Security/QA/TestPlans/Web Authentication
< Security
Jump to navigation
Jump to search
Approvals Required / Received
The following individuals are required to/have approved this Test Plan:
| Name | Title | Department | Approval Date | Method |
|---|---|---|---|---|
| QA Manager | Product Integrity | Date | ||
| JC Jones | Software Engineer | Engineering | Date | |
| EPM | Product Management | Date |
Revision History
This section describes the modifications that have been made to this wiki page. A new row has been completed each time the content of this document is updated (small corrections for typographical errors do not need to be recorded). The description of the modification contains the differences from the prior version, in terms of what sections were updated and to what extent.
| Date | Version | Author | Description |
|---|---|---|---|
| 2017-08-16 | 1.0 | Matt Wobensmith | Created first draft |
Overview
Purpose
Detail the purpose of this document. For example:
- The test scope, focus areas and objectives
- The test responsibilities
- The test strategy for the levels and types of test for this release
- The entry and exit criteria
- The basis of the test estimates
- Any risks, issues, assumptions and test dependencies
- The test schedule and major milestones
- The test deliverables
Scope
This wiki details the testing that will be performed by the project team for the <project name> project. It defines the overall testing requirements and provides an integrated view of the project test activities. Its purpose is to document:
- What will be tested
- How testing will be performed
Ownership
This feature is being tested by both Mozilla and one or more third parties.
- Yubico is performing smoke tests using hardware keys across a range of hardware and software
- JC Jones and Tim Taubert have created unit tests for both JS API and hardware interaction
- The Fuzzing team has been enlisted, initially to test USB interaction, time frame unknown
- The PI Security team has been requested to perform a security review between now and mid-September 2017.
- Matt Wobensmith (QA) is responsible for the entire process, as well as creating manual scenario tests
- Mozilla's QA - most likely SoftVision - will use the manual tests for ongoing build certification post-feature-signoff
Testing summary
Scope of Testing
In Scope
- Web Authentication, as well as U2F (both soft token and hardware) if we decide to ship it
- All JS APIs
- Fuzzing wherever possible
- A range of scenario tests that mirror user interaction, including boundary and error cases
Out of Scope
- Yubico has provided us with some USB keys to test with, but the full range of keys plus hardware is not something we have available to us. We are relying on their help but will not be able to replicate their coverage, and will run passes using existing hardware in our possession.
- This feature is not currently supported on Fennec.
Requirements for testing
Environments
We support the same OS and hardware configurations that Firefox supports on desktop only.
Channel dependent settings (configs) and environment setups
The feature is controlled by prefs that are gated to channels at the moment. To control this feature, set the following prefs to true:
security.webauth.u2f; security.webauth.u2f_enable_softtoken; security.webauth.u2f_enable_usbtoken; security.webauth.webauthn; security.webauth.webauthn_enable_softtoken; security.webauth.webauthn_enable_usbtoken;
Nightly
Currently set to false.
Beta
Currently set to false.
Post Beta / Release
Depending on ship decisions, will be set to true.
Test Strategy
Risk Assessment and Coverage
| ID | Description / Threat Description | Covered by Test Objective | Magnitude | Probability | Priority | Impact Score |
|---|---|---|---|---|---|---|
| RAC-1 | Incorrect authentication allows security bypass | TO-1, TO-2, TO-3 | 3-High | 1-Unlikely | 2-Moderate | 6 |
| RAC-2 | XSS/information leak | TO-1, TO-3 | 3-High | 1-Almost Certain | 1-Low | 3 |
| RAC-3 | Confined to secure context | TO-1, TO-3 | 2-Moderate | 2-Possible | 1-Low | 4 |
| RAC-4 | Incorrectly functioning JS API | TO-1 | 3-High | 2-Possible | 2-Moderate | 12 |
| RAC-5 | Stability for entire feature | TO-1, TO-2 | 3-High | 2-Possible | 3-High | 18 |
| RAC-6 | Interaction with other aspects of normal Firefox usage | TO-1, TO-2 | 3-Moderate | 3-Almost Certain | 3-High | 27 |
| RAC-7 | Memory issues in JS API and hardware support code | TO-3 | 3-High | 1-Unlikely | 2-Moderate | 6 |
| RAC-8 | Incorrectly functioning hardware | TO-2 | 2-Moderate | 1-Unlikely | 1-Low | 2 |
Values:
- Magnitude: 1- Low , 2-Moderate, 3-High
- Probability: 1-Unlikely, 2-Possible, 3-Almost Certain
- Priority: 1 - Low, 2-Medium, 3-High
Impact Score Breakdown:
- An impact value of 1, 2, 3, 4 would describe an area which although should be covered there aren't expected any discoveries of critical issues.
- An impact value of 6, 8, 9, 12 would describe an area in which we expect to find issues but those issues are not expected to be critical.
- An impact value of 18 or 27 would describe an area on which it is likely to find issues and those issues to be critical or blockers.
Test Objectives
This section details the progression test objectives that will be covered. Please note that this is at a high level. For large projects, a suite of test cases would be created which would reference directly back to this master. This could be documented in bullet form or in a table similar to the one below.
| Ref | Function | Test Objective | Evaluation Criteria | Test Type | RAC | Owners |
|---|---|---|---|---|---|---|
| TO1 | JS API | Verify functionality | All tests indicate stable, functional API for using Web Authentication and/or U2F with both hardware and software tokens | Manual/ Automation / Usability | RAC-1, RAC-2, RAC-3, RAC-4, RAC-5, RAC-6 | Eng Team, QA |
| TO2 | Hardware support via USB token | Verify functionality | All tests indicate stable, functional support of USB hardware keys, as above | Manual/ Automation / Usability | RAC-1, RAC-5, RAC-6, RAC-8 | Eng Team, QA |
| TO3 | Stable, secure code | Fuzzing and security review | All testing and inspection surfaces known security issues | Manual/ Security | RAC-1, RAC-2, RAC-3, RAC-7 | Eng Team, QA, PI Fuzzing + Sec Review |
Builds
This section should contain links for builds with the feature -
- Links for Nightly builds
- Links for Beta builds
Test Execution Schedule
The following table identifies the anticipated testing period available for test execution.
| Project phase | Start Date | End Date |
|---|---|---|
| Start project | 2017-08-01 | |
| Study documentation/specs received from developers | 2017-08-01 | |
| QA - Test plan creation | 2017-08-01 | |
| QA - Test cases/Env preparation | 2017-08-01 | |
| QA - Nightly Testing | ||
| QA - Beta Testing | ||
| Release Date |
Testing Tools
Detail the tools to be used for testing, for example see the following table:
| Process | Tool |
|---|---|
| Test plan creation | Mozilla wiki |
| Test case creation | TestRail/ Google docs |
| Test case execution | TestRail |
| Bugs management | Bugzilla |
Status
Overview
Track the dates and build number where feature was released to Nightly Track the dates and build number where feature was merged to Release/Beta
References
Testcases
Test Areas
| Test Areas | Covered | Details |
|---|---|---|
| Private Window | yes | Test case |
| Multi-Process Enabled | yes | |
| Multi-process Disabled | yes | |
| Theme (high contrast) | no | n/a |
| UI | ||
| Mouse-only operation | no | n/a |
| Keyboard-only operation | no | n/a |
| Display (HiDPI) | no | n/a |
| Interaction (scroll, zoom) | no | n/a |
| Usable with a screen reader | no | n/a |
| Usability and/or discoverability testing | no | n/a |
| RTL build testing | no | n/a |
| Help/Support | ||
| Help/support interface required | no | |
| Support documents planned(written) | no | |
| Install/Upgrade | ||
| Feature upgrades/downgrades data as expected | no | n/a |
| Does sync work across upgrades | no | n/a |
| Requires install testing | no | n/a |
| Affects first-run or onboarding | no | n/a |
| Does this affect partner builds? Partner build testing | no | n/a |
| Enterprise | Raise up the topic to developers to see if they are expecting to work different on ESR builds | |
| Enterprise administration | no | |
| Network proxies/autoconfig | no | |
| ESR behavior changes | no | |
| Locked preferences | no | |
| Data Monitoring | ||
| Temporary or permanent telemetry monitoring | no | |
| Telemetry correctness testing | no | |
