Research
Security News
Malicious PyPI Package ‘pycord-self’ Targets Discord Developers with Token Theft and Backdoor Exploit
Socket researchers uncover the risks of a malicious Python package targeting Discord developers.
@apideck/portman
Advanced tools
Port OpenAPI Spec to Postman Collection, with contract & variation tests included
Port OpenAPI Spec to Postman Collection, with contract & variation tests included!
Portman leverages OpenAPI documents, with all its defined API request/response properties, to power your Postman collection. Let Portman do all the work and inject contract & variation tests with a minimum of configuration. Customize the Postman requests & variables with a wide range of options to assign & overwrite variables.
Convert your OpenAPI spec to Postman, generate contract & variation tests, upload the Postman collection & run the tests through Newman. Include the Portman CLI as part of an automated process for injecting the power of Portman directly into your CI/CD pipeline.
With Portman, you can:
$ portman --init
OR
.env.example
to .env
and add environment variables you need available to your collectionAll configuration options to convert from OpenAPI to Postman can be found in the openapi-to-postman package documentation. All configuration options to filter flags/tags/methods/operations/... from OpenAPI can be found in the openapi-format package documentation.
You can add the Portman CLI to the node_modules
by using:
$ npm install --save @apideck/portman
or using yarn:
$ yarn add @apideck/portman
Note that this will require you to run the Portman CLI with npx @apideck/portman -l your-openapi-file.yaml
or, if
you are using an older version of npm, ./node_modules/.bin/Portman -l your-openapi-file.yaml
.
$ npm install -g @apideck/portman
To execute the CLI without installing it via npm, use the npx method.
$ npx @apideck/portman -l your-openapi-file.yaml
Usage: -u <url> -l <local> -b <baseUrl> -t <includeTests>
Options:
--help Show help [boolean]
--version Show version number [boolean]
-u, --url URL of OAS to port to Postman collection [string]
-l, --local Use local OAS to port to Postman collection [string]
-b, --baseUrl Override spec baseUrl to use in Postman [string]
-o, --output Write the Postman collection to an output file [string]
--oaOutput Write the (filtered) OpenAPI file to an output file [string]
-n, --runNewman Run Newman on newly created collection [boolean]
--newmanRunOptions JSON stringified object to pass options for configuring Newman [string]
-d, --newmanIterationData Iteration data to run Newman with newly created collection [string]
--localPostman Use local Postman collection, skips OpenAPI conversion [string]
--syncPostman Upload generated collection to Postman (default: false) [boolean]
-p, --postmanUid Postman collection UID to upload with the generated Postman collection [string]
--postmanWorkspaceName Postman Workspace name to target the upload of the generated Postman collection [string]
-t, --includeTests Inject Portman test suite (default: true) [boolean]
--bundleContractTests Bundle Portman contract tests in a separate folder in Postman (default: false) [boolean]
-c, --portmanConfigFile Path to Portman settings config file (portman-config.json) [string]
-s, --postmanConfigFile Path to openapi-to-postman config file (postman-config.json) [string]
--filterFile Path to openapi-format config file (oas-format-filter.json) [string]
--envFile Path to the .env file to inject environment variables [string]
--cliOptionsFile Path to Portman CLI options file [string]
--init Configure Portman CLI options in an interactive manner [string]
Portman uses dotenv
to not only access variables for functionality, but you can also add environment variables that you'd like declared within your Postman environment.
Simply prefix any variable name with PORTMAN_
, and it will be available for use in your Postman collection as the camel-cased equivalent. For example:
PORTMAN_CONSUMER_ID=test_user_id
will be available in your collection or tests by referencing:
{{consumerId}}
It is possible to set a spec-specific .env
file, that lives next to your config files. The path can be passed in via envFile
cli option.
This is useful if you have Portman managing multiple specs that have unique environment requirements.
By default, Portman will leverage any ENVIRONMENT variable that is defined that starts with PORTMAN_
.
portman --init
The init
option will help you to configure the cliConfig options and put the default config, env file in place to kick-start the usage of Portman.
portman -u https://specs.apideck.com/crm.yml
portman -u https://specs.apideck.com/crm.yml -b http://localhost:3050 -n true
portman -u https://specs.apideck.com/crm.yml -b http://localhost:3050 -n true -d ./tmp/newman/data/crm.json
portman -l ./tmp/specs/crm.yml -o ./tmp/specs/crm.Postman.json
portman -l ./tmp/specs/crm.yml -t false
portman -u https://specs.apideck.com/crm.yml --filterFile examples/cli-filtering/oas-format-filter.json
For more details, review the cli-filtering example.
portman -l ./tmp/specs/crm.yml --syncPostman true
Upload newly generated collection to Postman using the collection UID to overwrite the existing.
portman -l ./tmp/specs/crm.yml --syncPostman true -p 9601963a-53ff-4aaa-92a0-2e70a8a2a748
All configuration options to convert from OpenAPI to Postman can be on the openapi-to-postman package documentation.
