API Tests

Comprehensive test suite for REST APIs, gRPC APIs, and API Gateway with security validation, performance benchmarks, and integration tests.

Overview

This crate provides extensive testing coverage for all API implementations in the LLM Auto Optimizer project:

• REST API Tests: Endpoints, authentication, validation, rate limiting, performance
• gRPC API Tests: Services, streaming (server/client/bidirectional), interceptors, performance
• API Gateway Tests: Routing, protocol translation, composition, security
• Security Tests: OWASP API Security Top 10, authentication bypass, penetration testing
• Performance Benchmarks: Latency (p50/p95/p99), throughput, load testing
• Integration Tests: End-to-end workflows

Test Coverage Goals

• >90% code coverage across all API implementations
• 100% endpoint coverage for REST and gRPC APIs
• Zero security vulnerabilities (OWASP API Top 10 compliant)
• Performance targets: p95 latency <50ms, throughput >10,000 req/sec
• Load testing: Validated with 1000+ concurrent connections

Quick Start

Prerequisites

# Install Rust (1.75+)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Install testing tools (optional but recommended)
cargo install cargo-tarpaulin  # Code coverage
brew install k6                 # Load testing (macOS)
# or
sudo apt-get install wrk       # Alternative load testing

Running Tests

# Run all tests
cargo test --all

# Run specific test suites
cargo test --test rest_api
cargo test --test grpc_api
cargo test --test gateway
cargo test --test security
cargo test --test integration

# Run with output
cargo test -- --nocapture

# Run benchmarks
cargo bench

# Generate coverage report
cargo tarpaulin --out Html --output-dir coverage

Running Test Scripts

# Run all tests with comprehensive reporting
./scripts/run_all_tests.sh

# Run load tests
export API_BASE_URL=http://localhost:8080
./scripts/load_test.sh

# Run security scan
./scripts/security_scan.sh

Test Structure

api-tests/
├── src/
│   ├── lib.rs              # Test library
│   ├── common.rs           # Common utilities
│   ├── fixtures.rs         # Test fixtures and mock data
│   └── helpers.rs          # Helper functions (JWT, HTTP client)
├── tests/
│   ├── rest_api/           # REST API tests
│   │   ├── endpoints.rs    # CRUD operations, pagination
│   │   ├── auth.rs         # Authentication, authorization
│   │   ├── validation.rs   # Request/response validation
│   │   ├── ratelimit.rs    # Rate limiting tests
│   │   └── performance.rs  # REST performance tests
│   ├── grpc_api/           # gRPC API tests
│   │   ├── services.rs     # RPC method tests
│   │   ├── streaming.rs    # Streaming tests
│   │   ├── interceptors.rs # Interceptor tests
│   │   └── performance.rs  # gRPC performance tests
│   ├── gateway/            # API Gateway tests
│   │   ├── routing.rs      # Routing tests
│   │   ├── translation.rs  # Protocol translation
│   │   ├── composition.rs  # Service composition
│   │   └── security.rs     # Gateway security
│   ├── security/           # Security tests
│   │   ├── owasp_api_top10.rs  # OWASP compliance
│   │   ├── auth_security.rs     # Auth security
│   │   └── penetration.rs       # Penetration tests
│   └── integration/        # Integration tests
│       └── e2e.rs          # End-to-end workflows
├── benches/                # Performance benchmarks
│   ├── latency_bench.rs    # Latency benchmarks
│   ├── load_test.rs        # Load testing
│   └── streaming_bench.rs  # Streaming performance
├── scripts/                # Test automation scripts
│   ├── run_all_tests.sh    # Run all tests
│   ├── load_test.sh        # Load testing script
│   └── security_scan.sh    # Security scanning
├── proto/                  # Protocol buffer definitions
│   └── optimizer.proto     # gRPC service definitions
└── README.md               # This file

Test Categories

1. REST API Tests (120+ tests)

Endpoints Tests (tests/rest_api/endpoints.rs):

• Health check and readiness probes
• CRUD operations (Create, Read, Update, Delete)
• List with pagination and filtering
• Error handling (404, 400, 500)

Authentication Tests (tests/rest_api/auth.rs):

• JWT token validation and expiration
• API key authentication
• Authorization (role-based access control)
• Token refresh and logout

Validation Tests (tests/rest_api/validation.rs):

• Required field validation
• Type validation
• Value constraints (ranges, lengths)
• Nested object validation
• Array validation
• Malformed JSON handling

Rate Limiting Tests (tests/rest_api/ratelimit.rs):

• Per-API-key rate limiting
• IP-based rate limiting
• Different tier limits (free, premium)
• Rate limit headers (X-RateLimit-*)
• Burst protection

Performance Tests (tests/rest_api/performance.rs):

• Endpoint latency (p50, p95, p99)
• Concurrent requests (100+)
• Large payload handling
• Streaming performance
• Connection reuse

2. gRPC API Tests (80+ tests)

Service Tests (tests/grpc_api/services.rs):

• Unary RPC methods
• Error status codes (NOT_FOUND, INVALID_ARGUMENT, etc.)
• Metadata authentication
• Deadline handling

Streaming Tests (tests/grpc_api/streaming.rs):

• Server-side streaming
• Client-side streaming
• Bidirectional streaming
• Backpressure handling
• Stream cancellation
• Large message streaming
• Concurrent streams

