schemathesis 4.0.0a12__py3-none-any.whl → 4.0.1__py3-none-any.whl

schemathesis/specs/openapi/checks.py

@@ -21,10 +21,12 @@ from schemathesis.openapi.checks import (
     JsonSchemaError,
     MalformedMediaType,
     MissingContentType,
+    MissingHeaderNotRejected,
     MissingHeaders,
     RejectedPositiveData,
     UndefinedContentType,
     UndefinedStatusCode,
+    UnsupportedMethodResponse,
     UseAfterFree,
 )
 from schemathesis.specs.openapi.constants import LOCATION_TO_CONTAINER
@@ -33,9 +35,7 @@ from schemathesis.transport.prepare import prepare_path
 from .utils import expand_status_code, expand_status_codes
 
 if TYPE_CHECKING:
-    from requests import PreparedRequest
-
-    from ...schemas import APIOperation
+    from schemathesis.schemas import APIOperation
 
 
 def is_unexpected_http_status_case(case: Case) -> bool:
@@ -289,8 +289,14 @@ def missing_required_header(ctx: CheckContext, response: Response, case: Case) -
             config = ctx.config.missing_required_header
             expected_statuses = expand_status_codes(config.expected_statuses or [])
         if response.status_code not in expected_statuses:
-            allowed = f"Allowed statuses: {', '.join(map(str, expected_statuses))}"
-            raise AssertionError(f"Unexpected response status for a missing header: {response.status_code}\n{allowed}")
+            allowed = ", ".join(map(str, expected_statuses))
+            raise MissingHeaderNotRejected(
+                operation=f"{case.method} {case.path}",
+                header_name=data.parameter,
+                status_code=response.status_code,
+                expected_statuses=list(expected_statuses),
+                message=f"Missing header not rejected (got {response.status_code}, expected {allowed})",
+            )
     return None
 
 
@@ -302,13 +308,24 @@ def unsupported_method(ctx: CheckContext, response: Response, case: Case) -> boo
     data = meta.phase.data
     if data.description and data.description.startswith("Unspecified HTTP method:"):
         if response.status_code != 405:
-            raise AssertionError(
-                f"Unexpected response status for unspecified HTTP method: {response.status_code}\nExpected: 405"
+            raise UnsupportedMethodResponse(
+                operation=case.operation.label,
+                method=cast(str, response.request.method),
+                status_code=response.status_code,
+                failure_reason="wrong_status",
+                message=f"Wrong status for unsupported method {response.request.method} (got {response.status_code}, expected 405)",
             )
 
         allow_header = response.headers.get("allow")
         if not allow_header:
-            raise AssertionError("Missing 'Allow' header in 405 Method Not Allowed response")
+            raise UnsupportedMethodResponse(
+                operation=case.operation.label,
+                method=cast(str, response.request.method),
+                status_code=response.status_code,
+                allow_header_present=False,
+                failure_reason="missing_allow_header",
+                message=f"Missing Allow header for unsupported method {response.request.method}",
+            )
     return None
 
 
@@ -458,6 +475,12 @@ def ensure_resource_availability(ctx: CheckContext, response: Response, case: Ca
     )
 
