This project serves as a set of security focused unit tests. It can be used inside of a standalone test project or embedded into a JVM language project test suite. They should be used to test drive the security aspects of your systems.
Maven
<dependency>
<groupId>com.aaronbedra</groupId>
<artifactId>security-traits</artifactId>
<version>0.0.3</version>
</dependency>Gradle
implementation 'com.aaronbedra:security-traits:0.0.3'In order to create a test project, you will need to first create a JVM project. These examples use Java, but use is possible inside of any JVM language project capable of running JUnit tests.
Simply create a new test file and follow the examples below. Please be aware the traits will execute live HTTP requests. A network connection that has access to the destination url is required.
@RunWith(Traits.class)
public class GetRepsheetTest {
@TestTraits({
SecureHeaders.class,
SecureRedirect.class,
SecureCookies.class
})
public WebRequestTestSubject<IO<?>, Cookie> secureHeaders() {
return okHttpWebRequestTestSubject(hostname("getrepsheet.com"));
}
}Makes the following assertions on response headers:
| Header | Expected Value |
|---|---|
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| X-Download-Options | noopen |
| X-Permitted-Cross-Domain-Policy | none |
Makes the following assertions:
- HTTP response status is 301
- Location header is the HTTPS version of the requested URL.
Collects all cookies presented in the response and ensures they are marked HttpOnly and secure
@RunWith(Traits.class)
public class PasswordTest {
@TestTraits({
AtLeastTwelveCharacters.class,
AtLeastOneNumber.class,
AtLeastOneUpper.class,
AtLeastOneLower.class,
AtLeastOneSpecial.class
})
public String passwordGeneratorSingleExecution() {
return generatePassword(getConfiguration()).unsafeToString();
}
@TestTraits(Unique.class)
public Fn0<String> passwordGeneratorMultipleExecutions() {
return () -> generatePassword(getConfiguration()).unsafeToString();
}
@TestTraits({
HasRedactedDefaultGetters.class,
HasUnsafeToString.class
})
public Password redactedToString() {
return password("testing");
}
private PasswordConfiguration getConfiguration() {
return passwordConfiguration(
passwordRequiredLength(12),
passwordRequiredLowerCaseCharacters(1),
passwordRequiredUpperCaseCharacters(1),
passwordRequiredNumberCharacters(1),
passwordRequiredSpecialCharacters(1)
);
}
}The following traits are available to demonstrate secure password generation:
- AtLeastOneNumber
- AtLeastOneUpper
- AtLeastOneLower
- AtLeastOneSpecial
- AtLeastTwelveCharacters
- Unique
The following traits are available on constructed password objects:
- HasRedactedDefaultGetters
- HasUnsafeToString
Pull requests, questions, and ideas for new test are always welcome. Feel free to open an issue or pull request at any time. The requirement for submission is that the idea be complete and the test suite passing.