After getting familiar with Locust, it’s time for me to try to write the real test. The project to be tested is using ADFS authentication. So if an unauthenticated user visited its URL https://project.mycompany.com, it will be redirected to:

https://fs.mycompany.com/adfs/ls/?wtrealm=https%3A%2F%2Fproject.mycompany.com&wctx=WsFedOwinState%3__SUPER_LONG_BASE64_TEXT__&wa=wsignin1.0

Which prompts the username and password:

Once I entered the correct username and password, the project’s landing page is shown.

To help me to know the submission sequence, I logout, open Chrome’s DevTools, then repeat the login process. Here’s what I see on DevTools -> Network -> Doc tab:

We can see that there was 3 redirects (302):

1. When we load https://project.mycompany.com
2. When we submit the username and password (POST)
3. POST to https://project.mycompany.com

First, let’s observe the form of the login page:

<form method="post" id="loginForm" autocomplete="off" novalidate="novalidate" 
	onkeypress="if (event &amp;&amp; event.keyCode == 13) Login.submitLoginRequest();" 
	action="/adfs/ls/?wtrealm=https%3A%2F%2Fproject.mycompany.com&amp;wctx=WsFedOwinState%3D__LONG_BASE64_TEXT__&amp;wa=wsignin1.0&amp;client-request-id=__GUID_VALUE__">
	<div id="error" class="fieldMargin error smallText" style="display: none;">
		<span id="errorText" for=""></span>
	</div>

	<div id="formsAuthenticationArea">
		<div id="userNameArea">
			<label id="userNameInputLabel" for="userNameInput" class="hidden">User Account</label>
			<input id="userNameInput" name="UserName" type="email" value="" tabindex="1" class="text fullWidth" spellcheck="false" 
			placeholder="someone@example.com" autocomplete="off">
		</div>

		<div id="passwordArea">
			<label id="passwordInputLabel" for="passwordInput" class="hidden">Password</label>
			<input id="passwordInput" name="Password" type="password" tabindex="2" class="text fullWidth" placeholder="Password" autocomplete="off">
		</div>
		<div id="kmsiArea" style="display:''">
			<input type="checkbox" name="Kmsi" id="kmsiInput" value="true" tabindex="3">
			<label for="kmsiInput">Keep me signed in</label>
		</div>
		<div id="submissionArea" class="submitMargin">
			<span id="submitButton" class="submit" tabindex="4" role="button" 
			onkeypress="if (event &amp;&amp; event.keyCode == 32) Login.submitLoginRequest();" 
			onclick="return Login.submitLoginRequest();">Sign in</span>
		</div>
	</div>
	<input id="optionForms" type="hidden" name="AuthMethod" value="FormsAuthentication">
</form>

From above, we can confirm that we need to extract out the form’s action value.

Looking at the first POST (submit username and password), we can confirm the parameters submitted.

After submit, it redirected to a page:

<html>
	<head>
		<title>Working...</title>
	</head>
	<body>
		<form method="POST" name="hiddenform" action="https://project.mycompany.com:443/">
			<input type="hidden" name="wa" value="wsignin1.0"/>
			<input type="hidden" name="wresult" value="&lt;t:RequestSecurityTokenResponse ....VERY LONG ENCODED XML... &lt;/t:RequestSecurityTokenResponse>"/>
			<input type="hidden" name="wctx" value="WsFedOwinState=...QUITE LONG BASE64 TEXT ..."/>
			<noscript>
				<p>Script is disabled. Click Submit to continue.</p>
				<input type="submit" value="Submit"/>
			</noscript>
		</form>
		<script language="javascript">window.setTimeout('document.forms[0].submit()', 0);</script>
	</body>
</html>

We can see above, it is an auto-submit form where the ADFS authentication result is submitted.

Base on the sequence above, here’s how the construct of our test:

from locust import HttpUser, between, task
import logging

#to parse HTML
from bs4 import BeautifulSoup

class WebsiteUser(HttpUser):
    host = "https://project.mycompany.com"
    #wait for 3 to 10 seconds before each request
    wait_time = between(3,10)

    def on_start(self):
        resp = self.client.get("/", allow_redirects=True) 
        soup = BeautifulSoup(resp.text, "html.parser")
        logging.info(soup.title)
        
        #steps to handle unauthenticated users
        if soup.title.contents[0] == "Sign In":
            # find the login form's action
            logging.info('Trying to login')
            action = soup.form["action"]
            url = "https://fs.mycompany.com" + action
            logging.info("Post URL: " + url)
        