 
+class AuthScenario(str, enum.Enum):
+    NO_AUTH = "no_auth"
+    INVALID_AUTH = "invalid_auth"
+    GENERATED_AUTH = "generated_auth"
+
+
 class AuthKind(str, enum.Enum):
     EXPLICIT = "explicit"
     GENERATED = "generated"
@@ -473,23 +496,28 @@ def ignored_auth(ctx: CheckContext, response: Response, case: Case) -> bool | No
     security_parameters = _get_security_parameters(case.operation)
     # Authentication is required for this API operation and response is successful
     if security_parameters and 200 <= response.status_code < 300:
-        auth = _contains_auth(ctx, case, response.request, security_parameters)
+        auth = _contains_auth(ctx, case, response, security_parameters)
         if auth == AuthKind.EXPLICIT:
             # Auth is explicitly set, it is expected to be valid
             # Check if invalid auth will give an error
             no_auth_case = remove_auth(case, security_parameters)
             kwargs = ctx._transport_kwargs or {}
             kwargs.copy()
-            if "headers" in kwargs:
-                headers = kwargs["headers"].copy()
-                _remove_auth_from_explicit_headers(headers, security_parameters)
-                kwargs["headers"] = headers
+            for location, container_name in (
+                ("header", "headers"),
+                ("cookie", "cookies"),
+                ("query", "query"),
+            ):
+                if container_name in kwargs:
+                    container = kwargs[container_name].copy()
+                    _remove_auth_from_container(container, security_parameters, location=location)
+                    kwargs[container_name] = container
             kwargs.pop("session", None)
             ctx._record_case(parent_id=case.id, case=no_auth_case)
             no_auth_response = case.operation.schema.transport.send(no_auth_case, **kwargs)
             ctx._record_response(case_id=no_auth_case.id, response=no_auth_response)
             if no_auth_response.status_code != 401:
-                _raise_no_auth_error(no_auth_response, no_auth_case, "that requires authentication")
+                _raise_no_auth_error(no_auth_response, no_auth_case, AuthScenario.NO_AUTH)
             # Try to set invalid auth and check if it succeeds
             for parameter in security_parameters:
                 invalid_auth_case = remove_auth(case, security_parameters)
@@ -498,22 +526,38 @@ def ignored_auth(ctx: CheckContext, response: Response, case: Case) -> bool | No
                 invalid_auth_response = case.operation.schema.transport.send(invalid_auth_case, **kwargs)
                 ctx._record_response(case_id=invalid_auth_case.id, response=invalid_auth_response)
                 if invalid_auth_response.status_code != 401:
-                    _raise_no_auth_error(invalid_auth_response, invalid_auth_case, "with any auth")
+                    _raise_no_auth_error(invalid_auth_response, invalid_auth_case, AuthScenario.INVALID_AUTH)
         elif auth == AuthKind.GENERATED:
             # If this auth is generated which means it is likely invalid, then
             # this request should have been an error
-            _raise_no_auth_error(response, case, "with invalid auth")
+            _raise_no_auth_error(response, case, AuthScenario.GENERATED_AUTH)
         else:
             # Successful response when there is no auth
-            _raise_no_auth_error(response, case, "that requires authentication")
+            _raise_no_auth_error(response, case, AuthScenario.NO_AUTH)
     return None
 
 
-def _raise_no_auth_error(response: Response, case: Case, suffix: str) -> NoReturn:
+def _raise_no_auth_error(response: Response, case: Case, auth: AuthScenario) -> NoReturn:
     reason = http.client.responses.get(response.status_code, "Unknown")
+
+    if auth == AuthScenario.NO_AUTH:
+        title = "API accepts requests without authentication"
+        detail = None
+    elif auth == AuthScenario.INVALID_AUTH:
+        title = "API accepts invalid authentication"
+        detail = "invalid credentials provided"
+    else:
+        title = "API accepts invalid authentication"
+        detail = "generated auth likely invalid"
+
+    message = f"Expected 401, got `{response.status_code} {reason}` for `{case.operation.label}`"
+    if detail is not None:
+        message = f"{message} ({detail})"
+
     raise IgnoredAuth(
         operation=case.operation.label,
-        message=f"The API returned `{response.status_code} {reason}` for `{case.operation.label}` {suffix}.",
+        message=message,
+        title=title,
         case_id=case.id,
     )
 
