RubyGems - api-tester - Versions diffs - 1.0.0 → 1.1.1 - Mend

api-tester 1.0.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

checksums.yaml +5 -5
data/.github/dependabot.yml +15 -0
data/.github/workflows/push.yml +39 -0
data/.github/workflows/test.yml +31 -0
data/.rubocop.yml +61 -0
data/Gemfile +2 -0
data/Guardfile +70 -0
data/README.md +65 -61
data/Rakefile +8 -3
data/api-tester.gemspec +29 -24
data/changelog.txt +10 -0
data/lib/api-tester.rb +6 -3
data/lib/api-tester/config.rb +16 -13
data/lib/api-tester/definition/boundary_case.rb +4 -1
data/lib/api-tester/definition/contract.rb +8 -3
data/lib/api-tester/definition/endpoint.rb +32 -23
data/lib/api-tester/definition/fields/array_field.rb +20 -19
data/lib/api-tester/definition/fields/boolean_field.rb +12 -9
data/lib/api-tester/definition/fields/email_field.rb +14 -11
data/lib/api-tester/definition/fields/enum_field.rb +14 -11
data/lib/api-tester/definition/fields/field.rb +46 -45
data/lib/api-tester/definition/fields/number_field.rb +11 -8
data/lib/api-tester/definition/fields/object_field.rb +34 -31
data/lib/api-tester/definition/fields/plain_array_field.rb +25 -0
data/lib/api-tester/definition/method.rb +7 -2
data/lib/api-tester/definition/request.rb +43 -16
data/lib/api-tester/definition/response.rb +29 -26
data/lib/api-tester/method_case_test.rb +67 -53
data/lib/api-tester/modules/extra_verbs.rb +29 -9
data/lib/api-tester/modules/format.rb +23 -7
data/lib/api-tester/modules/good_case.rb +25 -10
data/lib/api-tester/modules/injection_module.rb +32 -17
data/lib/api-tester/modules/required_fields.rb +51 -0
data/lib/api-tester/modules/server_information.rb +13 -10
data/lib/api-tester/modules/typo.rb +36 -13
data/lib/api-tester/modules/unexpected_fields.rb +61 -0
data/lib/api-tester/modules/unused_fields.rb +12 -6
data/lib/api-tester/reporter/api_report.rb +24 -16
data/lib/api-tester/reporter/missing_field_report.rb +12 -13
data/lib/api-tester/reporter/report.rb +11 -8
data/lib/api-tester/reporter/status_code_report.rb +9 -2
data/lib/api-tester/test_helper.rb +6 -6
data/lib/api-tester/util/response_evaluator.rb +70 -57
data/lib/api-tester/util/supported_verbs.rb +8 -5
data/lib/api-tester/version.rb +3 -1
metadata +99 -25
data/.travis.yml +0 -6
data/lib/api-tester/reporter/missing_response_field_report.rb +0 -21

