ploeh blog danish software design

An applicative functor containing monoidal values itself forms a monoid.

This article is an instalment in an article series about applicative functors. An applicative functor is a data container that supports combinations. If an applicative functor contains values of a type that gives rise to a monoid, then the functor itself forms a monoid.

In a previous article you learned that lazy computations of monoids remain monoids. Furthermore, a lazy computation is an applicative functor, and it turns out that the result generalises. The result regarding lazy computation is just a special case.

Monap #

Since version 4.11 of Haskell's base library, Monoid is a subset of Semigroup, so in order to create a Monoid instance, you must first define a Semigroup instance.

In order to escape the need for flexible contexts, you'll have to define a wrapper newtype that'll be the instance. What should you call it? It's going to be an applicative functor of monoids, so perhaps something like ApplicativeMonoid? Nah, that's too long. AppMon, then? Sure, but how about flipping the terms: MonApp? That's better. Let's drop the last p and dispense with the Pascal case: Monap.

Monap almost looks like Monad, only with the last letter rotated half a revolution. This should allow for maximum confusion.

To be clear, I normally don't advocate for droll word play when writing production code, but I occasionally do it in articles and presentations. The Monap in this article exists only to illustrate a point. It's not intended to be used. Furthermore, this article doesn't discuss monads at all, so the risk of confusion should, hopefully, be minimised. I may, however, regret this decision...

Applicative semigroup #

First, introduce the wrapper newtype:

newtype Monap f a = Monap { runMonap :: f a } deriving (Show, Eq)

This only states that there's a type called Monap that wraps some higher-kinded type f a; that is, a container f of values of the type a. The intent is that f is an applicative functor, hence the use of the letter f, but the type itself doesn't constrain f to any type class.

The Semigroup instance does, though:

instance (Applicative f, Semigroup a) => Semigroup (Monap f a) where
  (Monap x) <> (Monap y) = Monap $ liftA2 (<>) x y

This states that when f is a Applicative instance, and a is a Semigroup instance, then Monap f a is also a Semigroup instance.

Here's an example of combining two applicative semigroups:

λ> Monap (Just (Max 42)) <> Monap (Just (Max 1337))
Monap {runMonap = Just (Max {getMax = 1337})}

This example uses the Max semigroup container, and Maybe as the applicative functor. For Max, the <> operator returns the value that contains the highest value, which in this case is 1337.

It even works when the applicative functor in question is IO:

λ> runMonap $ Monap (Sum <$> randomIO @Word8) <> Monap (Sum <$> randomIO @Word8)
Sum {getSum = 165}

This example uses randomIO to generate two random values. It uses the TypeApplications GHC extension to make randomIO generate Word8 values. Each random number is projected into the Sum container, which means that <> will add the numbers together. In the above example, the result is 165, but if you evaluate the expression a second time, you'll most likely get another result:

λ> runMonap $ Monap (Sum <$> randomIO @Word8) <> Monap (Sum <$> randomIO @Word8)
Sum {getSum = 246}

You can also use linked list ([]) as the applicative functor. In this case, the result may be surprising (depending on what you expect):

λ> Monap [Product 2, Product 3] <> Monap [Product 4, Product 5, Product 6]
Monap {runMonap = [Product {getProduct = 8},Product {getProduct = 10},Product {getProduct = 12},
                   Product {getProduct = 12},Product {getProduct = 15},Product {getProduct = 18}]}

Notice that we get all the combinations of products: 2 multiplied with each element in the second list, followed by 3 multiplied by each of the elements in the second list. This shouldn't be that startling, though, since you've already, previously in this article series, seen several examples of how an applicative functor implies combinations.

Applicative monoid #

With the Semigroup instance in place, you can now add the Monoid instance:

instance (Applicative f, Monoid a) => Monoid (Monap f a) where
  mempty = Monap $ pure $ mempty

This is straightforward: you take the identity (mempty) of the monoid a, promote it to the applicative functor f with pure, and finally put that value into the Monap wrapper.

This works fine as well:

λ> mempty :: Monap Maybe (Sum Integer)
Monap {runMonap = Just (Sum {getSum = 0})}

λ> mempty :: Monap [] (Product Word8)
Monap {runMonap = [Product {getProduct = 1}]}

The identity laws also seem to hold:

λ> Monap (Right mempty) <> Monap (Right (Sum 2112))
Monap {runMonap = Right (Sum {getSum = 2112})}

λ> Monap ("foo", All False) <> Monap mempty
Monap {runMonap = ("foo",All {getAll = False})}

The last, right-identity example is interesting, because the applicative functor in question is a tuple. Tuples are Applicative instances when the first, or left, element is a Monoid instance. In other words, f is, in this case, (,) String. The Monoid instance that Monap sees as a, on the other hand, is All.

Since tuples of monoids are themselves monoids, however, I can get away with writing Monap mempty on the right-hand side, instead of the more elaborate template the other examples use:

λ> Monap ("foo", All False) <> Monap ("", mempty)
Monap {runMonap = ("foo",All {getAll = False})}

or perhaps even:

λ> Monap ("foo", All False) <> Monap (mempty, mempty)
Monap {runMonap = ("foo",All {getAll = False})}

Ultimately, all three alternatives mean the same.

Associativity #

As usual, I'm not going to do the work of formally proving that the monoid laws hold for the Monap instances, but I'd like to share some QuickCheck properties that indicate that they do, starting with a property that verifies associativity:

assocLaw :: (Eq a, Show a, Semigroup a) => a -> a -> a -> Property
assocLaw x y z = (x <> y) <> z === x <> (y <> z)

This property is entirely generic. It'll verify associativity for any Semigroup a, not only for Monap. You can, however, run it for various Monap types, as well. You'll see how this is done a little later.

Identity #

Likewise, you can write two properties that check left and right identity, respectively.

leftIdLaw :: (Eq a, Show a, Monoid a) => a -> Property
leftIdLaw x = x === mempty <> x

rightIdLaw :: (Eq a, Show a, Monoid a) => a -> Property
rightIdLaw x = x === x <> mempty

Again, this is entirely generic. These properties can be used to test the identity laws for any monoid, including Monap.

Properties #

You can run each of these properties multiple time, for various different functors and monoids. As Applicative instances, I've used Maybe, [], (,) Any, and Identity. As Monoid instances, I've used String, Sum Integer, Max Int16, and [Float]. Notice that a list ([]) is both an applicative functor as well as a monoid. In this test set, I've used it in both roles.

tests =
  [
    testGroup "Properties" [
      testProperty "Associativity law, Maybe String" (assocLaw @(Monap Maybe String)),
      testProperty "Left identity law, Maybe String" (leftIdLaw @(Monap Maybe String)),
      testProperty "Right identity law, Maybe String" (rightIdLaw @(Monap Maybe String)),
      testProperty "Associativity law, [Sum Integer]" (assocLaw @(Monap [] (Sum Integer))),
      testProperty "Left identity law, [Sum Integer]" (leftIdLaw @(Monap [] (Sum Integer))),
      testProperty "Right identity law, [Sum Integer]" (rightIdLaw @(Monap [] (Sum Integer))),
      testProperty "Associativity law, (Any, Max Int8)" (assocLaw @(Monap ((,) Any) (Max Int8))),
      testProperty "Left identity law, (Any, Max Int8)" (leftIdLaw @(Monap ((,) Any) (Max Int8))),
      testProperty "Right identity law, (Any, Max Int8)" (rightIdLaw @(Monap ((,) Any) (Max Int8))),
      testProperty "Associativity law, Identity [Float]" (assocLaw @(Monap Identity [Float])),
      testProperty "Left identity law, Identity [Float]" (leftIdLaw @(Monap Identity [Float])),
      testProperty "Right identity law, Identity [Float]" (rightIdLaw @(Monap Identity [Float]))
    ]
  ]

All of these properties pass.

Summary #

It seems that any applicative functor that contains monoidal values itself forms a monoid. The Monap type presented in this article only exists to demonstrate this conjecture; it's not intended to be used.

If it holds, I think it's an interesting result, because it further enables you to reason about the properties of complex systems, based on the properties of simpler systems.

Next: Bifunctors.

Comments

public static Tuple<Guid, TResult> Apply<TResult, T>(
    this Tuple<Guid, Func<T, TResult>> selector,
    Tuple<Guid, T> source)
{
    throw new NotImplementedException("What would you write here?");
}

public static Tuple<Guid, int> Add(this Tuple<Guid, int> x, Tuple<Guid, int> y)
{
    throw new NotImplementedException("What would you write here?");
}

public static Tuple<string, TResult> Apply<TResult, T>(
    this Tuple<string, Func<T, TResult>> selector,
    Tuple<string, T> source)
{
    return Tuple.Create(
        selector.Item1 + source.Item1,
        selector.Item2(source.Item2));
}
 
public static Tuple<string, int> Add(this Tuple<string, int> x, Tuple<string, int> y)
{
    return Tuple.Create(x.Item1 + y.Item1, x.Item2 + y.Item2);
}

Monoid a => Applicative ((,) a)

pure x = (mempty, x)

public static Tuple<string, T> Pure<T>(this T x)
{
    return Tuple.Create("", x);
}

Prelude Data.Monoid> pure 42 :: (String, Int)
("",42)

Lazy monoids are monoids. An article for object-oriented programmers.

This article is part of a series about monoids. In short, a monoid is an associative binary operation with a neutral element (also known as identity). Previous articles have shown how more complex monoids arise from simpler monoids, such as tuple monoids, function monoids, and Maybe monoids. This article shows another such result: how lazy computations of monoids itself form monoids.

You'll see how simple this is through a series of examples. Specifically, you'll revisit several of the examples you've already seen in this article series.

Lazy addition #

Perhaps the most intuitive monoid is addition. Lazy addition forms a monoid as well. In C#, you can implement this with a simple extension method:

public static Lazy<int> Add(this Lazy<int> x, Lazy<int> y)
{
    return new Lazy<int>(() => x.Value + y.Value);
}

This Add method simply adds two lazy integers together in a lazy computation. You use it like any other extension method:

Lazy<int> x = // ...
Lazy<int> y = // ... 
Lazy<int> sum = x.Add(y);

I'll spare you the tedious listing of FsCheck-based properties that demonstrate that the monoid laws hold. We'll look at an example of such a set of properties later in this article, for one of the other monoids.

Lazy multiplication #

Not surprisingly, I hope, you can implement multiplication over lazy numbers in the same way:

public static Lazy<int> Multiply(this Lazy<int> x, Lazy<int> y)
{
    return new Lazy<int>(() => x.Value * y.Value);
}

Usage is similar to lazy addition:

Lazy<int> x = // ...
Lazy<int> y = // ...
Lazy<int> product = x.Multiply(y);

As is the case with lazy addition, this Multiply method currently only works with lazy int values. If you also want it to work with long, short, or other types of numbers, you'll have to add method overloads.

