An overview of API marketplace, including a deep-dive into authentication and authorization mechanisms at Google, Amazon, and others.
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Performance Testing APIs
@WilsonMar
#STPCon New Orleans
10:45 Thursday, April 17, 2014
http://www.stpcon.com/Session/170/Performance-Testing-API's
Published topic
Today's mobile apps and HTML apps typically make use of AJAX (Asynchronous JavaScript and XML) coding to assemble data from several sources. To uniquely identify users, many websites use third-party services such as Google, Facebook, Twitter, etc. Even though standards such as OAuth have been defined, websites differ in how programs talk with them.
This session examines how some sites are evolving over time, and how developers can collaborate to quickly adapt to the fast change. The pace of change will accelerate due to fundamental new systems being created in response to Wikileaks, Edward Snowden, and RSA adding back door access for the NSA.
During a "deep dive" into the technical differences among the most significant APIs, this session will explore the coding features which programmers of applications and performance testing scripters need to incorporate into their code.
Locus of control in machines, not individual humans
Paradigm of who drives data (diagram)
Demo 1: http://54.188.18.140/demos/PortfolioDemo_Basic/
Demo 2: http://54.188.18.140/demos/DropDownDemo/
http://www.google.com/landing/now/#cards
Customized updates pushed real-time
http://www.addall.com/ (aggregator site)
Aggregators for comparison shopping
Aggregators of aggregators interconnected (diagram of interconnected services)
• Shop: Google, eBay, Amazon, Pinterest, Etsy
• Customer profiles: Google+, Facebook, Amazon, Twitter
• Travel, Routes: Google Maps (Waze), Bing, Yahoo
• Packages (Ship, Track): Google Now, USPS, UPS, FedEx
• Pay, Buy: Google Wallet, PayPal, Amazon, Visa, Stripe, Square
• Inventory, Evaluations
http://apicommons.org/apis.html
Taxonomy of APIs
Businesses, Companies, Events (Calendars), Images, Jobs, Offices, Shops, Stores, Videos, People, Names (Teams), Programs, Projects, Tasks, Products, Publications, Places, Music, Sounds
Mash-up: APIs about each data element (diagram)
Postal/Zip code, Phone area code, Phone number, Email address, Website URLs, Street address, Country code, Social handles, Domain names
Mash-up: APIs for each data element (diagram; labels recovered below)
Data elements: Postal/Zip code, Phone number, Phone area code, Phone country, Country code, Email address, Website URLs, IP address, Street address, Social handles, Domain names, Proper names
Lookups derived from them: weather, short URL, longitude & latitude, face photo, videos & pics, map areas, QR code image, IP black-listed?, account valid?, ratings & reviews, ping()/DNS, sound, parameter lookup, country lists, address valid?, location of IP, time zones
Services named: Trulioo, UPS, Yelp, Gravatar, bit.ly, Google, UofAustin ips list, MelissaData, census.gov, etc., Symantec Snap app, Weather Underground, ip2location, Flickr, Facebook, Yahoo, Alexa, Forvo, Twilio
Authentication noted per API: no auth., secrets, MD5(), SHA/Sign(), OAuth 1.0a, OAuth 2
Amazon.com stores around the world
http://www.amazon.com/gp/feature.html?docId=487250
Northern Virginia: amazon.com
amazon.uk, amazon.fr, amazon.gb, amazon.at, amazon.it, amazon.es
amazon.jp
amazon.au, amazon.br
amazon.cn (joyo.com)
amazon.ca
http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_ResponseGroupsList.html
SearchIndex (Type / Product)
Category / Department: Books, DigitalMusic, DVD, Magazines, MobileApps, Music, MusicTracks, MP3Downloads, Photo, Software, UnboxVideo, VHS, Video, VideoGames
Store: Apparel, Appliances, ArtsAndCrafts, Automotive, Grocery, Electronics, Jewelry, MusicalInstruments, PCHardware, Shoes, SportingGoods, Tools, Toys, Watches, Wireless, WirelessAccessories, Baby, PetSupplies, Beauty, HealthPersonalCare, HomeGarden, Industrial, Kitchen, LawnGarden, OfficeProducts, OutdoorLiving
Media: Blended, Classical, Collectibles, KindleStore, Marketplace, Merchants, Miscellaneous
http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_OperationListAlphabetical.html
Operations verbs
CartCreate
CartAdd
CartClear
CartGet
CartModify
ItemLookup
ItemSearch
SimilarityLookup
BrowseNodeLookup
http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_ResponseGroupsList.html
Response Groups (among 55)
Cart
CartNewReleases
CartTopSellers
CartSimilarities
Large
Medium
Small
Images
ItemIds
ItemAttributes
RelatedItems
NewReleases
TopSellers
Similarities
MostGifted
MostWishedFor
AlternateVersions
Variations
VariationMatrix
VariationImages
VariationOffers
VariationSummary
SearchBins
Accessories
Offers
OfferSummary
OfferFull
OfferListings
PromotionSummary
BrowseNodeInfo
BrowseNodes
Tracks
Request
SalesRank
Reviews
EditorialReview
http://docs.aws.amazon.com/AWSECommerceService/latest/DG/BasicAuthProcess.html
Amazon Product API REST request processing (flow diagram; labels: Amazon, OK?)
http://docs.aws.amazon.com/AWSECommerceService/latest/DG/AnatomyOfaRESTRequest.html
Amazon Product API REST request
http://webservices.amazon.com/onca/xml?
AssociateTag=[ID]&
AWSAccessKeyId=[Access Key ID]&
Keywords=Shirt&
Operation=ItemSearch&
ResponseGroup=Offers%2CImages%2CReviews&
SearchIndex=Apparel&
Service=AWSECommerceService&
Version=2011-08-01&
Timestamp=[YYYY-MM-DDThh:mm:ssZ]&
Signature=[Request Signature]
Notes on the diagram:
• Different endpoint URI and Associate Tag for each country.
• A space ends the request.
• The name=value pairs are listed alphabetically before signing.
• The "dummy" Secret Access Key in the documentation example is 1234567890.
• Timestamp format per http://www.w3.org/TR/xmlschema-2/#dateTime.
• Signature: RFC 2104 base64-encoded HMAC-SHA256 of the request.
• Escape + , ; in parameter values.
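The signing procedure the annotations above describe, written out as an added example for this page (it is not code from AWS or from the presentation). It assumes the string-to-sign layout from the Product Advertising API signature documentation (method, host, path and the sorted query on four lines), a placeholder access key id and Associate Tag, and the slide's "dummy" secret key; the verify_request function shows the check the receiving side performs, with a constant-time comparison.

```python
# Added example for this page (not code from AWS or the presentation):
# build, sign and verify an Amazon Product Advertising API REST request
# following the anatomy shown on the slide.
import base64
import hashlib
import hmac
import urllib.parse

ENDPOINT_HOST = "webservices.amazon.com"   # endpoint differs per country store
ENDPOINT_PATH = "/onca/xml"
DUMMY_SECRET_KEY = "1234567890"            # the "dummy" Secret Access Key from the slide

# Constructed sample request mirroring the slide; key id and tag are placeholders.
SAMPLE_PARAMS = {
    "Service": "AWSECommerceService",
    "AWSAccessKeyId": "AKIA-PLACEHOLDER-KEY-ID",
    "AssociateTag": "placeholder-tag-20",
    "Operation": "ItemSearch",
    "SearchIndex": "Apparel",
    "Keywords": "Shirt",
    "ResponseGroup": "Offers,Images,Reviews",
    "Version": "2011-08-01",
    "Timestamp": "2014-04-17T10:45:00Z",
}


def rfc3986_encode(value):
    """Percent-encode so that only A-Z a-z 0-9 - _ . ~ stay literal:
    '+', ',' and ';' become %2B, %2C and %3B, a space becomes %20."""
    return urllib.parse.quote(value, safe="-_.~")


def canonical_query(params):
    """Sort the name=value pairs by byte order of the name and join with '&'."""
    pairs = sorted((rfc3986_encode(k), rfc3986_encode(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def string_to_sign(method, host, path, query):
    """Assumed layout from the signature documentation: four lines joined by LF."""
    return "\n".join([method, host, path, query])


def sign_request(params, secret_key, method="GET"):
    """Return (full_url, signature); signature = base64(HMAC-SHA256(secret, string_to_sign))."""
    query = canonical_query(params)
    payload = string_to_sign(method, ENDPOINT_HOST, ENDPOINT_PATH, query).encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), payload, hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("ascii")
    url = f"http://{ENDPOINT_HOST}{ENDPOINT_PATH}?{query}&Signature={rfc3986_encode(signature)}"
    return url, signature


def verify_request(url, secret_key, method="GET"):
    """Server-side check: strip Signature, recompute it, compare in constant time."""
    parsed = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parsed.query, keep_blank_values=True)
    presented = dict(pairs).get("Signature")
    if presented is None:
        return False
    params = {k: v for k, v in pairs if k != "Signature"}
    _, expected = sign_request(params, secret_key, method)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    signed_url, sig = sign_request(SAMPLE_PARAMS, DUMMY_SECRET_KEY)
    print(signed_url)
    print("verifies:", verify_request(signed_url, DUMMY_SECRET_KEY))
```

Any change to a parameter after signing (a different keyword, a stale timestamp that was re-used, a swapped response group) makes recomputation disagree, which is why a load-test script must re-sign each request rather than replaying a recorded Signature value.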
http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CommonRequestParameters.html
Amazon response XMLEscaping
XMLEscaping=Single
The default: one encoding pass. The ampersand character (&) is returned in its regular XML encoding (&amp;).
XMLEscaping=Double
The ampersand character (&) is XML-encoded twice (&amp;amp;), for PHP, which does not decode text within XML elements.
http://docs.aws.amazon.com/AWSECommerceService/latest/DG/DebuggingParameters.html
Amazon request validation
Validate=False
The default.
Validate=True
Process the request without actually executing it.
Returns isValid="True" or "False".
Other Authentication and Authorization
3rd party authentication web services
• Google (Maps, etc.)
• Amazon
• Facebook (Parse, acquired 2013)
• Yahoo
• Microsoft (Bing maps)
• etc.
https://dev.trulioo.com/apiGuide/truDetect?
JSON response sample
{"ok": true, "result": {
  "score": "60", "transaction_id": "d8ad1829-9abc-4d84-5383-3a13a32f4092"
} }
Returns a binary response status ("ok": true or false).
Exchanges a mutual GUID (transaction_id) for unique mutual tracking.
Less verbose than XML. More verbose than HTML5 WebSockets.
Authentication vs. Authorization
Authentication: the first thing; decides whether to allow authorization; based on user credentials; output: session token.
Authorization: occurs after authentication; decides whether to allow use of resources; based on the authentication token; output: requested resource.
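The two columns above as one small flow, written as an added example for this page (not code from the presentation or any vendor): authenticate() takes credentials and hands back an opaque session token, and authorize() takes that token plus the scope a resource needs and returns either the resource or a 401/403. The user store, the scope names and the 1800-second session lifetime are constructed values; the password hashing is a plain salted SHA-256 to keep the example dependency-free, where a real service would use a slow hash such as bcrypt, scrypt or Argon2.

```python
# Added example for this page (not from the presentation): separating
# authentication (credentials -> session token) from authorization
# (token -> requested resource).
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 1800   # constructed lifetime


def _hash_password(password, salt):
    """Salted SHA-256 for the demo only; use a slow password hash in production."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed user store: salt, password hash and the scopes each user holds.
USERS = {
    "jlpicard": {"salt": "s1", "pw_hash": _hash_password("Changeme1", "s1"),
                 "scopes": {"accounts:read"}},
    "admin":    {"salt": "s2", "pw_hash": _hash_password("Adm1n-demo", "s2"),
                 "scopes": {"accounts:read", "accounts:write"}},
}
SESSIONS = {}   # token -> {"user": ..., "expires": ...}


def authenticate(username, password, now=None):
    """Step 1: verify credentials. Output is an opaque session token, or None."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    # Hash against a dummy record when the user is unknown so that response
    # timing does not reveal which usernames exist.
    salt, stored = (user["salt"], user["pw_hash"]) if user else ("x", _hash_password("", "x"))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if user is None or not ok:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    return token


def authorize(token, required_scope, now=None):
    """Step 2: decide from the token alone whether the caller may use the resource."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return 401, "unknown or missing token"
    if now >= session["expires"]:
        SESSIONS.pop(token, None)          # expired tokens are forgotten, not reused
        return 401, "token expired"
    if required_scope not in USERS[session["user"]]["scopes"]:
        return 403, f"{session['user']} lacks scope {required_scope}"
    return 200, f"resource granted to {session['user']}"


if __name__ == "__main__":
    t = authenticate("jlpicard", "Changeme1")
    print(authorize(t, "accounts:read"))    # (200, ...)
    print(authorize(t, "accounts:write"))   # (403, ...)
```

The split matters for test design: a performance script obtains the token once per virtual user and then exercises the authorization path on every call, so token expiry (the 401 after SESSION_TTL_SECONDS) is one of the failure modes a long-running test must handle.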
http://docs.stormpath.com/rest/quickstart/
Sample request in Curl
curl -X POST --user $YOUR_API_KEY_ID:$YOUR_API_KEY_SECRET \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "givenName": "Jean-Luc",
    "surname": "Picard",
    "username": "jlpicard",
    "email": "[email protected]",
    "password": "Changeme1"
  }' \
  "https://api.stormpath.com/v1/applications/$YOUR_APPLICATION_ID/accounts"
Sample request in LoadRunner script
lr_save_string("3xFb1EU6dYCXBHXEa…", "stormpath_app_id");
web_set_user("1PHM75I…", "AC7fw+efr2xM831Q…", "");
web_add_header("Accept", "application/json");
web_custom_request("AddAcct",
    "URL=https://api.stormpath.com/v1/accounts/{stormpath_app_id}",
    "Method=POST",
    "Resource=0",
    "EncType=application/json",
    "Mode=HTTP",
    "Body={"
        "\"givenName\": \"{user_givenName}\","
        "\"surname\": \"{user_surname}\","
        "\"username\": \"{user_acctname}\","
        "\"email\": \"{user_email}\","
        "\"password\": \"{user_password}\""
    "}",
    LAST);
Name variables with a consistent prefix of the data file to iterate through.
Variables for reuse.
Automated handling of credentials and headers.
Errors to test for
Would repeating requests with same data create dups?
Would unrecognized fields be ignored?
How long before credentials expire?
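One way to turn those three questions into automated checks, added here as an example (not code from the presentation, Stormpath or LoadRunner). The check functions are written against any post_account callable that returns (status, body); FakeAccountApi, its one-hour credential lifetime and the sample account body are constructed stand-ins so the harness runs offline, and a real run would point the same checks at the live endpoint.

```python
# Added example for this page: automated checks for duplicate creation,
# unknown-field handling and credential expiry against an account-creation API.
import uuid


class FakeAccountApi:
    """Constructed stand-in for the endpoint: rejects duplicate usernames,
    drops unknown fields, and treats API credentials as valid for a fixed lifetime."""
    KNOWN_FIELDS = {"givenName", "surname", "username", "email", "password"}
    CREDENTIAL_TTL = 3600  # seconds, constructed value

    def __init__(self, key_id, key_secret, issued_at):
        self._cred = (key_id, key_secret, issued_at)
        self.accounts = {}

    def post_account(self, key_id, key_secret, body, now):
        kid, ksec, issued = self._cred
        if (key_id, key_secret) != (kid, ksec) or now - issued > self.CREDENTIAL_TTL:
            return 401, {"error": "invalid or expired credentials"}
        if body.get("username") in self.accounts:
            return 409, {"error": "username already exists"}
        record = {k: v for k, v in body.items() if k in self.KNOWN_FIELDS}
        record["href"] = f"/v1/accounts/{uuid.uuid4()}"
        self.accounts[record["username"]] = record
        return 201, record


# Constructed sample input; the credentials are placeholders, not real keys.
CREDS = ("KEY-ID-PLACEHOLDER", "KEY-SECRET-PLACEHOLDER")
SAMPLE_BODY = {"givenName": "Jean-Luc", "surname": "Picard", "username": "jlpicard",
               "email": "jlpicard@example.com", "password": "Changeme1"}


def check_duplicate_post(api, creds, body, now):
    """Repeat the same POST. A second 201 with a different href means a duplicate was created."""
    first = api.post_account(*creds, body, now)
    second = api.post_account(*creds, body, now)
    duplicate = second[0] == 201 and second[1]["href"] != first[1]["href"]
    return {"first_status": first[0], "second_status": second[0], "duplicate_created": duplicate}


def check_unknown_field(api, creds, body, now):
    """Send an unrecognized field; report whether it was ignored, stored, or rejected."""
    status, result = api.post_account(*creds, dict(body, favoriteShip="Enterprise"), now)
    if status != 201:
        return "rejected"
    return "stored" if "favoriteShip" in result else "ignored"


def probe_credential_expiry(api, creds, body_factory, issued_at, step=600, limit=7200):
    """Advance the clock in steps until the credentials stop working (401);
    return the elapsed seconds at which that happened, or None within the limit."""
    elapsed = 0
    while elapsed <= limit:
        status, _ = api.post_account(*creds, body_factory(elapsed), issued_at + elapsed)
        if status == 401:
            return elapsed
        elapsed += step
    return None


if __name__ == "__main__":
    api = FakeAccountApi(*CREDS, issued_at=0)
    print(check_duplicate_post(api, CREDS, SAMPLE_BODY, now=1))
    print(check_unknown_field(FakeAccountApi(*CREDS, issued_at=0), CREDS, SAMPLE_BODY, now=1))
    print(probe_credential_expiry(FakeAccountApi(*CREDS, issued_at=0), CREDS,
                                  lambda t: dict(SAMPLE_BODY, username=f"user{t}"), issued_at=0))
```

The expiry probe gives each attempt a fresh username so that a 409 from the duplicate rule cannot be mistaken for a credential failure; the same separation of failure causes is what makes the resulting error counts meaningful in a load test.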
http://www.yelp.com/developers/documentation/v2/authentication
Yelp.com v2 uses OAuth 1.0a
https://developers.google.com/accounts/docs/OAuth2ServiceAccount
Google web service calls (flow diagram; labels recovered below)
Google APIs Console: a specific API project under a Google account, with a service account (service email) and a .p12 file (fingerprint; password "notasecret").
Script functions shown: oauth_load_privatekey(), oauth_encode_base64(), oauth_sign_rsa_sha256(), oauth_url_escape().
Flow: JWT (JSON Web Token) body with Current Time and Expire Time (good for 1800 seconds) → encoded signature → JWT Assertion posted to https://accounts.google.com/o/oauth2/token → Access Token → call to https://www.googleapis.com/urlshortener/v1/url with URLtoShorten in the body → Short URL (JSON) for long URLs.
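The JWT assertion step of that flow, as an added example for this page (not Google's code and not the presentation's LoadRunner functions): build_assertion() assembles the header, the claim set with iat and exp 1800 seconds apart, and the signature over the two base64url segments, and verify_assertion() shows the checks the receiving side makes on signature, audience and the validity window. Google requires RS256 with the private key from the service account's .p12 file; because the standard library has no RSA, this example substitutes an HMAC-SHA256 signer (an assumption, named as such in the code) behind a pluggable signer function, so the JWT assembly and the expiry handling are exactly as they would be with RS256. The service email and scope URL are placeholders.

```python
# Added example for this page: JWT assertion assembly and verification for a
# service-account token request. HS256 stands in for Google's required RS256.
import base64
import hashlib
import hmac
import json

TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
ASSERTION_LIFETIME = 1800   # seconds; "Good for 1800 seconds" on the slide


def b64url(data):
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hmac_signer(secret):
    """Stand-in signer (assumption): HMAC-SHA256 instead of RSA-SHA256 over the .p12 key."""
    return lambda signing_input: hmac.new(secret, signing_input, hashlib.sha256).digest()


def build_assertion(service_email, scope, now, signer, alg="HS256"):
    """header.claims.signature, each segment base64url-encoded."""
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": service_email, "scope": scope, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + ASSERTION_LIFETIME}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8")))
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def token_request_body(assertion):
    """Form fields POSTed to the token endpoint in exchange for an access token."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": assertion}


def verify_assertion(jwt, signer, now):
    """Receiver's checks: signature over header.claims, audience, iat/exp window.
    With RS256 the receiver would verify with the public key instead of re-signing."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h, c, s = parts
    if not hmac.compare_digest(b64url(signer((h + "." + c).encode("ascii"))), s):
        return False, "bad signature"
    claims = json.loads(b64url_decode(c))
    if claims.get("aud") != TOKEN_ENDPOINT:
        return False, "wrong audience"
    if not (claims["iat"] <= now < claims["exp"]):
        return False, "expired or not yet valid"
    return True, claims["iss"]


if __name__ == "__main__":
    import time
    signer = hmac_signer(b"constructed-demo-secret")
    jwt = build_assertion("placeholder@example.iam.gserviceaccount.com",
                          "https://www.googleapis.com/auth/urlshortener", int(time.time()), signer)
    print(token_request_body(jwt))
    print(verify_assertion(jwt, signer, int(time.time())))
```

The 1800-second window is the part a performance script gets wrong most often: an assertion built once at script start stops being accepted after 30 minutes, so build_assertion() must run again (or the access token it bought must be refreshed) inside long iterations.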
Programming languages in sample code (table; cell contents not recovered)
Languages: C (LoadRunner), Ruby, Python
Services compared: IP2Location, Parse (Facebook), FedEx
https://parse.com/docs/api_libraries
File handling to/from public repositories (diagram)
Local Git repos, public GitHub repo, secure repo.
Shell script to automate extra-secure file operations.
Labels: upload script, download script, private files, public files, .gitignore.
UI performance test run types (diagram)
• Landing UI (click Login for dialog)
• Login UI
• Register (Name, Address, etc.)
• Menu (Menu item 1, Menu item 2)
• Sequential transaction flow: Add, Retrieve 1, List, Change, Delete
• Logout UI
API performance test run types (diagram)
• Landing UI
• Register (Name, Address, etc.)
• Menu (Menu item 1, Menu item 2)
• Login: request session token
• Discrete transactions: POST, GET 1, GET all, PUT, DELETE
• Logout (session end / timeout)
API characterization & performance metrics
# Registrations
# Credentials (Users)
# Fields
# Sessions
# Completions
# Timeouts
# Attempts
# Run Types
# Run Cycles
# Iterations in run
# Files
# Resource Hits
# Bytes transferred
# Exchanges (messages)
# Searches
# Variations in data
# Add
# Retrieve
# List collection
# Updates
# Delete
Continuous load verification worldwide (diagram)
Test Controller drives load from 9 Amazon AWS EC2 regions against the AUT (application under test), alongside end users.
APIs connect securely on standard ports.
API for Jenkins to control LR (LoadRunner) for Continuous Testing.
Benchmark performance of security operations? (chart: acceptable delay vs. extent of processing)
A: minimal processing for fast response
B: strong encryption for security, but slower
Points on the axis: No authentication, OAuth 1.0a, OAuth 2.0
How frequently are access keys refreshed? (chart: acceptable delay vs. longevity of access keys)
A: infrequent for fast response (weeks)
B: frequent for security (30 minutes; max. 120 minutes, client configurable)
Value of local functionality? (chart: acceptable latency vs. locality of data)
A: on device for fast response
B: remote for distributed access
Examples named: Craigslist.com, Evernote.com, Akamai.com
Tune low-level transmission settings? (chart: acceptable latency vs. data transmitted per burst)
A: small bursts, each for fast response
B: large bursts for offline analysis
Examples named: Spritz.com, Hibernate
Immersive experiences with fall-back? (chart: acceptable latency vs. data transmitted per request)
A: few files for faster response
B: many files for a more immersive user experience
Examples named: Google.com, Pinterest.com, Bing.com
@WilsonMar
• APIs enable comparison shopping among competing sites [addall.com]
• APIs assimilate data unique to the interests and needs of each user [Google Now]
• Some services require certification to access. Some don’t. [FedEx]
• Avoid limiting permissions to browse and search [USPS, FedEx, UPS]
• Support several programming languages [FedEx vs. Parse]
• Support different versions of IDE (Eclipse, Visual Studio 2005 and 2013)
• Respond with JSON (as well as XML/SOAP)
• Provide sample calls in Curl format
@WilsonMar - Calls to Action
• Manage web service usage by groups and other attributes of individuals.
• Protect against spammers by validating data values as real entities.
• Design for enterprise usage, with usage tracking and monitoring.
• Move from easier OAuth 2.0 to more secure OAuth 1.0a with certificates (Yelp).
• Have a rapid approach to quickly change encryption keys everywhere.
• Measure, eliminate, and virtualize network latency effects, worldwide.
• Test widely and continuously to detect integration breakage.
• Conduct real user monitoring to detect breakage in production.
• Design for and verify large increases and decreases in capacity.
Talk to me!