Can You Hack It?

Why wouldn't you just give up?

The system under test has poor testability which means that the testing you'd like to do will take longer and the resolution of your findings will be lower than you'd like.

So do you give up, battle through, wait for someone to add what you need ... or change the product yourself?

There are potential risks to that last option, of course, because (duh!) you're changing the product. But there are potential wins, too, because you're getting the data you want earlier and can give richer feedback to your stakeholders.

I took that route this week.

The service I'm looking at is essentially a pipeline of steps, each of which calls out to a third-party service and post-processes the result, set up like this:

  result1 = step1.run(input)
  result2 = step2.run(result1)
  result3 = step3.run(result2)

I wanted the response time for a large number of requests against its API, which I can get easily from the client I am using, and also the time for each internal step. While there's a ticket to expose this data, it's not in the product yet.

I thought it was important to capture now, so I made a branch of the source code and added a timer and a log line. I'll use a Kotlin-ish psuedocode for snippets:

(result, time) = Timer {
	call_external_service1(some_data)
}
log.debug("timing, service1, $time, $requestID")

This produces log output that I can parse and visualise easily, for example:

timing, service1, 324, aaaaa
timing, service2, 221, aaaaa
timing, service3, 530, aaaaa

I included requestID, which is also in the API response, so that I can tie the timing data to each request I made in later analysis. I felt reasonably confident that I would not be affecting the behaviour of the product with this, but I showed the change to the developers to check.

For some of the tests I was more concerned about the behaviour of our code over sustained load and didn't care so much about hitting the external services. To facilitate that, I extended my changes:

(result, time) = Timer {
    if (spoof_external) {
	sleep(1000)
	"""
	  spoofed response body
	"""
    }
    else {
	call_external_service1(some_data)
    }
log.debug("timing, service1, $time, $requestID})

In this implementation, if I set a run-time flag spoof_external to true, then there's a short wait and spoofed response instead of an external call. This is enough to simulate the external service and force the service to follow its standard code paths.

I could have added some variability to the latency and the responses if I'd wanted to, but this was good enough for a first iteration.

Both of those changes worked well. Next I wanted to be able to hit each of the external services individually. Again, our API doesn't provide this option, yet.

I can do it through unit tests but I wanted something more interactive this time. Both of those approaches have value, and I've written about it in e.g. Exploratory Tooling, Use the Force Multiplier, and The Love of a List and a Loop.

The service under test is written in Kotlin using Spring Boot. I am fluent in neither so I am not about to add any new endpoints, but I could see a cheap way to do what I wanted and it was another iteration on what I'd already done.

In turn, for each step I wanted to explore, I spoofed the external service returning a field from the request my client made instead of some static content:

if (spoof_external) {
    input.some_field
}

This gives me a way to inject data direct to a step. Conceptually, I am telling a step not to take its input from the previous step, but to instead take it from my request, e.g:

result1 = step1.run(input)
result2 = step2.run(result1)
result3 = step3.run(input)

If you're thinking that it's inefficient because other steps still run you'd be right. But that was much less of a concern in this case than being able to test what I wanted to test.

Of course, I still need to see the output, so I added more logging:

log.debug("output, service3, $result")

With this change, I can have Bruno set up on one side of my screen and a shell on the other. In the shell I am doing this:

$ tail -f log.txt  | grep output,

As I submit a request in Bruno, I can see the result of the step I am interested in immediately:

output, service3, resultA
output, service3, resultB
output, service3, resultC

This is instant feedback and now I'm exploring interactively. After each experiment I'm able to go again immediately, with another variant, looking for interesting behaviour.

Was this valuable?

Yes, I got data that helped us to understand the behaviour of the product in scenarios we think will be important.

Was there risk that I had changed the behaviour of the product sufficiently that the testing was invalid?

Yes, but I was careful to make my changes in such a way that I was happy the risk was very low: in every case I was wrapping or substituting a call I understood well. I also added logging that made it clear what was being called.

