schemathesis 3.19.7__py3-none-any.whl → 3.20.1__py3-none-any.whl

schemathesis/runner/impl/core.py

@@ -14,6 +14,7 @@ import requests
 from _pytest.logging import LogCaptureHandler, catching_logs
 from hypothesis.errors import HypothesisException, InvalidArgument
 from hypothesis_jsonschema._canonicalise import HypothesisRefResolutionError
+from jsonschema.exceptions import ValidationError
 from requests.auth import HTTPDigestAuth, _basic_auth_str
 
 from ... import failures, hooks
@@ -29,8 +30,8 @@ from ...exceptions import (
     CheckFailed,
     DeadlineExceeded,
     InvalidRegularExpression,
-    InvalidSchema,
     NonCheckError,
+    OperationSchemaError,
     SkipTest,
     get_grouped_exception,
 )
@@ -184,7 +185,7 @@ class BaseRunner:
                         headers=headers,
                         **kwargs,
                     )
-                except InvalidSchema as exc:
+                except OperationSchemaError as exc:
                     yield from handle_schema_error(
                         exc,
                         results,
@@ -229,7 +230,7 @@ class EventStream:
 
 
 def handle_schema_error(
-    error: InvalidSchema,
+    error: OperationSchemaError,
     results: TestResultSet,
     data_generation_methods: Iterable[DataGenerationMethod],
     recursion_level: int,
@@ -299,7 +300,6 @@ def run_test(
         method=operation.method.upper(),
         path=operation.full_path,
         verbose_name=operation.verbose_name,
-        overridden_headers=headers,
         data_generation_method=data_generation_methods,
     )
     # To simplify connecting `before` and `after` events in external systems
@@ -364,8 +364,8 @@ def run_test(
     except SkipTest:
         status = Status.skip
         result.mark_skipped()
-    except AssertionError as exc:  # comes from `hypothesis-jsonschema`
-        error = reraise(exc)
+    except AssertionError:  # comes from `hypothesis-jsonschema`
+        error = reraise(operation)
         status = Status.error
         result.add_error(error)
     except HypothesisRefResolutionError:
@@ -440,7 +440,7 @@ def has_all_not_found(results: TestResultSet) -> bool:
                 else:
                     # There are non-404 responses, no reason to check any other response
                     return False
-    # Only happens if all responses are 404, ot there are no responses at all.
+    # Only happens if all responses are 404, or there are no responses at all.
     # In the first case, it returns True, for the latter - False
     return has_not_found
 
@@ -466,16 +466,14 @@ def get_invalid_regular_expression_message(warnings: List[WarningMessage]) -> Op
     return None
 
 
-def reraise(error: AssertionError) -> InvalidSchema:
-    traceback = format_exception(error, True)
-    if "assert type_ in TYPE_STRINGS" in traceback:
-        message = "Invalid type name"
-    else:
-        message = "Unknown schema error"
+def reraise(operation: APIOperation) -> OperationSchemaError:
     try:
-        raise InvalidSchema(message) from error
-    except InvalidSchema as exc:
-        return exc
+        operation.schema.validate()
+    except ValidationError as exc:
+        return OperationSchemaError.from_jsonschema_error(
+            exc, path=operation.path, method=operation.method, full_path=operation.schema.get_full_path(operation.path)
+        )
+    return OperationSchemaError("Unknown schema error")
 
 
 def deduplicate_errors(errors: List[Exception]) -> Generator[Exception, None, None]:
@@ -490,6 +488,7 @@ def deduplicate_errors(errors: List[Exception]) -> Generator[Exception, None, No
 
