API Performance Testing at STPcon 2014

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
PerformanceTestingAPIs
@WilsonMar
#STPCon New Orleans
10:45 Thursday, April 17, 2014

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.2
http://www.stpcon.com/Session/170/Performance-Testing-API's
Published topic
Today's mobile apps and HTML apps typically make use of AJAX (Asynchronous JavaScript)
coding to assemble data from several sources. To uniquely identify users, many websites are
using 3rd party services such as Google, Facebook, Twitter, etc. Even though standards such as
OAuth have been defined, websites differ in how programs talk with them.
This session examines how some sites are evolving over time, and how developers can
collaborate to quickly adapt to the fast change. The pace of change will accelerate due to
fundamental new systems being created in response to Wikileaks, Edward Snowden, and RSA
adding back door access for the NSA.
During a "deep dive" into the technical differences among the most significant APIs, this
session will explore the coding features which programmers of applications and performance
testing scripters need to incorporate into their code.

Locus of control in machines, not individual humans
Paradigm of who drives data
http://54.188.18.140/demos/PortfolioDemo_Basic/ http://54.188.18.140/demos/DropDownDemo/
1
2

http://www.google.com/landing/now/#cards
Customized updates pushed real-time

http://www.addall.com/ (aggregator site)
Aggregators for comparison shopping

Aggregators of aggregators interconnected
PayBuy Ship Track
Inventory,
Evaluations
Shop
Customer
profiles
Payments Travel,
Routes
Google
EBay
Amazon
Pinterest
Etsy
Google+
Facebook
Amazon
Twitter
LinkedIn
Google Maps
(Waze)
Bing
Yahoo
Packages
Google Now
USPS
UPS
FedEx
Google Wallet
PayPal
Amazon
Visa,
Stripe, Square

http://apicommons.org/apis.html
Taxonomy of APIs
Businesses
Companies
Events
(Calendars)
Images
Jobs
Offices
Shops
Stores
Videos People
Names
(Teams)
Programs
Projects
Tasks
ProductsPublications
Places
Music
Sounds

Mash-up: APIs about each data element
Postal
Zip code
Phone
Area Code
Phone
number
Email
address
Website
URLs
Street
Addr.
Country
code
Social
handles
Domain
names
Phone
area code

Mash-up: APIs for each data element
Postal
Zip code
weather
Short
URL
Phone
number
longitude
& latitude
Email
address
face
photo
MD5()
Videos
& pics.
Website
URLs
map
areas
QR code
image
IP
Address
SHA,
Sign()
OAuth
1.0a
IP black
listed?
Account
valid?
Secrets,
OAuth1
Ratings &
Reviews
Domain
names
ping()
DNS
Sound
Parm.
lookup
No
auth.
Trulioo
Country
Lists
Street
Addr.
Addr.
valid?
UPS Yelp
Gravitar
Phone
Country
OAuth2
bit.ly,
Google
Social
handles
UofAustin ipslist
Melissa
Data
census
etc.
Symantec
Snap app
Proper
Names
Phone
area code
Country
code
Weather
underground
Location
of IP
ip2location
Time
Zones
Flickr,
Facebook
census.
gov
Yahoo
Alexa
Forvo
Twilio

Amazon.com stores around the world
http://www.amazon.com/gp/feature.html?docId=487250
Northern
Virginiaamazon.com
amazon.uk
amazon.fr
amazon.gb
amazon.at
amazon.it
amazon.es
amazon.jp
amazon.au
amazon.br
amazon.cn
(joyo.com)
amazon.ca

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_ResponseGroupsList.html
SearchIndex (TypeProduct)
CategoryDepartment
Books
DigitalMusic
DVD
Magazines
MobileApps
Music
MusicTracks
MP3Downloads
Photo
Software
UnboxVideo
VHS
Video
VideoGames
Store
Apparel
Appliances
ArtsAndCrafts
Automotive
Grocery
Electronics
Jewelry
MusicalInstruments
PCHardware
Shoes
SportingGoods
Tools
Toys
Watches
Wireless
WirelessAccessories
Baby
PetSupplies
Beauty
HealthPersonalCare
HomeGarden
Industrial
Kitchen
LawnGarden
OfficeProducts
OutdoorLiving
Media
Blended
Classical
Collectibles
KindleStore
Marketplace
Merchants
Miscellaneous

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_OperationListAlphabetical.html
Operations verbs
CartCreate
CartAdd
CartClear
CartGet
CartModify
ItemLookup
ItemSearch
SimilarityLookup
BrowseNodeLookup

