2013/7/11

1

ChinaTest, Our TEST!

Testing the API behind a mobile app

Tutorial

Marc van ‘t Veer

ChinaTest, Our TEST!

Content

• What is an API

• Why use an API

• How to use an API

• How-to test an API

• Exercises

– Group exercises (learning concepts – 7)

– Individual exercises (apply concepts – 4)

• Lessons learned

2013/7/11

2

ChinaTest, Our TEST!

What is an API - Definition

• API, stands for application program interface:

– Set of routines, protocols, tools and blocks for

building applications (systems of systems) and so

reducing complexity

• Definition within the context of this training:

– An internet web service that opens systems and

giving standard way of access to external users

4 Marc van ‘t Veer – Polteq

2013/7/11

3

ChinaTest, Our TEST!

What is an API - API model

• Lego bricks are standard building blocks

• Blocks are a library to build

• Figure is showing which resources there are

• Sales box is an example of the possibilities

ChinaTest, Our TEST!

What is an API - API model

2013/7/11

4

ChinaTest, Our TEST!

What is an API – Typical structure

• API is built upon existing internal architecture

Backend (Enterprise Service Bus)

Adapter

Desktop web

Browser

API

Webservices Adapter

app

Mobile web

SoapUI

Adapter

Test app’s app

Facebook

ChinaTest, Our TEST!

Why use an API - example

Telecom companies provide usage details on their

websites. App developers used screen scraping to

get this data into their apps.

Resulting in:

• Misinterpretation of data

• Malformed data

• Telecom company gets

blamed when the app

provides wrong information

2013/7/11

5

ChinaTest, Our TEST!

Why use an API - example

API provides the telecom companies:

• More control over the data

• Control over the content used in an app

– Key needed to use the API

– App developer needs to prove that it works

correct before getting access

ChinaTest, Our TEST!

Why use an API

• Scaling development

– Enhance a program without editing itself

• Converting competitors into partners

– Allow competitors to build on top of your product

• Scaling market reach

– Open up new markets

• Empowering users

– Allow people to use the product for things it

wasn’t designed for

2013/7/11

6

ChinaTest, Our TEST!

How to use an API – Mashup

• A mashup is a web page or web application

that uses and combines data, presentation or

functionality from two or more sources to

create new services

– Easy, fast integration

– Frequently using API

– Produce enriched results from the raw source

data

ChinaTest, Our TEST!

How to use an API – Demo of API’s

• Local examples

– Command line on Windows or Linux

– Local VB script with Windows API

• Web API examples

– Overview of API’s: Programmableweb.com

– Demo of WordPress blog API

2013/7/11

7

ChinaTest, Our TEST!

How to use an API – Concepts

• Concepts of the API

– Division of data and presentation

– Root (Start URL, http or https)

– Navigation

– View of a command-line

– Hierarchy

– Resources

– Account (private API)

– Structure

ChinaTest, Our TEST!

How to use an API – Who uses it?

• Apps: Android, Iphone, Windows, Blackberry

• Internal organizations

• User via browser version of the API

• Social media: Facebook, twitter, etc.

• (internal/external) developers:

– Documentation

– Base line code for new App (with guidelines)

• Operations (monitoring)

2013/7/11

8

ChinaTest, Our TEST!

Summary – Introduction to an API

• Public available via Internet

• No-frontend

• Interfaces

• API is part of an end-to-end solution

• Architecture / protocol focus

• External users / devices

• Test tools are needed

• Main goal is: a generic API

ChinaTest, Our TEST!

How-to test an API – start from scratch

2013/7/11

9

ChinaTest, Our TEST!

How to test an API – start from scratch

• Architecture

– REST vs. SOAP

– Stateless vs. Session

– Media types vs. WSDL

• text/xml or application/vendor specific

– Verbs (GET) and resources

– Headers and caching results

• Tools

– SoapUI, Fiddler, new add-ons for Firefox

• Architecture

– REST vs. SOAP

– Stateless vs. Session

– Media types vs. WSDL

• text/xml or application/vendor specific

– Verbs (GET) and resources

– Headers and caching results

• Tools

– SoapUI, Fiddler, new add-ons for Firefox

ChinaTest, Our TEST!

