From 5d6d38cd126f3ba512de193709b9f10afa06d80e Mon Sep 17 00:00:00 2001 From: Maximilien Cuony Date: Wed, 15 Jan 2025 18:51:36 +0100 Subject: [PATCH] [uss_qualifier/scenarios/netrid/misbehavior] Add checks for invalid credentials (NET0210) (#883) --- .../astm/netrid/common/misbehavior.py | 42 ++++++++++++------- .../scenarios/astm/netrid/v19/misbehavior.md | 12 +++++- .../scenarios/astm/netrid/v22a/misbehavior.md | 13 +++++- 3 files changed, 48 insertions(+), 19 deletions(-) diff --git a/monitoring/uss_qualifier/scenarios/astm/netrid/common/misbehavior.py b/monitoring/uss_qualifier/scenarios/astm/netrid/common/misbehavior.py index 2dd5744fc5..19078b9122 100644 --- a/monitoring/uss_qualifier/scenarios/astm/netrid/common/misbehavior.py +++ b/monitoring/uss_qualifier/scenarios/astm/netrid/common/misbehavior.py @@ -79,9 +79,15 @@ def run(self, context: ExecutionContext): self.end_test_step() self.begin_test_step("Unauthenticated requests") + self._poll_unauthenticated_during_flights( + auth.NoAuth(aud_override=""), "Missing credentials", "no" + ) + self.end_test_step() - self._poll_unauthenticated_during_flights() - + self.begin_test_step("Incorrectly authenticated requests") + self._poll_unauthenticated_during_flights( + auth.InvalidTokenSignatureAuth(), "Invalid credentials", "invalid" + ) self.end_test_step() self.end_test_case() @@ -92,7 +98,9 @@ def _inject_flights(self): self, self._flights_data, self._service_providers ) - def _poll_unauthenticated_during_flights(self): + def _poll_unauthenticated_during_flights( + self, auth: auth.AuthAdapter, check_name: str, credentials_type_description: str + ): config = self._evaluation_configuration.configuration virtual_observer = VirtualObserver( injected_flights=InjectedFlightCollection(self._injected_flights), @@ -109,7 +117,9 @@ def _poll_unauthenticated_during_flights(self): def poll_fct(rect: LatLngRect) -> bool: nonlocal remaining_injection_ids - tested_inj_ids = self._evaluate_and_test_authentication(rect) + tested_inj_ids = self._evaluate_and_test_authentication( + auth, check_name, credentials_type_description, rect + ) remaining_injection_ids -= tested_inj_ids # interrupt polling if there are no more injection IDs to cover @@ -127,6 +137,9 @@ def poll_fct(rect: LatLngRect) -> bool: def _evaluate_and_test_authentication( self, + auth: auth.AuthAdapter, + check_name: str, + credentials_type_description: str, rect: s2sphere.LatLngRect, ) -> Set[str]: """Queries all flights in the expected way, then repeats the queries to SPs without credentials. @@ -159,16 +172,15 @@ def _evaluate_and_test_authentication( for injection_id, mapping in mapping_by_injection_id.items(): participant_id = mapping.injected_flight.uss_participant_id flights_url = mapping.observed_flight.query.flights_url - unauthenticated_session = UTMClientSession( - flights_url, auth.NoAuth(aud_override="") - ) + + invalid_session = UTMClientSession(flights_url, auth) self.record_note( f"{participant_id}/{injection_id}/missing_credentials_queries", - f"Will attempt querying with missing credentials at flights URL {flights_url} for a flights list and {len(mapping.observed_flight.query.flights)} flight details.", + f"Will attempt querying with {credentials_type_description} credentials at flights URL {flights_url} for a flights list and {len(mapping.observed_flight.query.flights)} flight details.", ) - with self.check("Missing credentials", [participant_id]) as check: + with self.check(check_name, [participant_id]) as check: # check uss flights query uss_flights_query = rid.uss_flights( @@ -176,7 +188,7 @@ def _evaluate_and_test_authentication( rect, True, self._rid_version, - unauthenticated_session, + invalid_session, participant_id, ) self.record_query(uss_flights_query.query) @@ -185,13 +197,13 @@ def _evaluate_and_test_authentication( check.record_failed( "Unauthenticated request for flights to USS was fulfilled", severity=Severity.Medium, - details=f"Queried flights on {flights_url} for USS {participant_id} with no credentials, expected a failure but got a success reply.", + details=f"Queried flights on {flights_url} for USS {participant_id} with {credentials_type_description} credentials, expected a failure but got a success reply.", ) elif uss_flights_query.status_code != 401: check.record_failed( "Unauthenticated request for flights failed with wrong HTTP code", severity=Severity.Medium, - details=f"Queried flights on {flights_url} for USS {participant_id} with no credentials, expected an HTTP 401 but got an HTTP {uss_flights_query.status_code}.", + details=f"Queried flights on {flights_url} for USS {participant_id} with {credentials_type_description} credentials, expected an HTTP 401 but got an HTTP {uss_flights_query.status_code}.", ) # check