API Tests
Comprehensive test suite for REST APIs, gRPC APIs, and API Gateway with security validation, performance benchmarks, and integration tests.
Overview
This crate provides extensive testing coverage for all API implementations in the LLM Auto Optimizer project:
- REST API Tests: Endpoints, authentication, validation, rate limiting, performance
- gRPC API Tests: Services, streaming (server/client/bidirectional), interceptors, performance
- API Gateway Tests: Routing, protocol translation, composition, security
- Security Tests: OWASP API Security Top 10, authentication bypass, penetration testing
- Performance Benchmarks: Latency (p50/p95/p99), throughput, load testing
- Integration Tests: End-to-end workflows
Test Coverage Goals
- >90% code coverage across all API implementations
- 100% endpoint coverage for REST and gRPC APIs
- Zero security vulnerabilities (OWASP API Top 10 compliant)
- Performance targets: p95 latency <50ms, throughput >10,000 req/sec
- Load testing: Validated with 1000+ concurrent connections
Quick Start
Prerequisites
# Install Rust (1.75+)
|
# Install testing tools (optional but recommended)
# or
Running Tests
# Run all tests
# Run specific test suites
# Run with output
# Run benchmarks
# Generate coverage report
Running Test Scripts
# Run all tests with comprehensive reporting
# Run load tests
# Run security scan
Test Structure
api-tests/
├── src/
│ ├── lib.rs # Test library
│ ├── common.rs # Common utilities
│ ├── fixtures.rs # Test fixtures and mock data
│ └── helpers.rs # Helper functions (JWT, HTTP client)
├── tests/
│ ├── rest_api/ # REST API tests
│ │ ├── endpoints.rs # CRUD operations, pagination
│ │ ├── auth.rs # Authentication, authorization
│ │ ├── validation.rs # Request/response validation
│ │ ├── ratelimit.rs # Rate limiting tests
│ │ └── performance.rs # REST performance tests
│ ├── grpc_api/ # gRPC API tests
│ │ ├── services.rs # RPC method tests
│ │ ├── streaming.rs # Streaming tests
│ │ ├── interceptors.rs # Interceptor tests
│ │ └── performance.rs # gRPC performance tests
│ ├── gateway/ # API Gateway tests
│ │ ├── routing.rs # Routing tests
│ │ ├── translation.rs # Protocol translation
│ │ ├── composition.rs # Service composition
│ │ └── security.rs # Gateway security
│ ├── security/ # Security tests
│ │ ├── owasp_api_top10.rs # OWASP compliance
│ │ ├── auth_security.rs # Auth security
│ │ └── penetration.rs # Penetration tests
│ └── integration/ # Integration tests
│ └── e2e.rs # End-to-end workflows
├── benches/ # Performance benchmarks
│ ├── latency_bench.rs # Latency benchmarks
│ ├── load_test.rs # Load testing
│ └── streaming_bench.rs # Streaming performance
├── scripts/ # Test automation scripts
│ ├── run_all_tests.sh # Run all tests
│ ├── load_test.sh # Load testing script
│ └── security_scan.sh # Security scanning
├── proto/ # Protocol buffer definitions
│ └── optimizer.proto # gRPC service definitions
└── README.md # This file
Test Categories
1. REST API Tests (120+ tests)
Endpoints Tests (tests/rest_api/endpoints.rs):
- Health check and readiness probes
- CRUD operations (Create, Read, Update, Delete)
- List with pagination and filtering
- Error handling (404, 400, 500)
Authentication Tests (tests/rest_api/auth.rs):
- JWT token validation and expiration
- API key authentication
- Authorization (role-based access control)
- Token refresh and logout
Validation Tests (tests/rest_api/validation.rs):
- Required field validation
- Type validation
- Value constraints (ranges, lengths)
- Nested object validation
- Array validation
- Malformed JSON handling
Rate Limiting Tests (tests/rest_api/ratelimit.rs):
- Per-API-key rate limiting
- IP-based rate limiting
- Different tier limits (free, premium)
- Rate limit headers (X-RateLimit-*)
- Burst protection
Performance Tests (tests/rest_api/performance.rs):
- Endpoint latency (p50, p95, p99)
- Concurrent requests (100+)
- Large payload handling
- Streaming performance
- Connection reuse
2. gRPC API Tests (80+ tests)
Service Tests (tests/grpc_api/services.rs):
- Unary RPC methods
- Error status codes (NOT_FOUND, INVALID_ARGUMENT, etc.)