 
 def run_checks(
+    *,
     case: Case,
     checks: Iterable[CheckFunction],
     check_results: List[Check],
@@ -623,24 +622,7 @@ def network_test(
             headers["User-Agent"] = USER_AGENT
         timeout = prepare_timeout(request_timeout)
         if not dry_run:
-            response = _network_test(
-                case,
-                checks,
-                targets,
-                result,
-                session,
-                timeout,
-                store_interactions,
-                headers,
-                feedback,
-                request_tls_verify,
-                request_cert,
-                max_response_time,
-            )
-            add_cases(
-                case,
-                response,
-                _network_test,
+            args = (
                 checks,
                 targets,
                 result,
@@ -653,6 +635,8 @@ def network_test(
                 request_cert,
                 max_response_time,
             )
+            response = _network_test(case, *args)
+            add_cases(case, response, _network_test, *args)
 
 
 def _network_test(
@@ -695,14 +679,22 @@ def _network_test(
     run_targets(targets, context)
     status = Status.success
     try:
-        run_checks(case, checks, check_results, result, response, context.response_time * 1000, max_response_time)
+        run_checks(
+            case=case,
+            checks=checks,
+            check_results=check_results,
+            result=result,
+            response=response,
+            elapsed_time=context.response_time * 1000,
+            max_response_time=max_response_time,
+        )
     except CheckFailed:
         status = Status.failure
         raise
     finally:
+        feedback.add_test_case(case, response)
         if store_interactions:
             result.store_requests_response(case, response, status, check_results)
-    feedback.add_test_case(case, response)
     return response
 
 
@@ -742,13 +734,7 @@ def wsgi_test(
         result.mark_executed()
         headers = _prepare_wsgi_headers(headers, auth, auth_type)
         if not dry_run:
-            response = _wsgi_test(
-                case, checks, targets, result, headers, store_interactions, feedback, max_response_time
-            )
-            add_cases(
-                case,
-                response,
-                _wsgi_test,
+            args = (
                 checks,
                 targets,
                 result,
@@ -757,6 +743,8 @@ def wsgi_test(
                 feedback,
                 max_response_time,
             )
+            response = _wsgi_test(case, *args)
+            add_cases(case, response, _wsgi_test, *args)
 
 
 def _wsgi_test(
@@ -782,14 +770,22 @@ def _wsgi_test(
     status = Status.success
     check_results: List[Check] = []
     try:
-        run_checks(case, checks, check_results, result, response, context.response_time * 1000, max_response_time)
+        run_checks(
+            case=case,
+            checks=checks,
+            check_results=check_results,
+            result=result,
+            response=response,
+            elapsed_time=context.response_time * 1000,
+            max_response_time=max_response_time,
+        )
     except CheckFailed:
         status = Status.failure
         raise
     finally:
+        feedback.add_test_case(case, response)
         if store_interactions:
             result.store_wsgi_response(case, response, headers, elapsed, status, check_results)
-    feedback.add_test_case(case, response)
     return response
 
 
@@ -833,13 +829,7 @@ def asgi_test(
         headers = headers or {}
 
         if not dry_run:
-            response = _asgi_test(
-                case, checks, targets, result, store_interactions, headers, feedback, max_response_time
-            )
-            add_cases(
-                case,
-                response,
-                _asgi_test,
+            args = (
                 checks,
                 targets,
                 result,
@@ -848,6 +838,8 @@ def asgi_test(
                 feedback,
                 max_response_time,
             )
+            response = _asgi_test(case, *args)
+            add_cases(case, response, _asgi_test, *args)
 
 
 def _asgi_test(
@@ -869,12 +861,20 @@ def _asgi_test(
     status = Status.success
     check_results: List[Check] = []
     try:
-        run_checks(case, checks, check_results, result, response, context.response_time * 1000, max_response_time)
+        run_checks(
+            case=case,
+            checks=checks,
+            check_results=check_results,
+            result=result,
+            response=response,
+            elapsed_time=context.response_time * 1000,
+            max_response_time=max_response_time,
+        )
     except CheckFailed:
         status = Status.failure
         raise
     finally:
+        feedback.add_test_case(case, response)
         if store_interactions:
             result.store_requests_response(case, response, status, check_results)
-    feedback.add_test_case(case, response)
     return response

