akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
Files
877fee487bee75f87d2b2adbbf7dfb5d9b2aa277
Charon/docs/issues/created/20251221-issue-365-manual-test-plan.md
GitHub Actions 3169b05156 fix: skip incomplete system log viewer tests 
- Marked 12 tests as skip pending feature implementation
- Features tracked in GitHub issue #686 (system log viewer feature completion)
- Tests cover sorting by timestamp/level/method/URI/status, pagination controls, filtering by text/level, download functionality
- Unblocks Phase 2 at 91.7% pass rate to proceed to Phase 3 security enforcement validation
- TODO comments in code reference GitHub #686 for feature completion tracking
- Tests skipped: Pagination (3), Search/Filter (2), Download (2), Sorting (1), Log Display (4)
2026-02-09 21:55:55 +00:00

2.8 KiB
Raw Blame History

title, labels, type, priority, parent_issue
title labels type priority parent_issue
Issue #365: Additional Security Enhancements - Manual Test Plan
manual-testing
security
testing
testing medium 365

Issue #365: Additional Security Enhancements - Manual Test Plan

Issue: https://github.com/Wikid82/Charon/issues/365 PRs: #436, #437 Status: Ready for Manual Testing

Test Scenarios

1. Invite Token Security

Objective: Verify constant-time token comparison doesn't leak timing information.

Steps:

  1. Create a new user invite via the admin UI
  2. Copy the invite token from the generated link
  3. Attempt to accept the invite with the correct token - should succeed
  4. Attempt to accept with a token that differs only in the last character - should fail with same response time
  5. Attempt to accept with a completely wrong token - should fail with same response time

Expected: Response times should be consistent regardless of where the token differs.

2. Security Headers Verification

Objective: Verify all security headers are present.

Steps:

  1. Start Charon with HTTPS enabled
  2. Use browser dev tools or curl to inspect response headers
  3. Verify presence of:
    • Content-Security-Policy
    • Strict-Transport-Security (with preload)
    • X-Frame-Options: DENY
    • X-Content-Type-Options: nosniff
    • Referrer-Policy
    • Permissions-Policy

curl command:

curl -I https://your-charon-instance.com/

3. Container Hardening (Optional - Production)

Objective: Verify documented container hardening works.

Steps:

  1. Deploy Charon using the hardened docker-compose config from docs/security.md
  2. Verify container starts successfully with read_only: true
  3. Verify all functionality works (proxy hosts, certificates, etc.)
  4. Verify logs are written to tmpfs mount

4. Documentation Review

Objective: Verify all documentation is accurate and complete.

Pages to Review:

  • docs/security.md - TLS, DNS, Container Hardening sections
  • docs/security-incident-response.md - SIRP document
  • docs/getting-started.md - Security Update Notifications section

Check for:

  • Correct code examples
  • Working links
  • No typos or formatting issues

5. SBOM Generation (CI/CD)

Objective: Verify SBOM is generated on release builds.

Steps:

  1. Push a commit to trigger a non-PR build
  2. Check GitHub Actions workflow run
  3. Verify "Generate SBOM" step completes successfully
  4. Verify "Attest SBOM" step completes successfully
  5. Verify attestation is visible in GitHub container registry

Acceptance Criteria

  • All test scenarios pass
  • No regressions in existing functionality
  • Documentation is accurate and helpful

Tester: ________________ Date: ________________ Result: [ ] PASS / [ ] FAIL

Reference in New Issue View Git Blame Copy Permalink