pplate/cannamanage
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
59b785b8eddd2be907c25b07d0547d0ee39ad885
cannamanage/docs/sprint-11/cannamanage-sprint11-analysis.md
T
Patrick Plate 59b785b8ed
Deploy to Production / test (push) Failing after 1s
Details
Deploy to Production / deploy (push) Has been skipped
Details
test(sprint-11): centralize JaCoCo coverage rules and add bank import + finance test coverage 
- pom.xml: introduce risk-tiered JaCoCo rules in parent POM
  - bundle: 80% line coverage
  - bankimport/finance packages: 90% (highest precision)
  - api.security: 85%
  - scheduler/notification: 70%
  - exclude entity/enums/dto/config from coverage measurement
  - add Surefire 3.5.2 plugin management
- cannamanage-service/pom.xml: remove obsolete module-local ComplianceService=100% rule
  (subsumed by parent package rules), add explicit jackson-databind dep so
  ByteBuddy can mock AuditService.METADATA_MAPPER
- Add AbstractServiceTest base class for service-layer tests
- Add FinanceServiceTest
- Add bankimport test suite:
  - Mt940ParserTest with malformed input fixtures
    (encoding, overflow, truncated, generic)
  - PaymentMatchingServiceTest with ParsedTransactionBuilder helper
  - CAMT.053 / Sparkasse MT940 sample fixtures
  - XXE attack fixtures (billion-laughs, SSRF, generic)
- docs/sprint-11/: analysis, plan, plan-review, testplan
2026-06-15 21:37:49 +02:00

215 lines
9.2 KiB
Markdown
Raw Blame History

# Sprint 11 Analysis — Quality Foundation: Backend Test Coverage
**Date:** 2026-06-15
**Sprint Theme:** Quality Foundation — Backend Test Coverage
**Author:** Patrick Plate / Roo (Architect)
**Status:** Draft v1
---
## 1. Current State Assessment
### 1.1 Codebase Metrics
| Metric | Value |
|--------|-------|
| Backend LOC (Java) | ~29,000 |
| Service classes | 42 (main) + 12 (bankimport) + 19 (report generators) |
| Existing unit tests | 9 test classes in `cannamanage-service` |
| Existing integration tests | 6 test classes in `cannamanage-api` |
| Existing Playwright E2E tests | 202 |
| Estimated current line coverage | ~12% |
| Target line coverage | ≥80% overall, ≥90% for financial/compliance |
### 1.2 Existing Test Inventory
**Unit Tests (`cannamanage-service/src/test/`):**
| Test Class | Service Under Test | Approx. Coverage |
|------------|-------------------|-----------------|
| `ClubServiceTest` | ClubService | Partial |
| `ComplianceServiceTest` | ComplianceService | Good (quota enforcement) |
| `EmailServiceTest` | EmailService | Basic |
| `PdfReportGeneratorTest` | PdfReportGenerator | Basic |
| `PortalServiceTest` | PortalService | Partial |
| `PreventionOfficerServiceTest` | PreventionOfficerService | Good |
| `ReportServiceTest` | ReportService | Partial |
| `StaffServiceTest` | StaffService | Partial |
| `TokenRevocationServiceTest` | TokenRevocationService | Good |
**Integration Tests (`cannamanage-api/src/test/`):**
| Test Class | Scope |
|------------|-------|
| `AbstractIntegrationTest` | Base class (Testcontainers PostgreSQL) |
| `AuthIntegrationTest` | Full auth flow |
| `PortalIntegrationTest` | Member portal endpoints |
| `ReportIntegrationTest` | Report generation endpoints |
| `StaffPermissionIntegrationTest` | RBAC enforcement |
| `TenantIsolationTest` | Multi-tenant data isolation |
| `TokenRevocationIntegrationTest` | Token lifecycle |
| `AuthControllerIntegrationTest` | Auth controller |
| `ClubControllerTest` | Club CRUD |
| `ComplianceControllerIntegrationTest` | Compliance endpoints |
