12 C
New York
Wednesday, March 26, 2025
Home Blog Page 18

Overcome MFA Workflow Testing Challenges

codesanitize
-
0
Overcome MFA Workflow Testing Challenges


We proceed our collection of articles targeted on testing programs that incorporate Multi-Issue Authentication (MFA or 2FA) safety mechanisms. In our earlier article about MFA testing, we explored why firms working in regulated industries should undertake these mechanisms to strengthen their safety.

Though there’s a variety of MFA options out there, most firms favor those who present a easy and easy person expertise, equivalent to MFA by way of SMS, e-mail, or TOTP.

On this article, we’ll delve into an important subject: what are the challenges associated to testing workflows that embrace MFA, and what methods might be adopted to beat them?

Overcome MFA Workflow Testing Challenges

1. Key Challenges in MFA Check Automation

1.1 Dependency on Exterior Units

By design, MFA depends on exterior units, equivalent to telephones for receiving SMS or apps for producing TOTP codes. This reliance complicates check automation, particularly when a number of accounts are concerned:

  • Electronic mail MFA: QA groups generally use alias-based e-mail constructions (e.g., person+alias@area.com) to streamline account creation. Nonetheless, these strategies may be restricted or disabled in company settings, complicating automation efforts. On high of that, retrieving emails from third-party suppliers is a problem.
  • SMS MFA: Every person account usually requires a novel telephone quantity. This results in logistical points, equivalent to managing bodily SIM playing cards or sharing check telephones, which undermines effectivity and scalability. Ever needed to name your colleague to allow them to share the MFA code retrieved on their telephone?
  • TOTP MFA: Time-based One-Time Passwords require safe dealing with of personal keys. Automating checks turns into intricate, as these keys are often inaccessible after initialization.

1.2 Restricted Automation Feasibility

MFA workflows work together with exterior programs, making them arduous to automate and sometimes impractical, significantly for third-party providers like e-mail suppliers (e.g., Outlook). Automating such interactions is resource-intensive and sometimes restricted by service suppliers that block bot connections.

1.3 Dangerous Method #1: Disabling MFA in Check Environments

To avoid wasting time, some groups disable MFA in testing environments. Whereas expedient, this method introduces vital dangers:

  • Elevated Safety Threat:
    • Accounts turn into much less safe in testing environments, as MFA turns into non-compulsory.
    • Divergent habits from the manufacturing atmosphere undermines check validity, as you would possibly uncover points in manufacturing brought on by a misconfiguration.
  • Much less Consultant Checks: Checks fail to mirror real-world manufacturing situations, rising the chance of undetected bugs surfacing in manufacturing.
  • Human Errors: Configuration variations between testing and manufacturing environments complicate deployments, generally leading to unintended coverage misconfigurations in manufacturing.
  • Incomplete Checks: Key steps like login processes or transaction validation are skipped, lowering the flexibility to detect points in vital functionalities.

1.4 Dangerous Method #2: Intercepting MFA in Testing Environments

Whereas higher than disabling MFA, this method nonetheless dangers configuration divergence between environments and potential errors throughout deployment (i.e. discovering points in manufacturing).

1.5 A pricey however Efficient Method: Interfacing with Third-Social gathering Suppliers

This methodology, though generally pricey and sophisticated, might be extremely helpful in case your service suppliers (e-mail or SMS) provide APIs or interfaces suitable with automation instruments like Cypress or Robotic Framework. Instruments like Eggplant may also assist obtain this aim.

These integrations will let you immediately extract MFA codes and incorporate them into your automated check scripts.

Nonetheless, it’s usually essential to proactively talk with these suppliers, as they could be reluctant to permit automated entry to their programs. For example, you would possibly discover it’s fairly arduous to automate outlook login and e-mail content material retrieval by means of an internet interface. Regardless of these challenges, this method ensures real looking testing aligned with manufacturing eventualities.

2. Methods for Automating and Testing Finish-to-Finish MFA Workflows

2.1 Align Testing Environments with Manufacturing

Guaranteeing parity between testing and manufacturing environments is important for figuring out potential points successfully. Leveraging instruments to retrieve MFA codes by way of e-mail, SMS, or APIs can provide the next advantages:

  • Improved UX/UI Detection: Reproducing manufacturing situations helps determine anomalies within the person expertise or interface.
  • Load Administration: Testing below production-like constraints uncovers system weaknesses, equivalent to throttling points or utilization limits for MFA providers.
  • Third-Social gathering Service Validation: Verifies correct integrations and ensures messages aren not misplaced. Load testing may also reveal vulnerabilities below heavy utilization.

