github.com/kongr45gpen/mattermost-server@v5.11.1+incompatible/api4/cors_test.go (about)

     1  package api4
     2  
     3  import (
     4  	"fmt"
     5  	"net/http"
     6  	"testing"
     7  
     8  	"github.com/mattermost/mattermost-server/model"
     9  	"github.com/stretchr/testify/assert"
    10  )
    11  
// Names of the CORS response headers inspected by the tests in this file.
const (
	// Headers that can appear on the response to any cross-origin request.
	acAllowOrigin      = "Access-Control-Allow-Origin"
	acAllowCredentials = "Access-Control-Allow-Credentials"
	acExposeHeaders    = "Access-Control-Expose-Headers"

	// Headers that only make sense on the response to a preflight request.
	acAllowMethods = "Access-Control-Allow-Methods"
	acAllowHeaders = "Access-Control-Allow-Headers"
	acMaxAge       = "Access-Control-Max-Age"
)
    20  
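// TestCORSRequestHandling checks which CORS response headers the API server
// returns for a simple (non-preflight) GET to /api/v4/system/ping under
// different AllowCorsFrom, CorsExposedHeaders and CorsAllowCredentials
// settings.
//
// Each case starts its own server through SetupConfig, sends one request
// (optionally carrying an Origin header) and compares the response headers
// with the expected values. The preflight-only headers (Max-Age,
// Allow-Methods, Allow-Headers) are asserted to be absent in every case
// because the request is never an OPTIONS preflight.
func TestCORSRequestHandling(t *testing.T) {
	// withOrigin builds a request modifier that sets the Origin header.
	withOrigin := func(origin string) func(req *http.Request) {
		return func(req *http.Request) {
			req.Header.Set("Origin", origin)
		}
	}
	// noOrigin leaves the request untouched, i.e. a same-origin style request.
	noOrigin := func(req *http.Request) {}

	for name, testcase := range map[string]struct {
		AllowCorsFrom            string
		CorsExposedHeaders       string
		CorsAllowCredentials     bool
		ModifyRequest            func(req *http.Request)
		ExpectedAllowOrigin      string
		ExpectedExposeHeaders    string
		ExpectedAllowCredentials string
	}{
		"NoCORS": {
			AllowCorsFrom: "",
			ModifyRequest: noOrigin,
		},
		"CORSEnabled": {
			AllowCorsFrom: "http://somewhere.com",
			ModifyRequest: noOrigin,
		},
		"CORSEnabledStarOrigin": {
			AllowCorsFrom:       "*",
			ModifyRequest:       withOrigin("http://pre-release.mattermost.com"),
			ExpectedAllowOrigin: "*",
		},
		"CORSEnabledStarNoOrigin": { // CORS spec requires this, not a bug.
			AllowCorsFrom: "*",
			ModifyRequest: noOrigin,
		},
		"CORSEnabledMatching": {
			AllowCorsFrom:       "http://mattermost.com",
			ModifyRequest:       withOrigin("http://mattermost.com"),
			ExpectedAllowOrigin: "http://mattermost.com",
		},
		"CORSEnabledMultiple": {
			AllowCorsFrom:       "http://spinmint.com http://mattermost.com",
			ModifyRequest:       withOrigin("http://mattermost.com"),
			ExpectedAllowOrigin: "http://mattermost.com",
		},
		"CORSEnabledWithCredentials": {
			AllowCorsFrom:            "http://mattermost.com",
			CorsAllowCredentials:     true,
			ModifyRequest:            withOrigin("http://mattermost.com"),
			ExpectedAllowOrigin:      "http://mattermost.com",
			ExpectedAllowCredentials: "true",
		},
		"CORSEnabledWithHeaders": {
			AllowCorsFrom:            "http://mattermost.com",
			CorsExposedHeaders:       "x-my-special-header x-blueberry",
			CorsAllowCredentials:     true,
			ModifyRequest:            withOrigin("http://mattermost.com"),
			ExpectedAllowOrigin:      "http://mattermost.com",
			ExpectedExposeHeaders:    "X-My-Special-Header, X-Blueberry",
			ExpectedAllowCredentials: "true",
		},
		// Negative case: an Origin that is not on the allow list must not be
		// reflected, and no credentials or expose headers may be granted to it,
		// even though credentials are enabled for the allowed origin.
		"CORSEnabledNonMatchingOrigin": {
			AllowCorsFrom:        "http://mattermost.com",
			CorsExposedHeaders:   "x-my-special-header",
			CorsAllowCredentials: true,
			ModifyRequest:        withOrigin("http://not-allowed.example.com"),
		},
	} {
		// The subtest does not call t.Parallel, so t.Run returns before the
		// loop variable is reassigned and capturing testcase is safe.
		t.Run(name, func(t *testing.T) {
			th := SetupConfig(func(cfg *model.Config) {
				*cfg.ServiceSettings.AllowCorsFrom = testcase.AllowCorsFrom
				*cfg.ServiceSettings.CorsExposedHeaders = testcase.CorsExposedHeaders
				*cfg.ServiceSettings.CorsAllowCredentials = testcase.CorsAllowCredentials
			})
			defer th.TearDown()

			port := th.App.Srv.ListenAddr.Port
			host := fmt.Sprintf("http://localhost:%v", port)
			url := fmt.Sprintf("%v/api/v4/system/ping", host)

			req, err := http.NewRequest("GET", url, nil)
			if err != nil {
				t.Fatal(err)
			}
			testcase.ModifyRequest(req)

			client := &http.Client{}
			resp, err := client.Do(req)
			if err != nil {
				t.Fatal(err)
			}
			// Close the body so the connection is released before TearDown
			// shuts the server down.
			defer resp.Body.Close()

			assert.Equal(t, http.StatusOK, resp.StatusCode)
			assert.Equal(t, testcase.ExpectedAllowOrigin, resp.Header.Get(acAllowOrigin))
			assert.Equal(t, testcase.ExpectedExposeHeaders, resp.Header.Get(acExposeHeaders))
			assert.Equal(t, "", resp.Header.Get(acMaxAge))
			assert.Equal(t, testcase.ExpectedAllowCredentials, resp.Header.Get(acAllowCredentials))
			assert.Equal(t, "", resp.Header.Get(acAllowMethods))
			assert.Equal(t, "", resp.Header.Get(acAllowHeaders))
		})
	}
}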