schemathesis 4.1.4__py3-none-any.whl → 4.2.0__py3-none-any.whl

schemathesis/specs/openapi/checks.py

@@ -4,16 +4,17 @@ import enum
 import http.client
 from dataclasses import dataclass
 from http.cookies import SimpleCookie
-from typing import TYPE_CHECKING, Any, Dict, Generator, NoReturn, cast
+from typing import TYPE_CHECKING, Any, Iterator, Mapping, NoReturn, cast
 from urllib.parse import parse_qs, urlparse
 
 import schemathesis
 from schemathesis.checks import CheckContext
 from schemathesis.core import media_types, string_to_boolean
 from schemathesis.core.failures import Failure
+from schemathesis.core.parameters import ParameterLocation
 from schemathesis.core.transport import Response
 from schemathesis.generation.case import Case
-from schemathesis.generation.meta import ComponentKind, CoveragePhaseData
+from schemathesis.generation.meta import CoveragePhaseData
 from schemathesis.openapi.checks import (
     AcceptedNegativeData,
     EnsureResourceAvailability,
@@ -29,13 +30,13 @@ from schemathesis.openapi.checks import (
     UnsupportedMethodResponse,
     UseAfterFree,
 )
-from schemathesis.specs.openapi.constants import LOCATION_TO_CONTAINER
 from schemathesis.transport.prepare import prepare_path
 
 from .utils import expand_status_code, expand_status_codes
 
 if TYPE_CHECKING:
     from schemathesis.schemas import APIOperation
+    from schemathesis.specs.openapi.adapter.parameters import OpenApiParameterSet
 
 
 def is_unexpected_http_status_case(case: Case) -> bool:
@@ -53,13 +54,13 @@ def status_code_conformance(ctx: CheckContext, response: Response, case: Case) -
 
     if not isinstance(case.operation.schema, BaseOpenAPISchema) or is_unexpected_http_status_case(case):
         return True
-    responses = case.operation.definition.raw.get("responses", {})
+    status_codes = case.operation.responses.status_codes
     # "default" can be used as the default response object for all HTTP codes that are not covered individually
-    if "default" in responses:
+    if "default" in status_codes:
         return None
-    allowed_status_codes = list(_expand_responses(responses))
+    allowed_status_codes = list(_expand_status_codes(status_codes))
     if response.status_code not in allowed_status_codes:
-        defined_status_codes = list(map(str, responses))
+        defined_status_codes = list(map(str, status_codes))
         responses_list = ", ".join(defined_status_codes)
         raise UndefinedStatusCode(
             operation=case.operation.label,
@@ -71,7 +72,7 @@ def status_code_conformance(ctx: CheckContext, response: Response, case: Case) -
     return None  # explicitly return None for mypy
 
 
-def _expand_responses(responses: dict[str | int, Any]) -> Generator[int, None, None]:
+def _expand_status_codes(responses: tuple[str, ...]) -> Iterator[int]:
     for code in responses:
         yield from expand_status_code(code)
 
@@ -131,60 +132,48 @@ def _reraise_malformed_media_type(case: Case, location: str, actual: str, define
 def response_headers_conformance(ctx: CheckContext, response: Response, case: Case) -> bool | None:
     import jsonschema
 
-    from .parameters import OpenAPI20Parameter, OpenAPI30Parameter
-    from .schemas import BaseOpenAPISchema, OpenApi30, _maybe_raise_one_or_more
+    from .schemas import BaseOpenAPISchema, _maybe_raise_one_or_more
 
     if not isinstance(case.operation.schema, BaseOpenAPISchema) or is_unexpected_http_status_case(case):
         return True
-    resolved = case.operation.schema.get_headers(case.operation, response)
-    if not resolved:
+
+    # Find the matching response definition
+    response_definition = case.operation.responses.find_by_status_code(response.status_code)
+    if response_definition is None:
         return None
-    scopes, defined_headers = resolved
-    if not defined_headers:
+    # Check whether the matching response definition has headers defined
+    headers = response_definition.headers
+    if not headers:
         return None
 
