质量保证策略:Reply 模块
发布: (2025年12月13日 GMT+8 17:38)
4 min read
原文: Dev.to
Source: Dev.to
问题陈述:为什么测试工具重要?
面临的问题
| 问题 | 影响 | 示例 |
|---|---|---|
| 不知道系统容量 | 生产环境意外宕机 | 能处理多少用户? |
| 功能不符合需求 | 开发与利益相关者之间的困惑 | 如何验证需求? |
| 安全问题被忽略 | 泄露或数据曝光 | 是否已测试所有 OWASP 场景? |
| 性能下降未被检测 | API 变慢但无警告 | P95 延迟是多少?是否上升? |
没有系统化工具,团队只能:
- 手动测试(不可扩展)
- 等待用户报告 bug(延迟)
- 猜测性能(非数据驱动)
解决方案等级 3:实现现代工具
2.1 使用 k6 进行压力测试:衡量系统容量
工具: k6(现代负载测试框架)
实现
File: apps/reply/tests/performance/k6_reply_stress_test.js
export const options = {
stages: [
{ duration: '1m', target: 60 }, // Ramp up
{ duration: '1m', target: 80 }, // Peak load
{ duration: '1m', target: 100 }, // Stress test
],
thresholds: {
'http_req_duration': ['p(95) 2000 ms, test FAIL → Force improvement2.2 渗透测试:防护网络威胁
工具: 基于 OWASP API Top 10 的自定义渗透测试
实现
File: apps/reply/tests/test_penetration.py
def test_api1_broken_object_level_authorization(self):
"""Attacker mencoba ubah reply orang lain"""
attacker_user = User.objects.create_user("attacker")
victim_reply = Reply.objects.create(..., author="victim")
client = APIClient()
client.force_authenticate(user=attacker_user)
response = client.patch(
f'/forums/{forum_id}/replies/{victim_reply.id}/',
{"content": "Hacked content"},
)
# ✅ MUST be 403 Forbidden
assert response.status_code == 403
# ✅ Content tidak berubah
victim_reply.refresh_from_db()
assert victim_reply.content == "Original content"测试结果
Ran 40+ penetration tests:
✅ API1 (BOLA) - PASSED
✅ API2 (Authentication) - PASSED
✅ API3 (Data Exposure) - PASSED
✅ API5 (Access Control) - PASSED
✅ API6 (Mass Assignment) - PASSED
✅ API7 (Injection) - PASSED
✅ API8 (Asset Management) - PASSED
✅ API9 (Logging) - PASSED
✅ Rate Limiting - PASSED
✅ Concurrent Modification - PASSED项目的实际收益
- 安全信心: 已测试 OWASP Top 10。
- 漏洞预防: 检测到如竞争条件等边缘情况。
- 合规准备: 安全测试文档已准备好审计。
- 所有权验证: 用户无法访问或修改他人数据。
实践
# Sebelum release, jalankan security tests
$ python manage.py test apps.reply.tests.test_penetration
# Jika ada test FAIL, security issue harus di‑fix terlebih dahulu
# Ini menjadi gating requirement untuk release2.3 BDD 测试:使功能与需求保持一致
工具: Behave(用于可执行需求的 Gherkin 语法)
实现
Feature file: apps/reply/tests/bdd/features/reply.feature
Feature: Reply Management - Business Requirements & Acceptance Criteria
Scenario: User can create a new reply
When alice creates a reply with content "Hello forum!"
Then the reply should be created successfully with status 201
And the reply status should be "pending" by default
And alice should be the author of the reply
Scenario: User cannot modify other user's reply
Given a reply exists by bob with content "Bob's reply"
When alice attempts to update bob's reply to "Hacked content"
Then the modification should be rejected with status 403 Forbidden
And bob's reply content should remain "Bob's reply"
Scenario: Rate limiting prevents abuse
When alice creates 100 replies in quick succession
Then the reply creation should be rate limited
And alice should receive 429 Too Many Requests after thresholdStep implementation: apps/reply/tests/bdd/steps/reply_steps.py
@when(u'{username} creates a reply with content "{content}"')
def step_create_reply(context, username, content):
"""Execute: Create reply via API"""
context.response = context.client.post(
f'/api/forums/{context.forum.id}/replies/',
{'content': content, 'status': 'active'},
format='json'
)
@then(u'the reply should be created successfully with status 201')
def step_reply_created_success(context):
"""Verify: Response status and data"""
assert context.response.status_code == 201
assert 'id' in context.response.data测试结果
$ behave apps/reply/tests/bdd/
Running 20+ scenarios:
✅ User can create a new reply
✅ User can view all replies in a forum
✅ User can update their own reply
✅ User can delete their own reply
✅ User cannot modify other user's reply (403 check)
✅ Rate limiting prevents abuse
...