Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Open API: named auth implementation #1710

Open
Stranger6667 opened this issue Feb 20, 2023 · 0 comments
Open

[FEATURE] Open API: named auth implementation #1710

Stranger6667 opened this issue Feb 20, 2023 · 0 comments
Assignees
@Stranger6667
Labels
Component: Hooks Extensibility and customization Core: Transport Sending data to the tested app Difficulty: Hard Complex, needs deep understanding Priority: Medium Planned for regular releases Specification: OpenAPI Specific to OpenAPI Type: Feature New functionalities or enhancements

Comments

@Stranger6667
Copy link
Member

Stranger6667 commented Feb 20, 2023
edited

Problem

It could be tedious to use different auth types within the same Open API schemas in Schemathesis. Essentially it means duplicating the filtering logic inside the auth implementation itself (filters will simplify it though).

Solution

Add a method that makes Schemathesis use certain auth mechanisms based on their name & type.

Schema:

components:
  securitySchemes:
    BasicAuth:
      type: http
      scheme: basic
    BearerAuth:
      type: http
      scheme: bearer
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
    OpenID:
      type: openIdConnect
      openIdConnectUrl: https://example.com/.well-known/openid-configuration
    OAuth2:
      type: oauth2
      flows:
        password:
          refreshUrl: https://example.com/oauth/refresh
          tokenUrl: https://example.com/oauth/token
          scopes:
            read: Grants read access
            write: Grants write access
            admin: Grants access to admin operations

Then it could be something like:

schema.auth.http_basic("BasicAuth", username="username", password="password")
schema.auth.http_bearer("BearerAuth", token="TOKEN")
schema.auth.api_key("ApiKeyAuth", api_key="API-KEY")

I.e. some specifically typed methods that will automatically add proper impl under the hood.

Alternative, a simpler interface, but typing would be harder to specify (+ some validation would be needed):

schema.auth.define("BasicAuth", username="username", password="password")
schema.auth.define("BearerAuth", token="TOKEN")
schema.auth.define("ApiKeyAuth", api_key="API-KEY")
schema.auth.define("OAuth2", username="username", password="password")

Also, overriding some values would be nice for testing purposes - e.g. specify a different refreshUrl for testing purposes.

Probably Schemathesis can't support all security schemes, especially ones with device auth codes, but username / password or token-like should be a good starting point.

Implementation notes

  • I'd like to have everything called via schema.auth, but since AuthStorage is spec-agnostic we might need to subclass it in order to add some setup-time validation for inputs
@Stranger6667 Stranger6667 added Status: Needs Triage Requires initial assessment to categorize and prioritize Type: Feature New functionalities or enhancements labels Feb 20, 2023
@Stranger6667 Stranger6667 self-assigned this Feb 20, 2023
@Stranger6667 Stranger6667 added Priority: Medium Planned for regular releases Specification: OpenAPI Specific to OpenAPI Difficulty: Hard Complex, needs deep understanding Component: Hooks Extensibility and customization Core: Transport Sending data to the tested app and removed Status: Needs Triage Requires initial assessment to categorize and prioritize labels Oct 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Stranger6667 Stranger6667

Labels
Component: Hooks Extensibility and customization Core: Transport Sending data to the tested app Difficulty: Hard Complex, needs deep understanding Priority: Medium Planned for regular releases Specification: OpenAPI Specific to OpenAPI Type: Feature New functionalities or enhancements
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Stranger6667