-    missing_headers = [
-        header
-        for header, definition in defined_headers.items()
-        if header.lower() not in response.headers and definition.get(case.operation.schema.header_required_field, False)
-    ]
     errors: list[Failure] = []
-    if missing_headers:
-        formatted_headers = [f"\n- `{header}`" for header in missing_headers]
-        message = f"The following required headers are missing from the response:{''.join(formatted_headers)}"
-        errors.append(MissingHeaders(operation=case.operation.label, message=message, missing_headers=missing_headers))
-    for name, definition in defined_headers.items():
+
+    missing_headers = []
+
+    for name, header in headers.items():
         values = response.headers.get(name.lower())
         if values is not None:
             value = values[0]
-            with case.operation.schema._validating_response(scopes) as resolver:
-                if "$ref" in definition:
-                    _, definition = resolver.resolve(definition["$ref"])
-                parameter_definition = {"in": "header", **definition}
-                parameter: OpenAPI20Parameter | OpenAPI30Parameter
-                if isinstance(case.operation.schema, OpenApi30):
-                    parameter = OpenAPI30Parameter(parameter_definition)
-                else:
-                    parameter = OpenAPI20Parameter(parameter_definition)
-                schema = parameter.as_json_schema(case.operation)
-                coerced = _coerce_header_value(value, schema)
-                try:
-                    jsonschema.validate(
-                        coerced,
-                        schema,
-                        cls=case.operation.schema.validator_cls,
-                        resolver=resolver,
-                        format_checker=jsonschema.Draft202012Validator.FORMAT_CHECKER,
-                    )
-                except jsonschema.ValidationError as exc:
-                    errors.append(
-                        JsonSchemaError.from_exception(
-                            title="Response header does not conform to the schema",
-                            operation=case.operation.label,
-                            exc=exc,
-                            config=case.operation.schema.config.output,
-                        )
+            coerced = _coerce_header_value(value, header.schema)
+            try:
+                header.validator.validate(coerced)
+            except jsonschema.ValidationError as exc:
+                errors.append(
+                    JsonSchemaError.from_exception(
+                        title="Response header does not conform to the schema",
+                        operation=case.operation.label,
+                        exc=exc,
+                        config=case.operation.schema.config.output,
                     )
+                )
+        elif header.is_required:
+            missing_headers.append(name)
+
+    if missing_headers:
+        formatted_headers = [f"\n- `{header}`" for header in missing_headers]
+        message = f"The following required headers are missing from the response:{''.join(formatted_headers)}"
+        errors.append(MissingHeaders(operation=case.operation.label, message=message, missing_headers=missing_headers))
+
     return _maybe_raise_one_or_more(errors)  # type: ignore[func-returns-value]
 
 
@@ -279,7 +268,7 @@ def missing_required_header(ctx: CheckContext, response: Response, case: Case) -
     data = meta.phase.data
     if (
         data.parameter
-        and data.parameter_location == "header"
+        and data.parameter_location == ParameterLocation.HEADER
         and data.description
         and data.description.startswith("Missing ")
     ):
@@ -334,25 +323,30 @@ def has_only_additional_properties_in_non_body_parameters(case: Case) -> bool:
     # This function is used to determine if negation is solely in the form of extra properties,
     # which are often ignored for backward-compatibility by the tested apps
     from ._hypothesis import get_schema_for_location
+    from .schemas import BaseOpenAPISchema
 