Lazy Boolean monoids #

There are four monoids over Boolean values, although I've customarily only shown two of them: and and or. These also, trivially, work with lazy Boolean values:

public static Lazy<bool> And(this Lazy<bool> x, Lazy<bool> y)
{
    return new Lazy<bool>(() => x.Value && y.Value);
}
 
public static Lazy<bool> Or(this Lazy<bool> x, Lazy<bool> y)
{
    return new Lazy<bool>(() => x.Value || y.Value);
}

Given the previous examples, you'll hardly be surprised to see how you can use one of these extension methods:

Lazy<bool> x = // ...
Lazy<bool> y = // ...
Lazy<bool> b = x.And(y);

Have you noticed a pattern in how the lazy binary operations Add, Multiply, And, and Or are implemented? Could this be generalised?

Lazy angular addition #

In a previous article you saw how angular addition forms a monoid. Lazy angular addition forms a monoid as well, which you can implement with another extension method:

public static Lazy<Angle> Add(this Lazy<Angle> x, Lazy<Angle> y)
{
    return new Lazy<Angle>(() => x.Value.Add(y.Value));
}

Until now, you may have noticed that all the extension methods seemed to follow a common pattern that looks like this:

return new Lazy<Foo>(() => x.Value ⋄ y.Value);

I've here used the diamond operator ⋄ as a place-holder for any sort of binary operation. My choice of that particular character is strongly influenced by Haskell, where semigroups and monoids polymorphically are modelled with (among other options) the <> operator.

The lazy angular addition implementation looks a bit different, though. This is because the original example uses an instance method to model the binary operation, instead of an infix operator such as +, &&, and so on. Given that the implementation of a lazy binary operation can also look like this, can you still imagine a generalisation?

Lazy string concatenation #

If we follow the rough ordering of examples introduced in this article series about monoids, we've now reached concatenation as a monoid. While various lists, arrays, and other sorts of collections also form a monoid over concatenation, in .NET, IEnumerable<T> already enables lazy evaluation, so I think it's more interesting to consider lazy string concatenation.

The implementation, however, holds few surprises:

public static Lazy<string> Concat(this Lazy<string> x, Lazy<string> y)
{
    return new Lazy<string>(() => x.Value + y.Value);
}

The overall result, so far, seems encouraging. All the basic monoids we've covered are also monoids when lazily computed.

Lazy money addition #

The portfolio example from Kent Beck's book Test-Driven Development By Example also forms a monoid. You can, again, implement an extension method that enables you to add lazy expressions together:

public static Lazy<IExpression> Plus(
    this Lazy<IExpression> source,
    Lazy<IExpression> addend)
{
    return new Lazy<IExpression>(() => source.Value.Plus(addend.Value));
}

So far, you've seen several examples of implementations, but are they really monoids? All are clearly binary operations, but are they associative? Do identities exist? In other words, do the lazy binary operations obey the monoid laws?

As usual, I'm not going to prove that they do, but I do want to share a set of FsCheck properties that demonstrate that the monoid laws hold. As an example, I'll share the properties for this lazy Plus method, but you can write similar properties for all of the above methods as well.

You can verify the associativity law like this:

public void LazyPlusIsAssociative(
    Lazy<IExpression> x,
    Lazy<IExpression> y,
    Lazy<IExpression> z)
{
    Assert.Equal(
        x.Plus(y).Plus(z),
        x.Plus(y.Plus(z)),
        Compare.UsingBank);
}

Here, Compare.UsingBank is just a test utility API to make the code more readable:

public static class Compare
{
    public static ExpressionEqualityComparer UsingBank =
        new ExpressionEqualityComparer();
}

This takes advantage of the overloads for xUnit.net's Assert methods that take custom equality comparers as an extra, optional argument. ExpressionEqualityComparer is implemented in the test code base:

public class ExpressionEqualityComparer :
    IEqualityComparer<IExpression>, IEqualityComparer<Lazy<IExpression>>
{
    private readonly Bank bank;
 
    public ExpressionEqualityComparer()
    {
        bank = new Bank();
        bank.AddRate("CHF", "USD", 2);
    }
 
    public bool Equals(IExpression x, IExpression y)
    {
        var xm = bank.Reduce(x, "USD");
        var ym = bank.Reduce(y, "USD");
        return object.Equals(xm, ym);
    }
 
    public int GetHashCode(IExpression obj)
    {
        return bank.Reduce(obj, "USD").GetHashCode();
    }
 
    public bool Equals(Lazy<IExpression> x, Lazy<IExpression> y)
    {
        return Equals(x.Value, y.Value);
    }
 
    public int GetHashCode(Lazy<IExpression> obj)
    {
        return GetHashCode(obj.Value);
    }
}

If you think that the exchange rate between Dollars and Swiss Francs looks ridiculous, it's because I'm using the rate that Kent Beck used in his book, which is from 2002 (but otherwise timeless).

The above property passes for hundreds of randomly generated input values, as is the case for this property, which verifies the left and right identity:

public void LazyPlusHasIdentity(Lazy<IExpression> x)
{
    Assert.Equal(x, x.Plus(Plus.Identity.ToLazy()), Compare.UsingBank);
    Assert.Equal(x, Plus.Identity.ToLazy().Plus(x), Compare.UsingBank);
}

These properties are just examples, not proofs. Still, they give confidence that lazy computations of monoids are themselves monoids.

Lazy Roster combinations #

The last example you'll get in this article is the Roster example from the article on tuple monoids. Here's yet another extension method that enables you to combine two lazy rosters:

public static Lazy<Roster> Combine(this Lazy<Roster> x, Lazy<Roster> y)
{
    return new Lazy<Roster>(() => x.Value.Combine(y.Value));
}

At this point it should be clear that there's essentially two variations in how the above extension methods are implemented. One variation is when the binary operation is implemented with an infix operator (like +, ||, and so on), and another variation is when it's modelled as an instance method. How do these implementations generalise?

I'm sure you could come up with an ad-hoc higher-order function, abstract base class, or interface to model such a generalisation, but I'm not motivated by saving keystrokes. What I'm trying to uncover with this overall article series is how universal abstractions apply to programming.

Which universal abstraction is in play here?

Lazy monoids as applicative operations #

Lazy<T> forms an applicative functor. Using appropriate Apply overloads, you can rewrite all the above implementations in applicative style. Here's lazy addition:

public static Lazy<int> Add(this Lazy<int> x, Lazy<int> y)
{
    Func<int, int, int> f = (i, j) => i + j;
    return f.Apply(x).Apply(y);
}

This first declares a Func value f that invokes the non-lazy binary operation, in this case +. Next, you can leverage the applicative nature of Lazy<T> to apply f to the two lazy values x and y.

Multiplication, as well as the Boolean operations, follow the exact same template:

public static Lazy<int> Multiply(this Lazy<int> x, Lazy<int> y)
{
    Func<int, int, int> f = (i, j) => i * j;
    return f.Apply(x).Apply(y);
}
 
public static Lazy<bool> And(this Lazy<bool> x, Lazy<bool> y)
{
    Func<bool, bool, bool> f = (b1, b2) => b1 && b2;
    return f.Apply(x).Apply(y);
}
 
public static Lazy<bool> Or(this Lazy<bool> x, Lazy<bool> y)
{
    Func<bool, bool, bool> f = (b1, b2) => b1 || b2;
    return f.Apply(x).Apply(y);
}

Notice that in all four implementations, the second line of code is verbatim the same: return f.Apply(x).Apply(y);

Does this generalisation also hold when the underlying, non-lazy binary operation is modelled as an instance method, as is the case of e.g. angular addition? Yes, indeed:

public static Lazy<Angle> Add(this Lazy<Angle> x, Lazy<Angle> y)
{
    Func<Angle, Angle, Angle> f = (i, j) => i.Add(j);
    return f.Apply(x).Apply(y);
}

You can implement the Combine method for lazy Roster objects in the same way, as well as Plus for lazy monetary expressions. The latter is worth revisiting.

Using the Lazy functor over portfolio expressions #

The lazy Plus implementation looks like all of the above Apply-based implementations:

public static Lazy<IExpression> Plus(
    this Lazy<IExpression> source, Lazy<IExpression> addend)
{
    Func<IExpression, IExpression, IExpression> f = (x, y) => x.Plus(y);
    return f.Apply(source).Apply(addend);
}

In my article, however, you saw how, when Plus is a monoid, you can implement Times as an extension method. Can you implement a lazy version of Times as well? Must it be another extension method?

Yes, but instead of an ad-hoc implementation, you can take advantage of the functor nature of Lazy:

public static Lazy<IExpression> Times(this Lazy<IExpression> exp, int multiplier)
{
    return exp.Select(x => x.Times(multiplier));
}

Notice that instead of explicitly reaching into the lazy Value, you can simply call Select on exp. This lazily projects the Times operation, while preserving the invariants of Lazy<T> (i.e. that the computation is deferred until you ultimately access the Value property).

You can implement a lazy version of Reduce in the same way:

public static Lazy<Money> Reduce(this Lazy<IExpression> exp, Bank bank, string to)
{
    return exp.Select(x => x.Reduce(bank, to));
}

The question is, however, is it even worthwhile? Do you need to create all these overloads, or could you just leverage Select when you have a lazy value?

For example, if the above Reduce overload didn't exist, you'd still be able to work with the portfolio API like this:

Lazy<IExpression> portfolio = // ...
Lazy<Money> result = portfolio.Select(x => x.Reduce(bank, "USD"));

If you only occasionally use Reduce, then perhaps this is good enough. If you frequently call Reduce, however, it might be worth to add the above overload, in which case you could then instead write:

Lazy<IExpression> portfolio = // ...
Lazy<Money> result = portfolio.Reduce(bank, "USD");

In both cases, however, I think that you'd be putting the concept of an applicative functor to good use.

Towards generalisation #

Is the applicative style better than the initial ad-hoc implementations? That depends on how you evaluate 'better'. If you count lines of code, then the applicative style is twice as verbose as the ad-hoc implementations. In other words, this:

return new Lazy<int>(() => x.Value + y.Value);

seems simpler than this:

Func<int, int, int> f = (i, j) => i + j;
return f.Apply(x).Apply(y);

This is, however, mostly because C# is too weak to express such abstractions in an elegant way. In F#, using the custom <*> operator from the article on the Lazy applicative functor, you could express the lazy addition as simply as:

lazy (+) <*> x <*> y

In Haskell (if we, once more, pretend that Identity is equivalent to Lazy), you can simplify even further to:

(+) <$> x <*> y

Or rather, if you want it in point-free style, liftA2 (+).

Summary #

The point of this article series isn't to save keystrokes, but to identify universal laws of computing, even as they relate to object-oriented programming. The pattern seems clear enough that I dare propose the following:

All monoids remain monoids under lazy computation.

In a future article I'll offer further support for that proposition.

Next: Monoids accumulate.

