As basic information on API, the customer provided automatically generated Swagger documentation. It was our starting point for defining the number of necessary tests and choosing the way of application testing. To ensure the qualitative API functioning, it was necessary to check the way valid and nonvalid requests were processed, what response codes returned, response structure, and data types used for responses. These checking processes were automated and formed the basis of the framework for automated API testing. The framework was packed into a Docker image for fast and easy integration in CI/CD. As a result, the framework became a part of the program code, and API is tested automatically with a respect of any code changes.
We had to take into account that API would build up its functionality. Ideally, new tests had to be added to the framework automatically. To ensure automatic updates of tests, we built a utility, generating tests from Swagger documentation. Each time after launching the set of tests, the utility checked the API documentation version and generated new tests if it detected any changes. So, each new API version was automatically tested without human intervention into the process of generating tests.
Finally, the framework was supplemented by tests, which checked API responses that way testing internal algorithms, embedded in API. The testing was conducted according to the automated Black Box method. To ensure API safety, we ran
- Role-based security testing,
- Brute-force attack protection testing,
- Session management testing,
- SQL injection protection testing.