@@ -534,7 +578,7 @@ def _get_security_parameters(operation: APIOperation) -> list[SecurityParameter]
 
 
 def _contains_auth(
-    ctx: CheckContext, case: Case, request: PreparedRequest, security_parameters: list[SecurityParameter]
+    ctx: CheckContext, case: Case, response: Response, security_parameters: list[SecurityParameter]
 ) -> AuthKind | None:
     """Whether a request has authentication declared in the schema."""
     from requests.cookies import RequestsCookieJar
@@ -542,6 +586,7 @@ def _contains_auth(
     # If auth comes from explicit `auth` option or a custom auth, it is always explicit
     if ctx._auth is not None or case._has_explicit_auth:
         return AuthKind.EXPLICIT
+    request = response.request
     parsed = urlparse(request.url)
     query = parse_qs(parsed.query)  # type: ignore
     # Load the `Cookie` header separately, because it is possible that `request._cookies` and the header are out of sync
@@ -563,19 +608,35 @@ def _contains_auth(
     for parameter in security_parameters:
         name = parameter["name"]
         if has_header(parameter):
-            if (ctx._headers is not None and name in ctx._headers) or (ctx._override and name in ctx._override.headers):
+            if (
+                # Explicit CLI headers
+                (ctx._headers is not None and name in ctx._headers)
+                # Other kinds of overrides
+                or (ctx._override and name in ctx._override.headers)
+                or (response._override and name in response._override.headers)
+            ):
                 return AuthKind.EXPLICIT
             return AuthKind.GENERATED
         if has_cookie(parameter):
-            if ctx._headers is not None and "Cookie" in ctx._headers:
-                cookies = cast(RequestsCookieJar, ctx._headers["Cookie"])  # type: ignore
-                if name in cookies:
-                    return AuthKind.EXPLICIT
-            if ctx._override and name in ctx._override.cookies:
+            for headers in [
+                ctx._headers,
+                (ctx._override.headers if ctx._override else None),
+                (response._override.headers if response._override else None),
+            ]:
+                if headers is not None and "Cookie" in headers:
+                    jar = cast(RequestsCookieJar, headers["Cookie"])
+                    if name in jar:
+                        return AuthKind.EXPLICIT
+
+            if (ctx._override and name in ctx._override.cookies) or (
+                response._override and name in response._override.cookies
+            ):
                 return AuthKind.EXPLICIT
             return AuthKind.GENERATED
         if has_query(parameter):
-            if ctx._override and name in ctx._override.query:
+            if (ctx._override and name in ctx._override.query) or (
+                response._override and name in response._override.query
+            ):
                 return AuthKind.EXPLICIT
             return AuthKind.GENERATED
 
@@ -587,9 +648,9 @@ def remove_auth(case: Case, security_parameters: list[SecurityParameter]) -> Cas
 
     It mutates `case` in place.
     """
-    headers = case.headers.copy() if case.headers else None
-    query = case.query.copy() if case.query else None
-    cookies = case.cookies.copy() if case.cookies else None
+    headers = case.headers.copy()
+    query = case.query.copy()
+    cookies = case.cookies.copy()
     for parameter in security_parameters:
         name = parameter["name"]
         if parameter["in"] == "header" and headers:
@@ -602,7 +663,7 @@ def remove_auth(case: Case, security_parameters: list[SecurityParameter]) -> Cas
         operation=case.operation,
         method=case.method,
         path=case.path,
-        path_parameters=case.path_parameters.copy() if case.path_parameters else None,
+        path_parameters=case.path_parameters.copy(),
         headers=headers,
         cookies=cookies,
         query=query,
@@ -612,11 +673,11 @@ def remove_auth(case: Case, security_parameters: list[SecurityParameter]) -> Cas
     )
 