Ad-hoc Test Spies can be implemented in Haskell using the Writer monad.

In a previous article on state-based testing in Haskell, I made the following throw-away statement:

"you could write an ad-hoc Mock using, for example, the Writer monad"

Test Double continuum #

More than a decade ago, I wrote an MSDN Magazine article called Exploring The Continuum Of Test Doubles. It was in the September 2007 issue, and you can also download the entire issue as a single file and read the article offline, should you want to.

In the article, I made the argument that the classification of Test Doubles presented in the excellent xUnit Test Patterns should be thought of more as a continuum with vague and fuzzy transitions, rather than discrete categories.

This figure appeared in the original article. Given that the entire MSDN Magazine issue is available for free, and that I'm the original author of the article, I consider it fair use to repeat it here.

The point is that it's not always clear whether a Test Double is, say, a Mock, or a Spy. What I'll show you in this article is closer to a Test Spy than to a Mock, but since the distinction is blurred anyway, I think that I can get away with it.

Test Spy #

xUnit Test Patterns defines a Test Spy as a Test Double that captures "the indirect output calls made to another component by the SUT [System Under Test] for later verification by the test." When, as shown in a previous article, you use Mock<T>.Verify to assert than an interaction took place, you're using the Test Double more as a Spy than a Mock:

repoTD.Verify(r => r.Update(user));

Strictly speaking, a Mock is a Test Double that immediately fails the test if any unexpected interaction takes place. People often call those Strict Mocks, but according to the book, that's a Mock. If the Test Double only records what happens, so that you can later query it to verify whether some interaction took place, it's closer to being a Test Spy.

Whether you call it a Mock or a Spy, you can implement verification similar to the above Verify method in functional programming using the Writer monad.

Writer-based Spy #

I'll show you a single example in Haskell. In a previous article, you saw a simplified function to implement a restaurant reservation feature, repeated here for your convenience:

tryAccept :: Int -> Reservation -> MaybeT ReservationsProgram Int
tryAccept capacity reservation = do
  guard =<< isReservationInFuture reservation
 
  reservations <- readReservations $ reservationDate reservation
  let reservedSeats = sum $ reservationQuantity <$> reservations
  guard $ reservedSeats + reservationQuantity reservation <= capacity
 
  create $ reservation { reservationIsAccepted = True }

This function runs in the MaybeT monad, so the two guard functions could easily prevent if from running 'to completion'. In the happy path, though, execution should reach 'the end' of the function and call the create function.

In order to test this happy path, you'll need to not only run a test-specific interpreter over the ReservationsProgram free monad, you should also verify that reservationIsAccepted is True.

You can do this using the Writer monad to implement a Test Spy:

testProperty "tryAccept, happy path" $ \
  (NonNegative i)
  (fmap getReservation -> reservations)
  (ArbReservation reservation)
  expected
  ->
  let spy (IsReservationInFuture _ next) = return $ next True
      spy (ReadReservations _ next) = return $ next reservations
      spy (Create r next) = tell [r] >> return (next expected)
      reservedSeats = sum $ reservationQuantity <$> reservations
      capacity = reservedSeats + reservationQuantity reservation + i
 
      (actual, observedReservations) =
        runWriter $ foldFreeT spy $ runMaybeT $ tryAccept capacity reservation
 
  in  Just expected == actual &&
      [True] == (reservationIsAccepted <$> observedReservations)

This test is an inlined QuickCheck-based property. The entire source code is available on GitHub.

Notice the spy function. As the name implies, it's the Test Spy for the test. Its full type is:

spy :: Monad m => ReservationsInstruction a -> WriterT [Reservation] m a

This is a function that, for a given ReservationsInstruction value returns a WriterT value where the type of data being written is [Reservation]. The function only writes to the writer context in one of the three cases: the Create case. The Create case carries with it a Reservation value here named r. Before returning the next step in interpreting the free monad, the spy function calls tell, thereby writing a singleton list of [r] to the writer context.

In the Act phase of the test, it calls the tryAccept function and proceeds to interpret the result, which is a MaybeT ReservationsProgram Int value. Calling runMaybeT produces a ReservationsProgram (Maybe Int), which you can then interpret with foldFreeT spy. This returns a Writer [Reservation] (Maybe Int), which you can finally run with runWriter to get a (Maybe Int, [Reservation]) tuple. Thus, actual is a Maybe Int value, and observedReservations is a [Reservation] value - the reservation that was written by spy using tell.

The Assert phase of the test is a Boolean expression that checks that actual is as expected, and that reservationIsAccepted of the observed reservation is True.

It takes a little while to make the pieces of the puzzle fit, but it's basically just standard Haskell library functions clicked together.

Summary #

People sometimes ask me: How do Mocks and Stubs work in functional programming?

In general, my answer is that you don't need Mocks and Stubs because when functions are pure, you don't need to to test interactions. Sooner or later, though, you may run into higher-level interactions, even if they're pure interactions, and you'll likely want to unit test those.

In a previous article you saw how to apply state-based testing in Haskell, using the State monad. In this article you've seen how you can create ad-hoc Mocks or Spies with the Writer monad. No auto-magical test-specific 'isolation frameworks' are required.

An example of avoiding Mocks and Stubs in C# unit testing.

This article is an instalment in an article series about how to move from interaction-based testing to state-based testing. In the previous article, you saw an example of a pragmatic state-based test in F#. You can now take your new-found knowledge and apply it to the original C# example.

In the spirit of xUnit Test Patterns, in this article you'll see how to refactor the tests while keeping the implementation code constant.

The code shown in this article is available on GitHub.

Connect two users #

The previous article provides more details on the System Under Test (SUT), but here it is, repeated, for your convenience:

public class ConnectionsController : ApiController
{
    public ConnectionsController(
        IUserReader userReader,
        IUserRepository userRepository)
    {
        UserReader = userReader;
        UserRepository = userRepository;
    }
 
    public IUserReader UserReader { get; }
    public IUserRepository UserRepository { get; }
 
    public IHttpActionResult Post(string userId, string otherUserId)
    {
        var userRes = UserReader.Lookup(userId).SelectError(
            error => error.Accept(UserLookupError.Switch(
                onInvalidId: "Invalid user ID.",
                onNotFound:  "User not found.")));
        var otherUserRes = UserReader.Lookup(otherUserId).SelectError(
            error => error.Accept(UserLookupError.Switch(
                onInvalidId: "Invalid ID for other user.",
                onNotFound:  "Other user not found.")));
 
        var connect =
            from user in userRes
            from otherUser in otherUserRes
            select Connect(user, otherUser);
 
        return connect.SelectBoth(Ok, BadRequest).Bifold();
    }
 
    private User Connect(User user, User otherUser)
    {
        user.Connect(otherUser);
        UserRepository.Update(user);
 
        return otherUser;
    }
}

This implementation code is a simplification of the code example that serves as an example running through my two Clean Coders videos, Church Visitor and Preserved in translation.

A Fake database #

As in the previous article, you can define a test-specific Fake database:

public class FakeDB : Collection<User>, IUserReader, IUserRepository
{
    public IResult<User, IUserLookupError> Lookup(string id)
    {
        if (!(int.TryParse(id, out int i)))
            return Result.Error<User, IUserLookupError>(UserLookupError.InvalidId);
 
        var user = this.FirstOrDefault(u => u.Id == i);
        if (user == null)
            return Result.Error<User, IUserLookupError>(UserLookupError.NotFound);
 
        return Result.Success<User, IUserLookupError>(user);
    }
 
    public bool IsDirty { get; set; }
 
    public void Update(User user)
    {
        IsDirty = true;
        if (!Contains(user))
            Add(user);
    }
}

This is one of the few cases where I find inheritance more convenient than composition. By deriving from Collection<User>, you don't have to explicitly write code to expose a Retrieval Interface. The entirety of a standard collection API is already available via the base class. Had this class been part of a public API, I'd be concerned that inheritance could introduce future breaking changes, but as part of a suite of unit tests, I hope that I've made the right decision.

Although you can derive a Fake database from a base class, you can still implement required interfaces - in this case IUserReader and IUserRepository. The Update method is the easiest one to implement, since it simply sets the IsDirty flag to true and adds the user if it's not already part of the collection.

The IsDirty flag is the only custom Retrieval Interface added to the FakeDB class. As the previous article explains, this flag provides a convenient was to verify whether or not the database has changed.

The Lookup method is a bit more involved, since it has to support all three outcomes implied by the protocol:

• If the id is invalid, a result to that effect is returned.
• If the user isn't found, a result to that effect is returned.
• If the user with the requested id is found, then that user is returned.

Happy path test case #

This is all you need in terms of Test Doubles. You now have a test-specific IUserReader and IUserRepository implementation that you can pass to the Post method. Notice that a single class implements multiple interfaces. This is often key to be able to implement a Fake object in the first place.

Like in the previous article, you can start by exercising the happy path where a user successfully connects with another user:

[Theory, UserManagementTestConventions]
public void UsersSuccessfullyConnect(
    [Frozen(Matching.ImplementedInterfaces)]FakeDB db,
    User user,
    User otherUser,
    ConnectionsController sut)
{
    db.Add(user);
    db.Add(otherUser);
    db.IsDirty = false;
 
    var actual = sut.Post(user.Id.ToString(), otherUser.Id.ToString());
 
    var ok = Assert.IsAssignableFrom<OkNegotiatedContentResult<User>>(actual);
    Assert.Equal(otherUser, ok.Content);
    Assert.True(db.IsDirty);
    Assert.Contains(otherUser.Id, user.Connections);
}

This, and all other tests in this article use xUnit.net 2.3.1 and AutoFixture 4.1.0.

The test is organised according to my standard heuristic for formatting tests according to the Arrange Act Assert pattern. In the Arrange phase, it adds the two valid User objects to the Fake db and sets the IsDirty flag to false.

Setting the flag is necessary because this is object-oriented code, where objects have mutable state. In the previous articles with examples in F# and Haskell, the User types were immutable. Connecting two users didn't mutate one of the users, but rather returned a new User value, as this F# example demonstrates:

// User -> User -> User
let addConnection user otherUser =
    { user with ConnectedUsers = otherUser :: user.ConnectedUsers }

In the current object-oriented code base, however, connecting one user to another is an instance method on the User class that mutates its state:

public void Connect(User otherUser)
{
    connections.Add(otherUser.Id);
}

As a consequence, the Post method could, if someone made a mistake in its implementation, call user.Connect, but forget to invoke UserRepository.Update. Even if that happened, then all the other assertions would pass. This is the reason that you need the Assert.True(db.IsDirty) assertion in the Assert phase of the test.

While we can apply to object-oriented code what we've learned from functional programming, the latter remains simpler.