| `StaffPermissionCheckerTest` | Permission checker logic |
### 1.3 Untested Services (Coverage Gaps)
**Critical — Zero Test Coverage:**
| Service | LOC | Complexity | Risk |
|---------|-----|-----------|------|
| `FinanceService` | 371 | High (ledger, payments, fees) | 🔴 Financial |
| `PaymentMatchingService` | 507 | Very High (scoring algorithm) | 🔴 Financial |
| `BankImportService` | ~400 | High (stateful session) | 🔴 Financial/GoBD |
| `Mt940Parser` | ~300 | High (state machine) | 🔴 Financial |
| `Camt053Parser` | ~250 | High (StAX XML) | 🔴 Security (XXE) |
| `CsvBankParser` | ~200 | Medium | 🟡 Financial |
| `RetentionService` | ~200 | Medium (GDPR logic) | 🔴 Compliance |
| `ReportGeneratorService` | ~150 | Medium (dispatch) | 🟡 Compliance |
| `EurReportGenerator` | ~300 | High (§4(3) EStG) | 🔴 Financial |
| `AnnualAuthorityReportGenerator` | ~250 | High (CanG §26) | 🔴 Compliance |
| `AssemblyService` | ~350 | High (quorum, voting) | 🟡 Legal |
| `EventService` | ~250 | Medium (RSVP, iCal) | 🟢 Standard |
| `ForumService` | ~200 | Medium | 🟢 Standard |
| `InfoBoardService` | ~150 | Low | 🟢 Standard |
| `NotificationDispatchService` | ~200 | Medium (fan-out) | 🟡 Reliability |
| `JwtService` | ~120 | Medium (crypto) | 🔴 Security |
| `LoginRateLimiter` | ~80 | Low | 🔴 Security |
| `TenantFilterAspect` | ~60 | Low (AOP) | 🔴 Security |
| `DocumentService` | ~200 | Medium (file I/O) | 🔴 Security |
### 1.4 Test Infrastructure Status
| Infrastructure | Status |
|---------------|--------|
| JUnit 5 | ✅ Available (via spring-boot-starter-test) |
| Mockito | ✅ Available (via spring-boot-starter-test) |
| AssertJ | ✅ Available (explicit dependency) |
| Testcontainers PostgreSQL | ✅ Available + configured |
| AbstractIntegrationTest base class | ✅ Exists with helper methods |
| JaCoCo coverage plugin | ❌ Not configured |
| Test profiles (application-test.properties) | ✅ Exists |
| Integration profile (application-integration.properties) | ✅ Exists |
---
## 2. Risk Analysis
### 2.1 Why 12% Coverage is a Production Blocker
| Risk | Impact | Probability | Mitigation |
|------|--------|-------------|-----------|
| Financial calculation bug (rounding, fee logic) | Loss of member trust, incorrect Kassenbuch | High | Unit tests for FinanceService with cent-precision assertions |
| Bank import data corruption (GoBD violation) | Legal liability under §147 AO | Medium | Integration tests for immutable session lifecycle |
| Payment matching false positive (wrong member) | Incorrect bookkeeping, member disputes | Medium | Unit tests with realistic German bank statement data |
| MT940 parser crash on edge cases | Import failure blocks payment reconciliation | High | Fuzz-style tests with malformed input |
| GDPR retention logic error | Supervisory authority fine (up to 4% revenue) | Low | Unit tests for anonymization completeness |
| Quota enforcement bypass | CanG violation, club loses license | Medium | Already tested (ComplianceServiceTest) — verify edge cases |
| JWT token validation bypass | Unauthorized access | Low-Medium | Unit tests for expiry, tampering, revocation |
| Tenant isolation breach | Data leak between clubs | Critical | Already tested (TenantIsolationTest) — extend |
### 2.2 Coverage Targets by Risk Category
| Category | Target | Rationale |
|----------|--------|-----------|
| Financial (FinanceService, BankImport, Parsers, Matching) | ≥90% | Money handling requires near-complete coverage |
| Compliance (Retention, ComplianceService, Reports) | ≥90% | Regulatory requirements |
