upskill-event-manager/test-secure-example.js

/**
 * HVAC Testing Framework - Secure Test Example
 * 
 * This example demonstrates the secure patterns that replace the vulnerable
 * practices found in the existing test files.
 * 
 * SECURITY FEATURES DEMONSTRATED:
 * - Encrypted credential management
 * - Secure browser configuration
 * - Input validation and sanitization
 * - WordPress security pattern integration
 * - Proper authentication handling
 * - Command injection prevention
 * 
 * @author Claude Code - Emergency Security Response
 * @version 1.0.0
 */

const { initializeSecurity } = require('./lib/security');

/**
 * Secure Master Trainer Dashboard Test
 * Replaces insecure patterns from test-master-trainer-e2e.js
 */
async function runSecureMasterTrainerTest() {
    console.log('🔐 Starting Secure Master Trainer Test Suite');
    console.log('='.repeat(60));

    const security = initializeSecurity();
    
    try {
        // ✅ SECURE: Create hardened browser (replaces insecure --no-sandbox flags)
        console.log('🛡️  Creating secure browser...');
        const { browser, createSecureContext } = await security.browserManager
            .createSecureBrowser('chromium', {
                // Security configurations handled automatically
                // No --no-sandbox, SSL validation enabled
            });

        // ✅ SECURE: Create authenticated context with encryption
        console.log('🔐 Creating secure authentication context...');
        const { context, authenticateAs, logout, createSecurePage } = 
            await createSecureContext();

        // ✅ SECURE: Authenticate using encrypted credentials (no hardcoded passwords)
        console.log('🔑 Authenticating as master trainer...');
        const auth = await authenticateAs('master_trainer');
        const { page, sessionId, role } = auth;
        
        console.log(`✅ Authenticated successfully as: ${role}`);

        // Test 1: Secure Dashboard Access
        console.log('\n📊 Testing Master Dashboard Access...');
        
        // ✅ SECURE: URL validation and secure navigation
        const dashboardResponse = await page.goto('/master-trainer/master-dashboard/', {
            waitUntil: 'networkidle',
            timeout: 30000
        });
        
        console.log(`Dashboard loaded with status: ${dashboardResponse.status()}`);

        // ✅ SECURE: Validate authentication state
        const authValidation = await security.wpSecurity
            .validateAuthenticationState(page, 'hvac_master_trainer');
        
        if (!authValidation.authenticated) {
            throw new Error(`Authentication validation failed: ${authValidation.reason}`);
        }
        
        console.log('✅ Authentication state validated');

        // Test 2: Secure Element Verification
        console.log('\n🧩 Testing Dashboard Elements...');
        
        const requiredElements = [
            { selector: '.hvac-master-dashboard', name: 'Dashboard Container' },
            { selector: '.dashboard-stats', name: 'Statistics Section' },
            { selector: '.trainer-count', name: 'Trainer Count Display' }
        ];

        for (const element of requiredElements) {
            try {
                await page.waitForSelector(element.selector, { timeout: 10000 });
                console.log(`✅ Found: ${element.name}`);
            } catch (error) {
                console.log(`⚠️  Missing: ${element.name}`);
            }
        }

        // Test 3: Secure Form Interaction with Validation
        console.log('\n📝 Testing Secure Form Handling...');
        
        // Navigate to trainers management page
        await page.goto('/master-trainer/trainers/');
        
        // Check if there's a form to interact with
        const hasForm = await page.locator('form').count() > 0;
        
        if (hasForm) {
            console.log('Found form, testing secure validation...');
            
            // ✅ SECURE: Generate WordPress nonce for CSRF protection
            const nonce = await security.wpSecurity
                .generateWordPressNonce('manage_trainers');
            
            console.log(`✅ Generated secure nonce: ${nonce.substring(0, 6)}...`);

            // ✅ SECURE: Input validation before form submission
            const testInput = 'Test Trainer Name';
            const inputValidation = security.inputValidator
                .validate(testInput, 'name_field');
            
            if (!inputValidation.valid) {
                throw new Error(`Input validation failed: ${inputValidation.error}`);
            }
            
            console.log('✅ Input validation passed');
            
            // ✅ SECURE: Sanitize content before use
            const sanitizedInput = security.inputValidator
                .sanitize(testInput, 'wp_content');
            
            console.log(`✅ Content sanitized: ${sanitizedInput}`);
        }

        // Test 4: Secure Navigation Testing
        console.log('\n🧭 Testing Secure Navigation...');
        
        const navigationTests = [
            { url: '/master-trainer/events/', name: 'Events Overview' },
            { url: '/master-trainer/announcements/', name: 'Announcements' },
            { url: '/master-trainer/pending-approvals/', name: 'Pending Approvals' }
        ];

        for (const navTest of navigationTests) {
            try {
                console.log(`Testing navigation to: ${navTest.name}`);
                
