Is there any way to update the values of the feature file from the internally called feature file [duplicate] - karate

I need to post a request to get an authorization token and include it in the header for all subsequent test requests. This token changes every time but it is valid for the entire test session as long as I keep sending requests. In each feature file I can call another feature file to get this token. But I don't want to do this for every feature file. I just want to get the token one time at the start of the test and use it for all feature files. How do I do that? I've read the Karate information on GitHub but did not find the answer.

The second example in the demos answers all your questions: karate-demo.
EDIT1: Sorry, I read your question too fast. You can use karate.call() in karate-config.js so it applies to all feature files. I don’t recommend this because you will always have some features where you DON'T need this. Just use a call to a feature and don’t over-engineer your tests.
EDIT2: I thought about this a little more. If you are comfortable with Java, you could make a call to a singleton at the start of each feature (or even in the global karate-config.js) and in that singleton cache the value of the auth token. So you can do exactly what you need and it will be flexible.
EDIT3: Based on this question, we added this functionality to Karate as a karate.callSingle() operation. Here's the doc: https://github.com/intuit/karate/tree/develop#the-karate-object

Related

Cached response increments the number of hits in the server when we use that access token in another API hit [duplicate]

I have multiple feature files in my project. One of the feature files creates tokens. I want to call this feature only once at the start of the test and then use the tokens in the other features without executing the token feature again and again.
Can someone please help me with this?
Look at callSingle() in karate-config.js and please refer to the docs: https://github.com/intuit/karate#hooks
var result = karate.callSingle('classpath:tokens.feature');
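A karate-config.js that puts the one-time token fetch described in both Karate answers above into practice, as an added example (not code from the original answers or from the Karate project); it assumes a tokens.feature that defines a variable named token, and the host name is a placeholder:

```javascript
// karate-config.js (added example; not from the original answers).
// Karate calls fn() once per feature. karate.callSingle() runs the named
// feature only once per JVM and caches its result, so every feature that
// reads config.authHeader shares the same token without re-posting for it.
function fn() {
  var env = karate.env || 'dev'; // set with -Dkarate.env=<name>
  var config = {
    env: env,
    baseUrl: env === 'prod' ? 'https://api.example.test'   // assumed hosts
                            : 'https://api-dev.example.test'
  };
  // tokens.feature (assumed) posts the credentials and ends with
  //   * def token = response.access_token
  // Its variables come back as a map, cached after the first call.
  var auth = karate.callSingle('classpath:tokens.feature');
  // Features opt in with: * configure headers = authHeader
  // (kept opt-in, per EDIT1 above, instead of forcing it on every feature)
  config.authHeader = { Authorization: 'Bearer ' + auth.token };
  return config;
}
```
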

Data storage after API call form Postman/SoapUI

I need to create an automated test setup for some web services, and plan to use SoapUI or Postman for that. My question is pretty basic. What happens to the data after a request is made?
E.g. if the response contains data from a system and displays it in the Postman UI, will Postman store the response? Or what will happen to it after the request?
I'm asking for security purposes and I was not able to find a concrete answer myself. Thank you in advance.
Postman provides explicit ways to store data or not. When you run a collection, in the settings you can specify whether you want to store responses, cookies, etc. Configure it as per your need.
As per the official site:
"Postman does not track any content of your requests/responses."
Under File --> Settings.
You can even avoid using the cloud version if you don't want to sync things up.
Re SoapUI...
If you call a service once, then the data remains in the UI. If you run a second or third time, then only the last response is shown in the UI.
Once you close SoapUI, the request and response data is gone.
However, you can save the data from every request and response by using a datasink step, should that be what you want.

karate api test: how to store all responses of a feature file in an array [duplicate]

Using Karate I am making API calls sequentially. I need to store the API request and response for this sequential flow of APIs in separate text files for each API call.
I need to understand how I can achieve this.
I have tried logback which stores entire execution logs in a text file.
Take a look at karate.prevRequest which will give you the "request". Now use some custom Java (or JS) code and write whatever you want to a file.
I personally think it is unnecessary because Karate's HTML report has all that you need. If someone is asking you to do this, please try to convince that person that this exercise is a waste of time.

How can I retrieve a Gitlab Project tag list through the API?

I'm writing a REST client to look at project information available from several gitlab servers at the same time in one consolidated place. I understand REST and am able to pull the project details I need except one: the tags.
I'm not talking about git repository tags; those I'm able to get just fine. I'm referring to the tags that are set under Project Settings. These are tags that, from what I can tell, are meant to be a form of describing the project, not referencing a particular commit hash.
I submitted a merge request back to the Gitlab folks; if accepted, any REST call that involves a Project class will include a "tag_list" field with all the project labels.
The merge request is available here: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/329
EDIT: This was merged in Gitlab version 7.10.0 so now you can just run a GET on the Project and the tag_list will be included with the JSON response.
Try this:
http://www.example.com.br/api/v3/projects/#{str}/repository/tags?private_token=yourtoken
Note that in the #{str} variable, if you are using a group/repository structure, you must replace the dash with %2F; for example, you must set:
http://www.example.com.br/api/v3/projects/group%2Frepository/repository/tags?private_token=yourtoken
The response to your request will be the body. So you can console.log response.body to retrieve the tags.
Not possible: ACCEPTING MERGE REQUEST at: http://feedback.gitlab.com/forums/176466-general/suggestions/6325819-project-labels-via-api , so feel free to implement it if you need it.
Should be simple: just return the project.tag_list (see: https://github.com/mbleigh/acts-as-taggable-on) as a JSON list from https://github.com/gitlabhq/gitlabhq/blob/41518a467dcef61deca24ad2f6205c6fd5706e1b/lib/api/projects.rb#L60
Always check the request tracker first for features ;) True, in this case you may have done it and not found it because of label vs tag keyword confusion; I think it was renamed at some point, so always search for both.

"Anti-XSS protection" by adding )]}' before ajax response

Google Plus returns AJAX requests with )]}' on the first line. I heard it is protection against XSS. Are there any examples of what anyone could do, and how, without that protection?
Here's my best guess as to what's happening here.
First off, there are other aspects of the Google JSON format that aren't quite valid JSON. So, in addition to any protection purposes, they may be using this specific string to signal that the rest of the file is in Google JSON format and needs to be interpreted accordingly.
Using this convention also means that the data feed won't execute from a call from a script tag, nor by interpreting the JavaScript directly from an eval(). This ensures front end developers are passing the content through a parser, which will keep any implanted code from executing.
So to answer your question, there are two plausible attacks that this prevents, one cross-site through a script tag, but the more interesting one is within-site. Both attacks assume that:
a bug exists in how user data is escaped and
it is exploited in a way that allows an attacker to inject code into one of the data feeds.
As a simple example, let's say a user figured out how to take a string like example
["example"]
and changed it to "];alert('example');
[""];alert('example');"]
Now when that data shows up in another user's feed, the attacker can execute arbitrary code in the user's browser. Since it's within site, cookies are being sent to the server and the attacker could automate things like sharing posts or messaging people from the user's account.
In the Google scenario, these attacks won't work for a number of reasons. The first 5 characters will cause a JavaScript error before the attack code is run. Plus, since developers are forced to parse the code instead of accidentally running it through an eval, this practice will prevent code from being executed anyway.
As others said, it's a protection against Cross-Site Script Inclusion (XSSI).
We explained this on Gruyere as:
Third, you should make sure that the script is not executable. The standard way of doing this is to append some non-executable prefix to it, like ])}while(1);. A script running in the same domain can read the contents of the response and strip out the prefix, but scripts running in other domains can't.
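The mechanism both answers describe, as an added example (not code from the original answers or from Google): a server-side wrapper that adds the prefix, a same-origin client that strips it and parses the remainder as data, and a simulation of what a script-tag inclusion or eval() would do with the body. The feeds and the sink() call are constructed for the demonstration.

```javascript
// Added example (not from the original answers): the )]}' prefix makes a JSON
// feed invalid JavaScript, so it cannot run via <script src> or eval(), while a
// same-origin client that reads the body over XHR can strip it and parse the rest.
const XSSI_PREFIX = ")]}'\n";

// Server side: serialize (JSON.stringify escapes embedded quotes) and prefix.
function protectJson(value) {
  return XSSI_PREFIX + JSON.stringify(value);
}

// Client side: require the prefix, strip it, then parse as data. Never eval().
function parseProtectedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("missing XSSI prefix; refusing to parse response");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Simulates what a <script src> inclusion or eval() would do with a body:
// compile and run it as JavaScript. "sink" stands in for injected code.
function scriptOutcome(body) {
  let injected = false;
  try {
    new Function("sink", body)(() => { injected = true; });
  } catch (e) {
    if (e instanceof SyntaxError) return "syntax_error";
    throw e;
  }
  return injected ? "injected_code_ran" : "ran_harmlessly";
}

// Constructed feeds. In the second one the user string  "];sink();//  was
// not escaped, so it closes the array literal and appends a statement.
const SAFE_FEED = '["example"]';
const BROKEN_ESCAPING_FEED = '[""];sink();//"]';
```

With the prefix in front, the broken feed fails to compile before the injected statement is reached, and a client that goes through parseProtectedJson() never evaluates it at all.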