2.2 Collaborative Guide Testing Options

For handbook testing, collaborative options can simplify MFA administration inside QA groups:

  • Electronic mail: Use shared mailboxes with aliases (e.g., testing+xyz@firm.io) to centralize code reception. In case your IT division doesn’t will let you use such options, you would possibly want to contemplate another method from a 3rd get together. For example, digital mailbox providers like GetMyMFA provide non-public e-mail addresses to retrieve MFA codes.
  • SMS: Options like GetMyMFA provide non-public digital telephone numbers, avoiding bodily units. Free choices like Obtain-SMS-Free exist however pose dangers as a result of publicly shared numbers. This represents a difficulty as your group’s SMS messages can turn into public (Search Engine indexing).
  • TOTP: Securely share secret keys utilizing password managers like Bitwarden or 1Password. This allows groups to entry momentary codes with out bodily units whereas managing key entry successfully.
Automate your E2E Tests: Overcoming MFA Workflow Testing Challenges
MFA-sharing service GetMyMFA use-case

2.3 Automation Instruments for MFA Testing

Automating MFA checks requires instruments that simplify interactions with authentication mechanisms. Specialised APIs streamline this course of, lowering the necessity for advanced handbook integrations and combating suppliers on bot-blocking insurance policies. Examples embrace:

  • Electronic mail APIs: Providers like MailSlurp or GetMyMFA permit producing momentary e-mail addresses to automate code retrieval by way of APIs.

MFA retrieval illustration by means of GetMyMFA’s programmatic API

    • SMS APIs: Digital telephone quantity suppliers, equivalent to GetMyMFA, simplify automating SMS MFA workflows by exposing a public and safe API which extracts the MFA codes obtained to your non-public telephone numbers. This enables to keep away from buying and dealing with SIM playing cards. On high of that, you may simply share the telephone numbers with the QA staff members.
Automate your E2E Tests: Overcoming MFA Workflow Testing Challenges
MFA retrieval illustration by means of GetMyMFA’s programmatic API
  • TOTP APIs: Suppliers provide options for importing non-public TOTP keys, exposing OTP codes by way of APIs.

Conclusion

Successfully testing workflows that incorporate Multi-Issue Authentication (MFA) mechanisms stays a problem for QA groups, who usually find yourself disabling MFA in staging environments. Nonetheless, it’s important to check these flows to make sure the reliability and safety of programs in manufacturing. The constraints associated to automation and handbook testing (significantly the dealing with of exterior units and interactions with third-party providers) spotlight {that a} simplistic or rushed method can result in vital dangers, whether or not when it comes to safety, check validity, or tester expertise.

Utilizing specialised tools-such as e-mail inbox administration providers or digital telephone quantity platforms-alongside collaborative methods for handbook testing permits groups to simulate production-like situations as carefully as doable. These approaches not solely reduce the hole between testing and manufacturing environments, but additionally improve the staff’s skill to detect vital points earlier than deployment.

In conclusion, adopting a well-thought-out technique for MFA testing-combining the correct instruments, collaborative processes, and automation finest practices-is important to satisfy this problem. It ensures that MFA workflows carry out as anticipated in a exact and repeatable method.

Not solely does this strengthen the robustness of MFA flows, nevertheless it additionally protects finish customers and improves anomaly detection. With such an method, firms can guarantee their programs are each safe and dependable, whereas nonetheless delivering a high-quality person expertise.

In regards to the Writer: Jonathan Bernales

I’m the CTO at Germen, an InsurTech firm constructing tech platforms for each company and particular person shoppers. I’m enthusiastic about constructing and utilizing expertise that enables groups to ship high-quality code in advanced environments with out compromising on safety or pace. I’m additionally the founding father of GetMyMFA.

Managing and monitoring person accounts on Linux

codesanitize
-
0
Managing and monitoring person accounts on Linux 



$ id george
uid=1003(george) gid=1003(george) teams=1003(george)

To view all customers on the system, you possibly can study the contents of the /and many others/passwd file, however that would come with all of the system accounts in addition to the person account. The “ls /house” command ought to provide you with an inventory of all house directories.

$ ls /house
cookie  dumdum  fedora  george  lola  newuser  shs

You too can get particulars on person account utilizing a command like this that selects entries that comprise the phrase “house”.

$ grep house /and many others/passwd
fedora:x:1000:1000:fedora:/house/fedora:/bin/bash
shs:x:1001:1001::/house/shs:/bin/bash
newuser:x:1002:1002::/house/newuser:/bin/bash
george:x:1003:1003::/house/george:/bin/bash
lola:x:1006:1006::/house/lola:/bin/bash

To verify which teams a person belongs to, use the teams command.