So, I made my choice but what would you do in the face of low testability? Just hack it, or just hack it?
Image: Pawel Czerwinski on Unsplash
Syntax highlighting: pinetools

Comments

Meet Me Halfway?

The Association for Software Testing is crowd-sourcing a book, Navigating the World as a Context-Driven Tester , which aims to provide responses to common questions and statements about testing from a context-driven perspective . It's being edited by Lee Hawkins who is posing questions on Twitter , LinkedIn , Mastodon , Slack , and the AST mailing list and then collating the replies, focusing on practice over theory. I've decided to contribute by answering briefly, and without a lot of editing or crafting, by imagining that I'm speaking to someone in software development who's acting in good faith, cares about their work and mine, but doesn't have much visibility of what testing can be. Perhaps you'd like to join me? --00-- "Stop answering my questions with questions." Sure, I can do that. In return, please stop asking me questions so open to interpretation that any answer would be almost meaningless and certa

Can Code, Can't Code, Is Useful

The Association for Software Testing is crowd-sourcing a book, Navigating the World as a Context-Driven Tester , which aims to provide responses to common questions and statements about testing from a context-driven perspective . It's being edited by Lee Hawkins who is posing questions on Twitter , LinkedIn , Mastodon , Slack , and the AST mailing list and then collating the replies, focusing on practice over theory. I've decided to contribute by answering briefly, and without a lot of editing or crafting, by imagining that I'm speaking to someone in software development who's acting in good faith, cares about their work and mine, but doesn't have much visibility of what testing can be. Perhaps you'd like to join me? --00-- "If testers can’t code, they’re of no use to us" My first reaction is to wonder what you expect from your testers. I am immediately interested in your working context and the way

Not Strictly for the Birds

One of my chores takes me outside early in the morning and, if I time it right, I get to hear a charming chorus of birdsong from the trees in the gardens down our road, a relaxing layered soundscape of tuneful calls, chatter, and chirrupping. Interestingly, although I can tell from the number and variety of trills that there must be a large number of birds around, they are tricky to spot. I have found that by staring loosely at something, such as the silhouette of a tree's crown against the slowly brightening sky, I see more birds out of the corner of my eye than if I scan to look for them. The reason seems to be that my peripheral vision picks up movement against the wider background that direct inspection can miss. An optometrist I am not, but I do find myself staring at data a great deal, seeking relationships, patterns, or gaps. I idly wondered whether, if I filled my visual field with data, I might be able to exploit my peripheral vision in that quest. I have a wide monito

ChatGPTesters

The Association for Software Testing is crowd-sourcing a book, Navigating the World as a Context-Driven Tester , which aims to provide responses to common questions and statements about testing from a context-driven perspective . It's being edited by Lee Hawkins who is posing questions on Twitter , LinkedIn , Mastodon , Slack , and the AST mailing list and then collating the replies, focusing on practice over theory. I've decided to contribute by answering briefly, and without a lot of editing or crafting, by imagining that I'm speaking to someone in software development who's acting in good faith, cares about their work and mine, but doesn't have much visibility of what testing can be. Perhaps you'd like to join me? --00-- "Why don’t we replace the testers with AI?" We have a good relationship so I feel safe telling you that my instinctive reaction, as a member of the Tester's Union, is to ask why we don&

Postman Curlections

My team has been building a new service over the last few months. Until recently all the data it needs has been ingested at startup and our focus has been on the logic that processes the data, architecture, and infrastructure. This week we introduced a couple of new endpoints that enable the creation (through an HTTP POST) and update (PUT) of the fundamental data type (we call it a definition ) that the service operates on. I picked up the task of smoke testing the first implementations. I started out by asking the system under test to show me what it can do by using Postman to submit requests and inspecting the results. It was the kinds of things you'd imagine, including: submit some definitions (of various structure, size, intent, name, identifiers, etc) resubmit the same definitions (identical, sharing keys, with variations, etc) retrieve the submitted definitions (using whatever endpoints exist to show some view of them) compare definitions I submitted fro

