scythe-ttp 0.12.4__tar.gz → 0.13.0__tar.gz

{scythe_ttp-0.12.4/scythe_ttp.egg-info → scythe_ttp-0.13.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scythe-ttp
-Version: 0.12.4
+Version: 0.13.0
 Summary: An extensible framework for emulating attacker TTPs with Selenium.
 Home-page: https://github.com/EpykLab/scythe
 Author: EpykLab
@@ -23,6 +23,8 @@ Requires-Dist: h11==0.16.0
 Requires-Dist: idna==3.10
 Requires-Dist: outcome==1.3.0.post0
 Requires-Dist: PySocks==1.7.1
+Requires-Dist: pydantic==2.7.1
+Requires-Dist: pydantic-core==2.18.2
 Requires-Dist: requests==2.32.4
 Requires-Dist: selenium==4.34.0
 Requires-Dist: setuptools==80.9.0

scythe_ttp-0.13.0/VERSION

@@ -0,0 +1 @@
+0.14.0

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/requirements.txt

@@ -5,6 +5,8 @@ h11==0.16.0
 idna==3.10
 outcome==1.3.0.post0
 PySocks==1.7.1
+pydantic==2.7.1
+pydantic-core==2.18.2
 requests==2.32.4
 selenium==4.34.0
 setuptools==80.9.0

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/scythe/auth/__init__.py

@@ -8,9 +8,11 @@ authenticate before executing their main functionality.
 from .base import Authentication
 from .bearer import BearerTokenAuth
 from .basic import BasicAuth
+from .cookie_jwt import CookieJWTAuth
 
 __all__ = [
     'Authentication',
     'BearerTokenAuth', 
-    'BasicAuth'
+    'BasicAuth',
+    'CookieJWTAuth',
 ]

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/scythe/auth/base.py

@@ -80,6 +80,15 @@ class Authentication(ABC):
         """
         return {}
     
+    def get_auth_cookies(self) -> Dict[str, str]:
+        """
+        Get authentication cookies that should be set for API requests.
+        
+        Returns:
+            Dictionary mapping cookie name to cookie value.
+        """
+        return {}
+    
     def store_auth_data(self, key: str, value: Any) -> None:
         """
         Store authentication-related data.

