Monday, April 11, 2011

curl + 2xml for simple http get post web test command line scripting

Web programming can get complicated pretty quickly. Everybody wishes they could automatically test their website when they make a change to ensure they haven't broken anything. For many websites this is a large and tedious task that screams out for automation. It would be nice if you could separate your web-application's functionality from the details of browser compatibility. Great strides have been taken to improve compatibility between browser versions but quirks still (and will probably always) exist.
Some web automation tests really can and should be agnostic of the web browser being used at that point in time. Whichever version of Firefox, Chrome, Safari, Opera, IE , Lynx :), etc.. people are into at that moment.

So to ensure your test automation doesn't rely on some test framework version or browser quirks, you must take the long view, you have to ensure you use only methods from the w3c http spec, get && post with or without cookies. These are the web operations most likely to not change and remain compatible for the lifetime of your application.

Two interesting ways of doing this are either via some curl library in your favorite programming language or alternatively via the handy curl executable compiled for your operating system, which is available on 99.99% of computers today.

Let me get this out of the way. "You obviously cannot execute or test all client side JavaScript via curl." Nevertheless when any regular Javascript or even Ajax function communicates with the server it does so using standard http commands and curl can handle all of those operations. Here are some very useful sample commands that might surprise you by their simplicity and power. A consequence of building your website to be testable in this manner enforces a restful and simple design, regardless of whether you continue to test this way in future. Most higher level web testing frameworks are compatible with the operations I'm going to show you in curl, so once you've spiked out your test at the command line you'll see its trivial to convert this into another language/framework since these basic operations are universal to the web itself.

If you add xml2 and the grep command you can easily prototype some test scenarios that could subsequently be scripted. The reason I'm doing this is that I often want to prototype new website designs and functions and I don't really want to have to manually log in and navigate to the page in question if this can be automated at the command-line.

If you followed along with my previous post on federated login with spring-roo you'll have a copy of the same app I'm running my commands against.
We'll assume you did and your server and app are:


Most pages need redirection capability so this means add the -L flag to follow the location as it changes.
Additionally we're gonna need to know where we've been redirected to, we'll also add the -v for verbose flag.

myflags="-L -v"

curl $myflags "$myserver/$appname/"

\\lots of html in here returned\\

So that's a lot of xhtml that came back lets make that human friendly with xml2/html2 and grep
xml2/html2 gives you an xpath representation of each xml element on a separate line which makes them grepable.

So for example:

curl $myflags "$myserver/$appname" | xml2

on my app i get back something like this:

/html/body/div/div/ul/li/ul/li/a/@title=Create new Employee
/html/body/div/div/ul/li/ul/li/a/@title=List all Employees
/html/body/div/div/ul/li/ul/li/a/@title=Find by Open Id Identifier

This is not too bad actually. Right? And you were worried about not needing a web browser :). So you see here some link titles and hrefs for the basic CRUD operations on my app as well as a spring roo finder.
We also received a
Set-Cookie: JSESSIONID=F5E83F4ABC01CB1B0C8D222E6AE22B29; Path=/openidlogin
command from the server. This is our unique session token, it's been appended to our urls. Yours would be different.

To move forward from here, as is the case for many situations in life, we are going to need some cookies! Else every time we hit our server its going to think we are a different person. Curl gives us this functionality with two flags, one to store cookies, the other to send cookies. We store with a cookiejar -c flag. And we send with the -b flag. lets add those flags now.

myflags="-L -v -b cookiejar.txt -c cookiejar.txt"

Now if hit the site we only get a cookie the first time and it gets saved and sent along when necessary.

curl $myflags "$myserver/$appname/" | xml2

cat cookiejar.txt
beastinator.local FALSE /openidlogin FALSE 0 JSESSIONID 89CF82D8C4211D5C6913B9B911B67C2B

That's our session. simple. And since we stored our cookies properly the jsessionid isn't appended to the url anymore which cleans things up a lot:

/html/body/div/div/ul/li/ul/li/a/@title=Create new Employee
/html/body/div/div/ul/li/ul/li/a=Create new Employee
/html/body/div/div/ul/li/ul/li/a/@title=List all Employees
/html/body/div/div/ul/li/ul/li/a=List all Employees
/html/body/div/div/ul/li/ul/li/a/@title=Find by Open Id Identifier
/html/body/div/div/ul/li/ul/li/a=Find by Open Id Identifier

Now lets try to go from here to the List operation on my Employee entity. namely the following link.

curl $myflags "$myserver/$appname/employees" | xml2

So here, based on the security settings for this app, we get redirected to a login page. As you can see in the header:

< HTTP/1.1 302 Moved Temporarily
< Server: Apache-Coyote/1.1
< Location: http://localhost:8080/openidlogin/login

Now things get interesting. We have three options to log in.

1. User/pass combo. In this case I've pre set up user1/password.
2. Sign in with Google Federated Login. So we'll have to sign in via a prelinked google openid.
3. Sign in with a more standard, Non-google openid provider. In this case I'll show you how to use

1. User/pass combo method using user1/password. Lets look the first form action.

curl $myflags "$myserver/$appname/login" | xml2 | grep -i form

/html/body/div/div/div/div/form/div/script= Spring.addDecoration(new Spring.ElementDecoration({elementId : "j_username", widgetType : "dijit.form.ValidationTextBox", widgetAttrs : {promptMessage: "Enter your name", required : true}}));
/html/body/div/div/div/div/form/div/script= Spring.addDecoration(new Spring.ElementDecoration({elementId : "j_password", widgetType : "dijit.form.ValidationTextBox", widgetAttrs : {promptMessage: "Enter your password", required : true}}));
/html/body/div/div/div/div/form/div/script=Spring.addDecoration(new Spring.ValidateAllDecoration({elementId:'proceed', event:'onclick'}));

Pretty simple. We have j_username and j_password fields with submit and reset buttons and the http method is post to this url /openidlogin/resources/j_spring_security_check.

