schemathesis 3.33.3__py3-none-any.whl → 3.34.0__py3-none-any.whl

schemathesis/schemas.py

@@ -37,14 +37,21 @@ from .auths import AuthStorage
 from .code_samples import CodeSampleStyle
 from .constants import NOT_SET
 from .exceptions import OperationSchemaError, UsageError
-from .filters import FilterSet, FilterValue, MatcherFunc, RegexValue, filter_set_from_components, is_deprecated
+from .filters import (
+    FilterSet,
+    FilterValue,
+    MatcherFunc,
+    RegexValue,
+    filter_set_from_components,
+    is_deprecated,
+)
 from .generation import (
     DEFAULT_DATA_GENERATION_METHODS,
     DataGenerationMethod,
     DataGenerationMethodInput,
     GenerationConfig,
 )
-from .hooks import HookContext, HookDispatcher, HookScope, dispatch
+from .hooks import HookContext, HookDispatcher, HookScope, dispatch, to_filterable_hook
 from .internal.deprecation import warn_filtration_arguments
 from .internal.output import OutputConfig
 from .internal.result import Ok, Result
@@ -98,6 +105,9 @@ class BaseSchema(Mapping):
     rate_limiter: Limiter | None = None
     sanitize_output: bool = True
 
+    def __post_init__(self) -> None:
+        self.hook = to_filterable_hook(self.hooks)  # type: ignore[method-assign]
+
     def include(
         self,
         func: MatcherFunc | None = None,

schemathesis/service/serialization.py

@@ -104,6 +104,7 @@ def serialize_after_stateful_execution(event: events.AfterStatefulExecution) ->
         "status": event.status,
         "data_generation_method": event.data_generation_method,
         "result": asdict(event.result),
+        "elapsed_time": event.elapsed_time,
     }
 
 

schemathesis/specs/graphql/schemas.py

@@ -297,6 +297,9 @@ class GraphQLSchema(BaseSchema):
     def get_tags(self, operation: APIOperation) -> list[str] | None:
         return None
 
+    def validate(self) -> None:
+        return None
+
 
 @dataclass
 class FieldMap(Mapping):
@@ -367,6 +370,7 @@ def get_case_strategy(
         custom_scalars=custom_scalars,
         print_ast=_noop,  # type: ignore
         allow_x00=generation_config.allow_x00,
+        allow_null=generation_config.graphql_allow_null,
         codec=generation_config.codec,
     )
     strategy = apply_to_all_dispatchers(operation, hook_context, hooks, strategy, "body").map(graphql.print_ast)

schemathesis/specs/openapi/checks.py

@@ -1,23 +1,31 @@
 from __future__ import annotations
 
 from dataclasses import dataclass
-from typing import TYPE_CHECKING, Any, Generator, NoReturn
+from http.cookies import SimpleCookie
+from typing import TYPE_CHECKING, Any, Dict, Generator, NoReturn, cast
+from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
 
 from ... import failures
 from ...exceptions import (
+    get_ensure_resource_availability_error,
     get_headers_error,
+    get_ignored_auth_error,
     get_malformed_media_type_error,
     get_missing_content_type_error,
     get_negative_rejection_error,
     get_response_type_error,
+    get_schema_validation_error,
     get_status_code_error,
     get_use_after_free_error,
 )
+from ...internal.transformation import convert_boolean_string
 from ...transports.content_types import parse_content_type
 from .utils import expand_status_code
 
 if TYPE_CHECKING:
-    from ...models import Case
+    from requests import PreparedRequest
+
+    from ...models import APIOperation, Case
     from ...transports.responses import GenericResponse
 
 
@@ -108,11 +116,17 @@ def _reraise_malformed_media_type(case: Case, exc: ValueError, location: str, ac
 
 
 def response_headers_conformance(response: GenericResponse, case: Case) -> bool | None:
-    from .schemas import BaseOpenAPISchema
+    import jsonschema
+
+    from .parameters import OpenAPI20Parameter, OpenAPI30Parameter
+    from .schemas import BaseOpenAPISchema, OpenApi30, _maybe_raise_one_or_more
 
     if not isinstance(case.operation.schema, BaseOpenAPISchema):
         return True
-    defined_headers = case.operation.schema.get_headers(case.operation, response)
+    resolved = case.operation.schema.get_headers(case.operation, response)
+    if not resolved:
+        return None
+    scopes, defined_headers = resolved
     if not defined_headers:
         return None
 
