In [1]:
def s(x): return " "*(10+x)
print(s(5)+".\n"+s(4)+"..:\n"+s(2)+"Hultnér\n"+s(0)+"Technologies\n\n@ahultner | https://hultner.se/")

               .
              ..:
            Hultnér
          Technologies

@ahultner | https://hultner.se/


# ⠠⠵ Schema-based-API-Testing
**Automatically generate test-cases based on your API-schemas.**  
Shorter intro text.


## Index
- Short introduction to API-schemas
    - OpenAPI
    - Swagger
    - GraphQL
    - Flask Liraries
        - Flask RESTPlus (generated specs)
        - Connexion (spec-first)
        - Others?
- Why?
    - ...
- The Problems
    - Inaccurate schemas
        - Undocumented behaviour
    - Invalid schemas
    - Unexpected, but allowed data leads to faults
- Solution
    - Schemathesis
        - Hypothesis, Property Based Testing 
    - Background
        - Swagger Conformance
        - QuickREST
        - …
    - CLI
    - pytest-interface
    - Built in WSGI (and now ASGI) support
        - Import app directly for faster testing
    - HTTP interface
        - Language/framework agnostic universal interface
    - Stateful testing
    - Fixups
    - Targeted property based testing
    - Record into VCR-cassettes
        - Extra fields 
            - command. Full CLI command used to run Schemathesis.
            - http_interactions.id. A numeric interaction ID within the current cassette.
            - http_interactions.status. Type of test outcome, is one of SUCCESS, FAILURE, ERROR.
            - http_interactions.seed. Hypothesis seed used in that particular case could be used as an argument to --hypothesis-seed CLI option to reproduce this request.
            - http_interactions.elapsed. Time in seconds that a request took.
- The Future
- Questions

## API Schemas

API Schemas comes in many flavours, and have become increasingly more popular as our applications are becoming more decoupled. Today we will focus on the types supported by schemathesis, primarly OpenAPI.
* REST/JSON based
    * **OpenAPI 3**
    * Swagger
        * Predecessor to OpenAPI, nowadays a UI to OpenAPI
* GraphQL (Schemathesis support WIP)
    - Typed Query Langague, data format and Schema
    
### Flask Implementations of Swagger/OpenAPI
There's plenty of libraries implementing OpenAPI-specs for Flask, I won't cover them all in this talk but I'm going to take examples from two approaches.

* **Spec first, generate logic**: [Connexion](https://github.com/zalando/connexion) by Zalando
* **Code first, generate spec**: [Flask RESTPlus](https://flask-restplus.readthedocs.io/en/stable/), [Flasgger](https://github.com/flasgger/flasgger), [APISpec](https://github.com/marshmallow-code/apispec), and many more.


## The Problem
Inaccurate data, mismatch between database layer and application layer, library defect, human error, invalid schemas.

**Spectrum of defects**, not all errors are equal but they're never good, here's some examples.
- Incorrect/non conforming schema, lower severity
    - Waste engineering time 😴🥱
    - Leads to incorrect assumptions 🧐
    - Breaks client code generation 🤪
- Unhandled error, lower severity
    - Looks bad 🤨
    - Inconvienience 😔😠
    - Confusion 😕
    - Further escalation? 😈
- Logic errors, medium-high severity
    - Data corruption 😢
    - Incorrect behaviour 🤔😨
    - Crashed application 🤯🤬
    - Negative/incorrect billing 🧾⚠️📉
- Security problems, high-critical severity
    - Denial of Service (DOS) 😵🚧⏳💸
    - Data leak 📇💳📑📤 😡🤭
    - Authentication bypass 👺🔓😱
    - Remote code exectuion (RCE) ⚰️🧨💣👾👾👾

Many of these problems can be found in tricky corner cases and between layers, and are often missed by traditional testing approaches.

## The Solution
Property based testing (PBT) is great at finding corner casing and lets the computer do much of the heavy lifting in creating exhuastive tests. 

### Hypothesis
The defacto standard for PBT in Python. A property models the behaviour of a piece of code given a certain type of input.

### Modelling properties
To test the application we need to model the properties and their input, but can we do better?  
The nice things with schemas is that they specify the expected behaviour of the application for a defined type of input, sounds a bit like properties, doesn't it?

Can we leverage this? Yes we can with Schemathesis!

## Schemathesis
Takes over where it's spiritual predecessor *Swagger-Conformance* left of, both are based on Hypothesis.
Inspiration from the QuickREST research paper.

Automatically generates test cases based on what we already know about or application from our specs.

## The Future

- GraphQL
- Schema standard agnostic
- OpenAPI 3.1
- Faster test generation
- Grow the community
- Improve documentation
- …

In [1]:
import schemathesis

In [None]:
schemathesis