Home Explore Help
Sign In
girishm
/
mattermost-server
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
mattermost-s...
/
api4
/
cors_test.go

cors_test.go 4.0 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157 
  1. // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
    2. 

  2. // See LICENSE.txt for license information.
    3. 

  3. 

  4. package api4
    5. 

  5. 

  6. import (
    7. 

  7. 	"fmt"
    8. 

  8. 	"net/http"
    9. 

  9. 	"testing"
    10. 

  10. 

  11. 	"github.com/mattermost/mattermost-server/v5/model"
    12. 

  12. 	"github.com/mattermost/mattermost-server/v5/store/storetest/mocks"
    13. 

  13. 	"github.com/stretchr/testify/assert"
    14. 

  14. 	"github.com/stretchr/testify/require"
    15. 

  15. )
    16. 

  16. 

  17. const (
    18. 

  18. 	acAllowOrigin      = "Access-Control-Allow-Origin"
    19. 

  19. 	acExposeHeaders    = "Access-Control-Expose-Headers"
    20. 

  20. 	acMaxAge           = "Access-Control-Max-Age"
    21. 

  21. 	acAllowCredentials = "Access-Control-Allow-Credentials"
    22. 

  22. 	acAllowMethods     = "Access-Control-Allow-Methods"
    23. 

  23. 	acAllowHeaders     = "Access-Control-Allow-Headers"
    24. 

  24. )
    25. 

  25. 

  26. func TestCORSRequestHandling(t *testing.T) {
    27. 

  27. 	for name, testcase := range map[string]struct {
    28. 

  28. 		AllowCorsFrom            string
    29. 

  29. 		CorsExposedHeaders       string
    30. 

  30. 		CorsAllowCredentials     bool
    31. 

  31. 		ModifyRequest            func(req *http.Request)
    32. 

  32. 		ExpectedAllowOrigin      string
    33. 

  33. 		ExpectedExposeHeaders    string
    34. 

  34. 		ExpectedAllowCredentials string
    35. 

  35. 	}{
    36. 

  36. 		"NoCORS": {
    37. 

  37. 			"",
    38. 

  38. 			"",
    39. 

  39. 			false,
    40. 

  40. 			func(req *http.Request) {
    41. 

  41. 			},
    42. 

  42. 			"",
    43. 

  43. 			"",
    44. 

  44. 			"",
    45. 

  45. 		},
    46. 

  46. 		"CORSEnabled": {
    47. 

  47. 			"http://somewhere.com",
    48. 

  48. 			"",
    49. 

  49. 			false,
    50. 

  50. 			func(req *http.Request) {
    51. 

  51. 			},
    52. 

  52. 			"",
    53. 

  53. 			"",
    54. 

  54. 			"",
    55. 

  55. 		},
    56. 

  56. 		"CORSEnabledStarOrigin": {
    57. 

  57. 			"*",
    58. 

  58. 			"",
    59. 

  59. 			false,
    60. 

  60. 			func(req *http.Request) {
    61. 

  61. 				req.Header.Set("Origin", "http://pre-release.mattermost.com")
    62. 

  62. 			},
    63. 

  63. 			"*",
    64. 

  64. 			"",
    65. 

  65. 			"",
    66. 

  66. 		},
    67. 

  67. 		"CORSEnabledStarNoOrigin": { // CORS spec requires this, not a bug.
    68. 

  68. 			"*",
    69. 

  69. 			"",
    70. 

  70. 			false,
    71. 

  71. 			func(req *http.Request) {
    72. 

  72. 			},
    73. 

  73. 			"",
    74. 

  74. 			"",
    75. 

  75. 			"",
    76. 

  76. 		},
    77. 

  77. 		"CORSEnabledMatching": {
    78. 

  78. 			"http://mattermost.com",
    79. 

  79. 			"",
    80. 

  80. 			false,
    81. 

  81. 			func(req *http.Request) {
    82. 

  82. 				req.Header.Set("Origin", "http://mattermost.com")
    83. 

  83. 			},
    84. 

  84. 			"http://mattermost.com",
    85. 

  85. 			"",
    86. 

  86. 			"",
    87. 

  87. 		},
    88. 

  88. 		"CORSEnabledMultiple": {
    89. 

  89. 			"http://spinmint.com http://mattermost.com",
    90. 

