Skip to content

Security Testing

This guide covers how to test the security features implemented in the UBU Finance backend.

Overview

Security testing is crucial to ensure that the security measures implemented in the UBU Finance backend are working correctly. This guide provides instructions for testing various security features, including rate limiting, IP whitelisting, account lockout, and advanced logout.

Prerequisites

Before running security tests, ensure you have the following:

  • Python 3.8 or higher
  • Docker and Docker Compose (for monitoring tests)
  • Access to the UBU Finance backend codebase
  • Admin credentials for the UBU Finance backend

Automated Testing

The UBU Finance backend includes a script for automated security testing: setup_and_test.py. This script tests all security components and generates a report of the results.

Running the Automated Tests

To run the automated tests:

python setup_and_test.py

This will:

  1. Start the Docker Compose services for monitoring (if not already running)
  2. Test all security components
  3. Generate a report of the results

Command-Line Options

The setup_and_test.py script accepts the following command-line options:

  • --skip-docker: Skip starting Docker Compose services
  • --test-only: Only run security tests (don't start Docker Compose services)

Example:

python setup_and_test.py --test-only

Test Report

The test report is saved to security_report.json and includes:

  • Timestamp of the test
  • Results of each security component test
  • Current security configuration

Manual Testing

In addition to the automated tests, you can manually test each security feature.

Rate Limiting

To test rate limiting:

  1. Send multiple requests to an endpoint within a short time period
  2. Verify that after exceeding the rate limit, subsequent requests are rejected with a 429 (Too Many Requests) status code

Example using curl:

# Send 100 requests to the health endpoint
for i in {1..100}; do
    curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8080/health
done

IP Whitelisting

To test IP whitelisting:

  1. Enable IP whitelisting in the configuration
  2. Add your IP address to the whitelist
  3. Verify that you can access the API
  4. Remove your IP address from the whitelist
  5. Verify that you can no longer access the API

Example using the Security API:

# Add IP to whitelist
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  http://localhost:8080/api/admin/security/whitelist/add/192.168.1.1

# Remove IP from whitelist
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  http://localhost:8080/api/admin/security/whitelist/remove/192.168.1.1

Account Lockout

To test account lockout:

  1. Attempt to log in with incorrect credentials multiple times
  2. Verify that after exceeding the maximum number of failed attempts, the account is locked
  3. Verify that you cannot log in with correct credentials while the account is locked
  4. Wait for the lockout duration to expire or use the admin API to unlock the account
  5. Verify that you can log in with correct credentials after the account is unlocked

Example using the authentication API:

# Attempt to log in with incorrect credentials
for i in {1..10}; do
    curl -X POST \
      -H "Content-Type: application/json" \
      -d '{"username":"testuser","password":"wrongpassword"}' \
      http://localhost:8080/authentication/request-otp
done

# Attempt to log in with correct credentials (should fail if account is locked)
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","password":"correctpassword"}' \
  http://localhost:8080/authentication/request-otp

# Unlock account using admin API
curl -X POST \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  http://localhost:8080/api/admin/security/account/unlock/testuser

Advanced Logout

To test advanced logout:

  1. Log in to obtain a token
  2. Use the token to access a protected endpoint
  3. Log out using the logout endpoint
  4. Verify that the token is no longer valid
  5. Log in again to obtain a new token
  6. Use the new token to access a protected endpoint
  7. Log out from all devices using the logout-all-devices endpoint
  8. Verify that the token is no longer valid

Example using the authentication API:

# Log in
TOKEN=$(curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","password":"password"}' \
  http://localhost:8080/authentication/request-otp | jq -r '.access_token')

# Access protected endpoint
curl -H "Authorization: Bearer $TOKEN" \
  http://localhost:8080/api/protected-endpoint

# Log out
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  http://localhost:8080/authentication/logout

# Attempt to access protected endpoint (should fail)
curl -H "Authorization: Bearer $TOKEN" \
  http://localhost:8080/api/protected-endpoint

# Log in again
TOKEN=$(curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","password":"password"}' \
  http://localhost:8080/authentication/request-otp | jq -r '.access_token')

# Log out from all devices
curl -X POST \
  -H "Authorization: Bearer $TOKEN" \
  http://localhost:8080/authentication/logout-all-devices

Monitoring Tests

To test the monitoring and alerting system:

  1. Start the Docker Compose services:
docker-compose up -d
  1. Access the Grafana dashboard at http://localhost:3000 (default credentials: admin/admin)
  2. Verify that the UBU Finance overview dashboard is available
  3. Verify that metrics are being collected
  4. Trigger alerts by exceeding thresholds (e.g., generate errors, exceed rate limits)
  5. Verify that alerts are triggered and notifications are sent

Security Configuration Testing

To test different security configurations:

  1. Modify the environment variables or the app/config/security_config.py file
  2. Restart the application
  3. Verify that the new configuration is applied

Example environment variables:

# Rate Limiting
export RATE_LIMIT_ENABLED=true
export RATE_LIMIT_MAX_REQUESTS=10
export RATE_LIMIT_WINDOW_SECONDS=60

# IP Whitelist
export IP_WHITELIST_ENABLED=true
export IP_WHITELIST=127.0.0.1
export IP_WHITELIST_ALLOW_LOCALHOST=true

# Account Lockout
export ACCOUNT_LOCKOUT_ENABLED=true
export ACCOUNT_LOCKOUT_MAX_FAILED_ATTEMPTS=3
export ACCOUNT_LOCKOUT_DURATION_SECONDS=300

Performance Testing

To test the performance impact of security features:

  1. Run performance tests with security features disabled
  2. Run performance tests with security features enabled
  3. Compare the results to ensure that security features don't significantly impact performance

Example using Apache Benchmark:

# Test with security features disabled
ab -n 1000 -c 10 http://localhost:8080/health

# Test with security features enabled
ab -n 1000 -c 10 http://localhost:8080/health

Security Audit

Periodically conduct a security audit to ensure that all security features are working correctly:

  1. Review security logs for suspicious activity
  2. Check for unauthorized access attempts
  3. Verify that rate limiting is preventing abuse
  4. Ensure that account lockout is protecting against brute force attacks
  5. Confirm that IP whitelisting is restricting access as expected
  6. Validate that advanced logout is properly invalidating tokens

Troubleshooting

If you encounter issues during security testing:

  1. Check the application logs for error messages
  2. Verify that the security configuration is correct
  3. Ensure that Redis is running (if used for rate limiting and token blacklisting)
  4. Check that the database is accessible (for account lockout and token versioning)
  5. Verify that Docker services are running (for monitoring tests)

Best Practices

  1. Regular Testing: Conduct security tests regularly to ensure that security features continue to work correctly.
  2. Automated Testing: Automate security tests to make them part of your CI/CD pipeline.
  3. Comprehensive Testing: Test all security features, not just the ones you think might fail.
  4. Edge Cases: Test edge cases, such as rate limiting with concurrent requests or account lockout with simultaneous login attempts.
  5. Documentation: Document all security tests and their results for future reference.
  6. Penetration Testing: Periodically conduct penetration testing to identify vulnerabilities.
  7. Security Updates: Keep all dependencies up to date to address security vulnerabilities.