ARIA is the Automated REST Interface Assertion Framework: a Java 21 API test automation framework for portfolio-quality REST testing with service objects, reusable clients, generated data, schema validation, mocks, contracts, security checks, OpenAPI coverage, reporting, and CI/CD.
Allure report: qa-test-automation-frameworks.github.io/aria-api-framework
| Area | Tools |
|---|---|
| Core testing | JUnit 5, RestAssured, AssertJ |
| Mocking and contracts | WireMock 3, Pact JVM |
| Data and models | Jackson, JSON Schema Validator, Datafaker, Lombok |
| Configuration | Owner, per-environment properties |
| Containers | Docker, Docker Compose, Testcontainers |
| Reporting and logging | Allure 2, SLF4J, Logback |
| CI/CD | Jenkins, GitHub Actions |
- Java 21
- Docker Desktop
- Gradle wrapper included in the repository
- Optional GitHub PAT in
GITHUB_TOKENfor authenticated GitHub tests
.\gradlew.bat clean test -Denv=devThe default test task is deterministic. It excludes tests tagged live and runs mock, contract, config, security-boundary, and OpenAPI coverage checks that do not depend on public APIs.
Run a tag:
.\gradlew.bat test -Denv=dev --tests "*AuthTests"
.\gradlew.bat smokeTest -Denv=devDedicated Gradle tasks are available for common deterministic suites: smokeTest, regressionTest, contractTest, securityTest, and containerTest. Use test -DincludeTags=... only when you intentionally want raw JUnit tag filtering; live tags require explicit credentials and network access.
JUnit tags are available as smoke, regression, negative, known-demo-api-limitations, contract, security, config, container, and live.
Run live public API tests only when credentials and network access are intentionally available:
$env:BOOKER_USERNAME="<restful-booker-user>"
$env:BOOKER_PASSWORD="<restful-booker-password>"
.\gradlew.bat liveTest -Denv=devScheduled CI runs liveSmokeTest weekly against the configured live environment; keep broader live regression runs manual unless the target APIs are controlled. liveSmokeTest uses a strict live & smoke tag expression, so regression-only live tests are excluded from the scheduled smoke path.
Run the full quality gate used by CI:
.\gradlew.bat clean check securityScan allureReport -Denv=devGenerate OpenAPI endpoint coverage:
.\gradlew.bat openApiCoverageReportGenerate Allure:
.\gradlew.bat allureReportRun with Docker:
$env:ENV="dev"
$env:GITHUB_TOKEN="<token>"
docker compose up --buildRuntime environment files live in src/main/resources/config.
base.url=https://restful-booker.herokuapp.com
github.base.url=https://api.github.com
github.token=
timeout.seconds=30
retry.maxAttempts=3
retry.baseDelayMs=1000
retry.maxDelayMs=8000
retry.jitterMs=250
sla.responseTimeMs=3000Sensitive values should be supplied through environment variables or system properties:
GITHUB_TOKENBOOKING_BASE_URLGITHUB_BASE_URLBOOKER_USERNAMEBOOKER_PASSWORDgithub.ownerandgithub.repofor GitHub issue write testsTIMEOUT_SECONDSRETRY_MAX_ATTEMPTS,RETRY_BASE_DELAY_MS,RETRY_MAX_DELAY_MS, andRETRY_JITTER_MSRESPONSE_TIME_SLA_MS
Configuration is validated at startup. Environment names must be one of dev, staging, or prod; base URLs must be absolute HTTP(S) URLs; timeout and retry values must be positive.
Response-time SLA thresholds are environment-configurable through sla.responseTimeMs or RESPONSE_TIME_SLA_MS.
check enforces:
- JUnit deterministic tests
- Spotless formatting checks
- SpotBugs static analysis for main and test code
- OpenAPI endpoint-to-test coverage generation
- CycloneDX SBOM generation in CI
- Secret-sanitized failure diagnostics and structured test logs under
build/logs
GitHub Actions also runs dependency review, OSV scanning, Gradle wrapper validation, Docker-backed container tests, scheduled live smoke tests, and uploads Allure, SpotBugs, test-result, log, SBOM, and OpenAPI coverage artifacts.
Generate a local SBOM plus OSV scan instructions:
.\gradlew.bat securityScanIf osv-scanner is installed, securityScan runs it against build/reports/cyclonedx/bom.json and fails on reported vulnerabilities. To fail when the scanner is missing, run:
.\gradlew.bat securityScan -PrequireOsvScanner=truesrc/main/java/com/aria/framework
auth Pluggable authentication strategies
builders Fluent request payload builders with valid defaults
clients RestAssured API clients
config Owner configuration
models Request and response DTOs
services Business-level API operations
utils JSON, dates, retry, and token utilities
src/test/java/com/aria/framework
base Shared test setup
contracts Pact consumer contracts
data Datafaker data factories
fixtures Owned in-memory API provider for deterministic contract/security checks
github GitHub REST API tests
mocks WireMock tests
security Deterministic OWASP-style API security tests
restfulbooker Restful Booker tests
- Add base URL and credentials to
EnvironmentConfigand environment property files. - Create a client under
clientswith endpoint mappings only. - Create a service under
servicesfor business-level operations. - Add request and response DTOs under
models. - Add builders and data factories for payloads.
- Add tests under
src/test/javawith status, header, body, response-time, and schema assertions. - Add the endpoint to
src/test/resources/openapi/*.yaml. - Map the endpoint to tests in
src/test/resources/openapi/endpoint-test-coverage.csv.
Generated output belongs under build/ and is intentionally ignored by version control:
- Gradle HTML/XML test reports:
build/reports/tests - Allure report:
build/reports/allure-report/allureReport - SpotBugs reports:
build/reports/spotbugs - OpenAPI coverage:
build/reports/openapi-coverage.md - Test duration summary:
build/reports/test-duration-report.md
Do not distribute .gradle/, .idea/, or build/ as part of the portfolio source artifact.
- Portfolio Review Guide
- Configuration Guide
- Execution Guide
- Writing Tests
- Debugging Test Failures
- Dos and Don'ts
- Security Test Strategy
- Architecture
- Architecture Decision Records
- Docker/Testcontainers tests require Docker Desktop or a Docker-compatible runtime. The default deterministic
testtask may show Docker-backed tests as skipped on a local machine without Docker; CI enforces that coverage through the dedicatedcontainerTestgate. - Live tests call public APIs and can fail because of network outages, rate limits, or changed public data. Keep them out of the default CI gate unless the environment is controlled.
- If live Restful Booker tests fail fast with a credential error, set
BOOKER_USERNAMEandBOOKER_PASSWORDor matching system properties.
- Add
billing.base.urland any credential keys toEnvironmentConfig,FrameworkConfig, and the environment property files. - Create
BillingApiClientundersrc/main/java/com/aria/framework/clientswith endpoint-level RestAssured mappings only. - Use an
AuthStrategyimplementation such as bearer token, API key, basic auth, cookie token, or OAuth2 token provider instead of hardcoding auth headers in the client. - Create
BillingServiceunderservicesfor business workflows such as creating invoices or listing payments. - Add request and response DTOs under
models, plus builders and data factories for valid, invalid, boundary, and security payloads. - Add deterministic tests against the owned provider fixture or WireMock for default CI, live tests with
@Tag("live"), and schema assertions for both paths. - Expand an OpenAPI YAML file with request bodies, path/query parameters, response statuses, schemas, and security requirements.
- Add every endpoint to
endpoint-test-coverage.csvwith default-CI and live references where applicable. - Add Pact consumer expectations and provider-state verification when the provider is owned or represented by an executable fixture.