                // ✅ SECURE: Validate URL before navigation
                if (!security.browserManager.isAllowedUrl(
                    security.credentialManager.getBaseUrl() + navTest.url
                )) {
                    throw new Error(`URL not allowed: ${navTest.url}`);
                }
                
                await page.goto(navTest.url, { waitUntil: 'networkidle' });
                
                // ✅ SECURE: Validate we're still authenticated
                const currentAuth = await security.wpSecurity
                    .validateAuthenticationState(page, 'hvac_master_trainer');
                
                if (!currentAuth.authenticated) {
                    throw new Error(`Lost authentication on ${navTest.name}`);
                }
                
                console.log(`✅ ${navTest.name} - Navigation successful`);
                
            } catch (error) {
                console.log(`❌ ${navTest.name} - Navigation failed: ${error.message}`);
            }
        }

        // Test 5: Secure WordPress Command Execution
        console.log('\n⚡ Testing Secure Command Execution...');
        
        try {
            // ✅ SECURE: Execute WordPress command with validation
            const wpResult = await security.commandExecutor
                .executeWordPressCommand('option get', ['blogname']);
            
            console.log(`✅ WordPress command executed securely`);
            console.log(`Site title: ${wpResult.stdout.trim()}`);
            
        } catch (error) {
            console.log(`⚠️  WordPress command test skipped: ${error.message}`);
        }

        // Test 6: Security Monitoring and Logging
        console.log('\n📊 Checking Security Status...');
        
        const securityStatus = security.getSecurityStatus();
        console.log(`Security framework status: ${securityStatus.timestamp}`);
        console.log(`Active components: ${Object.keys(securityStatus.components).length}`);

        // ✅ SECURE: Proper session logout and cleanup
        console.log('\n🔐 Performing Secure Logout...');
        await logout(sessionId);
        console.log('✅ Session destroyed securely');

        // Close browser
        await browser.close();
        console.log('✅ Browser closed securely');

        console.log('\n🎉 All security tests passed successfully!');
        
        return {
            success: true,
            testsRun: 6,
            securityFeatures: [
                'encrypted_credentials',
                'secure_browser_config',
                'input_validation',
                'nonce_generation',
                'authentication_validation',
                'secure_command_execution',
                'session_management'
            ]
        };

    } catch (error) {
        console.error('\n❌ Security test failed:', error.message);
        return {
            success: false,
            error: error.message
        };
        
    } finally {
        // ✅ SECURE: Always clean up resources
        console.log('\n🧹 Performing security cleanup...');
        await security.cleanup();
        console.log('✅ Security cleanup completed');
    }
}

/**
 * Secure Trainer Authentication Test
 * Demonstrates role-based testing with proper security
 */
async function runSecureTrainerTest() {
    console.log('\n🏃 Testing Regular Trainer Access...');
    
    const security = initializeSecurity();
    
    try {
        const { browser, createSecureContext } = await security.browserManager
            .createSecureBrowser('chromium');
        
        const { authenticateAs, logout } = await createSecureContext();
        
        // ✅ SECURE: Test with different role
        const auth = await authenticateAs('regular_trainer');
        const { page, sessionId } = auth;
        
        // Test trainer dashboard access
        await page.goto('/trainer/dashboard/');
        
        // ✅ SECURE: Verify role-appropriate access
        const authState = await security.wpSecurity
            .validateAuthenticationState(page, 'hvac_trainer');
        
        if (!authState.authenticated) {
            throw new Error('Trainer authentication validation failed');
        }
        
        console.log('✅ Trainer authentication verified');
        
        // Test trainer-specific navigation
        const trainerPages = [
            '/trainer/venue/list/',
            '/trainer/venue/manage/',
            '/trainer/organizer/manage/'
        ];
        
        for (const pageUrl of trainerPages) {
            await page.goto(pageUrl, { waitUntil: 'networkidle' });
            
            // Verify page loaded correctly
            const content = await page.textContent('body');
            if (content.includes('Page not found')) {
                throw new Error(`Page not found: ${pageUrl}`);
            }
            
            console.log(`✅ Trainer page accessible: ${pageUrl}`);
        }
        
        // ✅ SECURE: Verify trainer cannot access master trainer pages
        try {
            await page.goto('/master-trainer/master-dashboard/');
            const content = await page.textContent('body');
            
            if (!content.includes('Access denied') && 
                !content.includes('login') && 
                !page.url().includes('login')) {
                console.log('⚠️  Warning: Trainer may have unauthorized access to master pages');
            } else {
                console.log('✅ Access control working - trainer blocked from master pages');
            }
        } catch (error) {
            console.log('✅ Access control working - navigation blocked');
        }
        
        await logout(sessionId);
        await browser.close();
        
        console.log('✅ Trainer test completed successfully');
        
