API Performance Testing at STPcon 2014

DESCRIPTION

An overview of API marketplace, including a deep-dive into authentication and authorization mechanisms at Google, Amazon, and others.

Page 1: API Performance Testing at STPcon 2014

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Performance Testing APIs

@WilsonMar

#STPCon New Orleans

10:45 Thursday, April 17, 2014

Page 2: API Performance Testing at STPcon 2014

http://www.stpcon.com/Session/170/Performance-Testing-API's

Published topic

Today's mobile apps and HTML apps typically make use of AJAX (Asynchronous JavaScript) coding to assemble data from several sources. To uniquely identify users, many websites use third-party services such as Google, Facebook, Twitter, etc. Even though standards such as OAuth have been defined, websites differ in how programs talk with them.

This session examines how some sites are evolving over time, and how developers can collaborate to quickly adapt to the fast change. The pace of change will accelerate due to fundamental new systems being created in response to Wikileaks, Edward Snowden, and RSA adding back door access for the NSA.

During a "deep dive" into the technical differences among the most significant APIs, this session will explore the coding features which programmers of applications and performance testing scripters need to incorporate into their code.

Page 3: API Performance Testing at STPcon 2014

Paradigm of who drives data

Locus of control in machines, not individual humans

Demo 1: http://54.188.18.140/demos/PortfolioDemo_Basic/
Demo 2: http://54.188.18.140/demos/DropDownDemo/

Page 4: API Performance Testing at STPcon 2014

http://www.google.com/landing/now/#cards

Customized updates pushed real-time

Page 5: API Performance Testing at STPcon 2014

http://www.addall.com/ (aggregator site)

Aggregators for comparison shopping

Page 6: API Performance Testing at STPcon 2014

Aggregators of aggregators interconnected (diagram; node labels reconstructed from the slide)

Shop (inventory, evaluations): Google, eBay, Amazon, Pinterest, Etsy
Customer profiles: Google+, Facebook, Amazon, Twitter, LinkedIn
Travel, routes: Google Maps (Waze), Bing, Yahoo
Packages (ship, track): Google Now, USPS, UPS, FedEx
Pay, buy (payments): Google Wallet, PayPal, Amazon, Visa, Stripe, Square

Page 7: API Performance Testing at STPcon 2014

http://apicommons.org/apis.html

Taxonomy of APIs: Businesses, Companies, Events (Calendars), Images, Jobs, Offices, Shops, Stores, Videos, People, Names (Teams), Programs, Projects, Tasks, Products, Publications, Places, Music, Sounds

Page 8: API Performance Testing at STPcon 2014

Mash-up: APIs about each data element

Data elements: Postal/Zip code, Phone area code, Phone number, Email address, Website URLs, Street address, Country code, Social handles, Domain names

Page 9: API Performance Testing at STPcon 2014

Mash-up: APIs for each data element (diagram; the links between nodes are not recoverable from the slide text)

Data elements: Postal/Zip code, Phone number, Email address, Website URLs, IP address, Domain names, Street address, Social handles, Proper names, Phone area code, Country code

Derived data and lookups: weather, short URL, longitude & latitude, face photo, videos & pics, map areas, QR code image, IP black-listed?, account valid?, ratings & reviews, ping()/DNS, sound, parameter lookup, country lists, address valid?, phone country, location of IP, time zones

Authentication methods noted: no auth, secrets with OAuth 1, OAuth 1.0a, OAuth 2, MD5(), SHA/Sign()

Providers named: Trulioo, UPS, Yelp, Gravatar, bit.ly, Google, UofAustin IPs list, MelissaData, census.gov etc., Symantec Snap app, Weather Underground, ip2location, Flickr, Facebook, Yahoo, Alexa, Forvo, Twilio

Page 10: API Performance Testing at STPcon 2014

Amazon.com stores around the world

http://www.amazon.com/gp/feature.html?docId=487250

amazon.com (Northern Virginia), amazon.uk, amazon.fr, amazon.gb, amazon.at, amazon.it, amazon.es, amazon.jp, amazon.au, amazon.br, amazon.cn (joyo.com), amazon.ca

Page 11: API Performance Testing at STPcon 2014

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_ResponseGroupsList.html

SearchIndex (Type/Product)

Category/Department: Books, DigitalMusic, DVD, Magazines, MobileApps, Music, MusicTracks, MP3Downloads, Photo, Software, UnboxVideo, VHS, Video, VideoGames

Store: Apparel, Appliances, ArtsAndCrafts, Automotive, Grocery, Electronics, Jewelry, MusicalInstruments, PCHardware, Shoes, SportingGoods, Tools, Toys, Watches, Wireless, WirelessAccessories, Baby, PetSupplies, Beauty, HealthPersonalCare, HomeGarden, Industrial, Kitchen, LawnGarden, OfficeProducts, OutdoorLiving

Media: Blended, Classical, Collectibles, KindleStore, Marketplace, Merchants, Miscellaneous

Page 12: API Performance Testing at STPcon 2014

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_OperationListAlphabetical.html

Operations verbs

CartCreate

CartAdd

CartClear

CartGet

CartModify

ItemLookup

ItemSearch

SimilarityLookup

BrowseNodeLookup

Page 13: API Performance Testing at STPcon 2014

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_ResponseGroupsList.html

Response Groups (among 55)

Cart, CartNewReleases, CartTopSellers, CartSimilarities, Large, Medium, Small, Images, ItemIds, ItemAttributes, RelatedItems, NewReleases, TopSellers, Similarities, MostGifted, MostWishedFor, AlternateVersions, Variations, VariationMatrix, VariationImages, VariationOffers, VariationSummary, SearchBins, Accessories, Offers, OfferSummary, OfferFull, OfferListings, PromotionSummary, BrowseNodeInfo, BrowseNodes, Tracks, Request, SalesRank, Reviews, EditorialReview

Page 14: API Performance Testing at STPcon 2014

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/BasicAuthProcess.html

Amazon Product API REST request processing

(Flow diagram: signed request → Amazon → OK?)

Page 15: API Performance Testing at STPcon 2014

Amazon Product API REST request

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/AnatomyOfaRESTRequest.html

    http://webservices.amazon.com/onca/xml?
    AWSAccessKeyId=[Access Key ID]&
    AssociateTag=[ID]&
    Keywords=Shirt&
    Operation=ItemSearch&
    ResponseGroup=Offers%2CImages%2CReviews&
    SearchIndex=Apparel&
    Service=AWSECommerceService&
    Timestamp=[YYYY-MM-DDThh:mm:ssZ]&
    Version=2011-08-01&
    Signature=[Request Signature]

Slide annotations:

• Different endpoint URI and Associate Tag for each country.
• The name=value pairs are listed alphabetically to sign; a space ends the request.
• Escape "+", "," and ";" in values.
• Timestamp format: http://www.w3.org/TR/xmlschema-2/#dateTime
• Signature: RFC 2104 base64-encoded HMAC-SHA256 of the request, keyed with the Secret Access Key (the slide's "dummy" key is 1234567890).
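The signing steps the two slides above describe (sort the name=value pairs, RFC 3986-encode them, HMAC-SHA256 the string-to-sign with the secret key, base64 the result) and the "OK?" check Amazon performs on the other side, as an added example written for this page rather than code from the talk or from Amazon. The string-to-sign layout (verb, host, path, canonical query on separate lines) is assumed from the Product Advertising API documentation; the access key id, associate tag and timestamp are constructed sample values.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample credentials; the slide's "dummy" secret is 1234567890.
ACCESS_KEY_ID = "AKIAEXAMPLE"
SECRET_ACCESS_KEY = "1234567890"
ENDPOINT = "http://webservices.amazon.com/onca/xml"

SAMPLE_PARAMS = {                       # the request shown on the slide
    "AWSAccessKeyId": ACCESS_KEY_ID,
    "AssociateTag": "mytag-20",          # constructed
    "Keywords": "Shirt",
    "Operation": "ItemSearch",
    "ResponseGroup": "Offers,Images,Reviews",
    "SearchIndex": "Apparel",
    "Service": "AWSECommerceService",
    "Timestamp": "2014-04-17T10:45:00Z", # constructed
    "Version": "2011-08-01",
}


def canonical_query(params):
    """Sort pairs by byte order and RFC 3986-encode names and values
    (only A-Z a-z 0-9 - _ . ~ stay unescaped, so ',' becomes %2C)."""
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def string_to_sign(method, host, path, canonical):
    # Layout assumed from the AWS docs: verb, host, path, canonical query string.
    return "\n".join([method, host, path, canonical])


def sign(secret, text):
    """RFC 2104 HMAC-SHA256, base64-encoded (44 characters for a 32-byte digest)."""
    digest = hmac.new(secret.encode("utf-8"), text.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signed_url(params, secret=SECRET_ACCESS_KEY, endpoint=ENDPOINT):
    parts = urlsplit(endpoint)
    canonical = canonical_query(params)
    signature = sign(secret, string_to_sign("GET", parts.netloc, parts.path, canonical))
    # The signature itself is a value, so it is escaped like any other ('+' -> %2B).
    return f"{endpoint}?{canonical}&Signature={quote(signature, safe='-_.~')}"


def verify_signed_url(url, secret=SECRET_ACCESS_KEY, now=None, max_skew=timedelta(minutes=15)):
    """Server-side 'OK?' check: recompute the signature over every pair except
    Signature, compare in constant time, then reject stale timestamps so a
    captured request cannot be replayed indefinitely."""
    parts = urlsplit(url)
    pairs = dict(parse_qsl(parts.query, keep_blank_values=True))   # decodes %XX
    presented = pairs.pop("Signature", None)
    if presented is None:
        return False, "missing Signature"
    expected = sign(secret, string_to_sign("GET", parts.netloc, parts.path, canonical_query(pairs)))
    if not hmac.compare_digest(presented, expected):
        return False, "bad signature"
    try:
        ts = datetime.strptime(pairs["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False, "missing or malformed Timestamp"
    now = now or datetime.now(timezone.utc)
    if abs(now - ts) > max_skew:
        return False, "Timestamp outside acceptance window"
    return True, "ok"


if __name__ == "__main__":
    signed = build_signed_url(SAMPLE_PARAMS)
    print(signed)
    print(verify_signed_url(signed, now=datetime(2014, 4, 17, 10, 50, tzinfo=timezone.utc)))
```

Because the canonical string is rebuilt from the decoded pairs, the verifier accepts a request only if every parameter, including Keywords and Timestamp, is exactly what the client signed; changing one character of any value or using the wrong secret fails the constant-time comparison before the timestamp is even looked at.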

Page 16: API Performance Testing at STPcon 2014

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CommonRequestParameters.html

Amazon response XMLEscaping

XMLEscaping=Single (the default number of passes): the ampersand character (&) is returned in its regular XML encoding (&amp;).

XMLEscaping=Double: the ampersand character (&) is XML-encoded twice (&amp;amp;), for PHP, which does not decode text within XML elements.
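What the two settings mean for a client, as an added example (not from the talk or from Amazon): the XML parser performs one decode, so XMLEscaping=Double needs exactly one more, and applying that extra decode to a Single-escaped response turns text a user literally typed into markup. The responses below are constructed samples, not real Product API output.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import unescape

# Constructed responses for an item titled: Tom & Jerry <Collector's Edition>
SINGLE_ESCAPED = "<Item><Title>Tom &amp; Jerry &lt;Collector's Edition&gt;</Title></Item>"
DOUBLE_ESCAPED = "<Item><Title>Tom &amp;amp; Jerry &amp;lt;Collector's Edition&amp;gt;</Title></Item>"


def read_title(xml_text, xml_escaping="Single"):
    """Decode Title exactly as many times as the request's XMLEscaping asked for.
    The parser already undid one pass; Double means one more pass, never two."""
    title = ET.fromstring(xml_text).findtext("Title")
    if xml_escaping == "Double":
        title = unescape(title, {"&quot;": '"', "&apos;": "'"})
    return title


def decode_count_mismatch_demo():
    """A reviewer literally typed the text &lt;b&gt; (constructed). With Single
    escaping it arrives as &amp;lt;b&amp;gt;. Decoding it once gives the text
    back; decoding it twice manufactures a <b> tag the reviewer never wrote,
    which is how over-decoding turns escaped data into injected markup."""
    single = "<Item><Title>&amp;lt;b&amp;gt;</Title></Item>"
    return read_title(single, "Single"), read_title(single, "Double")


if __name__ == "__main__":
    print(read_title(SINGLE_ESCAPED, "Single"))
    print(read_title(DOUBLE_ESCAPED, "Double"))
    print(decode_count_mismatch_demo())
```

The practical rule: track which XMLEscaping value the request carried and decode by that count, rather than "unescaping until it looks right".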

Page 17: API Performance Testing at STPcon 2014

http://docs.aws.amazon.com/AWSECommerceService/latest/DG/DebuggingParameters.html

Amazon request validation

Validate=False: the default.

Validate=True: processes the request without actually executing it; returns isValid="True" or "False".

Page 18: API Performance Testing at STPcon 2014

Other Authentication and Authorization

Page 19: API Performance Testing at STPcon 2014

Third-party authentication web services

• Google (Maps, etc.)

• Amazon

• Facebook (Parse, acquired 2013)

• Yahoo

• Microsoft (Bing maps)

• Twitter

• LinkedIn

• etc.

Page 20: API Performance Testing at STPcon 2014

https://dev.trulioo.com/apiGuide/truDetect?

JSON response sample

    {"ok": true, "result": {
        "score": "60", "transaction_id": "d8ad1829-9abc-4d84-5383-3a13a32f4092"
    } }

• Returns a binary response status ("ok": true or false).
• Exchanges a mutual GUID (transaction_id) for unique mutual tracking.
• Less verbose than XML; more verbose than HTML5 WebSockets.

Page 21: API Performance Testing at STPcon 2014

Authentication vs. Authorization

Authentication
• First thing
• For whether to allow authorization
• Based on user credentials
• Output: Session token

Authorization
• Occurs after authentication
• For whether to allow use of resources
• Based on authentication token
• Output: Requested resource
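The two columns as runnable code, added here as an illustration and not taken from the talk: authenticate() checks credentials and outputs a session token; authorize() takes that token and decides whether a resource may be used, with the token expiring after a fixed lifetime. The user, password, ACL and salt are constructed demo values, and the function names are this example's own.

```python
import hashlib
import hmac
import secrets
import time

SALT = b"demo-salt"          # constructed; real systems use a random per-user salt
TOKEN_TTL = 1800             # seconds a session token stays valid


def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


USERS = {"jlpicard": hash_pw("Changeme1")}                 # constructed credential store
ACL = {"/accounts/jlpicard": {"jlpicard"}, "/admin/report": {"admin"}}
SESSIONS = {}                                               # token -> (user, expiry)


def authenticate(username, password, now=None):
    """Authentication: based on user credentials; output is a session token or None."""
    now = now if now is not None else time.time()
    stored = USERS.get(username)
    candidate = hash_pw(password)       # computed even for unknown users (uniform timing)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, now + TOKEN_TTL)
    return token


def authorize(token, resource, now=None):
    """Authorization: based on the authentication token; output is the requested
    resource, or an HTTP-style status explaining the refusal."""
    now = now if now is not None else time.time()
    entry = SESSIONS.get(token)
    if entry is None:
        return 401, None                 # not authenticated
    user, expiry = entry
    if now >= expiry:
        SESSIONS.pop(token, None)        # session timeout ends the session
        return 401, None
    if user not in ACL.get(resource, set()):
        return 403, None                 # authenticated, but not permitted here
    return 200, f"resource {resource} for {user}"


if __name__ == "__main__":
    tok = authenticate("jlpicard", "Changeme1")
    print(authorize(tok, "/accounts/jlpicard"))
    print(authorize(tok, "/admin/report"))
```

Note the two distinct refusals: 401 when there is no valid session (wrong, missing or expired token), 403 when the session is valid but the user is not allowed the resource. Keeping them separate is what makes "authentication first, then authorization" testable one step at a time.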

Page 22: API Performance Testing at STPcon 2014

http://docs.stormpath.com/rest/quickstart/

Sample request in Curl

    curl -X POST --user $YOUR_API_KEY_ID:$YOUR_API_KEY_SECRET \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      -d '{
        "givenName": "Jean-Luc",
        "surname": "Picard",
        "username": "jlpicard",
        "email": "[email protected]",
        "password": "Changeme1"
      }' \
      "https://api.stormpath.com/v1/applications/$YOUR_APPLICATION_ID/accounts"

Page 23: API Performance Testing at STPcon 2014

Sample request in LoadRunner script

    lr_save_string("3xFb1EU6dYCXBHXEa…", "stormpath_app_id");
    web_set_user("1PHM75I…", "AC7fw+efr2xM831Q…", "");
    web_add_header("Accept", "application/json");
    web_custom_request("AddAcct",
        "URL=https://api.stormpath.com/v1/accounts/{stormpath_app_id}",
        "Method=POST",
        "Resource=0",
        "EncType=application/json",
        "Mode=HTTP",
        "Body={"
            "\"givenName\": \"{user_givenName}\","
            "\"surname\": \"{user_surname}\","
            "\"username\": \"{user_acctname}\","
            "\"email\": \"{user_email}\","
            "\"password\": \"{user_password}\""
        "}",
        LAST);

Slide annotations:

• Name variables with a consistent prefix of the file to iterate through.
• Variables for reuse.
• Automated handling of credentials and headers.

Page 24: API Performance Testing at STPcon 2014

Errors to test for

Would repeating requests with same data create dups?

Would unrecognized fields be ignored?

How long before credentials expire?

Page 25: API Performance Testing at STPcon 2014

http://www.yelp.com/developers/documentation/v2/authentication

Yelp.com v2 uses OAuth 1.0a

Page 26: API Performance Testing at STPcon 2014

https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Google web service calls

Page 27: API Performance Testing at STPcon 2014

Google web service call flow (diagram; steps reconstructed from the slide labels)

• Google APIs Console → specific API project → Google account → service account (service email, .p12 file fingerprint, .p12 password "notasecret").
• oauth_load_privatekey() loads the private key from the .p12 file.
• Build the JWT (JSON Web Token) body with the current time and the expire time; good for 1800 seconds.
• oauth_sign_rsa_sha256() signs the JWT; oauth_encode_base64() and oauth_url_escape() encode the signature.
• POST the JWT assertion to https://accounts.google.com/o/oauth2/token to obtain an access token.
• Call the endpoint https://www.googleapis.com/urlshortener/v1/url with the URLtoShorten (long URL) in the body; the response is the short URL (JSON).
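The JWT assertion step of that flow, as an added example (not the speaker's LoadRunner helpers and not Google's code): header and claim set are JSON, each base64url-encoded without padding, joined with dots and signed over; the claims carry iat and an exp 1800 seconds later, and the token endpoint rejects the assertion once exp has passed. Google signs with RSA-SHA256 using the .p12 private key; to stay standard-library only, this example signs with HMAC-SHA256 (alg HS256) as a stand-in, which changes the signature primitive but nothing about the structure, encoding or expiry handling. The service email, scope and key are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
ASSERTION_LIFETIME = 1800        # the slide's "good for 1800 seconds"


def b64url(data: bytes) -> str:
    """JWT segments use base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(service_email, scope, signing_key, now=None):
    """header.claims.signature; HS256 here stands in for Google's RS256 (assumption)."""
    iat = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": service_email,
        "scope": scope,
        "aud": TOKEN_ENDPOINT,       # who the assertion is for
        "iat": iat,                  # current time
        "exp": iat + ASSERTION_LIFETIME,   # expire time
    }
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(signing_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def assertion_claims(assertion):
    """Decode the claim set (no verification; for inspection only)."""
    return json.loads(b64url_decode(assertion.split(".")[1]))


def check_assertion(assertion, signing_key, now=None):
    """What a token endpoint verifies before issuing an access token: the
    signature over header.claims, the audience, and the validity window."""
    now = now if now is not None else time.time()
    try:
        h, c, s = assertion.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(signing_key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), expected):
        return False, "bad signature"     # checked before trusting any claim
    claims = json.loads(b64url_decode(c))
    if claims.get("aud") != TOKEN_ENDPOINT:
        return False, "wrong audience"
    if not (claims["iat"] <= now < claims["exp"]):
        return False, "expired or not yet valid"
    return True, claims["iss"]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    jwt = build_assertion("svc@example.iam.gserviceaccount.com",
                          "https://www.googleapis.com/auth/urlshortener", key)
    print(jwt)
    print(check_assertion(jwt, key))
```

For a load test the expiry matters twice: a script that builds one assertion at the start and reuses it for a long run will start failing after 1800 seconds, and a script that builds a fresh assertion per request is measuring signing cost as well as the API.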

Page 28: API Performance Testing at STPcon 2014

Programming languages in sample code (table; cell values not recoverable from the slide text)

Providers compared: IP2Location, Parse (Facebook; https://parse.com/docs/api_libraries), FedEx
Languages asked about: C (LoadRunner)?, Ruby?, Python?, others?

Page 29: API Performance Testing at STPcon 2014

File handling to/from public repositories (diagram)

Repositories: local Git repos, a public GitHub repo, and a secure repo. A shell script automates the extra-secure file operations: an upload script sends private files to the secure repo and a download script retrieves them, while public files go to the public repo with a .gitignore alongside them.

Page 30: API Performance Testing at STPcon 2014

UI performance test run types (diagram)

Landing UI → (click Login for dialog) Login UI → Register (Name, Address, etc.) → Menu (Menu item 1, Menu item 2) → sequential transaction flow: Add, Retrieve 1, List, Change, Delete → Logout UI

Page 31: API Performance Testing at STPcon 2014

API performance test run types (diagram)

Landing UI → Request session token → Login → Register (Name, Address, etc.) → Menu (Menu item 1, Menu item 2) → discrete transactions: POST, GET 1, GET all, PUT, DELETE → Logout (session end / timeout)

Page 32: API Performance Testing at STPcon 2014

API characterization & performance metrics

# Registrations

# Credentials (Users)

# Fields

# Sessions

# Completions

# Timeouts

# Attempts

# Run Types

# Run Cycles

# Iterations in run

# Files

# Resource Hits

# Bytes transferred

# Exchanges (messages)

# Searches

# Variations in data

# Add

# Retrieve

# List collection

# Updates

# Delete
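How several of these counts fall out of an API exchange log, as an added example that is not part of the talk: each line is one exchange, timeouts count as attempts but not completions, and completed calls are bucketed into the Add / Retrieve / List collection / Updates / Delete run types by HTTP verb and path shape (that mapping is this example's assumption). The log format and every line in it are constructed.

```python
import re
from collections import Counter

# Constructed sample log: one line per API exchange in an assumed field=value layout.
SAMPLE_LOG = """\
2014-04-17T10:45:01Z session=s1 user=u1 POST /accounts status=201 bytes=312 ms=180
2014-04-17T10:45:02Z session=s1 user=u1 GET /accounts/1 status=200 bytes=540 ms=95
2014-04-17T10:45:03Z session=s2 user=u2 POST /accounts status=504 bytes=0 ms=30000 timeout=1
2014-04-17T10:45:04Z session=s2 user=u2 POST /accounts status=201 bytes=310 ms=210
2014-04-17T10:45:05Z session=s1 user=u1 GET /accounts status=200 bytes=4120 ms=140
2014-04-17T10:45:06Z session=s1 user=u1 PUT /accounts/1 status=200 bytes=330 ms=120
2014-04-17T10:45:07Z session=s3 user=u3 DELETE /accounts/2 status=401 bytes=88 ms=40
2014-04-17T10:45:08Z session=s1 user=u1 DELETE /accounts/1 status=204 bytes=0 ms=110
"""

LINE_RE = re.compile(
    r"session=(?P<session>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"status=(?P<status>\d+) bytes=(?P<bytes>\d+) ms=(?P<ms>\d+)"
)


def run_type(method, path):
    """Assumed mapping of verb + path shape onto the slide's transaction types."""
    if method == "POST":
        return "Add"
    if method == "GET":
        return "Retrieve" if re.search(r"/\d+$", path) else "List collection"
    if method == "PUT":
        return "Updates"
    if method == "DELETE":
        return "Delete"
    return "Other"


def characterize(log_text):
    """Tally the slide's counters from the log; returns a plain dict."""
    counts = Counter()
    sessions, users, latencies = set(), set(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                          # not an exchange line
        counts["Exchanges"] += 1
        counts["Attempts"] += 1
        counts["Bytes transferred"] += int(m["bytes"])
        sessions.add(m["session"])
        users.add(m["user"])
        status = int(m["status"])
        if "timeout=1" in line or status == 504:
            counts["Timeouts"] += 1           # an attempt that never completed
        elif 200 <= status < 300:
            counts["Completions"] += 1
            counts[run_type(m["method"], m["path"])] += 1
            latencies.append(int(m["ms"]))
        # any other status (for example a 401) stays an attempt only
    counts["Sessions"] = len(sessions)
    counts["Credentials (Users)"] = len(users)
    result = dict(counts)
    result["Median ms (completed)"] = sorted(latencies)[len(latencies) // 2] if latencies else None
    return result


if __name__ == "__main__":
    for name, value in sorted(characterize(SAMPLE_LOG).items()):
        print(f"{name}: {value}")
```

Keeping Attempts, Completions and Timeouts as three separate counters is what lets a run report a completion ratio; folding timeouts into either of the other two hides the failure mode the run was meant to expose.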

Page 33: API Performance Testing at STPcon 2014

Continuous load verification worldwide (diagram)

A Test Controller drives load from 9 Amazon AWS EC2 regions against the AUT (application under test) the way end users reach it; APIs connect securely on standard ports; an API lets Jenkins control LoadRunner (LR) for continuous testing.

Page 34: API Performance Testing at STPcon 2014

Benchmark performance of security operations? (trade-off slider)

Axis: extent of processing vs. acceptable delay.
A: minimal processing for fast response.
B: strong encryption for security, but slower.
Points marked along the axis: No authentication, OAuth 1.0a, OAuth 2.0.

Page 35: API Performance Testing at STPcon 2014

How frequently are access keys refreshed? (trade-off slider)

Axis: longevity of access keys vs. acceptable delay.
A: infrequent refresh for fast response (weeks).
B: frequent refresh for security (30 minutes; max. 120 minutes, client configurable).

Page 36: API Performance Testing at STPcon 2014

Value of local functionality? (trade-off slider)

Axis: locality of data vs. acceptable latency.
A: on device for fast response.
B: remote for distributed access.
Examples marked: Craigslist.com, Evernote.com, Akamai.com.

Page 37: API Performance Testing at STPcon 2014

Tune low-level transmission settings? (trade-off slider)

Axis: data transmitted per burst vs. acceptable latency.
A: small bursts, each for fast response.
B: large bursts for offline analysis.
Examples marked: Spritz.com, Hibernate.

Page 38: API Performance Testing at STPcon 2014

Immersive experiences with fall-back? (trade-off slider)

Axis: data transmitted per request vs. acceptable latency.
A: few files for faster response.
B: many files for a more immersive user experience.
Examples marked: Google.com, Pinterest.com, Bing.com.

Page 39: API Performance Testing at STPcon 2014

@WilsonMar

• APIs enabling comparison shopping among competing sites [addall.com]

• APIs assimilate data unique to the interests and needs of each user [Google Now]

• Some services require certification to access. Some don’t. [FedEx]

• Avoid limiting permissions to browse and search [USPS, FedEx, UPS]

• Support several programming languages [FedEx vs. Parse]

• Support different versions of IDE (Eclipse, Visual Studio 2005 and 2013)

• Respond with JSON (as well as XML/SOAP)

• Provide sample calls in Curl format

Page 40: API Performance Testing at STPcon 2014

@WilsonMar - Calls to Action

• Manage web service usage by groups and other attributes of individuals.

• Protect against spammers by validating data values as real entities.

• Design for enterprise usage, with usage tracking and monitoring.

• Move from easier OAuth 2.0 to more secure OAuth 1.0a with certificates (Yelp).

• Have a rapid approach to quickly change encryption keys everywhere.

• Measure, eliminate, and virtualize network latency effects, worldwide.

• Test widely and continuously to detect integration breakage.

• Conduct real user monitoring to detect breakage in production.

• Design for and verify large increases and decreases in capacity.

Page 41: API Performance Testing at STPcon 2014

Talk to me!

LinkedIn:Twitter:

[email protected]

YouTube: