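package api4

import (
	"fmt"
	"net/http"
	"testing"
	"time"

	"github.com/mattermost/mattermost-server/model"
	"github.com/stretchr/testify/assert"
)

// Names of the CORS response headers inspected by TestCORSRequestHandling.
const (
	acAllowOrigin      = "Access-Control-Allow-Origin"
	acExposeHeaders    = "Access-Control-Expose-Headers"
	acMaxAge           = "Access-Control-Max-Age"
	acAllowCredentials = "Access-Control-Allow-Credentials"
	acAllowMethods     = "Access-Control-Allow-Methods"
	acAllowHeaders     = "Access-Control-Allow-Headers"
)

// corsTestClientTimeout bounds each request to the test server so that a hung
// server fails the subtest instead of blocking the whole test binary.
const corsTestClientTimeout = 10 * time.Second

// TestCORSRequestHandling sends a plain GET to /api/v4/system/ping under a set
// of CORS configurations and checks which Access-Control-* headers the server
// emits. Each case configures AllowCorsFrom, CorsExposedHeaders and
// CorsAllowCredentials, optionally adds an Origin header through
// ModifyRequest, and states the expected Allow-Origin, Expose-Headers and
// Allow-Credentials values. Max-Age, Allow-Methods and Allow-Headers are
// expected to be absent in every case: a simple GET is not a preflight, so
// the server has no reason to advertise them.
func TestCORSRequestHandling(t *testing.T) {
	for name, testcase := range map[string]struct {
		AllowCorsFrom            string
		CorsExposedHeaders       string
		CorsAllowCredentials     bool
		ModifyRequest            func(req *http.Request) // nil sends the request unchanged
		ExpectedAllowOrigin      string
		ExpectedExposeHeaders    string
		ExpectedAllowCredentials string
	}{
		"NoCORS": {},
		"CORSEnabled": {
			// CORS is configured but the request carries no Origin, so no
			// CORS headers are expected.
			AllowCorsFrom: "http://somewhere.com",
		},
		"CORSEnabledStarOrigin": {
			AllowCorsFrom: "*",
			ModifyRequest: func(req *http.Request) {
				req.Header.Set("Origin", "http://pre-release.mattermost.com")
			},
			ExpectedAllowOrigin: "*",
		},
		"CORSEnabledStarNoOrigin": { // CORS spec requires this, not a bug.
			AllowCorsFrom: "*",
		},
		"CORSEnabledMatching": {
			AllowCorsFrom: "http://mattermost.com",
			ModifyRequest: func(req *http.Request) {
				req.Header.Set("Origin", "http://mattermost.com")
			},
			ExpectedAllowOrigin: "http://mattermost.com",
		},
		"CORSEnabledMultiple": {
			// A space-separated allow list; only the matching entry is echoed.
			AllowCorsFrom: "http://spinmint.com http://mattermost.com",
			ModifyRequest: func(req *http.Request) {
				req.Header.Set("Origin", "http://mattermost.com")
			},
			ExpectedAllowOrigin: "http://mattermost.com",
		},
		"CORSEnabledWithCredentials": {
			AllowCorsFrom:        "http://mattermost.com",
			CorsAllowCredentials: true,
			ModifyRequest: func(req *http.Request) {
				req.Header.Set("Origin", "http://mattermost.com")
			},
			ExpectedAllowOrigin:      "http://mattermost.com",
			ExpectedAllowCredentials: "true",
		},
		"CORSEnabledWithHeaders": {
			// Configured header names are expected back canonicalised and
			// comma-separated.
			AllowCorsFrom:        "http://mattermost.com",
			CorsExposedHeaders:   "x-my-special-header x-blueberry",
			CorsAllowCredentials: true,
			ModifyRequest: func(req *http.Request) {
				req.Header.Set("Origin", "http://mattermost.com")
			},
			ExpectedAllowOrigin:      "http://mattermost.com",
			ExpectedExposeHeaders:    "X-My-Special-Header, X-Blueberry",
			ExpectedAllowCredentials: "true",
		},
	} {
		testcase := testcase // per-iteration copy for the subtest closure
		t.Run(name, func(t *testing.T) {
			th := SetupConfig(func(cfg *model.Config) {
				*cfg.ServiceSettings.AllowCorsFrom = testcase.AllowCorsFrom
				*cfg.ServiceSettings.CorsExposedHeaders = testcase.CorsExposedHeaders
				*cfg.ServiceSettings.CorsAllowCredentials = testcase.CorsAllowCredentials
			})
			defer th.TearDown()

			// %v keeps this independent of the concrete type of Port.
			pingURL := fmt.Sprintf("http://localhost:%v/api/v4/system/ping", th.App.Srv.ListenAddr.Port)

			req, err := http.NewRequest("GET", pingURL, nil)
			if err != nil {
				t.Fatal(err)
			}
			if testcase.ModifyRequest != nil {
				testcase.ModifyRequest(req)
			}

			client := &http.Client{Timeout: corsTestClientTimeout}
			resp, err := client.Do(req)
			if err != nil {
				t.Fatal(err)
			}
			// Release the connection before TearDown stops the server.
			defer resp.Body.Close()

			assert.Equal(t, http.StatusOK, resp.StatusCode)
			assert.Equal(t, testcase.ExpectedAllowOrigin, resp.Header.Get(acAllowOrigin))
			assert.Equal(t, testcase.ExpectedExposeHeaders, resp.Header.Get(acExposeHeaders))
			assert.Equal(t, "", resp.Header.Get(acMaxAge))
			assert.Equal(t, testcase.ExpectedAllowCredentials, resp.Header.Get(acAllowCredentials))
			assert.Equal(t, "", resp.Header.Get(acAllowMethods))
			assert.Equal(t, "", resp.Header.Get(acAllowHeaders))
		})
	}
}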