Portman provides a default openapi-to-postman configuration postman-config.default.json, which will be used if no custom config --postmanConfigFile
is passed.
portman -u https://specs.apideck.com/crm.yml -c ./tmp/crm/portman-config.json -s ./common/postman-config.json
All the CLI options can be managed in a separate configuration file and passed along to the portman command. This will make configuration easier, especially in CI/CD implementations.
portman --cliOptionsFile ./examples/cli-options/portman-cli-options.json
All the available Portman CLI options can be used in the config file. By passing the CLI options as parameter, you can overwrite the defined CLI options defined in the file.
For more details, review the cli-options example.
Without specifying the output location, your generated Postman Collection is written to ./tmp/converted/${specName}.json
if you are manually importing to Postman or need to inspect for debugging.
By using -o
or --output
parameter, you can define the location where the Postman collection will be written.
portman -l ./tmp/specs/crm.yml -o ./tmp/specs/crm.Postman.json
Newman is set to ignore redirects to allow for testing redirect response codes. If you are running collections within Postman UI, you'll need to ensure Postman is set to the same, or your redirect tests will fail.
Postman > Preferences > Automatically follow redirects > OFF
The Portman settings consist out of multiple parts:
It is possible to inject Postman tests and pre-register scripts, assign variables and overwrite query params, headers, request body data with values.
To be able to do this very specifically, there are options to define the targets:
openApiOperationId (String) : References to the OpenAPI operationId, example: leadsAll
openApiOperationIds (Array) : References to an array of OpenAPI operationIds, example: ['leadsAll', 'companiesAll', 'contactsAll']
openApiOperation (String) : References to a combination of the OpenAPI method & path, example: GET::/crm/leads
excludeForOperations (Array) : References to OpenAPI operations that will be skipped for targeting. It supports both the openApiOperationId
and openApiOperation
format, example: ["leadsAdd", "GET::/crm/leads/{id}"]
An openApiOperationId
is an optional property. To offer support for OpenAPI documents that don't have operationIds, we
have added the openApiOperation
definition, which is the unique combination of the OpenAPI method & path, with a ::
separator symbol. The targeting option excludeForOperations
is really useful when using wildcards, to allow exclusions from the wildcard.
This will allow targeting for very specific OpenAPI items.
To facilitate managing the filtering, we have included wildcard options for the openApiOperation
option, supporting
the methods & path definitions.
REMARK: Be sure to put quotes around the target definition.
Strict matching example: "openApiOperation": "GET::/crm/leads",
This will target only the "GET" method and the specific path "/pets"
Method wildcard matching example: "openApiOperation": "*::/crm/leads",
This will target all methods ('get', 'put', 'post', 'delete', 'options', 'head', 'patch', 'trace') and the specific
path "/pets"
Path wildcard matching example: "openApiOperation": "GET::/crm/*"
This will target only the "GET" method and any path matching any folder behind the "/pets", like "/pets/123" and
"/pets/123/buy".
Method & Path wildcard matching example: "openApiOperation": "*::/crm/*",
A combination of wildcards for the method and path parts is even possible.
tests
propertiesThe Portman tests
is where you would define the tests that would be applicable and automatically generated by Portman, based on the OpenAPI document.
The contract tests are grouped in an array of contractTests
.
openApiOperationId (String) : References to the OpenAPI operationId. (example: leadsAll
)
openApiOperationIds (Array) : References to an array of OpenAPI operationIds, example: ['leadsAll', 'companiesAll', 'contactsAll']
openApiOperation (String) : References to a combination of the OpenAPI method & path (example: GET::/crm/leads
)
excludeForOperations (Array | optional) : References to OpenAPI operations that will be skipped for targeting, example: ["leadsAdd", "GET::/crm/leads/{id}"]
statusSuccess (Boolean) : Adds the test if the response of the Postman request returned a 2xx
statusCode (Boolean, HTTP code) : Adds the test if the response of the Postman request return a specific status code.
responseTime (Boolean) : Adds the test to verify if the response of the Postman request is returned within a number of ms.
contentType (Boolean) : Adds the test if the response header is matching the expected content-type defined in the OpenAPI spec.
jsonBody (Boolean) : Adds the test if the response body is matching the expected content-type defined in the OpenAPI spec.
schemaValidation (Boolean) : Adds the test if the response body is matching the JSON schema defined in the OpenAPI spec. The JSON schema is inserted inline in the Postman test.
headersPresent (Boolean) : Adds the test to verify if the Postman response header has the header names present, like defined in the OpenAPI spec.
