🥒 CCC.SecMgmt Test: finos-ccc-integration-secret-main

Test Parameters

ServiceTypesecrets
ProviderServiceTypeMicrosoft.KeyVault/vault/secrets
CatalogTypesCCC.SecMgmt
TagFilter@Behavioural, @secrets, @Behavioural
UIDfinos-ccc-integration-secret-main
ResourceNamefinos-ccc-integration-secret-main
Config
{}
authorized-regionwestus2
azure-key-vault-namefinoscccintkvsec
azure-key-vault-urihttps://finoscccintkvsec.vault.azure.net/
azure-secret-namefinos-ccc-integration-secret-main
azure-subscription-idc1cedd8e-bf91-4d7d-a4cc-45700402a2a1
azure-tenant-idfa193ac0-9c06-4111-bf55-341e4db193d3
catalog-versions
{
  "CCC.Core": "v2025.10",
  "CCC.SecMgmt": "DEV"
}
permitted-regions
[
  "westus2"
]
providerazure
regioneastus
resourcefinos-ccc-integration-secret-main
servicesecrets
service-typesecrets
tags@Behavioural @secrets
unauthorized-regionwesteurope

Summary

Generated: 2026-06-16 15:49:45

Total Run Time: 21s

Features: 2

Scenarios: 4 (✅ 2 | ❌ 2)

Steps: 26 (✅ 21 | ❌ 2 | ⏭️ 3 | ❓ 0)

Feature: CCC.SecMgmt.CN01.AR01 - Deny Outdated Secret Version After Rotation
Scenario: Current secret version is readable @CCC.SecMgmt @CCC.SecMgmt.CN01 @PerService @tlp-amber @tlp-red @Behavioural @secrets @SANITY @OPT_IN
Given a cloud api for "{config}" in "api"50µs
And I call "{api}" with "GetServiceAPI" using argument "secrets"121µs
And I refer to "{result}" as "svc"28µs
When I call "{svc}" with "RetrieveSecretVersion" using arguments "{uid}" and "latest"1s
Then "{result}" is not an error26µs
And I refer to "{result}" as "currentSecret"17µs
And I attach "{currentSecret}" to the test output as "Current Secret Version"46µs
Then "{currentSecret.Denied}" is "false"22µs
📎 Attachments:
Current Secret Version
View JSON (115 bytes)
{"Plaintext":"ccc-integration-secret-v2","VersionID":"27e2b4d65c9d4343b8d6acf8faa8bda6","Denied":false,"Reason":""}
Scenario: Stale secret version retrieve is denied @CCC.SecMgmt @CCC.SecMgmt.CN01 @PerService @tlp-amber @tlp-red @Behavioural @secrets @MAIN
Given a cloud api for "{config}" in "api"37µs
And I call "{api}" with "GetServiceAPI" using argument "secrets"35µs
And I refer to "{result}" as "svc"20µs
When I call "{svc}" with "RetrieveSecretVersion" using arguments "{uid}" and "{stale-version-id}"70ms
Then "{result}" is an error28µs
expected {result} to be an error, got *secrets.SecretValue
Feature: CCC.SecMgmt.CN02.AR01 - Deny Retrieve From Unauthorized Region
Scenario: Authorized region read succeeds @CCC.SecMgmt @CCC.SecMgmt.CN02 @PerService @tlp-amber @tlp-red @Behavioural @secrets @SANITY @OPT_IN
Given a cloud api for "{config}" in "api"39µs
And I call "{api}" with "GetServiceAPI" using argument "secrets"30µs
And I refer to "{result}" as "svc"30µs
When I call "{svc}" with "RetrieveSecretInRegion" using arguments "{uid}" and "{authorized-region}"11s
Then "{result}" is not an error42µs
expected {result} to not be an error, but got: access denied: Get "https://finos-ccc-integration-missing-westus2.vault.azure.net/secrets/finos-ccc-integration-secret-main/?api-version=2025-07-01": dial tcp: lookup finos-ccc-integration-missing-westus2.vault.azure.net on 127.0.0.53:53: no such host
And I refer to "{result}" as "authorizedRead"11µs
And I attach "{authorizedRead}" to the test output as "Authorized Region Read"32µs
Then "{authorizedRead.Denied}" is "false"16µs
Scenario: Unauthorized region read is denied @CCC.SecMgmt @CCC.SecMgmt.CN02 @PerService @tlp-amber @tlp-red @Behavioural @secrets @MAIN
Given a cloud api for "{config}" in "api"40µs
And I call "{api}" with "GetServiceAPI" using argument "secrets"33µs
And I refer to "{result}" as "svc"36µs
When I call "{svc}" with "RetrieveSecretInRegion" using arguments "{uid}" and "{unauthorized-region}"9s
Then "{result}" is an error36µs