mockforge_bench/conformance/
spec_driven.rs

1//! Spec-driven conformance testing
2//!
3//! Analyzes the user's OpenAPI spec to determine which features their API uses,
4//! then generates k6 conformance tests against their real endpoints.
5
6use super::generator::ConformanceConfig;
7use super::schema_validator::SchemaValidatorGenerator;
8use super::spec::ConformanceFeature;
9use crate::error::Result;
10use crate::request_gen::RequestGenerator;
11use crate::spec_parser::ApiOperation;
12use openapiv3::{
13    OpenAPI, Operation, Parameter, ParameterSchemaOrContent, ReferenceOr, RequestBody, Response,
14    Schema, SchemaKind, SecurityScheme, StringFormat, Type, VariantOrUnknownOrEmpty,
15};
16use std::collections::HashSet;
17
18/// Resolve `$ref` references against the OpenAPI components
19mod ref_resolver {
20    use super::*;
21
22    pub fn resolve_parameter<'a>(
23        param_ref: &'a ReferenceOr<Parameter>,
24        spec: &'a OpenAPI,
25    ) -> Option<&'a Parameter> {
26        match param_ref {
27            ReferenceOr::Item(param) => Some(param),
28            ReferenceOr::Reference { reference } => {
29                let name = reference.strip_prefix("#/components/parameters/")?;
30                let components = spec.components.as_ref()?;
31                match components.parameters.get(name)? {
32                    ReferenceOr::Item(param) => Some(param),
33                    ReferenceOr::Reference {
34                        reference: inner_ref,
35                    } => {
36                        // One level of recursive resolution
37                        let inner_name = inner_ref.strip_prefix("#/components/parameters/")?;
38                        match components.parameters.get(inner_name)? {
39                            ReferenceOr::Item(param) => Some(param),
40                            ReferenceOr::Reference { .. } => None,
41                        }
42                    }
43                }
44            }
45        }
46    }
47
48    pub fn resolve_request_body<'a>(
49        body_ref: &'a ReferenceOr<RequestBody>,
50        spec: &'a OpenAPI,
51    ) -> Option<&'a RequestBody> {
52        match body_ref {
53            ReferenceOr::Item(body) => Some(body),
54            ReferenceOr::Reference { reference } => {
55                let name = reference.strip_prefix("#/components/requestBodies/")?;
56                let components = spec.components.as_ref()?;
57                match components.request_bodies.get(name)? {
58                    ReferenceOr::Item(body) => Some(body),
59                    ReferenceOr::Reference {
60                        reference: inner_ref,
61                    } => {
62                        // One level of recursive resolution
63                        let inner_name = inner_ref.strip_prefix("#/components/requestBodies/")?;
64                        match components.request_bodies.get(inner_name)? {
65                            ReferenceOr::Item(body) => Some(body),
66                            ReferenceOr::Reference { .. } => None,
67                        }
68                    }
69                }
70            }
71        }
72    }
73
74    pub fn resolve_schema<'a>(
75        schema_ref: &'a ReferenceOr<Schema>,
76        spec: &'a OpenAPI,
77    ) -> Option<&'a Schema> {
78        resolve_schema_with_visited(schema_ref, spec, &mut HashSet::new())
79    }
80
81    fn resolve_schema_with_visited<'a>(
82        schema_ref: &'a ReferenceOr<Schema>,
83        spec: &'a OpenAPI,
84        visited: &mut HashSet<String>,
85    ) -> Option<&'a Schema> {
86        match schema_ref {
87            ReferenceOr::Item(schema) => Some(schema),
88            ReferenceOr::Reference { reference } => {
89                if !visited.insert(reference.clone()) {
90                    return None; // Cycle detected
91                }
92                let name = reference.strip_prefix("#/components/schemas/")?;
93                let components = spec.components.as_ref()?;
94                let nested = components.schemas.get(name)?;
95                resolve_schema_with_visited(nested, spec, visited)
96            }
97        }
98    }
99
100    /// Resolve a boxed schema reference (used by array items and object properties)
101    pub fn resolve_boxed_schema<'a>(
102        schema_ref: &'a ReferenceOr<Box<Schema>>,
103        spec: &'a OpenAPI,
104    ) -> Option<&'a Schema> {
105        match schema_ref {
106            ReferenceOr::Item(schema) => Some(schema.as_ref()),
107            ReferenceOr::Reference { reference } => {
108                // Delegate to the regular schema resolver
109                let name = reference.strip_prefix("#/components/schemas/")?;
110                let components = spec.components.as_ref()?;
111                let nested = components.schemas.get(name)?;
112                resolve_schema_with_visited(nested, spec, &mut HashSet::new())
113            }
114        }
115    }
116
117    pub fn resolve_response<'a>(
118        resp_ref: &'a ReferenceOr<Response>,
119        spec: &'a OpenAPI,
120    ) -> Option<&'a Response> {
121        match resp_ref {
122            ReferenceOr::Item(resp) => Some(resp),
123            ReferenceOr::Reference { reference } => {
124                let name = reference.strip_prefix("#/components/responses/")?;
125                let components = spec.components.as_ref()?;
126                match components.responses.get(name)? {
127                    ReferenceOr::Item(resp) => Some(resp),
128                    ReferenceOr::Reference {
129                        reference: inner_ref,
130                    } => {
131                        // One level of recursive resolution
132                        let inner_name = inner_ref.strip_prefix("#/components/responses/")?;
133                        match components.responses.get(inner_name)? {
134                            ReferenceOr::Item(resp) => Some(resp),
135                            ReferenceOr::Reference { .. } => None,
136                        }
137                    }
138                }
139            }
140        }
141    }
142}
143
144/// Resolved security scheme details for an operation
145#[derive(Debug, Clone)]
146pub enum SecuritySchemeInfo {
147    /// HTTP Bearer token
148    Bearer,
149    /// HTTP Basic auth
150    Basic,
151    /// API Key in header, query, or cookie
152    ApiKey {
153        location: ApiKeyLocation,
154        name: String,
155    },
156}
157
158/// Where an API key is transmitted
159#[derive(Debug, Clone, PartialEq)]
160pub enum ApiKeyLocation {
161    Header,
162    Query,
163    Cookie,
164}
165
166/// An API operation annotated with the conformance features it exercises
167#[derive(Debug, Clone)]
168pub struct AnnotatedOperation {
169    pub path: String,
170    pub method: String,
171    pub features: Vec<ConformanceFeature>,
172    pub request_body_content_type: Option<String>,
173    pub sample_body: Option<String>,
174    pub query_params: Vec<(String, String)>,
175    pub header_params: Vec<(String, String)>,
176    pub path_params: Vec<(String, String)>,
177    /// Response schema for validation (JSON string of the schema)
178    pub response_schema: Option<Schema>,
179    /// Security scheme details resolved from the OpenAPI spec
180    pub security_schemes: Vec<SecuritySchemeInfo>,
181}
182
183/// Generates spec-driven conformance k6 scripts
184pub struct SpecDrivenConformanceGenerator {
185    config: ConformanceConfig,
186    operations: Vec<AnnotatedOperation>,
187}
188
189impl SpecDrivenConformanceGenerator {
190    pub fn new(config: ConformanceConfig, operations: Vec<AnnotatedOperation>) -> Self {
191        Self { config, operations }
192    }
193
194    /// Annotate a list of API operations with conformance features
195    pub fn annotate_operations(
196        operations: &[ApiOperation],
197        spec: &OpenAPI,
198    ) -> Vec<AnnotatedOperation> {
199        operations.iter().map(|op| Self::annotate_operation(op, spec)).collect()
200    }
201
202    /// Analyze an operation and determine which conformance features it exercises
203    fn annotate_operation(op: &ApiOperation, spec: &OpenAPI) -> AnnotatedOperation {
204        let mut features = Vec::new();
205        let mut query_params = Vec::new();
206        let mut header_params = Vec::new();
207        let mut path_params = Vec::new();
208
209        // Detect HTTP method feature
210        match op.method.to_uppercase().as_str() {
211            "GET" => features.push(ConformanceFeature::MethodGet),
212            "POST" => features.push(ConformanceFeature::MethodPost),
213            "PUT" => features.push(ConformanceFeature::MethodPut),
214            "PATCH" => features.push(ConformanceFeature::MethodPatch),
215            "DELETE" => features.push(ConformanceFeature::MethodDelete),
216            "HEAD" => features.push(ConformanceFeature::MethodHead),
217            "OPTIONS" => features.push(ConformanceFeature::MethodOptions),
218            _ => {}
219        }
220
221        // Detect parameter features (resolves $ref)
222        for param_ref in &op.operation.parameters {
223            if let Some(param) = ref_resolver::resolve_parameter(param_ref, spec) {
224                Self::annotate_parameter(
225                    param,
226                    spec,
227                    &mut features,
228                    &mut query_params,
229                    &mut header_params,
230                    &mut path_params,
231                );
232            }
233        }
234
235        // Detect path parameters from the path template itself
236        for segment in op.path.split('/') {
237            if segment.starts_with('{') && segment.ends_with('}') {
238                let name = &segment[1..segment.len() - 1];
239                // Only add if not already found from parameters
240                if !path_params.iter().any(|(n, _)| n == name) {
241                    path_params.push((name.to_string(), "test-value".to_string()));
