Tag Archives: code

Development Standards for API Policies?

16 Monday Dec 2019

Posted by in API Platform CS, General, tools

Leave a comment

Tags

, , , , , , ,

When it comes to development, we have had coding standards for almost as long as we have been coding. We tend to look at coding standards for purposes of helping to promote good quality code and reduce the likelihood of bugs and so on. But they also help with readability, making it easy to navigate a code base and so on. This is sufficiently important that there is a vast choice of tools to help us ensure we align with good practices.

That readability etc, when it comes to code interfaces lends to making it easier to use an interface as it promotes consistency and as Don Norman would say avoids ‘cognitive load‘, in other words, the effort involved in performing actions with the interface. Any Java Developer will tell you, want to print out an object (any object) you get a string representation using the .toString() method and direct it using the io packages.

That consistency and predictability are important not just for code if you look at any API best practises documents you’ll encounter directly or indirectly the need to use conventions that drive consistency – use of singular or plural for the name of entities, application of case – camel case, snake case etc. Good naming etc and we’ll see related things appear together in the documentation. Products such as Apiary and SwaggerHub include tooling to help police this in our API design work.

But what about policies that we use to define how an API Gateway handles the receipt and routing of API invocations? Well yes, we should have standards here as well. Some might say, governance gone mad. But gateways are often shared services, so making it easy to see and logically group APIs together at very least by using a good naming convention will help as a minimum. If API management is being administered in a more DevOps fashion, then information security professionals will probably want assurance that developers are applying policies in a recommended manner.

Continue reading

Tracing Executions in an API Environment

07 Wednesday Feb 2018

Posted by in API Platform CS, APIs & microservices, General, Technology

2 Comments

Tags

, , , , , , ,

As APIs become more pervasive within our solutions we see the arrival of not just design and cataloging tools such as Apiary, Apigee and others but also the arrival of gateways. The gateways provide execution of operations including validation, accounting (moneytization), routing, and other controls such as throttled checks that would often not occur until the first contact with a service bus. For example initial routing based on the API call, fine grained authentication and authorisation (differing from your firewalls who will just perhaps authorise).

In the more traditional integration middleware of Oracle Service Bus and SOA (regardless of cloud, on-premises) you can trace the execution through the middleware end to end. This tracing can be achieved because the platform creates and assigns the a UUID (aka eCID) and ensures that it is carried through the middleware. It is this very behaviour that allows Oracle to provide Business Activity Monitoring without any need to be invasive. Burt not only that in a highly distyributed environment you can track the processing of a transaction from end to end.

The challenge now is that the first point of middleware style behaviour can be at the gateway. So we actually need to move forward the UUID or equivalent forward the the first point of contact. Not only that we need to think about the fact we will see non Oracle integration middleware involved.  Within Spring, Kabana and other established frameworks and tools which are getting signficiant traction with the rise of Microservices, the Ids being used are not the same as the UUIDs used by Oracle. For example Spring Cloud Slueth uses the same HTTP header Ids that Zipkin and Kabana support:

  • X-B3-TraceId
  • X-B3-SpanId
  • X-B3-ParentSpanId

More information can be found here and here.

For the new Oracle API Platform Cloud Service we can check for the existance of the header attributes as a policy and apply actions such as:

  • Apply a header with a TraceId or spanId,
  • If a SpanId exists then we may wish to nest our call as a child span by moving the SpandId to the ParentSpanId and creating a new SpanId.

Ultimately it would be more attractive to apply the logic using the API Platform’s SDK but to get things rolling applying the IDs with the API Groovy policy is sufficient (more here).

Next question that begs, is where to put the ID and want to call it? Put the value in the body, and you’re invading the business aspect of an API with execution specific details, not to mention potentially  changing the API definition. Whilst stuffing HTTP(s) headers with custom attributes is often discouraged as the values aren’t to immediately visible. In my opinion at least the answer largely has been set by president for us. If you weren’t using HTTPS but JMS then you would use the header, but also a number of frameworks already exist that do make use of this strategy such as those mentioned above.

Using the header defined by Kabana etc means that the very process will mean that a number of Support tools out of the box will understand and be able to help visualise your logs with no additional effort.