schemathesis/runner/serialization.py

@@ -4,44 +4,71 @@ They all consist of primitive types and don't have references to schemas, app, e
 """
 import logging
 from dataclasses import dataclass, field
-from typing import Any, Dict, List, Optional, Set, Tuple
+from typing import Any, Dict, List, Optional, Set, Tuple, Union
 
 import requests
+from requests.structures import CaseInsensitiveDict
 
+from ..code_samples import EXCLUDED_HEADERS
 from ..exceptions import FailureContext, InternalError, make_unique_by_key
-from ..models import Case, Check, Interaction, Request, Response, Status, TestResult
-from ..utils import IGNORED_HEADERS, WSGIResponse, format_exception
+from ..models import Case, Check, Interaction, Request, Response, Status, TestResult, serialize_payload
+from ..utils import WSGIResponse, format_exception
 
 
 @dataclass
 class SerializedCase:
-    requests_code: str
-    curl_code: str
-    path_template: str
+    # Case data
+    id: str
     path_parameters: Optional[Dict[str, Any]]
-    query: Optional[Dict[str, Any]]
+    headers: Optional[Dict[str, Any]]
     cookies: Optional[Dict[str, Any]]
-    verbose_name: str
-    data_generation_method: Optional[str]
+    query: Optional[Dict[str, Any]]
+    body: Optional[str]
     media_type: Optional[str]
+    data_generation_method: Optional[str]
+    # Operation data
+    method: str
+    url: str
+    path_template: str
+    verbose_name: str
+    # Transport info
+    verify: bool
+    # Headers coming from sources outside data generation
+    extra_headers: Dict[str, Any]
 
     @classmethod
-    def from_case(cls, case: Case, headers: Optional[Dict[str, Any]]) -> "SerializedCase":
+    def from_case(cls, case: Case, headers: Optional[Dict[str, Any]], verify: bool) -> "SerializedCase":
+        # `headers` include not only explicitly provided headers but also ones added by hooks, custom auth, etc.
+        request_data = case.prepare_code_sample_data(headers)
+        serialized_body = _serialize_body(request_data.body)
         return cls(
-            requests_code=case.get_code_to_reproduce(headers),
-            curl_code=case.as_curl_command(headers),
-            path_template=case.path,
+            id=case.id,
             path_parameters=case.path_parameters,
-            query=case.query,
+            headers=dict(case.headers) if case.headers is not None else None,
             cookies=case.cookies,
-            verbose_name=case.operation.verbose_name,
+            query=case.query,
+            body=serialized_body,
+            media_type=case.media_type,
             data_generation_method=case.data_generation_method.as_short_name()
             if case.data_generation_method is not None
             else None,
-            media_type=case.media_type,
+            method=case.method,
+            url=request_data.url,
+            path_template=case.path,
+            verbose_name=case.operation.verbose_name,
+            verify=verify,
+            extra_headers=request_data.headers,
         )
 
 
+def _serialize_body(body: Optional[Union[str, bytes]]) -> Optional[str]:
+    if body is None:
+        return None
+    if isinstance(body, str):
+        body = body.encode("utf-8")
+    return serialize_payload(body)
+
+
 @dataclass
 class SerializedCheck:
     # Check name
@@ -75,23 +102,14 @@ class SerializedCheck:
             response = Response.from_wsgi(check.response, check.elapsed)
         else:
             response = None
-        headers = {key: value[0] for key, value in request.headers.items() if key not in IGNORED_HEADERS}
-        history = []
-        case = check.example
-        while case.source is not None:
-            if isinstance(case.source.response, requests.Response):
-                history_response = Response.from_requests(case.source.response)
-            else:
-                history_response = Response.from_wsgi(case.source.response, case.source.elapsed)
-            entry = SerializedHistoryEntry(
-                case=SerializedCase.from_case(case.source.case, headers), response=history_response
-            )
-            history.append(entry)
-            case = case.source.case
+        headers = _get_headers(request.headers)
+        history = get_serialized_history(check.example)
         return cls(
             name=check.name,
             value=check.value,
-            example=SerializedCase.from_case(check.example, headers),
+            example=SerializedCase.from_case(
+                check.example, headers, verify=response.verify if response is not None else True
+            ),
             message=check.message,
             request=request,
             response=response,
@@ -100,27 +118,50 @@ class SerializedCheck:
         )
 