scythe_ttp-0.13.0/scythe/auth/cookie_jwt.py

@@ -0,0 +1,172 @@
+from __future__ import annotations
+
+import time
+from typing import Dict, Optional, Any
+from urllib.parse import urlparse
+
+try:
+    import requests  # type: ignore
+except Exception:  # pragma: no cover - tests may run without requests installed
+    requests = None  # type: ignore
+from selenium.webdriver.remote.webdriver import WebDriver
+
+from .base import Authentication, AuthenticationError
+
+
+def _extract_by_dot_path(data: Any, path: str) -> Optional[Any]:
+    """
+    Extract a value from a nested dict/list structure using a simple dot path.
+    Supports numeric indices for lists, e.g., "data.items.0.token".
+    """
+    if not path:
+        return None
+    parts = path.split(".")
+    current: Any = data
+    for part in parts:
+        if isinstance(current, dict):
+            if part in current:
+                current = current[part]
+            else:
+                return None
+        elif isinstance(current, list):
+            try:
+                idx = int(part)
+            except ValueError:
+                return None
+            if idx < 0 or idx >= len(current):
+                return None
+            current = current[idx]
+        else:
+            return None
+    return current
+
+
+class CookieJWTAuth(Authentication):
+    """
+    Hybrid authentication where a JWT is acquired from an API login response and
+    then used as a cookie for subsequent requests. Useful when the target server
+    expects a cookie (e.g., "stellarbridge") instead of Authorization headers.
+    
+    Behavior:
+    - In API mode: JourneyExecutor will call get_auth_cookies(); this class will
+      perform a POST to login_url (if token not cached), parse JSON, extract the
+      token via jwt_json_path, and return {cookie_name: token}.
+    - In UI mode: authenticate() will ensure the browser has the cookie set for
+      the target domain.
+    """
+
+    def __init__(self,
+                 login_url: str,
+                 username: Optional[str] = None,
+                 password: Optional[str] = None,
+                 username_field: str = "email",
+                 password_field: str = "password",
+                 extra_fields: Optional[Dict[str, Any]] = None,
+                 jwt_json_path: str = "token",
+                 cookie_name: str = "stellarbridge",
+                 session: Optional[requests.Session] = None,
+                 description: str = "Authenticate via API and set JWT cookie"):
+        super().__init__(
+            name="Cookie JWT Authentication",
+            description=description
+        )
+        self.login_url = login_url
+        self.username = username
+        self.password = password
+        self.username_field = username_field
+        self.password_field = password_field
+        self.extra_fields = extra_fields or {}
+        self.jwt_json_path = jwt_json_path
+        self.cookie_name = cookie_name
+        # Avoid importing requests in test environments; allow injected session
+        self._session = session or (requests.Session() if requests is not None else None)
+        self.token: Optional[str] = None
+
+    def _login_and_get_token(self) -> str:
+        payload: Dict[str, Any] = dict(self.extra_fields)
+        if self.username is not None:
+            payload[self.username_field] = self.username
+        if self.password is not None:
+            payload[self.password_field] = self.password
+        try:
+            resp = self._session.post(self.login_url, json=payload, timeout=15)
+            # try json; raise on non-2xx to surface errors
+            resp.raise_for_status()
+            data = resp.json()
+        except Exception as e:
+            raise AuthenticationError(f"Login request failed: {e}", self.name)
+        token = _extract_by_dot_path(data, self.jwt_json_path)
+        if not token or not isinstance(token, str):
+            raise AuthenticationError(
+                f"JWT not found at path '{self.jwt_json_path}' in login response",
+                self.name,
+            )
+        self.token = token
+        self.store_auth_data('jwt', token)
+        self.store_auth_data('login_time', time.time())
+        return token
+
+    def get_auth_cookies(self) -> Dict[str, str]:
+        """
+        Return cookie mapping for API mode. Will perform login if token absent.
+        """
+        if not self.token:
+            self._login_and_get_token()
+        if not self.token:
+            return {}
+        return {self.cookie_name: self.token}
+
+    def get_auth_headers(self) -> Dict[str, str]:
+        """
+        For this hybrid approach, we typically do not use auth headers.
+        """
+        return {}
+
+    def authenticate(self, driver: WebDriver, target_url: str) -> bool:
+        """
+        UI path: ensure the cookie exists on the browser for the target domain.
+        Will perform the API login if token not yet acquired.
+        """
+        try:
+            if not self.token:
+                self._login_and_get_token()
+            if not self.token:
+                return False
+            # Navigate to the target domain base so cookie domain matches
+            parsed = urlparse(target_url)
+            base = f"{parsed.scheme}://{parsed.netloc}"
+            try:
+                driver.get(base)
+            except Exception:
+                pass
+            cookie_dict = {
+                'name': self.cookie_name,
+                'value': self.token,
+                'path': '/',
+            }
+            # If domain available, set explicitly to be safe
+            if parsed.netloc:
+                cookie_dict['domain'] = parsed.hostname or parsed.netloc
+            driver.add_cookie(cookie_dict)
+            self.authenticated = True
+            return True
+        except Exception as e:
+            raise AuthenticationError(f"Cookie auth failed: {e}", self.name)
+
+    def is_authenticated(self, driver: WebDriver) -> bool:
+        return self.authenticated and self.token is not None
+
+    def logout(self, driver: WebDriver) -> bool:
+        try:
+            self.token = None
+            self.authenticated = False
+            self.clear_auth_data()
+            # Best-effort cookie removal
+            try:
+                driver.delete_cookie(self.cookie_name)
+            except Exception:
+                pass
+            super().logout(driver)
+            return True
+        except Exception:
+            return False

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/scythe/journeys/__init__.py

@@ -7,7 +7,7 @@ or other custom actions like navigation, form filling, etc.
 """
 
 from .base import Journey, Step, Action
-from .actions import NavigateAction, ClickAction, FillFormAction, WaitAction, TTPAction
+from .actions import NavigateAction, ClickAction, FillFormAction, WaitAction, TTPAction, ApiRequestAction
 from .executor import JourneyExecutor
 
 __all__ = [
@@ -19,5 +19,6 @@ __all__ = [
     'FillFormAction', 
     'WaitAction',
     'TTPAction',
+    'ApiRequestAction',
     'JourneyExecutor'
 ]