| Server integration testing | yes | If provided by third parties, yes, otherwise no |
| Offline and server failure testing | no | |
| Load testing | no | |
| Add-ons | If add-ons are available for testing feature, or is current feature will affect some add-ons, then API testing should be done for the add-on. | |
| Addon API required? | no | |
| Comprehensive API testing | no | |
| Permissions | no | |
| Testing with existing/popular addons | no | |
| Security | Security is in charge of Matt Wobensmith. We should contact his team to see if security testing is necessary for current feature. | |
| 3rd-party security review | no | In-house security review, yes |
| Privilege escalation testing | yes | QA + PI security review |
| Fuzzing | yes | Engineering + PI fuzzing team |
| Web Compatibility | depends on the feature | |
| Testing against target sites | yes | Sample sites are available |
| Survey of many sites for compatibility | yes | If we support U2F, we can try to find U2F-enabled sites |
| Interoperability | depends on the feature | |
| Common protocol/data format with other software: specification available. Interop testing with other common clients or servers. | yes | This is inherent in the feature, w/r/t hardware keys |
| Coordinated testing/interop across the Firefoxes: Desktop, Android, iOS | yes | Fennec and Focus support TBD |
| Interaction of this feature with other browser features | yes | Largest area of targeted testing by QA |
Test suite
Full Test suite - Link to test rail - testcases should be added under Firefox Desktop project link Smoke Test suite - Link with the tests - if available/needed. Regression Test suite - Link with the tests - if available/needed.
Bug Work
Logged bugs ( blocking 1294514 )
| ID | Priority | Component | Assigned to | Summary | Status | Target milestone |
|---|---|---|---|---|---|---|
| 1245527 | P3 | DOM: Device Interfaces | J.C. Jones [:jcj] (he/they) | Integrate the FIDO U2F JS API with the u2f-hid-rs library | RESOLVED | mozilla57 |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);
Bug fix verification
| ID | Priority | Component | Assigned to | Summary | Status | Resolution | Target milestone |
|---|---|---|---|---|---|---|---|
| 1245527 | P3 | DOM: Device Interfaces | J.C. Jones [:jcj] (he/they) | Integrate the FIDO U2F JS API with the u2f-hid-rs library | RESOLVED | FIXED | mozilla57 |
1 Total; 0 Open (0%); 1 Resolved (100%); 0 Verified (0%);
Sign off
Criteria
Checklist
- All test cases should be executed
- Has sufficient automated test coverage (as measured by code coverage tools) - coordinate with RelMan
- All blockers, criticals must be fixed and verified or have an agreed-upon timeline for being fixed (as determined by engineering/RelMan/QA)
Results
Nightly testing
List of OSes that will be covered by testing
- Link for the tests run
- Full Test suite, link to TestRail - Tests Runs and Results link
- Daily Smoke, if needed/available
- Regression Test suite, if needed/available
Merge to Beta Sign-off
List of OSes that will be covered by testing
- Link for the tests run
- Full Test suite
Checklist
| Exit Criteria | Status | Notes/Details |
|---|---|---|
| Testing Prerequisites (specs, use cases) | ||
| Testing Infrastructure setup | ||
| Test Plan Creation | ||
| Test Cases Creation | ||
| Automation Coverage | ||
| Performance Testing | ||
| All Defects Logged | ||
| Critical/Blockers Fixed and Verified | ||
| Metrics/Telemetry | ||
| Basic/Core functionality Nightly testing | ||
| QA mid-Nightly Signoff | Email to be sent | |
| QA Nightly - Full Testing | ||
| QA pre-Beta Signoff | Email to be sent | |
| QA Beta - Full Testing | ||
| QA pre-Release Signoff | Email to be sent |