
Providing Authorization Information for Vertical Authorization Abuse Test Cases

Testing for vertical authorization abuse requires credentials for additional users, along with the role each of those users holds.

User role information for API endpoints is provided in the API catalog via the metadata.yml file. The metadata file lists the roles used by the API and records which roles apply to which API endpoints.

While the metadata file specifies the role information, the environment.yml file is where one or more users are provisioned for each role listed in the metadata file, together with their authentication credentials.

For example, if the metadata file specifies two roles (ROLE_USER and ROLE_ADMIN), the autogenerated environment.yml file has the structure below (assuming the default Bearer AuthN mechanism is in use).

# Environment file that contains users, roles and their Authentication
# mechanisms that will be used by the API endpoints.
iam:
  users:
    # List all the users, their roles, username and password,
    # if required, in this section.
    # The default flag should be true if this user should be used
    # as the default user for that role. If there are no roles,
    # only one user should have default: True.
    - name: user_1
      default: true # Default user for `ROLE_USER`
      bearer_tokens:
        - name: bearerAuth
          value: <Enter the bearer token>
      roles:
        - ROLE_USER
    - name: user_2
      bearer_tokens:
        - name: bearerAuth
          value: <Enter the bearer token>
      roles:
        - ROLE_ADMIN

Replace each <Enter the bearer token> placeholder with a valid token for that user before running the test cases; once filled in, the file holds live credentials for every role, so keep it out of version control and restrict who can read it. If more than one user is provisioned for a role, mark exactly one of them with default: true. If an authentication mechanism other than Bearer AuthN is used, modify the autogenerated YAML accordingly.
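The checks below are an added example of how to lint an environment.yml against the roles from metadata.yml before launching vertical authorization test cases; they are not part of the product's tooling. The example assumes the environment file has exactly the structure shown above (iam -> users -> name/default/bearer_tokens/roles), takes the metadata roles as a plain list because the metadata.yml format is not shown on this page, and embeds a constructed copy of the autogenerated file rather than reading it from disk, so that it runs without PyYAML. The rule that a role shared by several users must have one of them marked default is an assumption drawn from the comment in the generated file.

```python
import copy

# The autogenerated file leaves "<Enter the bearer token>" in every value;
# any value still starting with "<" is treated as an unfilled placeholder.
PLACEHOLDER_PREFIX = "<"


def check_environment(env, metadata_roles):
    """Return a list of problems; an empty list means the file is usable.

    Checks (from the page's description plus the comments in the file):
      * every role from metadata.yml has at least one user provisioned
      * no role has more than one default user; when several users share
        a role, one of them must be marked default (assumption)
      * when no roles are declared at all, exactly one user is default
      * every user has at least one bearer token with a real value
    """
    problems = []
    users = env.get("iam", {}).get("users", []) or []

    users_by_role = {}
    for u in users:
        for role in u.get("roles", []) or []:
            users_by_role.setdefault(role, []).append(u)

    for role in metadata_roles:
        members = users_by_role.get(role, [])
        if not members:
            problems.append(f"role {role} has no user provisioned")
            continue
        defaults = [u["name"] for u in members if u.get("default") is True]
        if len(defaults) > 1:
            problems.append(f"role {role} has several default users: {defaults}")
        elif len(members) > 1 and not defaults:
            problems.append(f"role {role} has {len(members)} users but no default")

    for role in users_by_role:
        if role not in metadata_roles:
            problems.append(f"user role {role} is not declared in metadata.yml")

    if not metadata_roles:
        defaults = [u["name"] for u in users if u.get("default") is True]
        if len(defaults) != 1:
            problems.append(f"no roles declared, so exactly one default user is expected, found {defaults}")

    for u in users:
        tokens = u.get("bearer_tokens", []) or []
        if not tokens:
            problems.append(f"user {u.get('name')} has no bearer token")
        for t in tokens:
            value = str(t.get("value", "") or "")
            if not value or value.startswith(PLACEHOLDER_PREFIX):
                problems.append(f"user {u.get('name')} token {t.get('name')} still has the placeholder value")
    return problems


def load_environment(path):
    """Parse a real environment.yml with PyYAML (imported lazily so the checks
    above stay dependency-free). PyYAML is assumed to be installed where this runs."""
    import yaml
    with open(path) as fh:
        return yaml.safe_load(fh)


# Constructed sample mirroring the autogenerated file on this page (the
# structure yaml.safe_load would produce), with placeholders still in place.
AUTOGENERATED_ENV = {
    "iam": {
        "users": [
            {"name": "user_1", "default": True,
             "bearer_tokens": [{"name": "bearerAuth", "value": "<Enter the bearer token>"}],
             "roles": ["ROLE_USER"]},
            {"name": "user_2",
             "bearer_tokens": [{"name": "bearerAuth", "value": "<Enter the bearer token>"}],
             "roles": ["ROLE_ADMIN"]},
        ]
    }
}
METADATA_ROLES = ["ROLE_USER", "ROLE_ADMIN"]  # constructed, as if read from metadata.yml


def with_tokens(env, token_by_user):
    """Return a copy of env with the named users' bearer token values filled in."""
    filled = copy.deepcopy(env)
    for u in filled["iam"]["users"]:
        if u["name"] in token_by_user:
            for t in u.get("bearer_tokens", []) or []:
                t["value"] = token_by_user[u["name"]]
    return filled


def without_user(env, name):
    """Return a copy of env with the named user removed."""
    trimmed = copy.deepcopy(env)
    trimmed["iam"]["users"] = [u for u in trimmed["iam"]["users"] if u["name"] != name]
    return trimmed


def clone_user(env, name, new_name):
    """Return a copy of env with the named user duplicated under new_name
    (same roles, tokens and default flag)."""
    extended = copy.deepcopy(env)
    source = next(u for u in extended["iam"]["users"] if u["name"] == name)
    twin = copy.deepcopy(source)
    twin["name"] = new_name
    extended["iam"]["users"].append(twin)
    return extended


if __name__ == "__main__":
    for p in check_environment(AUTOGENERATED_ENV, METADATA_ROLES):
        print("autogenerated:", p)
    ready = with_tokens(AUTOGENERATED_ENV, {"user_1": "tok-user", "user_2": "tok-admin"})
    print("filled in:", check_environment(ready, METADATA_ROLES) or "ok")
```

Run the checks on the real file with check_environment(load_environment("environment.yml"), roles) once the roles have been read from metadata.yml; a non-empty result means the vertical test cases would either skip a role or run with placeholder credentials.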