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/scythe/journeys/actions.py

@@ -5,6 +5,7 @@ from selenium.webdriver.common.by import By
 from selenium.webdriver.support.ui import WebDriverWait
 from selenium.webdriver.support import expected_conditions as EC
 from selenium.common.exceptions import TimeoutException, NoSuchElementException
+import requests
 
 from .base import Action
 from ..core.ttp import TTP
@@ -643,4 +644,126 @@ class AssertAction(Action):
         by_method = selector_map.get(self.selector_type)
         if by_method is None:
             raise ValueError(f"Unsupported selector type: {self.selector_type}")
-        return by_method
+        return by_method
+
+class ApiRequestAction(Action):
+    """Action to perform a REST API request in Journey API mode.
+    
+    This action ignores the WebDriver and uses a requests.Session provided
+    in the journey context under the key 'requests_session'. It merges any
+    'auth_headers' from the context into the request headers.
+    Optionally, it can validate and parse the JSON response using a Pydantic
+    model class when provided.
+    """
+    def __init__(self,
+                 method: str,
+                 url: str,
+                 params: Optional[Dict[str, Any]] = None,
+                 body_json: Optional[Dict[str, Any]] = None,
+                 data: Optional[Dict[str, Any]] = None,
+                 headers: Optional[Dict[str, str]] = None,
+                 expected_status: Optional[int] = 200,
+                 timeout: float = 10.0,
+                 name: Optional[str] = None,
+                 description: Optional[str] = None,
+                 expected_result: bool = True,
+                 response_model: Optional[Any] = None,
+                 response_model_context_key: Optional[str] = None,
+                 fail_on_validation_error: bool = False):
+        self.method = method.upper()
+        self.url = url
+        self.params = params or {}
+        self.body_json = body_json
+        self.data = data
+        self.headers = headers or {}
+        self.expected_status = expected_status
+        self.timeout = timeout
+        self.response_model = response_model
+        self.response_model_context_key = response_model_context_key
+        self.fail_on_validation_error = fail_on_validation_error
+        name = name or f"API {self.method} {url}"
+        description = description or f"Perform {self.method} request to {url}"
+        super().__init__(name, description, expected_result)
+
+    def execute(self, driver: WebDriver, context: Dict[str, Any]) -> bool:
+        # Resolve session
+        session = context.get('requests_session')
+        if session is None:
+            session = requests.Session()
+            context['requests_session'] = session
+        
+        # Build headers: auth headers from context + action headers (action overrides)
+        final_headers = {}
+        auth_headers = context.get('auth_headers', {}) or {}
+        if auth_headers:
+            final_headers.update(auth_headers)
+        if self.headers:
+            final_headers.update(self.headers)
+        
+        # Resolve URL: absolute or join with target_url from context
+        from urllib.parse import urljoin
+        base_url = context.get('target_url') or ''
+        resolved_url = self.url if self.url.lower().startswith('http') else urljoin(base_url, self.url)
+        
+        try:
+            response = session.request(
+                self.method,
+                resolved_url,
+                params=self.params or None,
+                json=self.body_json,
+                data=self.data,
+                headers=final_headers or None,
+                timeout=self.timeout,
+            )
+            
+            # Store details
+            self.store_result('url', resolved_url)
+            self.store_result('request_headers', final_headers)
+            self.store_result('status_code', getattr(response, 'status_code', None))
+            response_headers = dict(getattr(response, 'headers', {}) or {})
+            self.store_result('response_headers', response_headers)
+            # Publish to context for downstream version extraction
+            context['last_response_headers'] = response_headers
+            context['last_response_url'] = resolved_url
+            # Try JSON, fallback to text
+            body = None
+            parsed_model = None
+            validation_error = None
+            try:
+                body = response.json()
+                self.store_result('response_json', body)
+                # If a response_model is provided, attempt validation/parsing
+                if self.response_model is not None:
+                    try:
+                        # Pydantic v2 preferred: model_validate
+                        if hasattr(self.response_model, 'model_validate'):
+                            parsed_model = self.response_model.model_validate(body)
+                        else:
+                            # Pydantic v1 fallback
+                            parsed_model = self.response_model.parse_obj(body)
+                        self.store_result('response_model_instance', parsed_model)
+                        # Save into context for downstream actions
+                        key = self.response_model_context_key or 'last_response_model'
+                        context[key] = parsed_model
+                    except Exception as ve:
+                        validation_error = str(ve)
+                        self.store_result('response_validation_error', validation_error)
+            except Exception:
+                text = getattr(response, 'text', '')
+                # Limit stored text to keep logs light
+                self.store_result('response_text', text if text is None or len(text) <= 2000 else text[:2000])
+            
+            # Determine success (status-based by default)
+            if self.expected_status is not None:
+                http_ok = (getattr(response, 'status_code', None) == self.expected_status)
+            else:
+                http_ok = bool(getattr(response, 'ok', False))
+            
+            # Optionally fail on validation error
+            if self.response_model is not None and self.fail_on_validation_error and self.get_result('response_validation_error'):
+                return False if http_ok else False
+            
+            return http_ok
+        except Exception as e:
+            self.store_result('error', str(e))
+            return False