How to test an API – RESTful verbs

• Verbs are actions, actions like CRUD on

database

• POST: Create a new data element

• GET: Read a data element

• PUT: Update a data element

• DELETE: Delete a data element

2013/7/11

10

ChinaTest, Our TEST!

How to test an API – Headers

• HTTP header fields are components of the

message header of requests and responses in

the Hypertext Transfer Protocol (HTTP).

• They define the operating parameters of an

HTTP transaction

• Request example:

• Accept: text/plain

• Cache-Control: no-cache

ChinaTest, Our TEST!

How to test an API – Cache

• A web browser stores web content for reuse

• If the back button is pressed, the local cached

version of a page is displayed instead of a new

request being sent to the web server.

• Risks

– Old data

– Cached errors

– Layered caching (app – API – server)

2013/7/11

11

ChinaTest, Our TEST!

How to test an API - Typical risks

• Unknown integration

• Big variation of customer data

• No control of the E2E chain

• Load is unknown

• Wrong use of API

• Dynamic scope

ChinaTest, Our TEST!

How to test an API - Strategy

• Early integration test with complete

infrastructure

– Integration test and dog fooding during

Development and System Testing

– Multiple integration phases

– Prototype app (on Acceptance environment)

2013/7/11

12

ChinaTest, Our TEST!

How to test an API - Dogfooding

• Dogfooding: Don’t try to build the sort of API you think people will want, but use the public

API’s your self everywhere

• Examples

– All Google tools use their own public API’s

– Windows 7 is build with windows 7

– Twitter.com uses it’s own public API

ChinaTest, Our TEST!

How to test an API - Test approach

1. Development (with dogfooding)

2. System testing (API with stubs and SIT)

3. Integration testing (API with backend)

4. Acceptance testing (API with prototype app)

5. Production integration (in phases)

6. Regression testing (automated)

2013/7/11

13

ChinaTest, Our TEST!

How to test an API - Test approach

Backend (Enterprise Service Bus)

Adapter

Desktop web

Browser

API

Webservices Adapter

app

Mobile web

SoapUI

Adapter

Test app’s app

Facebook

ChinaTest, Our TEST!

How to test an API - Mocks and stubs - 1

• API’s are part of a big E2E chain

• Testing is only possible if a stub framework is

available

• Stub, driver, mock

• Example of a stub framework

2013/7/11

14

ChinaTest, Our TEST!

How to test an API - Mocks and stubs - 2

• Replacement of a reply from backend system

ChinaTest, Our TEST!

How to test an API - Mocks and stubs - 3

• If there is no connection to a backend system

• Re-routing an interface to a local tool like

SoapUI

2013/7/11

15

ChinaTest, Our TEST!

Group exercises

• Minimum of three implementations is needed

for a quality API

• Learning

– One implementation: it’s a trick

– Two implementations: it’s a method

– Three implementations: it’s your own way of working

ChinaTest, Our TEST!

Group exercises – learning concepts

• Exercise 1 – Lorum ipsum text

• Exercise 2 – Colour lovers and Color picker

• Exercise 3 – Authorization

• Exercise 4 – Status and error codes

• Exercise 5 – Header injections

• Exercise 6 – Business rules

• Exercise 7 – Current and future version

2013/7/11

16

ChinaTest, Our TEST!

Exercise 1 – Lorum ipsum text

• Description

– Generation of Lorum ipsum text

• Assignment

– Get a number of lines of bacon ipsum text

– Tool: Firefox

ChinaTest, Our TEST!

Exercise 1 details – Lorum ipsum text

• API

– http://baconipsum.com/api/

• API documentation

– Open two tabs

• One with documentation: http://baconipsum.com/api/

• One to enter commands like

– ?type=meat-and-filler

2013/7/11

17

ChinaTest, Our TEST!

Exercise 2 – Colour lovers and Color picker

• Description

– API provide content in many different types, like

generation of colors

• Assignment

– Find a favorite color with colour lover API and

validate the Hex-code with Color picker

– Tool: Firefox

ChinaTest, Our TEST!