data/lib/api-tester/method_case_test.rb CHANGED

@@ -1,69 +1,83 @@
+# frozen_string_literal: true
 require 'api-tester/util/response_evaluator.rb'
 module ApiTester
+  # Class for testing methods
   class MethodCaseTest
-      attr_accessor :expected_response
-      attr_accessor :payload
-      attr_accessor :response
-      attr_accessor :reports
-      attr_accessor :url
-      attr_accessor :module_name
+    attr_accessor :expected_response
+    attr_accessor :payload
+    attr_accessor :response
+    attr_accessor :reports
+    attr_accessor :url
+    attr_accessor :module_name
-      def initialize response, payload, expected_response, url, verb, module_name
-          self.payload = payload
-          self.response = response
-          self.expected_response = expected_response
-          self.reports = []
-          self.url = "#{verb} #{url}"
-          self.module_name = module_name
-      end
+    def initialize(response:, payload:, expected_response:, url:, verb:, module_name:)
+      self.payload = payload
+      self.response = response
+      self.expected_response = expected_response
+      self.reports = []
+      self.url = "#{verb} #{url}"
+      self.module_name = module_name
+    end
-      def response_code_report
-          report = StatusCodeReport.new "#{module_name} - Incorrect response code", self.url, self.payload, self.expected_response.code, self.response.code
-          self.reports << report
-          nil
-      end
+    def response_code_report
+      report = StatusCodeReport.new description: "#{module_name} - Incorrect response code",
+                                    url: url,
+                                    request: payload,
+                                    expected_status_code: expected_response.code,
+                                    actual_status_code: "#{response.code} : #{response.body}"
+      reports << report
+      nil
+    end
-      def missing_field_report field
-          report = Report.new "#{module_name} - Missing field #{field}", self.url, self.payload, self.expected_response, self.response
-          self.reports << report
-          nil
-      end
+    def missing_field_report(field)
+      report = Report.new description: "#{module_name} - Missing field #{field}",
+                          url: url,
+                          request: payload,
+                          expected_response: expected_response,
+                          actual_response: response
+      reports << report
+      nil
+    end
-      def extra_field_report field
-          report = Report.new "#{module_name} - Found extra field #{field}", self.url, self.payload, self.expected_response, self.response
-          self.reports << report
-          nil
-      end
+    def extra_field_report(field)
+      report = Report.new description: "#{module_name} - Found extra field #{field}",
+                          url: url,
+                          request: payload,
+                          expected_response: expected_response,
+                          actual_response: response
+      reports << report
+      nil
+    end
-      def check
-          if check_response_code
-              evaluator = ApiTester::ResponseEvaluator.new json_parse(self.response.body), self.expected_response
-              evaluator.missing_fields.map{|field| missing_field_report(field)}
-              evaluator.extra_fields.map{|field| extra_field_report(field)}
-              increment_fields evaluator.seen_fields
-          end
-          return self.reports
+    def check
+      if check_response_code
+        evaluator = ApiTester::ResponseEvaluator.new actual_body: json_parse(response.body),
+                                                     expected_fields: expected_response
+        evaluator.missing_fields.map { |field| missing_field_report(field) }
+        evaluator.extra_fields.map { |field| extra_field_report(field) }
+        increment_fields evaluator.seen_fields
       end
+      reports
+    end
-      def check_response_code
-          if response.code != expected_response.code
-              response_code_report
-              return false
-          end
-          return true
+    def check_response_code
+      if response.code != expected_response.code
+        response_code_report
+        return false
       end
+      true
+    end
-      def increment_fields seen_fields
-          seen_fields.each do |field|
-              field.seen
-          end
-      end
+    def increment_fields(seen_fields)
+      seen_fields.each(&:seen)
+    end
-      def json_parse body
-          JSON.parse!(body)
-        rescue JSON::ParserError
-          body
-      end
+    def json_parse(body)
+      JSON.parse!(body)
+    rescue JSON::ParserError
+      body
+    end
   end
 end

data/lib/api-tester/modules/extra_verbs.rb CHANGED

@@ -1,18 +1,32 @@
- require 'api-tester/util/supported_verbs'
+# frozen_string_literal: true
+require 'api-tester/util/supported_verbs'
 module ApiTester
+  # Check verbs not explicitly defined in contract
   module ExtraVerbs
-    def self.go contract
+    def self.go(contract)
       reports = []
       contract.endpoints.each do |endpoint|
         extras = ApiTester::SupportedVerbs.all - endpoint.verbs
         headers = endpoint.methods[0].request.default_headers
         extras.each do |verb|
-          verb_case = BoundaryCase.new("Verb check with #{verb} for #{endpoint.name}", {}, headers)
-          method = ApiTester::Method.new verb, ApiTester::Response.new, ApiTester::Request.new
-          response = endpoint.call method, verb_case.payload, verb_case.headers
-          test = VerbClass.new response, verb_case.payload, endpoint.not_allowed_response, endpoint.url, verb
+          verb_case = BoundaryCase.new description: "Verb check with #{verb} for #{endpoint.name}",
+                                       payload: {},
+                                       headers: headers
+          method = ApiTester::Method.new verb: verb,
+                                         response: ApiTester::Response.new,
+                                         request: ApiTester::Request.new
+          response = endpoint.call base_url: contract.base_url,
+                                   method: method,
+                                   payload: verb_case.payload,
+                                   headers: verb_case.headers
+          test = VerbClass.new response: response,
+                               payload: verb_case.payload,
+                               expected_response: endpoint.not_allowed_response,
+                               url: endpoint.url,
+                               verb: verb
           reports.concat test.check
         end
       end
@@ -25,9 +39,15 @@ module ApiTester
     end
   end
+  # Test template used for module
   class VerbClass < MethodCaseTest
-      def initialize response, payload, expected_response, url, verb
-          super response, payload, expected_response, url, verb, "VerbModule"
-      end
+    def initialize(response:, payload:, expected_response:, url:, verb:)
+      super response: response,
+            payload: payload,
+            expected_response: expected_response,
+            url: url,
+            verb: verb,
+            module_name: 'VerbModule'
+    end
   end
 end