242                    // Determine type from path params we didn't already handle
243                    if !features.contains(&ConformanceFeature::PathParamString)
244                        && !features.contains(&ConformanceFeature::PathParamInteger)
245                    {
246                        features.push(ConformanceFeature::PathParamString);
247                    }
248                }
249            }
250        }
251
252        // Detect request body features (resolves $ref)
253        let mut request_body_content_type = None;
254        let mut sample_body = None;
255
256        let resolved_body = op
257            .operation
258            .request_body
259            .as_ref()
260            .and_then(|b| ref_resolver::resolve_request_body(b, spec));
261
262        if let Some(body) = resolved_body {
263            for (content_type, _media) in &body.content {
264                match content_type.as_str() {
265                    "application/json" => {
266                        features.push(ConformanceFeature::BodyJson);
267                        request_body_content_type = Some("application/json".to_string());
268                        // Generate sample body from schema
269                        if let Ok(template) = RequestGenerator::generate_template(op) {
270                            if let Some(body_val) = &template.body {
271                                sample_body = Some(body_val.to_string());
272                            }
273                        }
274                    }
275                    "application/x-www-form-urlencoded" => {
276                        features.push(ConformanceFeature::BodyFormUrlencoded);
277                        request_body_content_type =
278                            Some("application/x-www-form-urlencoded".to_string());
279                    }
280                    "multipart/form-data" => {
281                        features.push(ConformanceFeature::BodyMultipart);
282                        request_body_content_type = Some("multipart/form-data".to_string());
283                    }
284                    _ => {}
285                }
286            }
287
288            // Detect schema features in request body (resolves $ref in schema)
289            if let Some(media) = body.content.get("application/json") {
290                if let Some(schema_ref) = &media.schema {
291                    if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
292                        Self::annotate_schema(schema, spec, &mut features);
293                    }
294                }
295            }
296        }
297
298        // Detect response code features
299        Self::annotate_responses(&op.operation, spec, &mut features);
300
301        // Extract response schema for validation (resolves $ref)
302        let response_schema = Self::extract_response_schema(&op.operation, spec);
303        if response_schema.is_some() {
304            features.push(ConformanceFeature::ResponseValidation);
305        }
306
307        // Detect content negotiation (response with multiple content types)
308        Self::annotate_content_negotiation(&op.operation, spec, &mut features);
309
310        // Detect security features and resolve scheme details
311        let mut security_schemes = Vec::new();
312        Self::annotate_security(&op.operation, spec, &mut features, &mut security_schemes);
313
314        // Deduplicate features
315        features.sort_by_key(|f| f.check_name());
316        features.dedup_by_key(|f| f.check_name());
317
318        AnnotatedOperation {
319            path: op.path.clone(),
320            method: op.method.to_uppercase(),
321            features,
322            request_body_content_type,
323            sample_body,
324            query_params,
325            header_params,
326            path_params,
327            response_schema,
328            security_schemes,
329        }
330    }
331
332    /// Annotate parameter features
333    fn annotate_parameter(
334        param: &Parameter,
335        spec: &OpenAPI,
336        features: &mut Vec<ConformanceFeature>,
337        query_params: &mut Vec<(String, String)>,
338        header_params: &mut Vec<(String, String)>,
339        path_params: &mut Vec<(String, String)>,
340    ) {
341        let (location, data) = match param {
342            Parameter::Query { parameter_data, .. } => ("query", parameter_data),
343            Parameter::Path { parameter_data, .. } => ("path", parameter_data),
344            Parameter::Header { parameter_data, .. } => ("header", parameter_data),
345            Parameter::Cookie { .. } => {
346                features.push(ConformanceFeature::CookieParam);
347                return;
348            }
349        };
350
351        // Detect type from schema
352        let is_integer = Self::param_schema_is_integer(data, spec);
353        let is_array = Self::param_schema_is_array(data, spec);
354
355        // Generate sample value
356        let sample = if is_integer {
357            "42".to_string()
358        } else if is_array {
359            "a,b".to_string()
360        } else {
361            "test-value".to_string()
362        };
363
364        match location {
365            "path" => {
366                if is_integer {
367                    features.push(ConformanceFeature::PathParamInteger);
368                } else {
369                    features.push(ConformanceFeature::PathParamString);
370                }
371                path_params.push((data.name.clone(), sample));
372            }
373            "query" => {
374                if is_array {
375                    features.push(ConformanceFeature::QueryParamArray);
376                } else if is_integer {
377                    features.push(ConformanceFeature::QueryParamInteger);
378                } else {
379                    features.push(ConformanceFeature::QueryParamString);
380                }
381                query_params.push((data.name.clone(), sample));
382            }
383            "header" => {
384                features.push(ConformanceFeature::HeaderParam);
385                header_params.push((data.name.clone(), sample));
386            }
387            _ => {}
388        }
389
390        // Check for constraint features on the parameter (resolves $ref)
391        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
392            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
393                Self::annotate_schema(schema, spec, features);
394            }
395        }
396
397        // Required/optional
398        if data.required {
399            features.push(ConformanceFeature::ConstraintRequired);
400        } else {
401            features.push(ConformanceFeature::ConstraintOptional);
402        }
403    }
404
405    fn param_schema_is_integer(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
406        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
407            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
408                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Integer(_)));
409            }
410        }
411        false
412    }
413
414    fn param_schema_is_array(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
415        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
416            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
417                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Array(_)));
418            }
419        }
420        false
421    }
422
423    /// Annotate schema-level features (types, composition, formats, constraints)
424    fn annotate_schema(schema: &Schema, spec: &OpenAPI, features: &mut Vec<ConformanceFeature>) {
425        match &schema.schema_kind {
426            SchemaKind::Type(Type::String(s)) => {
427                features.push(ConformanceFeature::SchemaString);
428                // Check format
429                match &s.format {
430                    VariantOrUnknownOrEmpty::Item(StringFormat::Date) => {
431                        features.push(ConformanceFeature::FormatDate);
432                    }
433                    VariantOrUnknownOrEmpty::Item(StringFormat::DateTime) => {
434                        features.push(ConformanceFeature::FormatDateTime);
435                    }
436                    VariantOrUnknownOrEmpty::Unknown(fmt) => match fmt.as_str() {
437                        "email" => features.push(ConformanceFeature::FormatEmail),
438                        "uuid" => features.push(ConformanceFeature::FormatUuid),
439                        "uri" | "url" => features.push(ConformanceFeature::FormatUri),
440                        "ipv4" => features.push(ConformanceFeature::FormatIpv4),
441                        "ipv6" => features.push(ConformanceFeature::FormatIpv6),
442                        _ => {}
443                    },
444                    _ => {}
445                }
446                // Check constraints
447                if s.pattern.is_some() {
448                    features.push(ConformanceFeature::ConstraintPattern);
449                }
450                if !s.enumeration.is_empty() {
451                    features.push(ConformanceFeature::ConstraintEnum);
452                }
453                if s.min_length.is_some() || s.max_length.is_some() {
454                    features.push(ConformanceFeature::ConstraintMinMax);
455                }
456            }
457            SchemaKind::Type(Type::Integer(i)) => {
458                features.push(ConformanceFeature::SchemaInteger);
459                if i.minimum.is_some() || i.maximum.is_some() {
460                    features.push(ConformanceFeature::ConstraintMinMax);
461                }
462                if !i.enumeration.is_empty() {
463                    features.push(ConformanceFeature::ConstraintEnum);
464                }
465            }
466            SchemaKind::Type(Type::Number(n)) => {
467                features.push(ConformanceFeature::SchemaNumber);