@@ -121,15 +135,70 @@ def response_headers_conformance(response: GenericResponse, case: Case) -> bool
         for header, definition in defined_headers.items()
         if header not in response.headers and definition.get(case.operation.schema.header_required_field, False)
     ]
-    if not missing_headers:
+    errors = []
+    if missing_headers:
+        formatted_headers = [f"\n- `{header}`" for header in missing_headers]
+        message = f"The following required headers are missing from the response:{''.join(formatted_headers)}"
+        exc_class = get_headers_error(case.operation.verbose_name, message)
+        try:
+            raise exc_class(
+                failures.MissingHeaders.title,
+                context=failures.MissingHeaders(message=message, missing_headers=missing_headers),
+            )
+        except Exception as exc:
+            errors.append(exc)
+    for name, definition in defined_headers.items():
+        value = response.headers.get(name)
+        if value is not None:
+            parameter_definition = {"in": "header", **definition}
+            parameter: OpenAPI20Parameter | OpenAPI30Parameter
+            if isinstance(case.operation.schema, OpenApi30):
+                parameter = OpenAPI30Parameter(parameter_definition)
+            else:
+                parameter = OpenAPI20Parameter(parameter_definition)
+            schema = parameter.as_json_schema(case.operation)
+            coerced = _coerce_header_value(value, schema)
+            with case.operation.schema._validating_response(scopes) as resolver:
+                try:
+                    jsonschema.validate(
+                        coerced,
+                        schema,
+                        cls=case.operation.schema.validator_cls,
+                        resolver=resolver,
+                        format_checker=jsonschema.Draft202012Validator.FORMAT_CHECKER,
+                    )
+                except jsonschema.ValidationError as exc:
+                    exc_class = get_schema_validation_error(case.operation.verbose_name, exc)
+                    ctx = failures.ValidationErrorContext.from_exception(
+                        exc, output_config=case.operation.schema.output_config
+                    )
+                    try:
+                        raise exc_class("Response header does not conform to the schema", context=ctx) from exc
+                    except Exception as exc:
+                        errors.append(exc)
+    return _maybe_raise_one_or_more(errors)  # type: ignore[func-returns-value]
+
+
+def _coerce_header_value(value: str, schema: dict[str, Any]) -> str | int | float | None | bool:
+    schema_type = schema.get("type")
+
+    if schema_type == "string":
+        return value
+    if schema_type == "integer":
+        try:
+            return int(value)
+        except ValueError:
+            return value
+    if schema_type == "number":
+        try:
+            return float(value)
+        except ValueError:
+            return value
+    if schema_type == "null" and value.lower() == "null":
         return None
-    formatted_headers = [f"\n- `{header}`" for header in missing_headers]
-    message = f"The following required headers are missing from the response:{''.join(formatted_headers)}"
-    exc_class = get_headers_error(case.operation.verbose_name, message)
-    raise exc_class(
-        failures.MissingHeaders.title,
-        context=failures.MissingHeaders(message=message, missing_headers=missing_headers),
-    )
+    if schema_type == "boolean":
+        return convert_boolean_string(value)
+    return value
 
 
 def response_schema_conformance(response: GenericResponse, case: Case) -> bool | None:
@@ -227,6 +296,174 @@ def use_after_free(response: GenericResponse, original: Case) -> bool | None:
     return None
 