Exercise 2 details – Color lovers and Color picker

• API

– http://www.colourlovers.com/api/colors?

– http://www.colorpicker.com/

• API documentation

– http://www.colourlovers.com/api/

2013/7/11

18

ChinaTest, Our TEST!

Exercise 3 – Authorization

• Description

– Difference between public and private API

– Testing of functional security

• Assignment

– Get access to API by using access tokens

– Tools: Firefox

ChinaTest, Our TEST!

Exercise 3 details – Authorization

• API

– http://openexchangerates.org/api/latest.json

– Access key:

• 66e62d8337b545ec9f0508c1215764b5

• API documentation

• https://openexchangerates.org/documentation

• https://openexchangerates.org/documentation#app-

ids

2013/7/11

19

ChinaTest, Our TEST!

Exercise 4 – Status and error codes

• Description

– Explore what is a good and what is a bad request

• Assignment

– Find status and error codes and rules to trigger

them

– Which error code is shown when (priority)

– When do you expect an error code

– Tools: Firefox + Firebug

ChinaTest, Our TEST!

Exercise 4 details – Status and error codes

• API

– http://openexchangerates.org/api/latest.json?app

_id=66e62d8337b545ec9f0508c1215764b5

• API documentation

– https://openexchangerates.org/documentation

– https://openexchangerates.org/documentation#e

rrors

– http://en.wikipedia.org/wiki/List_of_HTTP_status

_codes

2013/7/11

20

ChinaTest, Our TEST!

Exercise 5 – Header injections

• Description

– Explore what header elements are

• Assignment

– Compare results with and without a header

elements

• If-Modified-Since and If-None-Match

– Tools: Firefox + Rest Client

ChinaTest, Our TEST!

Exercise 5 details - Header injections

• API

– http://openexchangerates.org/api/latest.json?app

_id=66e62d8337b545ec9f0508c1215764b5

• Documentation

– https://openexchangerates.org/documentation#e

tags

– http://en.wikipedia.org/wiki/List_of_HTTP_heade

r_fields

2013/7/11

21

ChinaTest, Our TEST!

Exercise 6 – Business rules

• Description

– Compare output between different customer

types. Which resource has which output?

• Assignment

– Find output of a prepaid and a business customer

– Find a invoice for a prepaid customer

– Tool: Firefox

ChinaTest, Our TEST!

Exercise 6 details – Business rules

• API

– https://capi.t-mobile.nl/

– Access key

• {Bearer} with:

– {StubbedResidentialPostPaid}

– {StubbedBusinessPostPaid}

– {StubbedResidentialPrePaid}

• Documentation

– https://capi.t-mobile.nl/documentation 42 Marc van ‘t Veer – Polteq

2013/7/11

22

ChinaTest, Our TEST!

Exercise 7 – Versions of resources

• Description

– Resources have a life cycle which is organized in

versions for now and the future

• Assignment

– Find a resource that is active, have multiple

versions and is end of life

– Tool: Firefox

ChinaTest, Our TEST!

Exercise 7 details - Versions of resources

• API

– https://capi.t-mobile.nl/

– Access key

• {Bearer} with:

– {StubbedResidentialPostPaid}

– {StubbedBusinessPostPaid}

– {StubbedResidentialPrePaid}

• Documentation

– https://capi.t-mobile.nl/documentation

2013/7/11

23

ChinaTest, Our TEST!

Individual exercises – Apply concepts

• Exercise 8 - Design review

• Exercise 9 – Testing design techniques

• Exercise 10 – Explore test application

• Exercise 11 - Search of the defects

ChinaTest, Our TEST!