468                if n.minimum.is_some() || n.maximum.is_some() {
469                    features.push(ConformanceFeature::ConstraintMinMax);
470                }
471            }
472            SchemaKind::Type(Type::Boolean(_)) => {
473                features.push(ConformanceFeature::SchemaBoolean);
474            }
475            SchemaKind::Type(Type::Array(arr)) => {
476                features.push(ConformanceFeature::SchemaArray);
477                if let Some(item_ref) = &arr.items {
478                    if let Some(item_schema) = ref_resolver::resolve_boxed_schema(item_ref, spec) {
479                        Self::annotate_schema(item_schema, spec, features);
480                    }
481                }
482            }
483            SchemaKind::Type(Type::Object(obj)) => {
484                features.push(ConformanceFeature::SchemaObject);
485                // Check required fields
486                if !obj.required.is_empty() {
487                    features.push(ConformanceFeature::ConstraintRequired);
488                }
489                // Walk properties (resolves $ref)
490                for (_name, prop_ref) in &obj.properties {
491                    if let Some(prop_schema) = ref_resolver::resolve_boxed_schema(prop_ref, spec) {
492                        Self::annotate_schema(prop_schema, spec, features);
493                    }
494                }
495            }
496            SchemaKind::OneOf { .. } => {
497                features.push(ConformanceFeature::CompositionOneOf);
498            }
499            SchemaKind::AnyOf { .. } => {
500                features.push(ConformanceFeature::CompositionAnyOf);
501            }
502            SchemaKind::AllOf { .. } => {
503                features.push(ConformanceFeature::CompositionAllOf);
504            }
505            _ => {}
506        }
507    }
508
509    /// Detect response code features (resolves $ref in responses)
510    fn annotate_responses(
511        operation: &Operation,
512        spec: &OpenAPI,
513        features: &mut Vec<ConformanceFeature>,
514    ) {
515        for (status_code, resp_ref) in &operation.responses.responses {
516            // Only count features for responses that actually resolve
517            if ref_resolver::resolve_response(resp_ref, spec).is_some() {
518                match status_code {
519                    openapiv3::StatusCode::Code(200) => {
520                        features.push(ConformanceFeature::Response200)
521                    }
522                    openapiv3::StatusCode::Code(201) => {
523                        features.push(ConformanceFeature::Response201)
524                    }
525                    openapiv3::StatusCode::Code(204) => {
526                        features.push(ConformanceFeature::Response204)
527                    }
528                    openapiv3::StatusCode::Code(400) => {
529                        features.push(ConformanceFeature::Response400)
530                    }
531                    openapiv3::StatusCode::Code(404) => {
532                        features.push(ConformanceFeature::Response404)
533                    }
534                    _ => {}
535                }
536            }
537        }
538    }
539
540    /// Extract the response schema for the primary success response (200 or 201)
541    /// Resolves $ref for both the response and the schema within it.
542    fn extract_response_schema(operation: &Operation, spec: &OpenAPI) -> Option<Schema> {
543        // Try 200 first, then 201
544        for code in [200u16, 201] {
545            if let Some(resp_ref) =
546                operation.responses.responses.get(&openapiv3::StatusCode::Code(code))
547            {
548                if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
549                    if let Some(media) = response.content.get("application/json") {
550                        if let Some(schema_ref) = &media.schema {
551                            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
552                                return Some(schema.clone());
553                            }
554                        }
555                    }
556                }
557            }
558        }
559        None
560    }
561
562    /// Detect content negotiation: response supports multiple content types
563    fn annotate_content_negotiation(
564        operation: &Operation,
565        spec: &OpenAPI,
566        features: &mut Vec<ConformanceFeature>,
567    ) {
568        for (_status_code, resp_ref) in &operation.responses.responses {
569            if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
570                if response.content.len() > 1 {
571                    features.push(ConformanceFeature::ContentNegotiation);
572                    return; // Only need to detect once per operation
573                }
574            }
575        }
576    }
577
578    /// Detect security scheme features.
579    /// Checks operation-level security first, falling back to global security requirements.
580    /// Resolves scheme names against SecurityScheme definitions in components.
581    fn annotate_security(
582        operation: &Operation,
583        spec: &OpenAPI,
584        features: &mut Vec<ConformanceFeature>,
585        security_schemes: &mut Vec<SecuritySchemeInfo>,
586    ) {
587        // Use operation-level security if present, otherwise fall back to global
588        let security_reqs = operation.security.as_ref().or(spec.security.as_ref());
589
590        if let Some(security) = security_reqs {
591            for security_req in security {
592                for scheme_name in security_req.keys() {
593                    // Try to resolve the scheme from components for accurate type detection
594                    if let Some(resolved) = Self::resolve_security_scheme(scheme_name, spec) {
595                        match resolved {
596                            SecurityScheme::HTTP { ref scheme, .. } => {
597                                if scheme.eq_ignore_ascii_case("bearer") {
598                                    features.push(ConformanceFeature::SecurityBearer);
599                                    security_schemes.push(SecuritySchemeInfo::Bearer);
600                                } else if scheme.eq_ignore_ascii_case("basic") {
601                                    features.push(ConformanceFeature::SecurityBasic);
602                                    security_schemes.push(SecuritySchemeInfo::Basic);
603                                }
604                            }
605                            SecurityScheme::APIKey { location, name, .. } => {
606                                features.push(ConformanceFeature::SecurityApiKey);
607                                let loc = match location {
608                                    openapiv3::APIKeyLocation::Query => ApiKeyLocation::Query,
609                                    openapiv3::APIKeyLocation::Header => ApiKeyLocation::Header,
610                                    openapiv3::APIKeyLocation::Cookie => ApiKeyLocation::Cookie,
611                                };
612                                security_schemes.push(SecuritySchemeInfo::ApiKey {
613                                    location: loc,
614                                    name: name.clone(),
615                                });
616                            }
617                            // OAuth2 and OpenIDConnect don't map to our current feature set
618                            _ => {}
619                        }
620                    } else {
621                        // Fallback: heuristic name matching for unresolvable schemes
622                        let name_lower = scheme_name.to_lowercase();
623                        if name_lower.contains("bearer") || name_lower.contains("jwt") {
624                            features.push(ConformanceFeature::SecurityBearer);
625                            security_schemes.push(SecuritySchemeInfo::Bearer);
626                        } else if name_lower.contains("api") && name_lower.contains("key") {
627                            features.push(ConformanceFeature::SecurityApiKey);
628                            security_schemes.push(SecuritySchemeInfo::ApiKey {
629                                location: ApiKeyLocation::Header,
630                                name: "X-API-Key".to_string(),
631                            });
632                        } else if name_lower.contains("basic") {
633                            features.push(ConformanceFeature::SecurityBasic);
634                            security_schemes.push(SecuritySchemeInfo::Basic);
635                        }
636                    }
637                }
638            }
639        }
640    }
641
642    /// Resolve a security scheme name to its SecurityScheme definition
643    fn resolve_security_scheme<'a>(name: &str, spec: &'a OpenAPI) -> Option<&'a SecurityScheme> {
644        let components = spec.components.as_ref()?;
645        match components.security_schemes.get(name)? {
646            ReferenceOr::Item(scheme) => Some(scheme),
647            ReferenceOr::Reference { .. } => None,
648        }
649    }
650
651    /// Returns the number of operations being tested
652    pub fn operation_count(&self) -> usize {
653        self.operations.len()
654    }
655
656    /// Generate the k6 conformance script.
657    /// Returns (script, check_count) where check_count is the number of unique checks emitted.
658    pub fn generate(&self) -> Result<(String, usize)> {
659        let mut script = String::with_capacity(16384);
660
661        // Imports
662        script.push_str("import http from 'k6/http';\n");
663        script.push_str("import { check, group } from 'k6';\n");
664        if self.config.request_delay_ms > 0 {
665            script.push_str("import { sleep } from 'k6';\n");
666        }
667        script.push('\n');
668
669        // Tell k6 that all HTTP status codes are "expected" in conformance mode.