data/lib/api-tester/modules/format.rb CHANGED

@@ -1,16 +1,26 @@
+# frozen_string_literal: true
 require 'api-tester/reporter/status_code_report'
 require 'api-tester/method_case_test'
 module ApiTester
-  class Format
-    def self.go contract
+  # Checks the format constraints defined in contract
+  module Format
+    def self.go(contract)
       reports = []
       contract.endpoints.each do |endpoint|
         endpoint.methods.each do |method|
           cases = method.request.cases
           cases.each do |format_case|
-            response = endpoint.call method, format_case.payload, format_case.headers
-            test = FormatTest.new response, format_case.payload, endpoint.bad_request_response, endpoint.url, method.verb
+            response = endpoint.call base_url: contract.base_url,
+                                     method: method,
+                                     payload: format_case.payload,
+                                     headers: format_case.headers
+            test = FormatTest.new response: response,
+                                  payload: format_case.payload,
+                                  expected_response: endpoint.bad_request_response,
+                                  url: endpoint.url,
+                                  verb: method.verb
             reports.concat test.check
           end
         end
@@ -23,9 +33,15 @@ module ApiTester
     end
   end
+  # Test layout used by Format module
   class FormatTest < MethodCaseTest
-      def initialize response, payload, expected_response, url, verb
-          super response, payload, expected_response, url, verb, "FormatModule"
-      end
+    def initialize(response:, payload:, expected_response:, url:, verb:)
+      super response: response,
+            payload: payload,
+            expected_response: expected_response,
+            url: url,
+            verb: verb,
+            module_name: 'FormatModule'
+    end
   end
 end

data/lib/api-tester/modules/good_case.rb CHANGED

@@ -1,16 +1,26 @@
+# frozen_string_literal: true
 require 'api-tester/reporter/status_code_report'
 require 'api-tester/method_case_test'
 module ApiTester
-  class GoodCase
-    def self.go contract
+  # Checks the good case as defined in contract
+  module GoodCase
+    def self.go(contract)
       reports = []
       contract.endpoints.each do |endpoint|
         endpoint.methods.each do |method|
-          default_case = BoundaryCase.new endpoint.url, method.request.default_payload, method.request.default_headers
-          response = endpoint.call method, default_case.payload, default_case.headers
-          test = GoodCaseTest.new response, endpoint.url, method
+          default_case = BoundaryCase.new description: contract.base_url + endpoint.url,
+                                          payload: method.request.default_payload,
+                                          headers: method.request.default_headers
+          response = endpoint.call base_url: contract.base_url,
+                                   method: method,
+                                   payload: default_case.payload,
+                                   headers: default_case.headers
+          test = GoodCaseTest.new response: response,
+                                  url: contract.base_url + endpoint.url,
+                                  method: method
           reports.concat test.check
         end
       end
@@ -18,14 +28,19 @@ module ApiTester
     end
     def self.order
-        1
+      1
     end
   end
+  # Test layout used by module
   class GoodCaseTest < MethodCaseTest
-      def initialize response, url, method
-          super response, method.request.default_payload, method.expected_response, url, method.verb, "GoodCaseModule"
-      end
+    def initialize(response:, url:, method:)
+      super response: response,
+            payload: method.request.default_payload,
+            expected_response: method.expected_response,
+            url: url,
+            verb: method.verb,
+            module_name: 'GoodCaseModule'
+    end
   end
 end