The following is a Groovy script that could ber used for the purposes of applying an Id appropriately into the HTTP header in the API Platform:

if (!context.getApiRequest().getHeaders().containsKey ("baggage-UUID "))
{
  // use current time to seed random generator
  def now = java.time.Instant.now()
  def random = new java.util.Random(now.getEpochSecond())

  // create an array of 16 bytes to hold the random value
  byte[] uid = new byte[16]
  random.nextBytes(uid)

  // convert the random string from Hex to an ASCII string
  Writable uidInHex= uid.encodeHex()
  String uidStr= uidInHex.toString() 

  // set the outbound header
  context.getServiceRequest().setHeader("baggage-UUID", uidStr)
}

Validating API Platform Policies & Gateway Deployments

01 Thursday Feb 2018

Posted by in API Platform CS, APIs & microservices, General, Oracle, Technology

2 Comments

Tags

, , , , , , ,

When configuring API Policies in the the Oracle API Platform it helps if there is a simple back end that can take the received payload and record the sent values (header & body) as well as reflect the call details back as the response, or possibly respond with a test payload (so that response policies, particularly policies that require payload navigation  can be exercised correctly).  By having this facility it becomes a lot easier to determine whether the policies are executing correctly in terms of routing, transforming, filtering etc. without needing to worry about whether the API implementation is correct. You could say that this is a kind of mock for testing the API Platform.

The added benefit of having a mock back end is that it is easy to ‘smoke test’ a gateway deployment very easily.  Particularly if the mock is happy to receive any form of call.

Whilst implementing such a capability can be done in pretty much any language and platform you like.  We have in the past for example built a Springboot Java application that can have the dependencies configured to then deploy into WebLogic for example.  We have come to refer these test apps/mocks as PlatformTests as that’s exactly what they help do. A Node.js implementation of a PlatformTest such as as the following implementation is particularly appealing as the Node.js footprint is small and simple to deploy and undeploy. A basic Node.js implementation can also consume any URL and operation you choose to use. The nature of JavaScript makes it very quick to adapt the mock if need be. Although in the ideal world, we write the solution once and then use simple configuration to tune behavior.

The following code looks for a local file called testResponse.json if found then returns the content of the file (assumed to be JSON) otherwise it reflects back in the body, the received header and body.  This reflection makes it extremely easy to see how the policies have changed the inbound call.  The content is also logged to the console – making it easy to also see what came through to the back end.

The implementation also assumes port 8080, but changing the port is exceptionally easy.

There one enhancement planned, and this is to allow the response test payload to be handled as XML.  This will need a little tweaking of the code as presently a JSON Object is currently stringified.

JavaScriptThe code is also available in my GitHub repository – https://github.com/mp3monster/Utils/blob/master/PlatformTest.js and an example test response file is at https://github.com/mp3monster/Utils/blob/master/testResponse.json

const http = require('http');
const fs = require('fs');

// create a simple HTTP server that will handle the requests
http.createServer((request, response) => {
const { headers, method, url } = request;
console.log("Called at " + new Date().toLocaleDateString());
let body = [];
request.on('error', (err) => {
console.log("Svr Error Handler :" + err.toString);
response.statusCode(400);
response.end();
}).on('data', (chunk) => {
body.push(chunk);
}).on('end', () => {
body = Buffer.concat(body).toString();
// At this point, we have the headers, method, url and body, and can now
// do whatever we need to in order to respond to this request.

});

// record in the console what details have been received
console.log ("Received:\nMethod:" + method.toString() +
"\n URL:"+ url.toString + "\nheaders:\n"+headers.toString() +
"\nBody:\n" + body);
// now build the response
response.setHeader('Content-Type', 'application/json');
response.setHeader('PlatformTestTime', new Date().toLocaleDateString());

// initialise our response object so that if we don't load a response
// file then we reflect the content
var responseBody = { headers, method, url, body };

try {
// try reading a response file
fs.readFile('testResponse.json', function(err, data) {
console.log("handling file");
if (err != null) {
if (err.code === 'ENOENT') {
console.log("on return file - will reflect");
} else {
console.log("Read error:" + err.toString());
}
} else {
// a file exists - but is empty?
if ((data != null) && (data.length > 0)) {
// we have a file with content - lets process so it into a JSON
// object
if (Buffer.isBuffer(data)) {
// convert the buffer from hex to an ASCII string
body = data.toString('utf8');
console.log("test response:" + body);
responseBody = JSON.parse(body);
}
}
}

// create an array with our values and then make it

// JSON with stringfy

var output = JSON.stringify(responseBody);
response.write(output);
console.log("Returning:" + output);
response.statusCode = 200;
response.end();

});

} catch (err) {

if (err.code === 'ENOENT') {
console.log("on return file - will reflect");
} else {
console.log(err.toString());
}
var output = JSON.stringify(responseBody);
response.write(output);
console.log("Returning:" + output);
response.statusCode = 200;
response.end();
}
}).listen(8080); // Activates this server, listening on port 8080.