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_ResponseGroupsList.html
Response Groups (among 55)
Cart
CartNewReleases
CartTopSellers
CartSimilarities
Large
Medium
Small
Images
ItemIds
ItemAttributes
RelatedItems
NewReleases
TopSellers
Similarities
MostGifted
MostWishedFor
AlternateVersions
Variations
VariationMatrix
VariationImages
VariationOffers
VariationSummary
SearchBins
Accessories
Offers
OfferSummary
OfferFull
OfferListings
PromotionSummary
BrowseNodeInfo
BrowseNodes
Tracks
Request
SalesRank
Reviews
EditorialReview

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/BasicAuthProcess.html
Amazon Product API REST request processing
OK?
Amazon

http://webservices.amazon.com/onca/xml?
AssociateTag=[ID]&
http://docs.aws.amazon.com/AWSECommerceService/latest/DG/AnatomyOfaRESTRequest.html
Amazon Product API REST request
AWSAccessKeyId=[Access Key ID]&
Keywords=Shirt&
Operation=ItemSearch&
ResponseGroup=Offers%2CImages%2CReviews
SearchIndex=Apparel&
Service=AWSECommerceService&
Version=2011-08-01&
Different endpoint URI
& Asso. each country
Space ends request
Alphabetically listed
value pairs to sign
"dummy" Secret Access
Key1234567890
Timestamp=[YYYY-MM-DDThh:mm:ssZ]&
http://www.w3.org/T
R/xmlschema-
2/#dateTime
Signature=[Request Signature] RFC 2104 base64-
encoded HMAC_SHA25
of request
Escape
+ , ;

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CommonRequestPar
ameters.html
Amazon response XMLEscaping
XMLEscaping=Single
The default number of passes.
Ampersand character (&) is returned in its regular XML encoding (&).
XMLEscaping=Double
Ampersand character (&) is XML-encoded twice (&)
for PHP which does not decode text within XML elements.

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/DebuggingParameters.html
Amazon request validation
Validate=False
The default.
Validate=True
Process request without actually executing it.
Returns isValid=“True” or “False”.

Other
Authenticationand
Authorization

3rd party authentication web services
• Google (Maps, etc.)
• Amazon
• Facebook (Parse, acquired 2013)
• Yahoo
• Microsoft (Bing maps)
• Twitter
• LinkedIn
• etc.

https://dev.trulioo.com/apiGuide/truDetect?
JSON response sample
{
"ok": true,
"result": {
"score": "60",
"transaction_id": "d8ad1829-9abc-4d84-5383-3a13a32f4092"
}
}
 Return a binary response status (“ok”: true or false)
 Exchange mutual GUID for unique mutual tracking.
Less verbose than XML.
More verbose than
HTML5 WebSockets.

Authentication vs. Authorization
Authentication Authorization
First thing Occurs after authentication
For whether to allow authorization For whether to allow use of resources
Based on user credentials Based on authentication token
Output: Session token Output: Requested resource

http://docs.stormpath.com/rest/quickstart/
Sample request in Curl
curl -X POST --user $YOUR_API_KEY_ID:$YOUR_API_KEY_SECRET
-H "Accept: application/json"
-H "Content-Type: application/json"
-d '{
"givenName": "Jean-Luc",
"surname": "Picard",
"username": "jlpicard",
"email": "capt@enterprise.com",
"password":"Changeme1"
}'
"https://api.stormpath.com/v1/applications/$YOUR_APPLICATION_ID/accounts"}

Sample request in LoadRunner script
lr_save_string("3xFb1EU6dYCXBHXEa…","stormpath_app_id");
web_set_user("1PHM75I…","AC7fw+efr2xM831Q…", "");
web_add_header("Accept", "application/json");
web_custom_request("AddAcct",
"URL=https://api.stormpath.com/v1/accounts/{stormpath_app_id}",
"Method=POST",
"Resource=0",
"EncType=application/json",
"Mode=HTTP",
"Body={"
""givenName": “{user_givenName}","
""surname": "{user_surname}","
""username": “{user_acctname}","
""email": “{user_email}","
""password": “{user_password}""
"}", LAST);
Name variables with
consistent prefix of
file to iterate through
Variables for reuse
Automated handling
of credentials &
headers

lr_save_string("3xFb1EU6dYCXBHXEa…","stormpath_app_id");
web_set_user("1PHM75I…","AC7fw+efr2xM831Q…", "");
web_add_header("Accept", "application/json");
web_custom_request("AddAcct",
"URL=https://api.stormpath.com/v1/accounts/{stormpath_app_id}",
"Method=POST",
"Resource=0",
"EncType=application/json",
"Mode=HTTP",
"Body={"
""givenName": “{user_givenName}","
""surname": "{user_surname}","
""username": “{user_acctname}","
""email": “{user_email}","
""password": “{user_password}""
"}", LAST);
Errors to test for
Would repeating
requests with same
data create dups?
Would unrecognized
fields be ignored?
How long before
credentials expire?

