🥒 CCC.SvlsComp Test: finos-ccc-integration-fn-main

Test Parameters

ServiceType	serverless-computing
ProviderServiceType	cloudfunctions.googleapis.com/Function
CatalogTypes	CCC.SvlsComp
TagFilter	@Behavioural, @serverless-computing, @Behavioural
UID	finos-ccc-integration-fn-main
ResourceName	finos-ccc-integration-fn-main
Config	{}
burst-overrun	15
catalog-versions	{ "CCC.Core": "v2025.10", "CCC.SvlsComp": "DEV" }
function-name	finos-ccc-integration-fn-main
gcp-project-id	nodal-time-474015-p5
permitted-regions	[ "us-central1" ]
private-endpoint-url	internal-only
provider	gcp
rate-limit-threshold	10
region	us-central1
resource	finos-ccc-integration-fn-main
service	serverless-computing
service-type	serverless-computing
tags	@Behavioural @serverless-computing

Summary

Generated: 2026-06-16 16:34:20

Total Run Time: 35s

Features: 12

Scenarios: 14 (✅ 7 | ❌ 7)

Steps: 105 (✅ 88 | ❌ 7 | ⏭️ 9 | ❓ 1)

Filter by Tag:

Feature: CCC.Core.CN02.AR01 - Encrypt Data For Storage

Scenario: Function encryption status reports enabled controls @CCC.Core @CCC.Core.CN02 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @serverless-computing

Given a cloud api for "{config}" in "api"39µs

Given I call "{api}" with "GetServiceAPI" using argument "serverless-computing"91µs

And I refer to "{result}" as "svc"18µs

When I call "{svc}" with "GetFunctionEncryptionStatus" using argument "{uid}"817ms

Then "{result}" is not an error46µs

And I refer to "{result}" as "encryption"19µs

And I attach "{encryption}" to the test output as "Function Encryption Status"43µs

Then "{encryption.EnvEncrypted}" is "true"34µs

expected {encryption.EnvEncrypted} to equal 'true', got 'false'

📎 Attachments:

Function Encryption Status

View JSON (62 bytes)

{"EnvEncrypted":false,"KMSKeyArn":"","SecretsEncrypted":false}

Feature: CCC.SvlsComp.CN01.AR01 - Deny Public Internet Access

Scenario: Private invoke path succeeds @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @SANITY @OPT_IN

Given a cloud api for "{config}" in "api"40µs

And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"45µs

And I refer to "{result}" as "svc"25µs

When I call "{svc}" with "AttemptPrivateInvoke" using argument "{uid}"61µs

Then "{result}" is not an error29µs

And I refer to "{result}" as "privateInvoke"21µs

Then "{privateInvoke.Invoked}" is "true"19µs

Scenario: No public invoke surface is configured @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @MAIN

Given a cloud api for "{config}" in "api"31µs

And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"32µs

And I refer to "{result}" as "svc"24µs

When I call "{svc}" with "GetInvokeEndpointExposure" using argument "{uid}"156ms

Then "{result}" is not an error25µs

And I refer to "{result}" as "exposure"17µs

And I attach "{exposure}" to the test output as "Invoke Endpoint Exposure"59µs

Then "{exposure.PublicEndpointConfigured}" is "false"68µs

📎 Attachments:

Invoke Endpoint Exposure

View JSON (127 bytes)

{"PublicEndpointConfigured":false,"PublicEndpointURL":"","PrivateEndpointConfigured":true,"PrivateEndpointURL":"internal-only"}

Scenario: Public internet invoke attempt is denied @CCC.SvlsComp @CCC.SvlsComp.CN01 @PerService @tlp-amber @tlp-red @Behavioural @serverless-computing @MAIN @OPT_IN

Given a cloud api for "{config}" in "api"45µs

And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"34µs

And I refer to "{result}" as "svc"20µs

When I call "{svc}" with "AttemptPublicInternetInvoke" using argument "{uid}"179ms

Then "{result}" is not an error33µs

expected {result} to not be an error, but got: no public invoke URL available (set public-invoke-url or expose function with ALLOW_ALL ingress)

And I refer to "{result}" as "publicInvoke"16µs

And I attach "{publicInvoke}" to the test output as "Public Invoke Attempt"20µs

Then "{publicInvoke.AccessDenied}" is "true"21µs

Feature: CCC.SvlsComp.CN02.AR01 - Function Invocation Rate Limits

Scenario: Invocations beyond threshold are throttled @CCC.SvlsComp @CCC.SvlsComp.CN02 @PerService @tlp-amber @tlp-red @Behavioural @Destructive @serverless-computing