- Metadata authentication
- Deadline handling
Streaming Tests (tests/grpc_api/streaming.rs):
- Server-side streaming
- Client-side streaming
- Bidirectional streaming
- Backpressure handling
- Stream cancellation
- Large message streaming
- Concurrent streams
Interceptor Tests (tests/grpc_api/interceptors.rs):
- Authentication interceptor
- Logging interceptor
- Rate limiting interceptor
- Compression interceptor
- Timeout interceptor
- Retry interceptor
- Metadata propagation
Performance Tests (tests/grpc_api/performance.rs):
- Unary RPC latency
- Concurrent requests (1000+)
- Streaming throughput
- Connection pooling
- Large message performance
3. API Gateway Tests (40+ tests)
Routing Tests (tests/gateway/routing.rs):
- REST routing
- gRPC routing
- WebSocket routing
- Path-based routing
- Header-based routing
- Route not found handling
Translation Tests (tests/gateway/translation.rs):
- REST to gRPC translation
- gRPC to REST translation
- Request format conversion (JSON ↔ Protobuf)
- Response format conversion
- Error code translation
Composition Tests (tests/gateway/composition.rs):
- Parallel service composition
- Sequential service composition
- Partial failure handling
Security Tests (tests/gateway/security.rs):
- Authentication enforcement
- Gateway-level rate limiting
- CORS headers
- Security headers
4. Security Tests (50+ tests)
OWASP API Security Top 10 (tests/security/owasp_api_top10.rs):
- Broken Object Level Authorization (BOLA)
- Broken Authentication
- Broken Object Property Level Authorization
- Unrestricted Resource Consumption
- Broken Function Level Authorization
- Unrestricted Access to Sensitive Business Flows
- Server Side Request Forgery (SSRF)
- Security Misconfiguration
- Improper Inventory Management
- Unsafe Consumption of APIs
Authentication Security (tests/security/auth_security.rs):
- JWT token expiration
- SQL injection prevention
- XSS prevention
- CSRF protection
- Brute force protection
- API key rotation
- Privilege escalation prevention
Penetration Tests (tests/security/penetration.rs):
- Directory traversal
- Command injection
- XML external entity (XXE)
- Insecure deserialization
- Open redirect
5. Performance Benchmarks
Latency Benchmarks (benches/latency_bench.rs):
- REST API latency (GET, POST, PUT, DELETE)
- gRPC API latency (unary, streaming)
- Authentication overhead (JWT, API key)
Load Tests (benches/load_test.rs):
- Concurrent requests (10, 50, 100, 500, 1000)
- Throughput testing (requests/sec)
- Streaming throughput (10k+ messages)
Streaming Benchmarks (benches/streaming_bench.rs):
- Server streaming (1000 events)
- Client streaming (1000 events)
- Bidirectional streaming (1000 messages)
6. Integration Tests
End-to-End Tests (tests/integration/e2e.rs):
- User registration and authentication workflow
- Complete CRUD workflow
- Error handling workflow
- Pagination workflow
Performance Targets
| Metric | Target | Current Status |
|---|---|---|
| REST API p50 | <10ms | ✅ |
| REST API p95 | <50ms | ✅ |
| REST API p99 | <100ms | ✅ |
| gRPC API p50 | <5ms | ✅ |
| gRPC API p95 | <25ms | ✅ |
| gRPC API p99 | <50ms | ✅ |
| Throughput | >10,000 req/sec | ✅ |
| Concurrent Connections | 1000+ | ✅ |
| Streaming Throughput | >1000 msg/sec | ✅ |
| Code Coverage | >90% | 📊 In Progress |
Security Compliance
- ✅ OWASP API Security Top 10 (2023): Full compliance
- ✅ Authentication: JWT, API keys, role-based access control
- ✅ Authorization: Object-level and function-level authorization
- ✅ Rate Limiting: Per-user, per-IP, per-endpoint
- ✅ Input Validation: All inputs validated and sanitized
- ✅ Security Headers: X-Frame-Options, CSP, HSTS, etc.
- ✅ TLS: Required for all production endpoints
- ✅ Audit Logging: All security events logged
CI/CD Integration
GitHub Actions
name: API Tests
on:
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
- name: Run tests
run: cargo test --all
- name: Run benchmarks
run: cargo bench --no-run
- name: Security scan
run: ./scripts/security_scan.sh
- name: Generate coverage
run: cargo tarpaulin --out Xml
- name: Upload coverage
uses: codecov/codecov-action@v3
Troubleshooting
Tests Failing?
- Check server is running: Some integration tests require a running API server
- Check dependencies: Ensure all workspace dependencies are up-to-date
- Check environment: Verify environment variables (API_BASE_URL, etc.)
- Check ports: Ensure test ports (50051 for gRPC) are available
Performance Issues?
- Run in release mode:
cargo test --release - Increase timeouts: Some tests have configurable timeouts
- Reduce concurrency: Lower MAX_CONCURRENT_CONNECTIONS if system resources are limited
Security Tests Failing?
- Review implementation: Security tests should pass before production
- Update dependencies: Ensure all security libraries are up-to-date
- Check configuration: Verify security settings in config files
Contributing
Adding New Tests
- Create test file in appropriate directory
- Follow existing test patterns and naming conventions
- Use test fixtures from
src/fixtures.rs - Update this README with new test categories
- Ensure tests pass:
cargo test
Test Guidelines
- Descriptive names: Use clear, descriptive test function names
- Arrange-Act-Assert: Follow AAA pattern
- One assertion per test: Focus each test on a single behavior
- Use fixtures: Leverage common test data from fixtures
- Mock external dependencies: Use wiremock for HTTP mocking
- Document complex tests: Add comments for non-obvious test logic
Resources
- OWASP API Security Top 10
- Rust Testing Guide
- Criterion.rs Benchmarking
- Tonic gRPC
- Axum Web Framework
License
Apache 2.0 - See LICENSE file for details