Interceptor Tests (tests/grpc_api/interceptors.rs):

• Authentication interceptor
• Logging interceptor
• Rate limiting interceptor
• Compression interceptor
• Timeout interceptor
• Retry interceptor
• Metadata propagation

Performance Tests (tests/grpc_api/performance.rs):

• Unary RPC latency
• Concurrent requests (1000+)
• Streaming throughput
• Connection pooling
• Large message performance

3. API Gateway Tests (40+ tests)

Routing Tests (tests/gateway/routing.rs):

• REST routing
• gRPC routing
• WebSocket routing
• Path-based routing
• Header-based routing
• Route not found handling

Translation Tests (tests/gateway/translation.rs):

• REST to gRPC translation
• gRPC to REST translation
• Request format conversion (JSON ↔ Protobuf)
• Response format conversion
• Error code translation

Composition Tests (tests/gateway/composition.rs):

• Parallel service composition
• Sequential service composition
• Partial failure handling

Security Tests (tests/gateway/security.rs):

• Authentication enforcement
• Gateway-level rate limiting
• CORS headers
• Security headers

4. Security Tests (50+ tests)

OWASP API Security Top 10 (tests/security/owasp_api_top10.rs):

1. Broken Object Level Authorization (BOLA)
2. Broken Authentication
3. Broken Object Property Level Authorization
4. Unrestricted Resource Consumption
5. Broken Function Level Authorization
6. Unrestricted Access to Sensitive Business Flows
7. Server Side Request Forgery (SSRF)
8. Security Misconfiguration
9. Improper Inventory Management
10. Unsafe Consumption of APIs

Authentication Security (tests/security/auth_security.rs):

• JWT token expiration
• SQL injection prevention
• XSS prevention
• CSRF protection
• Brute force protection
• API key rotation
• Privilege escalation prevention

Penetration Tests (tests/security/penetration.rs):

• Directory traversal
• Command injection
• XML external entity (XXE)
• Insecure deserialization
• Open redirect

5. Performance Benchmarks

Latency Benchmarks (benches/latency_bench.rs):

• REST API latency (GET, POST, PUT, DELETE)
• gRPC API latency (unary, streaming)
• Authentication overhead (JWT, API key)

Load Tests (benches/load_test.rs):

• Concurrent requests (10, 50, 100, 500, 1000)
• Throughput testing (requests/sec)
• Streaming throughput (10k+ messages)

Streaming Benchmarks (benches/streaming_bench.rs):

• Server streaming (1000 events)
• Client streaming (1000 events)
• Bidirectional streaming (1000 messages)

6. Integration Tests

End-to-End Tests (tests/integration/e2e.rs):

• User registration and authentication workflow
• Complete CRUD workflow
• Error handling workflow
• Pagination workflow

Performance Targets

Security Compliance

• ✅ OWASP API Security Top 10 (2023): Full compliance
• ✅ Authentication: JWT, API keys, role-based access control
• ✅ Authorization: Object-level and function-level authorization
• ✅ Rate Limiting: Per-user, per-IP, per-endpoint
• ✅ Input Validation: All inputs validated and sanitized
• ✅ Security Headers: X-Frame-Options, CSP, HSTS, etc.
• ✅ TLS: Required for all production endpoints
• ✅ Audit Logging: All security events logged

CI/CD Integration

GitHub Actions

name: API Tests

on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions-rs/toolchain@v1
        with:
          toolchain: stable
      - name: Run tests
        run: cargo test --all
      - name: Run benchmarks
        run: cargo bench --no-run
      - name: Security scan
        run: ./scripts/security_scan.sh
      - name: Generate coverage
        run: cargo tarpaulin --out Xml
      - name: Upload coverage
        uses: codecov/codecov-action@v3

Troubleshooting

Tests Failing?

1. Check server is running: Some integration tests require a running API server
2. Check dependencies: Ensure all workspace dependencies are up-to-date
3. Check environment: Verify environment variables (API_BASE_URL, etc.)
4. Check ports: Ensure test ports (50051 for gRPC) are available

Performance Issues?

1. Run in release mode: cargo test --release
2. Increase timeouts: Some tests have configurable timeouts
3. Reduce concurrency: Lower MAX_CONCURRENT_CONNECTIONS if system resources are limited

Security Tests Failing?

1. Review implementation: Security tests should pass before production
2. Update dependencies: Ensure all security libraries are up-to-date
3. Check configuration: Verify security settings in config files

Contributing

Adding New Tests

1. Create test file in appropriate directory
2. Follow existing test patterns and naming conventions
3. Use test fixtures from src/fixtures.rs
4. Update this README with new test categories
5. Ensure tests pass: cargo test

Test Guidelines

• Descriptive names: Use clear, descriptive test function names
• Arrange-Act-Assert: Follow AAA pattern
• One assertion per test: Focus each test on a single behavior
• Use fixtures: Leverage common test data from fixtures
• Mock external dependencies: Use wiremock for HTTP mocking
• Document complex tests: Add comments for non-obvious test logic

Resources

• OWASP API Security Top 10
• Rust Testing Guide
• Criterion.rs Benchmarking
• Tonic gRPC
• Axum Web Framework

License

Apache 2.0 - See LICENSE file for details