 
-def _remove_auth_from_explicit_headers(headers: dict, security_parameters: list[SecurityParameter]) -> None:
+def _remove_auth_from_container(container: dict, security_parameters: list[SecurityParameter], location: str) -> None:
     for parameter in security_parameters:
         name = parameter["name"]
-        if parameter["in"] == "header":
-            headers.pop(name, None)
+        if parameter["in"] == location:
+            container.pop(name, None)
 
 
 def _set_auth_for_case(case: Case, parameter: SecurityParameter) -> None:

schemathesis/specs/openapi/expressions/nodes.py

@@ -87,7 +87,7 @@ class NonBodyRequest(Node):
     extractor: Extractor | None = None
 
     def evaluate(self, output: StepOutput) -> str | Unresolvable:
-        container: dict | CaseInsensitiveDict = {
+        container = {
             "query": output.case.query,
             "path": output.case.path_parameters,
             "header": output.case.headers,

schemathesis/specs/openapi/negative/__init__.py

@@ -28,16 +28,17 @@ class CacheKey:
     operation_name: str
     location: str
     schema: Schema
+    validator_cls: type[jsonschema.Validator]
 
     def __hash__(self) -> int:
         return hash((self.operation_name, self.location))
 
 
 @lru_cache
-def get_validator(cache_key: CacheKey) -> jsonschema.Draft4Validator:
+def get_validator(cache_key: CacheKey) -> jsonschema.Validator:
     """Get JSON Schema validator for the given schema."""
     # Each operation / location combo has only a single schema, therefore could be cached
-    return jsonschema.Draft4Validator(cache_key.schema)
+    return cache_key.validator_cls(cache_key.schema)
 
 
 @lru_cache
@@ -63,6 +64,7 @@ def negative_schema(
     generation_config: GenerationConfig,
     *,
     custom_formats: dict[str, st.SearchStrategy[str]],
+    validator_cls: type[jsonschema.Validator],
 ) -> st.SearchStrategy:
     """A strategy for instances that DO NOT match the input schema.
 
@@ -70,7 +72,7 @@ def negative_schema(
     """
     # The mutated schema is passed to `from_schema` and guarded against producing instances valid against
     # the original schema.
-    cache_key = CacheKey(operation_name, location, schema)
+    cache_key = CacheKey(operation_name, location, schema, validator_cls)
     validator = get_validator(cache_key)
     keywords, non_keywords = split_schema(cache_key)
 

schemathesis/specs/openapi/negative/mutations.py

@@ -402,8 +402,8 @@ def negate_constraints(context: MutationContext, draw: Draw, schema: Schema) ->
                 if key in DEPENDENCIES:
                     # If this keyword has a dependency, then it should be also negated
                     dependency = DEPENDENCIES[key]
-                    if dependency not in negated:
-                        negated[dependency] = copied[dependency]  # Assuming the schema is valid
+                    if dependency not in negated and dependency in copied:
+                        negated[dependency] = copied[dependency]
         else:
             schema[key] = value
     if is_negated:

schemathesis/specs/openapi/parameters.py

@@ -314,9 +314,6 @@ def parameters_to_json_schema(
 ) -> dict[str, Any]:
     """Create an "object" JSON schema from a list of Open API parameters.
 
-    :param List[OpenAPIParameter] parameters: A list of Open API parameters related to the same location. All of
-        them are expected to have the same "in" value.
-
     For each input parameter, there will be a property in the output schema.
 
     This:

schemathesis/specs/openapi/schemas.py

@@ -39,7 +39,6 @@ from schemathesis.core.transport import Response
 from schemathesis.core.validation import INVALID_HEADER_RE
 from schemathesis.generation.case import Case
 from schemathesis.generation.meta import CaseMetadata
-from schemathesis.generation.overrides import Override, OverrideMark, check_no_override_mark
 from schemathesis.openapi.checks import JsonSchemaError, MissingContentType
 from schemathesis.specs.openapi.stateful import links
 
@@ -259,26 +258,6 @@ class BaseOpenAPISchema(BaseSchema):
                 # Ignore errors
                 continue
 
