Наталия Рихмаер (QA Emgineer, DataArt) рассказала: 1. Что такое API (Application Programming Interface) и о тестировании API на разных этапах проекта. 2. Что такое HTTP, об основных запросах: post, get, put, delete и показала пример возможных запросов к API при помощи Postman. 3. Что такое REST и SOAP, в чем их отличие, преимущества и недостатки, и тенденции использования их в разработке веб-приложений. 4. О типах тестирования API и полезных инструментах: Postman, Swagger, SoapUI, Retrofit и др. 5. О трудностях в тестировании АPI.

2. Web Services Testing
Natalia Rikhmayer,
QA Automation Engineer, DataArt

3. • Experienced in :
• Web,
• Web Mobile,
• Mobile Native,
• API
• Currently work on API automation
What about you? :)
Lets’s get acquainted!

4. Test Pyramid
https://martinfowler.com/bliki/TestPyramid.html
•

5. Why is it important?

6. Agenda
‣ What is API?
‣ Basic definitions
‣ HTTP request/response
‣ SOAP, example
‣ REST, example
‣ API testing tools
‣ REST-Assured framework
‣ Examples

7. What is Application Programming Interface (API)?

8. Basic definitions
‣ HTTP
‣ The most used HTTP Methods (CRUD operations)
– POST - Create
– GET - Read
– PUT - Update/replace
– DELETE - Delete
‣ Headers

9. HTTP request/response

10. Example

11. HTTP Status Codes
‣ 1XX: Informational
‣ 2XX: Success
‣ 3XX: Redirection
‣ 4XX: Client Error
‣ 5XX: Server Error
‣ There are over 70 HTTP status codes (!).
‣ Everything worked
‣ The application did something wrong
‣ The API did something wrong
http://blog.restcase.com/rest-api-error-codes-101/
➡ 200 - OK
➡ 400 - Bad Request
➡ 500 - Internal Server Error
Everything is going to be 200 OK :)

12. HTTP Status Code Description
‣ 200 OK - Response to a successful REST API action
‣ 400 Bad Request - The request is malformed, such as message body format error
‣ 401 Unauthorized - Wrong or no authentication ID/password provided
‣ 403 Forbidden - It's used when the authentication succeeded but authenticated user doesn't have
permission to the request resource
‣ 404 Not Found - When a non-existent resource is requested
‣ 405 Method Not Allowed - The error checking for unexpected HTTP method. For example, the
RestAPI is expecting HTTP GET, but HTTP PUT is used
‣ 429 Too Many Requests - The error is used when there may be DOS attack detected or the
request is rejected due to rate limiting

13. Representational State Transfer (REST)
‣RESTful applications use HTTP methods
‣data available as resources (nouns), I.e. “user”
‣hard to enforce authorization and security on top of it
‣relatively easy to implement and maintain
‣clearly separates client and server implementations
‣can return data in multiple formats (JSON, XML etc)
‣Scalability, maintainability
‣Demo
https://dzone.com/articles/j2ee-compare-restful-vs-soap https://habrahabr.ru/post/131343/ https://nordicapis.com/rest-vs-soap-nordic-apis-infographic-comparison/
‣ Examples
Slack API
LinkedIn API
Twitter API

14. Simple Object Access Protocol (SOAP)
‣data available as services (verb+noun), I.e. “getUser”
‣follows a formal enterprise approach (its a standard)
‣works on top of any communication protocol
‣security and authorization are part of the protocol
‣can be fully described using WSDL (e.g. put your WSDL url to generate Java/Objective-C/Swift
classes http://easywsdl.com/WsdlGenerator#)
‣hard to implement and is unpopular among Web and mobile developers
‣uses only XML
https://dzone.com/articles/j2ee-compare-restful-vs-soap https://habrahabr.ru/post/131343/ https://nordicapis.com/rest-vs-soap-nordic-apis-infographic-comparison/
‣ Examples
Salesforce SOAP API
Paypal SOAP API
Clickatell SMS SOAP API

15. Common types of API testing
• Verify API Response Code
• Based on input request, response should be checked
• Verification of the updating some data structure
• Delays in API Response time
• Response Data structure
• Security testing

16. Useful Tools
Rest assured - Java, RestSharp - C#
Airborne - Ruby, Apickli - JS
Retrofit - Android/JAVA… and other

17. Rest-assured
@Test(groups = {APIConfig.login_ID})
public void login() {
Logger.info("Verify login");
String loginURL = getModifiedURI(LOGIN_URI, "v1");
String token =
given()
.contentType(ContentType.JSON)
.body("{n" +
" "UserId": " + userId + ",n" +
" "Email": "" + email + "",n" +
" "ScreenName": "" + screenName + ""n" +
"}")
.when()
.post(loginURL)
.then()
.assertThat()
.statusCode(HttpURLConnection.HTTP_OK)
.extract()
.path(AUTH_TOKEN_KEY);
assertFalse(token.isEmpty(), "User Token should not be empty");
}
<dependency>
<groupId>io.rest-assured</groupId>
<artifactId>rest-assured</artifactId>
<version>3.0.0</version>
</dependency>

18. To automate or not to automate on API level?
‣ Login
‣ Registration
‣ Join/leave group
‣ Ban/unban for 30 min
‣ Confirmation via email
‣ Subscription
‣ Navigation
‣ Article verification

19. Challenges of API testing
‣ Parameter Combination
‣ Parameter Selection
‣ Call Sequencing
‣ Frequent releases
‣ Delays in logging
‣ Support of auto-tests
‣ Data is changed

20. Advantages of API testing
‣ Access to the application without a user interface
‣ Time effective, especially automated tests
‣ Cost effective, accordingly
‣ Language-independent
‣ Test Core Functionality, once for several clients
Project examples

21. Thank you! Any questions?
Any further questions?
Natalia.Bilogrud@dataart.com