  90. 			"",
    91. 

  91. 			false,
    92. 

  92. 			func(req *http.Request) {
    93. 

  93. 				req.Header.Set("Origin", "http://mattermost.com")
    94. 

  94. 			},
    95. 

  95. 			"http://mattermost.com",
    96. 

  96. 			"",
    97. 

  97. 			"",
    98. 

  98. 		},
    99. 

  99. 		"CORSEnabledWithCredentials": {
    100. 

  100. 			"http://mattermost.com",
    101. 

  101. 			"",
    102. 

  102. 			true,
    103. 

  103. 			func(req *http.Request) {
    104. 

  104. 				req.Header.Set("Origin", "http://mattermost.com")
    105. 

  105. 			},
    106. 

  106. 			"http://mattermost.com",
    107. 

  107. 			"",
    108. 

  108. 			"true",
    109. 

  109. 		},
    110. 

  110. 		"CORSEnabledWithHeaders": {
    111. 

  111. 			"http://mattermost.com",
    112. 

  112. 			"x-my-special-header x-blueberry",
    113. 

  113. 			true,
    114. 

  114. 			func(req *http.Request) {
    115. 

  115. 				req.Header.Set("Origin", "http://mattermost.com")
    116. 

  116. 			},
    117. 

  117. 			"http://mattermost.com",
    118. 

  118. 			"X-My-Special-Header, X-Blueberry",
    119. 

  119. 			"true",
    120. 

  120. 		},
    121. 

  121. 	} {
    122. 

  122. 		t.Run(name, func(t *testing.T) {
    123. 

  123. 			th := SetupConfigWithStoreMock(t, func(cfg *model.Config) {
    124. 

  124. 				*cfg.ServiceSettings.AllowCorsFrom = testcase.AllowCorsFrom
    125. 

  125. 				*cfg.ServiceSettings.CorsExposedHeaders = testcase.CorsExposedHeaders
    126. 

  126. 				*cfg.ServiceSettings.CorsAllowCredentials = testcase.CorsAllowCredentials
    127. 

  127. 			})
    128. 

  128. 			defer th.TearDown()
    129. 

  129. 			systemStore := mocks.SystemStore{}
    130. 

  130. 			systemStore.On("Get").Return(make(model.StringMap), nil)
    131. 

  131. 			licenseStore := mocks.LicenseStore{}
    132. 

  132. 			licenseStore.On("Get", "").Return(&model.LicenseRecord{}, nil)
    133. 

  133. 			th.App.Srv().Store.(*mocks.Store).On("System").Return(&systemStore)
    134. 

  134. 			th.App.Srv().Store.(*mocks.Store).On("License").Return(&licenseStore)
    135. 

  135. 

  136. 			port := th.App.Srv().ListenAddr.Port
    137. 

  137. 			host := fmt.Sprintf("http://localhost:%v", port)
    138. 

  138. 			url := fmt.Sprintf("%v/api/v4/system/ping", host)
    139. 

  139. 

  140. 			req, err := http.NewRequest("GET", url, nil)
    141. 

  141. 			require.NoError(t, err)
    142. 

  142. 			testcase.ModifyRequest(req)
    143. 

  143. 

  144. 			client := &http.Client{}
    145. 

  145. 			resp, err := client.Do(req)
    146. 

  146. 			require.NoError(t, err)
    147. 

  147. 			assert.Equal(t, http.StatusOK, resp.StatusCode)
    148. 

  148. 			assert.Equal(t, testcase.ExpectedAllowOrigin, resp.Header.Get(acAllowOrigin))
    149. 

  149. 			assert.Equal(t, testcase.ExpectedExposeHeaders, resp.Header.Get(acExposeHeaders))
    150. 

  150. 			assert.Equal(t, "", resp.Header.Get(acMaxAge))
    151. 

  151. 			assert.Equal(t, testcase.ExpectedAllowCredentials, resp.Header.Get(acAllowCredentials))
    152. 

  152. 			assert.Equal(t, "", resp.Header.Get(acAllowMethods))
    153. 

  153. 			assert.Equal(t, "", resp.Header.Get(acAllowHeaders))
    154. 

  154. 		})
    155. 

  155. 	}
    156. 

  156. }
    157. 

  157.