incorrect SSO/MFA repeatedly to trigger lockout.","auditLogsToVerify":"Log user ID, timestamp, login attempts, and account lock status.","securityAssertions":"Account locks after incorrect attempts, MFA ensures secure login.","priority":"P0","automationFeasibility":"High, Selenium for UI actions, Postman for API verification.","coverageTags":["Authentication","MFA","Account Lockout"]},{"type":"functional","title":"RBAC Enforcement for Supervisor Screens","description":"Ensure that agents cannot access supervisor-only functionalities.","testId":"TC-002","testDescription":"Agents attempting to access supervisor dashboards or screens should be denied.","prerequisites":"Agent account has basic permissions. Supervisor screen URLs available for testing.","stepsToPerform":"1. Login as an agent.\n2. Attempt to access a URL specific to supervisor roles.\n3. 
Observe the system's response.","expectedResult":"Access to supervisor screens denied to agents, error message displayed.","negativeVariations":"Attempt to access supervisor URLs directly via browser address bar.","auditLogsToVerify":"Documented access attempt, denied action, and role mismatch.","securityAssertions":"Access control policies enforced correctly, preventing unauthorized access.","priority":"P0","automationFeasibility":"Medium, Selenium or Postman depending on access method.","coverageTags":["RBAC","Access Control"]},{"type":"functional","title":"Customer Identification and KBA Verification","description":"Validating customer's identity using KBA during verification processes.","testId":"TC-003","testDescription":"Agents use correct and incorrect answers for KBA questions during customer verification.","prerequisites":"Valid customer account with KBA details set up in the system.","stepsToPerform":"1. Initiate verification for a customer.\n2. Present KBA question.\n3. Enter correct answer.\n4. Reinitiate verification and enter incorrect answer.","expectedResult":"Correct answers proceed verification, incorrect answers block or initiate additional steps.","negativeVariations":"Enter random answers to KBA questions to test resilience.","auditLogsToVerify":"Log customer ID, timestamp, KBA answers passed/failed, session ID.","securityAssertions":"KBA must confirm verified identity securely.","priority":"P1","automationFeasibility":"Medium, Selenium for UI and API verification with mock data.","coverageTags":["KBA Verification","Customer Identification"]},{"type":"functional","title":"PII/PCI Data Masking in Customer Profiles","description":"Verify compliance with PII/PCI data masking rules within customer interfaces.","testId":"TC-004","testDescription":"Check that sensitive information like PAN and CVV are masked in agent interfaces.","prerequisites":"Agent logged in with access to customer profiles containing PII/PCI fields.","stepsToPerform":"1. 
Access customer profile containing card information.\n2. Observe the visibility of PAN, CVV, and other sensitive data.","expectedResult":"PAN should be partially masked, and CVV completely hidden.","negativeVariations":"Attempt to view masked details through browser inspection tools.","auditLogsToVerify":"Log fields accessed, user role, and masking status confirmed in audit.","securityAssertions":"Data masking prevents unauthorized access to plain data.","priority":"P0","automationFeasibility":"High, Selenium to check UI masking and penetration testing.","coverageTags":["PII","PCI","Data Masking"]},{"type":"functional","title":"Session Timeout and Security Handling","description":"Implement and verify session timeout controls and validity of session tokens post timeout.","testId":"TC-005","testDescription":"Test idle session timeout and subsequent logout handling.","prerequisites":"Agent logged in, session timeout set to configured period (e.g., 10 minutes).","stepsToPerform":"1. Log in as an agent.\n2. Remain idle until timeout period elapses.\n3. 
Attempt any action post timeout without re-logging.","expectedResult":"Session ends automatically after idle period, requiring fresh login for any action.","negativeVariations":"Leave session idle, then use browser back button to test session resume.","auditLogsToVerify":"Log when the session timed out, attempted actions post-timeout.","securityAssertions":"Automatic logout ensures session is secure from unauthorized activity.","priority":"P1","automationFeasibility":"High, automated scripts to time session discrepancies.","coverageTags":["Session Management","Security"]},{"type":"functional","title":"Concurrent Session Management","description":"Verify that concurrent sessions are not allowed for agents, enforcing a single active session at a time.","testId":"TC-006","testDescription":"Test system behavior when an agent attempts to log in from two different devices simultaneously.","prerequisites":"Agent account is active and currently logged in on a primary device.","stepsToPerform":"1. Log in to the agent account on Device A.\n2. Log in to the same agent account on Device B.\n3. Attempt any action on Device A post Device B login.","expectedResult":"Device B login forces logout from Device A. 
Actions attempted on Device A should prompt a re-login.","negativeVariations":"Attempt multiple logins from different IPs to test session consistency.","auditLogsToVerify":"Log user ID, timestamp, device ID, session terminations, and login attempts.","securityAssertions":"Sessions should be valid only for one active login per agent.","priority":"P0","automationFeasibility":"High, using Selenium for UI interaction and session API verification.","coverageTags":["Session Management","Concurrency"]},{"type":"functional","title":"Sensitive Action Log and Audit Trail","description":"Ensure sensitive actions like beneficiary management are correctly logged for audit purposes.","testId":"TC-007","testDescription":"Perform a sensitive change in the system and check the audit log for accuracy.","prerequisites":"Agent account with permission to change beneficiary details.","stepsToPerform":"1. Log in to the system as an authorized agent.\n2. Navigate to the beneficiary management section.\n3. Add a new beneficiary.\n4. Save changes.","expectedResult":"New beneficiary addition is successful. 
Audit log contains user ID, role, timestamp, action, and relevant details.","negativeVariations":"Attempt to add a beneficiary without required permissions to test audit entry on failure.","auditLogsToVerify":"Verify that beneficiary additions are recorded with complete details including who, when, and what was changed.","securityAssertions":"All sensitive actions must be irrevocably logged in the audit trail.","priority":"P0","automationFeasibility":"Medium, because audit log verification may require backend database access.","coverageTags":["Audit Trail","Sensitive Actions"]},{"type":"functional","title":"Fraud Signal Detection and Handling","description":"Ensure that the system correctly detects and handles fraud signals, necessitating additional verification.","testId":"TC-008","testDescription":"Simulate a high-risk transaction to verify if additional fraud checks are invoked.","prerequisites":"Agent account with permission to conduct transactions, fraud rules configured in the system.","stepsToPerform":"1. Log in to the system as an agent.\n2. Attempt a high-value transaction exceeding the defined threshold.\n3. 
Observe the system prompts for additional verification.","expectedResult":"The system identifies the transaction as high-risk and requires additional steps for verification, such as OTP or approval.","negativeVariations":"Attempt lower-value transactions to verify no unnecessary fraud checks are triggered.","auditLogsToVerify":"Ensure there are logs detailing the risk assessment, user action, and additional verification prompted.","securityAssertions":"High-risk transactions must trigger appropriate security measures.","priority":"P1","automationFeasibility":"High, simulate transactions using test environments.","coverageTags":["Fraud Detection","Risk Management"]},{"type":"functional","title":"Call Recording Access Control Verification","description":"Check if access to call recordings is appropriately restricted to authorized roles.","testId":"TC-009","testDescription":"Verify access controls surrounding the search and play functions for call recordings.","prerequisites":"Recordings available in the system, supervisor role established with necessary permissions.","stepsToPerform":"1. Log in as a supervisor.\n2. Attempt to search for a specific call recording.\n3. Play the call recording.\n4. 
Log in as an agent and attempt the same actions.","expectedResult":"Supervisor can search and play recordings successfully; agent access is denied with an appropriate message.","negativeVariations":"Try accessing recordings from a role lacking permission to ensure access is blocked.","auditLogsToVerify":"Check logs for attempts to access recordings, user role, time of access, and success/failure indication.","securityAssertions":"Only authorized roles should access sensitive call recordings.","priority":"P0","automationFeasibility":"Medium, require both UI and backend log validations.","coverageTags":["Access Control","Call Recording"]},{"type":"functional","title":"Secure Error Handling and Message Consistency","description":"Ensure that error messages do not leak sensitive system information.","testId":"TC-010","testDescription":"Trigger various errors intentionally and validate that error messages are generic and do not expose internal details.","prerequisites":"Agent role with access to systems prone to standard errors.","stepsToPerform":"1. Log in as an agent.\n2. Intentionally cause system errors by entering invalid data or accessing unauthorized areas.\n3. 
Observe the error messages produced.","expectedResult":"Error messages should be consistent across different scenarios and should not divulge any system internals or sensitive information.","negativeVariations":"Attempt unauthorized access with malicious input to test error handling response.","auditLogsToVerify":"Review logs for handled errors and confirm error message outputs.","securityAssertions":"Errors must be handled securely to prevent information disclosure.","priority":"P1","automationFeasibility":"High, as errors can be simulated and validated through automated scripts.","coverageTags":["Error Handling","Security"]},{"type":"functional","title":"Concurrent Session Management for Agent Accounts","description":"Verify that concurrent sessions are not allowed for agents, ensuring a single active session at a time.","testId":"TC-006","testDescription":"Test system behavior when an agent attempts to log in from two different devices simultaneously.","prerequisites":"Agent account is active and currently logged in on a primary device.","stepsToPerform":"1. Log in to the agent account on Device A.\n2. Log in to the same agent account on Device B.\n3. Attempt any action on Device A post Device B login.","expectedResult":"Device B login forces logout from Device A. 
Actions attempted on Device A should prompt a re-login.","negativeVariations":"Attempt multiple logins from different IPs to test session consistency.","auditLogsToVerify":"Log user ID, timestamp, device ID, session terminations, and login attempts.","securityAssertions":"Sessions should be valid only for one active login per agent.","priority":"P0","automationFeasibility":"High, using Selenium for UI interaction and session API verification.","coverageTags":["Session Management","Concurrency"]},{"type":"functional","title":"Sensitive Action Audit Trail Verification","description":"Ensure sensitive actions like beneficiary management are correctly logged for audit purposes.","testId":"TC-007","testDescription":"Perform a sensitive change in the system and check the audit log for accuracy.","prerequisites":"Agent account with permission to change beneficiary details.","stepsToPerform":"1. Log in to the system as an authorized agent.\n2. Navigate to the beneficiary management section.\n3. Add a new beneficiary.\n4. Save changes.","expectedResult":"New beneficiary addition is successful. 
Audit log contains user ID, role, timestamp, action, and relevant details.","negativeVariations":"Attempt to add a beneficiary without required permissions to test audit entry on failure.","auditLogsToVerify":"Verify that beneficiary additions are recorded with complete details including who, when, and what was changed.","securityAssertions":"All sensitive actions must be irrevocably logged in the audit trail.","priority":"P0","automationFeasibility":"Medium, because audit log verification may require backend database access.","coverageTags":["Audit Trail","Sensitive Actions"]},{"type":"functional","title":"Fraud Signal Detection and Handling","description":"Ensure that the system correctly detects and handles fraud signals, necessitating additional verification.","testId":"TC-008","testDescription":"Simulate a high-risk transaction to verify if additional fraud checks are invoked.","prerequisites":"Agent account with permission to conduct transactions, fraud rules configured in the system.","stepsToPerform":"1. Log in to the system as an agent.\n2. Attempt a high-value transaction exceeding the defined threshold.\n3. 
Observe the system prompts for additional verification.","expectedResult":"The system identifies the transaction as high-risk and requires additional steps for verification, such as OTP or approval.","negativeVariations":"Attempt lower-value transactions to verify no unnecessary fraud checks are triggered.","auditLogsToVerify":"Ensure there are logs detailing the risk assessment, user action, and additional verification prompted.","securityAssertions":"High-risk transactions must trigger appropriate security measures.","priority":"P1","automationFeasibility":"High, simulate transactions using test environments.","coverageTags":["Fraud Detection","Risk Management"]},{"type":"functional","title":"Call Recording Access Control Verification","description":"Check if access to call recordings is appropriately restricted to authorized roles.","testId":"TC-009","testDescription":"Verify access controls surrounding the search and play functions for call recordings.","prerequisites":"Recordings available in the system, supervisor role established with necessary permissions.","stepsToPerform":"1. Log in as a supervisor.\n2. Attempt to search for a specific call recording.\n3. Play the call recording.\n4. 
Log in as an agent and attempt the same actions.","expectedResult":"Supervisor can search and play recordings successfully; agent access is denied with an appropriate message.","negativeVariations":"Try accessing recordings from a role lacking permission to ensure access is blocked.","auditLogsToVerify":"Check logs for attempts to access recordings, user role, time of access, and success/failure indication.","securityAssertions":"Only authorized roles should access sensitive call recordings.","priority":"P0","automationFeasibility":"Medium, require both UI and backend log validations.","coverageTags":["Access Control","Call Recording"]},{"type":"functional","title":"Secure Error Handling and Message Consistency","description":"Ensure that error messages do not leak sensitive system information.","testId":"TC-010","testDescription":"Trigger various errors intentionally and validate that error messages are generic and do not expose internal details.","prerequisites":"Agent role with access to systems prone to standard errors.","stepsToPerform":"1. Log in as an agent.\n2. Intentionally cause system errors by entering invalid data or accessing unauthorized areas.\n3. Observe the error messages produced.","expectedResult":"Error messages should be consistent across different scenarios and should not divulge any system internals or sensitive information.","negativeVariations":"Attempt unauthorized access with malicious input to test error handling response.","auditLogsToVerify":"Review logs for handled errors and confirm error message outputs.","securityAssertions":"Errors must be handled securely to prevent information disclosure.","priority":"P1","automationFeasibility":"High, as errors can be simulated and validated through automated scripts.","coverageTags":["Error Handling","Security"]}] \ No newline at end of file 
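Review bot: The array holds 15 test cases but `testId` is not unique: `TC-006` through `TC-010` each appear twice (the second `TC-006` is titled `Concurrent Session Management for Agent Accounts`, and the remaining four repeat the first set word for word), while the companion CSV lists 11 scenarios. Any consumer that keys on `testId`, such as the xlsx/docx exports or a tracker import, would silently overwrite or double-count these entries, so the duplicates should be dropped and the generator should reject a non-unique `testId` before writing the file. Separately, `TC-001` folds two of the CSV's scenarios (`Agent Authentication with SSO and MFA` and `Account Lockout after Failed Login Attempts`) into one case, so the CSV, feature and JSON artifacts disagree on the scenario set. The file is also a single-line top-level array with no trailing newline; an object envelope such as `{"testCases": [...]}` would leave room for the execution metadata the README records and make the file easier to diff.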
diff --git a/functional_tests/roost_test_1768112379/roost_test_1768112379.xlsx b/functional_tests/roost_test_1768112379/roost_test_1768112379.xlsx
new file mode 100644
index 00000000..7d1548b5
Binary files /dev/null and b/functional_tests/roost_test_1768112379/roost_test_1768112379.xlsx differ