670        // Without this, k6 counts 4xx responses (e.g. intentional 404 tests) as
671        // http_req_failed errors, producing a misleading error rate percentage.
672        script.push_str(
673            "http.setResponseCallback(http.expectedStatuses({ min: 100, max: 599 }));\n\n",
674        );
675
676        // Options
677        script.push_str("export const options = {\n");
678        script.push_str("  vus: 1,\n");
679        script.push_str("  iterations: 1,\n");
680        if self.config.skip_tls_verify {
681            script.push_str("  insecureSkipTLSVerify: true,\n");
682        }
683        script.push_str("  thresholds: {\n");
684        script.push_str("    checks: ['rate>0'],\n");
685        script.push_str("  },\n");
686        script.push_str("};\n\n");
687
688        // Base URL (includes base_path if configured)
689        script.push_str(&format!("const BASE_URL = '{}';\n\n", self.config.effective_base_url()));
690        script.push_str("const JSON_HEADERS = { 'Content-Type': 'application/json' };\n\n");
691
692        // Failure detail collector — logs req/res info for failed checks via console.log
693        // (k6's handleSummary runs in a separate JS context, so we can't use module-level arrays)
694        script
695            .push_str("function __captureFailure(checkName, res, expected, schemaViolations) {\n");
696        script.push_str("  let bodyStr = '';\n");
697        script.push_str("  try { bodyStr = res.body ? res.body.substring(0, 2000) : ''; } catch(e) { bodyStr = '<unreadable>'; }\n");
698        script.push_str("  let reqHeaders = {};\n");
699        script.push_str(
700            "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
701        );
702        script.push_str("  let reqBody = '';\n");
703        script.push_str("  if (res.request && res.request.body) { try { reqBody = res.request.body.substring(0, 2000); } catch(e) {} }\n");
704        script.push_str("  let payload = {\n");
705        script.push_str("    check: checkName,\n");
706        script.push_str("    request: {\n");
707        script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
708        script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
709        script.push_str("      headers: reqHeaders,\n");
710        script.push_str("      body: reqBody,\n");
711        script.push_str("    },\n");
712        script.push_str("    response: {\n");
713        script.push_str("      status: res.status,\n");
714        script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 20)) : {},\n");
715        script.push_str("      body: bodyStr,\n");
716        script.push_str("    },\n");
717        script.push_str("    expected: expected,\n");
718        script.push_str("  };\n");
719        script.push_str("  if (schemaViolations && schemaViolations.length > 0) { payload.schema_violations = schemaViolations; }\n");
720        script.push_str("  console.log('MOCKFORGE_FAILURE:' + JSON.stringify(payload));\n");
721        script.push_str("}\n\n");
722
723        // Request/response capture for --export-requests
724        if self.config.export_requests {
725            script.push_str("function __captureExchange(checkName, res) {\n");
726            script.push_str("  let bodyStr = '';\n");
727            script.push_str("  try { bodyStr = res.body ? res.body.substring(0, 2000) : ''; } catch(e) { bodyStr = '<unreadable>'; }\n");
728            script.push_str("  let reqHeaders = {};\n");
729            script.push_str(
730                "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
731            );
732            script.push_str("  let reqBody = '';\n");
733            script.push_str("  if (res.request && res.request.body) { try { reqBody = res.request.body.substring(0, 2000); } catch(e) {} }\n");
734            script.push_str("  console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
735            script.push_str("    check: checkName,\n");
736            script.push_str("    request: {\n");
737            script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
738            script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
739            script.push_str("      headers: reqHeaders,\n");
740            script.push_str("      body: reqBody,\n");
741            script.push_str("    },\n");
742            script.push_str("    response: {\n");
743            script.push_str("      status: res.status,\n");
744            script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 30)) : {},\n");
745            script.push_str("      body: bodyStr,\n");
746            script.push_str("    },\n");
747            script.push_str("  }));\n");
748            script.push_str("}\n\n");
749        }
750
751        // Default function
752        script.push_str("export default function () {\n");
753
754        if self.config.has_cookie_header() {
755            script.push_str(
756                "  // Clear cookie jar to prevent server Set-Cookie from duplicating custom Cookie header\n",
757            );
758            script.push_str("  http.cookieJar().clear(BASE_URL);\n\n");
759        }
760
761        // Group operations by category
762        let mut category_ops: std::collections::BTreeMap<
763            &'static str,
764            Vec<(&AnnotatedOperation, &ConformanceFeature)>,
765        > = std::collections::BTreeMap::new();
766
767        for op in &self.operations {
768            for feature in &op.features {
769                let category = feature.category();
770                if self.config.should_include_category(category) {
771                    category_ops.entry(category).or_default().push((op, feature));
772                }
773            }
774        }
775
776        // Emit grouped tests
777        let mut total_checks = 0usize;
778        for (category, ops) in &category_ops {
779            script.push_str(&format!("  group('{}', function () {{\n", category));
780
781            if self.config.all_operations {
782                // All-operations mode: test every operation, using path-qualified check names
783                let mut emitted_checks: HashSet<String> = HashSet::new();
784                for (op, feature) in ops {
785                    let qualified = format!("{}:{}", feature.check_name(), op.path);
786                    if emitted_checks.insert(qualified.clone()) {
787                        self.emit_check_named(&mut script, op, feature, &qualified);
788                        total_checks += 1;
789                    }
790                }
791            } else {
792                // Default: one representative operation per feature, with path-qualified
793                // check names so failures identify which endpoint was tested.
794                let mut emitted_features: HashSet<&str> = HashSet::new();
795                for (op, feature) in ops {
796                    if emitted_features.insert(feature.check_name()) {
797                        let qualified = format!("{}:{}", feature.check_name(), op.path);
798                        self.emit_check_named(&mut script, op, feature, &qualified);
799                        total_checks += 1;
800                    }
801                }
802            }
803
804            script.push_str("  });\n\n");
805        }
806
807        // Custom checks from YAML file
808        if let Some(custom_group) = self.config.generate_custom_group()? {
809            script.push_str(&custom_group);
810        }
811
812        script.push_str("}\n\n");
813
814        // handleSummary
815        self.generate_handle_summary(&mut script);
816
817        Ok((script, total_checks))
818    }
819
820    /// Emit a single k6 check for an operation + feature with a custom check name
821    fn emit_check_named(
822        &self,
823        script: &mut String,
824        op: &AnnotatedOperation,
825        feature: &ConformanceFeature,
826        check_name: &str,
827    ) {
828        // Escape single quotes in check name since it's embedded in JS single-quoted strings
829        let check_name = check_name.replace('\'', "\\'");
830        let check_name = check_name.as_str();
831
832        script.push_str("    {\n");
833
834        // Build the URL path with parameters substituted
835        let mut url_path = op.path.clone();
836        for (name, value) in &op.path_params {
837            url_path = url_path.replace(&format!("{{{}}}", name), value);
838        }
839
840        // Build query string
841        if !op.query_params.is_empty() {
842            let qs: Vec<String> =
843                op.query_params.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
844            url_path = format!("{}?{}", url_path, qs.join("&"));
845        }
846
847        let full_url = format!("${{BASE_URL}}{}", url_path);
848
849        // Build effective headers: merge spec-derived headers with custom headers.
850        // Custom headers override spec-derived ones with the same name.
851        let mut effective_headers = self.effective_headers(&op.header_params);
852
853        // For non-default response code checks, add header to tell the mock server
854        // which status code to return (the server defaults to the first declared status)
855        if matches!(feature, ConformanceFeature::Response400 | ConformanceFeature::Response404) {
856            let expected_code = match feature {
857                ConformanceFeature::Response400 => "400",
858                ConformanceFeature::Response404 => "404",
859                _ => unreachable!(),
860            };
861            effective_headers
862                .push(("X-Mockforge-Response-Status".to_string(), expected_code.to_string()));
863        }
864
865        // For security checks AND for all requests on endpoints with security requirements,
866        // inject auth credentials so the server doesn't reject with 401.
867        // Only inject if the user hasn't already provided the header via --custom-headers.