$ teams shs
shs : shs wheel techs

If you wish to take a look at the /and many others/shadow file that incorporates passwords in an encrypted kind together with different knowledge, you possibly can run a command like this:

$ sudo grep george /and many others/shadow
[sudo] password for shs:
george:$y$j9T$igg/m6Ixl7kvW/i7mPP891$oq/zlqU8DGOPwnGbnvoVaaDmDbspK/R92XnrEKcPKk0:20033:0:99999:7:::

The fields on this colon-separated file embrace:

  1. the username
  2. the encrypted password (that very lengthy discipline)
  3. the variety of days because the password was final modified *
  4. the minimal variety of days earlier than the password may be modified once more
  5. the utmost variety of days earlier than the password should be modified
  6. the variety of days earlier than password expiration that the person is warned that their password will expire
  7. the variety of days after password expiration earlier than the account is locked (inactive interval)
  8. the date the password expires *
  9. a reserved discipline

Notice that the third and eighth fields are expressed because the variety of days because the Unix “epoch” (Epoch time relies on the variety of seconds since 00:00:00 on January 1, 1970). This enables these fields to have an extended period. The final three fields, nonetheless, are sometimes empty.

Kagent: Bringing agentic AI to cloud native

codesanitize
-
0
Kagent: Bringing agentic AI to cloud native


Oh no! Your software is unreachable, buried beneath a number of connection hops. How do you pinpoint the damaged hyperlink? How do you generate an alert or bug report from Prometheus when sure circumstances are met? 

You should roll out a brand new model of your software. How do you execute a progressive rollout utilizing Argo Rollouts? How do you safely allow zero belief community safety when your software scales past a single cluster or cloud? 

With so many tasks within the cloud native ecosystem, how do you determine which of them are proper in your wants and layer them along with correct configuration administration?

Sound acquainted? We hear these questions on a regular basis from platform and DevOps engineers working with Cloud Native Computing Basis (CNCF) tasks like Kubernetes, Envoy, Istio, Prometheus, and Argo. 

So why not construct AI brokers to deal with widespread challenges and assist  engineers and clients? Why not create a catalog of AI brokers for the cloud native ecosystem, enabling everybody to run, construct and share AI-driven options?

What’s kagent?

You’ve in all probability interacted with ChatGPT, an AI chatbot that gives pure language responses. Agentic AI, nonetheless, goes past easy chat interactions. It makes use of superior reasoning and iterative planning to autonomously clear up advanced, non-deterministic multistep issues, turning insights into actions that improve productiveness.

What if we utilized agentic AI to the day-to-day operational challenges confronted by cloud native engineers? That’s the place kagent is available in.

Kagent is an open supply programming framework designed for DevOps and platform engineers to run AI brokers in Kubernetes. It helps engineers construct highly effective inner platforms by tackling cloud native duties similar to configuration, troubleshooting, advanced deployment eventualities, observability pipelines and dashboards, and safely enabling community safety (like mTLS, authentication/authorization modifications, and many others). Recognizing that totally different customers have totally different challenges, we designed kagent to be extensible—permitting DevOps engineers, platform groups, and gear builders to create and share their very own AI brokers.

Constructed on Microsoft’s AutoGen open supply framework, kagent gives a strong basis for AI-driven options in cloud native environments.

Structure of kagent

Kagent is constructed on three key layers: Instruments, Brokers, and the Framework.

  • Instruments: Pre-defined capabilities that AI brokers can use, similar to sending emails, looking out a database, displaying pod logs, or calling exterior APIs. Customers can combine Mannequin Context Protocol (MCP) servers as instruments or construct customized instruments.
  • Brokers: Autonomous methods able to planning, executing duties, analyzing outcomes, and constantly enhancing outcomes. Brokers make the most of a number of instruments to perform aims.
  • Framework: A easy interface to run brokers by way of UI or declaratively. The framework is absolutely extensible, permitting customers to develop new instruments or brokers, or prolong the framework itself.

Primarily based on our expertise, we’ve constructed instruments to work together with Kubernetes, Prometheus, Istio, and Argo, together with AI brokers to autonomously clear up a few of the commonest cloud native issues.

Be part of the kagent Neighborhood

When you’re a platform or DevOps engineer, and leveraging AI brokers to unravel cloud native operation challenges excites you, or for those who’re a developer or CNCF challenge maintainer taken with constructing AI brokers to counterpoint our ecosystem, we’d like to collaborate!

