@@ -27,8 +27,102 @@ properties:
2727 type : string
2828required : ["auth"]
2929$def :
30+ HttpVerb :
31+ type : string
32+ enum :
33+ - POST
34+ - GET
35+ - PATCH
36+ - DELETE
37+ - PUT
38+ Header :
39+ description : " HTTP header information"
40+ type : object
41+ properties :
42+ name :
43+ description : " The header name, e.g., 'Authorization'."
44+ type : string
45+ value :
46+ description : " The value of the header"
47+ type : string
48+ required : ["name","value"]
3049 AuthenticationInfo :
3150 type : object
32-
33-
34-
51+ properties :
52+ name :
53+ description : " The name given to this authentication info. \
54+ This works as a unique id for this authentication configuration."
55+ type : string
56+ requireMockHandling :
57+ description : " Specify that the authentication for this user requires setting up mock responses from an external service. \
58+ This will be done as part of the fuzzing, although only possible for white-box testing. \
59+ One consequence here is that, even if we provide correct auth info as input, then a request might still \
60+ fail due to unauthorized access if the fuzzing process does not properly set up these mocked responses in the API itself."
61+ type : boolean
62+ fixedHeaders :
63+ description : " The headers needed for authentication. \
64+ This is used to represent cases in which auth info is static/fixed, e.g., \
65+ when passing an id or username/password through a HTTP header (and not \
66+ using for example a dynamically generated token from a login endpoint first)."
67+ type : array
68+ items :
69+ $ref : " #/$def/Header"
70+ loginEndpointAuth :
71+ $ref : " #/$def/LoginEndpoint"
72+ required : ["name"]
73+ # ##
74+ LoginEndpoint :
75+ description : " Used to represent the case in which a login endpoint is used to obtain the authentication credentials. \
76+ These can be cookies, or a token extracted from the login endpoint's response. \
77+ This token can then be added to an HTTP header in the following requests."
78+ type : object
79+ properties :
80+ endpoint :
81+ description : " The endpoint path (eg '/login') where to execute the login. \
82+ It assumes it is on same server of API.\
83+ If not, rather use 'externalEndpointURL'."
84+ type : string
85+ externalEndpointURL :
86+ description : " If the login endpoint is on a different server, here can rather specify the full URL for it."
87+ type : string
88+ payloadRaw :
89+ description : " The raw payload to send, as a string."
90+ type : string
91+ payloadUserPwd :
92+ $ref : " #/$def/PayloadUsernamePassword" # TODO
93+ headers :
94+ description : " HTTP headers needed when calling the login endpoint. \
95+ Username/password could be passed by headers instead of by the body payload."
96+ type : array
97+ items :
98+ $ref : " #/$def/Header"
99+ verb :
100+ description : " The verb used to connect to the login endpoint. \
101+ Most of the time, this will be a 'POST'."
102+ allOf :
103+ - $ref : " #/$def/HttpVerb"
104+ - type : string
105+ contentType :
106+ description : " Specify the format in which the payload is sent to the login endpoint. \
107+ A common example is 'application/json'."
108+ token :
109+ $ref : " #/$def/TokenHandling" # TODO
110+ expectCookies :
111+ description : " Specify if we are expecting to get cookies from the login endpoint. \
112+ If so, a fuzzer can use those as auth info in following requests, instead of trying to extract \
113+ an auth token from the response payload."
114+ type : boolean
115+ required : ["verb"]
116+ # ##
117+ TokenHandling :
118+ description : " Specify how to extract token from response, and how to use it for auth in following requests. \
119+ Not needed if rather expect to get back a cookie."
120+ type : object
121+ properties :
122+ # ## TODO
123+ # ##
124+ PayloadUsernamePassword :
125+ description : " Payload with username and password information. \
126+ It will be automatically formatted in a proper payload based on content type."
127+ type : object
128+ # ## TODO
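Review bot: `LoginEndpoint` (new lines 74-115) requires only `verb`, so a config with neither `endpoint` nor `externalEndpointURL`, or with both, validates even though the fuzzer would then have no (or an ambiguous) login target; the description on lines 81-83 already states that `externalEndpointURL` is the alternative to `endpoint`, so the schema should encode that, e.g. `oneOf: [{ required: ["endpoint"] }, { required: ["externalEndpointURL"] }]` placed next to `required: ["verb"]`. The same applies to `payloadRaw` and `payloadUserPwd` (lines 88-92), which can both be present with no rule for which one is sent. Two smaller points: `contentType` (lines 105-107) has a description but no `type: string`, and `verb`'s `allOf` (lines 102-104) repeats `type: string` that `HttpVerb` already declares, so `$ref: "#/$def/HttpVerb"` alone would do. The enclosing root schema, including whatever `$schema` it declares (which presumably decides whether validators honour `$def` rather than the standard `$defs`), lies outside the hunk.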