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/scythe/journeys/base.py

@@ -311,12 +311,45 @@ class Journey:
             if self.requires_authentication():
                 auth_name = self.authentication.name if self.authentication else "Unknown"
                 logger.info(f"Authentication required: {auth_name}")
-                auth_success = self.authenticate(driver, target_url)
-                if not auth_success:
-                    logger.error("Authentication failed - aborting journey")
-                    results['errors'].append("Authentication failed")
-                    return results
-                logger.info("Authentication successful")
+                if driver is None:
+                    # API mode: use header-based authentication if available
+                    headers = {}
+                    try:
+                        if self.authentication and hasattr(self.authentication, 'get_auth_headers'):
+                            headers = self.authentication.get_auth_headers() or {}
+                    except Exception as e:
+                        logger.error(f"Failed to get authentication headers: {e}")
+                        headers = {}
+                    cookies = {}
+                    if headers:
+                        # Merge into existing context headers
+                        existing = self.get_context('auth_headers', {})
+                        merged = {**existing, **headers}
+                        self.set_context('auth_headers', merged)
+                        logger.info("Authentication headers prepared for API mode")
+                    # Try to merge cookies as well (hybrid auth)
+                    try:
+                        if self.authentication and hasattr(self.authentication, 'get_auth_cookies'):
+                            cookies = self.authentication.get_auth_cookies() or {}
+                    except Exception as e:
+                        logger.error(f"Failed to get authentication cookies: {e}")
+                        cookies = {}
+                    if cookies:
+                        existing_cookies = self.get_context('auth_cookies', {})
+                        merged_cookies = {**existing_cookies, **cookies}
+                        self.set_context('auth_cookies', merged_cookies)
+                        logger.info("Authentication cookies prepared for API mode")
+                    if not headers and not cookies:
+                        logger.error("Authentication required but no headers/cookies available in API mode")
+                        results['errors'].append("Authentication failed (no API auth data)")
+                        return results
+                else:
+                    auth_success = self.authenticate(driver, target_url)
+                    if not auth_success:
+                        logger.error("Authentication failed - aborting journey")
+                        results['errors'].append("Authentication failed")
+                        return results
+                    logger.info("Authentication successful")
             
             # Execute each step
             for i, step in enumerate(self.steps, 1):
@@ -342,7 +375,7 @@ class Journey:
                             results['actions_failed'] += 1
                     
                     # Extract target version header after step execution
-                    target_version = header_extractor.extract_target_version(driver, target_url)
+                    target_version = header_extractor.extract_target_version_hybrid(driver, target_url)
                     if target_version:
                         results['target_versions'].append(target_version)
                         logger.info(f"Target version detected: {target_version}")

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/scythe/journeys/executor.py

@@ -3,6 +3,7 @@ import logging
 from selenium import webdriver
 from selenium.webdriver.chrome.options import Options
 from typing import Optional, Dict, Any, List
+import requests
 from ..behaviors.base import Behavior
 from .base import Journey
 from ..core.headers import HeaderExtractor
@@ -24,6 +25,10 @@ class JourneyExecutor:
     
     Similar to TTPExecutor but designed for complex multi-step scenarios
     involving journeys composed of steps and actions.
+    
+    Supports two interaction modes:
+      - UI: browser-driven via Selenium (default, backward-compatible)
+      - API: REST-driven via requests without starting a browser
     """
     
     def __init__(self, 
@@ -31,7 +36,8 @@ class JourneyExecutor:
                  target_url: str, 
                  headless: bool = True, 
                  behavior: Optional[Behavior] = None,
-                 driver_options: Optional[Dict[str, Any]] = None):
+                 driver_options: Optional[Dict[str, Any]] = None,
+                 mode: str = "UI"):
         """
         Initialize the Journey executor.
         
@@ -45,6 +51,7 @@ class JourneyExecutor:
         self.journey = journey
         self.target_url = target_url
         self.behavior = behavior
+        self.mode = (mode or "UI").upper()
         self.logger = logging.getLogger(f"Journey.{self.journey.name}")
         
         # Setup Chrome options
@@ -108,29 +115,62 @@ class JourneyExecutor:
             self.logger.info(f"Using behavior: {self.behavior.name}")
             self.logger.info(f"Behavior description: {self.behavior.description}")
         