Test levels for testing an API Phase Structure Element Test case

-2. Create designs Review -Perform review on API design

-1. Test case design Design -Create test cases from designs

0. Setup Test application Setup - Stub frame work

- Tooling

- Interfaces and test data

1. Development Framework Dog fooding Check easy of use framework and how good it functions

2. System testing Functionality with and

without stubs

• With and without stubs

• Test applications

URL Structure, parameters

• Header request : character set, media types, Verbs (GET/POST/UPDATE), HTTP(S), status/error codes

• Logging: Support defect analysis (server and database)

• HTTP-status: Error and related status

Common validation/Authentication/Authorization

• Access codes (tokes)

• Profiles (subscription active, SIM active, token status)

• Customer/contract types

• Caching: Duration, authorization, clearing, content, multiple users

• Navigation: between resources

Resources

• Profiles: Business rules for each resource with variation customer data

Output

• Presentation forms and versions (supported not supported)

Monitoring

• Reporting and performance (load filter, backend availability

Documentation

SIT No stubs

Integration with Middleware

Variation in customers, rate plans, prices, contract types, history, options with no stubs

3. Integration testing Internal API with complete backend No regression impact of other projects

4. Acceptance testing External integration API with prototype First integration of app with API

5. Production testing Real customers API with live app Real customers with app on production API

6. Regression Regression Reruns - Manual and Automated regression tests

2013/7/11

24

ChinaTest, Our TEST!

Test application

• JSON API as plugin for WordPress

• CMS system

• Customizable and Open source

• Based on PHP language and MySQL database

• Also has mobile application for all platforms

• See also:

http://en.wikipedia.org/wiki/WordPress

ChinaTest, Our TEST!

Test environment setup

Test tool

API

Verification

Request

Reply

Request

Reply

WordPress

server

Data

2013/7/11

25

ChinaTest, Our TEST!

IP address WordPress

ChinaTest, Our TEST!

Exercise 8 – Design review

• Description

– An API design should give all information about

how it operates

• Assignment

– Use a checklist to review design of JSON API plugin

2013/7/11

26

ChinaTest, Our TEST!

Exercise 8 details – Design review

• API

– http://wordpress.org/extend/plugins/json-

api/other_notes/

– http://<local IP address>/documentation/json-

api/

• Documentation

– https://github.com/WhiteHouse/api-standards

– http://<local IP address>/documentation/design-

review-checklist/

51 Marc van ‘t Veer – Polteq

ChinaTest, Our TEST!

Exercise 8 - Design review result

• Result of design review on JSON API plugin

–

–

–

–

–

–

–

–

2013/7/11

27

ChinaTest, Our TEST!

Exercise 9 – Test design techniques

• Description

– Normal test techniques are useful

• Assignment

– Create test cases for the JSON API plugin of

Wordpress

– Use techniques like

• State transition

• Data combination / classification tree

• Equivalence Class partitioning

• Boundary Value analysis

ChinaTest, Our TEST!

Exercise 9 – Testing design techniques

• Use scrap paper to write test cases

• See example workout

• Documentation

– http://wordpress.org/extend/plugins/json-

api/other_notes/

2013/7/11

28

ChinaTest, Our TEST!

Exercise 10 – Explore Test application

• Description

– Before you can test the API you should first

explore it

• Assignment

– Open the JSON API and try it out

ChinaTest, Our TEST!

Exercise 10 – Explore Test application details

• API

– http://<local IP address>/?json=

• Documentation

• http://wordpress.org/extend/plugins/json-

api/other_notes/

• http://<local IP address>/json-api/

• To comment or post with RestClient use: – “name” = “Content-Type” and “value” = “application/x-www-

form-urlencoded” 56 Marc van ‘t Veer – Polteq

2013/7/11

29

ChinaTest, Our TEST!

Exercise 11 – Search the defects

• Description

– Search defects on the JSON API in WordPress

• Assignment

– Use the design test cases

– Use the learned tooling and techniques

– Analyze the results

– Tool: Firefox + Rest Client

ChinaTest, Our TEST!

Exercise 11 – API details

• API

– http://<local IP address>/?json=

• Documentation

• http://wordpress.org/extend/plugins/json-

api/other_notes/

• http://<local IP address>/json-api/

• To comment or post with RestClient use: – “name” = “Content-Type” and “value” = “application/x-www-

form-urlencoded”

2013/7/11

30

ChinaTest, Our TEST!

Exercise 11 - Search the defects

• Which defects are found

–

–

–

–

–

–

–

–

–

–

––

ChinaTest, Our TEST!

Evaluation of exercises

• What went well?

–

–

–

• What went wrong?

–

–

–

• Conclusion

–

––

2013/7/11

31

ChinaTest, Our TEST!