-    def override(
-        self,
-        *,
-        query: dict[str, str] | None = None,
-        headers: dict[str, str] | None = None,
-        cookies: dict[str, str] | None = None,
-        path_parameters: dict[str, str] | None = None,
-    ) -> Callable[[Callable], Callable]:
-        """Override Open API parameters with fixed values."""
-
-        def _add_override(test: Callable) -> Callable:
-            check_no_override_mark(test)
-            override = Override(
-                query=query or {}, headers=headers or {}, cookies=cookies or {}, path_parameters=path_parameters or {}
-            )
-            OverrideMark.set(test, override)
-            return test
-
-        return _add_override
-
     def _resolve_until_no_references(self, value: dict[str, Any]) -> dict[str, Any]:
         while "$ref" in value:
             _, value = self.resolver.resolve(value["$ref"])
@@ -596,52 +575,6 @@ class BaseOpenAPISchema(BaseSchema):
     def as_state_machine(self) -> type[APIStateMachine]:
         return create_state_machine(self)
 
-    def add_link(
-        self,
-        source: APIOperation,
-        target: str | APIOperation,
-        status_code: str | int,
-        parameters: dict[str, str] | None = None,
-        request_body: Any = None,
-        name: str | None = None,
-    ) -> None:
-        """Add a new Open API link to the schema definition.
-
-        :param APIOperation source: This operation is the source of data
-        :param target: This operation will receive the data from this link.
-            Can be an ``APIOperation`` instance or a reference like this - ``#/paths/~1users~1{userId}/get``
-        :param str status_code: The link is triggered when the source API operation responds with this status code.
-        :param parameters: A dictionary that describes how parameters should be extracted from the matched response.
-            The key represents the parameter name in the target API operation, and the value is a runtime
-            expression string.
-        :param request_body: A literal value or runtime expression to use as a request body when
-            calling the target operation.
-        :param str name: Explicit link name.
-
-        .. code-block:: python
-
-            schema = schemathesis.openapi.from_url("http://0.0.0.0/schema.yaml")
-
-            schema.add_link(
-                source=schema["/users/"]["POST"],
-                target=schema["/users/{userId}"]["GET"],
-                status_code="201",
-                parameters={"userId": "$response.body#/id"},
-            )
-        """
-        if parameters is None and request_body is None:
-            raise ValueError("You need to provide `parameters` or `request_body`.")
-        links.add_link(
-            resolver=self.resolver,
-            responses=self[source.path][source.method].definition.raw["responses"],
-            links_field=self.links_field,
-            parameters=parameters,
-            request_body=request_body,
-            status_code=status_code,
-            target=target,
-            name=name,
-        )
-
     def get_links(self, operation: APIOperation) -> dict[str, dict[str, Any]]:
         result: dict[str, dict[str, Any]] = defaultdict(dict)
         for status_code, link in links.get_all_links(operation):
@@ -909,7 +842,7 @@ class MethodMap(Mapping):
         try:
             return self._init_operation(item)
         except LookupError as exc:
-            available_methods = ", ".join(map(str.upper, self))
+            available_methods = ", ".join(key.upper() for key in self if key in HTTP_METHODS)
             message = f"Method `{item.upper()}` not found."
             if available_methods:
                 message += f" Available methods: {available_methods}"
@@ -1007,12 +940,6 @@ class SwaggerV20(BaseOpenAPISchema):
     def prepare_multipart(
         self, form_data: dict[str, Any], operation: APIOperation
     ) -> tuple[list | None, dict[str, Any] | None]:
-        """Prepare form data for sending with `requests`.
-
-        :param form_data: Raw generated data as a dictionary.
-        :param operation: The tested API operation for which the data was generated.
-        :return: `files` and `data` values for `requests.request`.
-        """
         files, data = [], {}
         # If there is no content types specified for the request or "application/x-www-form-urlencoded" is specified
         # explicitly, then use it., but if "multipart/form-data" is specified, then use it
@@ -1056,7 +983,7 @@ class SwaggerV20(BaseOpenAPISchema):
         method: str | None = None,
         path: str | None = None,
         path_parameters: dict[str, Any] | None = None,
-        headers: dict[str, Any] | None = None,
+        headers: dict[str, Any] | CaseInsensitiveDict | None = None,
         cookies: dict[str, Any] | None = None,
         query: dict[str, Any] | None = None,
         body: list | dict[str, Any] | str | int | float | bool | bytes | NotSet = NOT_SET,
@@ -1069,22 +996,16 @@ class SwaggerV20(BaseOpenAPISchema):
             operation=operation,
             method=method or operation.method.upper(),
             path=path or operation.path,
-            path_parameters=path_parameters,
-            headers=CaseInsensitiveDict(headers) if headers is not None else headers,
-            cookies=cookies,
-            query=query,
+            path_parameters=path_parameters or {},
+            headers=CaseInsensitiveDict() if headers is None else CaseInsensitiveDict(headers),
+            cookies=cookies or {},
+            query=query or {},
             body=body,
             media_type=media_type,
             meta=meta,
         )
 
     def _get_consumes_for_operation(self, definition: dict[str, Any]) -> list[str]:
-        """Get the `consumes` value for the given API operation.
-
-        :param definition: Raw API operation definition.
-        :return: A list of media-types for this operation.
-        :rtype: List[str]
-        """
         global_consumes = self.raw_schema.get("consumes", [])
         consumes = definition.get("consumes", [])
         if not consumes:
@@ -1183,12 +1104,6 @@ class OpenApi30(SwaggerV20):
     def prepare_multipart(
         self, form_data: dict[str, Any], operation: APIOperation
     ) -> tuple[list | None, dict[str, Any] | None]:
-        """Prepare form data for sending with `requests`.
-
-        :param form_data: Raw generated data as a dictionary.
-        :param operation: The tested API operation for which the data was generated.
-        :return: `files` and `data` values for `requests.request`.
-        """
         files = []
         definition = operation.definition.raw
         if "$ref" in definition["requestBody"]:

schemathesis/specs/openapi/stateful/links.py

@@ -2,7 +2,7 @@ from __future__ import annotations
 
 from dataclasses import dataclass
 from functools import lru_cache
-from typing import TYPE_CHECKING, Any, Callable, Generator, Literal, Union, cast
+from typing import Any, Callable, Generator, Literal, cast
 
 from schemathesis.core import NOT_SET, NotSet
 from schemathesis.core.errors import InvalidTransition, OperationNotFound, TransitionValidationError
@@ -13,10 +13,6 @@ from schemathesis.specs.openapi import expressions
 from schemathesis.specs.openapi.constants import LOCATION_TO_CONTAINER
 from schemathesis.specs.openapi.references import RECURSION_DEPTH_LIMIT
 
-if TYPE_CHECKING:
-    from jsonschema import RefResolver
-
-
 SCHEMATHESIS_LINK_EXTENSION = "x-schemathesis"
 ParameterLocation = Literal["path", "query", "header", "cookie", "body"]
 