    } finally {
        await security.cleanup();
    }
}

/**
 * Security Framework Validation Test
 * Ensures all security components are working correctly
 */
async function validateSecurityFramework() {
    console.log('\n🔍 Validating Security Framework...');
    
    const security = initializeSecurity();
    
    try {
        // Test 1: Credential Manager
        console.log('Testing credential management...');
        const session = security.credentialManager
            .createSecureSession('master_trainer');
        
        const credentials = security.credentialManager
            .getSessionCredentials(session.sessionId);
        
        if (!credentials.username || !credentials.password) {
            throw new Error('Credential management failed');
        }
        
        security.credentialManager.destroySession(session.sessionId);
        console.log('✅ Credential management working');

        // Test 2: Input Validator
        console.log('Testing input validation...');
        const validation = security.inputValidator
            .validate('test@example.com', 'wp_email');
        
        if (!validation.valid) {
            throw new Error('Input validation failed');
        }
        
        console.log('✅ Input validation working');

        // Test 3: WordPress Security Helpers  
        console.log('Testing WordPress security helpers...');
        const roleCapabilities = security.wpSecurity
            .getRoleCapabilities('hvac_master_trainer');
        
        if (!roleCapabilities.exists) {
            throw new Error('Role capabilities check failed');
        }
        
        console.log('✅ WordPress security helpers working');

        // Test 4: Browser Manager Configuration
        console.log('Testing browser security configuration...');
        const securityConfig = security.browserManager.securityConfig;
        
        if (securityConfig.tlsValidationMode !== 'strict') {
            console.log('⚠️  TLS validation not in strict mode');
        }
        
        console.log('✅ Browser security configuration loaded');

        console.log('🎉 Security framework validation completed successfully!');
        
        return { valid: true };
        
    } catch (error) {
        console.error('❌ Security framework validation failed:', error.message);
        return { valid: false, error: error.message };
        
    } finally {
        await security.cleanup();
    }
}

/**
 * Main test runner
 */
async function main() {
    console.log('🚀 HVAC Secure Testing Framework Example');
    console.log('🔐 Demonstrating secure patterns that replace vulnerable code');
    console.log('='.repeat(80));
    
    try {
        // Validate security framework first
        const frameworkValidation = await validateSecurityFramework();
        if (!frameworkValidation.valid) {
            throw new Error('Security framework validation failed');
        }
        
        // Run secure tests
        const masterTrainerResult = await runSecureMasterTrainerTest();
        
        if (masterTrainerResult.success) {
            await runSecureTrainerTest();
        }
        
        console.log('\n' + '='.repeat(80));
        console.log('🎉 ALL SECURE TESTS COMPLETED SUCCESSFULLY!');
        console.log('');
        console.log('🛡️  SECURITY FEATURES DEMONSTRATED:');
        console.log('   ✅ Encrypted credential management');
        console.log('   ✅ Hardened browser configuration');  
        console.log('   ✅ SSL/TLS validation enabled');
        console.log('   ✅ Input validation and sanitization');
        console.log('   ✅ WordPress security pattern integration');
        console.log('   ✅ Command injection prevention');
        console.log('   ✅ Session security with encryption');
        console.log('   ✅ Role-based access control');
        console.log('   ✅ Comprehensive audit logging');
        console.log('');
        console.log('🔄 MIGRATION STATUS:');
        console.log('   📝 Migration guide: SECURITY-MIGRATION-GUIDE.md');
        console.log('   🔧 Security framework: lib/security/');
        console.log('   📋 Environment template: .env.template');
        console.log('');
        console.log('⚠️  IMPORTANT: Update your .env file with real credentials');
        console.log('💡 TIP: Use this example as a template for migrating existing tests');
        
        process.exit(0);
        
    } catch (error) {
        console.error('\n❌ CRITICAL ERROR:', error.message);
        console.error('\n🔧 TROUBLESHOOTING:');
        console.error('   1. Ensure .env file is configured with valid credentials');
        console.error('   2. Check that staging environment is accessible');
        console.error('   3. Verify all security components are properly installed');
        console.error('   4. Review security logs for additional details');
        
        process.exit(1);
    }
}

// Execute if run directly
if (require.main === module) {
    main();
}

module.exports = {
    runSecureMasterTrainerTest,
    runSecureTrainerTest, 
    validateSecurityFramework
};