868        let needs_auth = matches!(
869            feature,
870            ConformanceFeature::SecurityBearer
871                | ConformanceFeature::SecurityBasic
872                | ConformanceFeature::SecurityApiKey
873        ) || !op.security_schemes.is_empty();
874
875        if needs_auth {
876            self.inject_security_headers(&op.security_schemes, &mut effective_headers);
877        }
878
879        let has_headers = !effective_headers.is_empty();
880        let headers_obj = if has_headers {
881            Self::format_headers(&effective_headers)
882        } else {
883            String::new()
884        };
885
886        // Determine HTTP method and emit request
887        match op.method.as_str() {
888            "GET" => {
889                if has_headers {
890                    script.push_str(&format!(
891                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
892                        full_url, headers_obj
893                    ));
894                } else {
895                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
896                }
897            }
898            "POST" => {
899                self.emit_request_with_body(script, "post", &full_url, op, &effective_headers);
900            }
901            "PUT" => {
902                self.emit_request_with_body(script, "put", &full_url, op, &effective_headers);
903            }
904            "PATCH" => {
905                self.emit_request_with_body(script, "patch", &full_url, op, &effective_headers);
906            }
907            "DELETE" => {
908                if has_headers {
909                    script.push_str(&format!(
910                        "      let res = http.del(`{}`, null, {{ headers: {} }});\n",
911                        full_url, headers_obj
912                    ));
913                } else {
914                    script.push_str(&format!("      let res = http.del(`{}`);\n", full_url));
915                }
916            }
917            "HEAD" => {
918                if has_headers {
919                    script.push_str(&format!(
920                        "      let res = http.head(`{}`, {{ headers: {} }});\n",
921                        full_url, headers_obj
922                    ));
923                } else {
924                    script.push_str(&format!("      let res = http.head(`{}`);\n", full_url));
925                }
926            }
927            "OPTIONS" => {
928                if has_headers {
929                    script.push_str(&format!(
930                        "      let res = http.options(`{}`, null, {{ headers: {} }});\n",
931                        full_url, headers_obj
932                    ));
933                } else {
934                    script.push_str(&format!("      let res = http.options(`{}`);\n", full_url));
935                }
936            }
937            _ => {
938                if has_headers {
939                    script.push_str(&format!(
940                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
941                        full_url, headers_obj
942                    ));
943                } else {
944                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
945                }
946            }
947        }
948
949        // Capture request/response for --export-requests
950        // (check_name is already escaped at line 829 above — don't double-escape)
951        if self.config.export_requests {
952            script.push_str(&format!(
953                "      if (typeof __captureExchange === 'function') __captureExchange('{}', res);\n",
954                check_name
955            ));
956        }
957
958        // Check: emit assertion based on feature type, with failure detail capture
959        if matches!(
960            feature,
961            ConformanceFeature::Response200
962                | ConformanceFeature::Response201
963                | ConformanceFeature::Response204
964                | ConformanceFeature::Response400
965                | ConformanceFeature::Response404
966        ) {
967            let expected_code = match feature {
968                ConformanceFeature::Response200 => 200,
969                ConformanceFeature::Response201 => 201,
970                ConformanceFeature::Response204 => 204,
971                ConformanceFeature::Response400 => 400,
972                ConformanceFeature::Response404 => 404,
973                _ => 200,
974            };
975            script.push_str(&format!(
976                "      {{ let ok = check(res, {{ '{}': (r) => r.status === {} }}); if (!ok) __captureFailure('{}', res, 'status === {}'); }}\n",
977                check_name, expected_code, check_name, expected_code
978            ));
979        } else if matches!(feature, ConformanceFeature::ResponseValidation) {
980            // Response schema validation — validate the response body against the schema
981            // Uses inline field-level error collection so failure details include
982            // which specific fields violated the schema (field_path, violation_type,
983            // expected, actual) — matching the Ajv `errors` array structure.
984            if let Some(schema) = &op.response_schema {
985                let validation_js = SchemaValidatorGenerator::generate_validation(schema);
986                let schema_json = serde_json::to_string(schema).unwrap_or_default();
987                // Escape backticks and backslashes for JS template literal safety
988                let schema_json_escaped = schema_json.replace('\\', "\\\\").replace('`', "\\`");
989                script.push_str(&format!(
990                    concat!(
991                        "      try {{\n",
992                        "        let body = res.json();\n",
993                        "        let ok = check(res, {{ '{check}': (r) => ( {validation} ) }});\n",
994                        "        if (!ok) {{\n",
995                        "          let __violations = [];\n",
996                        "          try {{\n",
997                        "            let __schema = JSON.parse(`{schema}`);\n",
998                        "            function __collectErrors(schema, data, path) {{\n",
999                        "              if (!schema || typeof schema !== 'object') return;\n",
1000                        "              let st = schema.type || (schema.schema_kind && schema.schema_kind.Type && Object.keys(schema.schema_kind.Type)[0]);\n",
1001                        "              if (st) {{ st = st.toLowerCase(); }}\n",
1002                        "              if (st === 'object') {{\n",
1003                        "                if (typeof data !== 'object' || data === null) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'object', actual: typeof data }}); return; }}\n",
1004                        "                let props = schema.properties || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.properties) || {{}};\n",
1005                        "                let req = schema.required || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.required) || [];\n",
1006                        "                for (let f of req) {{ if (!(f in data)) {{ __violations.push({{ field_path: path + '/' + f, violation_type: 'required', expected: 'present', actual: 'missing' }}); }} }}\n",
1007                        "                for (let [k, v] of Object.entries(props)) {{ if (data[k] !== undefined) {{ let ps = v.Item || v; __collectErrors(ps, data[k], path + '/' + k); }} }}\n",
1008                        "              }} else if (st === 'array') {{\n",
1009                        "                if (!Array.isArray(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'array', actual: typeof data }}); return; }}\n",
1010                        "                let items = schema.items || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Array && schema.schema_kind.Type.Array.items);\n",
1011                        "                if (items) {{ let is = items.Item || items; for (let i = 0; i < Math.min(data.length, 5); i++) {{ __collectErrors(is, data[i], path + '/' + i); }} }}\n",
1012                        "              }} else if (st === 'string') {{\n",
1013                        "                if (typeof data !== 'string') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'string', actual: typeof data }}); }}\n",
1014                        "              }} else if (st === 'integer') {{\n",
1015                        "                if (typeof data !== 'number' || !Number.isInteger(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'integer', actual: typeof data }}); }}\n",
1016                        "              }} else if (st === 'number') {{\n",
1017                        "                if (typeof data !== 'number') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'number', actual: typeof data }}); }}\n",
1018                        "              }} else if (st === 'boolean') {{\n",
1019                        "                if (typeof data !== 'boolean') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'boolean', actual: typeof data }}); }}\n",
1020                        "              }}\n",
1021                        "            }}\n",
1022                        "            __collectErrors(__schema, body, '');\n",
1023                        "          }} catch(_e) {{}}\n",
1024                        "          __captureFailure('{check}', res, 'schema validation', __violations);\n",
1025                        "        }}\n",
1026                        "      }} catch(e) {{ check(res, {{ '{check}': () => false }}); __captureFailure('{check}', res, 'JSON parse failed: ' + e.message); }}\n",
1027                    ),
1028                    check = check_name,
1029                    validation = validation_js,
1030                    schema = schema_json_escaped,
1031                ));
1032            }
1033        } else if matches!(
1034            feature,
1035            ConformanceFeature::SecurityBearer
1036                | ConformanceFeature::SecurityBasic
1037                | ConformanceFeature::SecurityApiKey
1038        ) {
1039            // Security checks verify the server accepts the auth credentials (not 401/403)
1040            script.push_str(&format!(
1041                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 400 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 400 (auth accepted)'); }}\n",
1042                check_name, check_name
1043            ));
1044        } else {
1045            script.push_str(&format!(
1046                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 500 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 500'); }}\n",
1047                check_name, check_name
1048            ));
1049        }
1050
1051        // Clear cookie jar after each request to prevent Set-Cookie leaking
1052        let has_cookie = self.config.has_cookie_header()
1053            || effective_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case("Cookie"));
1054        if has_cookie {
1055            script.push_str("      http.cookieJar().clear(BASE_URL);\n");
1056        }
1057
1058        script.push_str("    }\n");
1059
1060        // Rate-limit delay between checks (to avoid 429 from target API)
1061        if self.config.request_delay_ms > 0 {
1062            script.push_str(&format!(
1063                "    sleep({:.3});\n",
1064                self.config.request_delay_ms as f64 / 1000.0
1065            ));
1066        }
1067    }
1068
1069    /// Emit an HTTP request with a body
1070    fn emit_request_with_body(
1071        &self,
1072        script: &mut String,
1073        method: &str,
1074        url: &str,
1075        op: &AnnotatedOperation,
1076        effective_headers: &[(String, String)],
1077    ) {
1078        if let Some(body) = &op.sample_body {
1079            let escaped_body = body.replace('\'', "\\'");
1080            let headers = if !effective_headers.is_empty() {
1081                format!(
1082                    "Object.assign({{}}, JSON_HEADERS, {})",
1083                    Self::format_headers(effective_headers)
1084                )
1085            } else {
1086                "JSON_HEADERS".to_string()
1087            };
1088            script.push_str(&format!(
1089                "      let res = http.{}(`{}`, '{}', {{ headers: {} }});\n",
1090                method, url, escaped_body, headers
1091            ));
1092        } else if !effective_headers.is_empty() {
1093            script.push_str(&format!(
1094                "      let res = http.{}(`{}`, null, {{ headers: {} }});\n",
1095                method,
1096                url,
1097                Self::format_headers(effective_headers)
1098            ));
1099        } else {
1100            script.push_str(&format!("      let res = http.{}(`{}`, null);\n", method, url));
1101        }
1102    }
1103
1104    /// Build effective headers by merging spec-derived headers with custom headers.
