CS 11 Securing and Testing Scalable Services

The document discusses securing code and repositories, emphasizing the importance of trusted repositories, access control, and authentication methods, particularly in API gateways. It also covers various testing strategies, including unit and integration tests, as well as load testing and tools for effective testing. Additionally, it introduces concepts like OAuth and chaos engineering, providing resources for further self-study.

Uploaded by Samrat

Securing and Testing Scalable Services
Soma Sundaram P, Guest Faculty
BITS Pilani, Pilani Campus

Merged - CCZG583/SEUSZG583, Scalable Services
Lecture No. 11

Securing code and repositories

Securing code and repository
• Your code is only as secure as the systems used to create it.
• Version control, peer review and built-in auditing are some of the advantages which come with using a code repository.
• If proper attention is paid to security measures, the benefits of using a repository far outweigh the risks.

BITS Pilani, Pilani Campus


Measures for securing the code and repository
• Choose a repository you trust
• Consider the exposure of your repository
• Protect access credentials
• Access to the repository should be revoked when no longer required, or in the event of compromise
• Review all code changes
• Ensure your code is backed up
• External code changes may be malicious


What is Authentication?

• Verifying the identity of the application or human that’s attempting to access the application.


Authentication implementation options
• One option is for the individual services to authenticate the user.
• A better approach is for the API gateway to authenticate a request before forwarding it to the services.


Authentication in API Gateway


The sequence of events for API clients is as follows:
• A client makes a request containing credentials.
• The API gateway authenticates the credentials.
• It creates a security token, and passes that to the service or services.


The sequence of events for login-based clients is as follows:
• A client makes a login request containing credentials.
• The API gateway returns a security token.
• The client includes the security token in requests that invoke operations.
• The API gateway validates the security token and forwards it to the service or services.
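Both gateway flows from the two slides above, written out as an added example (not code from the lecture or its textbook). The credential store, signing key and HMAC-based token format are constructed assumptions; a real gateway would use a standard token format and store password hashes.

```python
import base64, hashlib, hmac, json, time
# Constructed credential store and signing key (hypothetical values, not from the slides).
USERS = {"alice": "s3cret-password"}   # a real gateway would store password hashes
SIGNING_KEY = b"gateway-signing-key"   # in practice loaded from a secrets manager

def _sign(claims: bytes) -> str:
    return hmac.new(SIGNING_KEY, claims, hashlib.sha256).hexdigest()

def authenticate(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)

def issue_token(username, ttl_seconds=300, now=None):
    """Security token = base64(JSON claims) + '.' + HMAC-SHA256 over the claims."""
    now = time.time() if now is None else now
    claims = json.dumps({"sub": username, "exp": now + ttl_seconds}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(claims).decode() + "." + _sign(claims)

def validate_token(token, now=None):
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        encoded, sig = token.split(".", 1)
        claims = base64.urlsafe_b64decode(encoded.encode())
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(claims), sig):
        return None   # tampered or forged token
    parsed = json.loads(claims)
    return parsed if parsed["exp"] > now else None   # expired tokens are rejected

def service_handler(request):
    # The service sees the principal the gateway established, never the raw credentials.
    return {"status": 200, "served": request["path"], "principal": request["principal"]}

def gateway_login(username, password, now=None):
    """Login-based client: credentials in, security token out."""
    if not authenticate(username, password):
        return {"status": 401}
    return {"status": 200, "token": issue_token(username, now=now)}

def gateway_forward(request, now=None):
    """Later requests carry the token; the gateway validates it and forwards to the service."""
    claims = validate_token(request.get("token", ""), now=now)
    if claims is None:
        return {"status": 401}
    return service_handler({"path": request["path"], "principal": claims["sub"]})

def gateway_api_request(username, password, path, now=None):
    """API client: credentials on each request; the gateway mints a token and passes it on."""
    if not authenticate(username, password):
        return {"status": 401}
    return gateway_forward({"path": path, "token": issue_token(username, now=now)}, now=now)
```

The `now` parameter exists only so expiry can be exercised deterministically; omit it to use the wall clock.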


Authorization

• Verifying that the principal is allowed to perform the requested operation on the specified data.
• Applications often use a combination of role-based security and access control lists (ACLs).


Authorization in API Gateway
• If a user isn’t allowed to access a particular path, the API gateway can reject the request before forwarding it on to the service.
• We can implement authorization in the API gateway using a security framework, such as Spring Security.


Authorization in Services

• The other place to implement authorization is in the services.
• A service can implement role-based authorization for URLs and for service methods.
• It can also implement ACLs to manage access to aggregates.
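The two authorization layers from the slides above (path rules at the gateway, role check plus ACL inside the service) as an added example; it is not code from the lecture or from Spring Security. The route rules, the `Principal`/`Order` shapes and the action names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    roles: set

# Gateway-level rules (constructed): which roles may reach which path prefixes.
GATEWAY_ROUTE_RULES = [
    ("/admin/", {"ADMIN"}),
    ("/orders/", {"CUSTOMER", "ADMIN"}),
]

def gateway_authorize(principal, path):
    """Role-based check at the gateway: reject before forwarding if no rule grants the path."""
    for prefix, allowed_roles in GATEWAY_ROUTE_RULES:
        if path.startswith(prefix):
            return bool(principal.roles & allowed_roles)
    return False   # paths with no rule are denied by default

@dataclass
class Order:
    """The aggregate; its ACL maps a user name to the actions that user may perform on it."""
    order_id: str
    owner: str
    acl: dict = field(default_factory=dict)

    def permits(self, principal, action):
        if principal.name == self.owner:
            return True   # the owner may do anything to their own order
        return action in self.acl.get(principal.name, set())

class OrderService:
    """Service-side authorization: a role check on the method, then an ACL check on the aggregate."""
    def __init__(self, orders):
        self._orders = {o.order_id: o for o in orders}

    def cancel_order(self, principal, order_id):
        if not principal.roles & {"CUSTOMER", "ADMIN"}:
            return "forbidden: role"
        order = self._orders.get(order_id)
        if order is None:
            return "not found"
        if "ADMIN" not in principal.roles and not order.permits(principal, "cancel"):
            return "forbidden: acl"
        return "cancelled"
```

The gateway check alone cannot express "bob may cancel only his own orders"; that is why the ACL check still has to live with the aggregate in the service.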


What is OAuth?

• OAuth is an open-standard authorization protocol or framework.
• The simplest example of OAuth is when you go to log onto a website and it offers one or more opportunities to log on using another website’s/service’s logon.
• You then click on the button linked to the other website, and the other website authenticates you.


Terms used in OAuth

• Authorization Server
• Access Token
• Refresh Token
• Resource Server
• Client


How OAuth works for Microservices

Testing

Types of Tests


Unit Tests

• These are tests that typically test a single function or method call.
• These are tests that help the developers, and so they are technology-facing, not business-facing.
• The prime goal of these tests is to give us very fast feedback about whether our functionality is good.


Types of Unit Test

• Solitary unit test—Tests a class in isolation using mock objects for the class’s dependencies
• Sociable unit test—Tests a class and its dependencies


Unit Testing Strategy

The typical testing strategy for each class is as follows:

• Entities, such as Order, which are objects with persistent identity, are tested using sociable unit tests.
• Value objects, such as Money, which are objects that are collections of values, are tested using sociable unit tests.
• Sagas, such as CreateOrderSaga, which maintain data consistency across services, are tested using sociable unit tests.


Unit Testing Strategy

• Domain services, such as OrderService, which are classes that implement business logic that doesn’t belong in entities or value objects, are tested using solitary unit tests.
• Controllers, such as OrderController, which handle HTTP requests, are tested using solitary unit tests.
• Inbound and outbound messaging gateways are tested using solitary unit tests.
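A sociable test for an entity beside a solitary test for a domain service, following the strategy on the two slides above; this is an added example, not the textbook's or the lecture's code. The `Money`, `Order` and `OrderService` classes and the repository interface (`find_by_id`, `save`) are constructed for the example.

```python
from dataclasses import dataclass
from unittest.mock import Mock

@dataclass(frozen=True)
class Money:
    """Value object: a collection of values with no identity of its own."""
    cents: int
    def __add__(self, other):
        return Money(self.cents + other.cents)

class Order:
    """Entity with persistent identity; computing its total uses the real Money objects."""
    def __init__(self, order_id, line_items):
        self.order_id = order_id
        self.line_items = line_items   # list of (description, Money)
        self.state = "PENDING"
    def total(self):
        total = Money(0)
        for _, price in self.line_items:
            total = total + price
        return total

class OrderService:
    """Domain service: business logic that belongs neither in Order nor in Money."""
    def __init__(self, order_repository):
        self.order_repository = order_repository   # persistence dependency, mocked in tests
    def cancel(self, order_id):
        order = self.order_repository.find_by_id(order_id)
        if order.state != "PENDING":
            raise ValueError("only pending orders can be cancelled")
        order.state = "CANCELLED"
        self.order_repository.save(order)
        return order

def test_order_total_sociable():
    """Sociable unit test: Order is exercised together with its real Money dependency."""
    order = Order("o1", [("pizza", Money(1200)), ("soda", Money(300))])
    assert order.total() == Money(1500)
    return order.total()

def test_order_service_cancel_solitary():
    """Solitary unit test: OrderService is isolated from persistence by a mock repository."""
    repo = Mock()
    repo.find_by_id.return_value = Order("o1", [("pizza", Money(1200))])
    service = OrderService(repo)
    order = service.cancel("o1")
    repo.find_by_id.assert_called_once_with("o1")   # the mock records the interaction
    repo.save.assert_called_once_with(order)
    return order.state
```

The solitary test never touches a database, which is what gives the fast feedback the Unit Tests slide asks for.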


Integration Test


Approaches to test interaction between services

• Launch all the services and test them through their APIs. This, however, is what’s known as end-to-end testing, which is slow, brittle, and costly.
• A much more effective strategy is to write what are known as integration tests.


Integration testing using Contracts
• One way to simplify integration tests that verify interactions between application services is to use contracts.


• Consumer-side tests: These are tests for the consumer’s adapter. They use the contracts to configure stubs that simulate the provider, enabling you to write integration tests for a consumer that don’t require a running provider.
• Provider-side tests: These are tests for the provider’s adapter. They use the contracts to test the adapters using mocks for the adapter’s dependencies.


Consumer Driven Contract testing
Verify that a service and its clients can communicate while testing them in isolation
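The consumer-side and provider-side tests from the previous slides, driven by one shared contract, as an added example (not Pact's code or the lecture's). The contract layout, the `OrderClient` adapter and the `order_handler` with its mocked repository are constructed for the example.

```python
from unittest.mock import Mock

# Constructed contract between the consumer (an order-history client) and the provider
# (the Order service). In Pact this is the pact file both sides share.
CONTRACT = {
    "request": {"method": "GET", "path": "/orders/o1"},
    "response": {"status": 200,
                 "body": {"orderId": "o1", "state": "PENDING", "totalCents": 1500}},
}

# Consumer side: the adapter that talks to the provider (HTTP transport is injected).
class OrderClient:
    def __init__(self, http):
        self.http = http   # callable(method, path) -> (status, body)
    def fetch_state(self, order_id):
        status, body = self.http("GET", f"/orders/{order_id}")
        if status != 200:
            raise RuntimeError(f"provider returned {status}")
        return body["state"]

def stub_from_contract(contract):
    """A provider stub that answers exactly the interaction the contract describes."""
    def http(method, path):
        req = contract["request"]
        if (method, path) == (req["method"], req["path"]):
            return contract["response"]["status"], contract["response"]["body"]
        return 404, {}
    return http

def consumer_side_test(contract):
    """Consumer test: runs the adapter against the stub, no running provider required."""
    return OrderClient(stub_from_contract(contract)).fetch_state("o1")

# Provider side: the HTTP adapter with its repository dependency mocked.
def order_handler(repository, method, path):
    if method == "GET" and path.startswith("/orders/"):
        order = repository.find_by_id(path[len("/orders/"):])
        if order is None:
            return 404, {}
        return 200, {"orderId": order["id"], "state": order["state"], "totalCents": order["total"]}
    return 405, {}

def provider_side_test(contract):
    """Provider test: replay the contract's request and compare with the contract's response."""
    repo = Mock()
    repo.find_by_id.return_value = {"id": "o1", "state": "PENDING", "total": 1500}
    req = contract["request"]
    status, body = order_handler(repo, req["method"], req["path"])
    return (status, body) == (contract["response"]["status"], contract["response"]["body"])
```

If the provider renames a field in its response, the provider-side test fails against the unchanged contract, which is how a breaking change is caught without deploying either side.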


Load testing

• Load testing helps us understand the behavior of an application when a large amount of data is being transferred between individual services.
• In such cases, the network often causes bottlenecks in the application.
• By using load testing, we can prevent application crashes caused by large user loads in the production environment.


A few tips for Load Testing

• Prioritize High-Risk Services Instead of Going for 100% Testing
• Leverage Service Virtualization Instead of Waiting for Fully Functional Dependencies
• Go Beyond the Request/Response Ratio as a Metric for Performance


Tools for testing

• JMeter
• InfluxDB
• Grafana
• CloudWatch


Other Testing Tools

• Pact – to facilitate your contract testing.
• Mocha and Jest – unit and integration testing tools that also serve as a microservices testing framework.


Chaos Engineering At Netflix
It is an emerging approach to evaluating distributed networks, running experiments against a system while it's in active use.


Self Study

• https://docs.github.com/en/code-security/getting-started/quickstart-for-securing-your-repository
• OAuth in detail from textbook
• Testing in detail from textbook
• https://www.neotys.com/insights/microservices-load-testing
• https://netflix.github.io/chaosmonkey/


References

• Books as per the handout
• https://performancelabus.com/load-testing-for-microservices/
• https://netflixtechblog.com/from-chaos-to-control-testing-the-resiliency-of-netflixscontent-discovery-platform-ce5566aef0a4
• https://spectrum.ieee.org/chaos-engineering-saved-your-netflix