 
+def _get_headers(headers: Union[Dict[str, Any], CaseInsensitiveDict]) -> Dict[str, str]:
+    return {key: value[0] for key, value in headers.items() if key not in EXCLUDED_HEADERS}
+
+
 @dataclass
 class SerializedHistoryEntry:
     case: SerializedCase
     response: Response
 
 
+def get_serialized_history(case: Case) -> List[SerializedHistoryEntry]:
+    history = []
+    while case.source is not None:
+        history_request = case.source.response.request
+        headers = _get_headers(history_request.headers)
+        if isinstance(case.source.response, requests.Response):
+            history_response = Response.from_requests(case.source.response)
+            verify = history_response.verify
+        else:
+            history_response = Response.from_wsgi(case.source.response, case.source.elapsed)
+            verify = True
+        entry = SerializedHistoryEntry(
+            case=SerializedCase.from_case(case.source.case, headers, verify=verify), response=history_response
+        )
+        history.append(entry)
+        case = case.source.case
+    return history
+
+
 @dataclass
 class SerializedError:
     exception: str
     exception_with_traceback: str
-    example: Optional[SerializedCase]
     title: Optional[str]
 
     @classmethod
     def from_error(
-        cls, exception: Exception, case: Optional[Case], headers: Optional[Dict[str, Any]], title: Optional[str] = None
+        cls,
+        exception: Exception,
+        title: Optional[str] = None,
     ) -> "SerializedError":
         return cls(
             exception=format_exception(exception),
             exception_with_traceback=format_exception(exception, True),
-            example=SerializedCase.from_case(case, headers) if case else None,
             title=title,
         )
 
@@ -179,7 +220,7 @@ class SerializedTestResult:
             data_generation_method=[m.as_short_name() for m in result.data_generation_method],
             checks=[SerializedCheck.from_check(check) for check in result.checks],
             logs=[formatter.format(record) for record in result.logs],
-            errors=[SerializedError.from_error(*error, headers=result.overridden_headers) for error in result.errors],
+            errors=[SerializedError.from_error(error) for error in result.errors],
             interactions=[SerializedInteraction.from_interaction(interaction) for interaction in result.interactions],
         )
 