flight details query @@ -201,7 +213,7 @@ def _evaluate_and_test_authentication( flight.id, False, self._rid_version, - unauthenticated_session, + invalid_session, participant_id, ) self.record_query(uss_flight_details_query.query) @@ -210,13 +222,13 @@ def _evaluate_and_test_authentication( check.record_failed( "Unauthenticated request for flight details to USS was fulfilled", severity=Severity.Medium, - details=f"Queried flight details on {flights_url} for USS {participant_id} for flight {flight.id} with no credentials, expected a failure but got a success reply.", + details=f"Queried flight details on {flights_url} for USS {participant_id} for flight {flight.id} with {credentials_type_description} credentials, expected a failure but got a success reply.", ) elif uss_flight_details_query.status_code != 401: check.record_failed( "Unauthenticated request for flight details failed with wrong HTTP code", severity=Severity.Medium, - details=f"Queried flight details on {flights_url} for USS {participant_id} for flight {flight.id} with no credentials, expected an HTTP 401 but got an HTTP {uss_flight_details_query.status_code}.", + details=f"Queried flight details on {flights_url} for USS {participant_id} for flight {flight.id} with {credentials_type_description} credentials, expected an HTTP 401 but got an HTTP {uss_flight_details_query.status_code}.", ) return set(mapping_by_injection_id.keys()) diff --git a/monitoring/uss_qualifier/scenarios/astm/netrid/v19/misbehavior.md b/monitoring/uss_qualifier/scenarios/astm/netrid/v19/misbehavior.md index af43f8b57f..d06105783a 100644 --- a/monitoring/uss_qualifier/scenarios/astm/netrid/v19/misbehavior.md +++ b/monitoring/uss_qualifier/scenarios/astm/netrid/v19/misbehavior.md @@ -44,12 +44,20 @@ This particular test requires each flight to be uniquely identifiable by its 2D In order to properly test whether the SP handles authentication correctly, this step will first attempt to do a request with the proper credentials to confirm that the requested data is indeed available to any authorized query. -It then repeats the exact same request with incorrect credentials, and expects this to fail. +It then repeats the exact same request without credentials, and expects this to fail. #### Missing credentials check This check ensures that all requests are properly authenticated, as required by **[astm.f3411.v19.NET0210](../../../../requirements/astm/f3411/v19.md)**, -and that requests for existing flights that are executed with missing or incorrect credentials fail. +and that requests for existing flights that are executed with missing credentials fail. + +### Incorrectly authenticated requests test step + +This step is similar to unauthenticated requests, but uses incorrectly-authenticated requests instead. + +#### ⚠️ Invalid credentials check +This check ensures that all requests are properly authenticated, as required by **[astm.f3411.v19.NET0210](../../../../requirements/astm/f3411/v19.md)**, +and that requests for existing flights that are executed with incorrect credentials fail. ## Cleanup diff --git a/monitoring/uss_qualifier/scenarios/astm/netrid/v22a/misbehavior.md b/monitoring/uss_qualifier/scenarios/astm/netrid/v22a/misbehavior.md index 698084d61d..4072ffa59b 100644 --- a/monitoring/uss_qualifier/scenarios/astm/netrid/v22a/misbehavior.md +++ b/monitoring/uss_qualifier/scenarios/astm/netrid/v22a/misbehavior.md @@ -44,12 +44,21 @@ This particular test requires each flight to be uniquely identifiable by its 2D In order to properly test whether the SP handles authentication correctly, this step will first attempt to do a request with the proper credentials to confirm that the requested data is indeed available to any authorized query. -It then repeats the exact same request with incorrect credentials, and expects this to fail. +It then repeats the exact same request without credentials, and expects this to fail. #### Missing credentials check This check ensures that all requests are properly authenticated, as required by **[astm.f3411.v22a.NET0210](../../../../requirements/astm/f3411/v22a.md)**, -and that requests for existing flights that are executed with missing or incorrect credentials fail. +and that requests for existing flights that are executed with missing credentials fail. + +### Incorrectly authenticated requests test step + +This step is similar to unauthenticated requests, but uses incorrectly-authenticated requests instead. + +#### ⚠️ Invalid credentials check + +This check ensures that all requests are properly authenticated, as required by **[astm.f3411.v22a.NET0210](../../../../requirements/astm/f3411/v22a.md)**, +and that requests for existing flights that are executed with incorrect credentials fail. ## Cleanup