| Security (JWT, RateLimiter, Tenant, Document) | ≥80% | Attack surface minimization |
| Core Business (Assembly, Events, Forum, InfoBoard) | ≥75% | Functional correctness |
| Infrastructure (Notifications, Schedulers) | ≥60% | Reliability baseline |
---
## 3. Testing Strategy
### 3.1 Test Pyramid
```
/‾‾‾‾‾‾‾‾‾‾‾‾\
/ Playwright \ 202 existing (unchanged)
/ E2E (202) \
/____________________\
/ \
/ Integration (~12) \ ~12 new (Testcontainers)
/ API + DB flows \
/__________________________\
/ \
/ Unit Tests (~95+) \ ~95 new (Mockito)
/ Service logic isolation \
/________________________________\
```
### 3.2 Unit Test Approach
- **Pattern:** JUnit 5 + Mockito + AssertJ (matching existing ComplianceServiceTest style)
- **Naming:** `test<Method>_<Scenario>_<Expected>()` with `@DisplayName`
- **Structure:** Given-When-Then with clear section comments
- **Mocking:** All repository dependencies mocked; test pure business logic
- **Edge cases:** null inputs, boundary values, German locale specifics (umlauts, date formats)
### 3.3 Integration Test Approach
- **Base class:** Extend existing `AbstractIntegrationTest` (Testcontainers PostgreSQL)
- **Scope:** Full request → DB → response cycles
- **Auth:** Use helper methods to create users and obtain JWT tokens
- **Data isolation:** Each test creates its own club/user context
- **Cleanup:** `@Transactional` rollback or manual cleanup in `@AfterEach`
### 3.4 Coverage Measurement
- **Tool:** JaCoCo Maven plugin
- **Report:** HTML + XML (for CI parsing)
- **Enforcement:** `<rule>` element with minimum 60% line coverage
- **Exclusions:** Generated code, DTOs, enums, configuration classes
---
## 4. Sprint Scope
### 4.1 In Scope
- 296+ new unit tests across 30+ service classes (includes report generators, schedulers, CRUD services)
- 29+ new integration tests for critical flows (incl. SecurityConfig and Flyway migration verification)
- JaCoCo plugin configuration with 80% enforcement
- Maven Surefire parallelization (forkCount=2) for build speed
- Test fixtures and builders for realistic German data (incl. real Sparkasse MT940)
- Coverage from 12% → 80%+ overall (realistically achievable with +70 easy-win tests in v3)
### 4.2 Out of Scope
- New features
- Frontend changes
- Playwright test additions
- CI/CD pipeline changes (deferred to Sprint 12)
- Performance testing
---
## 5. Dependencies
| Dependency | Status | Action |
|-----------|--------|--------|
| Testcontainers | ✅ Already in POM | None |
| JaCoCo | ❌ Missing | Add to parent POM |
| Test fixtures (MT940 samples, CAMT053 XML) | ❌ Missing | Create in src/test/resources |
| Mockito (for unit tests) | ✅ via starter-test | None |
| AssertJ | ✅ Explicit dependency | None |
---
## 6. Success Criteria
| Criterion | Threshold | Measurement |
|-----------|-----------|-------------|
| Overall line coverage | ≥80% | JaCoCo report |
| Financial module coverage | ≥90% | JaCoCo per-package |
| Compliance module coverage | ≥90% | JaCoCo per-package |
| Security module coverage | ≥85% | JaCoCo per-package (boosted by GlobalExceptionHandler tests) |
| Core business coverage | ≥75% | JaCoCo per-package |
| Infrastructure coverage (Schedulers + Notifications) | ≥70% | JaCoCo per-package |
| All tests pass | 100% green | `mvn test` exit code 0 |
| Total backend tests | ≥345 | Surefire report count |
| No new features introduced | 0 feature commits | Git log review |
| Build time increase | ≤3 minutes | Maven timing (with forkCount=2) |
Reference in New Issue View Git Blame Copy Permalink