schemathesis/sanitization.py

@@ -0,0 +1,248 @@
+import threading
+from collections.abc import MutableMapping, MutableSequence
+from dataclasses import dataclass, replace
+from typing import TYPE_CHECKING, Any, FrozenSet, Optional, Union, cast
+from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
+
+from requests import PreparedRequest
+
+from .utils import NOT_SET
+
+if TYPE_CHECKING:
+    from .models import Case, CaseSource, Request
+    from .runner.serialization import SerializedCase, SerializedCheck, SerializedInteraction
+    from .utils import GenericResponse
+
+# Exact keys to sanitize
+DEFAULT_KEYS_TO_SANITIZE = frozenset(
+    (
+        "phpsessid",
+        "xsrf-token",
+        "_csrf",
+        "_csrf_token",
+        "_session",
+        "_xsrf",
+        "aiohttp_session",
+        "api_key",
+        "api-key",
+        "apikey",
+        "auth",
+        "authorization",
+        "connect.sid",
+        "cookie",
+        "credentials",
+        "csrf",
+        "csrf_token",
+        "csrf-token",
+        "csrftoken",
+        "ip_address",
+        "mysql_pwd",
+        "passwd",
+        "password",
+        "private_key",
+        "private-key",
+        "privatekey",
+        "remote_addr",
+        "remote-addr",
+        "secret",
+        "session",
+        "sessionid",
+        "set_cookie",
+        "set-cookie",
+        "token",
+        "x_api_key",
+        "x-api-key",
+        "x_csrftoken",
+        "x-csrftoken",
+        "x_forwarded_for",
+        "x-forwarded-for",
+        "x_real_ip",
+        "x-real-ip",
+    )
+)
+
+# Markers indicating potentially sensitive keys
+DEFAULT_SENSITIVE_MARKERS = frozenset(
+    (
+        "token",
+        "key",
+        "secret",
+        "password",
+        "auth",
+        "session",
+        "passwd",
+        "credential",
+    )
+)
+
+DEFAULT_REPLACEMENT = "[Filtered]"
+
+
+@dataclass
+class Config:
+    """Configuration class for sanitizing sensitive data.
+
+    :param FrozenSet[str] keys_to_sanitize: The exact keys to sanitize (case-insensitive).
+    :param FrozenSet[str] sensitive_markers: Markers indicating potentially sensitive keys (case-insensitive).
+    :param str replacement: The replacement string for sanitized values.
+    """
+
+    keys_to_sanitize: FrozenSet[str] = DEFAULT_KEYS_TO_SANITIZE
+    sensitive_markers: FrozenSet[str] = DEFAULT_SENSITIVE_MARKERS
+    replacement: str = DEFAULT_REPLACEMENT
+
+    def with_keys_to_sanitize(self, *keys: str) -> "Config":
+        """Create a new configuration with additional keys to sanitize."""
+        new_keys_to_sanitize = self.keys_to_sanitize.union([key.lower() for key in keys])
+        return replace(self, keys_to_sanitize=frozenset(new_keys_to_sanitize))
+
+    def without_keys_to_sanitize(self, *keys: str) -> "Config":
+        """Create a new configuration without certain keys to sanitize."""
+        new_keys_to_sanitize = self.keys_to_sanitize.difference([key.lower() for key in keys])
+        return replace(self, keys_to_sanitize=frozenset(new_keys_to_sanitize))
+
+    def with_sensitive_markers(self, *markers: str) -> "Config":
+        """Create a new configuration with additional sensitive markers."""
+        new_sensitive_markers = self.sensitive_markers.union([key.lower() for key in markers])
+        return replace(self, sensitive_markers=frozenset(new_sensitive_markers))
+
+    def without_sensitive_markers(self, *markers: str) -> "Config":
+        """Create a new configuration without certain sensitive markers."""
+        new_sensitive_markers = self.sensitive_markers.difference([key.lower() for key in markers])
+        return replace(self, sensitive_markers=frozenset(new_sensitive_markers))
+
+
+_thread_local = threading.local()
+
+
+def _get_default_sanitization_config() -> Config:
+    # Initialize the thread-local default sanitization config if not already set
+    if not hasattr(_thread_local, "default_sanitization_config"):
+        _thread_local.default_sanitization_config = Config()
+    return _thread_local.default_sanitization_config
+
+
+def configure(config: Config) -> None:
+    _thread_local.default_sanitization_config = config
+
+
+def sanitize_value(item: Any, *, config: Optional[Config] = None) -> None:
+    """Sanitize sensitive values within a given item.
+
+    This function is recursive and will sanitize sensitive data within nested
+    dictionaries and lists as well.
+    """
+    config = config or _get_default_sanitization_config()
+    if isinstance(item, MutableMapping):
+        for key in list(item.keys()):
+            lower_key = key.lower()
