tarn 0.11.4

CLI-first API testing tool
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121

//! TL004 — mutation step has no status assertion.
//!
//! Reads often have only body assertions and that's fine. Mutations
//! (POST / PUT / PATCH / DELETE), though, should always pin an
//! expected status. Without one, a 500 that *happens to* return a
//! body that satisfies the body assertions (or an empty body, when
//! there are none) can look like a passing test.
//!
//! The rule only fires when the step has an `assert:` block. A step
//! with no assertions at all is a separate concern (we don't want to
//! demand status assertions on pure-smoke "did this not explode?"
//! steps that use only runtime checks).

use crate::lint::{finding_from_step, walk_steps, Finding, Severity};
use crate::model::TestFile;

pub fn lint(file: &TestFile, path: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (step_path, step) in walk_steps(file, path) {
        let method = step.request.method.to_ascii_uppercase();
        let is_mutation = matches!(method.as_str(), "POST" | "PUT" | "PATCH" | "DELETE");
        if !is_mutation {
            continue;
        }
        let Some(assertion) = &step.assertions else {
            continue;
        };
        if assertion.status.is_some() {
            continue;
        }
        findings.push(finding_from_step(
            "TL004",
            Severity::Warning,
            path,
            Some(step_path.clone()),
            step,
            format!(
                "{method} step `{}` has an `assert:` block but no `status:` assertion.",
                step.name
            ),
            Some(
                "Mutations should assert an explicit status (e.g. 201 or 200). Without it, a 500 can look like a test pass if body assertions happen to be vacuous.".to_string(),
            ),
        ));
    }
    findings
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::parser::parse_str;
    use std::path::Path;

    fn parse(source: &str) -> TestFile {
        parse_str(source, Path::new("t.tarn.yaml")).expect("parse")
    }

    #[test]
    fn fires_on_post_without_status_assertion() {
        let file = parse(
            r#"
name: no-status
steps:
  - name: create user
    request:
      method: POST
      url: "http://example.com/users"
      body: { name: x }
    assert:
      body:
        "$.name": "x"
"#,
        );
        let findings = lint(&file, "t.tarn.yaml");
        assert_eq!(findings.len(), 1);
        assert_eq!(findings[0].rule_id, "TL004");
    }

    #[test]
    fn quiet_when_get_has_no_status_assertion() {
        // Reads without status assertions are a normal pattern —
        // don't flag them.
        let file = parse(
            r#"
name: read-only
steps:
  - name: get users
    request:
      method: GET
      url: "http://example.com/users"
    assert:
      body:
        "$": { length_gte: 0 }
"#,
        );
        let findings = lint(&file, "t.tarn.yaml");
        assert!(findings.is_empty());
    }

    #[test]
    fn quiet_when_post_has_status_assertion() {
        let file = parse(
            r#"
name: fine
steps:
  - name: create user
    request:
      method: POST
      url: "http://example.com/users"
      body: { name: x }
    assert:
      status: 201
      body:
        "$.name": "x"
"#,
        );
        let findings = lint(&file, "t.tarn.yaml");
        assert!(findings.is_empty());
    }
}