diff --git a/functional_tests/README.md b/functional_tests/README.md
new file mode 100644
index 00000000..52e597b3
--- /dev/null
+++ b/functional_tests/README.md
@@ -0,0 +1,19 @@
+# Roost Generated Functional Test
+
+**Execution Date:** 1/11/2026, 12:01:48 PM
+
+**Test Unique Identifier:** "roost_test_1768113016"
+
+**Input(s):**
+ 1. bankspromot.txt
+ Path: ../tcs/bankspromot.txt
+
+**Test Output Folder:**
+ 1. [roost_test_1768113016.json](roost_test_1768113016/roost_test_1768113016.json)
+ 2. [roost_test_1768113016.feature](roost_test_1768113016/roost_test_1768113016.feature)
+ 3. [roost_test_1768113016.csv](roost_test_1768113016/roost_test_1768113016.csv)
+ 4. [roost_test_1768113016.xlsx](roost_test_1768113016/roost_test_1768113016.xlsx)
+ 5. [roost_test_1768113016.docx](roost_test_1768113016/roost_test_1768113016.docx)
+
+---
+
diff --git a/functional_tests/roost_test_1768113016/.roost/roost_metadata.json b/functional_tests/roost_test_1768113016/.roost/roost_metadata.json
new file mode 100644
index 00000000..42f525e9
--- /dev/null
+++ b/functional_tests/roost_test_1768113016/.roost/roost_metadata.json
@@ -0,0 +1,24 @@
+{
+ "project": {
+ "name": "roost_test_1768113016",
+ "created_at": "2026-01-11T06:31:48.279Z",
+ "updated_at": "2026-01-11T06:31:48.279Z"
+ },
+ "files": {
+ "input_files": [
+ {
+ "fileName": "roost_test_1768113016.txt",
+ "fileURI": "/var/tmp/Roost/RoostGPT/TCSBaNCS_functional-after-fix/1768113016/functional_tests/roost_test_1768113016/roost_test_1768113016.txt",
+ "fileSha": "cf83e1357e"
+ },
+ {
+ "fileName": "bankspromot.txt",
+ "fileURI": "/var/tmp/Roost/RoostGPT/TCSBaNCS_functional-after-fix/1768113016/functional_tests/roost_test_1768113016/bankspromot.txt",
+ "fileSha": "14a19da7ed"
+ }
+ ]
+ },
+ "api_files": {
+ "input_files": []
+ }
+}
\ No newline at end of file
diff --git a/functional_tests/roost_test_1768113016/roost_test_1768113016.csv b/functional_tests/roost_test_1768113016/roost_test_1768113016.csv
new file mode 100644
index 00000000..397b5877
--- /dev/null
+++ b/functional_tests/roost_test_1768113016/roost_test_1768113016.csv
@@ -0,0 +1,6 @@
+"Scenario: Agent Login with SSO and MFA"
+"Scenario Outline: Supervisor Role-Based Access Control"
+"Scenario Outline: Customer Identity Verification via OTP"
+"Scenario Outline: Access Control on Transaction Handling by Agents"
+"Scenario Outline: Secure Password Reset Process"
+"Scenario Outline: Fraudulent Transaction Alerts and Blocking"
diff --git a/functional_tests/roost_test_1768113016/roost_test_1768113016.feature b/functional_tests/roost_test_1768113016/roost_test_1768113016.feature
new file mode 100644
index 00000000..5e29157f
--- /dev/null
+++ b/functional_tests/roost_test_1768113016/roost_test_1768113016.feature
@@ -0,0 +1,84 @@
+Feature: Security and Access Control Functional Testing
+
+ # UI Test Scenarios
+ @ui
+ Scenario: Agent Login with SSO and MFA
+ Given I navigate to the login page
+ When I enter "agent****" as username and proceed with SSO
+ And I complete the MFA step using "****1234" as OTP
+ Then I should see a success message and access the system dashboard
+
+ @ui
+ Scenario Outline: Supervisor Role-Based Access Control
+ Given I log in as
+ When I attempt to access the supervisor dashboard
+ Then I should see
+
+ Examples:
+ | role | access_message |
+ | supervisor | Access granted |
+ | agent | Not authorized message |
+
+ # API Test Scenarios
+ @api
+ Scenario Outline: Customer Identity Verification via OTP
+ Given the API base URL is "https://api.example.com"
+ And the authorization token is set
+ When I initiate a high-risk transaction for customer with phone "+1*****1234"
+ And the system sends an OTP "****5678"
+ Then I send a POST request to "/api/verifyOTP" with payload """
+ {
+ "otp": ""
+ }
+ """
+ And the response status should be
+ And the response should contain ""
+
+ Examples:
+ | otp | status | message |
+ | ****5678 | 200 | Transaction successful |
+ | wrongOTP | 401 | Invalid OTP |
+
+ @api
+ Scenario Outline: Access Control on Transaction Handling by Agents
+ Given I log in as with appropriate credentials
+ When I navigate to the transaction handling section
+ Then I attempt to access a transaction requiring supervisor approval
+ And the response status should be
+ And the response should contain ""
+
+ Examples:
+ | user_type | status | access_message |
+ | agent | 403 | Not authorized |
+ | supervisor| 200 | Access granted |
+
+ @api
+ Scenario Outline: Secure Password Reset Process
+ Given the API base URL is "https://api.example.com"
+ When I initiate password reset for "agent****@example.com"
+ And I verify using "****1234" as OTP
+ Then I send a PATCH request to "/api/passwordReset" with payload """
+ {
+ "newPassword": ""
+ }
+ """
+ And the response status should be
+ And the response should contain ""
+
+ Examples:
+ | new_password | status | message |
+ | ****1234 | 200 | Password reset successful |
+ | short | 400 | Invalid password |
+
+ # Mixed UI and API Scenarios
+ @ui @api
+ Scenario Outline: Fraudulent Transaction Alerts and Blocking
+ Given I execute a transaction with ID "TXN****" that violates fraud detection rules
+ When the fraud detection system flags the transaction
+ Then the transaction is blocked
+ And an alert is sent to designated personnel with details ""
+
+ Examples:
+ | alert_message |
+ | Alert: Excessive Amount Detected |
+ | Alert: Transaction Suspended |
diff --git a/functional_tests/roost_test_1768113016/roost_test_1768113016.json b/functional_tests/roost_test_1768113016/roost_test_1768113016.json
new file mode 100644
index 00000000..2ba57308
--- /dev/null
+++ b/functional_tests/roost_test_1768113016/roost_test_1768113016.json
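Review bot: The OTP and credential arguments in the feature file are masked display values rather than runnable test data — `And the system sends an OTP "****5678"` followed by the example row `| ****5678 | 200 | Transaction successful |` means the positive case posts a literal asterisk string and expects success, and `And the authorization token is set` never says where the token comes from. Source the OTP from a test-only fixture or a mock of the OTP sender and the token from the runner's environment, and keep neither literal in the committed feature; the same applies to `"agent****"` and `"****1234"` in the MFA and password-reset scenarios, where `****1234` is also unlikely to satisfy a password policy that rejects `short`. The `<role>`, `<otp>`, `<user_type>`, `<new_password>` and `<alert_message>` placeholders named in the Examples headers are missing from the steps as shown here (`Given I log in as`, `"otp": ""`), which may be a rendering artefact of this page rather than of the file — worth confirming against the raw file. Only six of the fifteen test cases in roost_test_1768113016.json (TC-001 to TC-015) have a scenario here or a row in roost_test_1768113016.csv, and the MFA scenario carries none of the negative variations (wrong OTP, lockout after repeated failures) that TC-001 lists.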
@@ -0,0 +1 @@ +[{"type":"functional","title":"Agent Login with SSO and MFA","description":"Validate agent login process using Single Sign-On (SSO) and Multi-Factor Authentication (MFA).","testId":"TC-001","testDescription":"Ensure that an agent can securely log in to the system using SSO and MFA.","prerequisites":"Agent has valid credentials and MFA setup.","stepsToPerform":"1. Navigate to the login page.\n2. Enter username and proceed with SSO.\n3. Complete MFA step using OTP.\n4. Confirm successful login.","expectedResult":"Agent is logged into the system dashboard and a success message is displayed.","rolesInvolved":"Agent","testData":"Username: agent****, OTP: ****1234","negativeVariations":"Incorrect OTP, account lockout after multiple failed attempts.","auditAndLogsToVerify":"Login timestamp, user ID, MFA status.","securityAssertions":"Login requires SSO and MFA; accounts locked after failed attempts.","priority":"P0","automationFeasibility":"High, Suggested Tooling: Selenium","coverageTags":"authentication, mfa, security"},{"type":"functional","title":"Supervisor Role-Based Access Control","description":"Verify Role-Based Access Control for supervisor-level access.","testId":"TC-002","testDescription":"Ensure supervisors have access to management screens and agents do not.","prerequisites":"User accounts exist with appropriate roles assigned.","stepsToPerform":"1. Log in as supervisor.\n2. Attempt to access supervisor dashboard.\n3. Log in as agent.\n4. 
Attempt to access supervisor dashboard.","expectedResult":"Supervisor access allowed; agent access denied with a 'not authorized' message.","rolesInvolved":"Supervisor, Agent","testData":"Supervisor credentials: sup****, Agent credentials: ag****","negativeVariations":"Agent attempts unauthorized access.","auditAndLogsToVerify":"Access attempt logs with timestamps and user roles.","securityAssertions":"Access control rules are enforced based on roles.","priority":"P1","automationFeasibility":"Medium, Suggested Tooling: Selenium, Postman","coverageTags":"rbac, access control, security"},{"type":"functional","title":"Customer Identity Verification via OTP","description":"Test customer verification using One-Time Password (OTP) for secure transactions.","testId":"TC-003","testDescription":"Verify that customer identity can be confirmed using OTP during a risky transaction.","prerequisites":"Customer phone number registered in the system.","stepsToPerform":"1. Initiate a high-risk transaction.\n2. System sends OTP to customer's phone.\n3. Enter correct OTP to proceed.","expectedResult":"Transaction proceeds upon correct OTP entry.","rolesInvolved":"Customer, Agent","testData":"Phone: +1*****1234, OTP: ****5678","negativeVariations":"Invalid OTP prevents transaction.","auditAndLogsToVerify":"OTP generation logs, successful/failed authentication attempts.","securityAssertions":"Only correct OTP allows transaction progression.","priority":"P0","automationFeasibility":"High, Suggested Tooling: JMeter, Selenium","coverageTags":"otp, verification, security"},{"type":"functional","title":"PII Data Masking and Display","description":"Ensure PII data such as PAN and DOB are masked correctly.","testId":"TC-004","testDescription":"Verify that sensitive customer data is properly masked on agent screens.","prerequisites":"Customer data available in system with PII fields.","stepsToPerform":"1. Access customer profile as an agent.\n2. 
View masked fields (PAN, DOB).","expectedResult":"Sensitive fields are masked; only partial data is visible.","rolesInvolved":"Agent","testData":"PAN: 4111********1111, DOB: ****-**-15","negativeVariations":"Full PAN display in error messages.","auditAndLogsToVerify":"Access logs of PII fields.","securityAssertions":"PII masking adheres to regulatory requirements.","priority":"P0","automationFeasibility":"Medium, Suggested Tooling: Selenium","coverageTags":"pii, masking, compliance"},{"type":"functional","title":"Session Management and Timeout","description":"Test session timeout and automatic logout features.","testId":"TC-005","testDescription":"Verify that the system logs out users after a period of inactivity.","prerequisites":"Agent logged in to the system.","stepsToPerform":"1. Log in as agent.\n2. Remain inactive for period longer than session timeout.\n3. Attempt any action after session expires.","expectedResult":"User is logged out, and must re-authenticate.","rolesInvolved":"Agent","testData":"SessionTimeout: 15 minutes","negativeVariations":"Session remains active beyond timeout.","auditAndLogsToVerify":"Session start and end logs, inactivity duration.","securityAssertions":"Sessions auto-terminate after inactivity limit.","priority":"P0","automationFeasibility":"High, Suggested Tooling: Selenium","coverageTags":"session security, timeout, compliance"},{"type":"functional","title":"Access Control on Transaction Handling by Agents","description":"Validate that agents have the necessary permissions to view and handle specific customer transactions.","testId":"TC-006","testDescription":"Ensure that transaction handling is restricted based on agent roles.","prerequisites":"Agent login with appropriate role; transactions exist in the system.","stepsToPerform":"1. Log in as an agent.\n2. Navigate to the transaction handling section.\n3. 
Attempt to access a transaction requiring supervisor approval.","expectedResult":"Access to high-level transactions is denied with a 'not authorized' message.","rolesInvolved":"Agent, Supervisor","testData":"Agent credentials: ag*****","negativeVariations":"Agent tries to modify unauthorized transactions.","auditAndLogsToVerify":"Transaction access attempts, access denial logs.","securityAssertions":"Access to transactions is controlled by role-based permissions.","priority":"P1","automationFeasibility":"Medium, Suggested Tooling: Selenium","coverageTags":"access control, transactions, security"},{"type":"functional","title":"Sensitive Action Audit Trail","description":"Verify that every sensitive action in the system is recorded in the audit trail with complete details.","testId":"TC-007","testDescription":"Ensure actions such as beneficiary additions and card blocking are logged with necessary details.","prerequisites":"Successful agent login; access to customer account with permissions.","stepsToPerform":"1. Log in as an agent.\n2. Access a customer account.\n3. Add a new beneficiary.\n4. 
Block a customer card.","expectedResult":"All sensitive actions are logged with user, timestamp, and action details.","rolesInvolved":"Agent, Auditor","testData":"Beneficiary account: ****1234, Card: ****5678","negativeVariations":"Audit logs missing or incorrect for sensitive actions.","auditAndLogsToVerify":"Action logs for beneficiary additions and card blockings.","securityAssertions":"Audit logs are comprehensive and immutable.","priority":"P0","automationFeasibility":"High, Suggested Tooling: Log monitoring tools","coverageTags":"audit, sensitive actions, compliance"},{"type":"functional","title":"Concurrent Session Prevention","description":"Test the system's ability to prevent multiple concurrent sessions from a single user.","testId":"TC-008","testDescription":"Ensure that only one active session is possible per user, blocking simultaneous logins.","prerequisites":"Agent account with active session.","stepsToPerform":"1. Log in to the system as an agent.\n2. Attempt to log in with the same credentials on another device.","expectedResult":"Second login is denied, with a message indicating concurrent sessions are not allowed.","rolesInvolved":"Agent","testData":"Agent credentials: ag*****","negativeVariations":"Both sessions remain active, allowing concurrent logins.","auditAndLogsToVerify":"Session initiation and denial logs.","securityAssertions":"System prevents concurrent sessions effectively.","priority":"P0","automationFeasibility":"Medium, Suggested Tooling: Selenium","coverageTags":"session management, concurrency, security"},{"type":"functional","title":"Data Masking for Customer Information","description":"Confirm that customer data such as Social Security Numbers and account numbers are properly masked.","testId":"TC-009","testDescription":"Verify partial masking of SSNs and account numbers on the agent interface.","prerequisites":"Agent login and access to customer profiles.","stepsToPerform":"1. Access customer profile as an agent.\n2. 
View masked fields (SSN, Account Numbers).","expectedResult":"SSN and account number fields are partially masked and unreadable.","rolesInvolved":"Agent","testData":"SSN: 123-**-****, Account: 1234******7890","negativeVariations":"Full display of SSN or account numbers.","auditAndLogsToVerify":"Access logs to customer profile data.","securityAssertions":"Data masking adheres to regulatory and security standards.","priority":"P0","automationFeasibility":"High, Suggested Tooling: Selenium","coverageTags":"data masking, pii, compliance"},{"type":"functional","title":"Fraud Detection and Step-Up Authentication","description":"Evaluate the fraud detection system and the application of step-up authentication.","testId":"TC-010","testDescription":"Ensure risky actions trigger additional authentication measures to mitigate fraud.","prerequisites":"Customer account with flag triggers for high-risk transactions.","stepsToPerform":"1. Initiate a high-risk action as a customer.\n2. System detects risk and triggers additional verification.\n3. 
Complete verification to proceed.","expectedResult":"Action is paused until successful step-up verification.","rolesInvolved":"Customer, Fraud Monitoring Team","testData":"Phone: +1*******1234, Additional OTP: **5678","negativeVariations":"High-risk actions processed without step-up verification.","auditAndLogsToVerify":"Fraud detection signals, verification challenge initiation and response.","securityAssertions":"Step-up verification is enforced for all flagged actions.","priority":"P0","automationFeasibility":"High, Suggested Tooling: JMeter, Monitoring tools","coverageTags":"fraud detection, step-up, security"},{"type":"functional","title":"Secure Password Reset Process","description":"Validate the process for resetting an agent's password securely.","testId":"TC-011","testDescription":"Ensure the password reset procedure includes proper verification and confirmation steps.","prerequisites":"Agent's email and phone number registered in the system.","stepsToPerform":"1. Click on 'Forgot Password' on the login page.\n2. Enter registered email or phone number.\n3. Verify identity using OTP or security questions.\n4. 
Set a new password and confirm it.","expectedResult":"Password is reset and the agent is prompted to log in with the new password.","rolesInvolved":"Agent","testData":"Email: agent****@example.com, Phone: +1*****1234, New Password: ****1234","negativeVariations":"Incorrect answer to security questions or expired OTP prevents reset.","auditAndLogsToVerify":"Password reset request, verification step, completion timestamp.","securityAssertions":"Password reset requires verification and confirmation.","priority":"P0","automationFeasibility":"High, Suggested Tooling: Selenium","coverageTags":"password reset, security, verification"},{"type":"functional","title":"Least Privilege Access to Call Recordings","description":"Ensure agents have restricted access to sensitive call recordings.","testId":"TC-012","testDescription":"Verify that only authorized personnel can access call recordings.","prerequisites":"Call recordings exist in the system; roles defined with access permissions.","stepsToPerform":"1. Log in as an agent.\n2. Attempt to access call recordings.\n3. Log in as a supervisor.\n4. 
Access call recordings successfully.","expectedResult":"Agent access denied; supervisor access granted.","rolesInvolved":"Agent, Supervisor","testData":"Agent credentials: ag****, Supervisor credentials: sup****","negativeVariations":"Agent manages to bypass restrictions and access recordings.","auditAndLogsToVerify":"Access attempts, role-based access logs.","securityAssertions":"Call recordings are protected with least privilege access.","priority":"P0","automationFeasibility":"Medium, Suggested Tooling: Selenium, Access Management Tools","coverageTags":"access control, call recordings, security"},{"type":"functional","title":"Secure Handling of User Lockout","description":"Verify secure practices are in place for handling user lockout scenarios.","testId":"TC-013","testDescription":"Ensure users are notified properly and the process for unlocking accounts is secure.","prerequisites":"User is locked out due to multiple failed login attempts.","stepsToPerform":"1. Attempt to log in multiple times with incorrect credentials.\n2. Trigger account lockout.\n3. 
Follow the unlock procedure using email verification or administrator approval.","expectedResult":"User is notified of lockout and must follow secure procedures to unlock.","rolesInvolved":"Agent, Administrator","testData":"Email: user****@example.com, Attempts: 5, Unlock Method: Email Verification","negativeVariations":"Unlocked without proper verification.","auditAndLogsToVerify":"Lockout events, unlock procedure timestamp, verification logs.","securityAssertions":"Account lockout and unlock processes are properly logged and secure.","priority":"P1","automationFeasibility":"High, Suggested Tooling: Selenium","coverageTags":"user lockout, security, account management"},{"type":"functional","title":"Integrity of Customer Profile Changes","description":"Test the secure update mechanisms for customer profiles.","testId":"TC-014","testDescription":"Ensure changes to customer profiles are securely logged and authorized.","prerequisites":"Customer profile with editable fields available.","stepsToPerform":"1. Log in as an agent.\n2. Access a customer profile.\n3. Update critical information such as address or phone number.\n4. 
Complete an approval step if necessary.","expectedResult":"Changes are authorized and logged with audit details.","rolesInvolved":"Agent, Supervisor","testData":"Customer ID: CUST****, New Address: 123 New St, Confirmation Required: Yes","negativeVariations":"Unauthorized changes to profile fields.","auditAndLogsToVerify":"Profile changes, authorization logs, before/after state.","securityAssertions":"All profile changes require authorization and produce audit entries.","priority":"P0","automationFeasibility":"Medium, Suggested Tooling: Selenium, Log Management Tools","coverageTags":"profile management, audit, security"},{"type":"functional","title":"Fraudulent Transaction Alerts and Blocking","description":"Validate the system's ability to block suspicious transactions and alert relevant personnel.","testId":"TC-015","testDescription":"Ensure that fraudulent transaction attempts are detected, blocked, and logged.","prerequisites":"System configured with fraud detection rules; test accounts flagged for high-risk transactions.","stepsToPerform":"1. Execute a transaction that violates fraud detection rules.\n2. Observe system behavior as transaction is flagged and blocked.\n3. Notify relevant personnel via alerts.","expectedResult":"Transaction is blocked; alerts are sent to designated personnel.","rolesInvolved":"Agent, Fraud Analyst","testData":"Transaction ID: TXN****, Fraud Rule: Excessive Amount","negativeVariations":"Fraudulent transactions processed without detection.","auditAndLogsToVerify":"Fraud alert logs, transaction blocking events.","securityAssertions":"Fraud detection and blocking mechanisms are effective.","priority":"P0","automationFeasibility":"High, Suggested Tooling: Fraud Detection Systems, Alerting Tools","coverageTags":"fraud detection, transaction security, alerts"}] \ No newline at end of file 
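Review bot: The record shape packs structured data into strings — `stepsToPerform` is a numbered list joined with `\n`, `coverageTags` is a comma-separated list, and `automationFeasibility` fuses a level with a tool list (`"High, Suggested Tooling: Selenium"`) — so any consumer has to re-parse prose to filter by tag or tool. Model them as `"stepsToPerform": ["Navigate to the login page", …]`, `"coverageTags": ["authentication", "mfa", "security"]` and `"automationFeasibility": {"level": "High", "tooling": ["Selenium"]}`, and wrap the top-level array in an object so a count or schema version can be added later without breaking readers. Several securityAssertions are not checkable by the listed steps — TC-007 asserts audit logs are `immutable` and TC-005 states a 15-minute timeout with no step that measures it — and TC-004 and TC-009 describe the same PII-masking check under two titles. The file is a single 15-element line, so a diff will never localise a change to one test case; pretty-printing it with one key per line would make future review possible.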
diff --git a/functional_tests/roost_test_1768113016/roost_test_1768113016.xlsx b/functional_tests/roost_test_1768113016/roost_test_1768113016.xlsx
new file mode 100644
index 00000000..7dd4b8e3
Binary files /dev/null and b/functional_tests/roost_test_1768113016/roost_test_1768113016.xlsx differ