Error test cases #

While there's one happy path, there's four distinct error paths that you ought to cover. You can use the Fake database for that as well:

[Theory, UserManagementTestConventions]
public void UsersFailToConnectWhenUserIdIsInvalid(
    [Frozen(Matching.ImplementedInterfaces)]FakeDB db,
    string userId,
    User otherUser,
    ConnectionsController sut)
{
    Assert.False(int.TryParse(userId, out var _));
    db.Add(otherUser);
    db.IsDirty = false;
 
    var actual = sut.Post(userId, otherUser.Id.ToString());
 
    var err = Assert.IsAssignableFrom<BadRequestErrorMessageResult>(actual);
    Assert.Equal("Invalid user ID.", err.Message);
    Assert.False(db.IsDirty);
}
 
[Theory, UserManagementTestConventions]
public void UsersFailToConnectWhenOtherUserIdIsInvalid(
    [Frozen(Matching.ImplementedInterfaces)]FakeDB db,
    User user,
    string otherUserId,
    ConnectionsController sut)
{
    Assert.False(int.TryParse(otherUserId, out var _));
    db.Add(user);
    db.IsDirty = false;
 
    var actual = sut.Post(user.Id.ToString(), otherUserId);
 
    var err = Assert.IsAssignableFrom<BadRequestErrorMessageResult>(actual);
    Assert.Equal("Invalid ID for other user.", err.Message);
    Assert.False(db.IsDirty);
}
 
[Theory, UserManagementTestConventions]
public void UsersDoNotConnectWhenUserDoesNotExist(
    [Frozen(Matching.ImplementedInterfaces)]FakeDB db,
    int userId,
    User otherUser,
    ConnectionsController sut)
{
    db.Add(otherUser);
    db.IsDirty = false;
 
    var actual = sut.Post(userId.ToString(), otherUser.Id.ToString());
 
    var err = Assert.IsAssignableFrom<BadRequestErrorMessageResult>(actual);
    Assert.Equal("User not found.", err.Message);
    Assert.False(db.IsDirty);
}
 
[Theory, UserManagementTestConventions]
public void UsersDoNotConnectWhenOtherUserDoesNotExist(
    [Frozen(Matching.ImplementedInterfaces)]FakeDB db,
    User user,
    int otherUserId,
    ConnectionsController sut)
{
    db.Add(user);
    db.IsDirty = false;
 
    var actual = sut.Post(user.Id.ToString(), otherUserId.ToString());
 
    var err = Assert.IsAssignableFrom<BadRequestErrorMessageResult>(actual);
    Assert.Equal("Other user not found.", err.Message);
    Assert.False(db.IsDirty);
}

There's little to say about these tests that hasn't already been said in at least one of the previous articles. All tests inspect the state of the Fake database after calling the Post method. The exact interactions between Post and db aren't specified. Instead, these tests rely on setting up the initial state, exercising the SUT, and verifying the final state. These are all state-based tests that avoid over-specifying the interactions.

Specifically, none of these tests use Mocks and Stubs. In fact, at this incarnation of the test code, I was able to entirely remove the reference to Moq.

Summary #

The premise of Refactoring is that in order to be able to refactor, the "precondition is [...] solid tests". In reality, many development organisations have the opposite experience. When programmers attempt to make changes to how their code is organised, tests break. In xUnit Test Patterns this problem is called Fragile Tests, and the cause is often Overspecified Software. This means that tests are tightly coupled to implementation details of the SUT.

It's easy to inadvertently fall into this trap when you use Mocks and Stubs, even when you follow the rule of using Mocks for Commands and Stubs for Queries. Refactoring tests towards state-based testing with Fake objects, instead of interaction-based testing, could make test suites more robust to changes.

It's intriguing, though, that state-based testing is simpler in functional programming. In Haskell, you can simply write your tests in the State monad and compare the expected outcome to the actual outcome. Since state in Haskell is immutable, it's trivial to compare the expected with the actual state.

As soon as you introduce mutable state, structural equality is no longer safe, and instead you have to rely on other inspection mechanisms, such as the IsDirty flag seen in this, and the previous, article. This makes the tests slightly more brittle, because it tends to pull towards interaction-based testing.

While you can implement the State monad in both F# and C#, it's probably more pragmatic to express state-based tests using mutable state and the occasional IsDirty flag. As always, there's no panacea.

While this article concludes the series on moving towards state-based testing, I think that an appendix on Test Spies is in order.

Next: A pure Test Spy.

Comments

While F# is a functional-first language, it's okay to occasionally be pragmatic and use mutable state, for example to easily write some sustainable state-based tests.

This article is an instalment in an article series about how to move from interaction-based testing to state-based testing. In the previous article, you saw how to write state-based tests in Haskell. In this article, you'll see how to apply what you've learned in F#.

The code shown in this article is available on GitHub.

A function to connect two users #

This article, like the others in this series, implements an operation to connect two users. I explain the example in details in my two Clean Coders videos, Church Visitor and Preserved in translation.

Like in the previous Haskell example, in this article we'll start with the implementation, and then see how to unit test it.

// ('a -> Result<User,UserLookupError>) -> (User -> unit) -> 'a -> 'a -> HttpResponse<User>
let post lookupUser updateUser userId otherUserId =
    let userRes =
        lookupUser userId |> Result.mapError (function
            | InvalidId -> "Invalid user ID."
            | NotFound  -> "User not found.")
    let otherUserRes =
        lookupUser otherUserId |> Result.mapError (function
            | InvalidId -> "Invalid ID for other user."
            | NotFound  -> "Other user not found.")
 
    let connect = result {
        let! user = userRes
        let! otherUser = otherUserRes
        addConnection user otherUser |> updateUser
        return otherUser }
 
    match connect with Ok u -> OK u | Error msg -> BadRequest msg

While the original C# example used Constructor Injection, the above post function uses partial application for Dependency Injection. The two function arguments lookupUser and updateUser represent interactions with a database. Since functions are polymorphic, however, it's possible to replace them with Test Doubles.

A Fake database #

Like in the Haskell example, you can implement a Fake database in F#. It's also possible to implement the State monad in F#, but there's less need for it. F# is a functional-first language, but you can also write mutable code if need be. You could, then, choose to be pragmatic and base your Fake database on mutable state.

type FakeDB () =
    let users = Dictionary<int, User> ()
 
    member val IsDirty = false with get, set
 
    member this.AddUser user =
        this.IsDirty <- true
        users.Add (user.UserId, user)
 
    member this.TryFind i =
        match users.TryGetValue i with
        | false, _ -> None
        | true,  u -> Some u
 
    member this.LookupUser s =
        match Int32.TryParse s with
        | false, _ -> Error InvalidId
        | true, i ->
            match users.TryGetValue i with
            | false, _ -> Error NotFound
            | true, u -> Ok u
 
    member this.UpdateUser u =
        this.IsDirty <- true
        users.[u.UserId] <- u

This FakeDB type is a class that wraps a mutable dictionary. While it 'implements' LookupUser and UpdateUser, it also exposes what xUnit Test Patterns calls a Retrieval Interface: an API that tests can use to examine the state of the object.

Immutable values normally have structural equality. This means that two values are considered equal if they contain the same constituent values, and have the same structure. Mutable objects, on the other hand, typically have reference equality. This makes it harder to compare two objects, which is, however, what almost all unit testing is about. You compare expected state with actual state.

In the previous article, the Fake database was simply an immutable dictionary. This meant that tests could easily compare expected and actual values, since they were immutable. When you use a mutable object, like the above dictionary, this is harder. Instead, what I chose to do here was to introduce an IsDirty flag. This enables easy verification of whether or not the database changed.

Happy path test case #

This is all you need in terms of Test Doubles. You now have test-specific LookupUser and UpdateUser methods that you can pass to the post function.

Like in the previous article, you can start by exercising the happy path where a user successfully connects with another user:

[<Fact>]
let ``Users successfully connect`` () = Property.check <| property {
    let! user = Gen.user
    let! otherUser = Gen.withOtherId user
    let db = FakeDB ()
    db.AddUser user
    db.AddUser otherUser
 
    let actual = post db.LookupUser db.UpdateUser (string user.UserId) (string otherUser.UserId)
 
    test <@ db.TryFind user.UserId
            |> Option.exists
                (fun u -> u.ConnectedUsers |> List.contains otherUser) @>
    test <@ isOK actual @> }

All tests in this article use xUnit.net 2.3.1, Unquote 4.0.0, and Hedgehog 0.7.0.0.

This test first adds two valid users to the Fake database db. It then calls the post function, passing the db.LookupUser and db.UpdateUser methods as arguments. Finally, it verifies that the 'first' user's ConnectedUsers now contains the otherUser. It also verifies that actual represents a 200 OK HTTP response.

Missing user test case #

While there's one happy-path test case, there's four other test cases left. One of these is when the first user doesn't exist:

[<Fact>]
let ``Users don't connect when user doesn't exist`` () = Property.check <| property {
    let! i = Range.linear 1 1_000_000 |> Gen.int
    let! otherUser = Gen.user
    let db = FakeDB ()
    db.AddUser otherUser
    db.IsDirty <- false
    let uniqueUserId = string (otherUser.UserId + i)
 
    let actual = post db.LookupUser db.UpdateUser uniqueUserId (string otherUser.UserId)
 
    test <@ not db.IsDirty @>
    test <@ isBadRequest actual @> }

This test adds one valid user to the Fake database. Once it's done with configuring the database, it sets IsDirty to false. The AddUser method sets IsDirty to true, so it's important to reset the flag before the act phase of the test. You could consider this a bit of a hack, but I think it makes the intent of the test clear. This is, however, a position I'm ready to reassess should the tests evolve to make this design awkward.

As explained in the previous article, this test case requires an ID of a user that doesn't exist. Since this is a property-based test, there's a risk that Hedgehog might generate a number i equal to otherUser.UserId. One way to get around that problem is to add the two numbers together. Since i is generated from the range 1 - 1,000,000, uniqueUserId is guaranteed to be different from otherUser.UserId.

The test verifies that the state of the database didn't change (that IsDirty is still false), and that actual represents a 400 Bad Request HTTP response.

