Endava / cats

CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.
Apache License 2.0

NamingsContractInfoFuzzer does not allow operations in path names because they are in singular form #6

Closed sebipirpi closed 3 years ago

sebipirpi commented 3 years ago

Since not all actions are logically linked to CRUD operations, you should be allowed to have endpoints which end with an operation name rather than a resource, in case the action is isolated.

https://www.finextra.com/blogposting/16402/nouns-and-verbs-in-the-world-of-apis

https://plonerestapi.readthedocs.io/en/latest/conventions.html

e.g. /devices/{id}/alerts/{id}/resend

CATS does not accommodate this approach, since it checks if the path ends with a plural noun, even if the beginning includes one which identifies a resource, in the case above, "alerts".

sebipirpi commented 3 years ago

I think this should also be allowed when the second to last path element is not a resource identifier, for operations such as "calculations/add", "encryptions/encrypt_using_aes"

en-milie commented 3 years ago

The second example is not valid. This shouldn't be seen as a good practice. What you should do is a POST on /encryptions with {algorithm: AES, payload: ....}. The first example, indeed, matches the controller use case. I'll update the matchers.

en-milie commented 3 years ago

This is now fixed in v5.2.9. Thanks @sebipirpi for reporting this.

sebipirpi commented 3 years ago

No problem. Thank you @en-milie for addressing it so quickly!
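
The naming rule this thread converges on, written out as an added example (this is not CATS's own matcher code, nor code from any participant): a path may end in a plural resource, a resource identifier, or a singular action that directly follows an identified resource. The function names and the plural heuristic (a single alphabetic word ending in "s") are assumptions made for illustration.

```python
import re

PARAM = re.compile(r"\{[^{}]+\}")  # an OpenAPI path parameter such as {id}


def is_plural(segment: str) -> bool:
    # Assumption: a resource name is one alphabetic word ending in a single "s".
    # Snake-case operation names such as encrypt_using_aes therefore do not count.
    return bool(re.fullmatch(r"[A-Za-z]+s", segment)) and not segment.endswith("ss")


def check_path(path: str) -> tuple[bool, str]:
    """Return (accepted, reason) for one OpenAPI path."""
    segments = [s for s in path.split("/") if s]
    if not segments:
        return False, "empty path"
    last = segments[-1]
    if PARAM.fullmatch(last):
        # /alerts/{id}: the identifier must select an item of a plural collection
        if len(segments) >= 2 and is_plural(segments[-2]):
            return True, "resource instance"
        return False, "identifier does not follow a plural resource"
    if is_plural(last):
        return True, "resource collection"
    # Singular final segment: accepted only as a controller action applied to
    # an identified resource, i.e. .../<plural>/{id}/<action>
    if (len(segments) >= 3 and PARAM.fullmatch(segments[-2])
            and is_plural(segments[-3])):
        return True, "controller action on identified resource"
    return False, "singular final segment without a preceding resource identifier"


def lint(paths):
    """Return the (path, reason) pairs that violate the naming rule."""
    return [(p, reason) for p in paths
            for ok, reason in [check_path(p)] if not ok]


# Constructed sample: the three paths quoted in the thread plus two plain resources.
SAMPLE = [
    "/devices/{id}/alerts/{id}/resend",
    "/calculations/add",
    "/encryptions/encrypt_using_aes",
    "/encryptions",
    "/devices/{id}",
]

if __name__ == "__main__":
    for path, reason in lint(SAMPLE):
        print(f"{path}: {reason}")
```

Real pluralisation (irregular nouns, kebab-case resource names) needs a proper inflection check; the heuristic here only covers the shapes discussed above.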