1105    /// Custom headers override spec-derived ones with the same name (case-insensitive).
1106    /// Custom headers not in the spec are appended.
1107    fn effective_headers(&self, spec_headers: &[(String, String)]) -> Vec<(String, String)> {
1108        let custom = &self.config.custom_headers;
1109        if custom.is_empty() {
1110            return spec_headers.to_vec();
1111        }
1112
1113        let mut result: Vec<(String, String)> = Vec::new();
1114
1115        // Start with spec headers, replacing values if a custom header matches
1116        for (name, value) in spec_headers {
1117            if let Some((_, custom_val)) =
1118                custom.iter().find(|(cn, _)| cn.eq_ignore_ascii_case(name))
1119            {
1120                result.push((name.clone(), custom_val.clone()));
1121            } else {
1122                result.push((name.clone(), value.clone()));
1123            }
1124        }
1125
1126        // Append custom headers that aren't already in spec headers
1127        for (name, value) in custom {
1128            if !spec_headers.iter().any(|(sn, _)| sn.eq_ignore_ascii_case(name)) {
1129                result.push((name.clone(), value.clone()));
1130            }
1131        }
1132
1133        result
1134    }
1135
1136    /// Inject security headers based on resolved security scheme details.
1137    /// Respects user-provided custom headers (won't overwrite if already set).
1138    fn inject_security_headers(
1139        &self,
1140        schemes: &[SecuritySchemeInfo],
1141        headers: &mut Vec<(String, String)>,
1142    ) {
1143        let mut to_add: Vec<(String, String)> = Vec::new();
1144
1145        let has_header = |name: &str, headers: &[(String, String)]| {
1146            headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1147                || self.config.custom_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1148        };
1149
1150        // If user provides Cookie header, they're using session-based auth — skip auto auth
1151        let has_cookie_auth = has_header("Cookie", headers);
1152
1153        for scheme in schemes {
1154            match scheme {
1155                SecuritySchemeInfo::Bearer => {
1156                    if !has_cookie_auth && !has_header("Authorization", headers) {
1157                        // MockForge mock server accepts any Bearer token
1158                        to_add.push((
1159                            "Authorization".to_string(),
1160                            "Bearer mockforge-conformance-test-token".to_string(),
1161                        ));
1162                    }
1163                }
1164                SecuritySchemeInfo::Basic => {
1165                    if !has_cookie_auth && !has_header("Authorization", headers) {
1166                        let creds = self.config.basic_auth.as_deref().unwrap_or("test:test");
1167                        use base64::Engine;
1168                        let encoded =
1169                            base64::engine::general_purpose::STANDARD.encode(creds.as_bytes());
1170                        to_add.push(("Authorization".to_string(), format!("Basic {}", encoded)));
1171                    }
1172                }
1173                SecuritySchemeInfo::ApiKey { location, name } => match location {
1174                    ApiKeyLocation::Header => {
1175                        if !has_header(name, headers) {
1176                            let key = self
1177                                .config
1178                                .api_key
1179                                .as_deref()
1180                                .unwrap_or("mockforge-conformance-test-key");
1181                            to_add.push((name.clone(), key.to_string()));
1182                        }
1183                    }
1184                    ApiKeyLocation::Cookie => {
1185                        if !has_header("Cookie", headers) {
1186                            to_add.push((
1187                                "Cookie".to_string(),
1188                                format!("{}=mockforge-conformance-test-session", name),
1189                            ));
1190                        }
1191                    }
1192                    ApiKeyLocation::Query => {
1193                        // Query params are handled via URL, not headers — skip here
1194                    }
1195                },
1196            }
1197        }
1198
1199        headers.extend(to_add);
1200    }
1201
1202    /// Format header params as a JS object literal
1203    fn format_headers(headers: &[(String, String)]) -> String {
1204        let entries: Vec<String> = headers
1205            .iter()
1206            .map(|(k, v)| format!("'{}': '{}'", k, v.replace('\'', "\\'")))
1207            .collect();
1208        format!("{{ {} }}", entries.join(", "))
1209    }
1210
1211    /// handleSummary — same format as reference mode for report compatibility
1212    fn generate_handle_summary(&self, script: &mut String) {
1213        // Use absolute path for report output so k6 writes where the CLI expects
1214        let report_path = match &self.config.output_dir {
1215            Some(dir) => {
1216                let abs = std::fs::canonicalize(dir)
1217                    .unwrap_or_else(|_| dir.clone())
1218                    .join("conformance-report.json");
1219                abs.to_string_lossy().to_string()
1220            }
1221            None => "conformance-report.json".to_string(),
1222        };
1223
1224        script.push_str("export function handleSummary(data) {\n");
1225        script.push_str("  let checks = {};\n");
1226        script.push_str("  if (data.metrics && data.metrics.checks) {\n");
1227        script.push_str("    checks.overall_pass_rate = data.metrics.checks.values.rate;\n");
1228        script.push_str("  }\n");
1229        script.push_str("  let checkResults = {};\n");
1230        script.push_str("  function walkGroups(group) {\n");
1231        script.push_str("    if (group.checks) {\n");
1232        script.push_str("      for (let checkObj of group.checks) {\n");
1233        script.push_str("        checkResults[checkObj.name] = {\n");
1234        script.push_str("          passes: checkObj.passes,\n");
1235        script.push_str("          fails: checkObj.fails,\n");
1236        script.push_str("        };\n");
1237        script.push_str("      }\n");
1238        script.push_str("    }\n");
1239        script.push_str("    if (group.groups) {\n");
1240        script.push_str("      for (let subGroup of group.groups) {\n");
1241        script.push_str("        walkGroups(subGroup);\n");
1242        script.push_str("      }\n");
1243        script.push_str("    }\n");
1244        script.push_str("  }\n");
1245        script.push_str("  if (data.root_group) {\n");
1246        script.push_str("    walkGroups(data.root_group);\n");
1247        script.push_str("  }\n");
1248        script.push_str("  return {\n");
1249        script.push_str(&format!(
1250            "    '{}': JSON.stringify({{ checks: checkResults, overall: checks }}, null, 2),\n",
1251            report_path
1252        ));
1253        script.push_str("    'summary.json': JSON.stringify(data),\n");
1254        script.push_str("    stdout: textSummary(data, { indent: '  ', enableColors: true }),\n");
1255        script.push_str("  };\n");
1256        script.push_str("}\n\n");
1257        script.push_str("function textSummary(data, opts) {\n");
1258        script.push_str("  return JSON.stringify(data, null, 2);\n");
1259        script.push_str("}\n");
1260    }
1261}
1262
1263#[cfg(test)]
1264mod tests {
1265    use super::*;
1266    use openapiv3::{
1267        Operation, ParameterData, ParameterSchemaOrContent, PathStyle, Response, Schema,
1268        SchemaData, SchemaKind, StringType, Type,
1269    };
1270
1271    fn make_op(method: &str, path: &str, operation: Operation) -> ApiOperation {
1272        ApiOperation {
1273            method: method.to_string(),
1274            path: path.to_string(),
1275            operation,
1276            operation_id: None,
1277        }
1278    }
1279
1280    fn empty_spec() -> OpenAPI {
1281        OpenAPI::default()
1282    }
1283
1284    #[test]
1285    fn test_annotate_get_with_path_param() {
1286        let mut op = Operation::default();
1287        op.parameters.push(ReferenceOr::Item(Parameter::Path {
1288            parameter_data: ParameterData {
1289                name: "id".to_string(),
1290                description: None,
1291                required: true,
1292                deprecated: None,
1293                format: ParameterSchemaOrContent::Schema(ReferenceOr::Item(Schema {
1294                    schema_data: SchemaData::default(),
1295                    schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1296                })),
1297                example: None,
1298                examples: Default::default(),
1299                explode: None,
1300                extensions: Default::default(),
1301            },
1302            style: PathStyle::Simple,
1303        }));
1304
1305        let api_op = make_op("get", "/users/{id}", op);