 
+def ensure_resource_availability(response: GenericResponse, original: Case) -> bool | None:
+    from ...transports.responses import get_reason
+    from .schemas import BaseOpenAPISchema
+
+    if not isinstance(original.operation.schema, BaseOpenAPISchema):
+        return True
+    if (
+        # Response indicates a client error, even though all available parameters were taken from links
+        # and comes from a POST request. This case likely means that the POST request actually did not
+        # save the resource and it is not available for subsequent operations
+        400 <= response.status_code < 500
+        and original.source
+        and original.source.case.operation.method.upper() == "POST"
+        and 200 <= original.source.response.status_code < 400
+        and original.source.overrides_all_parameters
+    ):
+        created_with = original.source.case.operation.verbose_name
+        not_available_with = original.operation.verbose_name
+        exc_class = get_ensure_resource_availability_error(created_with)
+        reason = get_reason(response.status_code)
+        message = (
+            f"The API returned `{response.status_code} {reason}` for a resource that was just created.\n\n"
+            f"Created with      : `{created_with}`\n"
+            f"Not available with: `{not_available_with}`"
+        )
+        raise exc_class(
+            failures.EnsureResourceAvailability.title,
+            context=failures.EnsureResourceAvailability(
+                message=message, created_with=created_with, not_available_with=not_available_with
+            ),
+        )
+    return None
+
+
+def ignored_auth(response: GenericResponse, case: Case) -> bool | None:
+    """Check if an operation declares authentication as a requirement but does not actually enforce it."""
+    from requests import Session
+
+    from .schemas import BaseOpenAPISchema
+
+    if not isinstance(case.operation.schema, BaseOpenAPISchema):
+        return True
+    security_parameters = _get_security_parameters(case.operation)
+    # Authentication is required for this API operation and response is successful
+    # Will it still be successful if there is no auth?
+    if security_parameters and 200 <= response.status_code < 300:
+        if _contains_auth(response.request, security_parameters):
+            # If there is auth in the request, then drop it and retry the call
+            request = _remove_auth_from_request(response.request, security_parameters)
+            response.request = request
+            new_response = Session().send(request)
+            if new_response.ok:
+                # Mutate the response object in place on the best effort basis
+                for attribute in new_response.__attrs__:
+                    setattr(response, attribute, getattr(new_response, attribute))
+                _remove_auth_from_case(case, security_parameters)
+                _raise_auth_error(new_response, case.operation.verbose_name)
+        else:
+            # Successful response when there is no auth
+            _raise_auth_error(response, case.operation.verbose_name)
+    return None
+
+
+def _raise_auth_error(response: GenericResponse, operation: str) -> NoReturn:
+    from ...transports.responses import get_reason
+
+    exc_class = get_ignored_auth_error(operation)
+    reason = get_reason(response.status_code)
+    message = f"The API returned `{response.status_code} {reason}` for `{operation}` that requires authentication."
+    raise exc_class(
+        failures.IgnoredAuth.title,
+        context=failures.IgnoredAuth(message=message),
+    )
+
+
+SecurityParameter = Dict[str, Any]
+
+
+def _get_security_parameters(operation: APIOperation) -> list[SecurityParameter]:
+    """Extract security definitions that are active for the given operation and convert them into parameters."""
+    from .schemas import BaseOpenAPISchema
+
+    schema = cast(BaseOpenAPISchema, operation.schema)
+    return [
+        schema.security._to_parameter(parameter)
+        for parameter in schema.security._get_active_definitions(schema.raw_schema, operation, schema.resolver)
+        if parameter["type"] in ("apiKey", "basic", "http")
+    ]
+
+
+def _contains_auth(request: PreparedRequest, security_parameters: list[SecurityParameter]) -> bool:
+    """Whether a request has authentication declared in the schema."""
+    from requests.cookies import RequestsCookieJar
+
+    parsed = urlparse(request.url)
+    query = parse_qs(parsed.query)  # type: ignore
+    # Load the `Cookie` header separately, because it is possible that `request._cookies` and the header are out of sync
+    header_cookies: SimpleCookie = SimpleCookie()
+    raw_cookie = request.headers.get("Cookie")
+    if raw_cookie is not None:
+        header_cookies.load(raw_cookie)
+
+    def has_header(p: dict[str, Any]) -> bool:
+        return p["in"] == "header" and p["name"] in request.headers
+
+    def has_query(p: dict[str, Any]) -> bool:
+        return p["in"] == "query" and p["name"] in query
+
+    def has_cookie(p: dict[str, Any]) -> bool:
+        cookies = cast(RequestsCookieJar, request._cookies)  # type: ignore
+        return p["in"] == "cookie" and (p["name"] in cookies or p["name"] in header_cookies)
+
+    for parameter in security_parameters:
+        if has_header(parameter) or has_query(parameter) or has_cookie(parameter):
+            return True
+
+    return False
+
+
+def _remove_auth_from_request(
+    request: PreparedRequest, security_parameters: list[SecurityParameter]
+) -> PreparedRequest:
+    """Remove security parameters from a request."""
+    from requests.cookies import get_cookie_header
+
+    request = request.copy()
+    parsed = urlparse(request.url)
+    query = parse_qs(parsed.query)  # type: ignore
+    should_replace_url = False
+
+    for parameter in security_parameters:
+        name = parameter["name"]
+        if parameter["in"] == "header":
+            request.headers.pop(name, None)
+        if parameter["in"] == "query":
+            query.pop(name, None)
+            should_replace_url = True
+        if parameter["in"] == "cookie":
+            del request._cookies[name]  # type: ignore
+
+    if should_replace_url:
+        components = [parsed.scheme, parsed.netloc, parsed.path, parsed.params, urlencode(query), parsed.fragment]
+        url = cast(str, urlunparse(components))  # type: ignore
+        request.url = url
+    # Re-generate the `Cookie` header if needed
+    raw_cookie = request.headers.pop("Cookie", None)
+    if raw_cookie is not None:
+        new_cookie_header = get_cookie_header(request._cookies, request)  # type: ignore
+        if new_cookie_header:
+            request.headers["Cookie"] = new_cookie_header
+    return request
+
+
+def _remove_auth_from_case(case: Case, security_parameters: list[SecurityParameter]) -> None:
+    """Remove security parameters from a generated case.
+
+    It mutates `case` in place.
+    """
+    for parameter in security_parameters:
+        name = parameter["name"]
+        if parameter["in"] == "header" and case.headers:
+            case.headers.pop(name, None)
+        if parameter["in"] == "query" and case.query:
+            case.query.pop(name, None)
+        if parameter["in"] == "cookie" and case.cookies:
+            case.cookies.pop(name, None)
+
+
 @dataclass
 class ResourcePath:
     """A path to a resource with variables."""

