Django Test Suite - jastit00/IT-Sec-Projekt GitHub Wiki

Author: Yunis Ghazali

Overview

This documentation describes the comprehensive test suite for the Django-based log processing and incident detection system. The test suite is organized into two main modules: Log Processor Tests and Incident Detector Tests, ensuring robust validation of security log analysis functionality.

Test Architecture

Test Organization

The test suite follows Django's best practices with clear separation of concerns:

  • Log Processor Tests: Focus on API endpoints, file uploads, and log parsing functionality
  • Incident Detector Tests: Validate security incident detection algorithms and business logic
  • Utility Classes: Shared helper classes for test data creation and cleanup

Key Design Patterns

  1. Mock-based Testing: Extensive use of @patch decorators for external dependencies (Keycloak authentication)
  2. File-based Test Data: Real log files stored in tests_logs/ directory for realistic scenario testing
  3. Cleanup Management: Proper test isolation with setUp(), tearDown(), and addCleanup() methods
  4. Parametric Testing: Multiple test methods covering edge cases and boundary conditions

Log Processor Tests

Authentication & Authorization Tests (LogFileUploadAPITest)

Coverage:

  • Valid token authentication flow
  • File upload with multipart/form-data
  • Invalid file type rejection (.txt files)
  • Duplicate file upload prevention
  • Unauthorized access handling

Key Features:

  • Mocks Keycloak token validation using @patch decorator
  • Tests both positive and negative authentication scenarios
  • Validates proper HTTP status codes (200, 400, 401)
@patch('log_processor.views.validation.validate_keycloak_token')
def test_upload_log_file(self, mock_validate_token):
    mock_validate_token.return_value = {"preferred_username": "testuser"}
    # Test implementation...

File Processing Tests (UsysConfigLogTest, UsysConfigLogTestWithFiles)

Coverage:

  • Log file parsing accuracy
  • Missing field handling
  • Malformed log entry processing
  • Database entry creation
  • Duplicate prevention logic

Test Scenarios:

  • Missing Files: Validates error handling for non-existent log files
  • Empty Fields: Tests behavior with incomplete log entries
  • Whitespace Issues: Handles spaces in key-value pairs (value= "spaced_value")
  • Multiple Entries: Processes multiple log entries from single file
  • Duplicate Prevention: Ensures repeated processing doesn't create duplicates

Data Validation Tests (WronglyFormatedLogs)

Coverage:

  • Important empty fields (table, action, key)
  • Whitespace handling in log parsing
  • Malformed log entry rejection

Notable Test Cases:

def test_space_between_equal_and_content(self):
    # Tests logs with spaces after equal sign: value= "content"
    # Expects all 6 entries to be created successfully

Incident Detector Tests

Test Data Management (CreateEntries Class)

Purpose: Utility class for creating realistic test data from log files

Functionality:

  • Parses multiple log types: USER_LOGIN, USER_LOGOUT, USYS_CONFIG, NETFILTER_PKT
  • Creates corresponding database entries
  • Handles timestamp extraction and conversion
  • Implements packet aggregation for network traffic analysis

Key Methods:

  • make_entries(): Primary interface for test data creation
  • process_log_file(): Core log parsing logic
  • extract_timestamp(): Converts audit timestamps to Django timezone-aware datetime objects

Brute Force Detection Tests (BruteForceDetectionTests)

Coverage:

  • Threshold Testing: Validates minimum attempt requirements
  • Time Window Analysis: Tests detection within specific time frames
  • Success/Failure Patterns: Different handling for successful vs. failed attempts
  • Multiple Incidents: Detection of several concurrent brute force attempts
  • Duplicate Prevention: Ensures incidents aren't duplicated on repeated analysis

Test Scenarios:

  • test_no_bruteforce_if_too_few_attempts(): Validates threshold enforcement
  • test_spaced_attempts_still_detected(): Tests detection across time windows
  • test_successful_last_attempt_changes_reason(): Validates incident reason modification

Concurrent Login Detection Tests (ConcurrentLoginsDetectionTest)

Coverage:

  • Single User Multiple Logins: Detects simultaneous sessions
  • Login/Logout Pattern Analysis: Validates proper session tracking
  • Mixed Scenarios: Complex patterns with interspersed valid and suspicious activity
  • False Positive Prevention: Ensures legitimate login/logout pairs don't trigger alerts

Key Test Cases:

  • test_multiple_attack_mixed_w_logout(): Complex scenario with mixed legitimate and suspicious activity
  • test_several_attacks_several_pairs_login_logout(): Multi-user scenario validation

Configuration Change Detection Tests (ConfigChangeDetectionTest)

Coverage:

  • Critical Configuration Monitoring: Detects changes to sensitive system settings
  • User Attribution: Links configuration changes to responsible users
  • IP Address Tracking: Associates changes with source IP addresses
  • Severity Classification: Different incident severities based on change type
  • Time Correlation: Links config changes to recent login events

Advanced Scenarios:

  • test_multiple_config_changes_from_different_users_mix_valid_logins(): Complex multi-user scenarios
  • test_change_of_severity(): Validates proper severity assignment based on configuration criticality

Network Attack Detection Tests (DoSDetectionTest, DDosDetectionTest)

DoS Detection Coverage:

  • Packet Threshold Analysis: Validates traffic volume-based detection
  • Time Window Aggregation: Tests 30-second packet aggregation windows
  • Multiple Attack Detection: Handles multiple simultaneous DoS attempts
  • Attack Duration Tracking: Detects extended attacks spanning multiple time windows

DDoS Detection Coverage:

  • Source IP Diversity: Validates detection of attacks from multiple sources
  • Coordinated Attack Patterns: Detects distributed attack patterns
  • Configuration Flexibility: Tests customizable detection thresholds
  • Attack Group Correlation: Links related attacks from same source groups

Test Coverage Analysis

Strengths

  1. Comprehensive Scenario Coverage: Tests cover normal operations, edge cases, and error conditions
  2. Realistic Data: Uses actual log file formats and structures
  3. Security Focus: Emphasizes authentication, authorization, and security incident detection
  4. Database Integration: Validates ORM operations and data integrity
  5. API Testing: Complete HTTP endpoint testing with proper status codes

Areas for Enhancement

  1. Performance Testing: No load testing or performance benchmarks
  2. Concurrency Testing: Limited testing of concurrent operations
  3. Error Recovery: Could expand testing of system recovery scenarios
  4. Integration Testing: More end-to-end workflow testing
  5. Monitoring Coverage: Limited testing of logging and monitoring functionality

Test Data Management

Log File Organization:

incident_detector/tests_logs/
├── not_enough_tries.log
├── clear_simple_bruteforce.log
├── spaced_tries.log
├── successful_bruteforce.log
├── several_clear_bruteforce.log
├── logins_test.log
├── many_simultaneous_logins.log
├── mix_logins.log
├── valid_login.log
├── config_change_user_login.log
├── single_clear_dos_attack.log
├── alternating_ip.log
└── [additional test log files...]

Best Practices Demonstrated

Django Testing Best Practices

  1. Test Isolation: Each test method is independent and doesn't affect others
  2. Proper Setup/Teardown: Uses setUp(), tearDown(), and addCleanup() appropriately
  3. Assertion Specificity: Uses specific assertions (assertEqual, assertIn, assertTrue)
  4. Mock Usage: Proper mocking of external dependencies
  5. Database Testing: Uses Django's test database for isolated testing

Security Testing Considerations

  1. Authentication Testing: Validates both valid and invalid authentication scenarios
  2. Authorization Enforcement: Tests proper access control
  3. Input Validation: Validates handling of malformed and malicious input
  4. Data Sanitization: Tests proper handling of potentially dangerous log content

Maintainability Features

  1. Descriptive Test Names: Clear, self-documenting test method names
  2. Helper Methods: Reusable utility functions for common operations
  3. Parameterized Testing: Efficient testing of multiple scenarios
  4. Clear Assertions: Easy-to-understand test failure messages

Running the Tests

Command Line Execution

# Run all tests
python manage.py test

# Run specific test modules
python manage.py test log_processor
python manage.py test incident_detector

# Run with verbose output
python manage.py test --verbosity=2

# Run specific test class
python manage.py test incident_detector.tests.BruteForceDetectionTests

Test Environment Setup

  • Uses Django's built-in test database
  • Automatically creates and destroys test data
  • Isolates tests from production data
  • Handles database transactions properly

Conclusion

This test suite provides comprehensive coverage of the security log processing system, demonstrating Django testing best practices while ensuring robust validation of critical security functionality. The combination of unit tests, integration tests, and realistic test data provides confidence in the system's reliability and security posture.

The test architecture supports both current functionality validation and future enhancements, making it a valuable foundation for ongoing development and maintenance of the security monitoring system.