-        self._setup_driver()
-        
         try:
-            # Pre-execution behavior setup
-            if self.behavior and self.driver:
-                self.behavior.pre_execution(self.driver, self.target_url)
-            
-            # Execute the journey
-            if self.driver:
-                self.execution_results = self.journey.execute(self.driver, self.target_url)
+            if self.mode == 'API':
+                # API mode: no WebDriver, prepare requests session and context
+                session = requests.Session()
+                auth_headers = {}
+                auth_cookies = {}
+                if getattr(self.journey, 'authentication', None):
+                    # Try to obtain headers/cookies directly (no browser flow)
+                    try:
+                        auth_headers = self.journey.authentication.get_auth_headers() or {}
+                    except Exception as e:
+                        self.logger.warning(f"Failed to get auth headers from authentication: {e}")
+                    try:
+                        if hasattr(self.journey.authentication, 'get_auth_cookies'):
+                            auth_cookies = self.journey.authentication.get_auth_cookies() or {}
+                    except Exception as e:
+                        self.logger.warning(f"Failed to get auth cookies from authentication: {e}")
+                if auth_headers:
+                    session.headers.update(auth_headers)
+                if auth_cookies:
+                    for ck, cv in auth_cookies.items():
+                        try:
+                            session.cookies.set(ck, cv)
+                        except Exception:
+                            pass
+                
+                # Seed journey context for API actions
+                self.journey.set_context('mode', 'API')
+                self.journey.set_context('requests_session', session)
+                self.journey.set_context('auth_headers', auth_headers)
+                self.journey.set_context('auth_cookies', auth_cookies)
+                
+                # Execute journey with a None driver (API actions ignore driver)
+                self.execution_results = self.journey.execute(None, self.target_url)
             else:
-                raise RuntimeError("WebDriver not initialized")
-            
-            # Apply behavior timing between steps if configured
-            if self.behavior:
-                # Let behavior influence the journey execution
-                self._apply_behavior_to_journey()
-            
-            # Post-execution behavior cleanup
-            if self.behavior and self.driver:
-                # Convert journey results to format expected by behavior
-                behavior_results = self._convert_results_for_behavior()
-                self.behavior.post_execution(self.driver, behavior_results)
+                # UI mode (default)
+                self._setup_driver()
+                
+                # Pre-execution behavior setup
+                if self.behavior and self.driver:
+                    self.behavior.pre_execution(self.driver, self.target_url)
+                
+                # Execute the journey
+                if self.driver:
+                    self.execution_results = self.journey.execute(self.driver, self.target_url)
+                else:
+                    raise RuntimeError("WebDriver not initialized")
+                
+                # Apply behavior timing between steps if configured
+                if self.behavior:
+                    self._apply_behavior_to_journey()
+                
+                # Post-execution behavior cleanup
+                if self.behavior and self.driver:
+                    behavior_results = self._convert_results_for_behavior()
+                    self.behavior.post_execution(self.driver, behavior_results)
         
         except KeyboardInterrupt:
             self.logger.info("Journey interrupted by user.")
@@ -143,6 +183,7 @@ class JourneyExecutor:
                 self.execution_results = self._create_error_results(str(e))
         
         finally:
+            # Cleanup and print summary (driver quit only if initialized)
             self._cleanup()
         
         return self.execution_results

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/scythe/ttps/web/uuid_guessing.py

@@ -5,6 +5,7 @@ from ...payloads.generators import PayloadGenerator
 import requests
 from uuid import UUID
 
+
 class GuessUUIDInURL(TTP):
     def __init__(self,
                  target_url: str,
@@ -18,10 +19,10 @@ class GuessUUIDInURL(TTP):
             description="simulate bruteforcing UUID's in the URL path",
             expected_result=expected_result,
             authentication=authentication)
-        
+
         self.target_url = target_url
         self.uri_root_path = uri_root_path
-        self.payload_generator = payload_generator   
+        self.payload_generator = payload_generator
 
     def get_payloads(self):
         yield from self.payload_generator()

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0/scythe_ttp.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scythe-ttp
-Version: 0.12.4
+Version: 0.13.0
 Summary: An extensible framework for emulating attacker TTPs with Selenium.
 Home-page: https://github.com/EpykLab/scythe
 Author: EpykLab
@@ -23,6 +23,8 @@ Requires-Dist: h11==0.16.0
 Requires-Dist: idna==3.10
 Requires-Dist: outcome==1.3.0.post0
 Requires-Dist: PySocks==1.7.1
+Requires-Dist: pydantic==2.7.1
+Requires-Dist: pydantic-core==2.18.2
 Requires-Dist: requests==2.32.4
 Requires-Dist: selenium==4.34.0
 Requires-Dist: setuptools==80.9.0

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/scythe_ttp.egg-info/SOURCES.txt

