API Performance Testing at STPcon 2014
An overview of API marketplace, including a deep-dive into authentication and authorization mechanisms at Google, Amazon, and others.

Uploaded as Adobe PDF. Usage rights: © All Rights Reserved.
Presentation Transcript

  • © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Performance Testing APIs. @WilsonMar, #STPCon, New Orleans, 10:45 Thursday, April 17, 2014.
  • Slide 2: http://www.stpcon.com/Session/170/Performance-Testing-API's. Published topic: Today's mobile apps and HTML apps typically use AJAX (Asynchronous JavaScript and XML) code to assemble data from several sources. To uniquely identify users, many websites use third-party services such as Google, Facebook, Twitter, etc. Even though standards such as OAuth have been defined, websites differ in how programs talk with them. This session examines how some sites are evolving over time, and how developers can collaborate to adapt quickly to the fast change. The pace of change will accelerate as fundamentally new systems are created in response to Wikileaks, Edward Snowden, and RSA adding back-door access for the NSA. In a "deep dive" into the technical differences among the most significant APIs, this session explores the coding features that application programmers and performance-test scripters need to incorporate into their code.
  • Slide 4: Paradigm of who drives data: the locus of control is in machines, not individual humans. Demos: (1) http://54.188.18.140/demos/PortfolioDemo_Basic/ (2) http://54.188.18.140/demos/DropDownDemo/
  • Slide 6: http://www.google.com/landing/now/#cards. Customized updates pushed in real time.
  • Slide 7: http://www.addall.com/ (aggregator site). Aggregators for comparison shopping.
  • Slide 8: Aggregators of aggregators, interconnected (diagram). Functions shown: pay/buy, ship, track, inventory, evaluations, shop, customer profiles, payments, travel/routes, packages. Services shown: Google, eBay, Amazon, Pinterest, Etsy, Google+, Facebook, Twitter, LinkedIn, Google Maps (Waze), Bing, Yahoo, Google Now, USPS, UPS, FedEx, Google Wallet, PayPal, Visa, Stripe, Square.
  • Slide 10: http://apicommons.org/apis.html. Taxonomy of APIs: businesses, companies, events (calendars), images, jobs, offices, shops, stores, videos, people, names (teams), programs, projects, tasks, products, publications, places, music, sounds.
  • Slide 14: Mash-up: APIs about each data element: postal/zip code, phone area code, phone number, email address, website URLs, street address, country code, social handles, domain names.
  • Slide 16: Mash-up: APIs for each data element (diagram). Data elements (postal/zip code, phone number, phone area code, country code, email address, website URLs, IP address, street address, domain names, social handles, proper names) are mapped to lookups (weather, short URL, longitude & latitude, face photo via MD5() of the email, videos & pics, map areas, QR code image, "IP black listed?", "account valid?", "address valid?", ratings & reviews, ping(), DNS, sound parm. lookup, location of IP, time zones, country lists) and to providers (Trulioo, UPS, Yelp, Gravatar, bit.ly, Google, UofAustin ipslist, Melissa Data, census.gov, Symantec, Snap app, Weather Underground, ip2location, Flickr, Facebook, Yahoo, Alexa, Forvo, Twilio). Authentication styles noted per API: no auth., secrets, SHA/Sign(), OAuth 1.0a, OAuth2.
  • Slide 18: Amazon.com stores around the world, http://www.amazon.com/gp/feature.html?docId=487250: amazon.com (Northern Virginia), amazon.uk, amazon.fr, amazon.gb, amazon.at, amazon.it, amazon.es, amazon.jp, amazon.au, amazon.br, amazon.cn (joyo.com), amazon.ca.
  • Slide 19: http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_ResponseGroupsList.html. SearchIndex (type/product, category/department): Books, DigitalMusic, DVD, Magazines, MobileApps, Music, MusicTracks, MP3Downloads, Photo, Software, UnboxVideo, VHS, Video, VideoGames. Store: Apparel, Appliances, ArtsAndCrafts, Automotive, Grocery, Electronics, Jewelry, MusicalInstruments, PCHardware, Shoes, SportingGoods, Tools, Toys, Watches, Wireless, WirelessAccessories, Baby, PetSupplies, Beauty, HealthPersonalCare, HomeGarden, Industrial, Kitchen, LawnGarden, OfficeProducts, OutdoorLiving. Media, Blended, Classical, Collectibles, KindleStore, Marketplace, Merchants, Miscellaneous.
  • Slide 20: http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_OperationListAlphabetical.html. Operations (verbs): CartCreate, CartAdd, CartClear, CartGet, CartModify, ItemLookup, ItemSearch, SimilarityLookup, BrowseNodeLookup.
  • Slide 21: http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CHAP_ResponseGroupsList.html. Response Groups (among 55): Cart, CartNewReleases, CartTopSellers, CartSimilarities, Large, Medium, Small, Images, ItemIds, ItemAttributes, RelatedItems, NewReleases, TopSellers, Similarities, MostGifted, MostWishedFor, AlternateVersions, Variations, VariationMatrix, VariationImages, VariationOffers, VariationSummary, SearchBins, Accessories, Offers, OfferSummary, OfferFull, OfferListings, PromotionSummary, BrowseNodeInfo, BrowseNodes, Tracks, Request, SalesRank, Reviews, EditorialReview.
  • Slide 31: http://docs.aws.amazon.com/AWSECommerceService/latest/DG/BasicAuthProcess.html. Amazon Product API REST request processing (flow diagram: the client sends the signed request, Amazon checks it, OK?).
  • Slide 32: http://docs.aws.amazon.com/AWSECommerceService/latest/DG/AnatomyOfaRESTRequest.html. Amazon Product API REST request:
      http://webservices.amazon.com/onca/xml?
      AssociateTag=[ID]&
      AWSAccessKeyId=[Access Key ID]&
      Keywords=Shirt&
      Operation=ItemSearch&
      ResponseGroup=Offers%2CImages%2CReviews&
      SearchIndex=Apparel&
      Service=AWSECommerceService&
      Version=2011-08-01&
      Timestamp=[YYYY-MM-DDThh:mm:ssZ]&
      Signature=[Request Signature]
    Annotations: each country has a different endpoint URI and Associate Tag. The name/value pairs are listed in sorted order to form the string to sign. A space ends the request, so values must be escaped (percent-encode characters such as + , ; as well as spaces). Timestamp follows http://www.w3.org/TR/xmlschema-2/#dateTime. Signature is the RFC 2104 HMAC-SHA256 of the request, keyed with the Secret Access Key (the documentation's "dummy" key is 1234567890) and base64-encoded.
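The request anatomy above leaves the signing step implicit. The following is an added example (not code from the deck or from Amazon's SDKs) that builds the canonical query, computes the HMAC-SHA256 signature and, from the server's side, verifies it, so that a scripter can see exactly which bytes are signed. It assumes the documented string-to-sign layout (GET, host, path, sorted query on four lines); the access key ID, the AssociateTag value and the timestamp are constructed sample values, and the secret is the docs' "dummy" key, so nothing here is a live credential.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed sample credentials: the access key ID is Amazon's documented
# placeholder and the secret is the "dummy" key used in the Product
# Advertising API examples. Neither is a live credential.
SAMPLE_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET_KEY = "1234567890"

HOST = "webservices.amazon.com"   # each country has its own endpoint host
PATH = "/onca/xml"


def rfc3986_encode(value: str) -> str:
    """Percent-encode as the signing rules require: only unreserved characters
    (A-Z a-z 0-9 - _ . ~) pass through, so '+', ',' and ';' become %2B, %2C
    and %3B, and a space becomes %20 (never '+')."""
    return quote(value, safe="-_.~")


def canonical_query(params: dict) -> str:
    """Encode every name and value, then sort the pairs by byte order. The sort
    is case-sensitive, so 'AWSAccessKeyId' comes before 'AssociateTag'."""
    pairs = sorted((rfc3986_encode(k), rfc3986_encode(str(v))) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def string_to_sign(query: str, method: str = "GET") -> str:
    """Four newline-separated lines: HTTP verb, host, path, canonical query."""
    return "\n".join([method, HOST, PATH, query])


def sign(query: str, secret_key: str, method: str = "GET") -> str:
    """RFC 2104 HMAC-SHA256 keyed with the Secret Access Key, base64 encoded."""
    mac = hmac.new(secret_key.encode(), string_to_sign(query, method).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def signed_url(params: dict, secret_key: str, timestamp: str) -> str:
    """Build the full request URL. timestamp is ISO 8601 UTC
    (YYYY-MM-DDThh:mm:ssZ) and is part of the signed material, which is what
    lets the server reject stale or replayed requests."""
    query = canonical_query({**params, "Timestamp": timestamp})
    signature = sign(query, secret_key)
    # The Signature value is base64, so it must be percent-encoded as well.
    return f"https://{HOST}{PATH}?{query}&Signature={rfc3986_encode(signature)}"


def verify_signed_url(url: str, secret_key: str) -> bool:
    """Server-side view: strip the Signature parameter, rebuild the canonical
    query from what was actually received, recompute and compare in constant
    time. Any change to a signed parameter, or a wrong key, fails."""
    query = url.split("?", 1)[1]
    presented, pairs = None, []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name == "Signature":
            presented = unquote(value)
        else:
            pairs.append((name, value))
    if presented is None:
        return False
    rebuilt = "&".join(f"{k}={v}" for k, v in sorted(pairs))
    return hmac.compare_digest(sign(rebuilt, secret_key).encode(), presented.encode())


# The ItemSearch request from the slide, as plain (unencoded) parameters.
SAMPLE_PARAMS = {
    "Service": "AWSECommerceService",
    "AWSAccessKeyId": SAMPLE_ACCESS_KEY_ID,
    "AssociateTag": "mytag-20",          # constructed Associate Tag
    "Operation": "ItemSearch",
    "SearchIndex": "Apparel",
    "Keywords": "Shirt",
    "ResponseGroup": "Offers,Images,Reviews",
    "Version": "2011-08-01",
}

if __name__ == "__main__":
    print(signed_url(SAMPLE_PARAMS, SAMPLE_SECRET_KEY, "2014-04-17T10:45:00Z"))
```

In a load script the secret key should come from a parameter file or environment that stays out of the public repository; only the signature travels on the wire, and the timestamp in the signed string means a recorded request cannot simply be replayed later.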
  • Slide 33: http://docs.aws.amazon.com/AWSECommerceService/latest/DG/CommonRequestParameters.html. Amazon response XMLEscaping. XMLEscaping=Single (the default, one pass): an ampersand (&) is returned in its regular XML encoding (&amp;). XMLEscaping=Double: the ampersand is XML-encoded twice (&amp;amp;), for PHP clients that do not decode text within XML elements.
  • Slide 34: http://docs.aws.amazon.com/AWSECommerceService/latest/DG/DebuggingParameters.html. Amazon request validation. Validate=False (the default). Validate=True: the request is checked without actually being executed; the response reports IsValid as "True" or "False".
  • Other Authentication and Authorization (section title slide)
  • Slide 36: Third-party authentication web services: Google (Maps, etc.), Amazon, Facebook (Parse, acquired 2013), Yahoo, Microsoft (Bing maps), Twitter, LinkedIn, etc.
  • Slide 39: https://dev.trulioo.com/apiGuide/truDetect? JSON response sample:
      {
        "ok": true,
        "result": {
          "score": "60",
          "transaction_id": "d8ad1829-9abc-4d84-5383-3a13a32f4092"
        }
      }
    Returns a binary response status ("ok": true or false). Exchanges a mutual GUID (transaction_id) so both sides can track the transaction uniquely. Less verbose than XML; more verbose than HTML5 WebSockets.
  • Slide 40: Authentication vs. Authorization
      Authentication                             Authorization
      First thing                                Occurs after authentication
      Decides whether to allow authorization     Decides whether to allow use of resources
      Based on user credentials                  Based on the authentication token
      Output: session token                      Output: the requested resource
  • Slide 42: http://docs.stormpath.com/rest/quickstart/. Sample request in curl:
      curl -X POST --user $YOUR_API_KEY_ID:$YOUR_API_KEY_SECRET \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -d '{ "givenName": "Jean-Luc", "surname": "Picard", "username": "jlpicard", "email": "capt@enterprise.com", "password": "Changeme1" }' \
        "https://api.stormpath.com/v1/applications/$YOUR_APPLICATION_ID/accounts"
  • Slides 43-44: Sample request in a LoadRunner script (same endpoint as the curl sample; the credentials are truncated on the slide):
      lr_save_string("3xFb1EU6dYCXBHXEa…", "stormpath_app_id");
      /* API key ID and secret are sent as HTTP Basic auth on every request */
      web_set_user("1PHM75I…", "AC7fw+efr2xM831Q…", "");
      web_add_header("Accept", "application/json");
      web_custom_request("AddAcct",
          "URL=https://api.stormpath.com/v1/applications/{stormpath_app_id}/accounts",
          "Method=POST",
          "Resource=0",
          "EncType=application/json",
          "Mode=HTTP",
          "Body={"
              "\"givenName\": \"{user_givenName}\","
              "\"surname\": \"{user_surname}\","
              "\"username\": \"{user_acctname}\","
              "\"email\": \"{user_email}\","
              "\"password\": \"{user_password}\""
          "}",
          LAST);
    Notes: name the parameters with a consistent prefix (user_) matching the data file the script iterates through; keep values in parameters for reuse; credentials and headers are handled automatically by web_set_user and web_add_header. Errors to test for: would repeating requests with the same data create duplicates? Would unrecognized fields be ignored? How long before the credentials expire?
  • Slide 45: http://www.yelp.com/developers/documentation/v2/authentication. Yelp.com v2 uses OAuth 1.0a.
  • Slide 46: https://developers.google.com/accounts/docs/OAuth2ServiceAccount. Google web service calls.
  • Slide 47: Google APIs Console flow for https://www.googleapis.com/urlshortener/v1/url (diagram). A Google account owns a project in the APIs Console; the project enables the specific API and has a service account with a service email, a .p12 key file (password "notasecret") and a key fingerprint. The client builds a JWT (JSON Web Token) body containing the current time and an expiry time (good for 1800 seconds), loads the private key with oauth_load_privatekey(), encodes the body with oauth_encode_base64(), signs it with oauth_sign_rsa_sha256(), and escapes the encoded signature with oauth_url_escape(). The JWT assertion is POSTed to https://accounts.google.com/o/oauth2/token, which returns an access token. The access token is then sent with a body containing the URLtoShorten to the API endpoint, which responds with the short URL (JSON).
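To make the assertion step concrete, here is an added example (not the deck's liboauth code, nor Google's client library) that builds the compact JWT with the claims the service-account flow needs and then checks it the way a token endpoint would: signature first, then audience, then the validity window and the one-hour lifetime cap that Google enforces on exp minus iat. The service email, scope and timestamps are constructed sample values. Because the block must run without an RSA library, the signer is an HMAC-SHA256 test double (so the header says HS256); with a real service account the signer wraps the private key from the .p12 file and alg is "RS256", and the rest of the code is unchanged.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional, Tuple

TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"
ASSERTION_LIFETIME = 1800   # seconds, the value used on the slide
MAX_LIFETIME = 3600         # Google rejects exp more than 1 hour after iat


def b64url(data: bytes) -> str:
    """JWT segments are base64url without '=' padding (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def build_assertion(service_email: str, scope: str, now: int,
                    signer: Callable[[bytes], bytes], alg: str) -> str:
    """Return header.claims.signature; the signature covers the first two
    segments exactly as they appear on the wire."""
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": service_email, "scope": scope, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + ASSERTION_LIFETIME}
    signing_input = b64url(compact_json(header)) + "." + b64url(compact_json(claims))
    return signing_input + "." + b64url(signer(signing_input.encode()))


def check_assertion(jwt: str, verify: Callable[[bytes, bytes], bool],
                    now: int) -> Tuple[Optional[dict], Optional[str]]:
    """Token-endpoint view. Returns (claims, None) on success or (None, reason).
    Nothing in the claims is trusted until the signature has been verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return None, "not a compact JWT"
    header_b64, claims_b64, sig_b64 = parts
    if not verify((header_b64 + "." + claims_b64).encode(), b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("aud") != TOKEN_ENDPOINT:
        return None, "wrong audience"
    if not claims["iat"] <= now < claims["exp"]:
        return None, "expired or not yet valid"
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        return None, "lifetime over 1 hour"
    return claims, None


# Test double: HMAC-SHA256 stands in for the RSA-SHA256 signature Google
# requires, so this runs offline. The key is constructed, not a real secret.
SAMPLE_KEY = b"constructed-hmac-key-not-a-real-secret"


def hmac_signer(data: bytes) -> bytes:
    return hmac.new(SAMPLE_KEY, data, hashlib.sha256).digest()


def hmac_verify(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(hmac_signer(data), signature)


if __name__ == "__main__":
    token = build_assertion("svc@example.iam.gserviceaccount.com",
                            "https://www.googleapis.com/auth/urlshortener",
                            1397731500, hmac_signer, "HS256")
    print(token)
    print(check_assertion(token, hmac_verify, 1397731600))
```

The order of checks matters for a load test as much as for security: a script that mints an assertion with a clock that drifts past exp, or that copies the audience of another endpoint, gets a 400 from the token endpoint and the run measures error handling rather than the API.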
  • Slide 50: Programming languages in sample code (matrix of providers IP2Location, Parse (Facebook) and FedEx against C (LoadRunner), Ruby and Python, with several cells marked "?"). https://parse.com/docs/api_libraries
  • Slide 53: File handling to/from public repositories (diagram): local Git repos, a public GitHub repo, and a secure repo. A shell script automates the extra secure file operations: an upload script pushes the script and public files to the public repo while private files go only to the secure repo; a download script pulls them back; .gitignore keeps the private files out of the public repo.
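A .gitignore only helps if the private files are actually matched by it, so the upload side of the workflow above needs a gate. The following is an added example (not the deck's shell script) of a pre-commit check that scans the files which would reach the public repo for the credential shapes this deck deals with: AWS access key IDs and secret keys, PEM private keys, and .p12/.pem/.key files such as a Google service-account key. The staging area and .gitignore are constructed inline; the key values are Amazon's documented example credentials, not live ones; the .gitignore matcher implements only the subset of the syntax the example needs.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]   # (path, line number or 0 for whole file, kind)

# Credential shapes relevant to this deck. "AKIA" + 16 characters is the
# documented form of an AWS access key ID; the secret pattern is a
# 40-character value assigned to a name containing "secret ... key"; PEM
# blocks and .p12 files are Google service-account material.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_key", re.compile(
        r"(?i)secret[_ ]?(?:access[_ ]?)?key\W{0,4}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")),
    ("private_key_pem", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]
SENSITIVE_EXTENSIONS = (".p12", ".pem", ".key")


def is_ignored(path: str, gitignore: str) -> bool:
    """Minimal .gitignore semantics: blank lines and comments are skipped, a
    pattern ending in '/' matches a directory anywhere in the path, any other
    pattern is a glob against the basename or the whole path."""
    for raw in gitignore.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        if pat.endswith("/"):
            if ("/" + path).find("/" + pat) != -1:
                return True
        elif fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(path.rsplit("/", 1)[-1], pat):
            return True
    return False


def scan_content(path: str, content: str) -> List[Finding]:
    """Flag a sensitive file type and every line that matches a pattern."""
    findings: List[Finding] = []
    if path.lower().endswith(SENSITIVE_EXTENSIONS):
        findings.append((path, 0, "sensitive_extension"))
    for lineno, line in enumerate(content.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, kind))
    return findings


def check_staged(files: Dict[str, str], gitignore: str) -> List[Finding]:
    """Pre-commit gate for the public repo: ignored files never reach it, so
    only files that would be committed are scanned. An empty list means the
    upload may proceed."""
    findings: List[Finding] = []
    for path, content in files.items():
        if not is_ignored(path, gitignore):
            findings.extend(scan_content(path, content))
    return findings


# Constructed staging area and .gitignore for the example.
SAMPLE_FILES = {
    "private/aws_keys.txt": "AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE\n"
                            "SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "service-account.p12": "<binary PKCS#12 blob>\n",
    "scripts/run_test.sh": "#!/bin/sh\n. ./private/aws_keys.txt\nexec run_lr_scenario \"$@\"\n",
}
SAMPLE_GITIGNORE = "# keep credentials out of the public repo\nprivate/\n*.p12\n"

if __name__ == "__main__":
    for finding in check_staged(SAMPLE_FILES, SAMPLE_GITIGNORE) or [("(clean)", 0, "")]:
        print(finding)
```

Run it from a pre-commit hook against the staged file list; the run_test.sh script passes because it sources the key file at run time instead of embedding the values, which is the split between public script and private files the slide describes.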
  • Slide 55: UI performance test run types: landing UI; register (sequential transaction flow: name, address, etc.); menu; menu item 1; menu item 2; add; retrieve 1; list; change; delete; login UI (click Login for the dialog); logout UI.
  • Slide 56: API performance test run types: landing UI; register (discrete transactions: name, address, etc.); menu; menu item 1; menu item 2; login; request session token; POST; GET 1; GET all; PUT; DELETE; logout (session end / timeout).
  • Slide 57: API characterization & performance metrics: # registrations, # credentials (users), # fields, # sessions, # completions, # timeouts, # attempts, # run types, # run cycles, # iterations in run, # files, # resource hits, # bytes transferred, # exchanges (messages), # searches, # variations in data, # add, # retrieve, # list collection, # updates, # delete.
  • Slide 58: Continuous load verification worldwide (diagram): Jenkins uses an API to control LoadRunner (LR) for continuous testing; a test controller drives load generators in 9 Amazon AWS EC2 regions against the AUT (application under test) alongside real end users; the APIs connect securely on standard ports.
  • Slide 60: Benchmark performance of security operations? Axis: acceptable delay vs. extent of processing. A: minimal processing for fast response. B: strong encryption for security, but slower. Points along the axis: no authentication, OAuth 1.0a, OAuth 2.0.
  • Slide 61: How frequently are access keys refreshed? Axis: acceptable delay vs. longevity of access keys. A: infrequent refresh for fast response (weeks). B: frequent refresh for security (30 minutes; max. 120 minutes, client configurable).
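The refresh cadence on this slide is a load-script design decision: minting a new token on every request hits the token endpoint once per transaction and measures that instead of the API. Here is an added example (not the deck's LoadRunner code) of the policy a script should implement: hold one token per virtual user, refresh it a safety margin before expires_in runs out, and force a refresh when the server answers 401. The token endpoint and clock are constructed test doubles, and the simulation returns how many token requests a run makes so the effect of the lifetime can be seen directly.

```python
from typing import Callable, List, Optional, Tuple


class AccessTokenCache:
    """Hold one bearer token for the whole run and refresh it shortly before it
    expires, so the token endpoint is hit once per token lifetime rather than
    once per request. `fetch` calls the token endpoint and returns
    (access_token, expires_in seconds), the fields an OAuth 2.0 token response
    carries; `clock` is injectable so the policy can be tested offline."""

    def __init__(self, fetch: Callable[[], Tuple[str, int]],
                 clock: Callable[[], float], margin: int = 60):
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def token(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            token, expires_in = self._fetch()
            self.fetch_count += 1
            self._token, self._expires_at = token, now + expires_in
        return self._token

    def invalidate(self) -> None:
        """Call on a 401 so the next request fetches a fresh token instead of
        retrying with one the server has already revoked or expired."""
        self._token = None


class FakeClock:
    """Constructed clock: the simulation sets `now` explicitly."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate(duration: int, interval: int, lifetime: int, margin: int = 60) -> int:
    """Replay `duration` seconds of requests, one every `interval` seconds,
    against a constructed token endpoint whose tokens live `lifetime` seconds.
    Returns how many times the endpoint was called."""
    clock = FakeClock()
    issued: List[str] = []

    def fake_token_endpoint() -> Tuple[str, int]:
        issued.append(f"ya29.constructed-token-{len(issued) + 1}")
        return issued[-1], lifetime

    cache = AccessTokenCache(fake_token_endpoint, clock, margin)
    for t in range(0, duration + 1, interval):
        clock.now = t
        cache.token()            # stands in for the authenticated API call
    return cache.fetch_count


if __name__ == "__main__":
    # one hour of requests every 10 s: 30-minute tokens vs 120-minute tokens
    print(simulate(3600, 10, 1800), simulate(3600, 10, 7200))
```

With 30-minute tokens and a 60-second margin, an hour-long run refreshes at 0 s, 1740 s and 3480 s; with the 120-minute maximum it refreshes once. Either way the token-endpoint calls are a separate transaction in the results rather than noise inside every API timing.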
  • Slide 62: Value of local functionality? Axis: acceptable latency vs. locality of data. A: on device for fast response. B: remote for distributed access. Examples: Craigslist.com, Evernote.com, Akamai.com.
  • Slide 63: Tune low-level transmission settings? Axis: acceptable latency vs. data transmitted per burst. A: small bursts for fast response. B: large bursts for offline analysis. Examples: Spritz.com, Hibernate.
  • Slide 64: Immersive experiences with fall-back? Axis: acceptable latency vs. data transmitted per request. A: few files for faster response. B: many files for a more immersive user experience. Examples: Google.com, Pinterest.com, Bing.com.
  • Slide 66: @WilsonMar
    • APIs enable comparison shopping among competing sites [addall.com]
    • APIs assimilate data unique to the interests and needs of each user [Google Now]
    • Some services require certification to access; some don't [FedEx]
    • Avoid limiting permissions to browse and search [USPS, FedEx, UPS]
    • Support several programming languages [FedEx vs. Parse]
    • Support different versions of IDEs (Eclipse, Visual Studio 2005 and 2013)
    • Respond with JSON (as well as XML/SOAP)
    • Provide sample calls in curl format
  • Slide 67: @WilsonMar, Calls to Action
    • Manage web service usage by groups and other attributes of individuals.
    • Protect against spammers by validating data values as real entities.
    • Design for enterprise usage, with usage tracking and monitoring.
    • Move from easier OAuth 2.0 to more secure OAuth 1.0a with certificates (Yelp).
    • Have a rapid approach to change encryption keys everywhere quickly.
    • Measure, eliminate, and virtualize network latency effects, worldwide.
    • Test widely and continuously to detect integration breakage.
    • Conduct real user monitoring to detect breakage in production.
    • Design for and verify large increases and decreases in capacity.
  • Talk to me! LinkedIn: ; Twitter: ; email: WilsonMar@gmail.com; YouTube: