schemathesis 3.25.5__py3-none-any.whl → 4.0.0a1__py3-none-any.whl

schemathesis/specs/openapi/checks.py

@@ -1,23 +1,48 @@
 from __future__ import annotations
-from typing import TYPE_CHECKING, Any, Generator, NoReturn
-
-from ... import failures
-from ...exceptions import (
-    get_headers_error,
-    get_malformed_media_type_error,
-    get_missing_content_type_error,
-    get_response_type_error,
-    get_status_code_error,
+
+import enum
+import http.client
+from dataclasses import dataclass
+from http.cookies import SimpleCookie
+from typing import TYPE_CHECKING, Any, Dict, Generator, NoReturn, cast
+from urllib.parse import parse_qs, urlparse
+
+import schemathesis
+from schemathesis.checks import CheckContext
+from schemathesis.core import media_types, string_to_boolean
+from schemathesis.core.failures import Failure
+from schemathesis.core.transport import Response
+from schemathesis.generation.case import Case
+from schemathesis.generation.meta import ComponentKind, CoveragePhaseData
+from schemathesis.openapi.checks import (
+    AcceptedNegativeData,
+    EnsureResourceAvailability,
+    IgnoredAuth,
+    JsonSchemaError,
+    MalformedMediaType,
+    MissingContentType,
+    MissingHeaders,
+    MissingRequiredHeaderConfig,
+    NegativeDataRejectionConfig,
+    PositiveDataAcceptanceConfig,
+    RejectedPositiveData,
+    UndefinedContentType,
+    UndefinedStatusCode,
+    UseAfterFree,
 )
-from ...transports.content_types import parse_content_type
-from .utils import expand_status_code
+from schemathesis.specs.openapi.constants import LOCATION_TO_CONTAINER
+from schemathesis.transport.prepare import prepare_path
+
+from .utils import expand_status_code, expand_status_codes
 
 if TYPE_CHECKING:
-    from ...transports.responses import GenericResponse
-    from ...models import Case
+    from requests import PreparedRequest
+
+    from ...schemas import APIOperation
 
 
-def status_code_conformance(response: GenericResponse, case: Case) -> bool | None:
+@schemathesis.check
+def status_code_conformance(ctx: CheckContext, response: Response, case: Case) -> bool | None:
     from .schemas import BaseOpenAPISchema
 
     if not isinstance(case.operation.schema, BaseOpenAPISchema):
@@ -30,15 +55,12 @@ def status_code_conformance(response: GenericResponse, case: Case) -> bool | Non
     if response.status_code not in allowed_status_codes:
         defined_status_codes = list(map(str, responses))
         responses_list = ", ".join(defined_status_codes)
-        exc_class = get_status_code_error(response.status_code)
-        raise exc_class(
-            failures.UndefinedStatusCode.title,
-            context=failures.UndefinedStatusCode(
-                message=f"Received: {response.status_code}\nDocumented: {responses_list}",
-                status_code=response.status_code,
-                defined_status_codes=defined_status_codes,
-                allowed_status_codes=allowed_status_codes,
-            ),
+        raise UndefinedStatusCode(
+            operation=case.operation.label,
+            status_code=response.status_code,
+            defined_status_codes=defined_status_codes,
+            allowed_status_codes=allowed_status_codes,
+            message=f"Received: {response.status_code}\nDocumented: {responses_list}",
         )
     return None  # explicitly return None for mypy
 
@@ -48,7 +70,8 @@ def _expand_responses(responses: dict[str | int, Any]) -> Generator[int, None, N
         yield from expand_status_code(code)
 
 
-def content_type_conformance(response: GenericResponse, case: Case) -> bool | None:
+@schemathesis.check
+def content_type_conformance(ctx: CheckContext, response: Response, case: Case) -> bool | None:
     from .schemas import BaseOpenAPISchema
 
     if not isinstance(case.operation.schema, BaseOpenAPISchema):
@@ -56,74 +79,549 @@ def content_type_conformance(response: GenericResponse, case: Case) -> bool | No
     documented_content_types = case.operation.schema.get_content_types(case.operation, response)
     if not documented_content_types:
         return None
-    content_type = response.headers.get("Content-Type")
-    if not content_type:
-        formatted_content_types = [f"\n- `{content_type}`" for content_type in documented_content_types]
-        raise get_missing_content_type_error()(
-            failures.MissingContentType.title,
-            context=failures.MissingContentType(
-                message=f"The following media types are documented in the schema:{''.join(formatted_content_types)}",
-                media_types=documented_content_types,
-            ),
+    content_types = response.headers.get("content-type")
+    if not content_types:
+        all_media_types = [f"\n- `{content_type}`" for content_type in documented_content_types]
+        raise MissingContentType(
+            operation=case.operation.label,
+            message=f"The following media types are documented in the schema:{''.join(all_media_types)}",
+            media_types=documented_content_types,
         )
+    content_type = content_types[0]
     for option in documented_content_types:
         try:
-            expected_main, expected_sub = parse_content_type(option)
-        except ValueError as exc:
-            _reraise_malformed_media_type(exc, "Schema", option, option)
+            expected_main, expected_sub = media_types.parse(option)
+        except ValueError:
+            _reraise_malformed_media_type(case, "Schema", option, option)
         try:
-            received_main, received_sub = parse_content_type(content_type)
-        except ValueError as exc:
-            _reraise_malformed_media_type(exc, "Response", content_type, option)
-        if (expected_main, expected_sub) == (received_main, received_sub):
+            received_main, received_sub = media_types.parse(content_type)
+        except ValueError:
+            _reraise_malformed_media_type(case, "Response", content_type, option)
+        if (
+            (expected_main == "*" and expected_sub == "*")
+            or (expected_main == received_main and expected_sub == "*")
+            or (expected_main == "*" and expected_sub == received_sub)
+            or (expected_main == received_main and expected_sub == received_sub)
+        ):
             return None
-    exc_class = get_response_type_error(f"{expected_main}_{expected_sub}", f"{received_main}_{received_sub}")
-    raise exc_class(
-        failures.UndefinedContentType.title,
-        context=failures.UndefinedContentType(
-            message=f"Received: {content_type}\nDocumented: {', '.join(documented_content_types)}",
-            content_type=content_type,
-            defined_content_types=documented_content_types,
-        ),
+    raise UndefinedContentType(
+        operation=case.operation.label,
+        message=f"Received: {content_type}\nDocumented: {', '.join(documented_content_types)}",
+        content_type=content_type,
+        defined_content_types=documented_content_types,
     )
 
 
-def _reraise_malformed_media_type(exc: ValueError, location: str, actual: str, defined: str) -> NoReturn:
-    message = f"Media type for {location} is incorrect\n\nReceived: {actual}\nDocumented: {defined}"
-    raise get_malformed_media_type_error(message)(
-        failures.MalformedMediaType.title,
-        context=failures.MalformedMediaType(message=message, actual=actual, defined=defined),
-    ) from exc
+def _reraise_malformed_media_type(case: Case, location: str, actual: str, defined: str) -> NoReturn:
+    raise MalformedMediaType(
+        operation=case.operation.label,
+        message=f"Media type for {location} is incorrect\n\nReceived: {actual}\nDocumented: {defined}",
+        actual=actual,
+        defined=defined,
+    )
+
 
+@schemathesis.check
+def response_headers_conformance(ctx: CheckContext, response: Response, case: Case) -> bool | None:
+    import jsonschema
 
-def response_headers_conformance(response: GenericResponse, case: Case) -> bool | None:
-    from .schemas import BaseOpenAPISchema
+    from .parameters import OpenAPI20Parameter, OpenAPI30Parameter
+    from .schemas import BaseOpenAPISchema, OpenApi30, _maybe_raise_one_or_more
 
     if not isinstance(case.operation.schema, BaseOpenAPISchema):
         return True
-    defined_headers = case.operation.schema.get_headers(case.operation, response)
+    resolved = case.operation.schema.get_headers(case.operation, response)
+    if not resolved:
+        return None
+    scopes, defined_headers = resolved
     if not defined_headers:
         return None
 
     missing_headers = [
         header
         for header, definition in defined_headers.items()
-        if header not in response.headers and definition.get(case.operation.schema.header_required_field, False)
+        if header.lower() not in response.headers and definition.get(case.operation.schema.header_required_field, False)
     ]
-    if not missing_headers:
+    errors: list[Failure] = []
+    if missing_headers:
+        formatted_headers = [f"\n- `{header}`" for header in missing_headers]
+        message = f"The following required headers are missing from the response:{''.join(formatted_headers)}"
+        errors.append(MissingHeaders(operation=case.operation.label, message=message, missing_headers=missing_headers))
+    for name, definition in defined_headers.items():
+        values = response.headers.get(name.lower())
+        if values is not None:
+            value = values[0]
+            with case.operation.schema._validating_response(scopes) as resolver:
+                if "$ref" in definition:
+                    _, definition = resolver.resolve(definition["$ref"])
+                parameter_definition = {"in": "header", **definition}
+                parameter: OpenAPI20Parameter | OpenAPI30Parameter
+                if isinstance(case.operation.schema, OpenApi30):
+                    parameter = OpenAPI30Parameter(parameter_definition)
+                else:
+                    parameter = OpenAPI20Parameter(parameter_definition)
+                schema = parameter.as_json_schema(case.operation)
+                coerced = _coerce_header_value(value, schema)
+                try:
+                    jsonschema.validate(
+                        coerced,
+                        schema,
+                        cls=case.operation.schema.validator_cls,
+                        resolver=resolver,
+                        format_checker=jsonschema.Draft202012Validator.FORMAT_CHECKER,
+                    )
+                except jsonschema.ValidationError as exc:
+                    errors.append(
+                        JsonSchemaError.from_exception(
+                            title="Response header does not conform to the schema",
+                            operation=case.operation.label,
+                            exc=exc,
+                            output_config=case.operation.schema.output_config,
+                        )
+                    )
+    return _maybe_raise_one_or_more(errors)  # type: ignore[func-returns-value]
+
+
+def _coerce_header_value(value: str, schema: dict[str, Any]) -> str | int | float | None | bool:
+    schema_type = schema.get("type")
+
+    if schema_type == "string":
+        return value
+    if schema_type == "integer":
+        try:
+            return int(value)
+        except ValueError:
+            return value
+    if schema_type == "number":
+        try:
+            return float(value)
+        except ValueError:
+            return value
+    if schema_type == "null" and value.lower() == "null":
         return None
-    formatted_headers = [f"\n- `{header}`" for header in missing_headers]
-    message = f"The following required headers are missing from the response:{''.join(formatted_headers)}"
-    exc_class = get_headers_error(message)
-    raise exc_class(
-        failures.MissingHeaders.title,
-        context=failures.MissingHeaders(message=message, missing_headers=missing_headers),
-    )
+    if schema_type == "boolean":
+        return string_to_boolean(value)
+    return value
 
 
-def response_schema_conformance(response: GenericResponse, case: Case) -> bool | None:
+@schemathesis.check
+def response_schema_conformance(ctx: CheckContext, response: Response, case: Case) -> bool | None:
     from .schemas import BaseOpenAPISchema
 
     if not isinstance(case.operation.schema, BaseOpenAPISchema):
         return True
     return case.operation.validate_response(response)
+
+
+@schemathesis.check
+def negative_data_rejection(ctx: CheckContext, response: Response, case: Case) -> bool | None:
+    from .schemas import BaseOpenAPISchema
+
+    if not isinstance(case.operation.schema, BaseOpenAPISchema) or case.meta is None:
+        return True
+
+    config = ctx.config.get(negative_data_rejection, NegativeDataRejectionConfig())
+    allowed_statuses = expand_status_codes(config.allowed_statuses or [])
+
+    if (
+        case.meta.generation.mode.is_negative
+        and response.status_code not in allowed_statuses
+        and not has_only_additional_properties_in_non_body_parameters(case)
+    ):
+        raise AcceptedNegativeData(
+            operation=case.operation.label,
+            message=f"Allowed statuses: {', '.join(config.allowed_statuses)}",
+            status_code=response.status_code,
+            allowed_statuses=config.allowed_statuses,
+        )
+    return None
+
+
+@schemathesis.check
+def positive_data_acceptance(ctx: CheckContext, response: Response, case: Case) -> bool | None:
+    from .schemas import BaseOpenAPISchema
+
+    if not isinstance(case.operation.schema, BaseOpenAPISchema) or case.meta is None:
+        return True
+
+    config = ctx.config.get(positive_data_acceptance, PositiveDataAcceptanceConfig())
+    allowed_statuses = expand_status_codes(config.allowed_statuses or [])
+
+    if case.meta.generation.mode.is_positive and response.status_code not in allowed_statuses:
+        raise RejectedPositiveData(
+            operation=case.operation.label,
+            message=f"Allowed statuses: {', '.join(config.allowed_statuses)}",
+            status_code=response.status_code,
+            allowed_statuses=config.allowed_statuses,
+        )
+    return None
+
+
+def missing_required_header(ctx: CheckContext, response: Response, case: Case) -> bool | None:
+    # NOTE: This check is intentionally not registered with `@schemathesis.check` because it is experimental
+    meta = case.meta
+    if meta is None or not isinstance(meta.phase.data, CoveragePhaseData):
+        return None
+    data = meta.phase.data
+    if (
+        data.parameter
+        and data.parameter_location == "header"
+        and data.description
+        and data.description.startswith("Missing ")
+    ):
+        if data.parameter.lower() == "authorization":
+            allowed_statuses = {401}
+        else:
+            config = ctx.config.get(missing_required_header, MissingRequiredHeaderConfig())
+            allowed_statuses = expand_status_codes(config.allowed_statuses or [])
+        if response.status_code not in allowed_statuses:
+            allowed = f"Allowed statuses: {', '.join(map(str, allowed_statuses))}"
+            raise AssertionError(f"Unexpected response status for a missing header: {response.status_code}\n{allowed}")
+    return None
+
+
+def unsupported_method(ctx: CheckContext, response: Response, case: Case) -> bool | None:
+    meta = case.meta
+    if meta is None or not isinstance(meta.phase.data, CoveragePhaseData):
+        return None
+    data = meta.phase.data
+    if data.description and data.description.startswith("Unspecified HTTP method:"):
+        if response.status_code != 405:
+            raise AssertionError(
+                f"Unexpected response status for unspecified HTTP method: {response.status_code}\nExpected: 405"
+            )
+
+        allow_header = response.headers.get("allow")
+        if not allow_header:
+            raise AssertionError("Missing 'Allow' header in 405 Method Not Allowed response")
+    return None
+
+
+def has_only_additional_properties_in_non_body_parameters(case: Case) -> bool:
+    # Check if the case contains only additional properties in query, headers, or cookies.
+    # This function is used to determine if negation is solely in the form of extra properties,
+    # which are often ignored for backward-compatibility by the tested apps
+    from ._hypothesis import get_schema_for_location
+
+    meta = case.meta
+    if meta is None:
+        # Ignore manually created cases
+        return False
+    if (ComponentKind.BODY in meta.components and meta.components[ComponentKind.BODY].mode.is_negative) or (
+        ComponentKind.PATH_PARAMETERS in meta.components
+        and meta.components[ComponentKind.PATH_PARAMETERS].mode.is_negative
+    ):
+        # Body or path negations always imply other negations