     meta = case.meta
-    if meta is None:
+    if meta is None or not isinstance(case.operation.schema, BaseOpenAPISchema):
         # Ignore manually created cases
         return False
-    if (ComponentKind.BODY in meta.components and meta.components[ComponentKind.BODY].mode.is_negative) or (
-        ComponentKind.PATH_PARAMETERS in meta.components
-        and meta.components[ComponentKind.PATH_PARAMETERS].mode.is_negative
+    if (ParameterLocation.BODY in meta.components and meta.components[ParameterLocation.BODY].mode.is_negative) or (
+        ParameterLocation.PATH in meta.components and meta.components[ParameterLocation.PATH].mode.is_negative
     ):
         # Body or path negations always imply other negations
         return False
-    validator_cls = case.operation.schema.validator_cls  # type: ignore[attr-defined]
-    for container in (ComponentKind.QUERY, ComponentKind.HEADERS, ComponentKind.COOKIES):
-        meta_for_location = meta.components.get(container)
-        value = getattr(case, container.value)
+    validator_cls = case.operation.schema.adapter.jsonschema_validator_cls
+    for location in (ParameterLocation.QUERY, ParameterLocation.HEADER, ParameterLocation.COOKIE):
+        meta_for_location = meta.components.get(location)
+        value = getattr(case, location.container_name)
         if value is not None and meta_for_location is not None and meta_for_location.mode.is_negative:
-            parameters = getattr(case.operation, container)
-            value_without_additional_properties = {k: v for k, v in value.items() if k in parameters}
-            schema = get_schema_for_location(case.operation, container, parameters)
+            container = getattr(case.operation, location.container_name)
+            schema = get_schema_for_location(location, container)
+
+            if _has_serialization_sensitive_types(schema, container):
+                # Can't reliably determine if only additional properties were added
+                continue
+
+            value_without_additional_properties = {k: v for k, v in value.items() if k in container}
             if not validator_cls(schema).is_valid(value_without_additional_properties):
                 # Other types of negation found
                 return False
@@ -360,6 +354,30 @@ def has_only_additional_properties_in_non_body_parameters(case: Case) -> bool:
     return True
 
 
+def _has_serialization_sensitive_types(schema: dict, container: OpenApiParameterSet) -> bool:
+    """Check if schema contains array or object types in defined parameters.
+
+    In query/header/cookie parameters, arrays and objects are serialized to strings.
+    This makes post-serialization validation against the original schema unreliable:
+
+    - Generated: ["foo", "bar"] (array)
+    - Serialized: "foo,bar" (string)
+
+    Validation of string against array schema fails incorrectly.
+    A better approach would be to apply serialization later on in the process.
+
+    """
+    from schemathesis.core.jsonschema import get_type
+
+    properties = schema.get("properties", {})
+    for prop_name, prop_schema in properties.items():
+        if prop_name in container:
+            types = get_type(prop_schema)
+            if "array" in types or "object" in types:
+                return True
+    return False
+
+
 @schemathesis.check
 def use_after_free(ctx: CheckContext, response: Response, case: Case) -> bool | None:
     from .schemas import BaseOpenAPISchema
@@ -439,7 +457,7 @@ def ensure_resource_availability(ctx: CheckContext, response: Response, case: Ca
     overrides = case._override
     overrides_all_parameters = True
     for parameter in case.operation.iter_parameters():
-        container = LOCATION_TO_CONTAINER[parameter.location]
+        container = parameter.location.container_name
         if parameter.name not in getattr(overrides, container, {}):
             overrides_all_parameters = False
             break
@@ -495,12 +513,14 @@ class AuthKind(str, enum.Enum):
 @schemathesis.check
 def ignored_auth(ctx: CheckContext, response: Response, case: Case) -> bool | None:
     """Check if an operation declares authentication as a requirement but does not actually enforce it."""
-    from .schemas import BaseOpenAPISchema
+    from schemathesis.specs.openapi.adapter.security import has_optional_auth
+    from schemathesis.specs.openapi.schemas import BaseOpenAPISchema
 
+    operation = case.operation
     if (
-        not isinstance(case.operation.schema, BaseOpenAPISchema)
+        not isinstance(operation.schema, BaseOpenAPISchema)
         or is_unexpected_http_status_case(case)
-        or _has_optional_auth(case.operation)
+        or has_optional_auth(operation.schema.raw_schema, operation.definition.raw)
     ):
         return True
     security_parameters = _get_security_parameters(case.operation)
@@ -574,30 +594,19 @@ def _raise_no_auth_error(response: Response, case: Case, auth: AuthScenario) ->
     )
 
 
-SecurityParameter = Dict[str, Any]
-
-
-def _get_security_parameters(operation: APIOperation) -> list[SecurityParameter]:
+def _get_security_parameters(operation: APIOperation) -> list[Mapping[str, Any]]:
     """Extract security definitions that are active for the given operation and convert them into parameters."""
-    from .schemas import BaseOpenAPISchema
+    from schemathesis.specs.openapi.adapter.security import ORIGINAL_SECURITY_TYPE_KEY
 