@@ -9,6 +9,7 @@ scythe/auth/__init__.py
 scythe/auth/base.py
 scythe/auth/basic.py
 scythe/auth/bearer.py
+scythe/auth/cookie_jwt.py
 scythe/behaviors/__init__.py
 scythe/behaviors/base.py
 scythe/behaviors/default.py
@@ -40,8 +41,10 @@ scythe_ttp.egg-info/SOURCES.txt
 scythe_ttp.egg-info/dependency_links.txt
 scythe_ttp.egg-info/requires.txt
 scythe_ttp.egg-info/top_level.txt
+tests/test_api_models.py
 tests/test_authentication.py
 tests/test_behaviors.py
+tests/test_cookie_jwt_auth.py
 tests/test_expected_results.py
 tests/test_feature_completeness.py
 tests/test_header_extraction.py

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/scythe_ttp.egg-info/requires.txt

@@ -5,6 +5,8 @@ h11==0.16.0
 idna==3.10
 outcome==1.3.0.post0
 PySocks==1.7.1
+pydantic==2.7.1
+pydantic-core==2.18.2
 requests==2.32.4
 selenium==4.34.0
 setuptools==80.9.0

{scythe_ttp-0.12.4 → scythe_ttp-0.13.0}/setup.py

@@ -8,7 +8,7 @@ with open("./requirements.txt", "r", encoding="utf-8") as f:
 
 setuptools.setup(
     name="scythe-ttp",
-    version="0.12.4",
+    version="0.13.0",
     author="EpykLab",
     author_email="cyber@epyklab.com",
     description="An extensible framework for emulating attacker TTPs with Selenium.",

scythe_ttp-0.13.0/tests/test_api_models.py

@@ -0,0 +1,126 @@
+import unittest
+from typing import Any, Dict, Optional
+
+from scythe.journeys.actions import ApiRequestAction
+
+
+class _FakeResponse:
+    def __init__(self, status_code: int = 200, headers: Optional[Dict[str, str]] = None, json_body: Optional[Dict[str, Any]] = None, text: str = ""):
+        self.status_code = status_code
+        self.headers = headers or {}
+        self._json = json_body
+        self.text = text
+
+    @property
+    def ok(self) -> bool:
+        return 200 <= self.status_code < 300
+
+    def json(self) -> Dict[str, Any]:
+        if self._json is None:
+            raise ValueError("No JSON body")
+        return self._json
+
+
+class _FakeSession:
+    def __init__(self, response: _FakeResponse):
+        self._response = response
+        self.headers: Dict[str, str] = {}
+
+    def request(self, method, url, params=None, json=None, data=None, headers=None, timeout=None):
+        # emulate minimal requests.Session.request
+        return self._response
+
+
+# Fake Pydantic-like models to avoid external imports
+class FakeModelV2:
+    def __init__(self, status: str, version: Optional[str] = None):
+        self.status = status
+        self.version = version
+
+    @classmethod
+    def model_validate(cls, data: Dict[str, Any]) -> "FakeModelV2":
+        # Minimal validation: require 'status'
+        if not isinstance(data, dict) or "status" not in data or not isinstance(data["status"], str):
+            raise ValueError("Invalid data for FakeModelV2: missing 'status' as str")
+        version = data.get("version")
+        if version is not None and not isinstance(version, str):
+            raise ValueError("Invalid 'version' type")
+        return cls(status=data["status"], version=version)
+
+
+class FakeModelV1:
+    def __init__(self, status: str):
+        self.status = status
+
+    @classmethod
+    def parse_obj(cls, data: Dict[str, Any]) -> "FakeModelV1":
+        if not isinstance(data, dict) or "status" not in data or not isinstance(data["status"], str):
+            raise ValueError("Invalid data for FakeModelV1: missing 'status' as str")
+        return cls(status=data["status"])
+
+
+class TestApiRequestActionModels(unittest.TestCase):
+    def test_valid_json_parses_into_model_v2(self):
+        fake_resp = _FakeResponse(
+            status_code=200,
+            headers={"Content-Type": "application/json"},
+            json_body={"status": "ok", "version": "1.2.3"},
+        )
+        session = _FakeSession(fake_resp)
+
+        action = ApiRequestAction(
+            method="GET",
+            url="/api/health",
+            expected_status=200,
+            response_model=FakeModelV2,
+            response_model_context_key="health_model",
+        )
+        context: Dict[str, Any] = {
+            "target_url": "http://localhost:8080",
+            "requests_session": session,
+        }
+
+        result = action.execute(driver=None, context=context)
+
+        self.assertTrue(result)
+        # Model instance stored
+        model_instance = action.get_result("response_model_instance")
+        self.assertIsNotNone(model_instance)
+        self.assertIsInstance(model_instance, FakeModelV2)
+        self.assertEqual(model_instance.status, "ok")
+        # Context updated with model
+        self.assertIn("health_model", context)
+        self.assertIsInstance(context["health_model"], FakeModelV2)
+        # No validation error recorded
+        self.assertIsNone(action.get_result("response_validation_error"))
+
+    def test_invalid_json_records_error_and_can_fail_v1(self):
+        fake_resp = _FakeResponse(
+            status_code=200,
+            headers={"Content-Type": "application/json"},
+            json_body={"wrong": "shape"},
+        )
+        session = _FakeSession(fake_resp)
+
+        action = ApiRequestAction(
+            method="GET",
+            url="/api/health",
+            expected_status=200,
+            response_model=FakeModelV1,  # triggers parse_obj path
+            fail_on_validation_error=True,
+        )
+        context: Dict[str, Any] = {
+            "target_url": "http://localhost:8080",
+            "requests_session": session,
+        }
+
+        result = action.execute(driver=None, context=context)
+
+        # HTTP status would normally be success, but validation error should force failure
+        self.assertFalse(result)
+        self.assertIsNone(action.get_result("response_model_instance"))
+        self.assertIsNotNone(action.get_result("response_validation_error"))
+
+
+if __name__ == "__main__":
+    unittest.main()