For more details, review the contract-tests example.
openApiOperationId (String) : References to the OpenAPI operationId for which a variation will be created. (example: leadsAll
)
openApiOperationIds (Array) : References to an array of OpenAPI operationIds, example: ['leadsAll', 'companiesAll', 'contactsAll']
openApiOperation (String) : References to a combination of the OpenAPI method & path for which a variation will be created. (example: GET::/crm/leads
)
excludeForOperations (Array | optional) : References to OpenAPI operations that will be skipped for targeting, example: ["leadsAdd", "GET::/crm/leads/{id}"]
tests : which refers to the definitions for the generated contract & variance tests for the variation.
assignVariables : This refers to setting Postman collection variables that are assigned based on variation.
overwrites : which refers to the custom additions/modifications of the OpenAPI/Postman request data, specifically for the variation.
For more details, review the content-variation example.
contentTests
propertiesContent tests will validate if the response property values will match the expected defined values.
While the Portman tests
verify the "contract" of the API, the contentTests
will verify the content of the API.
openApiOperationId (String) : References to the OpenAPI operationId. (example: leadsAll
)
openApiOperationIds (Array) : References to an array of OpenAPI operationIds, example: ['leadsAll', 'companiesAll', 'contactsAll']
openApiOperation (String) : References to a combination of the OpenAPI method & path (example: GET::/crm/leads
)
excludeForOperations (Array | optional) : References to OpenAPI operations that will be skipped for targeting, example: ["leadsAdd", "GET::/crm/leads/{id}"]
responseBodyTests (Array) : Array of key/value pairs of properties & values in the Postman response body.
For more details, review the content-tests example.
extendTests
propertiesWhen you need to add additional tests or overwrite the Portman-generated test, you can use the extendTests
to define the raw Postman tests.
Anything added in the tests
array will be added to the Postman test scripts.
openApiOperationId (String) : References to the OpenAPI operationId. (example: leadsAll
)
openApiOperationIds (Array) : References to an array of OpenAPI operationIds, example: ['leadsAll', 'companiesAll', 'contactsAll']
openApiOperation (String) : References to a combination of the OpenAPI method & path (example: GET::/crm/leads
)
excludeForOperations (Array | optional) : References to OpenAPI operations that will be skipped for targeting, example: ["leadsAdd", "GET::/crm/leads/{id}"]
tests (Array) : Array of additional Postman test scripts.
overwrite (Boolean true/false | Default: false) : Resets all generateTests and overwrites them with the defined tests from
the tests
array.
append (Boolean true/false | Default: true) : Place the tests after (append) or before (prepend) all generated tests.
assignVariables
propertiesThe "assignVariables" allows you to set Postman collection variables for easier automation.
openApiOperationId (String) : Reference to the OpenAPI operationId for which the Postman pm.collectionVariables will be set. (example: leadsAll
)
openApiOperationIds (Array) : References to an array of OpenAPI operationIds, for which the Postman pm.collectionVariables will be set. example: ['leadsAll', 'companiesAll', 'contactsAll']
openApiOperation (String) : Reference to the combination of the OpenAPI method & path, for which the Postman pm.collectionVariables will be set. (example: GET::/crm/leads
)
excludeForOperations (Array | optional) : References to OpenAPI operations that will be skipped for targeting, example: ["leadsAdd", "GET::/crm/leads/{id}"]
collectionVariables (Array) : Array of key/value pairs to set the Postman collection variables.
For more details, review the assign-variables example.
overwrites
propertiesTo facilitate automation, you might want to modify properties with "randomized" or specific values. The overwrites are mapped based on the OpenAPI operationId or OpenAPI Operation reference.
openApiOperationId (String) : Reference to the OpenAPI operationId for which the Postman request will be overwritten or extended. (example: leadsAll
)
openApiOperationIds (Array) : References to an array of OpenAPI operationIds, for which the Postman request will be overwritten or extended (example: ['leadsAll', 'companiesAll', 'contactsAll']
)
openApiOperation (String) : Reference to combination of the OpenAPI method & path, for which the Postman request will be overwritten or extended (example: GET::/crm/leads
)
excludeForOperations (Array | optional) : References to OpenAPI operations that will be skipped for targeting. (example: ["leadsAdd", "GET::/crm/leads/{id}"]
)
overwriteRequestQueryParams (Array) :
Array of key/value pairs to overwrite in the Postman Request Query params.