Given a cloud api for "{config}" in "api"34µs

And I call "{api}" with "GetServiceAPI" using argument "serverless-computing"35µs

And I refer to "{result}" as "svc"20µs

When I call "{svc}" with "InvokeFunctionBurst" using arguments "{uid}" and "{rate-limit-threshold}"197ms

Then "{result}" is not an error85µs

expected {result} to not be an error, but got: no invoke URL available for function

And I refer to "{result}" as "withinThreshold"49µs

Then "{withinThreshold.AllSucceeded}" is "true"65µs

When I call "{svc}" with "InvokeFunctionBurst" using arguments "{uid}" and "{burst-overrun}"33µs

Then "{result}" is not an error14µs

And I refer to "{result}" as "overrun"12µs

And I attach "{overrun}" to the test output as "Invocation Burst Overrun"14µs

Then "{overrun.ThrottledCount}" is greater than "{0}"22µs

Feature: CCC.Core.CN03.AR01 - Multi-Factor Authentication for Destructive Operations

Scenario: MFA requirement for destructive operations cannot be tested automatically @CCC.Core @CCC.Core.CN03 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @load-balancer @virtual-machines @serverless-computing @NotTestable

Given a cloud api for "{config}" in "api"76µs

Then no-op required48µs

Feature: CCC.Core.CN04.AR01 - Log Administrative Access Attempts

Scenario: Verify admin actions are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"32µs

And I call "{api}" with "GetServiceAPI" using argument "{service-type}"32µs

And I refer to "{result}" as "theService"21µs

Given I call "{api}" with "GetServiceAPI" using argument "logging"693µs

And I refer to "{result}" as "loggingService"18µs

When I call "{theService}" with "UpdateResourcePolicy"1s

Then "{result}" is not an error25µs

And I attach "{result}" to the test output as "Policy Update Result"33µs

And we wait for a period of "10000" ms10s

When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "admin", and "{20}"1s

Then "{result}" is not an error26µs

And I refer to "{result}" as "adminLogs"20µs

And I attach "{adminLogs}" to the test output as "Admin Activity Logs"85µs

Then "{adminLogs}" is an array of objects with at least the following contents341µs

result
Succeeded

expected row not found: map[result:Succeeded]

📎 Attachments:

Policy Update Result

View JSON (4 bytes)

null

Admin Activity Logs

View JSON (1379 bytes)

[{"resource":"cloud_run_revision","timestamp":"2026-06-16T16:31:38.819958Z","result":"Notice","fields":{"resource.configuration_name":"","resource.location":"us-central1","resource.project_id":"nodal-time-474015-p5","resource.revision_name":"","resource.service_name":"finos-ccc-integration-fn-main"}},{"resource":"cloud_function","timestamp":"2026-06-16T16:31:39.51796967Z","result":"Notice","fields":{"resource.function_name":"finos-ccc-integration-fn-main","resource.project_id":"nodal-time-474015-p5","resource.region":"us-central1"}},{"resource":"cloud_run_revision","timestamp":"2026-06-16T16:32:42.537686Z","result":"Notice","fields":{"resource.configuration_name":"","resource.location":"us-central1","resource.project_id":"nodal-time-474015-p5","resource.revision_name":"","resource.service_name":"finos-ccc-integration-fn-main"}},{"resource":"cloud_function","timestamp":"2026-06-16T16:32:50.123318614Z","result":"Notice","fields":{"resource.function_name":"finos-ccc-integration-fn-main","resource.project_id":"nodal-time-474015-p5","resource.region":"us-central1"}},{"resource":"cloud_run_revision","timestamp":"2026-06-16T16:34:22.506391Z","result":"Notice","fields":{"resource.configuration_name":"","resource.location":"us-central1","resource.project_id":"nodal-time-474015-p5","resource.revision_name":"","resource.service_name":"finos-ccc-integration-fn-main"}}]

Feature: CCC.Core.CN04.AR02 - Log Data Modification Attempts

Scenario: Verify data modifications are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-amber @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"35µs

Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"34µs

And I refer to "{result}" as "theService"22µs

And I call "{api}" with "GetServiceAPI" using argument "logging"19µs

And I refer to "{result}" as "loggingService"13µs

When I call "{theService}" with "TriggerDataWrite" using argument "{resource-name}"160ms

