Uploading Espresso Tests Using the DevOps API

The Mobile Security DevOps API can be used to upload Espresso UI test bundles. Data Theorem can use such a bundle to perform a fully automated dynamic scan of the associated mobile app in your Data Theorem account, using the bundle’s test cases to drive our dynamic scanner.

Overview

Uploading Espresso tests is a 2-step process:

  1. Make an API call to initialize the upload.
  2. Upload a zip archive containing the Espresso UI test code.

Step 1 - Initialize the Upload

The upload process can be initialized by calling this method.

Authentication

Authentication is done by passing your organization’s Upload API key as part of the Authorization header:

Authorization: APIKey 1234567890abcdefgh

The Upload API key can be retrieved by users in the Data Theorem portal by navigating to https://www.securetheorem.com/devsecops/scancicd

See API Conventions – Authentication and Authorization for more information.

Request

POST /apis/mobile_security/devops/v1/upload_espresso_attachment_init

For example, this method can be called via curl using:

curl -X POST -H "Authorization: APIKey AAAABBBBCCCCAJ82/iNaIQ=="  --data ""  https://api.securetheorem.com/apis/mobile_security/devops/v1/upload_espresso_attachment_init

Response

{
"upload_url": "https://prod-dopinder-v2.securetheorem.com/_ah/upload/AMm[...]/"
}

The response contains the upload_url, to be used for uploading the zip file containing the Espresso tests. This URL will only be valid for 10 minutes.

Step 2 - Upload the Tests

After retrieving the upload_url, the zip archive containing the Espresso tests should be sent as a standard multipart file upload, with the following arguments:

  • file: the zip archive.
  • release_type: the release type of the associated mobile app as set in your Data Theorem account: APP_STORE, PRE_PROD, or ENTERPRISE.
  • bundle_id: the bundle id of the associated mobile app in your Data Theorem account.
  • version: the version of the app this UI Test bundle belongs to.

Authentication

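Since the upload_url is unique for each upload, there is no need to authenticate with the Upload API Key. The URL alone authorizes the upload while it is valid, so treat it like a credential and keep it out of build logs.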

Request

POST {upload_url}

The request must be a standard multipart file upload; the zip archive is expected in the file field.

For example, this method can be called via curl using:

curl -F file=@espresso_tests.zip -F "bundle_id=com.yourcompany.TestApp" -F "version=2.5" -F "release_type=APP_STORE" https://prod-dopinder-v2.securetheorem.com/_ah/upload/Aewsadw[...]/

Note: Pay special attention to the @ character. It needs to be put in front of the file’s name for curl to upload the file.

Response

A successful upload returns a status code 200 and status text ok.

{
"session_id": "<session_id>",
"success": true
}

Errors are also JSON formatted.

{
"status": "invalid_attachment",
"session_id": "<session_id>"
}

Status/error code mapping

  • 200/ok: upload succeeded
  • 401/unauthorized: unauthorized (bad credentials or the url may have expired)
  • 422/invalid_espresso_attachment: Espresso attachment is not valid
  • 422/bad_zip_file: corrupted or malformed zip file
  • 500/error: internal server error
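
The two steps above combined into one CI helper, as an added example that is not Data Theorem's own code. It assumes the upload_url is always an HTTPS host under securetheorem.com (inferred from the sample responses on this page) and reads the key from a hypothetical DT_UPLOAD_API_KEY environment variable so it never appears on the command line.

```python
import json, os, sys, uuid, urllib.error, urllib.request
from urllib.parse import urlsplit

INIT_URL = "https://api.securetheorem.com/apis/mobile_security/devops/v1/upload_espresso_attachment_init"
RELEASE_TYPES = {"APP_STORE", "PRE_PROD", "ENTERPRISE"}

def check_upload_url(url):
    # Assumed policy: only send the bundle to an HTTPS host under securetheorem.com.
    parts = urlsplit(url)
    if parts.scheme != "https" or not f".{parts.hostname or ''}".endswith(".securetheorem.com"):
        raise ValueError("refusing unexpected upload_url host")
    return url

def build_multipart(fields, filename, data, boundary=None):
    # multipart/form-data body: text fields first, then the zip in the "file" field.
    boundary = boundary or uuid.uuid4().hex
    body = b""
    for name, value in fields.items():
        body += (f'--{boundary}\r\nContent-Disposition: form-data; '
                 f'name="{name}"\r\n\r\n{value}\r\n').encode()
    body += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
             f'filename="{filename}"\r\nContent-Type: application/zip\r\n\r\n').encode()
    return body + data + f"\r\n--{boundary}--\r\n".encode(), f"multipart/form-data; boundary={boundary}"

def post(url, body, headers):
    # Returns (status, JSON dict); error responses are JSON formatted too, per the page.
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def upload(api_key, zip_path, bundle_id, version, release_type):
    if release_type not in RELEASE_TYPES:
        raise ValueError("release_type must be one of " + ", ".join(sorted(RELEASE_TYPES)))
    status, init = post(INIT_URL, b"", {"Authorization": f"APIKey {api_key}"})  # step 1
    if status != 200:
        raise RuntimeError(f"init failed: HTTP {status}")
    url = check_upload_url(init["upload_url"])  # never logged: it works without the API key
    fields = {"bundle_id": bundle_id, "version": version, "release_type": release_type}
    with open(zip_path, "rb") as fh:
        body, ctype = build_multipart(fields, os.path.basename(zip_path), fh.read())
    status, result = post(url, body, {"Content-Type": ctype})  # step 2, no Authorization header
    if status != 200 or not result.get("success"):
        raise RuntimeError(f"upload failed: HTTP {status} {result.get('status', '')}")
    return result["session_id"]

if __name__ == "__main__":
    print(upload(os.environ["DT_UPLOAD_API_KEY"], *sys.argv[1:5]))  # hypothetical env var name
```

Run it with the zip path, bundle id, version and release type as arguments; the exception messages carry only the HTTP status and the JSON status string, never the key or the upload URL.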