tarn 0.11.2

CLI-first API testing tool
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

//! TL005 — shorthand status assertion where a specific code would be
//! more diagnostic.
//!
//! `status: "2xx"` is a useful smoke assertion, but when the step
//! name implies a specific outcome (e.g. `"creates user"`, `"deletes
//! user"`, `"returns 201"`) the user almost certainly *knows* the
//! expected code. Using the shorthand there hides the signal: a
//! mutation drifting from 201 to 200 slips through, and later schema
//! drift detection (NAZ-415) won't know what normal looks like.
//!
//! The rule is deliberately noisy-only-when-the-name-tells-us: we
//! match simple verb heuristics in the step/test name. If the
//! heuristic is unsure, we stay silent.

use crate::lint::{finding_from_step, walk_steps, Finding, Severity};
use crate::model::{StatusAssertion, TestFile};

pub fn lint(file: &TestFile, path: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (step_path, step) in walk_steps(file, path) {
        let Some(assertion) = &step.assertions else {
            continue;
        };
        let Some(status) = &assertion.status else {
            continue;
        };
        let StatusAssertion::Shorthand(s) = status else {
            continue;
        };
        if !is_broad_shorthand(s) {
            continue;
        }
        let expected = expected_code_from_name(&step.name);
        if expected.is_none() {
            continue;
        }
        let expected = expected.unwrap();
        findings.push(finding_from_step(
            "TL005",
            Severity::Info,
            path,
            Some(step_path.clone()),
            step,
            format!(
                "Step `{}` asserts `status: \"{}\"` but its name suggests an expected code of {}.",
                step.name, s, expected
            ),
            Some(
                "A literal status value narrows diagnosis when an endpoint drifts from 201 to 200 (or vice versa).".to_string(),
            ),
        ));
    }
    findings
}

fn is_broad_shorthand(s: &str) -> bool {
    matches!(
        s.to_ascii_lowercase().as_str(),
        "1xx" | "2xx" | "3xx" | "4xx" | "5xx" | "xxx"
    )
}

/// Very conservative verb heuristic — only returns `Some` when the
/// name pattern is unambiguous. False positives here are worse than
/// false negatives, because lint must not be noisy.
fn expected_code_from_name(name: &str) -> Option<u16> {
    let lower = name.to_ascii_lowercase();
    // "creates X" / "create X" / "POST X" → 201
    if lower.starts_with("create") || lower.contains(" creates ") || lower.starts_with("post ") {
        return Some(201);
    }
    // "deletes X" / "delete X" → 204 (most common) — we don't guess
    // 200 here; `204` is the API-design default and if the service
    // uses 200 the user can make the assertion literal.
    if lower.starts_with("delete") || lower.contains(" deletes ") {
        return Some(204);
    }
    None
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::parser::parse_str;
    use std::path::Path;

    fn parse(source: &str) -> TestFile {
        parse_str(source, Path::new("t.tarn.yaml")).expect("parse")
    }

    #[test]
    fn fires_on_create_with_2xx_shorthand() {
        let file = parse(
            r#"
name: weak-status
steps:
  - name: create user
    request:
      method: POST
      url: "http://example.com/users"
      body: { name: x }
    assert:
      status: "2xx"
"#,
        );
        let findings = lint(&file, "t.tarn.yaml");
        assert_eq!(findings.len(), 1);
        assert_eq!(findings[0].rule_id, "TL005");
        assert_eq!(findings[0].severity, Severity::Info);
    }

    #[test]
    fn quiet_when_status_is_literal_201() {
        let file = parse(
            r#"
name: literal
steps:
  - name: create user
    request:
      method: POST
      url: "http://example.com/users"
      body: { name: x }
    assert:
      status: 201
"#,
        );
        let findings = lint(&file, "t.tarn.yaml");
        assert!(findings.is_empty());
    }

    #[test]
    fn quiet_when_step_name_gives_no_signal() {
        // Non-CRUD step name → heuristic returns None → no fire.
        let file = parse(
            r#"
name: opaque-name
steps:
  - name: poke endpoint
    request:
      method: GET
      url: "http://example.com/health"
    assert:
      status: "2xx"
"#,
        );
        let findings = lint(&file, "t.tarn.yaml");
        assert!(findings.is_empty(), "got {:?}", findings);
    }
}