And I attach "{result}" to the test output as "Data Write Trigger Result"52µs

And we wait for a period of "10000" ms10s

Then I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-write", and "{20}"386ms

And I refer to "{result}" as "dataLogs"26µs

And I attach "{dataLogs}" to the test output as "Data Write Logs"41µs

Then "{dataLogs}" is an array of objects with at least the following contents36µs

result
Succeeded

expected row not found: map[result:Succeeded]

📎 Attachments:

Data Write Trigger Result

View JSON (4 bytes)

null

Data Write Logs

View JSON (2 bytes)

[]

Feature: CCC.Core.CN04.AR03 - Log Data Read Attempts

Scenario: Verify data read operations are logged with identity and timestamp @CCC.Core @CCC.Core.CN04 @PerService @tlp-red @Behavioural @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"54µs

Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"35µs

And I refer to "{result}" as "theService"23µs

And I call "{api}" with "GetServiceAPI" using argument "logging"25µs

And I refer to "{result}" as "loggingService"18µs

When I call "{theService}" with "TriggerDataRead" using argument "{resource-name}"146ms

And I attach "{result}" to the test output as "Data Read Trigger Result"46µs

And we wait for a period of "10000" ms10s

When I call "{loggingService}" with "QueryLogs" using arguments "{resource-name}", "data-read", and "{20}"261ms

Then "{result}" is not an error30µs

And I refer to "{result}" as "readLogs"30µs

And I attach "{readLogs}" to the test output as "Data Read Logs"33µs

Then "{readLogs}" is an array of objects with at least the following contents37µs

result
Succeeded

expected row not found: map[result:Succeeded]

📎 Attachments:

Data Read Trigger Result

View JSON (4 bytes)

null

Data Read Logs

View JSON (2 bytes)

[]

Feature: CCC.Core.CN05.AR06 - Block All Unauthorized Requests

Scenario: Service prevents data read by user with no access @CCC.Core @CCC.Core.CN05 @PerService @tlp-amber @tlp-green @tlp-red @Destructive @Behavioural @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"40µs

And I call "{api}" with "GetServiceAPIWithIdentity" using arguments "{service-type}" and "test-user-no-access"166µs

And "{result}" is not an error29µs

And I refer to "{result}" as "userReadableService"15µs

When I call "{userReadableService}" with "TriggerDataRead" using argument "{resource-name}"195ms

Then "{result}" is an error25µs

And I attach "{result}" to the test output as "no-access-trigger-data-read-error.txt"35µs

📎 Attachments:

no-access-trigger-data-read-error.txt

View Content (296 bytes)

failed to get function "projects/nodal-time-474015-p5/locations/us-central1/functions/finos-ccc-integration-fn-main": googleapi: Error 403: Permission 'cloudfunctions.functions.get' denied on 'projects/nodal-time-474015-p5/locations/us-central1/functions/finos-ccc-integration-fn-main', forbidden

Feature: CCC.Core.CN07.AR01 - Publish Enumeration Activity Events

Scenario: Enumeration event publishing cannot be tested automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"106µs

Then no-op required43µs

Feature: CCC.Core.CN07.AR02 - Log Enumeration Activities

Scenario: Enumeration logging cannot be verified automatically @CCC.Core @CCC.Core.CN07 @PerService @tlp-amber @tlp-clear @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"36µs

Then no-op required20µs

Feature: CCC.Core.CN10.AR01 - Replication Destination Trust

Scenario: Replication destination trust cannot be verified automatically @CCC.Core @CCC.Core.CN10 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @NotTestable @object-storage @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"29µs

Then no-op required19µs

Feature: CCC.Core.CN06.AR01 - Resource Location Compliance

Scenario: Resource region can be retrieved for compliance verification @CCC.Core @CCC.Core.CN06 @PerService @tlp-amber @tlp-green @tlp-red @Behavioural @object-storage @vpc @virtual-machines @serverless-computing

Given a cloud api for "{config}" in "api"27µs

Given I call "{api}" with "GetServiceAPI" using argument "{service-type}"35µs

And I refer to "{result}" as "theService"20µs

When I call "{theService}" with "GetResourceRegion" using argument "{resource-name}"33µs

Then "{result}" is not an error19µs

And I refer to "{result}" as "region"15µs

And I attach "{region}" to the test output as "Resource Region"24µs

Then "{permitted-regions}" is an array of objects with at least the following contents51µs

value
{region}

expected row not found: map[value:{region}]

📎 Attachments:

Resource Region

View Content (11 bytes)

us-central1