+        return False
+    validator_cls = case.operation.schema.validator_cls  # type: ignore[attr-defined]
+    for container in (ComponentKind.QUERY, ComponentKind.HEADERS, ComponentKind.COOKIES):
+        meta_for_location = meta.components.get(container)
+        value = getattr(case, container.value)
+        if value is not None and meta_for_location is not None and meta_for_location.mode.is_negative:
+            parameters = getattr(case.operation, container)
+            value_without_additional_properties = {k: v for k, v in value.items() if k in parameters}
+            schema = get_schema_for_location(case.operation, container, parameters)
+            if not validator_cls(schema).is_valid(value_without_additional_properties):
+                # Other types of negation found
+                return False
+    # Only additional properties are added
+    return True
+
+
+@schemathesis.check
+def use_after_free(ctx: CheckContext, response: Response, case: Case) -> bool | None:
+    from .schemas import BaseOpenAPISchema
+
+    if not isinstance(case.operation.schema, BaseOpenAPISchema):
+        return True
+    if response.status_code == 404 or response.status_code >= 500:
+        return None
+
+    for related_case in ctx.find_related(case_id=case.id):
+        parent = ctx.find_parent(case_id=related_case.id)
+        if not parent:
+            continue
+
+        parent_response = ctx.find_response(case_id=parent.id)
+
+        if (
+            related_case.operation.method.lower() == "delete"
+            and parent_response is not None
+            and 200 <= parent_response.status_code < 300
+        ):
+            if _is_prefix_operation(
+                ResourcePath(related_case.path, related_case.path_parameters or {}),
+                ResourcePath(case.path, case.path_parameters or {}),
+            ):
+                free = f"{related_case.operation.method.upper()} {prepare_path(related_case.path, related_case.path_parameters)}"
+                usage = f"{case.operation.method.upper()} {prepare_path(case.path, case.path_parameters)}"
+                reason = http.client.responses.get(response.status_code, "Unknown")
+                raise UseAfterFree(
+                    operation=related_case.operation.label,
+                    message=(
+                        "The API did not return a `HTTP 404 Not Found` response "
+                        f"(got `HTTP {response.status_code} {reason}`) for a resource that was previously deleted.\n\nThe resource was deleted with `{free}`"
+                    ),
+                    free=free,
+                    usage=usage,
+                )
+
+    return None
+
+
+@schemathesis.check
+def ensure_resource_availability(ctx: CheckContext, response: Response, case: Case) -> bool | None:
+    from .schemas import BaseOpenAPISchema
+
+    if not isinstance(case.operation.schema, BaseOpenAPISchema):
+        return True
+
+    parent = ctx.find_parent(case_id=case.id)
+    if parent is None:
+        return None
+    parent_response = ctx.find_response(case_id=parent.id)
+    if parent_response is None:
+        return None
+
+    overrides = case._override
+    overrides_all_parameters = True
+    for parameter in case.operation.iter_parameters():
+        container = LOCATION_TO_CONTAINER[parameter.location]
+        if parameter.name not in getattr(overrides, container, {}):
+            overrides_all_parameters = False
+            break
+
+    if (
+        # Response indicates a client error, even though all available parameters were taken from links
+        # and comes from a POST request. This case likely means that the POST request actually did not
+        # save the resource and it is not available for subsequent operations
+        400 <= response.status_code < 500
+        and parent.operation.method.upper() == "POST"
+        and 200 <= parent_response.status_code < 400
+        and overrides_all_parameters
+        and _is_prefix_operation(
+            ResourcePath(parent.path, parent.path_parameters or {}),
+            ResourcePath(case.path, case.path_parameters or {}),
+        )
+    ):
+        created_with = parent.operation.label
+        not_available_with = case.operation.label
+        reason = http.client.responses.get(response.status_code, "Unknown")
+        raise EnsureResourceAvailability(
+            operation=created_with,
+            message=(
+                f"The API returned `{response.status_code} {reason}` for a resource that was just created.\n\n"