+            if lower_key in config.keys_to_sanitize or any(marker in lower_key for marker in config.sensitive_markers):
+                if isinstance(item[key], list):
+                    item[key] = [config.replacement]
+                else:
+                    item[key] = config.replacement
+        for value in item.values():
+            if isinstance(value, (MutableMapping, MutableSequence)):
+                sanitize_value(value, config=config)
+    elif isinstance(item, MutableSequence):
+        for value in item:
+            if isinstance(value, (MutableMapping, MutableSequence)):
+                sanitize_value(value, config=config)
+
+
+def sanitize_case(case: "Case", *, config: Optional[Config] = None) -> None:
+    """Sanitize sensitive values within a given case."""
+    if case.path_parameters is not None:
+        sanitize_value(case.path_parameters, config=config)
+    if case.headers is not None:
+        sanitize_value(case.headers, config=config)
+    if case.cookies is not None:
+        sanitize_value(case.cookies, config=config)
+    if case.query is not None:
+        sanitize_value(case.query, config=config)
+    if case.body not in (None, NOT_SET):
+        sanitize_value(case.body, config=config)
+    if case.source is not None:
+        sanitize_history(case.source, config=config)
+
+
+def sanitize_history(source: "CaseSource", *, config: Optional[Config] = None) -> None:
+    """Recursively sanitize history of case/response pairs."""
+    current: Optional["CaseSource"] = source
+    while current is not None:
+        sanitize_case(current.case, config=config)
+        sanitize_response(current.response, config=config)
+        current = current.case.source
+
+
+def sanitize_response(response: "GenericResponse", *, config: Optional[Config] = None) -> None:
+    # Sanitize headers
+    sanitize_value(response.headers, config=config)
+
+
+def sanitize_request(request: Union[PreparedRequest, "Request"], *, config: Optional[Config] = None) -> None:
+    if isinstance(request, PreparedRequest) and request.url:
+        request.url = sanitize_url(request.url, config=config)
+    else:
+        request = cast("Request", request)
+        request.uri = sanitize_url(request.uri, config=config)
+    # Sanitize headers
+    sanitize_value(request.headers, config=config)
+
+
+def sanitize_output(
+    case: "Case", response: Optional["GenericResponse"] = None, *, config: Optional[Config] = None
+) -> None:
+    sanitize_case(case, config=config)
+    if response is not None:
+        sanitize_response(response, config=config)
+        sanitize_request(response.request, config=config)
+
+
+def sanitize_url(url: str, *, config: Optional[Config] = None) -> str:
+    """Sanitize sensitive parts of a given URL.
+
+    This function will sanitize the authority and query parameters in the URL.
+    """
+    config = config or _get_default_sanitization_config()
+    parsed = urlsplit(url)
+
+    # Sanitize authority
+    netloc_parts = parsed.netloc.split("@")
+    if len(netloc_parts) > 1:
+        netloc = f"{config.replacement}@{netloc_parts[-1]}"
+    else:
+        netloc = parsed.netloc
+
+    # Sanitize query parameters
+    query = parse_qs(parsed.query, keep_blank_values=True)
+    sanitize_value(query, config=config)
+    sanitized_query = urlencode(query, doseq=True)
+
+    # Reconstruct the URL
+    sanitized_url_parts = parsed._replace(netloc=netloc, query=sanitized_query)
+    return urlunsplit(sanitized_url_parts)
+
+
+def sanitize_serialized_check(check: "SerializedCheck", *, config: Optional[Config] = None) -> None:
+    sanitize_request(check.request, config=config)
+    response = check.response
+    if response:
+        sanitize_value(response.headers, config=config)
+    sanitize_serialized_case(check.example, config=config)
+    for entry in check.history:
+        sanitize_serialized_case(entry.case, config=config)
+        sanitize_value(entry.response.headers, config=config)
+
+
+def sanitize_serialized_case(case: "SerializedCase", *, config: Optional[Config] = None) -> None:
+    for value in (case.path_parameters, case.headers, case.cookies, case.query, case.extra_headers):
+        if value is not None:
+            sanitize_value(value, config=config)
+
+
+def sanitize_serialized_interaction(interaction: "SerializedInteraction", *, config: Optional[Config] = None) -> None:
+    sanitize_request(interaction.request, config=config)
+    sanitize_value(interaction.response.headers, config=config)
+    for check in interaction.checks:
+        sanitize_serialized_check(check, config=config)