OracleCode London 2017

21 Friday Apr 2017

Posted by in General, Oracle, Technology

1 Comment

Tags

, , , , , , , , , , , , , ,

My colleague & boss Ace Director Luis Weir and I were invited to present at Thursday 20th’s Oracle Code London.

oracle_codeThe request to present came late as we where needed to cover someone who had to cancel (not that we aren’t grateful for the opportunity). This did mean getting the presentation together was a little bit of a scramble, unfortunately I missed a couple of sessions as I needed to assemble an environment, work out how I wanted to explain the point Luis’ slides where communicating as this was the first time presenting with Luis as a double act. Add to that address the day to day work demands.

Despite these challenges, I think the presentation went very smoothly (and we’re looking forward to receiving the feedback). The slides can be found here …

I did catch a few presentations, including the keynote by Adam Bien, Tim Hall‘s presentation on exposing databases using REST services, Lucas Jemella‘s microservices and eventing backbone and finally CQRS by Sebastian Daschner. All presentations  where all top notch, loaded with useful information.  I’ve been fortunate to see both Lucas and Tim presenting before so knew I would in for a really good presentations.  So if you ever want to know about Oracle DB stuff with practical honest insights I’d recommend looking Tim up.  Like wise in the middleware space for Lucas.

Seeing the presentations and different presenting styles was interesting. Those presenters with a Java Rockstar background vs those from an Oracle Ace background. The Java guys taking a very minimalist (if any) slides and all code / demo – but blink and you’ll miss it, where as the Ace community (of which I am fortunate enough to be a member) with slides that are often visually very strong and still supported by demos.

Whilst I’ve attended Oracle Open World, I’ve not yet seen the parrallel Java One conference in San Francisco. That said, the feel of the day’s event (and presumably the goal) is what I’d expect Java One to be like. I have in the past attended similar RedHat events, whilst the venue has a similar feel (not unsurprising as both have used SkillsMatter venues), what was different between the Oracle and RedHat events was that the atmosphere felt a lot friendlier and communial at Oracle Code. This maybe down in part to the fact that I know more of the people both Aces and Oracle employees, although that can’t be the only reason as when I was involved in the RedHat environment I had known senior people within the organisation and encountered presenters.

My last observation, more technical is the fact that JavaEE was mentioned a lot more than I’d expected, even those much maligned EJBs got a mention. Is JavaEE making a reassurgence?

So, if you get a chance to attend OracleCode – as an architect or developer I’d recommend that you take the opportunity. Whilst Devox maybe bigger with the really big name speakers, the day was both informative, engaging and rewarding.

25-04-17 UPDATE: Oracle have just made all the OracleCode London sessions available on YouTube here, and our session specifically here.

SQL Static Code analysis for MySQL

05 Thursday Sep 2013

Posted by in General, Technology

Leave a comment

Tags

, , , ,

With MySQL now capable of features such as stored procedures and functions the need for tooling to support SQL code quality is greater than ever. A number of tools provide editors with syntax support and all the fancy features you’d expect from a modern IDE (see Toad as a leading product).

However the means to assess the quality of the procedures or scripts written for MySQL or the divergence from ISO standards doesn’t exist, although plenty of options exist for T-SQL (MS SQL Server), PL/SQL (Oracle) and even some tooling for DB2 and Informix.

The value of the static analysis tool means you can implement quality measures, controls and reporting through Continuous Integration tooling such as Jenkins, Sonar etc. All of which is a little ironic when you consider a lot of energy in CI (and Continuous Delivery appears to come from the open source community) which usually supports MySQL as one of the 1st options for databases.

Does this mean there is a gap in the market? Such capabilities dont seem to be in the MySQL WorkBench roadmap. Would love to know what people think?

Of course if you can support MySQL, then the offshoots such as MariaDB wouldn’t be too difficult.