Introduction
The FedRAMP tests exercise the target site against selected FedRAMP controls. Important! None of the tests guarantee FedRAMP compliance; review them and adjust the assertions for your organization as needed.
Test Descriptions
Cypress test IDs use -CY- and Cypress files end with .cy.js.
Playwright test IDs use -PW- and Playwright files end with .spec.js.
FedRAMP tests start at ATK-XX-1200.
| Test ID | File Name | Category | Tags | Description |
|---|---|---|---|---|
| ATK-XX-1200 | atk_rapid_login | | @fedramp @multiple-logins | Multiple rapid logins via the GUI, which can be seen as atypical activity (AC-2 (12)). This test asserts that more than 3 concurrent sessions are blocked; change the assertions for your organization if needed. |
| ATK-XX-1201 | atk_rapid_login | | @fedramp @multiple-logins | Multiple unsuccessful rapid logins via the GUI, which can be seen as atypical activity (AC-2 (12)). This test asserts that an account is blocked after more than 3 concurrent failed login attempts; change the assertions for your organization if needed. |
| ATK-XX-1210 | atk_cors | | @fedramp @cors | Basic CORS enforcement (deny an unauthorized origin). |
| ATK-XX-1211 | atk_cors | | @fedramp @cors | Preflight CORS. |
| ATK-XX-1220 | atk_session_termination | | @fedramp @session-termination | Session termination by inactivity (AC-12). |
| ATK-XX-1230 | atk_unauthorized_access | | @fedramp @unauthorized-access | Resource not under Drupal's control. Checks that a file located in the web folder but without read permissions returns a 401 response. In effect, this tests that the web application runs as a separate user. |
| ATK-XX-1231 | atk_unauthorized_access | | @fedramp @unauthorized-access | For each resource in the list, checks that an unauthenticated request receives a 403 response. See AC-14. |
| ATK-XX-1232 | atk_unauthorized_access | | @fedramp | Resource not under Drupal's control. For each resource in the list, checks that a 403 response is returned when it is accessed by an authorized user without admin privilege. See AC-14. |
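The CORS checks behind ATK-XX-1210 and ATK-XX-1211, as an added example that is not code from the Automated Testing Kit: plain Node logic that evaluates a simple response and a preflight response against an origin allowlist, so the same assertions can be wrapped in a Cypress or Playwright spec. The allowlist, header values and origins are constructed for the example.

```javascript
// Added example (not part of the Automated Testing Kit). Evaluates CORS
// response headers the way ATK-XX-1210 (deny unauthorized origin) and
// ATK-XX-1211 (preflight) do. ALLOWED_ORIGINS is a constructed allowlist.
const ALLOWED_ORIGINS = ['https://app.example.gov'];

// Lower-case header names so lookups are case-insensitive.
function headerMap(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
}

// Simple (non-preflighted) request: returns a list of findings, empty on pass.
function checkSimpleCors(origin, responseHeaders, allowed = ALLOWED_ORIGINS) {
  const h = headerMap(responseHeaders);
  const acao = h['access-control-allow-origin'];
  const findings = [];
  if (!allowed.includes(origin)) {
    // An unauthorized origin must be neither echoed back nor covered by '*'.
    if (acao === origin || acao === '*') {
      findings.push(`unauthorized origin ${origin} granted (ACAO=${acao})`);
    }
  } else if (acao !== origin && acao !== '*') {
    findings.push(`allowed origin ${origin} was refused (ACAO=${acao})`);
  }
  // A wildcard origin combined with credentials is never acceptable.
  if (acao === '*' && h['access-control-allow-credentials'] === 'true') {
    findings.push('wildcard origin combined with Access-Control-Allow-Credentials');
  }
  return findings;
}

// Preflight (OPTIONS) response: the requested method must be granted only to
// an allowed origin; an unauthorized origin must receive no CORS grant at all.
function checkPreflight(origin, method, responseHeaders, allowed = ALLOWED_ORIGINS) {
  const h = headerMap(responseHeaders);
  const acao = h['access-control-allow-origin'];
  const methods = (h['access-control-allow-methods'] || '')
    .split(',').map((m) => m.trim().toUpperCase()).filter(Boolean);
  const findings = [];
  if (!allowed.includes(origin)) {
    if (acao !== undefined) findings.push(`preflight granted to unauthorized origin ${origin}`);
    return findings;
  }
  if (acao !== origin && acao !== '*') findings.push(`allowed origin ${origin} not echoed in preflight`);
  if (!methods.includes(method.toUpperCase())) findings.push(`method ${method} not in Access-Control-Allow-Methods`);
  return findings;
}
```

In a spec, send the request with a chosen `Origin` header, pass the response headers to these functions and assert that the returned list is empty.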