scythe_ttp-0.13.0/tests/test_cookie_jwt_auth.py

@@ -0,0 +1,201 @@
+import unittest
+from unittest.mock import Mock, patch
+from typing import Any, Dict, Optional
+import sys
+import types
+
+# Provide minimal shims if dependencies are not installed
+# requests shim
+if 'requests' not in sys.modules:
+    requests_mod = types.ModuleType('requests')
+    class _Session:
+        pass
+    requests_mod.Session = _Session
+    sys.modules['requests'] = requests_mod
+
+# Provide a minimal selenium shim if selenium is not installed
+if 'selenium' not in sys.modules:
+    selenium_mod = types.ModuleType('selenium')
+    webdriver_mod = types.ModuleType('selenium.webdriver')
+    chrome_mod = types.ModuleType('selenium.webdriver.chrome')
+    options_mod = types.ModuleType('selenium.webdriver.chrome.options')
+    remote_mod = types.ModuleType('selenium.webdriver.remote')
+    remote_webdriver_mod = types.ModuleType('selenium.webdriver.remote.webdriver')
+    common_mod = types.ModuleType('selenium.webdriver.common')
+    common_by_mod = types.ModuleType('selenium.webdriver.common.by')
+    selenium_common_mod = types.ModuleType('selenium.common')
+    selenium_common_ex_mod = types.ModuleType('selenium.common.exceptions')
+    support_mod = types.ModuleType('selenium.webdriver.support')
+    support_ui_mod = types.ModuleType('selenium.webdriver.support.ui')
+    support_ec_mod = types.ModuleType('selenium.webdriver.support.expected_conditions')
+
+    class _Options:  # placeholder Options
+        def __init__(self):
+            pass
+    options_mod.Options = _Options
+
+    class _WebDriver:  # minimal placeholder to satisfy type import
+        pass
+    remote_webdriver_mod.WebDriver = _WebDriver
+
+    class _By:
+        ID = 'id'
+        XPATH = 'xpath'
+        CSS_SELECTOR = 'css selector'
+        NAME = 'name'
+        CLASS_NAME = 'class name'
+        TAG_NAME = 'tag name'
+    common_by_mod.By = _By
+
+    class _NoSuchElementException(Exception):
+        pass
+    class _TimeoutException(Exception):
+        pass
+    selenium_common_ex_mod.NoSuchElementException = _NoSuchElementException
+    selenium_common_ex_mod.TimeoutException = _TimeoutException
+
+    # Dummy expected conditions and WebDriverWait
+    class _EC:
+        @staticmethod
+        def element_to_be_clickable(locator):
+            return True
+    support_ec_mod = types.ModuleType('selenium.webdriver.support.expected_conditions')
+    support_ec_mod.element_to_be_clickable = _EC.element_to_be_clickable
+
+    class _WebDriverWait:
+        def __init__(self, driver, timeout):
+            pass
+        def until(self, method):
+            return Mock()
+    support_ui_mod = types.ModuleType('selenium.webdriver.support.ui')
+    support_ui_mod.WebDriverWait = _WebDriverWait
+    support_mod = types.ModuleType('selenium.webdriver.support')
+
+    sys.modules['selenium'] = selenium_mod
+    sys.modules['selenium.webdriver'] = webdriver_mod
+    sys.modules['selenium.webdriver.chrome'] = chrome_mod
+    sys.modules['selenium.webdriver.chrome.options'] = options_mod
+    sys.modules['selenium.webdriver.remote'] = remote_mod
+    sys.modules['selenium.webdriver.remote.webdriver'] = remote_webdriver_mod
+    sys.modules['selenium.webdriver.common'] = common_mod
+    sys.modules['selenium.webdriver.common.by'] = common_by_mod
+    sys.modules['selenium.webdriver.support'] = support_mod
+    sys.modules['selenium.webdriver.support.ui'] = support_ui_mod
+    sys.modules['selenium.webdriver.support.expected_conditions'] = support_ec_mod
+    sys.modules['selenium.common'] = selenium_common_mod
+    sys.modules['selenium.common.exceptions'] = selenium_common_ex_mod
+
+from scythe.auth.cookie_jwt import CookieJWTAuth