{{$guid}}
or {{$randomInt}}
.overwriteRequestPathVariables (Array) :
Array of key/value pairs to overwrite in the Postman Request Path Variables.
{{$guid}}
or {{$randomInt}}
.overwriteRequestHeaders (Array) :
Array of key/value pairs to overwrite in the Postman Request Headers.
{{$guid}}
or {{$randomInt}}
.overwriteRequestBody (Array) :
Array of key/value pairs to overwrite in the Postman Request Body.
{{$guid}}
or {{$randomInt}}
.overwriteRequestSecurity (Object) :
A Postman RequestAuthDefinition object that will be applied to the request.
For more details, review the overwrites example.
operationPreRequestScripts
propertiesThe operationPreRequestScripts
configuration will inject pre-request scripts in the Postman collection, on request level.
Postman executes pre-request scripts before a request runs. If you want to set the Postman Collection pre-request scripts on the collection level, you can use the globals
> collectionPreRequestScripts
configuration.
The operationPreRequestScripts
is inserted on the request level.
openApiOperationId (String) : Reference to the OpenAPI operationId on which the "Pre-request Scripts" will be inserted. (example: leadsAll
)
openApiOperationIds (Array) : References to an array of OpenAPI operationIds, for which the "Pre-request Scripts" will be inserted (example: ['leadsAll', 'companiesAll', 'contactsAll']
openApiOperation (String) : Reference to combination of the OpenAPI method & path, for which the "Pre-request Scripts" will be inserted (example: GET::/crm/leads
)
excludeForOperations (Array | optional) : References to OpenAPI operations that will be skipped for targeting. (example: ["leadsAdd", "GET::/crm/leads/{id}"]
)
scripts (Array) : Array of scripts that will be injected as Postman Pre-request Scripts on request level, that will be executed before the targeted requests in this collection.
globals
propertyThe configuration defined in the globals
will be executed on the full Postman collection. This is handy if you need to do mass replacements of variables or specific words/keys/values in the full collection that cannot be overwritten per request.
orderOfOperations
is a list of OpenAPI operations, which is used by Portman to sort the Postman requests in the desired order, in their folder. Items that are not defined in the orderOfOperations
list will remain at their current order.The security overwrites provides a number of security types:
header
for "Header" or query
for "Query Params"."securityOverwrites": {
"apiKey": {
"value": "{{apiKey}}"
}
}
"securityOverwrites": {
"bearer": {
"token": "{{bearerToken}}"
}
}
"securityOverwrites": {
"basic": {
"username": "{{username}}",
"password": "{{password}}",
}
}
For more details on the globals
configuration options , review the globals example and ordering example
REMARK: Portman does not require you to have a Postman account.
In case you want to sync the generated Postman collection with the Postman app (portman --syncPostman
), you would need a Postman account since Portman leverages the Postman API to sync the collection.
This can be a "free" Postman account or any of the paid Postman plans.
The generated Postman collection can always be imported manually, without a Postman account.
To enable automatic uploads of the generated Postman collection through Portman, follow these steps:
Goto the root folder of your project
Copy ./env-postman-app-example
as .env
in the root folder of
Enter your Postman API key in your local .env
It is recommended to put a separate .env
file lives in the root of your project to hold your POSTMAN_API_KEY
.
Do not commit this .env
in any version systems like GIT since it contains credentials.
Portman started as a PR on the handy openapi-to-postman package to generate basic Postman tests from the OpenAPI specification.
Apideck immediately saw the PR's value and collaborated with the original author, Tim Haselaars, to adopt the functionality and extend the options & tooling to create "Portman".
The goal of Portman is to drive API automation by 'porting' a static OpenAPI document to a dynamic Postman collection that includes a powerful testing suite with variable requests, bodies and more. All this while being easy to configure & ready to use.
Portman is a valuable tool in any OpenAPI workflow, for local development or as part of a CI/CD automation pipeline.
Credits for this package for the hard work of Nick Lloyd and Tim Haselaars.
v1.8.2 - (2021-09-17)
FAQs
Port OpenAPI Spec to Postman Collection, with contract & variation tests included
The npm package @apideck/portman receives a total of 7,900 weekly downloads. As such, @apideck/portman popularity was classified as popular.
We found that @apideck/portman demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover the risks of a malicious Python package targeting Discord developers.
Security News
The UK is proposing a bold ban on ransomware payments by public entities to disrupt cybercrime, protect critical services, and lead global cybersecurity efforts.
Security News
Snyk's use of malicious npm packages for research raises ethical concerns, highlighting risks in public deployment, data exfiltration, and unauthorized testing.