-    schema = cast(BaseOpenAPISchema, operation.schema)
     return [
-        schema.security._to_parameter(parameter)
-        for parameter in schema.security._get_active_definitions(schema.raw_schema, operation, schema.resolver)
-        if parameter["type"] in ("apiKey", "basic", "http")
+        param
+        for param in operation.security.iter_parameters()
+        if param[ORIGINAL_SECURITY_TYPE_KEY] in ["apiKey", "basic", "http"]
     ]
 
 
-def _has_optional_auth(operation: APIOperation) -> bool:
-    from .schemas import BaseOpenAPISchema
-
-    schema = cast(BaseOpenAPISchema, operation.schema)
-    return schema.security.has_optional_auth(schema.raw_schema, operation)
-
-
 def _contains_auth(
-    ctx: CheckContext, case: Case, response: Response, security_parameters: list[SecurityParameter]
+    ctx: CheckContext, case: Case, response: Response, security_parameters: list[Mapping[str, Any]]
 ) -> AuthKind | None:
     """Whether a request has authentication declared in the schema."""
     from requests.cookies import RequestsCookieJar
@@ -614,13 +623,13 @@ def _contains_auth(
     if raw_cookie is not None:
         header_cookies.load(raw_cookie)
 
-    def has_header(p: dict[str, Any]) -> bool:
+    def has_header(p: Mapping[str, Any]) -> bool:
         return p["in"] == "header" and p["name"] in request.headers
 
-    def has_query(p: dict[str, Any]) -> bool:
+    def has_query(p: Mapping[str, Any]) -> bool:
         return p["in"] == "query" and p["name"] in query
 
-    def has_cookie(p: dict[str, Any]) -> bool:
+    def has_cookie(p: Mapping[str, Any]) -> bool:
         cookies = cast(RequestsCookieJar, request._cookies)  # type: ignore
         return p["in"] == "cookie" and (p["name"] in cookies or p["name"] in header_cookies)
 
@@ -662,7 +671,7 @@ def _contains_auth(
     return None
 
 
-def remove_auth(case: Case, security_parameters: list[SecurityParameter]) -> Case:
+def remove_auth(case: Case, security_parameters: list[Mapping[str, Any]]) -> Case:
     """Remove security parameters from a generated case.
 
     It mutates `case` in place.
@@ -692,14 +701,14 @@ def remove_auth(case: Case, security_parameters: list[SecurityParameter]) -> Cas
     )
 
 
-def _remove_auth_from_container(container: dict, security_parameters: list[SecurityParameter], location: str) -> None:
+def _remove_auth_from_container(container: dict, security_parameters: list[Mapping[str, Any]], location: str) -> None:
     for parameter in security_parameters:
         name = parameter["name"]
         if parameter["in"] == location:
             container.pop(name, None)
 
 
-def _set_auth_for_case(case: Case, parameter: SecurityParameter) -> None:
+def _set_auth_for_case(case: Case, parameter: Mapping[str, Any]) -> None:
     name = parameter["name"]
     for location, attr_name in (
         ("header", "headers"),

schemathesis/specs/openapi/converter.py

@@ -1,31 +1,69 @@
 from __future__ import annotations
 
 from itertools import chain
-from typing import Any, Callable
+from typing import Any, Callable, overload
 
-from schemathesis.core.transforms import deepclone, transform
-
-from .patterns import update_quantifier
+from schemathesis.core.jsonschema.bundler import BUNDLE_STORAGE_KEY
+from schemathesis.core.jsonschema.types import JsonSchema
+from schemathesis.core.transforms import deepclone
+from schemathesis.specs.openapi.patterns import update_quantifier
 
 
+@overload
 def to_json_schema(
     schema: dict[str, Any],
-    *,
-    nullable_name: str,
-    copy: bool = True,
+    nullable_keyword: str,
     is_response_schema: bool = False,
     update_quantifiers: bool = True,
-) -> dict[str, Any]:
-    """Convert Open API parameters to JSON Schema.
+    clone: bool = True,
+) -> dict[str, Any]: ...  # pragma: no cover
+
 