schemathesis/specs/openapi/links.py

@@ -7,7 +7,8 @@ from __future__ import annotations
 
 from dataclasses import dataclass, field
 from difflib import get_close_matches
-from typing import TYPE_CHECKING, Any, Generator, NoReturn, Sequence, TypedDict, Union
+from types import SimpleNamespace
+from typing import TYPE_CHECKING, Any, Generator, Literal, NoReturn, Sequence, TypedDict, Union, cast
 
 from jsonschema import RefResolver
 
@@ -77,6 +78,9 @@ class Link(StatefulTest):
             body = merge_body(case.body, body)
         return ParsedData(parameters=parameters, body=body)
 
+    def is_match(self) -> bool:
+        return self.operation.schema.filter_set.match(SimpleNamespace(operation=self.operation))
+
     def make_operation(self, collected: list[ParsedData]) -> APIOperation:
         """Create a modified version of the original API operation with additional data merged in."""
         # We split the gathered data among all locations & store the original parameter
@@ -190,7 +194,7 @@ class OpenAPILink(Direction):
     status_code: str
     definition: dict[str, Any]
     operation: APIOperation
-    parameters: list[tuple[str | None, str, str]] = field(init=False)
+    parameters: list[tuple[Literal["path", "query", "header", "cookie", "body"] | None, str, str]] = field(init=False)
     body: dict[str, Any] | NotSet = field(init=False)
     merge_body: bool = True
 
@@ -212,13 +216,24 @@ class OpenAPILink(Direction):
     def set_data(self, case: Case, elapsed: float, **kwargs: Any) -> None:
         """Assign all linked definitions to the new case instance."""
         context = kwargs["context"]
-        self.set_parameters(case, context)
-        self.set_body(case, context)
-        case.set_source(context.response, context.case, elapsed)
+        overrides = self.set_parameters(case, context)
+        self.set_body(case, context, overrides)
+        overrides_all_parameters = True
+        if case.operation.body and "body" not in overrides.get("body", []):
+            overrides_all_parameters = False
+        if overrides_all_parameters:
+            for parameter in case.operation.iter_parameters():
+                if parameter.name not in overrides.get(parameter.location, []):
+                    overrides_all_parameters = False
+                    break
+        case.set_source(context.response, context.case, elapsed, overrides_all_parameters)
 
-    def set_parameters(self, case: Case, context: expressions.ExpressionContext) -> None:
+    def set_parameters(
+        self, case: Case, context: expressions.ExpressionContext
+    ) -> dict[Literal["path", "query", "header", "cookie", "body"], list[str]]:
+        overrides: dict[Literal["path", "query", "header", "cookie", "body"], list[str]] = {}
         for location, name, expression in self.parameters:
-            container = get_container(case, location, name)
+            location, container = get_container(case, location, name)
             # Might happen if there is directly specified container,
             # but the schema has no parameters of such type at all.
             # Therefore the container is empty, otherwise it will be at least an empty object
@@ -229,11 +244,21 @@ class OpenAPILink(Direction):
                 if matches:
                     message += f" Did you mean `{matches[0]}`?"
                 raise ValueError(message)
-            container[name] = expressions.evaluate(expression, context)
-
-    def set_body(self, case: Case, context: expressions.ExpressionContext) -> None:
+            value = expressions.evaluate(expression, context)
+            if value is not None:
+                container[name] = value
+                overrides.setdefault(location, []).append(name)
+        return overrides
+
+    def set_body(
+        self,
+        case: Case,
+        context: expressions.ExpressionContext,
+        overrides: dict[Literal["path", "query", "header", "cookie", "body"], list[str]],
+    ) -> None:
         if self.body is not NOT_SET:
             evaluated = expressions.evaluate(self.body, context, evaluate_nested=True)
+            overrides["body"] = ["body"]
             if self.merge_body:
                 case.body = merge_body(case.body, evaluated)
             else:
@@ -251,21 +276,26 @@ def merge_body(old: Any, new: Any) -> Any:
     return new
 