Take a look at our web site and GitHub repository. Observe our getting began information to experiment with AI brokers in your Kubernetes cluster, and contribute your personal brokers and instruments to increase the cloud native AI ecosystem. Be part of the dialogue within the #kagent channel on CNCF Slack—we’d love to listen to from you!

We may also be at KubeCon + CloudNativeCon Europe in London from April 1-4 on the Solo.io sales space if you’re taken with discussing the challenge additional.

Let’s construct the way forward for AI brokers to unravel cloud native operation challenges, collectively.

How Blockchain Places Customers In Management

codesanitize
-
0
How Blockchain Places Customers In Management


Proving who you declare to be on-line is turning into more and more sophisticated. With many facets of on a regular basis life now going down on-line, defending your digital identification is extra essential than ever.

We have seemingly all been by safety trainings that encourage us to select secure passwords, allow two-factor authentication or reply safety questions like, “What was the identify of your grandmother’s childhood canine?” Whereas these authentication processes can admittedly be irritating, they’re key to making sure our on-line identification is protected and maintained.

Companies and clients have a shared curiosity in identification authentication. Prospects deserve the peace of thoughts of realizing their private data is secure, simply as companies have to know precisely who they’re coping with and in what capability. However, as identification authentication strategies advance, so do the capabilities of hackers making an attempt to steal data.

Digital Id vs. Id Authentication

There’s an essential distinction between digital identification and identification authentication. Your digital identification consists of all on-line details about you — identify, accounts, electronic mail addresses, and the listing goes on. However your digital identification does not verify or authenticate you because the proprietor of this data. That is the aim of identification authentication. It confirms your digital identification by a password or biometrics to validate who you say you’re.

It is critically essential to safeguard this data, and blockchain may help. Blockchain may very well be the know-how that creates extra user-controlled, safe digital identities and authentication processes. But, adoption is just within the early phases. A extra collective effort is required to make blockchain extra mainstream and user-centric.

Let’s check out the connection between blockchain and identification authentication and discover what the long run might appear like.

Enhancing Id Authentication

One key good thing about blockchain is that it is decentralized. As an alternative of a single database that data person data — one ripe for information breaches — blockchain makes use of one thing known as decentralized identifiers (DIDs).

DIDs are cryptographic key pairs that permit customers to have extra management over their on-line identities. They’re gaining popularity, with Forbes claiming they’re the way forward for on-line identification. To clarify what DIDs are, let’s begin by explaining what they aren’t.

In the present day, most individuals work together on-line through a centralized identifier, reminiscent of an electronic mail handle, username or password. This permits the database to retailer your digital data on that platform. However single databases are extra susceptible to information breaches and customers don’t have any management over their information. After we use centralized platforms, we actually hand over all our belief to no matter platform we use.

DIDs present a brand new option to entry data whereas permitting customers to take care of possession. They’re composed of a set of distinctive numbers. To keep away from entering into the nitty gritty of all of it, here is a picture from W3C that helps give a bit extra context as to what they appear like.

did_w3c.png

CREDIT: W3C

CREDIT: W3C

In my final article on information possession, I gave a short overview of private and non-private keys. DIDs use the identical mannequin. They provide customers the flexibility to work together with particular components of a blockchain community to handle their identification and information sharing preferences. They do that by utilizing private and non-private keys. The DID public key lets customers obtain encrypted messages or digitally signal or confirm their data. The personal key proves identification possession and permits the person to decrypt messages. Collectively, the keys permit customers to reveal sure facets of their identification — related to their DIDs — in a safe manner.

A well being supplier, for instance, might depend on a blockchain mannequin to let customers decide how their information is used whereas they keep consent rights and keep away from damaged information trails. Or a monetary agency might use blockchain-based e-invoicing to confirm invoices and mitigate dangers.

Rising Id Authentication Insurance policies

Under are some insurance policies and applications round identification authentication.

eIDAS Regulation

The EU is showcasing what the way forward for identification administration may appear like. The European Fee’s Digital Identification, Authentication and Belief Companies (eIDAS) regulation already gives a authorized framework that governs on-line interactions inside the EU by the usage of digital IDs and different authenticators. The thought is to extend safety on digital identification and transactions, promote cross-border transactions and supply higher safety.

One of many methods eIDAS and blockchain doubtlessly overlap is thru e-signatures and sensible contracts. Combining eIDAS with blockchain has the ability to create an much more safe and efficient strategy for digital authentication.