data/lib/api-tester/modules/injection_module.rb CHANGED

@@ -1,29 +1,39 @@
-require "injection_vulnerability_library"
+# frozen_string_literal: true
+require 'injection_vulnerability_library'
 module ApiTester
+  # Tests injection cases
   module InjectionModule
-    def self.go contract
+    def self.go(contract)
       reports = []
       contract.endpoints.each do |endpoint|
         endpoint.methods.each do |method|
-          reports.concat inject_payload endpoint, method
+          reports.concat inject_payload contract.base_url, endpoint, method
         end
       end
       reports
     end
-    def self.inject_payload endpoint, method
+    def self.inject_payload(base_url, endpoint, method)
       reports = []
       sql_injections = InjectionVulnerabilityLibrary.sql_vulnerabilities
       method.request.fields.each do |field|
         sql_injections.each do |injection|
           injection_value = "#{field.default_value}#{injection}"
-          payload = method.request.altered_payload(field.name, injection_value)
-          response = endpoint.call method, payload, method.request.default_headers
-          if(!check_response(response, endpoint)) then
-            reports << InjectionReport.new("sql", endpoint.url, payload, response)
-          end
+          payload = method.request.altered_payload field_name: field.name,
+                                                   value: injection_value
+          response = endpoint.call base_url: base_url,
+                                   method: method,
+                                   payload: payload,
+                                   headers: method.request.default_headers
+          next if check_response(response, endpoint)
+          reports << InjectionReport.new('sql',
+                                         endpoint.url,
+                                         payload,
+                                         response)
         end
       end
@@ -34,22 +44,27 @@ module ApiTester
       response.code == 200 || check_error(response, endpoint)
     end
-    def self.check_error response, endpoint
-      evaluator = ApiTester::ResponseEvaluator.new response.body, endpoint.bad_request_response
+    def self.check_error(response, endpoint)
+      evaluator = ApiTester::ResponseEvaluator.new(
+        actual_body: response.body,
+        expected_fields: endpoint.bad_request_response
+      )
       missing_fields = evaluator.missing_fields
       extra_fields = evaluator.extra_fields
-      response.code == endpoint.bad_request_response.code && missing_fields.size == 0 && extra_fields.size == 0
+      response.code == endpoint.bad_request_response.code &&
+        missing_fields.size.zero? && extra_fields.size.zero?
     end
   end
 end
+# Report for InjectionModule
 class InjectionReport
   attr_accessor :injection_type
   attr_accessor :url
   attr_accessor :payload
   attr_accessor :response
-  def initialize injection_type, url, payload, response
+  def initialize(injection_type, url, payload, response)
     self.injection_type = injection_type
     self.url = url
     self.payload = payload
@@ -57,10 +72,10 @@ class InjectionReport
   end
   def print
-    puts "Found potential #{self.injection_type}: "
-    puts "   Requested #{self.url} with payload:"
-    puts "      #{self.payload}"
+    puts "Found potential #{injection_type}: "
+    puts "   Requested #{url} with payload:"
+    puts "      #{payload}"
     puts '   Received: '
-    puts "      #{self.response}"
+    puts "      #{response}"
   end
 end

data/lib/api-tester/modules/required_fields.rb ADDED

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+module ApiTester
+  # Ensures the fields marked as required in contract are guarded
+  module RequiredFields
+    def self.go(contract)
+      reports = []
+      contract.endpoints.each do |endpoint|
+        endpoint.methods.each do |method|
+          request_def = method.request
+          required_fields = request_def.fields.keep_if(&:required)
+          combinations = (1..required_fields.size).flat_map { |size| required_fields.combination(size).to_a }
+          combinations.each do |remove_fields|
+            fields = remove_fields.map do |field|
+              { name: field.name, value: nil }
+            end
+            payload = request_def.altered_payload_with fields
+            response = endpoint.call base_url: contract.base_url,
+                                     method: method,
+                                     payload: payload,
+                                     headers: request_def.default_headers
+            test = RequiredFieldsTest.new response: response,
+                                          payload: payload,
+                                          expected_response: endpoint.bad_request_response,
+                                          url: endpoint.url,
+                                          verb: method.verb
+            reports.concat test.check
+          end
+        end
+      end
+      reports
+    end
+    def self.order
+      5
+    end
+  end
+  # Test layout used for RequiredFieldsModule
+  class RequiredFieldsTest < MethodCaseTest
+    def initialize(response:, payload:, expected_response:, url:, verb:)
+      super response: response,
+            payload: payload,
+            expected_response: expected_response,
+            url: url,
+            verb: verb,
+            module_name: 'RequiredFieldsModule'
+    end
+  end
+end

data/lib/api-tester/modules/server_information.rb CHANGED

@@ -1,15 +1,17 @@
-require 'pry'
+# frozen_string_literal: true
 module ApiTester
+  # Module for ensuring the server isn't broadcasting information about itself
   module ServerInformation
-    def self.go contract
+    def self.go(contract)
       reports = []
       endpoint = contract.endpoints[0]
-      response = endpoint.default_call
+      response = endpoint.default_call contract.base_url
-      [:server, :x_powered_by, :x_aspnetmvc_version, :x_aspnet_version].each do |server_key|
-        if response.headers[server_key] then
-          reports << ServerBroadcastReport.new(response.headers[server_key], server_key)
+      %i[server x_powered_by x_aspnetmvc_version x_aspnet_version].each do |key|
+        if response.headers[key]
+          reports << ServerBroadcastReport.new(response.headers[key],
+                                               key)
         end
       end
@@ -22,18 +24,19 @@ module ApiTester
   end
 end
+# Report used by module
 class ServerBroadcastReport
   attr_accessor :server_info
   attr_accessor :server_key
-  def initialize server_info, server_key
+  def initialize(server_info, server_key)
     self.server_info = server_info
     self.server_key = server_key
   end
   def print
-    puts "Found server information being broadcast in headers:"
-    puts "   #{self.server_info}"
-    puts "     as #{self.server_key}"
+    puts 'Found server information being broadcast in headers:'
+    puts "   #{server_info}"
+    puts "     as #{server_key}"
   end
 end