@@ -211,61 +207,3 @@ def get_all_links(
                 yield status_code, Ok(link)
             except InvalidTransition as exc:
                 yield status_code, Err(exc)
-
-
-StatusCode = Union[str, int]
-
-
-def _get_response_by_status_code(responses: dict[StatusCode, dict[str, Any]], status_code: str | int) -> dict:
-    if isinstance(status_code, int):
-        # Invalid schemas may contain status codes as integers
-        if status_code in responses:
-            return responses[status_code]
-        # Passed here as an integer, but there is no such status code as int
-        # We cast it to a string because it is either there already and we'll get relevant responses, otherwise
-        # a new dict will be created because there is no such status code in the schema (as an int or a string)
-        return responses.setdefault(str(status_code), {})
-    if status_code.isnumeric():
-        # Invalid schema but the status code is passed as a string
-        numeric_status_code = int(status_code)
-        if numeric_status_code in responses:
-            return responses[numeric_status_code]
-    # All status codes as strings, including `default` and patterned values like `5XX`
-    return responses.setdefault(status_code, {})
-
-
-def add_link(
-    resolver: RefResolver,
-    responses: dict[StatusCode, dict[str, Any]],
-    links_field: str,
-    parameters: dict[str, str] | None,
-    request_body: Any,
-    status_code: StatusCode,
-    target: str | APIOperation,
-    name: str | None = None,
-) -> None:
-    response = _get_response_by_status_code(responses, status_code)
-    if "$ref" in response:
-        _, response = resolver.resolve(response["$ref"])
-    links_definition = response.setdefault(links_field, {})
-    new_link: dict[str, str | dict[str, str]] = {}
-    if parameters is not None:
-        new_link["parameters"] = parameters
-    if request_body is not None:
-        new_link["requestBody"] = request_body
-    if isinstance(target, str):
-        name = name or target
-        new_link["operationRef"] = target
-    else:
-        name = name or f"{target.method.upper()} {target.path}"
-        # operationId is a dict lookup which is more efficient than using `operationRef`, since it
-        # doesn't involve reference resolving when we will look up for this target during testing.
-        if "operationId" in target.definition.raw:
-            new_link["operationId"] = target.definition.raw["operationId"]
-        else:
-            new_link["operationRef"] = target.operation_reference
-    # The name is arbitrary, so we don't really case what it is,
-    # but it should not override existing links
-    while name in links_definition:
-        name += "_new"
-    links_definition[name] = new_link

schemathesis/transport/requests.py

@@ -11,6 +11,7 @@ from schemathesis.core import NotSet
 from schemathesis.core.rate_limit import ratelimit
 from schemathesis.core.transforms import deepclone, merge_at
 from schemathesis.core.transport import DEFAULT_RESPONSE_TIMEOUT, Response
+from schemathesis.generation.overrides import Override
 from schemathesis.transport import BaseTransport, SerializationContext
 from schemathesis.transport.prepare import prepare_body, prepare_headers, prepare_url
 from schemathesis.transport.serialization import Binary, serialize_binary, serialize_json, serialize_xml, serialize_yaml
@@ -104,7 +105,17 @@ class RequestsTransport(BaseTransport["requests.Session"]):
             rate_limit = config.rate_limit_for(operation=case.operation)
             with ratelimit(rate_limit, config.base_url):
                 response = session.request(**data)  # type: ignore
-            return Response.from_requests(response, verify=verify)
+            return Response.from_requests(
+                response,
+                verify=verify,
+                _override=Override(
+                    query=kwargs.get("params") or {},
+                    headers=kwargs.get("headers") or {},
+                    cookies=kwargs.get("cookies") or {},
+                    path_parameters={},
+                ),
+            )
+
         finally:
             if close_session:
                 session.close()

schemathesis/transport/serialization.py

@@ -82,10 +82,6 @@ def serialize_xml(
     """Serialize a generated Python object as an XML string.
 
     Schemas may contain additional information for fine-tuned XML serialization.
-
-    :param value: Generated value
-    :param raw_schema: The payload definition with not resolved references.
-    :param resolved_schema: The payload definition with all references resolved.
     """
     if isinstance(value, (bytes, str)):
         return {"data": value}

schemathesis/transport/wsgi.py

@@ -9,6 +9,7 @@ from schemathesis.core.rate_limit import ratelimit
 from schemathesis.core.transforms import merge_at
 from schemathesis.core.transport import Response
 from schemathesis.generation.case import Case
+from schemathesis.generation.overrides import Override
 from schemathesis.python import wsgi
 from schemathesis.transport import BaseTransport, SerializationContext
 from schemathesis.transport.prepare import normalize_base_url, prepare_body, prepare_headers, prepare_path
@@ -99,6 +100,12 @@ class WSGITransport(BaseTransport["werkzeug.Client"]):
             request=requests.Request(**requests_kwargs).prepare(),
             elapsed=elapsed,
             verify=False,
+            _override=Override(
+                query=kwargs.get("params") or {},
+                headers=kwargs.get("headers") or {},
+                cookies=kwargs.get("cookies") or {},
+                path_parameters={},
+            ),
         )