Lessons learned

• API

• API/app communication

• Testing

ChinaTest, Our TEST!

API

• New test type: production tests

• Command line

• Scope

• Different skills

– Security

– Performance

– Automation

• No backup tricks

2013/7/11

32

ChinaTest, Our TEST!

API/app communication

• Provider of the API is seen as responsible for

the presentation of the data in the app

• Presentation errors of data will always occur

• Very tempting to fix defects in app instead of

API

• More explanation needed with secured API

ChinaTest, Our TEST!

Testing

• Normal test techniques

• Instrument for defect analysis

• Automated regression tests on production

• New responsibilities

• SOA/Interfaces/HTTP protocol/Tools

• Experience with building interfaces

2013/7/11

33

ChinaTest, Our TEST!

More information

Marc van 't Veer

Test consultant

Polteq Amersfoort (Netherlands)

+31 (0) 6 46 63 61 48 (mob)

http://www.polteq.com

marc.vantveer@polteq.com

ChinaTest, Our TEST!

References

Source Link

[Apple, 2009]

iPhone 3g Commercial "There's An App For That"

http://www.youtube.com/watch?v=szrsfeyLzyg

[T-Mobile, 2011] Customer API T-Mobile: https://capi.t-mobile.nl/

[API design, 2013] http://apidesign.com

[SmartBear Software, 2011] SoapUI with REST:

http://www.soapui.org/REST-Testing/getting-started.html

API testing:

http://blog.smartbear.com/software-

quality/bid/273613/practicing-safe-sex-with-third-party-apis

[Molen animation,2013] http://www.animatieplaatjes.nl/molens.html

Test design technique http://www.pragmaticmarketing.com/resources/why-api-as-a-

strategy

2013/7/11

34

ChinaTest, Our TEST!

References, continued

Source Link

[Tweakers, 2012] More secure public API from NS:

http://tweakers.net/nieuws/81389/ns-wil-apps-die-prijs-

treinreis-tonen-vooraf-keuren.html

WordPress http://www.wordpress.org

http://en.wikipedia.org/wiki/WordPress

http://developer.wordpress.com/docs/api/

http://wordpress.org/extend/plugins/json-api/other_notes/

Practical API Design Jaroslav Tulach, chapter 9: Keep Testability in Mind

Firefox add-ons http://www.garethhunt.com/modifyheaders/help/

http://jsonview.com/

http://restclient.net/

https://addons.mozilla.org/en-us/firefox/addon/make-address-

bar-font-size-big/

ChinaTest, Our TEST!

References, continued

Source Link

[Wiki,2012] http://en.wikipedia.org/wiki/Application_programming_interfac

e#Use_of_APIs_to_share_content

REST architecture:

http://en.wikipedia.org/wiki/Representational_state_transfer

Internet Media Types:

http://en.wikipedia.org/wiki/Internet_media_type#Type_applica

tion

http://en.wikipedia.org/wiki/Mashup_%28web_application_hyb

rid%29

http://www.mediawiki.org/wiki/API:Main_page

http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Requ

est_methods

http://en.wikipedia.org/wiki/List_of_HTTP_header_fields

http://en.wikipedia.org/wiki/Web_browser

2013/7/11

35

ChinaTest, Our TEST!

References, continued

Source Link

[Wiki,2012], continued http://en.wikipedia.org/wiki/Service-oriented_architecture

Sequence diagrams:

http://nl.wikipedia.org/wiki/Unified_Modeling_Language

Dogfooding:

http://en.wikipedia.org/wiki/Eating_your_own_dog_food

Learning REST API

http://www.restapitutorial.com/

http://toc.oreilly.com/2013/02/a-publishers-job-is-to-provide-a-

good-api-for-books.html

http://net.tutsplus.com/tutorials/other/a-beginners-

introduction-to-http-and-rest/

https://github.com/WhiteHouse/api-standards

HTTP design http://www.ietf.org/rfc/rfc2616.txt

App testing http://www.kohl.ca

HTTP Header elements http://themayesfamily.com/blogs/b/2011/05/rest-client-for-

firefox-sample-post-request/