+                f"Created with      : `{created_with}`\n"
+                f"Not available with: `{not_available_with}`"
+            ),
+            created_with=created_with,
+            not_available_with=not_available_with,
+        )
+    return None
+
+
+class AuthKind(enum.Enum):
+    EXPLICIT = "explicit"
+    GENERATED = "generated"
+
+
+@schemathesis.check
+def ignored_auth(ctx: CheckContext, response: Response, case: Case) -> bool | None:
+    """Check if an operation declares authentication as a requirement but does not actually enforce it."""
+    from .schemas import BaseOpenAPISchema
+
+    if not isinstance(case.operation.schema, BaseOpenAPISchema):
+        return True
+    security_parameters = _get_security_parameters(case.operation)
+    # Authentication is required for this API operation and response is successful
+    if security_parameters and 200 <= response.status_code < 300:
+        auth = _contains_auth(ctx, case, response.request, security_parameters)
+        if auth == AuthKind.EXPLICIT:
+            # Auth is explicitly set, it is expected to be valid
+            # Check if invalid auth will give an error
+            no_auth_case = remove_auth(case, security_parameters)
+            kwargs = ctx.transport_kwargs or {}
+            kwargs.copy()
+            if "headers" in kwargs:
+                headers = kwargs["headers"].copy()
+                _remove_auth_from_explicit_headers(headers, security_parameters)
+                kwargs["headers"] = headers
+            kwargs.pop("session", None)
+            ctx.record_case(parent_id=case.id, case=no_auth_case)
+            no_auth_response = case.operation.schema.transport.send(no_auth_case, **kwargs)
+            ctx.record_response(case_id=no_auth_case.id, response=no_auth_response)
+            if no_auth_response.status_code != 401:
+                _raise_no_auth_error(no_auth_response, no_auth_case, "that requires authentication")
+            # Try to set invalid auth and check if it succeeds
+            for parameter in security_parameters:
+                invalid_auth_case = remove_auth(case, security_parameters)
+                _set_auth_for_case(invalid_auth_case, parameter)
+                ctx.record_case(parent_id=case.id, case=invalid_auth_case)
+                invalid_auth_response = case.operation.schema.transport.send(invalid_auth_case, **kwargs)
+                ctx.record_response(case_id=invalid_auth_case.id, response=invalid_auth_response)
+                if invalid_auth_response.status_code != 401:
+                    _raise_no_auth_error(invalid_auth_response, invalid_auth_case, "with any auth")
+        elif auth == AuthKind.GENERATED:
+            # If this auth is generated which means it is likely invalid, then
+            # this request should have been an error
+            _raise_no_auth_error(response, case, "with invalid auth")
+        else:
+            # Successful response when there is no auth
+            _raise_no_auth_error(response, case, "that requires authentication")
+    return None
+
+
+def _raise_no_auth_error(response: Response, case: Case, suffix: str) -> NoReturn:
+    reason = http.client.responses.get(response.status_code, "Unknown")
+    raise IgnoredAuth(
+        operation=case.operation.label,
+        message=f"The API returned `{response.status_code} {reason}` for `{case.operation.label}` {suffix}.",
+        case_id=case.id,
+    )
+
+
+SecurityParameter = Dict[str, Any]
+
+
+def _get_security_parameters(operation: APIOperation) -> list[SecurityParameter]:
+    """Extract security definitions that are active for the given operation and convert them into parameters."""
+    from .schemas import BaseOpenAPISchema
+
+    schema = cast(BaseOpenAPISchema, operation.schema)
+    return [
+        schema.security._to_parameter(parameter)
+        for parameter in schema.security._get_active_definitions(schema.raw_schema, operation, schema.resolver)
+        if parameter["type"] in ("apiKey", "basic", "http")
+    ]
+
+
+def _contains_auth(
+    ctx: CheckContext, case: Case, request: PreparedRequest, security_parameters: list[SecurityParameter]
+) -> AuthKind | None:
+    """Whether a request has authentication declared in the schema."""
+    from requests.cookies import RequestsCookieJar
+
+    # If auth comes from explicit `auth` option or a custom auth, it is always explicit
+    if ctx.auth is not None or case._has_explicit_auth:
+        return AuthKind.EXPLICIT
+    parsed = urlparse(request.url)
