Merge pull request #942 from EMResearch/auth-mock-flag

Auth mock flag
WebFuzzing · Mar 28, 2024 · bdf239f · bdf239f
2 parents b146420 + 7a7c238
commit bdf239f
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/...pi/src/main/java/org/evomaster/client/java/controller/api/dto/auth/AuthenticationDto.java b/...pi/src/main/java/org/evomaster/client/java/controller/api/dto/auth/AuthenticationDto.java
@@ -15,6 +15,16 @@ public class AuthenticationDto {
      */
     public String name;
 
+    /**
+     * Specify that the authentication for this user requires setting up mock responses from external services
+     * in the API.
+     * This will be done as part of the fuzzing, although only possible for white-box testing.
+     *
+     * One consequence here is that, even if we provide correct auth info as input, then a request might still
+     * fail due to unauthorized access if the fuzzing process does not properly set up these mocked responses in the API itself.
+     */
+    public Boolean requireMockHandling;
+
     /**
      * The headers needed for authentication.
      * This is used to represent cases in which auth info is static/fixed,

diff --git a/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/HttpWsAuthenticationInfo.kt b/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/HttpWsAuthenticationInfo.kt
@@ -24,7 +24,8 @@ open class HttpWsAuthenticationInfo(
      * Represent call done to a login endpoint, from which a token or cookie is extracted
      * for auth in following requests.
      */
-    val endpointCallLogin: EndpointCallLogin?
+    val endpointCallLogin: EndpointCallLogin?,
+    val requireMockHandling: Boolean
 ): AuthenticationInfo(name) {
 
     init {
@@ -65,7 +66,9 @@ open class HttpWsAuthenticationInfo(
                 null
             }
 
-           return HttpWsAuthenticationInfo(dto.name.trim(), headers, endpointCallLogin)
+            val requireMockHandling = dto.requireMockHandling != null && dto.requireMockHandling
+
+           return HttpWsAuthenticationInfo(dto.name.trim(), headers, endpointCallLogin, requireMockHandling)
         }
     }
 

diff --git a/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/HttpWsNoAuth.kt b/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/HttpWsNoAuth.kt
@@ -3,4 +3,4 @@ package org.evomaster.core.problem.httpws.auth
 import org.evomaster.core.problem.enterprise.auth.NoAuth
 
 
-class HttpWsNoAuth : HttpWsAuthenticationInfo("NoAuth", listOf(), null), NoAuth
+class HttpWsNoAuth : HttpWsAuthenticationInfo("NoAuth", listOf(), null, false), NoAuth
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/service/AbstractRestFitness.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/service/AbstractRestFitness.kt
@@ -559,7 +559,7 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
             }
         }
 
-        if (response.status == 401 && a.auth !is NoAuth) {
+        if (response.status == 401 && a.auth !is NoAuth && !a.auth.requireMockHandling) {
             /*
                 if the endpoint itself is to get auth info, we might exclude auth check for it
                 eg,
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3,4 +3,4 @@ package org.evomaster.core.problem.httpws.auth
		import org.evomaster.core.problem.enterprise.auth.NoAuth


		class HttpWsNoAuth : HttpWsAuthenticationInfo("NoAuth", listOf(), null), NoAuth
		class HttpWsNoAuth : HttpWsAuthenticationInfo("NoAuth", listOf(), null, false), NoAuth
-Original file line number
+Diff line change
@@ Expand Up @@
                 }
             }
-            if (response.status == 401 && a.auth !is NoAuth) {
+            if (response.status == 401 && a.auth !is NoAuth && !a.auth.requireMockHandling) {
                 /*
                     if the endpoint itself is to get auth info, we might exclude auth check for it
                     eg,
@@ Expand Down @@