Getting Started with Interface Testing

It has been almost a month since I first came into contact with test development, and the code that I worked so hard to write for more than half a month is about to be thrown out again. Because I didn't understand the principles and ideas of interface testing before, I took a lot of detours. I had interface documents, but I didn't know how to design test cases. I did a lot of searching on Baidu and read the accounts written by many predecessors. Here, I will summarize what I found.
There are two types of interface tests. One is the webservice interface, which is transmitted over HTTP using the SOAP protocol. The request message and the return message are both in XML format. The tool soapUI is used to test it, and this type is used relatively rarely. The other is the HTTP API interface, which uses the HTTP transmission protocol and distinguishes the called methods by path. The most commonly used requests are get and post.
The get request and the post request are distinguished by the path. The request parameters of a get request are written in the URL in the format: http://url?param1&param2. The parameters of a post request are generally written in the body, which may be in key-value format, a JSON string, or a file upload. So the question is, what is the difference between a get request and a post request?
1. The get request can be requested in the browser, and the test of the post request requires the help of tools.
2. The get request uses url and cookie to pass parameters, and the post data is placed in the body.
3. Post is more secure than get, because the passed parameters are invisible on the url.
4. The url of the get request will be limited, and the data of the post request may be very large.
5. The general get request is to obtain data, while the post request is to transfer data.
On the surface, post passes parameters in the body, which looks safer than get passing them in the URL, but in fact, as soon as you use a packet capture tool (Fiddler, Charles, etc.), the parameters of a post request are just as visible at a glance.
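How do you do interface testing, and what is it based on? This requires the interface document provided by development. The interface document plays the same role as the requirements specification in functional testing. It includes: the interface description, the URL to call, the request method (get or post), the request parameters, the parameter types (String, int, long, etc.), notes on the request parameters (whether each may be empty), and a description of the returned result (what each field means). With the interface document in hand, we can design test cases. Interface test cases generally fall into the following categories:
1. Pass-through verification: put simply, pass correct parameters and check whether the normal result is returned.
2. Parameter combinations: parameters may be required or optional, they have types and lengths, and there may be business restrictions on what can be passed, so the test cases must enumerate combinations of these conditions to make sure every case is covered.
3. Interface security, which breaks down into several cases:
  1) Bypassing validation. For example, when submitting an order, modify the product price in the price parameter and see whether the backend validates it. Or, when paying, I capture the packet and change the order amount; if I can pay the amount I changed it to, then the interface has a problem.
  2) Bypassing authentication. A function can only be operated by users with special permissions, so if I pass an ordinary user, can that user operate it as well?
  3) Whether parameters are encrypted. This bears on account security. For example, when we log in to some websites, the site has to encrypt our login information; if it is not encrypted, our information is exposed, which is extremely harmful.
  4) Password security rules: validation of password complexity when a password is set.
4. Design test cases according to the business logic.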
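The pass-through, parameter-combination and security cases above, written out as an added example that is not part of the original post. The order interface, its handlers, the catalog prices, the quantity limit and the user roles are all assumptions constructed for illustration:

```python
# Constructed example: a hypothetical order interface and the interface test
# cases that exercise it. SKUs, prices, limits and accounts are assumptions.
CATALOG = {"sku-1": 1999, "sku-2": 500}      # server-side prices, in cents
ROLES = {"alice": "admin", "bob": "user"}    # constructed accounts


def submit_order_trusting(req):
    """Weak handler: charges whatever price the client sent."""
    return {"status": 200, "charged": req["price"] * req["qty"]}


def submit_order_checked(req):
    """Hardened handler: validates parameters, recomputes the amount."""
    sku, qty = req.get("sku"), req.get("qty")
    if sku not in CATALOG:
        return {"status": 400, "error": "unknown sku"}
    if type(qty) is not int or not 1 <= qty <= 100:
        return {"status": 400, "error": "bad qty"}
    # The client-supplied price is only compared, never used for charging.
    if req.get("price") != CATALOG[sku]:
        return {"status": 400, "error": "price mismatch"}
    return {"status": 200, "charged": CATALOG[sku] * qty}


def set_price(user, sku, new_price):
    """Privileged function: the role is looked up server-side."""
    if ROLES.get(user) != "admin":
        return {"status": 403, "error": "forbidden"}
    if sku not in CATALOG or type(new_price) is not int or new_price <= 0:
        return {"status": 400, "error": "bad parameters"}
    return {"status": 200, "sku": sku, "price": new_price}


def run_cases(handler):
    """Run the order test cases; return {case name: did it pass}."""
    cases = {
        "pass-through": ({"sku": "sku-1", "qty": 2, "price": 1999}, 200),
        "tampered price": ({"sku": "sku-1", "qty": 2, "price": 1}, 400),
        "missing required qty": ({"sku": "sku-1", "price": 1999}, 400),
        "wrong qty type": ({"sku": "sku-1", "qty": "2", "price": 1999}, 400),
        "qty over limit": ({"sku": "sku-1", "qty": 101, "price": 1999}, 400),
    }
    results = {}
    for name, (req, want) in cases.items():
        try:
            results[name] = handler(req)["status"] == want
        except Exception:        # a crash on bad input is a failed case
            results[name] = False
    return results
```

Against the weak handler only the pass-through case succeeds, which is why a suite that stops at pass-through verification reports a broken interface as healthy.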
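Once the test cases are designed, you can use tools to run the interface tests, for example Postman and JMeter.
Postman example: Postman is fairly simple to use. You select the request method from the list and enter the URL in the input box.
e.g. For a get request, click send and you can see the returned result directly.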

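e.g. A post request involves several ways of uploading parameters, as well as adding request headers, authorization and cookies. Almost all of this can be done in the area marked in red.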

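Another tool for testing interfaces is JMeter, which has a wider range of uses: it can test the functionality of an interface and also stress test it. Some of its built-in features, such as parameterization and data correlation, fit the idea of automated testing better, and it can also operate on databases. In JMeter you need to create a thread group. The loop count and the number of threads of the thread group determine the concurrency, and you can also set a duration or start and end times to decide how long the requests run. As shown in the figure: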

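Then add an HTTP request under the thread group, fill in the interface's URL, path, parameters and request method, and add a View Results Tree to see the results the request returns. If you are stress testing the interface, you need to add an Aggregate Report.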

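In JMeter, adding request headers, cookies or authorization to a post request requires adding the corresponding element, such as the part marked in red. It is also fairly simple to do.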

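When using JMeter, you can parameterize the parameters you pass. There is a small tool called the function helper. To give a small example, if you want to generate a random number, just open the function helper, enter the minimum and maximum values, click generate, and the function is ready to use. Create a user-defined variable, give it a variable name, and enter the generated function as the variable value. Then each time you need it, write ${variable}.
  Correlation in JMeter means that the result returned by one interface is used as the request parameter of the next interface. Many scenarios need this, and correlation is very useful when stress testing interfaces in such scenarios.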


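    The above are some basic uses of JMeter for interface testing (I have not studied JMeter yet; the figures above are from what predecessors wrote).
    In my current work, these interface testing tools are only used in a supporting role. What I need to do now is implement automated interface testing in Java, generate the corresponding test reports, and send e-mail to the relevant people. I am still learning; to be continued~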
























































