DEV Community

Cover image for API Testing with Postman and Newman from CI/CD
Dalibor Kundrat
Dalibor Kundrat

Posted on • Updated on

API Testing with Postman and Newman from CI/CD

I`ll show you how to use Postman to test protected GraphQL API and run test collection using Newman from GithubActions!

Note: This article is part of opensource fullstack app

Postman as GraphQL IDE?

Postman is a well-known tool that helps you test your APIs.

Postman supports:

  • REST
  • WebSockets
  • GraphQL

Not yet, but I see the possibility of it becoming a powerfool tool for GraphQL.

Import GraphQL SDL

This has to be done manually! (Unfortunately) Postman does not support schema introspection.

Postman copy SDL schema

Pre-requests scripts

The Pre-Request and Tests can be found in several scopes.

Postman tets vs script

Scope is just place, where you can find them.

  • Scope level Collection
  • Section level Folder
  • Scope level Request

Is there a initial script?

Postman does not have init script that runs once on startup! You can workaround this and implement it using variables!

Postman init scsript

How to sign-in with OAuth?

This depends on whether you are doing the tests manually or automated

If you run heedless from CI/CD you need to write scripts and that can be difficult with some oidc providers who have strict rules and check all security aspects.

For testing purposes, you can define a specific oidc client_id:Postman. You can simply protect it with ResourceOwnerPassword and create a test user for it.

Oauth grant flow Image from Okta

The ResourceOwnerPassword is fully secured in this scenario:

  • You have a special client (oidc client) and you need Secret to use it.
  • The test user still needs to provide his name and password.
  • Will only be activated under a specific flag
  • Will not be used publicly
  • Can be restricted to a specific origin

Request access token

To request a new token, you must make an asynchronous call to the oidc token endpoint.

Logical Flow

Requesting token using password resource owner

Pre-scripts:

1) Check if you have the token from the previous run
2) Validate the lifetime of the token.

  • Token is valid - > uses the existing one
  • Token has expired - > requests a new one

Postman async helper

The OAuth_Token_Exchange triggers the request with the function pm.sendRequest(...).

Postman request access token from oidc

Validation of the GraphQL response

GraphQL returns json and you need to create a helper script to validate it. This script validates property by property with the option to ignore some.

Validate GraphQL response

Export test collection

For that you need to export the collection and the variables and use exported data in headless ci/cd runner.

Export collection:
Export postman collection

Export enviroment:
Export postman enviroment

Newman headless runner

Newman is CLI runner for postman collections. You can find it on Github.

Install with: npm install -g newman.

Run test collection from console (terminal):

Export postman enviroment

(We use the --insecure flag because we use untrusted developer certificates).

This is an example of the output

Export postman enviroment

Integration in Build and CI/CD

The demo application uses Nuke for build automation.

Nuke is a console application that contains all build logic defined as Targets and allows you to run cross-platform and generate .yaml for CI/CD pipelines.

Let us place Newman in front of the Cypress tests.

E2E example

To better understand what Target_E2E_Tests is. Let us take a look at the whole pipeline and the dependencies between the different targets.

Targets define named operation with specific actions.

Nuke build plan

Github-Action run:

Nuke build plan

Repository

You can find the full source code of the app, including identity, distributed logging, tracing and monitoring, in the open source

Github repo:
https://github.com/damikun/trouble-training

Newman sources sub-link (under postman folder):
https://github.com/damikun/trouble-training/tree/main/Src/Tests

Discussion (0)