 
-def get_container(case: Case, location: str | None, name: str) -> dict[str, Any] | None:
+def get_container(
+    case: Case, location: Literal["path", "query", "header", "cookie", "body"] | None, name: str
+) -> tuple[Literal["path", "query", "header", "cookie", "body"], dict[str, Any] | None]:
     """Get a container that suppose to store the given parameter."""
     if location:
         container_name = LOCATION_TO_CONTAINER[location]
     else:
         for param in case.operation.iter_parameters():
             if param.name == name:
+                location = param.location
                 container_name = LOCATION_TO_CONTAINER[param.location]
                 break
         else:
             raise ValueError(f"Parameter `{name}` is not defined in API operation `{case.operation.verbose_name}`")
-    return getattr(case, container_name)
+    return location, getattr(case, container_name)
 
 
-def normalize_parameter(parameter: str, expression: str) -> tuple[str | None, str, str]:
+def normalize_parameter(
+    parameter: str, expression: str
+) -> tuple[Literal["path", "query", "header", "cookie", "body"] | None, str, str]:
     """Normalize runtime expressions.
 
     Runtime expressions may have parameter names prefixed with their location - `path.id`.
@@ -275,7 +305,8 @@ def normalize_parameter(parameter: str, expression: str) -> tuple[str | None, st
     try:
         # The parameter name is prefixed with its location. Example: `path.id`
         location, name = tuple(parameter.split("."))
-        return location, name, expression
+        _location = cast(Literal["path", "query", "header", "cookie", "body"], location)
+        return _location, name, expression
     except ValueError:
         return None, parameter, expression
 

schemathesis/specs/openapi/schemas.py

@@ -535,7 +535,9 @@ class BaseOpenAPISchema(BaseSchema):
     def _get_parameter_serializer(self, definitions: list[dict[str, Any]]) -> Callable | None:
         raise NotImplementedError
 
-    def _get_response_definitions(self, operation: APIOperation, response: GenericResponse) -> dict[str, Any] | None:
+    def _get_response_definitions(
+        self, operation: APIOperation, response: GenericResponse
+    ) -> tuple[list[str], dict[str, Any]] | None:
         try:
             responses = operation.definition.raw["responses"]
         except KeyError as exc:
@@ -545,18 +547,19 @@ class BaseOpenAPISchema(BaseSchema):
             self._raise_invalid_schema(exc, full_path, path, operation.method)
         status_code = str(response.status_code)
         if status_code in responses:
-            _, response = self.resolver.resolve_in_scope(responses[status_code], operation.definition.scope)
-            return response
+            return self.resolver.resolve_in_scope(responses[status_code], operation.definition.scope)
         if "default" in responses:
-            _, response = self.resolver.resolve_in_scope(responses["default"], operation.definition.scope)
-            return response
+            return self.resolver.resolve_in_scope(responses["default"], operation.definition.scope)
         return None
 
-    def get_headers(self, operation: APIOperation, response: GenericResponse) -> dict[str, dict[str, Any]] | None:
-        definitions = self._get_response_definitions(operation, response)
-        if not definitions:
+    def get_headers(
+        self, operation: APIOperation, response: GenericResponse
+    ) -> tuple[list[str], dict[str, dict[str, Any]] | None] | None:
+        resolved = self._get_response_definitions(operation, response)
+        if not resolved:
             return None
-        return definitions.get("headers")
+        scopes, definitions = resolved
+        return scopes, definitions.get("headers")
 
     def as_state_machine(self) -> type[APIStateMachine]:
         try:
@@ -668,12 +671,16 @@ class BaseOpenAPISchema(BaseSchema):
             except Exception as exc:
                 errors.append(exc)
                 _maybe_raise_one_or_more(errors)
-        resolver = ConvertingResolver(
-            self.location or "", self.raw_schema, nullable_name=self.nullable_name, is_response_schema=True
-        )
-        with in_scopes(resolver, scopes):
+        with self._validating_response(scopes) as resolver:
             try:
-                jsonschema.validate(data, schema, cls=self.validator_cls, resolver=resolver)
+                jsonschema.validate(
+                    data,
+                    schema,
+                    cls=self.validator_cls,
+                    resolver=resolver,
+                    # Use a recent JSON Schema format checker to get most of formats checked for older drafts as well
+                    format_checker=jsonschema.Draft202012Validator.FORMAT_CHECKER,
+                )
             except jsonschema.ValidationError as exc:
                 exc_class = get_schema_validation_error(operation.verbose_name, exc)
                 ctx = failures.ValidationErrorContext.from_exception(exc, output_config=operation.schema.output_config)
@@ -684,6 +691,14 @@ class BaseOpenAPISchema(BaseSchema):
         _maybe_raise_one_or_more(errors)
         return None  # explicitly return None for mypy
 
+    @contextmanager
+    def _validating_response(self, scopes: list[str]) -> Generator[ConvertingResolver, None, None]:
+        resolver = ConvertingResolver(
+            self.location or "", self.raw_schema, nullable_name=self.nullable_name, is_response_schema=True
+        )
+        with in_scopes(resolver, scopes):
+            yield resolver
+
     @property
     def rewritten_components(self) -> dict[str, Any]:
         if not hasattr(self, "_rewritten_components"):
@@ -776,7 +791,7 @@ class BaseOpenAPISchema(BaseSchema):
 
 def _maybe_raise_one_or_more(errors: list[Exception]) -> None:
     if not errors:
-        return
+        return None
     elif len(errors) == 1:
         raise errors[0]
     else:
@@ -1116,9 +1131,10 @@ class OpenApi30(SwaggerV20):
         return get_strategies_from_examples(operation, as_strategy_kwargs=as_strategy_kwargs)
 
     def get_content_types(self, operation: APIOperation, response: GenericResponse) -> list[str]:
-        definitions = self._get_response_definitions(operation, response)
-        if not definitions:
+        resolved = self._get_response_definitions(operation, response)
+        if not resolved:
             return []
+        _, definitions = resolved
         return list(definitions.get("content", {}).keys())
 
     def _get_parameter_serializer(self, definitions: list[dict[str, Any]]) -> Callable | None:

schemathesis/specs/openapi/stateful/__init__.py

@@ -5,7 +5,7 @@ from functools import lru_cache
 from typing import TYPE_CHECKING, Any, Callable, ClassVar, Iterator
 
 from hypothesis import strategies as st
-from hypothesis.stateful import Bundle, Rule, rule
+from hypothesis.stateful import Bundle, Rule, precondition, rule
 
 from ....constants import NOT_SET
 from ....internal.result import Ok
@@ -93,10 +93,11 @@ def create_state_machine(schema: BaseOpenAPISchema) -> type[APIStateMachine]:
                         for data_generation_method in schema.data_generation_methods
                     ]
                 )
+                bundle = bundles[bundle_name]
                 rules[name] = transition(
                     name=name,
                     target=catch_all,
-                    previous=bundles[bundle_name],
+                    previous=bundle,
                     case=case_strategy,
                     link=st.just(link),
                 )
@@ -116,11 +117,13 @@ def create_state_machine(schema: BaseOpenAPISchema) -> type[APIStateMachine]:
                     for data_generation_method in schema.data_generation_methods
                 ]
             )
-            rules[name] = transition(
-                name=name,
-                target=catch_all,
-                previous=st.none(),
-                case=case_strategy,
+            rules[name] = precondition(ensure_links_followed)(
+                transition(
+                    name=name,
+                    target=catch_all,
+                    previous=st.none(),
+                    case=case_strategy,
+                )
             )
 
     return type(
@@ -136,6 +139,14 @@ def create_state_machine(schema: BaseOpenAPISchema) -> type[APIStateMachine]:
     )
 
 
+def ensure_links_followed(machine: APIStateMachine) -> bool:
+    # If there are responses that have links to follow, reject any rule without incoming transitions
+    for bundle in machine.bundles.values():
+        if bundle:
+            return False
+    return True
+
+
 def transition(
     *,
     name: str,