http://www.yelp.com/developers/documentation/v2/authentication
Yelp.com v2 uses OAuth 1.0a

https://developers.google.com/accounts/docs/OAuth2ServiceAccount
Google web service calls

Google APIs Console
https://www.googleapis.com/urlshortener/v1/url
Specific API Project
Google account
Service acct.
service email
.p12 file
fingerprint
“notasecret”
oauth_url_escape()
oauth_sign_rsa_sha256()
Short URL (JSON)
signature
encoded
signature
URLtoShorten Body
oauth_encode_base64()
JWTBodyoauth_load_privatekey()
JWT (JSON
Web Token)
Current
Time
Expire
Time
Good for
1800 seconds
JWT Assertion
https://accounts.google.com/o/oauth2/token
AssessTokenLong URLs
endpoint :

Programming languages in sample code
C (LoadRunner) ?
Ruby ?
Python ?
?
IP2Location Parse (Facebook)FedEx
https://parse.com/docs/api_libraries

Local Git repos.
Public Github repo.
Secure repo.
Shell script to automate extra secure file operations.
File handling to/from public repositories
Upload script
Script
Private files
Private files Download script
Script
Public files
.gitignore

UI performance test run types
 Landing UI
 Register
 Menu item 1
 Menu item 2
 Menu
Sequential transaction flow
• Name
• Address
• Etc.
 Add
 Retrieve 1
 List
 Change
 Delete
 (Click Login for dialog)
 Login UI
 Logout UI

API performance test run types
 Landing UI
 Register
Discreet transactions
• Name
• Address
• Etc.
 Menu item 1
 Menu item 2
 Menu
 Request session token
 Logout (session end / timeout)
 Login
 POST
 GET 1
 GET all
 PUT
 DELETE

API characterization & performance metrics
# Registrations
# Credentials (Users)
# Fields
# Sessions
# Completions
# Timeouts
# Attempts
# Run Types
# Run Cycles
# Iterations in run
# Files
# Resource Hits
# Bytes transferred
# Exchanges (messages)
# Searches
# Variations in data # Add
# Retrieve
# List collection
# Updates
# Delete

AUT
Continuous load verification worldwide
Test Controller
APIs connect
securely on
standard ports
9 Amazon AWS EC2 regions
API for Jenkins
to control LR
for Continuous
Testing
End users

Benchmark performance of security operations?
Acceptable
delay
Extent of
processing
A
B
Minimal processing
for fast response
Strong encryption
for security,
but slower
No authentication
OAuth 1.0a
OAuth 2.0

How frequently are access keys refreshed?
Acceptable
delay
Longevity of
access keys
A
B
Infrequent
for fast response
Frequent
for security
weeks
30 minutesMax. 120 minutes,
client configurable

Value of local functionality?
Acceptable
latency
Locality of
data
A
B
On device for
fast response
Remote for
distributed
access
Craigslist.com
Evernote.com
Akamai.com

Tune low-level transmission settings?
Acceptable
latency
Data transmitted
per burst
A
B
Small bursts each
for fast response
Large bursts for
offline analysis
Spritz.com
Hibernate

Immersive experiences with fall-back?
Acceptable
latency
Data transmitted
per request
A
B
Few files for
faster response
Many files for
more immersive
user experience
Google.com
Pinterest.com
Bing.com

@WilsonMar
• API’s enabling comparison shopping among competing sites [addall.com]
• API’s assimilate data unique to interests and needs of each user [Google Now]
• Some services require certification to access. Some don’t. [FedEx]
• Avoid limiting permissions to browse and search [USPS, FedEx, UPS]
• Support several programming languages [FedEx vs. Parse]
• Support different versions of IDE (Eclipse, Visual Studio 2005 and 2013)
• Respond with JSON (as well as XML/SOAP)
• Provide sample calls in Curl format

@WilsonMar - Calls to Action
• Manage web service usage by groups and other attributes of individuals.
• Protect against spammers by validating data values as real entities.
• Design for enterprise usage, with usage tracking and monitoring.
• Move from easier OAuth 2.0 to more secure OAuth 1.0a with certificates (Yelp).
• Have a rapid approach to quickly change encryption keys everywhere.
• Measure, eliminate, and virtualize network latency effects, worldwide.
• Test widely and continuously to detect integration breakage.
• Conduct real user monitoring to detect breakage in production.
• Design for and verify large increases and decreases in capacity.

Talktome!
LinkedIn:Twitter:
WilsonMar@gmail.com
YouTube:

API Performance Testing at STPcon 2014

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a API Performance Testing at STPcon 2014

Semelhante a API Performance Testing at STPcon 2014 (20)

Último

Último (20)

API Performance Testing at STPcon 2014