REST API Automation
Introduction
A REST (Representational State Transfer) API is an architecture that allows systems to communicate with each other. In REST, everything is a resource and REST API is commonly used for web services and allows clients to interact with resources on a specific server using HTTP Methods (verbs). The following are most commonly used Methods:
GET: Retrieves a resource or a group of resources
POST: Creates a new resource
PUT / PATCH: Updates an existing resource or creates a new one
DELETE: Removes a resource
Endpoints: An API endpoint is a specific URL where a resource or a group of resources can be accessed. Each endpoint corresponds to a different action or operation on the resource. For example, /profiles
could be the endpoint to retrieve all profiles, and /profiles/{id}
could be the endpoint to retrieve a specific profile by its ID.
When a client makes a call to a REST API, it sends an HTTP request to a specific endpoint, including the desired HTTP method, headers, and possibly a request body. The server then processes the request and sends back an HTTP response, which includes a response status code, headers, and a response body (if available).
HTTP Status Codes are numbers included in the response that indicate the status of the request. Some commonly used status codes for REST APIs include:
200 (OK): The request was successful
201 (Created): A new resource was successfully created
400 (Bad Request): The request is malformed or has invalid data
401 (Authorization): The request is not authorized
404 (Not Found): The requested resource is not found
415 (Unsupported Media Type): The server cannot process the request because the media type or format of the request is not supported (header may be required)
500 (Internal Server Error): An error occurred on the server
These codes help the client understand the outcome of their request and handle any errors or exceptions.
Authorization
Basic Authorization: a simple authorization where the client sends the username and password which are typically encoded in Base64 format. The server then decodes the credentials and verifies them against a user database. If the credentials are valid, the server grants access to the requested resource.
Digest Authorization: a more secure method of authorization compared to basic authorization. It involves a challenge-response mechanism where the server generates a unique nonce (number used once) and sends it to the client. The client then uses the nonce to generate a hash code using a specified algorithm. The client sends this hash code in the Authorization header back to the server. The server performs the same calculation using the stored credentials and checks if the hash code matches, after which the server grants access to the requested resource.
NTLM Authorization: an authorization protocol used in Microsoft Windows environments. It is commonly used for integrating REST APIs with Windows Active Directory (AD) for authorization. The client’s Workstation and Domain are typically required for the authorization process.
Headers provide additional information about the request or response. They consist of key-value pairs and are included in the HTTP request or response message. Here are the most commonly used headers in REST APIs:
Content-Type: specifies the media type of the request or response body, such as JSON (application/json) or XML (application/xml).
Accept: indicates the media types that the client can accept in the response.
Authorization: used to authenticate the client's credentials. It contains the authentication token or credentials required for accessing protected resources.
X-API-Key: similar to Authorization header and it contains an API key, which is a secret token provided by the API provider to the client. The API key acts as a unique identifier for the client and is used to authenticate and authorize the client to access protected resources or perform specific actions within the API.
PS: In Subject7, you can also add you own header name in case it’s not one of the available options.
Subject7 Setup
In order to begin automating REST APIs, you will first need to create a REST Connection. Hover over Repository menu and select REST Connections
Click + and select Connection
Insert a name for your REST Connection
Insert the URL of the endpoint in URL field
If your API call requires authorization, select the Type and enter the credentials.
Under Method section, select the method for your request
As an example, we will use an endpoint which will allow us to send an execution set to cloud run.
If you select POST, PUT, PATCH or DELETE, you can enter Payload if it’s required. GET method does not have a payload because it has no meaning to the server
{ "name": "api_test", "configuration": { "pool": "default", "buildNumber": "10.2.3.2217", "browserTypes": [ "CHROME" ], "videoCaption": true, "delay": 10, "rotations": 1, "runtimeSpeed": 200, "callbackArgs": null, "dataSetSelection": [], "projectName": "Common", "versionName": "default", "dataTemplateFieldValueReplacements": [] } }
In order to test your API call before using it in a test case, click Test Connection next to Configuration
Click Test Connection button
As you can see in the screenshot above, the test was successful as shown by the Status Code = 201 (execution set was created)
The Response Headers section will display all headers associated with your request, including the date in which your request was completed
The Loading Time displays how much time communication spent to finish the request in milliseconds
The Response (or body) displays the response sent back by the server which shows that an execution set was sent to be executed in the cloud.
Back on the platform, you can go to Execution Sets under Executions menu, find the execution set “api_test” and check the request you sent. As you can see below, the information matches what we specified in the payload and the id matches what was sent back in the responses. If you see Web Service under Type, this indicates that the request was sent via a REST API. Additionally, the Build Number can be used in special CI/CD pipelines to indicate against which build your API request was executed.
Using Subject7 Commands
In order to integrate the REST Connections into your test cases, you can use the following commands:
Execute_REST: Used if you want to execute a request without retrieving any data back from the response/headers. For example, uploading datasets into a data template.
Get_REST_Value: Used if you want to execute a request and receive some data back from the response/headers. For example, sending an execution set to cloud run and getting the id and state from the response.
Verify_REST: Used if you want to verify specific data exists in the response/headers. For example, verifying that the state is CREATED.
Execute_REST: This command requires only the Status Variable which will be used to store the returned http status code into this variable and the REST Connection.
Get_REST_Value: This command requires the following options:
Status Variable: used to store the returned http status code into this variable
Capturing Variable: used to store the returned values from the response/headers which correspond to each Key/XPath provided by the user. If more than one Key/XPath is specified, the variables should be separated with commas.
Keys/XPaths: indicates what you want to receive from the response/headers by specifying the key that you see in the response. The Type of data to receive will also need to be determined. You can select from the below options:
HEADERS: to retrieve a value in the headers section
BODY_JSON: to retrieve a value in the body using a specific Key/XPath
BODY_JSON_COUNT: to return the count of elements in the response that correspond to a Key/XPath in JSON
BODY_XML: to return the entire body in XML
BODY_XML_COUNT: to return the count of elements in the response that correspond to a Key/XPath in XML
BODY_TEXT: to return the entire body in JSON
REST Connection
Verify_REST: This command requires the following options:
Status Variable: used to store the returned http status code into this variable
Value: indicates what you want to compare from the response/headers against another value of your choosing. The Operator Type will need to be selected from one of these options:
EQUALS: Checks whether a value in the response/headers equals the value of your choosing
NOT_EQUALS: Checks whether a value in the response/headers does not equal the value of your choosing
CONTAINS: : Checks whether a value in the response/headers contains the value of your choosing
COUNT: Counts elements in the response/headers and compares against a number of your choosing
Using Subject7 APIs
You can use Subject7 APIs which can be accessed in this URL to automate various actions on your account. Here are some examples:
POST/executions: Allows you to send an execution set to the cloud run
POST/test-case-executions: Allows you to send a test case to cloud run independently (same as clicking Cloud Run icon on any test case)
POST/load-plan-executions: Allows you to load run a load set in cloud
PUT/load-plan-executions/{id}: Allows you to cancel a load run by specifying the id of that run