Remaining test cases #

You can write the remaining three test cases in the same vein:

[<Fact>]
let ``Users don't connect when other user doesn't exist`` () = Property.check <| property {
    let! i = Range.linear 1 1_000_000 |> Gen.int
    let! user = Gen.user
    let db = FakeDB ()
    db.AddUser user
    db.IsDirty <- false
    let uniqueOtherUserId = string (user.UserId + i)
 
    let actual = post db.LookupUser db.UpdateUser (string user.UserId) uniqueOtherUserId 
 
    test <@ not db.IsDirty @>
    test <@ isBadRequest actual @> }
 
[<Fact>]
let ``Users don't connect when user Id is invalid`` () = Property.check <| property {
    let! s = Gen.alphaNum |> Gen.string (Range.linear 0 100) |> Gen.filter isIdInvalid
    let! otherUser = Gen.user
    let db = FakeDB ()
    db.AddUser otherUser
    db.IsDirty <- false
 
    let actual = post db.LookupUser db.UpdateUser s (string otherUser.UserId)
 
    test <@ not db.IsDirty @>
    test <@ isBadRequest actual @> }
 
[<Fact>]
let ``Users don't connect when other user Id is invalid`` () = Property.check <| property {
    let! s = Gen.alphaNum |> Gen.string (Range.linear 0 100) |> Gen.filter isIdInvalid
    let! user = Gen.user
    let db = FakeDB ()
    db.AddUser user
    db.IsDirty <- false
 
    let actual = post db.LookupUser db.UpdateUser (string user.UserId) s
 
    test <@ not db.IsDirty @>
    test <@ isBadRequest actual @> }

All tests inspect the state of the Fake database after the calling the post function. The exact interactions between post and db aren't specified. Instead, these tests rely on setting up the initial state, exercising the System Under Test, and verifying the final state. These are all state-based tests that avoid over-specifying the interactions.

Summary #

While the previous Haskell example demonstrated that it's possible to write state-based unit tests in a functional style, when using F#, it sometimes make sense to leverage the object-oriented features already available in the .NET framework, such as mutable dictionaries. It would have been possible to write purely functional state-based tests in F# as well, by porting the Haskell examples, but here, I wanted to demonstrate that this isn't required.

I tend to be of the opinion that it's only possible to be pragmatic if you know how to be dogmatic, but now that we know how to write state-based tests in a strictly functional style, I think it's fine to be pragmatic and use a bit of mutable state in F#. The benefit of this is that it now seems clear how to apply what we've learned to the original C# example.

Next: An example of state-based testing in C#.

As a programmer, your job is to make technical decisions. Make some more.

When I speak at conferences, people often come and talk to me. (I welcome that, BTW.) Among all the conversations I've had over the years, there's a pattern to some of them. The attendee will start by telling me how inspired (s)he is by the talk I just gave, or something I've written. That's gratifying, and a good way to start a conversation, but is often followed up like this:

Attendee: "I just wish that we could do something like that in our organisation..."

Let's just say that here we're talking about test-driven development, or perhaps just unit testing. Nothing too controversial. I'd typically respond,

Me: "Why can't you?"

Attendee: "Our boss won't let us..."

That's unfortunate. If your boss has explicitly forbidden you to write and run unit tests, then there's not much you can do. Let me make this absolutely clear: I'm not going on record saying that you should actively disobey a direct order (unless it's unethical, that is). I do wonder, however:

Why is the boss even involved in that decision?

It seems to me that programmers often defer too much authority to their managers.

A note on culture #

I'd like to preface the rest of this article with my own context. I've spent most of my programming career in Danish organisations. Even when I worked for Microsoft, I worked for Danish subsidiaries, with Danish managers.

The power distance in Denmark is (in)famously short. It's not unheard of for individual contributors to question their superiors' decisions; sometimes to their face, and sometimes even when other people witness this. When done respectfully (which it often is), this can be extremely efficient. Managers are as fallible as the rest of us, and often their subordinates know of details that could impact a decision that a manager is about to make. Immediately discussing such details can help ensure that good decisions are made, and bad decisions are cancelled.

This helps managers make better decisions, so enlightened managers welcome feedback.

In general, Danish employees also tend to have a fair degree of autonomy. What I'll suggest in this article is unlikely to get you fired in Denmark. Please use your own judgement if you consider transplanting the following to your own culture.

Technical decisions #

If your job is programmer, software developer, or similar, the value you add to the team is that you bring technical expertise. Maybe some of your colleagues are programmers as well, but together, you are the people with the technical expertise.

Even if the project manager or other superiors used to program, unless they're also writing code for the current code base, they only have general technical expertise, but not specific expertise related to the code base you're working with. The people with most technical expertise are you and your colleagues.

You are decision makers.

Whenever you interact with your code base, you make technical decisions.

In order to handle incoming HTTP requests to a /reservations resource, you may first decide to create a new file called ReservationsController.cs. You'd most likely also decide to open that file and start adding code to it.

Perhaps you add a method called Post that takes a Reservation argument. Perhaps you decide to inject an IMaîtreD dependency.

At various steps along the way, you may decide to compile the code.

Once you think that you've made enough changes to address your current work item, you may decide to run the program to see if it works. For a web-based piece of software, that typically involves starting up a browser and somehow interacting with the service. If your program is a web site, you may start at the front page, log in, click around, and fill in some forms. If your program is a REST API, you may interact with it via Fiddler or Postman (I prefer curl or Furl, but most people I've met still prefer something they can click on, it seems).

What often happens is that your changes don't work the first time around, so you'll have to troubleshoot. Perhaps you decide to use a debugger.

How many decisions are that?

I just described seven or eight types of the sort of decisions you make as a programmer. You make such decisions all the time. Do you ask your managers permission before you start a debugging session? Before you create a new file? Before you name a variable?

Of course you don't. You're the technical expert. There's no-one better equipped than you or your team members to make those decisions.

Decide to add unit tests #

If you want to add unit tests, why don't you just decide to add them? If you want to apply test-driven development, why don't you just do so?

A unit test is one or more code files. You're already authorised to make decisions about adding files.

You can run a test suite instead of launching the software every time you want to interact with it. It's likely to be faster, even.

Why should you ask permission to do that?

Decide to refactor #

Another complaint I hear is that people aren't allowed to refactor.

Why are you even asking permission to refactor?

Refactoring means reorganising the code without changing the behaviour of the system. Another word for that is editing the code. It's okay. You're already permitted to edit code. It's part of your job description.

I think I know what the underlying problem is, though...

Make technical decisions in the small #

As an individual contributor, you're empowered to make small-scale technical decisions. These are decisions that are unlikely to impact schedules or allocation of programmers, including new hires. Big decisions probably should involve your manager.

I have an inkling of why people feel that they need permission to refactor. It's because the refactoring they have in mind is going to take weeks. Weeks in which nothing else can be done. Weeks where perhaps the code doesn't even compile.

Many years ago (but not as many as I'd like it to be), my colleague and I had what Eric Evans in DDD calls a breakthrough. We wanted to refactor towards deeper insight. What prompted the insight was a new feature that we had to add, and we'd been throwing design ideas back and forth for some time before the new insight arrived.

We could implement the new feature if we changed one of the core abstractions in our domain model, but it required substantial changes to the existing code base. We informed our manager of our new insight and our plan, estimating that it would take less than a week to make the changes and implement the new feature. Our manager agreed with the plan.

Two weeks later our code hadn't been in a compilable state for a week. Our manager pulled me away to tell me, quietly and equitably, that he was not happy with our lack of progress. I could only concur.

After more heroic work, we finally managed to complete the changes and implement the new feature. Nonetheless, blocking all other development for two-three weeks in order to make a change isn't acceptable.

That sort of change is a big decision because it impacts other team members, schedules, and perhaps overall business plans. Don't make those kinds of decisions without consulting with stakeholders.

This still leaves, I believe, lots of room for individual decision-making in the small. What I learned from the experience I just recounted was not to engage in big changes to a code base. Learn how to make multiple incremental changes instead. In case that's completely impossible, add the new model side-by-side with the old model, and incrementally change over. That's what I should have done those many years ago.

Don't be sneaky #

When I give talks about the blessings of functional programming, I sometimes get into another type of discussion.

Attendee: It's so inspiring how beautiful and simple complex domain models become in F#. How can we do the same in C#?

Me: You can't. If you're already using C#, you should strongly consider F# if you wish to do functional programming. Since it's also a .NET language, you can gradually introduce F# code and mix the compiled code with your existing C# code.

Attendee: Yes... [already getting impatient with me] But we can't do that...

Me: Why not?

Attendee: Because our manager will not allow it.

Based on the suggestions I've already made here, you may expect me to say that that's another technical decision that you should make without asking permission. Like the previous example about blocking refactorings, however, this is another large-scale decision.

Your manager may be concerned that it'd be hard to find new employees if the code base is written in some niche language. I tend to disagree with that position, but I do understand why a manager would take that position. While I think it suboptimal to restrict an entire development organisation to a single language (whether it's C#, Java, C++, Ruby, etc.), I'll readily accept that language choice is a strategic decision.

If every programmer got to choose the programming language they prefer the most that day, you'd have code bases written in dozens of different languages. While you can train bright new hires to learn a new language or two, it's unrealistic that a new employee will be able to learn thirty different languages in a short while.

I find it reasonable that a manager has the final word on the choice of language, even when I often disagree with the decisions.

The outcome usually is that people are stuck with C# (or Java, or...). Hence the question: How can we do functional programming in C#?

I'll give the answer that I often give here on the blog: mu (unask the question). You can, in fact, translate functional concepts to C#, but the result is so non-idiomatic that only the syntax remains of C#:

public static IReservationsInstruction<TResult> Select<T, TResult>(
    this IReservationsInstruction<T> source,
    Func<T, TResult> selector)
{
    return source.Match<IReservationsInstruction<TResult>>(
        isReservationInFuture: t =>
            new IsReservationInFuture<TResult>(
                new Tuple<Reservation, Func<bool, TResult>>(
                    t.Item1,
                    b => selector(t.Item2(b)))),
        readReservations: t =>
            new ReadReservations<TResult>(
                new Tuple<DateTimeOffset, Func<IReadOnlyCollection<Reservation>, TResult>>(
                    t.Item1,
                    d => selector(t.Item2(d)))),
        create: t =>
            new Create<TResult>(
                new Tuple<Reservation, Func<int, TResult>>(
                    t.Item1,
                    r => selector(t.Item2(r)))));
}

Keep in mind the manager's motivation for standardising on C#. It's often related to concerns about being able to hire new employees, or move employees from project to project.

If you write 'functional' C#, you'll end up with code like the above, or the following real-life example:

return await sendRequest(
        ApiMethodNames.InitRegistration,
        new GSObject())
    .Map(r => ValidateResponse.Validate(r)
        .MapFailure(_ => ErrorResponse.RegisterErrorResponse()))
    .Bind(r => r.RetrieveField("regToken"))
    .BindAsync(token =>
        sendRequest(
                ApiMethodNames.RegisterAccount,
                CreateRegisterRequest(
                    mailAddress,
                    password,
                    token))
            .Map(ValidateResponse.Validate)
            .Bind(response => getIdentity(response)
                .ToResult(ErrorResponse.ExternalServiceResponseInvalid)))
    .Map(id => GigyaIdentity.CreateNewSiteUser(id.UserId, mailAddress));

(I'm indebted to Rune Ibsen for this example.)

A new hire can have ten years of C# experience and still have no chance in a code base like that. You'll first have to teach him or her functional programming. If you can do that, you might as well also teach a new language, like F#.

It's my experience that learning the syntax of a new language is easy, and usually doesn't take much time. The hard part is learning a new way to think.

Writing 'functional' C# makes it doubly hard on new team members. Not only do they have to learn a new paradigm (functional programming), but they have to learn it in a language unsuited for that paradigm.

That's why I think you should unask the question. If your manager doesn't want to allow F#, then writing 'functional' C# is just being sneaky. That'd be obeying the letter of the law while breaking the spirit of it. That is, in my opinion, immoral. Don't be sneaky.

Summary #

As a professional programmer, your job is to be a technical expert. In normal circumstances (at least the ones I know from my own career), you have agency. In order to get anything done, you make small decisions all the time, such as editing code. That's not only okay, but expected of you.

Some decision, on the other hand, can have substantial ramifications. Choosing to write code in an unsanctioned language tends to fall on the side where a manager should be involved in the decision.

In between is a grey area.

I don't even consider adding unit tests to be in the grey area, but some refactorings may be.

"It's easier to ask forgiveness than it is to get permission."

To navigate grey areas you need a moral compass.

I'll let you be the final judge of what you can get away with, but I consider it both appropriate and ethical to make the decision to add unit tests, and to continually improve code bases. You shouldn't have to ask permission to do that.

Comments

How do you do state-based testing when state is immutable? You use the State monad.

This article is an instalment in an article series about how to move from interaction-based testing to state-based testing. In the previous article, you saw an example of an interaction-based unit test written in C#. The problem that this article series attempts to address is that interaction-based testing can lead to what xUnit Test Patterns calls Fragile Tests, because the tests get coupled to implementation details, instead of overall behaviour.

My experience is that functional programming is better aligned with unit testing because functional design is intrinsically testable. While I believe that functional programming is no panacea, it still seems to me that we can learn many valuable lessons about programming from it.

People often ask me about F# programming: How do I know that my F# code is functional?

I sometimes wonder that myself, about my own F# code. One can certainly choose to ignore such a question as irrelevant, and I sometimes do, as well. Still, in my experience, asking such questions can create learning opportunities.

The best answer that I've found is: Port the F# code to Haskell.

Haskell enforces referential transparency via its compiler. If Haskell code compiles, it's functional. In this article, then, I take the problem from the previous article and port it to Haskell.

The code shown in this article is available on GitHub.

A function to connect two users #

In the previous article, you saw implementation and test coverage of a piece of software functionality to connect two users with each other. This was a simplification of the example running through my two Clean Coders videos, Church Visitor and Preserved in translation.

In contrast to the previous article, we'll start with the implementation of the System Under Test (SUT).

post :: Monad m =>
        (a -> m (Either UserLookupError User)) ->
        (User -> m ()) ->
        a ->
        a ->
        m (HttpResponse User)
post lookupUser updateUser userId otherUserId = do
  userRes <- first (\case
      InvalidId -> "Invalid user ID."
      NotFound  -> "User not found.")
    <$> lookupUser userId
  otherUserRes <- first (\case
      InvalidId -> "Invalid ID for other user."
      NotFound  -> "Other user not found.")
    <$> lookupUser otherUserId

  connect <- runExceptT $ do
      user <- ExceptT $ return userRes
      otherUser <- ExceptT $ return otherUserRes
      lift $ updateUser $ addConnection user otherUser
      return otherUser

  return $ either BadRequest OK connect

This is as direct a translation of the C# code as makes sense. If I'd only been implementing the desired functionality in Haskell, without having to port existing code, I'd designed the code differently.

This post function uses partial application as an analogy to dependency injection, but in order to enable potentially impure operations to take place, everything must happen inside of some monad. While the production code must ultimately run in the IO monad in order to interact with a database, tests can choose to run in another monad.

In the C# example, two dependencies are injected into the class that defines the Post method. In the above Haskell function, these two dependencies are instead passed as function arguments. Notice that both functions return values in the monad m.

The intent of the lookupUser argument is that it'll query a database with a user ID. It'll return the user if present, but it could also return a UserLookupError, which is a simple sum type:

data UserLookupError = InvalidId | NotFound deriving (Show, Eq)

If both users are found, the function connects the users and calls the updateUser function argument. The intent of this 'dependency' is that it updates the database. This is recognisably a Command, since its return type is m () - unit (()) is equivalent to void.

State-based testing #

How do you unit test such a function? How do you use Mocks and Stubs in Haskell? You don't; you don't have to. While the post method can be impure (when m is IO), it doesn't have to be. Functional design is intrinsically testable, but that proposition depends on purity. Thus, it's worth figuring out how to keep the post function pure in the context of unit testing.

While IO implies impurity, most common monads are pure. Which one should you choose? You could attempt to entirely 'erase' the monadic quality of the post function with the Identity monad, but if you do that, you can't verify whether or not updateUser was invoked.

While you could write an ad-hoc Mock using, for example, the Writer monad, it might be a better choice to investigate if something closer to state-based testing would be possible.

In an object-oriented context, state-based testing implies that you exercise the SUT, which mutates some state, and then you verify that the (mutated) state matches your expectations. You can't do that when you test a pure function, but you can examine the state of the function's return value. The State monad is an obvious choice, then.

A Fake database #

Haskell's State monad is parametrised on the state type as well as the normal 'value type', so in order to be able to test the post function, you'll have to figure out what type of state to use. The interactions implied by the post function's lookupUser and updateUser arguments are those of database interactions. A Fake database seems an obvious choice.

For the purposes of testing the post function, an in-memory database implemented using a Map is appropriate:

type DB = Map Integer User

This is simply a dictionary keyed by Integer values and containing User values. You can implement compatible lookupUser and updateUser functions with State DB as the Monad. The updateUser function is the easiest one to implement:

updateUser :: User -> State DB ()
updateUser user = modify $ Map.insert (userId user) user

This simply inserts the user into the database, using the userId as the key. The type of the function is compatible with the general requirement of User -> m (), since here, m is State DB.

The lookupUser Fake implementation is a bit more involved:

lookupUser :: String -> State DB (Either UserLookupError User)
lookupUser s = do
  let maybeInt = readMaybe s :: Maybe Integer
  let eitherInt = maybe (Left InvalidId) Right maybeInt
  db <- get
  return $ eitherInt >>= maybe (Left NotFound) Right . flip Map.lookup db

First, consider the type. The function takes a String value as an argument and returns a State DB (Either UserLookupError User). The requirement is a function compatible with the type a -> m (Either UserLookupError User). This works when a is String and m is, again, State DB.

The entire function is written in do notation, where the inferred Monad is, indeed, State DB. The first line attempts to parse the String into an Integer. Since the built-in readMaybe function returns a Maybe Integer, the next line uses the maybe function to handle the two possible cases, converting the Nothing case into the Left InvalidId value, and the Just case into a Right value.

It then uses the State module's get function to access the database db, and finally attempt a lookup against that Map. Again, maybe is used to convert the Maybe value returned by Map.lookup into an Either value.

Happy path test case #

This is all you need in terms of Test Doubles. You now have test-specific lookupUser and updateUser functions that you can pass to the post function.

Like in the previous article, you can start by exercising the happy path where a user successfully connects with another user:

testProperty "Users successfully connect" $ \
  user otherUser -> runStateTest $ do
 
  put $ Map.fromList [toDBEntry user, toDBEntry otherUser]

  actual <- post lookupUser updateUser (show $ userId user) (show $ userId otherUser)
 
  db <- get
  return $
    isOK actual &&
    any (elem otherUser . connectedUsers) (Map.lookup (userId user) db)

Here I'm inlining test cases as anonymous functions - this time expressing the tests as QuickCheck properties. I'll later return to the runStateTest helper function, but first I want to focus on the test body itself. It's written in do notation, and specifically, it runs in the State DB monad.

user and otherUser are input arguments to the property. These are both User values, since the test also defines Arbitrary instances for that type (not shown in this article; see the source code repository for details).

The first step in the test is to 'save' both users in the Fake database. This is easily done by converting each User value to a database entry:

toDBEntry :: User -> (Integer, User)
toDBEntry = userId &&& id

Recall that the Fake database is nothing but an alias over Map Integer User, so the only operation required to turn a User into a database entry is to extract the key.

The next step in the test is to exercise the SUT, passing the test-specific lookupUser and updateUser Test Doubles to the post function, together with the user IDs converted to String values.

In the assert phase of the test, it first extracts the current state of the database, using the State library's built-in get function. It then verifies that actual represents a 200 OK value, and that the user entry in the database now contains otherUser as a connected user.

Missing user test case #

While there's one happy-path test case, there's four other test cases left. One of these is when the first user doesn't exist:

testProperty "Users don't connect when user doesn't exist" $ \
  (Positive i) otherUser -> runStateTest $ do
 
  let db = Map.fromList [toDBEntry otherUser]
  put db
  let uniqueUserId = show $ userId otherUser + i
 
  actual <- post lookupUser updateUser uniqueUserId (show $ userId otherUser)
 
  assertPostFailure db actual

What ought to trigger this test case is that the 'first' user doesn't exist, even if the otherUser does exist. For this reason, the test inserts the otherUser into the Fake database.

Since the test is a QuickCheck property, i could be any positive Integer value - including the userId of otherUser. In order to properly exercise the test case, however, you'll need to call the post function with a uniqueUserId - thas it: an ID which is guaranteed to not be equal to the userId of otherUser. There's several options for achieving this guarantee (including, as you'll see soon, the ==> operator), but a simple way is to add a non-zero number to the number you need to avoid.

You then exercise the post function and, as a verification, call a reusable assertPostFailure function:

assertPostFailure :: (Eq s, Monad m) => s -> HttpResponse a -> StateT s m Bool
assertPostFailure stateBefore resp = do
  stateAfter <- get
  let stateDidNotChange = stateBefore == stateAfter
  return $ stateDidNotChange && isBadRequest resp

This function verifies that the state of the database didn't change, and that the response value represents a 400 Bad Request HTTP response. This verification doesn't actually verify that the error message associated with the BadRequest case is the expected message, like in the previous article. This would, however, involve a fairly trivial change to the code.

Missing other user test case #

Similar to the above test case, users will also fail to connect if the 'other user' doesn't exist. The property is almost identical:

testProperty "Users don't connect when other user doesn't exist" $ \
  (Positive i) user -> runStateTest $ do
  
  let db = Map.fromList [toDBEntry user]
  put db
  let uniqueOtherUserId = show $ userId user + i
 
  actual <- post lookupUser updateUser (show $ userId user) uniqueOtherUserId
 
  assertPostFailure db actual

Since this test body is so similar to the previous test, I'm not going to give you a detailed walkthrough. I did, however, promise to describe the runStateTest helper function:

runStateTest :: State (Map k a) b -> b
runStateTest = flip evalState Map.empty

Since this is a one-liner, you could also write all the tests by simply in-lining that little expression, but I thought that it made the tests more readable to give this function an explicit name.

It takes any State (Map k a) b and runs it with an empty map. Thus, all State-valued functions, like the tests, must explicitly put data into the state. This is also what the tests do.

Notice that all the tests return State values. For example, the assertPostFailure function returns StateT s m Bool, of which State s Bool is an alias. This fits State (Map k a) b when s is Map k a, which again is aliased to DB. Reducing all of this, the tests are simply functions that return Bool.

Invalid user ID test cases #

Finally, you can also cover the two test cases where one of the user IDs is invalid:

testProperty "Users don't connect when user Id is invalid" $ \
  s otherUser -> isIdInvalid s ==> runStateTest $ do
 
  let db = Map.fromList [toDBEntry otherUser]
  put db
 
  actual <- post lookupUser updateUser s (show $ userId otherUser)
 
  assertPostFailure db actual
 
,
testProperty "Users don't connect when other user Id is invalid" $ \
  s user -> isIdInvalid s ==> runStateTest $ do
 
  let db = Map.fromList [toDBEntry user]
  put db
 
  actual <- post lookupUser updateUser (show $ userId user) s
 
  assertPostFailure db actual

Both of these properties take a String value s as input. When QuickCheck generates a String, that could be any String value. Both tests require that the value is an invalid user ID. Specifically, it mustn't be possible to parse the string into an Integer. If you don't constrain QuickCheck, it'll generate various strings, including e.g. "8" and other strings that can be parsed as numbers.

In the above "Users don't connect when user doesn't exist" test, you saw how one way to explicitly model constraints on data is to project a seed value in such a way that the constraint always holds. Another way is to use QuickCheck's built-in ==> operator to filter out undesired values. In this example, both tests employ the isIdInvalid function:

isIdInvalid :: String -> Bool
isIdInvalid s =
  let userInt = readMaybe s :: Maybe Integer
  in isNothing userInt

Using isIdInvalid with the ==> operator guarantees that s is an invalid ID.

Summary #

While state-based testing may, at first, sound incompatible with strictly functional programming, it's not only possible with the State monad, but even, with good language support, easily done.

The tests shown in this article aren't concerned with the interactions between the SUT and its dependencies. Instead, they compare the initial state with the state after exercising the SUT. Comparing values, even complex data structures such as maps, tends to be trivial in functional programming. Immutable values typically have built-in structural equality (in Haskell signified by the automatic Eq type class), which makes comparing them trivial.

Now that we know that state-based testing is possible even with Haskell's enforced purity, it should be clear that we can repeat the feat in F#.

Next: An example of state based-testing in F#.

A trivial observation made explicit.

You'd think that it's evident that code quality and software quality are two different things. Yet, I often see or hear arguments about one or the other that indicates to me that some people don't make that distinction. I wonder why; I do.

Software quality #

There's a school of thought leaders who advocate that, ultimately, we write code to solve problems, or to improve life, for people. I have nothing against that line of reasoning; it's just not one that I pursue much. Why should I use my energy on this message when someone like Dan North does it so much better than I could?

Dan North is far from the only person making the point that our employers, or clients, or end-users don't care about the code; he is, in my opinion, one of the best communicators in that field. It makes sense that, with that perspective on software development, you'd invent something like behaviour-driven development.

The evaluation criterion used in this discourse is one of utility. Does the software serve a purpose? Does it do it well?

In that light, quality software is software that serves its purpose beyond expectation. It rarely, if ever, crashes. It's easy to use. It's sufficiently responsive. It's pretty. It works both on-line and off-line. Attributes like that are externally observable qualities.

You can write quality software in many different languages, using various styles. When you evaluate the externally observable qualities of software, the code is invisible. It's not part of the evaluation.

It seems to me that some people try to make an erroneous conclusion from this premise. They'd say that since no employer, client, or end user evaluates the software based on the code that produced it, then no one cares about the code.

Code quality #

It's easy to refute that argument. All you have to do is to come up with a counter-example. You just have to find one person who cares about the code. That's easy.

You care about the code.

Perhaps you react negatively to that assertion. Perhaps you say: "No! I'm not one of those effete aesthetes who only program in Plankalkül." Fine. Maybe you're not the type who likes to polish the code; maybe you're the practical, down-to-earth type who just likes to get stuff done, so that your employer/client/end-user is happy.

Even so, I think that you still care about the code. Have you ever looked with bewilderment at a piece of code and thought: "Who the hell wrote this piece of shit!?" How many WTFs/m is your code?

I think every programmer cares about their code bases; if not in an active manner, then at least in a passive way. Bad code can seriously impede progress. I've seen more than one organisation effectively go out of business because of bad legacy code.

Code quality is when you care about the readability and malleability of the code. It's when you care about the code's ability to sustain the business, not only today, but also in the future.

Sustainable code #

I often get the impression that some people look at code quality and software quality as a (false) dichotomy.

Such arguments often seem to imply that you can't have one without sacrificing the other. You must choose.

The reality is, of course, that you can do both.

At the intersection between software and code quality the code sustains the business both now, and in the future.

Yes, you should write code such that it produces software that provides value here and now, but you should also do your best to enable it to provide value in the future. This is sustainable code. It's code that can sustain the organisation during its lifetime.

No gold-plating #

To be clear: this is not a call for gold plating or speculative generality. You probably can't predict the future needs of the stake-holders.

Quality code doesn't have to be able to perfectly address all future requirements. In order to be sustainable, though, it should be easy to modify in the future, or perhaps just easy to throw away and rewrite. I think a good start is to write humane code; code that fits in your brain.

At least, do your best to avoid writing legacy code.

Summary #

Software quality and code quality can co-exist. You can write quality code that compiles to quality software, but one doesn't imply the other. These are two independent quality dimensions.

An example of using Mocks and Stubs for unit testing in C#.

This article is an instalment in an article series about how to move from interaction-based testing to state-based testing. In this series, you'll be presented with some alternatives to interaction-based testing with Mocks and Stubs. Before we reach the alternatives, however, we need to establish an example of interaction-based testing, so that you have something against which you can compare those alternatives. In this article, I'll present a simple example, in the form of C# code.

The code shown in this article is available on GitHub.

Connect two users #

For the example, I'll use a simplified version of the example that runs through my two Clean Coders videos, Church Visitor and Preserved in translation.

The desired functionality is simple: implement a REST API that enables one user to connect to another user. You could imagine some sort of social media platform, or essentially any sort of online service where users might be interested in connecting with, or following, other users.

In essence, you could imagine that a user interface makes an HTTP POST request against our REST API:

POST /connections/42 HTTP/1.1
Content-Type: application/json

{
    "otherUserId": 1337
}

Let's further imagine that we implement the desired functionality with a C# method with this signature:

public IHttpActionResult Post(string userId, string otherUserId)

We'll return to the implementation later, but I want to point out a few things.

First, notice that both userId and otherUserId are string arguments. While the above example encodes both IDs as numbers, essentially, both URLs and JSON are text-based. Following Postel's law, the method should also accept JSON like { "otherUserId": "1337" }. That's the reason the Post method takes string arguments instead of int arguments.

Second, the return type is IHttpActionResult. Don't worry if you don't know that interface. It's just a way to model HTTP responses, such as 200 OK or 400 Bad Request.

Depending on the input values, and the state of the application, several outcomes are possible:

The assumption here is that the underlying user database uses integers as row IDs.

When both users are found, the other user should be returned in the HTTP response, like this:

HTTP/1.1 200 OK
Content-Type: application/json

{
    "id": 1337,
    "name": "ploeh",
    "connections": [{
        "id": 42,
        "name": "fnaah"
    }, {
        "id": 2112,
        "name": "ndøh"
    }]
}

The intent is that when the first user (e.g. the one with the 42 ID) successfully connects to user 1337, a user interface can show the full details of the other user, including the other user's connections.

Happy path test case #

Since there's five distinct outcomes, you ought to write at least five test cases. You could start with the happy-path case, where both user IDs are well-formed and the users exist.

All tests in this article use xUnit.net 2.3.1, Moq 4.8.1, and AutoFixture 4.1.0.

[Theory, UserManagementTestConventions]
public void UsersSuccessfullyConnect(
    [Frozen]Mock<IUserReader> readerTD,
    [Frozen]Mock<IUserRepository> repoTD,
    User user,
    User otherUser,
    ConnectionsController sut)
{
    readerTD
        .Setup(r => r.Lookup(user.Id.ToString()))
        .Returns(Result.Success<User, IUserLookupError>(user));
    readerTD
        .Setup(r => r.Lookup(otherUser.Id.ToString()))
        .Returns(Result.Success<User, IUserLookupError>(otherUser));
 
    var actual = sut.Post(user.Id.ToString(), otherUser.Id.ToString());
 
    var ok = Assert.IsAssignableFrom<OkNegotiatedContentResult<User>>(
        actual);
    Assert.Equal(otherUser, ok.Content);
    repoTD.Verify(r => r.Update(user));
    Assert.Contains(otherUser.Id, user.Connections);
}

To be clear, as far as Overspecified Software goes, this isn't a bad test. It only has two Test Doubles, readerTD and repoTD. My current habit is to name any Test Double with the TD suffix (for Test Double), instead of explicitly naming them readerStub and repoMock. The latter would have been more correct, though, since the Mock<IUserReader> object is consistently used as a Stub, whereas the Mock<IUserRepository> object is used only as a Mock. This is as it should be, because it follows the rule that you should use Mocks for Commands, Stubs for Queries.

IUserRepository.Update is, indeed a Command:

public interface IUserRepository
{
    void Update(User user);
}

Since the method returns void, unless it doesn't do anything at all, the only thing it can do is to somehow change the state of the system. The test verifies that IUserRepository.Update was invoked with the appropriate input argument.

This is fine.

I'd like to emphasise that this isn't the biggest problem with this test. A Mock like this verifies that a desired interaction took place. If IUserRepository.Update isn't called in this test case, it would constitute a defect. The software wouldn't have the desired behaviour, so the test ought to fail.

The signature of IUserReader.Lookup, on the other hand, implies that it's a Query:

public interface IUserReader
{
    IResult<User, IUserLookupError> Lookup(string id);
}

In C# and most other languages, you can't be sure that implementations of the Lookup method have no side effects. If, however, we assume that the code base in question obeys the Command Query Separation principle, then, by elimination, this must be a Query (since it's not a Command, because the return type isn't void).

For a detailed walkthrough of the IResult<S, E> interface, see my Preserved in translation video. It's just an Either with different terminology, though. Right is equivalent to SuccessResult, and Left corresponds to ErrorResult.

The test configures the IUserReader Stub twice. It's necessary to give the Stub some behaviour, but unfortunately you can't just use Moq's It.IsAny<string>() for configuration, because in order to model the test case, the reader should return two different objects for two different inputs.

This starts to look like Overspecified Software.

Ideally, a Stub should just be present to 'make happy noises' in case the SUT decides to interact with the dependency, but with these two Setup calls, the interaction is overspecified. The test is tightly coupled to how the SUT is implemented. If you change the interaction implemented in the Post method, you could break the test.

