Understanding and testing RESTful Web Services - Created by Mark Winteringham / @2bittester © 2017

Understanding and testing Web Services

Available at http://mwtestconsultancy.co.uk/presentations/understanding_web_services/


Please install the standalone POSTMAN app

POSTMAN: https://www.getpostman.com/apps

About me...

- www.mwtestconsultancy.co.uk

- @2bittester

- linkedin.com/in/markwinteringham


Workshop goals

Explore what is a Web Service

Discover different test design techniques

Build different requests to query and manipulate data

Going forward with the skills you've learnt

Welcome to 'The best at rest ltd'


Creators of RESTFUL-BOOKER

A webservice that allows hotels to store booking details about their guests

Restful-booker requirements

  1. Be able to store Bookings with the following items
    • Guest's name
    • The price of their booking
    • Whether they have paid a deposit
    • The dates of their booking
    • Any additional needs
  2. Must be able to create, read, update and delete bookings
  3. Bookings must be searchable

Restful-booker API

Restful booker: www.github.com/mwinteringham/restful-booker

API details are in the README

POSTMAN

Our test tool for the workshop

Web Service


'A Web service is a software system designed to support interoperable machine-to-machine interaction over a network.'

http://www.w3.org/TR/2004/NOTE-ws-gloss-20040211/#webservice

Mobile to Web Service

Diagram: a mobile UI sending requests to a backend web service

Web Service to Web Service

Diagram: a Reports web service calling a Search web service

A service-oriented architecture

A Web Service example

Example diagram: http://adrianmejia.com/blog/2014/10/01/creating-a-restful-api-tutorial-with-nodejs-and-mongodb/

A typical HTTP Read request

Diagram: a GET request, labelled with its URI host and URI path

Uniform Resource Identifiers

scheme://host:port/path/to/resource?queryString

http://localhost:3001/booking/1?name=mary

Uniform Resource Identifiers

Scheme

HTTP - Web
FTP - File transfer
SMTP - Mail


Uniform Resource Identifiers

Hosts

The host is the server the request is sent to, written either as an IP address (192.168.1.254) or as a hostname (hostname.com) that resolves to that address

Uniform Resource Identifiers

Ports

192.168.1.254:80 - port 80, the default port for HTTP
192.168.1.254:443 - port 443, the default port for HTTPS

Uniform Resource Identifiers

Paths

Resource

Something the service exposes to the end user to interact with such as an image, video, html, text, etc.

Booking resource with id 1:

GET /booking/1

Query strings

A query string carries extra parameters that refine the request for a resource, for example filtering which bookings are returned

GET /booking?checkin=2014-03-13&checkout=2014-05-21

Returns all bookings between two dates whereas:

GET /booking

Returns all the bookings

Creating query strings

  • Query strings start with a ? after the resource path
  • Are declared as key=value
  • Multiple query declarations are joined using &

For example:

GET /booking?checkin=2014-03-13&checkout=2014-05-21
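As an added example (not from the slides or from restful-booker), the query string rules above turned into code: the WHATWG URL API, which Node.js and browsers both provide, builds and parses `/booking?key=value&...` and percent-encodes reserved characters in values, which hand-built string concatenation does not. The base URL is the localhost:3001 one used in the slides; the function names are ours.

```javascript
// Added example, not from the slides: build and parse query strings with the
// WHATWG URL API rather than by string concatenation, so reserved characters
// are percent-encoded for you. Base URL is the one the slides use.
const BASE = "http://localhost:3001";

// Build /booking?key=value&... from an object of parameters; returns the absolute URL.
function buildBookingUrl(params) {
  const url = new URL("/booking", BASE);
  for (const [key, value] of Object.entries(params)) {
    // append() encodes "&", "=", "?", "#" and spaces in the value, so a value
    // such as "Brown&Co" cannot be read by the server as a second parameter.
    url.searchParams.append(key, String(value));
  }
  return url.toString();
}

// Parse a URL's query string into key -> [values]. Keys may repeat
// (?checkin=a&checkin=b); whether the server reads the first, the last or
// all of them is a worthwhile test case.
function parseQuery(urlString) {
  const out = {};
  for (const [key, value] of new URL(urlString).searchParams) {
    if (!Object.prototype.hasOwnProperty.call(out, key)) out[key] = [];
    out[key].push(value);
  }
  return out;
}
```

Try `buildBookingUrl({ firstname: "Brown&Co" })` and compare it with the same string pasted straight into Postman: the encoded form reaches the server as one value, the raw form as two parameters.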

A typical HTTP request

Diagram: the request line, labelled with its HTTP method

HTTP methods

HTTP methods indicate an action the user would like to do on a resource

restful-booker is a C.R.U.D. service

Create = POST
Read = GET
Update = PUT
Delete = DELETE

Methods in action

GET http://localhost:3001/booking

-Returns current bookings

POST http://localhost:3001/booking

-Creates a new booking

OPTIONS http://localhost:3001/booking

-Returns which methods can be used on a URI

A typical HTTP response

Diagram: the response, labelled with its payload (body)

Types of Payloads

JSON


{
  "booking": {
    "firstname": "Sally",
    "lastname": "Brown",
    "totalprice": 111,
    "depositpaid": true,
    "additionalneeds": "Breakfast",
    "bookingdates": {
      "checkin": "2013-02-23",
      "checkout": "2014-10-23"
    }
  }
}

XML

<created-booking>
  <booking>
    <firstname>Sally</firstname>
    <lastname>Brown</lastname>
    <totalprice>111</totalprice>
    <depositpaid>true</depositpaid>
    <additionalneeds>Breakfast</additionalneeds>
    <bookingdates>
      <checkin>2013-02-23</checkin>
      <checkout>2014-10-23</checkout>
    </bookingdates>
  </booking>
</created-booking>

A typical HTTP response

Diagram: the response, labelled with its HTTP status code

1xx - Informational (e.g. 100 Continue, 101 Switching Protocols)

2xx - Success (e.g. 200 OK, 201 Created)

3xx - Redirection (e.g. 301 Moved Permanently, 302 Found)

4xx - Client error (e.g. 400 Bad Request, 403 Forbidden)

5xx - Server error (e.g. 500 Internal Server Error, 503 Service Unavailable)

Illustrated at https://http.cat

Iteration one - Investigating Read

User stories


As a user of restful-booker

I want to be able to view all current booking IDs

So that I can choose an ID whose booking I want to view


GET /booking

As a user of restful-booker

I want to be able to search on the booking dates

So that I can filter the relevant booking IDs I require


GET /booking?checkin=*&checkout=*

As a user of restful-booker

I want to be able to retrieve a booking using its ID

So that I can view the details of that booking


GET /booking/{id}
API can be found at: github.com/mwinteringham/restful-booker

What did you learn?

A typical HTTP create request

Diagram: a POST request, labelled with the change in HTTP verb and the payload it carries

Payload

A representation of the resource you want to create through the service


The parameters and the structure of the payload have strict rules

Which can also be known as a 'contract'

Robustness principle

`Be conservative in what you do, be liberal in what you accept from others`

Postel's law


  • When sending a payload the service should conform strictly to the contract
  • When receiving a payload the service should tolerate minor deviations (for example unknown extra fields) rather than fail outright, but it must still validate what it uses: silently accepting genuinely invalid data is a common source of bugs and security flaws

Data types

{
  "firstname": "Mark",
  "lastname": "test",
  "totalprice": 300.00,
  "depositpaid": true,
  "additionalneeds": "Breakfast",
  "bookingdates": {
    "checkin": "11/11/2014",
    "checkout": "12/11/2014"
  }
}
  • String

  • Number

  • Boolean

  • Dates (String)
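The 'contract', Postel's law and data types slides above describe one check a tester wants to run on every payload: does it conform? As an added example, not from the slides or from restful-booker, here is that check in the form it would take in a Postman test script over `pm.response.json()`. Field names are the ones in the restful-booker README (firstname, lastname, totalprice, depositpaid, additionalneeds, bookingdates); the decision to ignore unknown extra fields while being strict on types and date format is our own narrow reading of the robustness principle. The data types example above, with its DD/MM dates, would fail it.

```javascript
// Added example, not from the slides or restful-booker: a strict check of a
// booking payload against the contract described above. Field names are the
// ones in the restful-booker README; the decision to ignore unknown extra
// fields (a narrow reading of Postel's law) is our own.
const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/;

// True only for a real calendar date written as YYYY-MM-DD.
function isIsoDate(s) {
  if (typeof s !== "string" || !ISO_DATE.test(s)) return false;
  const d = new Date(s + "T00:00:00Z");
  // Some engines roll 2014-02-31 over into March; comparing the round trip
  // catches both the rolled-over and the Invalid Date cases.
  return !Number.isNaN(d.getTime()) && d.toISOString().startsWith(s);
}

// Returns the list of contract violations; an empty list means the payload conforms.
function validateBooking(b) {
  if (b === null || typeof b !== "object" || Array.isArray(b)) return ["payload is not an object"];
  const errors = [];
  const required = { firstname: "string", lastname: "string", totalprice: "number", depositpaid: "boolean" };
  for (const [field, type] of Object.entries(required)) {
    if (!(field in b)) errors.push(`missing ${field}`);
    else if (typeof b[field] !== type) errors.push(`${field} should be ${type}`);
  }
  if (typeof b.totalprice === "number" && !(b.totalprice >= 0)) errors.push("totalprice should be >= 0");
  if ("additionalneeds" in b && typeof b.additionalneeds !== "string") errors.push("additionalneeds should be string");
  const dates = b.bookingdates;
  if (dates === null || typeof dates !== "object") {
    errors.push("missing bookingdates");
  } else {
    for (const f of ["checkin", "checkout"]) {
      if (!isIsoDate(dates[f])) errors.push(`bookingdates.${f} is not YYYY-MM-DD`);
    }
    // ISO dates compare correctly as plain strings.
    if (isIsoDate(dates.checkin) && isIsoDate(dates.checkout) && dates.checkout < dates.checkin) {
      errors.push("checkout is before checkin");
    }
  }
  return errors; // unknown extra fields are deliberately ignored
}
```

The same function is useful on the request side: feed it each payload you are about to POST and you know in advance which of your test cases are contract violations, so a 200 back from the service on one of them is a finding rather than a pass.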

A typical HTTP Read request

Diagram: a GET request, labelled with its headers

HTTP Headers

Define the operating parameters of an HTTP request such as:

  • What is requesting the resource (User-Agent)
  • What format the resource should be in (Accept, Content-Type)
  • Credentials showing the requester is allowed the resource (Authorization, Cookie)

And more: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

HTTP Headers

Adding headers can alter the behaviour of the service and its response

Key: Value -> Outcome

Accept: application/json -> JSON is returned
Accept: application/xml -> XML is returned
Content-Type: application/json -> JSON is accepted in the request body
Content-Type: text/xml -> XML is accepted in the request body
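As an added example of what sits behind the Accept rows above (this is not restful-booker's code), here is the server-side content negotiation that decides whether JSON or XML comes back: parse the Accept header with its q-values and wildcards, pick the best supported type, and fall back to 406 Not Acceptable when nothing matches. The media types and the 406 rule are standard HTTP; the function names and the supported list are ours.

```javascript
// Added example, not from the slides: server-side content negotiation on the
// Accept header, of the kind that decides whether a service answers in JSON
// or XML. The supported list and function names are ours.
const SUPPORTED = ["application/json", "application/xml"];

// Parse "application/xml;q=0.9, application/json, */*;q=0.1" into
// [{type, q}] ordered by preference (highest q first, ties keep header order).
// A missing header means the client accepts anything.
function parseAccept(header) {
  if (!header) return [{ type: "*/*", q: 1, index: 0 }];
  return header
    .split(",")
    .map((part, index) => {
      const [type, ...params] = part.trim().split(";").map((s) => s.trim());
      const qParam = params.find((p) => p.toLowerCase().startsWith("q="));
      const q = qParam ? Number(qParam.slice(2)) : 1;
      return { type: type.toLowerCase(), q: Number.isFinite(q) ? q : 0, index };
    })
    .filter((entry) => entry.q > 0) // q=0 means "never send me this"
    .sort((a, b) => b.q - a.q || a.index - b.index);
}

// Does an Accept pattern (possibly "type/*" or "*/*") cover a concrete media type?
function typeMatches(pattern, type) {
  if (pattern === "*/*") return true;
  const [pMajor, pSub] = pattern.split("/");
  const [tMajor, tSub] = type.split("/");
  return pMajor === tMajor && (pSub === "*" || pSub === tSub);
}

// Returns the media type to respond with, or null (respond 406 Not Acceptable).
function negotiate(acceptHeader) {
  for (const { type } of parseAccept(acceptHeader)) {
    const match = SUPPORTED.find((s) => typeMatches(type, s));
    if (match) return match;
  }
  return null;
}
```

Worth probing in Postman: what the service does with `Accept: text/html` (a 406, or JSON regardless?), with `q=0`, and with a weighted list where XML outranks JSON.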

Iteration two - Investigating Create

User stories


As a user of restful-booker

I want to be able to create bookings

So that I store new bookings that can be retrieved later


POST /booking
API can be found at: github.com/mwinteringham/restful-booker

What did you learn?

Authentication

Services generally have one or more layers of security such as:

  • Basic access authentication
  • Cookie based authentication

This isn't an exhaustive list

There may be other layers of security in place

Basic access authentication

Comes in the form of a header. Base64 is an encoding, not encryption: anyone who can read the header can recover the password, so Basic credentials are only as safe as the transport (use HTTPS)


Authorization: Basic Base64(username:password)
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

https://en.wikipedia.org/wiki/Basic_access_authentication
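Producing and parsing that header, as an added example rather than anything from the slides. Decoding it back is the point: it shows that Base64 hides nothing. The parser splits on the first colon only, because RFC 7617 forbids a colon in the user-id but allows one in the password, a detail that naive `split(":")` implementations get wrong.

```javascript
// Added example, not from the slides: producing and parsing the Basic
// Authorization header. Base64 is reversible, so the password is readable by
// anyone who sees the header; Basic only makes sense over TLS.

// Build the header value for a username and password.
function basicAuthHeader(username, password) {
  // RFC 7617: the user-id must not contain a colon; the password may.
  if (username.includes(":")) throw new Error("username must not contain ':'");
  return "Basic " + Buffer.from(`${username}:${password}`, "utf8").toString("base64");
}

// Parse the header back; returns null for anything that is not well-formed Basic.
function parseBasicAuth(header) {
  if (typeof header !== "string") return null;
  const match = /^Basic\s+([A-Za-z0-9+\/]+=*)$/i.exec(header.trim());
  if (!match) return null;
  const decoded = Buffer.from(match[1], "base64").toString("utf8");
  const colon = decoded.indexOf(":"); // split on the FIRST colon only
  if (colon === -1) return null;
  return { username: decoded.slice(0, colon), password: decoded.slice(colon + 1) };
}
```

Paste any captured `Authorization: Basic ...` value into `parseBasicAuth` and you have the plaintext credentials, which is the reason to check that a service never accepts Basic over plain http.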

Cookie based authentication

POST /auth

{
  "username": "admin",
  "password": "password123"
}

Response


Set-Cookie: token=abc123


DELETE /booking/{id}


Cookie: token=abc123


PUT

Similar to POST but rather than create it updates: by the HTTP specification a PUT replaces the whole resource at the given URI and is idempotent (repeating it has no further effect), whereas POST creates a new resource each time

However, in the real world APIs do not always follow this:

PUT vs POST

DELETE

Addressed like GET (DELETE /booking/{id}) but removes the resource rather than reading it

Iteration three - Investigating Update / Delete

User stories


As a user of restful-booker

I want to be able to protect the update and delete functions

So that I can protect the bookings from being changed or deleted


POST /auth

As a user of restful-booker

I want to be able to update a pre-existing booking using its ID

So that I can correct any errors made in a booking


PUT /booking/{id}

As a user of restful-booker

I want to be able to delete a booking using its ID

So that I can remove the booking


DELETE /booking/{id}
API can be found at: github.com/mwinteringham/restful-booker

What did you learn?

Toolsmithing

How can we support our testing with APIs?

POSTMAN Collections

Setup

  1. Select the Collections tab
  2. Click on the folder to create a collection
  3. Select a request from history
  4. Click the save/disk item to add to a collection

Data driven API calls

Guide: www.mwtestconsultancy.co.uk/data-driven-testing-gherkin-api/

Monitoring tools

Burp Suite
POSTMAN

Make your own monitoring tool!

http://www.mwtestconsultancy.co.uk/api-monitoring-tool-simple/

Iteration four - Implement custom tools

Taking Web Service testing further

Mobile to Web Service

Diagram: the mobile UI (covered by UI testing) in front of the backend web service (covered by web service testing)

Automation?

Wrapping up

Thank you

Restful-booker - https://github.com/mwinteringham/restful-booker

Slides - http://mwtestconsultancy.co.uk/presentations/understanding_web_services/