1306        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1307
1308        assert!(annotated.features.contains(&ConformanceFeature::MethodGet));
1309        assert!(annotated.features.contains(&ConformanceFeature::PathParamString));
1310        assert!(annotated.features.contains(&ConformanceFeature::ConstraintRequired));
1311        assert_eq!(annotated.path_params.len(), 1);
1312        assert_eq!(annotated.path_params[0].0, "id");
1313    }
1314
1315    #[test]
1316    fn test_annotate_post_with_json_body() {
1317        let mut op = Operation::default();
1318        let mut body = openapiv3::RequestBody {
1319            required: true,
1320            ..Default::default()
1321        };
1322        body.content
1323            .insert("application/json".to_string(), openapiv3::MediaType::default());
1324        op.request_body = Some(ReferenceOr::Item(body));
1325
1326        let api_op = make_op("post", "/items", op);
1327        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1328
1329        assert!(annotated.features.contains(&ConformanceFeature::MethodPost));
1330        assert!(annotated.features.contains(&ConformanceFeature::BodyJson));
1331    }
1332
1333    #[test]
1334    fn test_annotate_response_codes() {
1335        let mut op = Operation::default();
1336        op.responses
1337            .responses
1338            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(Response::default()));
1339        op.responses
1340            .responses
1341            .insert(openapiv3::StatusCode::Code(404), ReferenceOr::Item(Response::default()));
1342
1343        let api_op = make_op("get", "/items", op);
1344        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1345
1346        assert!(annotated.features.contains(&ConformanceFeature::Response200));
1347        assert!(annotated.features.contains(&ConformanceFeature::Response404));
1348    }
1349
1350    #[test]
1351    fn test_generate_spec_driven_script() {
1352        let config = ConformanceConfig {
1353            target_url: "http://localhost:3000".to_string(),
1354            api_key: None,
1355            basic_auth: None,
1356            skip_tls_verify: false,
1357            categories: None,
1358            base_path: None,
1359            custom_headers: vec![],
1360            output_dir: None,
1361            all_operations: false,
1362            custom_checks_file: None,
1363            request_delay_ms: 0,
1364            custom_filter: None,
1365            export_requests: false,
1366            validate_requests: false,
1367        };
1368
1369        let operations = vec![AnnotatedOperation {
1370            path: "/users/{id}".to_string(),
1371            method: "GET".to_string(),
1372            features: vec![
1373                ConformanceFeature::MethodGet,
1374                ConformanceFeature::PathParamString,
1375            ],
1376            request_body_content_type: None,
1377            sample_body: None,
1378            query_params: vec![],
1379            header_params: vec![],
1380            path_params: vec![("id".to_string(), "test-value".to_string())],
1381            response_schema: None,
1382            security_schemes: vec![],
1383        }];
1384
1385        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1386        let (script, _check_count) = gen.generate().unwrap();
1387
1388        assert!(script.contains("import http from 'k6/http'"));
1389        assert!(script.contains("/users/test-value"));
1390        assert!(script.contains("param:path:string"));
1391        assert!(script.contains("method:GET"));
1392        assert!(script.contains("handleSummary"));
1393    }
1394
1395    #[test]
1396    fn test_generate_with_category_filter() {
1397        let config = ConformanceConfig {
1398            target_url: "http://localhost:3000".to_string(),
1399            api_key: None,
1400            basic_auth: None,
1401            skip_tls_verify: false,
1402            categories: Some(vec!["Parameters".to_string()]),
1403            base_path: None,
1404            custom_headers: vec![],
1405            output_dir: None,
1406            all_operations: false,
1407            custom_checks_file: None,
1408            request_delay_ms: 0,
1409            custom_filter: None,
1410            export_requests: false,
1411            validate_requests: false,
1412        };
1413
1414        let operations = vec![AnnotatedOperation {
1415            path: "/users/{id}".to_string(),
1416            method: "GET".to_string(),
1417            features: vec![
1418                ConformanceFeature::MethodGet,
1419                ConformanceFeature::PathParamString,
1420            ],
1421            request_body_content_type: None,
1422            sample_body: None,
1423            query_params: vec![],
1424            header_params: vec![],
1425            path_params: vec![("id".to_string(), "1".to_string())],
1426            response_schema: None,
1427            security_schemes: vec![],
1428        }];
1429
1430        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1431        let (script, _check_count) = gen.generate().unwrap();
1432
1433        assert!(script.contains("group('Parameters'"));
1434        assert!(!script.contains("group('HTTP Methods'"));
1435    }
1436
1437    #[test]
1438    fn test_annotate_response_validation() {
1439        use openapiv3::ObjectType;
1440
1441        // Operation with a 200 response that has a JSON schema
1442        let mut op = Operation::default();
1443        let mut response = Response::default();
1444        let mut media = openapiv3::MediaType::default();
1445        let mut obj_type = ObjectType::default();
1446        obj_type.properties.insert(
1447            "name".to_string(),
1448            ReferenceOr::Item(Box::new(Schema {
1449                schema_data: SchemaData::default(),
1450                schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1451            })),
1452        );
1453        obj_type.required = vec!["name".to_string()];
1454        media.schema = Some(ReferenceOr::Item(Schema {
1455            schema_data: SchemaData::default(),
1456            schema_kind: SchemaKind::Type(Type::Object(obj_type)),
1457        }));
1458        response.content.insert("application/json".to_string(), media);
1459        op.responses
1460            .responses
1461            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1462
1463        let api_op = make_op("get", "/users", op);
1464        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1465
1466        assert!(
1467            annotated.features.contains(&ConformanceFeature::ResponseValidation),
1468            "Should detect ResponseValidation when response has a JSON schema"
1469        );
1470        assert!(annotated.response_schema.is_some(), "Should extract the response schema");
1471
1472        // Verify generated script includes schema validation with try-catch
1473        let config = ConformanceConfig {
1474            target_url: "http://localhost:3000".to_string(),
1475            api_key: None,
1476            basic_auth: None,
1477            skip_tls_verify: false,
1478            categories: None,
1479            base_path: None,
1480            custom_headers: vec![],
1481            output_dir: None,
1482            all_operations: false,
1483            custom_checks_file: None,
1484            request_delay_ms: 0,
1485            custom_filter: None,
1486            export_requests: false,
1487            validate_requests: false,
1488        };
1489        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1490        let (script, _check_count) = gen.generate().unwrap();
1491
1492        assert!(
1493            script.contains("response:schema:validation"),
1494            "Script should contain the validation check name"
1495        );
1496        assert!(script.contains("try {"), "Script should wrap validation in try-catch");
1497        assert!(script.contains("res.json()"), "Script should parse response as JSON");
1498    }
1499
1500    #[test]
1501    fn test_annotate_global_security() {
1502        // Spec with global security requirement, operation without its own security
1503        let op = Operation::default();
1504        let mut spec = OpenAPI::default();
1505        let mut global_req = openapiv3::SecurityRequirement::new();
1506        global_req.insert("bearerAuth".to_string(), vec![]);
1507        spec.security = Some(vec![global_req]);
1508        // Define the security scheme in components
1509        let mut components = openapiv3::Components::default();
1510        components.security_schemes.insert(
1511            "bearerAuth".to_string(),
1512            ReferenceOr::Item(SecurityScheme::HTTP {
1513                scheme: "bearer".to_string(),
1514                bearer_format: Some("JWT".to_string()),
1515                description: None,
1516                extensions: Default::default(),
1517            }),
1518        );
1519        spec.components = Some(components);
1520
1521        let api_op = make_op("get", "/protected", op);
1522        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1523
1524        assert!(
