.. deploy-test.rst

.. _testing:

==============================
Testing the Deployment
==============================

In this step you will retrieve an access token and make an API call to test that the app was correctly deployed to your environment. In the test you will leverage the APIs directly, for example by using a client like Postman, or any HTTP client. The test assumes that you have registered the Yubico FIDO Pre-reg Test Client as described in :ref:`register-apps`.

To *retrieve an access token*, do the following:

1. Go to the previously created :ref:`Yubico FIDO Pre-reg Test Client `.
2. From your client, make an API call using the following request:

   * **Method:** ``POST``
   * **URL:** ``https://login.microsoftonline.com/{your azure tenant domain}/oauth2/v2.0/token``
   * **Header:** Content-Type - ``application/x-www-form-urlencoded``
   * **Body:**

     * **grant_type:** ``client_credentials``
     * **client_id:** Client ID created for the :ref:`Yubico FIDO Pre-reg Test Client `.
     * **client_secret:** Client secret from when you created the test client.
     * **scope:** ``api://fido-connector-api.{verified domain name}/.default``

3. Send the request.
4. From the response, copy the ``access_token`` value.

To *call the API*, do the following:

1. From your client, make an API call using the following request:

   * **Method:** ``GET``
   * **URL:** ``https://{url of your container app}/v1/status``. For base URL, copy the Application URL from your Container App.
   * **Header:**

     * **Authorization** - Bearer ``{access_token from previous step}``

       Example: ``Bearer eyJ0…``
     * **Content-Type** - ``application/json``

2. From this API call you should receive a 200 status code, with a response payload that outlines the different environment configurations that were made during setup of the components. Double-check these responses to ensure that they are correct.

.. _troubleshooting:

Troubleshooting
===================

The following provides basic troubleshooting steps for common deployment issues.

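
To repeat the deployment test from a script while troubleshooting, the following added example (not part of the original page and not Yubico code) builds the token request and the ``/v1/status`` call described in Testing the Deployment, and surfaces the error body when either call fails. It assumes Python 3 with only the standard library; the ``FPR_*`` environment variable names are hypothetical.

```python
# Added example (not Yubico code): the token request and /v1/status call, scripted.
import json
import os
import urllib.error
import urllib.parse
import urllib.request

def build_token_request(tenant, client_id, client_secret, verified_domain):
    """POST to the tenant's v2.0 token endpoint with the client_credentials grant."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": f"api://fido-connector-api.{verified_domain}/.default"}
    return urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def build_status_request(app_url, access_token):
    """GET {Application URL}/v1/status with the bearer token."""
    return urllib.request.Request(
        app_url.rstrip("/") + "/v1/status", method="GET",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})

def extract_token(body):
    """Return access_token, or raise with the OAuth error fields in the response."""
    doc = json.loads(body)
    if "access_token" not in doc:
        raise RuntimeError(f"{doc.get('error')}: {doc.get('error_description')}")
    return doc["access_token"]

def send(req):
    """Return (status, body) for 4xx/5xx too, so the error payload stays visible."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def run_test(env=os.environ):
    # FPR_* names are hypothetical. The secret is read from the environment so it
    # is not stored in the script; the token itself is never printed.
    _, body = send(build_token_request(env["FPR_TENANT"], env["FPR_CLIENT_ID"],
                                       env["FPR_CLIENT_SECRET"], env["FPR_DOMAIN"]))
    status, body = send(build_status_request(env["FPR_APP_URL"], extract_token(body)))
    if status != 200:
        raise RuntimeError(f"/v1/status returned {status}: {body[:200]!r}")
    return json.loads(body)

if __name__ == "__main__":
    print(json.dumps(run_test(), indent=2))
```

Compare the printed payload against the environment configuration you set during deployment, as in step 2 of the API call above.
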

Where to Start?
-----------------

1. What is the error message that you are getting?
2. Verify the environment variables and key vault values:

   a. *Key Vault Administrator* is required to view key vault entries.
   b. Verify secrets entries for the YubiEnterprise API. Must be a valid token retrieved from the YubiEnterprise Console, see `Generating API Tokens `_.

3. Review response message from the Credential API Container App.
4. Check Container App Logs.
5. Verify Environment Variables.
6. Verify Azure Key Vault values.

Verifying Shipment Status in Storage Browser
---------------------------------------------

1. Log in to the `Azure portal `_.
2. Go to the **Resource Group**.
3. Go to **Storage Account** > **Storage Browser** > **Tables**.
4. Click the **fprshipments** table.
5. Find the desired shipment by ``shipmentId``.
6. Verify that the state of the shipment is complete. A ``shipmentId`` status that is not updated to "complete" will continue to retry. Once you investigate and resolve the issue, the status can be manually updated to "complete".
7. If a ``shipmentId`` has encountered an error during processing, it will be recorded in the **fprshipments** table fields ``error_kind`` and ``error_message``.
8. Once you have investigated and resolved the issue, the shipment will be reprocessed during the next scheduled run to "complete" status. Alternatively, the status can be manually updated to "complete" if the cause of the error cannot be resolved.

.. note::
   The shipment status and processing error recorded in the **fprshipments** table can also be obtained by calling the API as described in :ref:`get-shipment-status`. You can find more details to understand the error in :ref:`check-fido-con-logs`.

Verifying Delivery Status of YubiKey PIN
------------------------------------------

By default Yubico FIDO Pre-reg is configured to send emails to the end user's manager.
If the manager relationship for the end user is not set up, or the manager does not have an email address configured, the PIN delivery will fail.

To verify that the PIN delivery was successful, do the following:

1. Log in to the `Azure portal `_.
2. Go to **Resource Group** > **Logic App**.
3. In the left menu, click **Development tools** > **Run history**.
4. Verify that you have a record with **Status** “Succeeded”.
5. If the status is “Succeeded”:

   a. Open the history record.
   b. Select the connector for “HTTP - Get User Manager Details”.
   c. In the **Parameters** tab of the **Outputs** section, verify that **Body** has a field for the “mail” attribute populated with the email address of the end user's manager.

6. If the status is “Failed”:

   a. Open the history record.
   b. Review which connector had an error and investigate the details of the error by clicking the connector.

Verifying YubiKey Registration in Microsoft Entra ID
-------------------------------------------------------

1. Log in to the `Microsoft Entra admin center `_.
2. Go to **Users** > **All users**.
3. Search for the desired **User**.
4. Go to **Authentication method**.
5. Verify that the new YubiKey is listed.

Checking Microsoft Entra ID Audit Log History
----------------------------------------------------

1. Log in to the `Microsoft Entra admin center `_.
2. Go to **Users** > **All users**.
3. Search for the desired **User**.
4. Go to **Audit logs**.
5. Filter the **Activity** column for each of the following:

   a. "Get passkey creation options".
   b. "Admin registered security info".
   c. "User registered security info".

6. Check if any of the events indicate that an error occurred.

.. note::
   If an error related to Microsoft Entra ID is encountered by the FIDO Connector App, the ``error_message`` in the **fprshipments** table, or error entry in FIDO Connector App logs, will contain a ``client-request-id`` which is related to the "Correlation ID" in Microsoft Entra ID Audit Logs.

.. _check-fido-con-logs:

Checking FIDO Connector Logs
----------------------------------

1. Log in to the `Azure portal `_.
2. Go to the **Resource Group** where the FIDO Connector App is deployed.
3. Select the **Container App**.
4. Select **Monitoring** > **Logs**.
5. Within the open tab, if not already selected, in the drop-down, change from “Simple mode” to “KQL mode” (using Kusto Query Language).
6. Paste a KQL query similar to the following to begin identifying errors and timeframes to investigate:

   .. code-block:: c#

      ContainerAppConsoleLogs_CL
      | where Log_s contains "WARN" or Log_s contains "ERROR" or Log_s contains "Fail"
      | project TimeGenerated, ContainerName_s, Log_s