So in curl to make a post command all we have to do is add the data flag -d and point to the action url, like the following.

curl $myflags -d "j_username=user1&j_password=password" "$myserver/$appname/resources/j_spring_security_check" | xml2

thats it! we're in. we don't have to send the username and password again so we don't need to add this to $myflags since our session cookie keeps us authenticated.

lets log out now and try the next method.
curl $myflags "$myserver/$appname/resources/j_spring_security_logout" | html2

2. lets try it for google. this is the part of the form we're interested in:
visit google sign in page to get the GALX cookie
curl $myflags

grab the GALX token from the cookie:
GALX=`cat cookiejar.txt | grep | grep GALX | awk '{print $NF}'`

set a google user and pass

login to google:
curl $myflags -d "Email=$goog_user&GALX=$GALX&Passwd=$goog_pass&asts=&continue=$dsh&hl=en<mpl=default<mplcache=2&pstMsg=&rm=false&rmShown=1&scc=1&secTok&service=mail&signIn=Sign in&ss=1&timeStmp=" | html2

you now have all the fancy google cookies you need for oauth. (also google is tracking you :) )

So here's how we use the fancy cookies to log into our site. I'm going to assume you already granted permissions on the google account in question for this app.

so lets look at the part of our form that does google oauth:

curl $myflags "$myserver/$appname/login" | html2 | grep -i form

/html/body/div/div/div/div/form/div/input/@value=Sign in with Google

looks like all we need to do is send on the hard coded openid_identifier

curl $myflags -d "openid_identifier=" "$myserver/$appname/j_spring_openid_security_check"

let all the fancy oauth redirecting do its thing with your cookies, then you can query employees since you are logged in!

curl $myflags "$myserver/$appname/employees" | html2 | grep "/html/body/div/div/div/div/table/tr/td="


lets log out now and try the next method.
curl $myflags "$myserver/$appname/resources/j_spring_security_logout" | html2

3. Sign in with a more standard, Non-google openid provider. In this case I'll show you how to use
head back to the login page and examine the third form action.

curl $myflags "$myserver/$appname/login" | xml2 | grep -i form


so as before once we have our openid provider's cookie, we just send our openid provider url as a form post parameter and direct curl to the j_spring_openid_security_check action .

example for

curl $myflags -d "openid_identifier=" "$myserver/$appname/j_spring_openid_security_check" | html2

so to sign in to you do the following:
curl $myflags "" > myopenidsignin.html
blank=`cat myopenidsignin.html | html2 | grep "=_$" -A 1 | grep value | awk -F"@value=" '{print $2}' | tail -n 1`
tid=`cat myopenidsignin.html | html2 | grep "=tid$" -A 1 | grep value | awk -F"@value=" '{print $2}' | tail -n 1`
token=`cat myopenidsignin.html | html2 | grep "=token$" -A 1 | grep value | awk -F"@value=" '{print $2}' | head -n 1`

curl $myflags -d "user_name=$myopen_user&password=$myopen_pass&_=$blank&tid=$tid&token=$token" ""

curl $myflags -d "openid_identifier=https://$" "$myserver/$appname/j_spring_openid_security_check" | html2

Thats it you're in. congrats, you didn't even need a browser.

    1 ## summary
2 ## for those of you who read bash better than english.
4 myflags="-L -v -b cookiejar.txt -c cookiejar.txt"
5 myserver=http://localhost:8080
6 appname=openidlogin
8 #login with username and pass
9 curl $myflags -d "j_username=user1" -d "j_password=password" "$myserver/$appname/resources/j_spring_security_check" | html2
11 #login with google oauth
12 #simplified gmail oauth login
13 curl $myflags
14 GALX=`cat cookiejar.txt | grep | grep GALX | awk '{print $NF}'`
15 goog_user=your_goog_user
16 goog_pass=your_goog_pass
17 curl $myflags -d "Email=$goog_user&GALX=$GALX&Passwd=$goog_pass&asts=&continue=$dsh&hl=en&ltmpl=default&ltmplcache=2&pstMsg=&rm=false&rmShown=1&scc=1&secTok&service=mail&signIn=Sign in&ss=1&timeStmp=" | html2
18 curl $myflags -d "openid_identifier=" "$myserver/$appname/j_spring_openid_security_check"
21 #login with
22 curl $myflags "" > myopenidsignin.html
23 blank=`cat myopenidsignin.html | html2 | grep "=_$" -A 1 | grep value | awk -F"@value=" '{print $2}' | tail -n 1`
24 tid=`cat myopenidsignin.html | html2 | grep "=tid$" -A 1 | grep value | awk -F"@value=" '{print $2}' | tail -n 1`
25 token=`cat myopenidsignin.html | html2 | grep "=token$" -A 1 | grep value | awk -F"@value=" '{print $2}' | head -n 1`
26 myopen_user=username
27 myopen_pass=password
28 curl $myflags -d "user_name=$myopen_user&password=$myopen_pass&_=$blank&tid=$tid&token=$token" ""
29 curl $myflags -d "openid_identifier=https://$" "$myserver/$appname/j_spring_openid_security_check" | html2
31 #logout
32 curl $myflags "$myserver/$appname/resources/j_spring_security_logout" | html2
34 #list employees once logged in
35 curl $myflags "$myserver/$appname/employees" | html2 | grep "/html/body/div/div/div/div/table/tr/td="

more info on curl can be found here:

No comments:

Post a Comment