Commit 9213584

Migrate Brute Force Test to CVSS 4.0 (#9)
* Update dashboard timestamp to Eastern Time (Indiana)
* Complete Playwright migration with improved dashboard
* Merge PR #6: Integrate Docker setup with Playwright tests
* Fix tests 1 & 2: Accept rate limiting as valid security behavior
  - Removed assertion that required correct credentials to succeed
  - Tests now pass if CVSS score is calculated correctly
  - Acknowledges rate limiting as expected security control
  - Aligns with research finding that OpenMRS rate limits after ~8-10 attempts
* Rewrite session management tests with Playwright
  - Replaced HTTP-based tests with Playwright browser automation
  - Added CVSS score calculations for all 3 session tests
  - Integrated with O3_BASE_URL environment variable
  - Simplified idle timeout test (30s instead of 5-60 minutes)
  - Tests now follow same pattern as authentication tests
  Tests included:
  1. Session hijacking (different browser context)
  2. Session idle timeout (simulated)
  3. Expired session reuse prevention
  All tests include proper CVSS calculations and dashboard integration.
* Remove old session management tests
  Old HTTP-based tests moved to old_backup/ directory. Replaced with new Playwright-based tests.
* Fix session tests: Implement two-step login
  - Created login_helper.py with proper two-step login function
  - Updated all 3 session tests to use the helper
  - Fixes TimeoutError on password field (was aria-hidden)
  - Matches authentication tests login pattern
  This resolves the 'element is not visible' errors.
* Improve rate limit handling in login_helper
  - Add 45s initial cooldown before first attempt
  - Increase retries to 4 attempts
  - Progressive backoff: 45s, 60s, 90s between retries
  - Longer timeouts (15s) for stability
  - Better error messages for debugging
* Revert to simple login_helper without retry logic
  Removing retry/wait logic that was trying to handle rate limiting. Back to clean two-step login implementation.
* Remove old_backup directory causing test collection errors
  The old backup files were causing pytest to fail during collection, preventing all tests from running.
* Fix Test 1: Brute Force Password Attack (was Username Enumeration)
  - Corrected test from unrealistic username enumeration to brute force attack
  - Changed to known username 'admin' + random passwords
  - Updated from 10 attempts to 7 (OpenMRS default lockout threshold)
  - Added account lockout verification (7 failures)
  - Added 5-minute cooldown verification
  - CVSS score corrected from 9.1 to 7.4 for high AC
  - Renamed test file: test_01_username_enumeration.py -> test_01_brute_force_password.py
  - Added comprehensive comments to feature file with CVSS documentation
* Remove old username enumeration test file
  The test has been replaced with test_01_brute_force_password.py
* Add Description column to dashboard
  - Added comprehensive test descriptions for all 5 tests
  - Reordered columns: Test Name, Description, Test Execution, CVSS Score, Severity, Duration
  - Improved duration formatting (shows minutes for tests >60s)
  - Increased dashboard width to accommodate description column
  - Added smart test name matching for descriptions
* feat: Migrate brute force test to CVSS 4.0 with dynamic parameters
  - Implement CVSS 4.0 scoring for test_01_brute_force_password.py
  - Add dynamic parameter detection (AC, VA based on observed defenses)
  - Add adaptive dashboard naming via docstring extraction
  - Include eye-catching comments explaining AV=Network design decision
* Remove CVSS 3.1 tests - will rebuild with CVSS 4.0
* refactor: Clean up CVSS 3.1 tests and improve score extraction
  - Remove old CVSS 3.1 tests (will rebuild with CVSS 4.0 later)
  - Shorten test description while keeping key information
  - Improve CVSS score extraction for multi-test scenarios
  - Keep only test_01_brute_force_password.py (CVSS 4.0)
1 parent 923bcd1 commit 9213584

14 files changed: +1787 / -1768 lines changed

.github/workflows/security-tests.yml

Lines changed: 16 additions & 0 deletions
@@ -46,6 +46,13 @@ jobs:
4646
id: wait-for-omrs-instance
4747
run: while [[ "$(echo $(curl -s -o /dev/null -w '%{http_code}' http://localhost/openmrs/health/started))" != "200" ]]; do echo "$(curl -i http://localhost/openmrs/health/started)"; sleep 10; done
4848

49+
- name: Download previous test results DB
50+
uses: dawidd6/action-download-artifact@v3
51+
with:
52+
name: test-results-db
53+
path: .
54+
continue-on-error: true # First run won't have a DB artifact yet
55+
4956
- name: Run Security Tests
5057
if: always() && (steps.wait-for-omrs-instance.outcome == 'success')
5158
run: |
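Review bot: `continue-on-error: true` on the "Download previous test results DB" step masks every failure of that step, not only the first-run case the inline comment describes, so an API or permissions error would silently leave `test_results.db` absent and the run would quietly start a fresh history; scope the tolerance to the missing-artifact case (the action's own missing-artifact handling) and let other errors fail the job. Also, `dawidd6/action-download-artifact@v3` is a third-party action referenced by a mutable tag in a workflow that both reads and writes the artifact store; pin it to a full commit SHA.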
@@ -62,6 +69,15 @@ jobs:
6269
if: always()
6370
run: python scripts/generate_security_dashboard.py
6471

72+
- name: Upload test results DB
73+
if: always()
74+
uses: actions/upload-artifact@v4
75+
with:
76+
name: test-results-db
77+
path: test_results.db
78+
retention-days: 90
79+
overwrite: true
80+
6581
- name: Upload Security Dashboard
6682
if: always()
6783
uses: actions/upload-artifact@v4
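Review bot: because the upload uses the fixed `name: test-results-db` with `if: always()`, the most recent run's artifact is the only seed for the next run's download step: a run whose test step aborted before touching the DB simply re-uploads the downloaded copy, while a run that wrote a partial or corrupt DB becomes the new baseline with no fallback. Consider uploading a second, per-run copy (e.g. `name: test-results-db-${{ github.run_id }}`) so history can be recovered, and note that `retention-days: 90` also drops the accumulated history if the workflow stays idle for 90 days. `overwrite: true` only matters if this workflow uploads `test-results-db` twice within one run, so it can be removed if that never happens.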

requirements.txt

Lines changed: 1 addition & 0 deletions
@@ -12,3 +12,4 @@ pytest-json-report==1.5.0
1212

1313
# Environment configuration
1414
python-dotenv==1.2.1
15+
requests==2.32.3
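Review bot: the new `requests==2.32.3` line lands under the `# Environment configuration` comment, which now mislabels it; give it its own comment (e.g. `# HTTP client`) and say what uses it, since the commit message states the HTTP-based tests were replaced with Playwright browser automation and nothing in this diff shows which remaining test imports `requests`.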