-    NOTE. This function is applied to all keywords (including nested) during a schema resolving, thus it is not recursive.
-    See a recursive version below.
-    """
-    if copy:
+@overload
+def to_json_schema(
+    schema: bool,
+    nullable_keyword: str,
+    is_response_schema: bool = False,
+    update_quantifiers: bool = True,
+    clone: bool = True,
+) -> bool: ...  # pragma: no cover
+
+
+def to_json_schema(
+    schema: dict[str, Any] | bool,
+    nullable_keyword: str,
+    is_response_schema: bool = False,
+    update_quantifiers: bool = True,
+    clone: bool = True,
+) -> dict[str, Any] | bool:
+    if isinstance(schema, bool):
+        return schema
+    if clone:
         schema = deepclone(schema)
-    if schema.get(nullable_name) is True:
-        del schema[nullable_name]
+    return _to_json_schema(
+        schema,
+        nullable_keyword=nullable_keyword,
+        is_response_schema=is_response_schema,
+        update_quantifiers=update_quantifiers,
+    )
+
+
+def _to_json_schema(
+    schema: JsonSchema,
+    *,
+    nullable_keyword: str,
+    is_response_schema: bool = False,
+    update_quantifiers: bool = True,
+) -> JsonSchema:
+    if isinstance(schema, bool):
+        return schema
+
+    if schema.get(nullable_keyword) is True:
+        del schema[nullable_keyword]
+        bundled = schema.pop(BUNDLE_STORAGE_KEY, None)
         schema = {"anyOf": [schema, {"type": "null"}]}
+        if bundled:
+            schema[BUNDLE_STORAGE_KEY] = bundled
     schema_type = schema.get("type")
     if schema_type == "file":
         schema["type"] = "string"
@@ -54,9 +92,70 @@ def to_json_schema(
         else:
             # Read-only properties should not occur in requests
             rewrite_properties(schema, is_read_only)
+
+    for keyword, value in schema.items():
+        if keyword in IN_VALUE and isinstance(value, dict):
+            schema[keyword] = _to_json_schema(
+                value,
+                nullable_keyword=nullable_keyword,
+                is_response_schema=is_response_schema,
+                update_quantifiers=update_quantifiers,
+            )
+        elif keyword in IN_ITEM and isinstance(value, list):
+            for idx, subschema in enumerate(value):
+                value[idx] = _to_json_schema(
+                    subschema,
+                    nullable_keyword=nullable_keyword,
+                    is_response_schema=is_response_schema,
+                    update_quantifiers=update_quantifiers,
+                )
+        elif keyword in IN_CHILD and isinstance(value, dict):
+            for name, subschema in value.items():
+                value[name] = _to_json_schema(
+                    subschema,
+                    nullable_keyword=nullable_keyword,
+                    is_response_schema=is_response_schema,
+                    update_quantifiers=update_quantifiers,
+                )
+
     return schema
 
 
+IN_VALUE = frozenset(
+    (
+        "additionalProperties",
+        "contains",
+        "contentSchema",
+        "else",
+        "if",
+        "items",
+        "not",
+        "propertyNames",
+        "then",
+        "unevaluatedItems",
+        "unevaluatedProperties",
+    )
+)
+IN_ITEM = frozenset(
+    (
+        "allOf",
+        "anyOf",
+        "oneOf",
+    )
+)
+IN_CHILD = frozenset(
+    (
+        "prefixItems",
+        "$defs",
+        "definitions",
+        "dependentSchemas",
+        "patternProperties",
+        "properties",
+        BUNDLE_STORAGE_KEY,
+    )
+)
+
+
 def update_pattern_in_schema(schema: dict[str, Any]) -> None:
     pattern = schema.get("pattern")
     min_length = schema.get("minLength")
@@ -104,15 +203,3 @@ def is_read_only(schema: dict[str, Any] | bool) -> bool:
     if isinstance(schema, bool):
         return False
     return schema.get("readOnly", False)
-
-
-def to_json_schema_recursive(
-    schema: dict[str, Any], nullable_name: str, is_response_schema: bool = False, update_quantifiers: bool = True
-) -> dict[str, Any]:
-    return transform(
-        schema,
-        to_json_schema,
-        nullable_name=nullable_name,
-        is_response_schema=is_response_schema,
-        update_quantifiers=update_quantifiers,
-    )