
Test matrix

Purpose

This document fixes the mandatory unit, integration, e2e and security tests for identity. An implementation is not considered done until these scenarios are covered.

Minimum thresholds

| Level | Threshold |
| --- | --- |
| Unit backend | 85% statements for identity modules |
| Unit frontend | 80% for UI Kit and auth/security screens |
| Integration API | all mutating endpoints |
| E2E | all critical user flows |
| Security regression | all scenarios from the Security tests section |

Backend unit tests

Auth

  • password hash/verify;
  • password policy validation;
  • auth flow state transitions;
  • verification code hash and attempts;
  • refresh token rotation;
  • refresh token reuse detection;
  • logout current/all sessions;
  • reset password neutral response;
  • brute-force lockout.
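The password hash/verify, brute-force lockout and "neutral response" items above, as an added Python example (illustration code written for this page, not the identity service's own implementation). It also produces the behaviour the API integration table expects for a wrong password (audit failure, attempts increment) and for a locked account (neutral auth error). The lockout threshold, the PBKDF2 parameters, the `AuthService` class and the error code `identity.auth.invalid_credentials` are constructed for the example; the page gives no values for them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy values for this example; the test matrix states no numbers.
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 200_000
# Hypothetical neutral error code, modelled on the page's platform.* / identity.* codes.
NEUTRAL_ERROR = "identity.auth.invalid_credentials"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex' using PBKDF2-HMAC-SHA256 from the standard library."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest and compare it in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified against when the account does not exist, so unknown and known
# users cost the same amount of work and time.
_DUMMY_HASH = hash_password("dummy-password-for-timing")


@dataclass
class Credential:
    password_hash: str
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AuthResult:
    ok: bool
    error: Optional[str] = None


class AuthService:
    """In-memory stand-in for the identity credential store (hypothetical)."""

    def __init__(self) -> None:
        self.users: Dict[str, Credential] = {}
        # (event, email) pairs; the audit log never receives the password itself.
        self.audit: List[Tuple[str, str]] = []

    def register(self, email: str, password: str) -> None:
        self.users[email] = Credential(hash_password(password))

    def login(self, email: str, password: str) -> AuthResult:
        neutral = AuthResult(False, NEUTRAL_ERROR)
        cred = self.users.get(email)
        if cred is None:
            verify_password(password, _DUMMY_HASH)
            self.audit.append(("login.failure", email))
            return neutral
        if cred.locked:
            # A locked account gets the same answer as a wrong password: the client
            # must not learn that the lockout threshold was reached.
            self.audit.append(("login.locked", email))
            return neutral
        if not verify_password(password, cred.password_hash):
            cred.failed_attempts += 1
            self.audit.append(("login.failure", email))
            if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
                cred.locked = True
                self.audit.append(("account.locked", email))
            return neutral
        cred.failed_attempts = 0
        self.audit.append(("login.success", email))
        return AuthResult(True)
```

Unknown user, locked account and wrong password all return the same `AuthResult`; the difference is visible only in the audit log, which is the property the "login locked account" and "reset password neutral response" tests pin down.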

RBAC

  • effective permissions for global roles;
  • organization/team scoped permissions;
  • expired role excluded;
  • user cannot assign higher role;
  • frontend visibility does not affect the server guard.

Family

  • adult can create family;
  • child account creation;
  • delegated session starts only with access;
  • revoked access invalidates delegated session;
  • actor/subject ids written to audit.

Organizations

  • organization reference search;
  • create organization with possible duplicate warning;
  • draft -> active;
  • unclaimed -> active via ownership claim;
  • active -> archived;
  • active -> merged;
  • merged organization cannot be hard-deleted;
  • active organization without owner is rejected;
  • membership request approve/reject;
  • invitation accept/revoke/expire;
  • ownership claim approve/reject/request more info/disputed;
  • ownership transfer accept/expire/cancel/complete;
  • organization student duplicate detection;
  • archive organization student;
  • competitions can reference organization student by external ref;
  • merge only system admin;
  • merge requires impact preview;
  • duplicate organization receives status merged;
  • links move or are marked for downstream update;
  • team membership requires organization membership;
  • organization role does not leak globally.

OAuth

  • redirect URI exact match;
  • PKCE S256 required;
  • authorization code single use;
  • code expiry;
  • consent required for new scopes;
  • token introspection;
  • revocation;
  • JWKS key selection by kid.
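The redirect URI exact match, PKCE S256, single-use and code-expiry items above, as an added Python example (illustration code written for this page, not the project's authorization server). It also covers the "OAuth wildcard redirect URI rejected" security regression and the "OAuth token with wrong verifier" integration row (`identity.oauth.invalid_request`). The `AuthorizationServer` class, the code lifetime and the error codes other than `identity.oauth.invalid_request` are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Set

CODE_TTL_SECONDS = 60  # constructed value; the page does not state a code lifetime


class OAuthError(Exception):
    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.code = code


def result_code(fn: Callable[[], object]) -> str:
    """Run fn and return its OAuthError code, or 'ok' (helper for tests)."""
    try:
        fn()
        return "ok"
    except OAuthError as exc:
        return exc.code


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class Client:
    client_id: str
    redirect_uris: Set[str]  # stored as registered; compared as exact strings


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    code_challenge: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    """Minimal in-memory authorization server (hypothetical, for illustration)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clients: Dict[str, Client] = {}
        self.codes: Dict[str, AuthCode] = {}
        self.clock = clock

    def register_client(self, client_id: str, redirect_uris: Iterable[str]) -> None:
        uris = set(redirect_uris)
        for uri in uris:
            # Wildcards are refused at registration, so exact match is the only rule later.
            if "*" in uri:
                raise OAuthError("identity.oauth.invalid_redirect_uri")
        self.clients[client_id] = Client(client_id, uris)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str) -> str:
        client = self.clients.get(client_id)
        if client is None:
            raise OAuthError("identity.oauth.invalid_client")
        # Exact string comparison: no prefix match, no normalisation, no extra path or query.
        if redirect_uri not in client.redirect_uris:
            raise OAuthError("identity.oauth.invalid_redirect_uri")
        # PKCE is mandatory and only S256 is accepted ("plain" is rejected).
        if code_challenge_method != "S256" or not code_challenge:
            raise OAuthError("identity.oauth.invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, redirect_uri, code_challenge, self.clock())
        return code

    def token(self, client_id: str, code: str, redirect_uri: str,
              code_verifier: str) -> Dict[str, str]:
        record = self.codes.get(code)
        if record is None or record.client_id != client_id:
            raise OAuthError("identity.oauth.invalid_grant")
        if record.used:
            # Second presentation of a code is a replay: forget the code entirely.
            del self.codes[code]
            raise OAuthError("identity.oauth.invalid_grant")
        if self.clock() - record.issued_at > CODE_TTL_SECONDS:
            del self.codes[code]
            raise OAuthError("identity.oauth.invalid_grant")
        if redirect_uri != record.redirect_uri:
            raise OAuthError("identity.oauth.invalid_grant")
        expected = s256_challenge(code_verifier).encode("ascii")
        if not hmac.compare_digest(expected, record.code_challenge.encode("utf-8")):
            # Wrong verifier: 400 identity.oauth.invalid_request, as in the integration table.
            raise OAuthError("identity.oauth.invalid_request")
        record.used = True
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

The test for this server checks three redirect URIs that differ from the registered one only by a trailing slash, a query string or a missing path; all three must be refused, which is what "exact match" means in the unit list.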

Plugins/transports

  • manifest validation;
  • secret settings encrypted;
  • plugin sandbox denies forbidden APIs;
  • transport failure returns controlled error;
  • plugin event handler failure does not break event bus.

API integration tests

| Scenario | Expected |
| --- | --- |
| Register with email | user, credential, primary email, session created |
| Duplicate email | 409 platform.conflict |
| Login wrong password | 401, audit failure, attempts increment |
| Login locked account | neutral auth error |
| Refresh reuse | family revoked, identity.refresh_token.reuse_detected |
| Assign role without permission | 403 platform.forbidden |
| Create organization invitation twice | idempotent, existing pending invitation |
| Create organization without owner then activate | rejected with identity.organization.owner_required |
| Accept expired ownership transfer | 400 identity.organization.transfer_expired |
| Create duplicate student | 409 identity.organization_student.duplicate_possible with candidates |
| Merge organization as non-system admin | 403 platform.forbidden |
| OAuth token with wrong verifier | 400 identity.oauth.invalid_request |
| Plugin install invalid manifest | 400 platform.plugin.validation_failed |
| Audit logs without permission | 403 platform.forbidden |

E2E tests

  • user registration → verify contact → dashboard;
  • login with password → logout;
  • forgot password → reset → login with new password;
  • saved account quick login;
  • parent creates family → adds child → opens delegated context;
  • organization application → admin verifies → invite member;
  • organization search → membership request → owner approves;
  • ownership claim → system admin approves → user becomes owner;
  • owner transfers ownership → recipient accepts;
  • add organization student → duplicate warning → choose existing or create with note;
  • system admin merge organizations → duplicate status becomes merged;
  • admin creates role → assigns role → user sees new admin page after refresh;
  • OAuth authorize + consent + callback;
  • notification appears after security event;
  • plugin install → enable → auth method visible.

Frontend tests

  • LoginPage renders steps from auth flow;
  • RegisterPage validates password and terms;
  • SecurityPage revokes session and updates list;
  • UsersManagementPage filters and opens user detail;
  • RolesManagementPage disables unavailable permissions;
  • OAuthClientsManagementPage validates redirect URI;
  • PluginsManagementPage shows validation errors;
  • AuditLogsPage filters by actor/action/date;
  • permission denied state shown for hidden admin areas.

Security tests

  • no password/token/code in logs;
  • rate limits return 429 and Retry-After;
  • CSRF required for cookie-auth mutating requests;
  • CORS rejects untrusted origin;
  • OAuth wildcard redirect URI rejected;
  • JWT with wrong alg rejected;
  • expired JWT rejected;
  • revoked session cannot refresh;
  • old rotated refresh token triggers compromise;
  • plugin cannot read filesystem outside allowed path;
  • audit export requires re-auth.
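Refresh token rotation, reuse detection and logout of current/all sessions (from the Auth unit list), the "Refresh reuse" integration row and the two security items above ("revoked session cannot refresh", "old rotated refresh token triggers compromise") all exercise one mechanism, so they share this added Python example (illustration code written for this page, not the project's session store). The event name `identity.refresh_token.reuse_detected` is the page's; the `SessionStore` class, the token lifetime and the other error codes are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

REFRESH_TTL_SECONDS = 30 * 24 * 3600  # constructed value; the page states no lifetime


class RefreshError(Exception):
    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.code = code


def result_code(fn: Callable[[], object]) -> str:
    """Run fn and return its RefreshError code, or 'ok' (helper for tests)."""
    try:
        fn()
        return "ok"
    except RefreshError as exc:
        return exc.code


def token_key(raw_token: str) -> str:
    """Only a hash of the refresh token is stored or logged, never the token itself."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


@dataclass
class RefreshToken:
    family_id: str
    issued_at: float
    rotated: bool = False  # set once this token has been exchanged for a successor


@dataclass
class Family:
    family_id: str
    user_id: str
    revoked: bool = False


class SessionStore:
    """In-memory stand-in for the session / refresh-token tables (hypothetical)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.tokens: Dict[str, RefreshToken] = {}  # keyed by token_key(raw)
        self.families: Dict[str, Family] = {}
        self.events: List[Dict[str, str]] = []  # security-event / audit stand-in
        self.clock = clock

    def _issue(self, family_id: str) -> str:
        raw = secrets.token_urlsafe(32)
        self.tokens[token_key(raw)] = RefreshToken(family_id, self.clock())
        return raw

    def login(self, user_id: str) -> str:
        """Each login starts a new token family (one per session/device)."""
        family = Family(secrets.token_hex(8), user_id)
        self.families[family.family_id] = family
        return self._issue(family.family_id)

    def refresh(self, raw_token: str) -> str:
        tok = self.tokens.get(token_key(raw_token))
        if tok is None:
            raise RefreshError("identity.refresh_token.invalid")
        family = self.families[tok.family_id]
        if family.revoked:
            raise RefreshError("identity.refresh_token.revoked")
        if tok.rotated:
            # An already-rotated token came back. Either the legitimate client lost the
            # rotation response or a stolen copy was replayed; we cannot tell which, so
            # the whole family is revoked and a security event is emitted.
            family.revoked = True
            self.events.append({
                "event": "identity.refresh_token.reuse_detected",
                "family_id": family.family_id,
                "user_id": family.user_id,
            })
            raise RefreshError("identity.refresh_token.reuse_detected")
        if self.clock() - tok.issued_at > REFRESH_TTL_SECONDS:
            raise RefreshError("identity.refresh_token.expired")
        tok.rotated = True
        return self._issue(family.family_id)

    def logout(self, raw_token: str) -> None:
        """Logout of the current session: revoke only this token's family."""
        tok = self.tokens.get(token_key(raw_token))
        if tok is not None:
            self.families[tok.family_id].revoked = True

    def logout_all(self, user_id: str) -> None:
        """Logout of all sessions: revoke every family that belongs to the user."""
        for family in self.families.values():
            if family.user_id == user_id:
                family.revoked = True
```

The event record carries the family and user ids only; the test asserts that none of the raw tokens appears in the stored state or the events, which is the "no password/token/code in logs" item from the security list.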

Organization RBAC tests

  • org owner can manage organization members;
  • organization cannot become active without owner_membership_id;
  • owner_membership_id must point to active membership in the same organization;
  • owner membership must have owner role;
  • merged organization cannot become owner target;
  • org owner can transfer ownership;
  • org admin cannot archive organization if permission missing;
  • org admin cannot transfer ownership unless explicit permission/policy allows;
  • org member cannot manage roles;
  • org member cannot invite without identity.organization-invitations.create.organization;
  • global admin does not become org member;
  • global break-glass access is audited;
  • team lead can manage team members but not org roles;
  • team grant works only inside team;
  • resource-level grant works only for specified resource;
  • deny overrides allow in runtime evaluator;
  • grant subject validation rejects missing or cross-organization membership, team and role subjects;
  • unknown permission in organization_roles.permissions is rejected.
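The scope rules in this list (team grant only inside the team, resource-level grant only for the resource, deny overrides allow, unknown permission rejected) and the RBAC unit items earlier (expired role excluded, organization role does not leak globally) describe one runtime evaluator; this added Python example shows such an evaluator. It is illustration code written for this page, not the project's RBAC module. The permission `identity.organization-invitations.create.organization` is quoted from the page; the second permission name, the `Scope`/`Grant` shapes and the `KNOWN_PERMISSIONS` registry are constructed.

```python
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Permission names: the first is quoted on the page, the second is constructed.
P_INVITE = "identity.organization-invitations.create.organization"
P_ARCHIVE = "identity.organizations.archive.organization"
KNOWN_PERMISSIONS: Set[str] = {P_INVITE, P_ARCHIVE}


@dataclass(frozen=True)
class Scope:
    """Where a grant applies, or where a request happens. None means 'not restricted'."""
    organization_id: Optional[str] = None
    team_id: Optional[str] = None
    resource_id: Optional[str] = None


@dataclass(frozen=True)
class Grant:
    permission: str
    effect: str  # "allow" or "deny"
    scope: Scope
    expires_at: Optional[float] = None  # unix time; None = never expires


def validate_grant(grant: Grant) -> List[str]:
    """Return the problems with a grant; an empty list means it can be stored."""
    problems = []
    if grant.permission not in KNOWN_PERMISSIONS:
        problems.append(f"unknown permission: {grant.permission}")
    if grant.effect not in ("allow", "deny"):
        problems.append(f"unknown effect: {grant.effect}")
    return problems


def scope_covers(grant_scope: Scope, request: Scope) -> bool:
    """A grant applies only inside the scope it was given for.

    Every dimension set on the grant must equal that dimension of the request;
    a dimension left None on the grant does not restrict it. Hence an
    organization-scoped grant never covers a global request or another
    organization, a team grant covers only that team, and a resource grant
    only that resource.
    """
    for attr in ("organization_id", "team_id", "resource_id"):
        wanted = getattr(grant_scope, attr)
        if wanted is not None and wanted != getattr(request, attr):
            return False
    return True


def is_allowed(grants: Iterable[Grant], permission: str, request: Scope,
               now: Optional[float] = None) -> bool:
    """Runtime evaluator: expired grants are ignored and any matching deny wins."""
    now = time.time() if now is None else now
    allowed = False
    for grant in grants:
        if grant.permission != permission:
            continue
        if grant.expires_at is not None and grant.expires_at <= now:
            continue  # expired role excluded
        if not scope_covers(grant.scope, request):
            continue
        if grant.effect == "deny":
            return False  # deny overrides allow, whatever the order of grants
        allowed = True
    return allowed
```

Because the evaluator only compares scope dimensions and never widens a grant, "global admin does not become org member" holds by construction: a global grant has no organization, so it never turns into an organization membership, and any break-glass use of it is a separate, audited path outside this function.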

Database tests

  • unique email/phone constraints;
  • primary email/phone partial unique indexes;
  • FK restrict/cascade policies;
  • expired verification codes cleanup;
  • retention jobs delete only allowed records;
  • anonymization removes PII but keeps audit integrity;
  • migrations apply and rollback in clean database.

Acceptance smoke suite

The smoke suite must pass before every release:

  1. Register/login/logout.
  2. Refresh token rotation.
  3. Reset password.
  4. Admin user block/unblock.
  5. Role assignment and permission check.
  6. Family delegated session.
  7. Organization invitation.
  8. OAuth authorization code + PKCE.
  9. Notification delivery.
  10. Audit log search.

Readiness

  • every critical flow has an e2e test;
  • security regressions are automated;
  • database constraints are verified by integration tests;
  • tests do not depend on external email/SMS providers;
  • CI runs lint, typecheck, unit, integration and e2e smoke.