+    query = parse_qs(parsed.query)  # type: ignore
+    # Load the `Cookie` header separately, because it is possible that `request._cookies` and the header are out of sync
+    header_cookies: SimpleCookie = SimpleCookie()
+    raw_cookie = request.headers.get("Cookie")
+    if raw_cookie is not None:
+        header_cookies.load(raw_cookie)
+
+    def has_header(p: dict[str, Any]) -> bool:
+        return p["in"] == "header" and p["name"] in request.headers
+
+    def has_query(p: dict[str, Any]) -> bool:
+        return p["in"] == "query" and p["name"] in query
+
+    def has_cookie(p: dict[str, Any]) -> bool:
+        cookies = cast(RequestsCookieJar, request._cookies)  # type: ignore
+        return p["in"] == "cookie" and (p["name"] in cookies or p["name"] in header_cookies)
+
+    for parameter in security_parameters:
+        name = parameter["name"]
+        if has_header(parameter):
+            if (ctx.headers is not None and name in ctx.headers) or (ctx.override and name in ctx.override.headers):
+                return AuthKind.EXPLICIT
+            return AuthKind.GENERATED
+        if has_cookie(parameter):
+            if ctx.headers is not None and "Cookie" in ctx.headers:
+                cookies = cast(RequestsCookieJar, ctx.headers["Cookie"])  # type: ignore
+                if name in cookies:
+                    return AuthKind.EXPLICIT
+            if ctx.override and name in ctx.override.cookies:
+                return AuthKind.EXPLICIT
+            return AuthKind.GENERATED
+        if has_query(parameter):
+            if ctx.override and name in ctx.override.query:
+                return AuthKind.EXPLICIT
+            return AuthKind.GENERATED
+
+    return None
+
+
+def remove_auth(case: Case, security_parameters: list[SecurityParameter]) -> Case:
+    """Remove security parameters from a generated case.
+
+    It mutates `case` in place.
+    """
+    headers = case.headers.copy() if case.headers else None
+    query = case.query.copy() if case.query else None
+    cookies = case.cookies.copy() if case.cookies else None
+    for parameter in security_parameters:
+        name = parameter["name"]
+        if parameter["in"] == "header" and headers:
+            headers.pop(name, None)
+        if parameter["in"] == "query" and query:
+            query.pop(name, None)
+        if parameter["in"] == "cookie" and cookies:
+            cookies.pop(name, None)
+    return Case(
+        operation=case.operation,
+        method=case.method,
+        path=case.path,
+        path_parameters=case.path_parameters.copy() if case.path_parameters else None,
+        headers=headers,
+        cookies=cookies,
+        query=query,
+        body=case.body.copy() if isinstance(case.body, (list, dict)) else case.body,
+        media_type=case.media_type,
+        meta=case.meta,
+    )
+
+
+def _remove_auth_from_explicit_headers(headers: dict, security_parameters: list[SecurityParameter]) -> None:
+    for parameter in security_parameters:
+        name = parameter["name"]
+        if parameter["in"] == "header":
+            headers.pop(name, None)
+
+
+def _set_auth_for_case(case: Case, parameter: SecurityParameter) -> None:
+    name = parameter["name"]
+    for location, attr_name in (
+        ("header", "headers"),
+        ("query", "query"),
+        ("cookie", "cookies"),
+    ):
+        if parameter["in"] == location:
+            container = getattr(case, attr_name, {})
+            container[name] = "SCHEMATHESIS-INVALID-VALUE"
+            setattr(case, attr_name, container)
+
+
+@dataclass
+class ResourcePath:
+    """A path to a resource with variables."""
+
+    value: str
+    variables: dict[str, str]
+
+    __slots__ = ("value", "variables")
+
+    def get(self, key: str) -> str:
+        return self.variables[key.lstrip("{").rstrip("}")]
+
+
+def _is_prefix_operation(lhs: ResourcePath, rhs: ResourcePath) -> bool:
+    lhs_parts = lhs.value.rstrip("/").split("/")
+    rhs_parts = rhs.value.rstrip("/").split("/")
+
+    # Left has more parts, can't be a prefix
+    if len(lhs_parts) > len(rhs_parts):
+        return False
+
+    for left, right in zip(lhs_parts, rhs_parts):
+        if left.startswith("{") and right.startswith("{"):
+            if str(lhs.get(left)) != str(rhs.get(right)):
+                return False
+        elif left != right and left.rstrip("s") != right.rstrip("s"):
+            # Parts don't match, not a prefix
+            return False
+
+    # If we've reached this point, the LHS path is a prefix of the RHS path
+    return True