EU Digital Id

Within the meantime, a more moderen initiative, the EU Digital Id program, permits EU residents to verify their identities. That is all a part of the EU’s effort to digitalize public companies. As a part of this plan, massive platforms reminiscent of Meta or Amazon, can be legally required to authenticate identities, and customers should settle for an EU Digital Id Pockets to log in.

This course of, nevertheless, ushers in a precarious balancing act between safety and privateness on-line. The thought of huge tech corporations authenticating identities raises issues concerning the roles privateness, anonymity and the potential surveillance of on-line exercise need to play. It will be important for management to stay in customers’ palms in order that they keep the proper to manage how a lot they share on large platforms.

Right here is the place blockchain might assist. The Pockets is ready to carry quite a lot of digital paperwork, together with medical data and nation identification, reminiscent of a driver’s license. It has the potential to place customers first by permitting them to resolve what and the way they need to share their information. However the Pockets should contemplate privateness and the position of anonymity. Blockchain’s decentralization might assist fight these issues and assist make the Pockets safer and interesting to customers.

The Way forward for Blockchain & Id Authentication

Whereas improvements just like the EU Pockets are intriguing, they may make sure folks really feel left behind. In accordance with the EU, 32% of all Europeans nonetheless lack primary digital abilities and these proposed modifications will closely have an effect on older folks.

That stated, identification authentication and blockchain know-how do not need to be advanced subjects. They are often simple to make use of however require intuitive platforms and easy person experiences.

The EU’s digital insurance policies provide a robust basis for integrating blockchain. If blockchain turns into a part of the preliminary rulemaking, it might gasoline extra widespread adoption. There is a lengthy option to go earlier than folks really feel assured understanding ideas like DIDs. However by incorporating blockchain into initiatives such because the EU Digital Id Pockets, blockchain can develop into higher identified and understood.

Regulators should discover the proper stability between digital privateness and authentication. In any other case, they threat having all rising insurance policies rejected by residents who worth anonymity. With the proper mixture of privateness and authentication, EU residents can declare again management over their on-line identification — now and sooner or later.



ios – SwiftUI MVVM: Single View, 2 completely different ViewModels that conform to ObservableObject

codesanitize
-
0
ios – SwiftUI MVVM: Single View, 2 completely different ViewModels that conform to ObservableObject


I am offering a particularly simplified instance as an example my level:

  • A single SwiftUI View displaying the identical properties of a ViewModel
  • 2 ViewModels that are ObservableObject subclasses
  • The ViewModels have precisely the identical properties, simply the title/subtitle which are completely different and the underlying methodology calls which are completely different

The right way to appropriately initialize a View in order that it could “personal” the ViewModel?
Usually I am going about this as follows:


struct OverrideView: View {
    @Atmosphere(.dismiss) non-public var dismiss
    @StateObject non-public var viewModel: OverrideViewModelProtocol
    
    init(_ viewModel: @escaping @autoclosure () -> OverrideViewModelProtocol) {
        self._viewModel = StateObject(wrappedValue: viewModel())
    }
    
    var physique: some View {
    }
}

Nonetheless, clearly this does not work since I can not initialize a non-concrete class, the init is anticipating some kind of some OverrideViewModelProtocol:

protocol OverrideViewModelProtocol: ObservableObject {
    var mainTitle: String { get }
    var overrideSelectedSegmentIndex: Int { get set }

    var overrideCommentHeader: String { get }
    var overrideComment: String { get set }
    var overrideSubmitButtonEnabled: Bool { get }
    var overrideShouldDismiss: Bool { get }
    func submitButtonPressed()
}

Clearly, I can not impose that the OverrideViewModelProtocol can also be an ObservableObject, due to this fact I am getting a difficulty:

Kind ‘any OverrideViewModelProtocol’ can not conform to
‘ObservableObject’

One technique to clear up the issue is to create an summary base class and use it as a substitute of the protocol. However is there a means to make use of simply the protocol and prohibit solely ObservableObject subclass to have the ability to conform to it, in order that the View would know that it is a concrete ObservableObject subclass on initialization?

Use-case:
2 barely completely different views, which differ solely in textual content / button titles, in order that I might use 2 completely different view fashions as a substitute of if/else statements contained in the views.

1...171819...3,886Page 18 of 3,886

ABOUT US

Welcome to CodeSanitize, your number one source for all things coding and technology. We’re dedicated to providing you the very best of software development tutorials, tips, and resources, with a focus on clarity, practical examples, and up-to-date content.

© Copyright 2024 - codesanitize.com. All rights reserved