+
+
+class _FakeLoginResponse:
+    def __init__(self, data: Dict[str, Any], status_code: int = 200):
+        self._data = data
+        self.status_code = status_code
+
+    def raise_for_status(self):
+        if not (200 <= self.status_code < 300):
+            raise RuntimeError("HTTP Error")
+
+    def json(self):
+        return self._data
+
+
+class _FakeLoginSession:
+    def __init__(self, data: Dict[str, Any]):
+        self._data = data
+
+    def post(self, url, json=None, timeout=None):
+        return _FakeLoginResponse(self._data, 200)
+
+
+class _CookieJar:
+    def __init__(self):
+        self._cookies: Dict[str, str] = {}
+
+    def set(self, key: str, value: str):
+        self._cookies[key] = value
+
+    def get(self, key: str, default=None):
+        return self._cookies.get(key, default)
+
+
+class _FakeRequestsSession:
+    def __init__(self):
+        self.headers: Dict[str, str] = {}
+        self.cookies = _CookieJar()
+        self._last_request: Dict[str, Any] = {}
+        self._status: int = 200
+        self._text: str = "ok"
+        self._json: Optional[Dict[str, Any]] = None
+
+    class _Resp:
+        def __init__(self, status_code: int, headers: Dict[str, str], text: str, json_body: Optional[Dict[str, Any]]):
+            self.status_code = status_code
+            self.headers = headers
+            self.text = text
+            self._json = json_body
+
+        @property
+        def ok(self):
+            return 200 <= self.status_code < 300
+
+        def json(self):
+            if self._json is None:
+                raise ValueError("No JSON body")
+            return self._json
+
+    def request(self, method, url, params=None, json=None, data=None, headers=None, timeout=None):
+        # Record request for assertions
+        self._last_request = {
+            'method': method,
+            'url': url,
+            'headers': headers or {},
+            'params': params or {},
+            'json': json,
+            'data': data,
+        }
+        return self._Resp(self._status, {}, self._text, self._json)
+
+
+class TestCookieJWTAuth(unittest.TestCase):
+    def test_get_auth_cookies_via_login(self):
+        fake_login = _FakeLoginSession({"auth": {"jwt": "ABC123"}})
+        auth = CookieJWTAuth(
+            login_url="http://api.example.com/login",
+            username="user@example.com",
+            password="secret",
+            username_field="email",
+            password_field="password",
+            jwt_json_path="auth.jwt",
+            cookie_name="stellarbridge",
+            session=fake_login,
+        )
+
+        cookies = auth.get_auth_cookies()
+        self.assertEqual(cookies, {"stellarbridge": "ABC123"})
+        self.assertEqual(auth.token, "ABC123")
+        self.assertEqual(auth.get_auth_headers(), {})
+
+    def test_ui_auth_sets_browser_cookie(self):
+        fake_login = _FakeLoginSession({"token": "XYZ"})
+        auth = CookieJWTAuth(
+            login_url="http://api.example.com/login",
+            username="user@example.com",
+            password="secret",
+            jwt_json_path="token",
+            cookie_name="stellarbridge",
+            session=fake_login,
+        )
+        driver = Mock()
+        result = auth.authenticate(driver, target_url="http://app.example.com/protected")
+        self.assertTrue(result)
+        # add_cookie called with correct name and value
+        called_args = driver.add_cookie.call_args[0][0]
+        self.assertEqual(called_args["name"], "stellarbridge")
+        self.assertEqual(called_args["value"], "XYZ")
+
+
+
+if __name__ == "__main__":
+    unittest.main()

scythe_ttp-0.12.4/VERSION

@@ -1 +0,0 @@
-0.12.5