In any case, what the test does specify is that when you query the UserReader, it returns a Success object for both user lookups, a 200 OK result is returned, and the Update method was called with user.

Invalid user ID test case #

If the first user ID is invalid (i.e. not an integer) then the return value should represent 400 Bad Request and the message body should indicate as much. This test verifies that this is the case:

[Theory, UserManagementTestConventions]
public void UsersFailToConnectWhenUserIdIsInvalid(
    [Frozen]Mock<IUserReader> readerTD,
    [Frozen]Mock<IUserRepository> repoTD,
    string userId,
    User otherUser,
    ConnectionsController sut)
{
    Assert.False(int.TryParse(userId, out var _));
    readerTD
        .Setup(r => r.Lookup(userId))
        .Returns(Result.Error<User, IUserLookupError>(
            UserLookupError.InvalidId));
 
    var actual = sut.Post(userId, otherUser.Id.ToString());
 
    var err = Assert.IsAssignableFrom<BadRequestErrorMessageResult>(actual);
    Assert.Equal("Invalid user ID.", err.Message);
    repoTD.Verify(r => r.Update(It.IsAny<User>()), Times.Never());
}

This test starts with a Guard Assertion that userId isn't an integer. This is mostly an artefact of using AutoFixture. Had you used specific example values, then this wouldn't have been necessary. On the other hand, had you written the test case as a property-based test, it would have been even more important to explicitly encode such a constraint.

Perhaps a better design would have been to use a domain-specific method to check for the validity of the ID, but there's always room for improvement.

This test is more brittle than it looks. It only defines what should happen when IUserReader.Lookup is called with the invalid userId. What happens if IUserReader.Lookup is called with the Id associated with otherUser?

This currently doesn't matter, so the test passes.

The test relies, however, on an implementation detail. This test implicitly assumes that the implementation short-circuits as soon as it discovers that userId is invalid. What if, however, you'd made some performance measurements, and you'd discovered that in most cases, the software would run faster if you Lookup both users in parallel?

Such an innocuous performance optimisation could break the test, because the behaviour of readerTD is unspecified for all other cases than for userId.

Invalid ID for other user test case #

What happens if the other user ID is invalid? This unit test exercises that test case:

[Theory, UserManagementTestConventions]
public void UsersFailToConnectWhenOtherUserIdIsInvalid(
    [Frozen]Mock<IUserReader> readerTD,
    [Frozen]Mock<IUserRepository> repoTD,
    User user,
    string otherUserId,
    ConnectionsController sut)
{
    Assert.False(int.TryParse(otherUserId, out var _));
    readerTD
        .Setup(r => r.Lookup(user.Id.ToString()))
        .Returns(Result.Success<User, IUserLookupError>(user));
    readerTD
        .Setup(r => r.Lookup(otherUserId))
        .Returns(Result.Error<User, IUserLookupError>(
            UserLookupError.InvalidId));
 
    var actual = sut.Post(user.Id.ToString(), otherUserId);
 
    var err = Assert.IsAssignableFrom<BadRequestErrorMessageResult>(actual);
    Assert.Equal("Invalid ID for other user.", err.Message);
    repoTD.Verify(r => r.Update(It.IsAny<User>()), Times.Never());
}

Notice how the test configures readerTD twice: once for the Id associated with user, and once for otherUserId. Why does this test look different from the previous test?

Why is the first Setup required? Couldn't the arrange phase of the test just look like the following?

Assert.False(int.TryParse(otherUserId, out var _));
readerTD
    .Setup(r => r.Lookup(otherUserId))
    .Returns(Result.Error<User, IUserLookupError>(
        UserLookupError.InvalidId));

If you wrote the test like that, it would resemble the previous test (UsersFailToConnectWhenUserIdIsInvalid). The problem, though, is that if you remove the Setup for the valid user, the test fails.

This is another example of how the use of interaction-based testing makes the tests brittle. The tests are tightly coupled to the implementation.

Missing users test cases #

I don't want to belabour the point, so here's the two remaining tests:

[Theory, UserManagementTestConventions]
public void UsersDoNotConnectWhenUserDoesNotExist(
    [Frozen]Mock<IUserReader> readerTD,
    [Frozen]Mock<IUserRepository> repoTD,
    string userId,
    User otherUser,
    ConnectionsController sut)
{
    readerTD
        .Setup(r => r.Lookup(userId))
        .Returns(Result.Error<User, IUserLookupError>(
            UserLookupError.NotFound));
 
    var actual = sut.Post(userId, otherUser.Id.ToString());
 
    var err = Assert.IsAssignableFrom<BadRequestErrorMessageResult>(actual);
    Assert.Equal("User not found.", err.Message);
    repoTD.Verify(r => r.Update(It.IsAny<User>()), Times.Never());
}
 
[Theory, UserManagementTestConventions]
public void UsersDoNotConnectWhenOtherUserDoesNotExist(
    [Frozen]Mock<IUserReader> readerTD,
    [Frozen]Mock<IUserRepository> repoTD,
    User user,
    int otherUserId,
    ConnectionsController sut)
{
    readerTD
        .Setup(r => r.Lookup(user.Id.ToString()))
        .Returns(Result.Success<User, IUserLookupError>(user));
    readerTD
        .Setup(r => r.Lookup(otherUserId.ToString()))
        .Returns(Result.Error<User, IUserLookupError>(
            UserLookupError.NotFound));
 
    var actual = sut.Post(user.Id.ToString(), otherUserId.ToString());
 
    var err = Assert.IsAssignableFrom<BadRequestErrorMessageResult>(actual);
    Assert.Equal("Other user not found.", err.Message);
    repoTD.Verify(r => r.Update(It.IsAny<User>()), Times.Never());
}

Again, notice the asymmetry of these two tests. The top one passes with only one Setup of readerTD, whereas the bottom test requires two in order to pass.

You can add a second Setup to the top test to make the two tests equivalent, but people often forget to take such precautions. The result is Fragile Tests.

Post implementation #

In the spirit of test-driven development, I've shown you the tests before the implementation.

public class ConnectionsController : ApiController
{
    public ConnectionsController(
        IUserReader userReader,
        IUserRepository userRepository)
    {
        UserReader = userReader;
        UserRepository = userRepository;
    }
 
    public IUserReader UserReader { get; }
    public IUserRepository UserRepository { get; }
 
    public IHttpActionResult Post(string userId, string otherUserId)
    {
        var userRes = UserReader.Lookup(userId).SelectError(
            error => error.Accept(UserLookupError.Switch(
                onInvalidId: "Invalid user ID.",
                onNotFound:  "User not found.")));
        var otherUserRes = UserReader.Lookup(otherUserId).SelectError(
            error => error.Accept(UserLookupError.Switch(
                onInvalidId: "Invalid ID for other user.",
                onNotFound:  "Other user not found.")));
 
        var connect =
            from user in userRes
            from otherUser in otherUserRes
            select Connect(user, otherUser);
 
        return connect.SelectBoth(Ok, BadRequest).Bifold();
    }
 
    private User Connect(User user, User otherUser)
    {
        user.Connect(otherUser);
        UserRepository.Update(user);
 
        return otherUser;
    }
}

This is a simplified version of the code shown towards the end of my Preserved in translation video, so I'll refer you there for a detailed explanation.

Summary #

The premise of Refactoring is that in order to be able to refactor, the "precondition is [...] solid tests". In reality, many development organisations have the opposite experience. When programmers attempt to make changes to how their code is organised, tests break. In xUnit Test Patterns this problem is called Fragile Tests, and the cause is often Overspecified Software. This means that tests are tightly coupled to implementation details of the System Under Test (SUT).

It's easy to inadvertently fall into this trap when you use Mocks and Stubs, even when you follow the rule of using Mocks for Commands and Stubs for Queries. In my experience, it's often the explicit configuration of Stubs that tend to make tests brittle. A Command represents an intentional side effect, and you want to verify that such a side effect takes place. A Query, on the other hand, has no side effect, so a black-box test shouldn't be concerned with any interactions involving Queries.

Yet, using an 'isolation framework' such as Moq, FakeItEasy, NSubstitute, and so on, will pull you towards overspecifying the interactions the SUT has with its Query dependencies.

How can we improve? One strategy is to move towards a more functional design, which is intrinsically testable. In the next article, you'll see how to rewrite both tests and implementation in Haskell.

Next: An example of state-based testing in Haskell.

Comments

Indiscriminate use of Mocks and Stubs can lead to brittle test suites. A more functional design can make state-based testing easier, leading to more robust test suites.

The original premise of Refactoring was that in order to refactor, you must have a trustworthy suite of unit tests, so that you can be confident that you didn't break any functionality.

"to refactor, the essential precondition is [...] solid tests"

This is a well-known test smell. In xUnit Test Patterns this is called Fragile Test, and it's often caused by Overspecified Software. Even if you follow the proper practice of using Mocks for Commands, Stubs for Queries, you can still end up with a code base where the tests are highly coupled to implementation details of the software.

The cause is often that when relying on Mocks and Stubs, test verification hinges on how the System Under Test (SUT) interacts with its dependencies. For that reason, we can call such tests interaction-based tests. For more information, watch my Pluralsight course Advanced Unit Testing.

Lessons from functional programming #

Another way to verify the outcome of a test is to inspect the state of the system after exercising the SUT. We can, quite naturally, call this state-based testing. In object-oriented design, this can lead to other problems. Nat Pryce has pointed out that state-based testing breaks encapsulation.

Interestingly, in his article, Nat Pryce concludes:

"I have come to think of object oriented programming as an inversion of functional programming. In a lazy functional language data is pulled through functions that transform the data and combine it into a single result. In an object oriented program, data is pushed out in messages to objects that transform the data and push it out to other objects for further processing."

Functional programming is based on the fundamental principle of referential transparency, which, among other things, means that data must be immutable. Thus, no objects change state. Instead, functions can return data that contains immutable state. In unit tests, you can verify that return values are as expected. Functional design is intrinsically testable; we can consider it a kind of state-based testing, although the states you'd be verifying are immutable return values.

In this article series, you'll see three different styles of testing, from interaction-based testing with Mocks and Stubs in C#, over strictly functional state-based testing in Haskell, to pragmatic state-based testing in F#, finally looping back to C# to apply the lessons from functional programming.

• An example of interaction-based testing in C#
• An example of state-based testing in Haskell
• An example of state based-testing in F#
• An example of state-based testing in C#
• A pure Test Spy

Summary #

Adopting a more functional design, even in a fundamentally object-oriented language like C# can, in my experience, lead to a more sustainable code base. Various maintenance tasks become easier, including unit tests. Functional programming, however, is no panacea. My intent with this article series is only to inspire; to show alternatives to the ways things are normally done. Adopting one of those alternatives could lead to better code, but you must still exercise context-specific judgement.

Next: An example of interaction-based testing in C#.