
regulator-portal-service — Testing Strategy

Version: 1.0 Status: Draft Owner: Regulator-facing + Legal + QA Last Updated: 2026-04-21 References: SERVICE_OVERVIEW.md, SECURITY_MODEL.md, docs/standards/DEFINITION_OF_DONE.md

Testing strategy for regulator-portal-service. Elevated bar on: mTLS + cert-revocation enforcement, LI workflow dual-control correctness, SIEM forwarding reliability, attestation-bundle integrity.


1. Test Pyramid

┌────────────────────────┐
│ Regulator exchange │ ← monthly ATRA dry-runs in staging
├────────────────────────┤
│ E2E tests │ ← login → LI submit → deliver → ATRA ACK
├────────────────────────┤
│ Contract tests │ ← upstream (compliance, consent, sender-id, cdr)
├────────────────────────┤
│ Integration │ ← mTLS cert mocks, HSM, SIEM mocks, SFTP mock
├────────────────────────┤
│ Unit tests │ ← dominant
└────────────────────────┘

Distribution: ~65% unit, ~20% integration, ~8% contract, ~5% E2E, ~2% regulator dry-run.


2. Unit Tests

Framework: Vitest. No I/O.

2.1 mTLS + cert-validation logic

  • Valid cert + valid chain → SUCCESS.
  • Expired cert → FAILURE CERT_EXPIRED.
  • Revoked via CRL → FAILURE CRL_REVOKED.
  • Revoked via OCSP staple → FAILURE OCSP_REJECT.
  • Cert subject-name not in regulator.users → FAILURE UNKNOWN_SUBJECT.
  • Cert intermediate chain broken → FAILURE CHAIN_INCOMPLETE.
  • No usable revocation data (CRL stale or missing, no good OCSP staple) → FAILURE (fail-closed, same rule as 3.1).
  • Clock-skew tolerance (± 5 min): notBefore minus 5 min and notAfter plus 5 min still accepted; one second beyond either edge rejected.
  • ≥ 30 tests.

2.2 LI state-machine

  • State transitions: happy path RECEIVED → ACK → IN_PROGRESS → DELIVERED → CLOSED, plus the REJECTED paths.
  • Invalid transitions rejected (e.g., CLOSED → IN_PROGRESS; terminal states stay terminal).
  • Dual-control: initiator + approver must be different users; a user approving their own proposal is rejected.
  • Dual-control expires after 60-s window: an approval landing after 60 s is rejected and the initiator must re-propose.
  • Single-approver attempts (approval with no open proposal) rejected.
  • ≥ 25 tests.
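Added example, not the service's own aggregate: a minimal LI request state machine with the dual-control rule from 2.2, plus a hand-rolled random-sequence invariant check in the spirit of 2.7 (no fast-check, so it runs stand-alone). Which edges exist, which are dual-controlled, the REJECTED edges, the outcome names and the user pool are assumptions for illustration.

```typescript
// Added example: LI state machine with dual control. Edges and names are assumptions.
export type LiState = 'RECEIVED' | 'ACK' | 'IN_PROGRESS' | 'DELIVERED' | 'CLOSED' | 'REJECTED';

// Allowed edges. CLOSED and REJECTED are terminal, so CLOSED -> IN_PROGRESS is refused.
export const ALLOWED: Record<LiState, readonly LiState[]> = {
  RECEIVED: ['ACK', 'REJECTED'],
  ACK: ['IN_PROGRESS', 'REJECTED'],
  IN_PROGRESS: ['DELIVERED', 'REJECTED'],
  DELIVERED: ['CLOSED'],
  CLOSED: [],
  REJECTED: [],
};

export const DUAL_CONTROL_WINDOW_MS = 60_000;   // 2.2: approval must land within 60 s

export type Outcome =
  | 'PROPOSED' | 'APPLIED'
  | 'INVALID_TRANSITION' | 'NO_PROPOSAL' | 'SAME_USER' | 'WINDOW_EXPIRED' | 'TARGET_MISMATCH';

interface Proposal { to: LiState; by: string; at: number }
interface Applied { from: LiState; to: LiState; initiator: string; approver: string; at: number }

export class LiRequest {
  state: LiState = 'RECEIVED';
  readonly history: Applied[] = [];
  private pending?: Proposal;

  // Step 1 of dual control: the initiator names the target state.
  propose(user: string, to: LiState, now: number): Outcome {
    if (!ALLOWED[this.state].includes(to)) return 'INVALID_TRANSITION';
    this.pending = { to, by: user, at: now };   // a fresh proposal replaces any stale one
    return 'PROPOSED';
  }

  // Step 2: a different user confirms the same target within the window.
  approve(user: string, to: LiState, now: number): Outcome {
    const p = this.pending;
    if (!p) return 'NO_PROPOSAL';                                    // single-approver attempt
    if (now - p.at > DUAL_CONTROL_WINDOW_MS) { this.pending = undefined; return 'WINDOW_EXPIRED'; }
    if (p.by === user) return 'SAME_USER';                           // proposal stays open for someone else
    if (p.to !== to) return 'TARGET_MISMATCH';                       // approver must confirm the same edge
    this.history.push({ from: this.state, to, initiator: p.by, approver: user, at: now });
    this.state = to;
    this.pending = undefined;
    return 'APPLIED';
  }
}

// Property-style check: drive one request with a seeded random mix of propose/approve
// calls and confirm after every step that (1) the state only moves on APPLIED and only
// along an allowed edge, and (2) every applied transition had two distinct users.
export function checkInvariants(seed: number, steps: number): { ok: boolean; applied: number } {
  let s = seed >>> 0;
  const rnd = (n: number) => { s = (Math.imul(s, 1664525) + 1013904223) >>> 0; return s % n; };
  const states = Object.keys(ALLOWED) as LiState[];
  const users = ['alice', 'bob', 'carol'];   // constructed user pool
  const req = new LiRequest();
  let now = 0;
  for (let i = 0; i < steps; i++) {
    now += rnd(45_000);                      // gaps sometimes add up past the 60 s window
    const allowed = ALLOWED[req.state];
    const to = allowed.length && rnd(2) === 0 ? allowed[rnd(allowed.length)] : states[rnd(states.length)];
    const user = users[rnd(users.length)];
    const before = req.state;
    const out = rnd(2) === 0 ? req.propose(user, to, now) : req.approve(user, to, now);
    if (out === 'APPLIED' ? !ALLOWED[before].includes(req.state) : req.state !== before) {
      return { ok: false, applied: req.history.length };
    }
  }
  return { ok: req.history.every(h => h.initiator !== h.approver), applied: req.history.length };
}

console.log(checkInvariants(7, 400));
```

Two design choices worth carrying into the real tests: a SAME_USER attempt does not cancel the proposal (otherwise the initiator could never be overruled by a colleague), and a WINDOW_EXPIRED attempt does, so a late approver cannot be followed by a quick second one that lands against a proposal nobody remembers making.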

2.3 CEF / LEEF formatters

  • CEF header: version, device vendor, product, severity, signature.
  • LEEF header: LEEF version, device info, extensions.
  • Field escaping (pipes, equals, newlines).
  • Large payload truncation rules.
  • ≥ 20 tests per format.

2.4 Report-builder logic

  • Daily CDR status report: pulls from cdr-mediation read-through.
  • Monthly compliance summary: aggregates from compliance + consent + sender-id.
  • Ad-hoc queries: filter validation.
  • Partial-data handling (upstream unavailable for one source).
  • ≥ 15 tests.

2.5 Auditor time-box

  • Token TTL enforcement.
  • Session refresh during valid window.
  • Expired session → 401 on next API call.
  • Revoke-before-expiry works.
  • ≥ 10 tests.

2.6 Attestation evidence-collector

  • Evidence status determination (CURRENT/STALE/MISSING).
  • Cross-framework deduplication (same evidence covers multiple frameworks).
  • Lineage tracking.
  • ≥ 15 tests.

2.7 Property-based

fast-check:

  • LI state-machine invariants under random transition sequences.
  • CEF/LEEF formatters: inverse property (parse(format(x)) == x for representable x).
  • Auditor-access time-boxing: no API call accepted after expiresAt.
  • ≥ 10 properties.

Coverage targets (domain layer): ≥ 90% line, ≥ 80% branch; full per-layer table in section 9.


3. Integration Tests

Vitest + Testcontainers + mock ATRA endpoints + softhsm2.

3.1 mTLS + cert revocation

Using mock national-PKI CA + mock CRL server + mock OCSP responder:

  • Valid cert + chain + clean CRL/OCSP → login success.
  • Revoked cert (CRL hit) → login rejected.
  • Revoked cert (OCSP-stapled hit) → rejected.
  • Expired cert → rejected.
  • Stale CRL (nextUpdate in the past) or CRL server unreachable, with no good OCSP staple → login rejected (fail-closed; "no revocation data" is never treated as "not revoked").

3.2 LI workflow

  • Submit LI request → RECEIVED state + SLA timer.
  • Dual-control transition: two different users within 60 s → ACK.
  • Dual-control timeout → transition rejected.
  • IN_PROGRESS → DELIVERED: upload signed package to mock SFTP.
  • Deliver + receive ACK from ATRA → CLOSED.
  • SLA breach (18 h in IN_PROGRESS) → alert fires.

3.3 Report generation

  • Daily CDR status: read-through to mock cdr-mediation.
  • Monthly compliance summary: reads + aggregates from 3 mock upstreams.
  • PDF rendering + HSM signing.
  • Signed download URL returned.

3.4 SIEM forwarding

Mock Splunk HEC + Logstash + QRadar:

  • CEF events delivered to Splunk.
  • LEEF events delivered to QRadar.
  • JSON events to Logstash.
  • Each destination ACKs independently; an event counts as delivered to a destination only once that destination has ACKed it.
  • One destination down → others continue; the down destination's undelivered events stay in the WAL.
  • All destinations down → WAL holds every event; nothing is dropped.
  • Destination recovers → its WAL backlog drains and events are replayed in original order.

3.5 Auditor portal

  • Auditor cert (mock auditor CA) → login with time-box.
  • Download evidence within window → success + audit log.
  • Download after expiry → 401.
  • Manual revocation → next API call rejected.

3.6 Complaint ingest + triage

  • ATRA POSTs complaint → routed to admin-dashboard workbench.
  • Resolution posted → regulator notified via callback.
  • Audit trail complete.

4. Contract Tests

4.1 Provider contracts (Pact)

Service is provider for:

  • ATRA client (REST + mTLS): LI submission, complaint ingest, report retrieval.
  • Auditor client: evidence browse, bundle download.

4.2 Consumer contracts (Pact)

Service is consumer of:

  • cdr-mediation-service — CDR submission status + export status.
  • compliance-engine — audit query.
  • consent-ledger-service — consent audit query.
  • sender-id-registry-service — registry export.
  • analytics-service — ClickHouse cold-tier queries.

4.3 Event schema conformance

Events produced (regulator.*) must match schema registry; additive evolution only.


5. End-to-End Tests

Dedicated regulator-e2e namespace.

5.1 Regulator full flow

  1. Mock-ATRA-user logs in with mTLS cert.
  2. Submits LI request.
  3. Ghasi legal staff, acting under dual control, move the request through the workflow.
  4. Package built + HSM-signed + delivered to mock ATRA SFTP.
  5. ATRA ACK received.
  6. Report downloaded by mock-ATRA-user.
  7. SIEM events flow to mock Splunk.

5.2 Auditor full flow

  1. Auditor granted time-boxed access.
  2. Logs in with auditor cert.
  3. Browses evidence catalog.
  4. Downloads attestation bundle.
  5. Access expires; next call rejected.

5.3 SIEM backpressure

  • Stop mock Splunk → WAL grows → alert fires.
  • Restart → WAL drains without event loss.
  • Verify event ordering preserved.

5.4 Complaint roundtrip

  • ATRA posts complaint → admin-dashboard sees it.
  • Admin resolves → ATRA receives callback.

6. Regulator Exchange (Staging)

Monthly dry-run with ATRA staging:

  • Submit mock LI request from ATRA-test cert.
  • Verify Ghasi-side workflow.
  • ATRA verifies our LI delivery.
  • Quarterly: attestation-bundle download exercise.

7. Load Tests

7.1 Login storm

1 000 mTLS logins/s sustained for 5 min → P99 login latency ≤ 3 s; revocation checks stay cache-served (no CRL cache collapse, i.e., no per-login CRL refetch under load).

7.2 SIEM event surge

100 000 events / min for 30 min → lag stays < 60 s P95 per destination.

7.3 Report burst

50 concurrent on-demand report requests → each completes ≤ 5 min; HSM sign queue doesn't overflow.


8. Security Tests

8.1 Cert-bypass corpus

  • Cert chain with untrusted root → reject.
  • Self-signed → reject.
  • Cert with correct chain but revoked → reject.
  • Cert valid but subject not in regulator.users → reject.
  • Replay of previously-seen session token → reject.

8.2 Authorisation escalation

  • Regulator with li-officer role attempts platform-admin action → 403.
  • Auditor attempts write action → 403.

8.3 SIEM injection

  • CEF-reserved chars in payload (|, =, newline) → escaped correctly.
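Added example, not the service's formatter: a CEF encoder/decoder pair with the escaping that 2.3 and 8.3 require, a round-trip check of the parse(format(x)) == x property from 2.7 driven by a seeded generator instead of fast-check, and the injection case from 8.3 shown with an unescaped concatenation beside the escaped encoder. The CefEvent field names, the extension key set and the "\n" / "\r" escape convention for header fields are assumptions for illustration; the sample event is constructed.

```typescript
// Added example: CEF format/parse with escaping and an injection demo. Names are assumptions.
export interface CefEvent {
  version: string; vendor: string; product: string; deviceVersion: string;
  classId: string; name: string; severity: number;
  ext: Record<string, string>;       // extension key/value pairs
}

const esc = (ch: string) => (ch === '\n' ? '\\n' : ch === '\r' ? '\\r' : '\\' + ch);
const escHeader = (s: string) => s.replace(/[\\|\n\r]/g, esc);   // header fields: backslash and pipe
const escExt = (s: string) => s.replace(/[\\=\n\r]/g, esc);      // extension values: backslash and equals

function unescapeCef(s: string): string {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== '\\' || i + 1 >= s.length) { out += s[i]; continue; }
    const c = s[++i];
    out += c === 'n' ? '\n' : c === 'r' ? '\r' : c;   // \\ \| \= map back to the literal char
  }
  return out;
}

export function formatCef(e: CefEvent): string {
  const head = [e.version, e.vendor, e.product, e.deviceVersion, e.classId, e.name, String(e.severity)]
    .map(escHeader).join('|');
  const ext = Object.entries(e.ext).map(([k, v]) => {
    // Keys are never escaped, so a key must be clean or it becomes an injection vector.
    if (!/^[A-Za-z0-9_]+$/.test(k)) throw new Error(`illegal CEF extension key: ${k}`);
    return `${k}=${escExt(v)}`;
  }).join(' ');
  return `CEF:${head}|${ext}`;
}

// Extension grammar: "key=value key=value". Values may contain spaces and pipes but never
// an unescaped '=', so each unescaped '=' marks a key, which starts after the last space before it.
function parseExtension(ext: string): Record<string, string> {
  const eqs: number[] = [];
  for (let i = 0; i < ext.length; i++) {
    if (ext[i] === '\\') { i++; continue; }
    if (ext[i] === '=') eqs.push(i);
  }
  const out: Record<string, string> = {};
  eqs.forEach((eq, k) => {
    const keyStart = ext.lastIndexOf(' ', eq) + 1;
    const valEnd = k + 1 < eqs.length ? ext.lastIndexOf(' ', eqs[k + 1]) : ext.length;
    out[ext.slice(keyStart, eq)] = unescapeCef(ext.slice(eq + 1, valEnd));
  });
  return out;
}

export function parseCef(line: string): CefEvent | null {
  if (!line.startsWith('CEF:')) return null;
  const cuts: number[] = [];                      // positions of the 7 unescaped header pipes
  for (let i = 0; i < line.length && cuts.length < 7; i++) {
    if (line[i] === '\\') { i++; continue; }
    if (line[i] === '|') cuts.push(i);
  }
  if (cuts.length < 7) return null;
  const f = cuts.map((c, k) => unescapeCef(line.slice(k === 0 ? 4 : cuts[k - 1] + 1, c)));
  return { version: f[0], vendor: f[1], product: f[2], deviceVersion: f[3], classId: f[4],
           name: f[5], severity: Number(f[6]), ext: parseExtension(line.slice(cuts[6] + 1)) };
}

// 2.7-style inverse property over random strings drawn from the reserved characters.
export function roundTripProperty(seed: number, runs: number): { ok: boolean; failing?: CefEvent } {
  let s = seed >>> 0;
  const rnd = (n: number) => { s = (Math.imul(s, 1664525) + 1013904223) >>> 0; return s % n; };
  const alphabet = ['a', 'b', ' ', '|', '=', '\\', '\n', '\r'];
  const str = () => Array.from({ length: rnd(6) }, () => alphabet[rnd(alphabet.length)]).join('');
  for (let i = 0; i < runs; i++) {
    const ext: Record<string, string> = {};
    for (const k of ['src', 'msg', 'cs1']) if (rnd(2)) ext[k] = str();
    const e: CefEvent = { version: '0', vendor: str(), product: str(), deviceVersion: str(),
                          classId: str(), name: str(), severity: rnd(11), ext };
    if (JSON.stringify(parseCef(formatCef(e))) !== JSON.stringify(e)) return { ok: false, failing: e };
  }
  return { ok: true };
}

// 8.3: the same hostile value (constructed) through naive concatenation and through formatCef.
export function injectionDemo(): { naiveKeys: string[]; safeKeys: string[]; safeMsg: string } {
  const hostile = 'ok|low suser=root';   // user-controlled text that smuggles a fake "suser" field
  const head = 'CEF:0|Ghasi|regulator-portal|1.0|li.ack|LI acknowledged|5|';
  const naive = head + 'msg=' + hostile;  // no escaping: the SIEM now sees suser=root
  const safe = formatCef({ version: '0', vendor: 'Ghasi', product: 'regulator-portal', deviceVersion: '1.0',
                           classId: 'li.ack', name: 'LI acknowledged', severity: 5, ext: { msg: hostile } });
  const naiveExt = parseCef(naive)?.ext ?? {}, safeExt = parseCef(safe)?.ext ?? {};
  return { naiveKeys: Object.keys(naiveExt), safeKeys: Object.keys(safeExt), safeMsg: safeExt.msg ?? '' };
}

console.log(injectionDemo(), roundTripProperty(1, 300));
```

Note the asymmetry: pipes are only reserved in the header and equals only in the extension, so escaping "everything everywhere" breaks the inverse property just as surely as escaping nothing. The key whitelist matters as much as the value escaping; an attacker who controls a key name needs no reserved characters at all.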

8.4 Bundle tamper

  • Attacker modifies downloaded attestation bundle → signature invalid.

8.5 Disk-WAL tamper

  • Attacker alters WAL file → WAL-checksum detects on replay.
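Added example, not the service's forwarder: an in-memory model of the fan-out in 3.4 and 5.3 (independent per-destination ACKs, a down destination keeping its backlog, in-order replay on recovery) with the checksummed WAL that 8.5 relies on. Destinations are objects whose `up` flag stands in for a mock HEC/QRadar endpoint being reachable, the WAL "file" is a JSON-lines string, and the chained-SHA-256 scheme and all names are assumptions for illustration.

```typescript
// Added example: SIEM fan-out over a checksummed WAL. Names and the chaining scheme are assumptions.
import { createHash } from 'node:crypto';

export interface WalRecord { seq: number; payload: string; sum: string }

// Each sum chains over the previous record's sum, so deleting or reordering records
// is caught as well as editing one (a per-record checksum alone would miss those).
const digest = (prev: string, seq: number, payload: string) =>
  createHash('sha256').update(`${prev}\n${seq}\n${payload}`).digest('hex');

export class Wal {
  readonly records: WalRecord[] = [];

  append(payload: string): WalRecord {
    const prev = this.records.length ? this.records[this.records.length - 1].sum : '';
    const rec = { seq: this.records.length, payload, sum: digest(prev, this.records.length, payload) };
    this.records.push(rec);
    return rec;
  }

  // Seq of the first record whose chain does not verify, or null if the WAL is clean.
  verify(): number | null {
    let prev = '';
    for (const r of this.records) {
      if (r.sum !== digest(prev, r.seq, r.payload)) return r.seq;
      prev = r.sum;
    }
    return null;
  }

  // The on-disk form: one JSON object per line, which is what an attacker would edit.
  serialize(): string { return this.records.map(r => JSON.stringify(r)).join('\n'); }
  static load(text: string): Wal {
    const w = new Wal();
    if (text) for (const line of text.split('\n')) w.records.push(JSON.parse(line));
    return w;
  }
}

export interface Destination { name: string; up: boolean; received: string[] }

export class Forwarder {
  readonly wal: Wal;
  private cursor = new Map<string, number>();   // next seq each destination still owes

  constructor(readonly dests: Destination[], wal: Wal = new Wal()) {
    this.wal = wal;
    for (const d of dests) this.cursor.set(d.name, 0);
  }

  publish(payload: string): void { this.wal.append(payload); this.flush(); }

  backlog(name: string): number { return this.wal.records.length - (this.cursor.get(name) ?? 0); }

  // Replay the WAL to every reachable destination in seq order. A push into `received`
  // stands in for a successful send + ACK; each destination advances its own cursor, so a
  // down one simply keeps its backlog. Nothing is replayed if the chain does not verify.
  flush(): { corruptSeq: number | null } {
    const corruptSeq = this.wal.verify();
    if (corruptSeq !== null) return { corruptSeq };
    for (const d of this.dests) {
      if (!d.up) continue;
      let next = this.cursor.get(d.name) ?? 0;
      for (; next < this.wal.records.length; next++) d.received.push(this.wal.records[next].payload);
      this.cursor.set(d.name, next);
    }
    return { corruptSeq: null };
  }
}

// Constructed scenario: Splunk goes down mid-stream, recovers, then someone edits the WAL file.
export function scenario() {
  const splunk: Destination = { name: 'splunk-hec', up: true, received: [] };
  const qradar: Destination = { name: 'qradar', up: true, received: [] };
  const fw = new Forwarder([splunk, qradar]);
  fw.publish('e0');
  splunk.up = false;                                   // 5.3: stop mock Splunk
  ['e1', 'e2', 'e3'].forEach(e => fw.publish(e));
  const backlogWhileDown = fw.backlog('splunk-hec');   // 3.4: WAL holds Splunk's three events...
  const qradarUnaffected = qradar.received.length;     // ...while QRadar kept receiving all four
  splunk.up = true;
  fw.flush();                                          // recovery: backlog drains
  const orderPreserved = splunk.received.join(',') === 'e0,e1,e2,e3';
  const file = fw.wal.serialize().replace('"e2"', '"e2-tampered"');          // 8.5: on-disk edit
  const corruptSeq = new Forwarder([splunk], Wal.load(file)).flush().corruptSeq;   // restart + replay
  return { backlogWhileDown, qradarUnaffected, orderPreserved, corruptSeq };
}

console.log(scenario());
```

Two caveats for the real implementation that this model leaves out: the WAL is never trimmed here (a production WAL compacts below the lowest cursor and must then anchor the chain on the retained record's predecessor sum), and a checksum only detects tampering; if the attacker can rewrite the file they can recompute the chain, so the 8.5 test is about integrity of an honest WAL against corruption and casual edits, not about a file the attacker fully controls. Keying the chain with an HMAC under a key the writer holds is the usual step up.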

9. Coverage Targets

Layer           Line     Branch
Domain          ≥ 90%    ≥ 80%
Application     ≥ 80%    ≥ 75%
Infrastructure  ≥ 60%    ≥ 60%
Value Objects   100%     95%

Mutation testing: mutation score ≥ 75% on aggregates, ≥ 85% on value objects.


10. CI Gates

  • TypeScript strict + ESLint.
  • Pact broker verification.
  • Event schema conformance.
  • CEF/LEEF golden-file regression.
  • Security tests all pass.
  • mTLS negative-path tests all pass.

Failing any gate blocks merge.