1525            annotated.features.contains(&ConformanceFeature::SecurityBearer),
1526            "Should detect SecurityBearer from global security + components"
1527        );
1528    }
1529
1530    #[test]
1531    fn test_annotate_security_scheme_resolution() {
1532        // Test that security scheme type is resolved from components, not just name heuristic
1533        let mut op = Operation::default();
1534        // Use a generic name that wouldn't match name heuristics
1535        let mut req = openapiv3::SecurityRequirement::new();
1536        req.insert("myAuth".to_string(), vec![]);
1537        op.security = Some(vec![req]);
1538
1539        let mut spec = OpenAPI::default();
1540        let mut components = openapiv3::Components::default();
1541        components.security_schemes.insert(
1542            "myAuth".to_string(),
1543            ReferenceOr::Item(SecurityScheme::APIKey {
1544                location: openapiv3::APIKeyLocation::Header,
1545                name: "X-API-Key".to_string(),
1546                description: None,
1547                extensions: Default::default(),
1548            }),
1549        );
1550        spec.components = Some(components);
1551
1552        let api_op = make_op("get", "/data", op);
1553        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1554
1555        assert!(
1556            annotated.features.contains(&ConformanceFeature::SecurityApiKey),
1557            "Should detect SecurityApiKey from SecurityScheme::APIKey, not name heuristic"
1558        );
1559    }
1560
1561    #[test]
1562    fn test_annotate_content_negotiation() {
1563        let mut op = Operation::default();
1564        let mut response = Response::default();
1565        // Response with multiple content types
1566        response
1567            .content
1568            .insert("application/json".to_string(), openapiv3::MediaType::default());
1569        response
1570            .content
1571            .insert("application/xml".to_string(), openapiv3::MediaType::default());
1572        op.responses
1573            .responses
1574            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1575
1576        let api_op = make_op("get", "/items", op);
1577        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1578
1579        assert!(
1580            annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1581            "Should detect ContentNegotiation when response has multiple content types"
1582        );
1583    }
1584
1585    #[test]
1586    fn test_no_content_negotiation_for_single_type() {
1587        let mut op = Operation::default();
1588        let mut response = Response::default();
1589        response
1590            .content
1591            .insert("application/json".to_string(), openapiv3::MediaType::default());
1592        op.responses
1593            .responses
1594            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1595
1596        let api_op = make_op("get", "/items", op);
1597        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1598
1599        assert!(
1600            !annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1601            "Should NOT detect ContentNegotiation for a single content type"
1602        );
1603    }
1604
1605    #[test]
1606    fn test_spec_driven_with_base_path() {
1607        let annotated = AnnotatedOperation {
1608            path: "/users".to_string(),
1609            method: "GET".to_string(),
1610            features: vec![ConformanceFeature::MethodGet],
1611            path_params: vec![],
1612            query_params: vec![],
1613            header_params: vec![],
1614            request_body_content_type: None,
1615            sample_body: None,
1616            response_schema: None,
1617            security_schemes: vec![],
1618        };
1619        let config = ConformanceConfig {
1620            target_url: "https://192.168.2.86/".to_string(),
1621            api_key: None,
1622            basic_auth: None,
1623            skip_tls_verify: true,
1624            categories: None,
1625            base_path: Some("/api".to_string()),
1626            custom_headers: vec![],
1627            output_dir: None,
1628            all_operations: false,
1629            custom_checks_file: None,
1630            request_delay_ms: 0,
1631            custom_filter: None,
1632            export_requests: false,
1633            validate_requests: false,
1634        };
1635        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1636        let (script, _check_count) = gen.generate().unwrap();
1637
1638        assert!(
1639            script.contains("const BASE_URL = 'https://192.168.2.86/api'"),
1640            "BASE_URL should include the base_path. Got: {}",
1641            script.lines().find(|l| l.contains("BASE_URL")).unwrap_or("not found")
1642        );
1643    }
1644
1645    #[test]
1646    fn test_spec_driven_with_custom_headers() {
1647        let annotated = AnnotatedOperation {
1648            path: "/users".to_string(),
1649            method: "GET".to_string(),
1650            features: vec![ConformanceFeature::MethodGet],
1651            path_params: vec![],
1652            query_params: vec![],
1653            header_params: vec![
1654                ("X-Avi-Tenant".to_string(), "test-value".to_string()),
1655                ("X-CSRFToken".to_string(), "test-value".to_string()),
1656            ],
1657            request_body_content_type: None,
1658            sample_body: None,
1659            response_schema: None,
1660            security_schemes: vec![],
1661        };
1662        let config = ConformanceConfig {
1663            target_url: "https://192.168.2.86/".to_string(),
1664            api_key: None,
1665            basic_auth: None,
1666            skip_tls_verify: true,
1667            categories: None,
1668            base_path: Some("/api".to_string()),
1669            custom_headers: vec![
1670                ("X-Avi-Tenant".to_string(), "admin".to_string()),
1671                ("X-CSRFToken".to_string(), "real-csrf-token".to_string()),
1672                ("Cookie".to_string(), "sessionid=abc123".to_string()),
1673            ],
1674            output_dir: None,
1675            all_operations: false,
1676            custom_checks_file: None,
1677            request_delay_ms: 0,
1678            custom_filter: None,
1679            export_requests: false,
1680            validate_requests: false,
1681        };
1682        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1683        let (script, _check_count) = gen.generate().unwrap();
1684
1685        // Custom headers should override spec-derived test-value placeholders
1686        assert!(
1687            script.contains("'X-Avi-Tenant': 'admin'"),
1688            "Should use custom value for X-Avi-Tenant, not test-value"
1689        );
1690        assert!(
1691            script.contains("'X-CSRFToken': 'real-csrf-token'"),
1692            "Should use custom value for X-CSRFToken, not test-value"
1693        );
1694        // Custom headers not in spec should be appended
1695        assert!(
1696            script.contains("'Cookie': 'sessionid=abc123'"),
1697            "Should include Cookie header from custom_headers"
1698        );
1699        // test-value should NOT appear
1700        assert!(
1701            !script.contains("'test-value'"),
1702            "test-value placeholders should be replaced by custom values"
1703        );
1704    }
1705
1706    #[test]
1707    fn test_effective_headers_merging() {
1708        let config = ConformanceConfig {
1709            target_url: "http://localhost".to_string(),
1710            api_key: None,
1711            basic_auth: None,
1712            skip_tls_verify: false,
1713            categories: None,
1714            base_path: None,
1715            custom_headers: vec![
1716                ("X-Auth".to_string(), "real-token".to_string()),
1717                ("Cookie".to_string(), "session=abc".to_string()),
1718            ],
1719            output_dir: None,
1720            all_operations: false,
1721            custom_checks_file: None,
1722            request_delay_ms: 0,
1723            custom_filter: None,
1724            export_requests: false,
1725            validate_requests: false,
1726        };
1727        let gen = SpecDrivenConformanceGenerator::new(config, vec![]);
1728
1729        // Spec headers with a matching custom header
1730        let spec_headers = vec![
1731            ("X-Auth".to_string(), "test-value".to_string()),
1732            ("X-Other".to_string(), "keep-this".to_string()),
1733        ];
1734        let effective = gen.effective_headers(&spec_headers);
1735
1736        // X-Auth should be overridden
1737        assert_eq!(effective[0], ("X-Auth".to_string(), "real-token".to_string()));
1738        // X-Other should be kept as-is
1739        assert_eq!(effective[1], ("X-Other".to_string(), "keep-this".to_string()));
1740        // Cookie should be appended
1741        assert_eq!(effective[2], ("Cookie".to_string(), "session=abc".to_string()));
1742    }
1743}
mockforge_bench/conformance/spec_driven.rs

mockforge_bench/conformance/
spec_driven.rs