            #submit login information
            loginResp = self.client.post(url, {"UserName":"__USERNAME__", "Password":"__PASSWORD__", "AuthMethod": "FormsAuthentication"}, allow_redirects=True)            
            logging.info("Login Result URL: " + loginResp.url)
            #parse the login submit result
            soupLogin = BeautifulSoup(loginResp.text, "html.parser")

            #construct the auto-submit form
            inputs = soupLogin.find_all("input")
            dict = {}
            for inp in inputs:
                if inp.get("name") != None:
                    dict[inp["name"]] = inp["value"]

            # POST auto-submit form
            resp = self.client.post("/", dict, allow_redirects=True) 
            soup = BeautifulSoup(resp.text, "html.parser")
            # the title should be project's landing page title
            logging.info(soup.title)

    @task
    def index(self):
        resp = self.client.get("/", allow_redirects=True)
        soup = BeautifulSoup(resp.text, "html.parser")
        logging.info("URL: " + resp.url)
        logging.info(soup.title)

With that, we should be able to write more @task to test the performance of each pages. Hopefully, we can identify the choke-points before opening access to the users.

That’s all friends! I hope it helps. Cheers!

As I mentioned in previous post, I decided to pick Locust to help to do performance testing on my soon-to-be launched project.

First, we need to get Locust installed. If Python is not available in our system, we can download and get it installed. Since I’m on Windows, I downloaded Python 3.10.0 for Windows. Below is the command to install Locust:

pip install locust

To verify the installation:

locust -V
# locust 1.3.2

If above command produced errors, we need to add python’s script folder to PATH environment variable

C:\Users\__YOUR_WINDOWS_USERNAME__\AppData\Roaming\Python\Python310\Scripts

Before we can start writing the test script in Python, I recommend to install VS Code as editor for .py(python scripts). Having VS Code installed, let’s prepare the folder for all the test scripts, then launch VS Code:

mkdir projects
mkdir projects\python
mkdir projects\python\locust
cd projects\python\locust
code .

On VS Code it is highly recommended to install the python extension

Now let’s write our first test script (test.py):

from locust import HttpUser, between, task

class WebsiteUser(HttpUser):
    host = "https://sodeve.net"
    
    # wait in between requests, 5-15 seconds
    wait_time = between(5, 15)  
     
    @task
    def index(self):
        self.client.get("/") 
        
    @task
    def category(self):
        self.client.get("/posts-by-category/")

    @task
    def sitemap(self):
        self.client.get("/map/") 

Let’s run locust from VS Code console (press Ctrl+Shift+`):

locust -f test.py --logfile locust.log

If we never run a python program before, we will have below prompt:

Click “Allow”, then open this address http://localhost:8089 in your browser. You should see something like this:

Click “Start swarming” to start the test.

That’s all for my start on testing website using Locust. Next, let’s try to test an application which is using ADFS (Active Directory Federation Service) authentication. Cheers!

My current project is almost launched. One of the final steps is to do a performance/stress testing. The purpose of this test to measure:

1. how fast the response under normal load
2. maximum concurrent users before the response fell below the acceptance standard

As I am looking for a free/open source solution, I stumbled on this page. Here’s my short take on each of the software.

1. JMeter. It is a Java-based application. But due to Java-licensing uncertainty, I was advised to totally skip this application
2. Gatling. It’s a Scala-based testing application. Since I’m not familiar with Scala, I’ll keep this as last resort
3. Locust. A python-based software. I have previously toying around with python, so this is a possible candidate
4. Tsung. An erlang-based testing tool. Last release was 4 years ago, so maybe it’s no longer actively maintained. Also, I’m not familiar with erlang.
5. Siege. Since this testing application is only running on Linux/Unix, I’m not considering it.
6. Httperf. Another Linux-based application. Skipped
7. Taurus. Not exactly a performance testing application, but more like an automation application. But its usage to automate JMeter or Selenium is prominently highlighted. It is a python application, so it might worth for consideration
8. Artillery. A Node JS testing application. But reading from its page, this application purpose is more on testing the performance of the backend systems.
9. Goad. A go-based application. Unfortunately, it’s totally dependent on AWS Lambda. So this is not suitable to my requirement

After looking at all of these options, and also considering things like budget, time required to learn, I decided to pick up Locust. So I’ll keep you posted on my progress on using Locust to test my project’s performance. Cheers!