3,521 research outputs found

    Using semantics for automating the authentication of Web APIs

    Recent technology developments in the area of services on the Web are marked by the proliferation of Web applications and APIs. The implementation and evolution of applications based on Web APIs is, however, hampered by the lack of automation that can be achieved with current technologies. Research on semantic Web services is therefore trying to adapt the principles and technologies that were devised for traditional Web services, to deal with this new kind of services. In this paper we show that currently more than 80% of the Web APIs require some form of authentication. Therefore authentication plays a major role for Web API invocation and should not be neglected in the context of mashups and composite data applications. We present a thorough analysis carried out over a body of publicly available APIs that determines the most commonly used authentication approaches. In the light of these results, we propose an ontology for the semantic annotation of Web API authentication information and demonstrate how it can be used to create semantic Web API descriptions. We evaluate the applicability of our approach by providing a prototypical implementation, which uses authentication annotations as the basis for automated service invocation.

    Multicloud API binding generation from documentation

    We present industry experience from implementing a retargetable cloud API binding generator. The analysis is implemented in Haskell, using type classes, types a la carte, and a code generation monad. It also targets Haskell, and allows us to bind cloud APIs on short notice and at unprecedented scale. Comment: Presented at XP 2020: Agility in Microservices workshop

    Automated testing of Hypermedia REST applications

    Testing is one essential part of the software development lifecycle and Test Driven Development is one of the main practices in agile methodology. During the development of a RESTful web application, developers oftentimes focus only on testing the business logic and neglect testing the protocol implementing REST interactions. In this context, we propose a tool to automate the generation of test cases that exercise the interactions required by a RESTful application. The tool takes as input user stories written in a restricted version of Gherkin, a widely used domain specific language for behaviour driven development. User stories written in this variant of Gherkin capture the essence of the interactions required by a REST application in a way that it is possible to derive test cases from them. Moreover, the tool derives fully functional mock implementations from the same input user story. Such mock implementations can then be used by programmers to develop the client side without requiring the actual implementation of the REST application. This document introduces the design principles and implementation of the tool and presents a study case showcasing its use.

    A Precise Model for Google Cloud Platform

    Today, Google Cloud Platform (GCP) is one of the leaders among cloud APIs. Although it was established only five years ago, GCP has gained notable expansion due to its suite of public cloud services that is based on a huge, solid infrastructure. GCP allows developers to use these services by accessing the GCP RESTful API that is described through HTML pages on its website. However, the documentation of the GCP API is written in natural language (English prose) and therefore shows several drawbacks, such as Informal Heterogeneous Documentation, Imprecise Types, Implicit Attribute Metadata, Hidden Links, Redundancy and Lack of Visual Support. To avoid confusion and misunderstandings, cloud developers obviously need a precise specification of the knowledge and activities in GCP. Therefore, this paper introduces GCP MODEL, an inferred formal model-driven specification of GCP which describes without ambiguity the resources offered by GCP. GCP MODEL conforms to the Open Cloud Computing Interface (OCCI) metamodel and is implemented based on the open source model-driven Eclipse-based OCCIWARE tool chain. Thanks to our GCP MODEL, we offer corrections to the drawbacks we identified.

    Adaptive REST API Testing with Reinforcement Learning

    Modern web services increasingly rely on REST APIs. Effectively testing these APIs is challenging due to the vast search space to be explored, which involves selecting API operations for sequence creation, choosing parameters for each operation from a potentially large set of parameters, and sampling values from the virtually infinite parameter input space. Current testing tools lack efficient exploration mechanisms, treating all operations and parameters equally (i.e., not considering their importance or complexity) and lacking prioritization strategies. Furthermore, these tools struggle when response schemas are absent in the specification or exhibit variants. To address these limitations, we present an adaptive REST API testing technique that incorporates reinforcement learning to prioritize operations and parameters during exploration. Our approach dynamically analyzes request and response data to inform dependent parameters and adopts a sampling-based strategy for efficient processing of dynamic API feedback. We evaluated our technique on ten RESTful services, comparing it against state-of-the-art REST testing tools with respect to code coverage achieved, requests generated, operations covered, and service failures triggered. Additionally, we performed an ablation study on prioritization, dynamic feedback analysis, and sampling to assess their individual effects. Our findings demonstrate that our approach outperforms existing REST API testing tools in terms of effectiveness, efficiency, and fault-finding ability. Comment: To be published in the 38th IEEE/ACM International Conference on Automated Software Engineering (ASE 2023)

    The pragmatic proof: hypermedia API composition and execution

    Machine clients are increasingly making use of the Web to perform tasks. While Web services traditionally mimic remote procedure calling interfaces, a new generation of so-called hypermedia APIs works through hyperlinks and forms, in a way similar to how people browse the Web. This means that existing composition techniques, which determine a procedural plan upfront, are not sufficient to consume hypermedia APIs, which need to be navigated at runtime. Clients instead need a more dynamic plan that allows them to follow hyperlinks and use forms with a preset goal. Therefore, in this paper, we show how compositions of hypermedia APIs can be created by generic Semantic Web reasoners. This is achieved through the generation of a proof based on semantic descriptions of the APIs' functionality. To pragmatically verify the applicability of compositions, we introduce the notion of pre-execution and post-execution proofs. The runtime interaction between a client and a server is guided by proofs but driven by hypermedia, allowing the client to react to the application's actual state indicated by the server's response. We describe how to generate compositions from descriptions, discuss a computer-assisted process to generate descriptions, and verify reasoner performance on various composition tasks using a benchmark suite. The experimental results lead to the conclusion that proof-based consumption of hypermedia APIs is a feasible strategy at Web scale. Peer Reviewed. Postprint (author's final draft)

    RESTful Web Services Development with a Model-Driven Engineering Approach

    A RESTful web service implementation requires following the constraints inherent to the Representational State Transfer (REST) architectural style, which, being a non-trivial task, often leads to solutions that do not fulfill those requirements properly. Model-driven techniques have been proposed to improve the development of complex applications. In model-driven software development, software is not implemented manually based on informal descriptions, but partially or completely generated from formal models derived from metamodels. A model-driven approach, materialized in a domain specific language that integrates the OpenAPI specification, an emerging standard for describing REST services, allows developers to use a design-first approach in the web service development process, focusing on the definition of resources and their relationships, leaving the repetitive code production process to the automation provided by model-driven engineering techniques. This also allows shifting the creative coding process to the resolution of the complex business rules, instead of the tiresome and error-prone create, read, update, and delete operations. The code generation process covers the web service flow, from the establishment and exposure of the endpoints to the definition of database tables.