Vanilla Flavour Testing

I have been pairing with a new developer colleague recently. In our last session he asked me "is this normal testing?" saying that he'd never seen anything like it anywhere else that he'd worked. We finished the task we were on and then chatted about his question for a few minutes. This is a short summary of what I said. I would describe myself as context-driven . I don't take the same approach to testing every time, except in a meta way. I try to understand the important questions, who they are important to, and what the constraints on the work are. With that knowledge I look for productive, pragmatic, ways to explore whatever we're looking at to uncover valuable information or find a way to move on. I write test notes as I work in a format that I have found to be useful to me, colleagues, and stakeholders. For me, the notes should clearly state the mission and give a tl;dr summary of the findings and I like them to be public while I'm working not just w

Make, Fix, and Test

A few weeks ago, in A Good Tester is All Over the Place , Joep Schuurkes described a model of testing work based on three axes: do testing yourself or support testing by others be embedded in a team or be part of a separate team do your job or improve the system It resonated with me and the other testers I shared it with at work, and it resurfaced in my mind while I was reflecting on some of the tasks I've picked up recently and what they have involved, at least in the way I've chosen to address them. Here's three examples: Documentation Generation We have an internal tool that generates documentation in Confluence by extracting and combining images and text from a handful of sources. Although useful, it ran very slowly or not at all so one of the developers performed major surgery on it. Up to that point, I had never taken much interest in the tool and I could have safely ignored this piece of work too because it would have been tested by

Build Quality

The Association for Software Testing is crowd-sourcing a book, Navigating the World as a Context-Driven Tester , which aims to provide responses to common questions and statements about testing from a context-driven perspective . It's being edited by Lee Hawkins who is posing questions on Twitter , LinkedIn , Mastodon , Slack , and the AST mailing list and then collating the replies, focusing on practice over theory. I've decided to contribute by answering briefly, and without a lot of editing or crafting, by imagining that I'm speaking to someone in software development who's acting in good faith, cares about their work and mine, but doesn't have much visibility of what testing can be. Perhaps you'd like to join me? --00-- "When the build is green, the product is of sufficient quality to release" An interesting take, and one I wouldn't agree with in general. That surprises you? Well, ho

The Best Laid Test Plans

The Association for Software Testing is crowd-sourcing a book, Navigating the World as a Context-Driven Tester , which aims to provide responses to common questions and statements about testing from a context-driven perspective . It's being edited by Lee Hawkins who is posing questions on Twitter , LinkedIn , Mastodon , Slack , and the AST mailing list and then collating the replies, focusing on practice over theory. I've decided to contribute by answering briefly, and without a lot of editing or crafting, by imagining that I'm speaking to someone in software development who's acting in good faith, cares about their work and mine, but doesn't have much visibility of what testing can be. Perhaps you'd like to join me? --00-- "What's the best format for a test plan?" I'll side-step the conversation about what a test plan is and just say that the format you should use is one that works for you, your coll

Express, Listen, and Field

Last weekend I participated in the LLandegfan Exploratory Workshop on Testing (LLEWT) 2024, a peer conference in a small parish hall on Anglesey, north Wales. The topic was communication and I shared my sketchnotes and a mind map from the day a few days ago. This post summarises my experience report. Express, Listen, and Field Just about the most hands-on, practical, and valuable training I have ever done was on assertiveness with a local Cambridge coach, Laura Dain . In it she introduced Express, Listen, and Field (ELF), distilled from her experience across many years in the women’s movement, business, and academia. ELF: say your key message clearly and calmly, actively listen to the response, and then focus only on what is relevant to your needs. I blogged a little about it back in 2017 and I've been using it ever since. Assertiveness In a previous role, I was the manager of a test team and organised training for the whole team

Hiccupps

Search This Blog