123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395 |
- <?php
- namespace Asm89\Stack;
- use PHPUnit_Framework_TestCase;
- use Symfony\Component\HttpKernel\HttpKernelInterface;
- use Symfony\Component\HttpFoundation\Request;
- use Symfony\Component\HttpFoundation\Response;
- class CorsTest extends PHPUnit_Framework_TestCase
- {
- /**
- * @test
- */
- public function it_does_not_modify_on_a_request_without_origin()
- {
- $app = $this->createStackedApp();
- $unmodifiedResponse = new Response();
- $response = $app->handle(new Request());
- $this->assertEquals($unmodifiedResponse->headers, $response->headers);
- }
- /**
- * @test
- */
- public function it_returns_403_on_valid_actual_request_with_origin_not_allowed()
- {
- $app = $this->createStackedApp(array('allowedOrigins' => array('notlocalhost')));
- $request = $this->createValidActualRequest();
- $response = $app->handle($request);
- $this->assertEquals(403, $response->getStatusCode());
- }
- /**
- * @test
- */
- public function it_returns_allow_origin_header_on_valid_actual_request()
- {
- $app = $this->createStackedApp();
- $request = $this->createValidActualRequest();
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Access-Control-Allow-Origin'));
- $this->assertEquals('localhost', $response->headers->get('Access-Control-Allow-Origin'));
- }
- /**
- * @test
- */
- public function it_returns_allow_origin_header_on_allow_all_origin_request()
- {
- $app = $this->createStackedApp(array('allowedOrigins' => array('*')));
- $request = new Request();
- $request->headers->set('Origin', 'http://localhost');
- $response = $app->handle($request);
- $this->assertEquals(200, $response->getStatusCode());
- $this->assertTrue($response->headers->has('Access-Control-Allow-Origin'));
- $this->assertEquals('http://localhost', $response->headers->get('Access-Control-Allow-Origin'));
- }
- /**
- * @test
- */
- public function it_returns_allow_headers_header_on_allow_all_headers_request()
- {
- $app = $this->createStackedApp(array('allowedHeaders' => array('*')));
- $request = $this->createValidPreflightRequest();
- $request->headers->set('Access-Control-Request-Headers', 'Foo, BAR');
- $response = $app->handle($request);
- $this->assertEquals(200, $response->getStatusCode());
- $this->assertEquals('FOO, BAR', $response->headers->get('Access-Control-Allow-Headers'));
- }
- /**
- * @test
- */
- public function it_does_not_return_allow_origin_header_on_valid_actual_request_with_origin_not_allowed()
- {
- $app = $this->createStackedApp(array('allowedOrigins' => array('notlocalhost')));
- $request = $this->createValidActualRequest();
- $response = $app->handle($request);
- $this->assertFalse($response->headers->has('Access-Control-Allow-Origin'));
- }
- /**
- * @test
- */
- public function it_sets_allow_credentials_header_when_flag_is_set_on_valid_actual_request()
- {
- $app = $this->createStackedApp(array('supportsCredentials' => true));
- $request = $this->createValidActualRequest();
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Access-Control-Allow-Credentials'));
- $this->assertEquals('true', $response->headers->get('Access-Control-Allow-Credentials'));
- }
- /**
- * @test
- */
- public function it_does_not_set_allow_credentials_header_when_flag_is_not_set_on_valid_actual_request()
- {
- $app = $this->createStackedApp();
- $request = $this->createValidActualRequest();
- $response = $app->handle($request);
- $this->assertFalse($response->headers->has('Access-Control-Allow-Credentials'));
- }
- /**
- * @test
- */
- public function it_sets_exposed_headers_when_configured_on_actual_request()
- {
- $app = $this->createStackedApp(array('exposedHeaders' => array('x-exposed-header', 'x-another-exposed-header')));
- $request = $this->createValidActualRequest();
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Access-Control-Expose-Headers'));
- $this->assertEquals('x-exposed-header, x-another-exposed-header', $response->headers->get('Access-Control-Expose-Headers'));
- }
- /**
- * @test
- * @see http://www.w3.org/TR/cors/index.html#resource-implementation
- */
- public function it_adds_a_vary_header()
- {
- $app = $this->createStackedApp();
- $request = $this->createValidActualRequest();
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Vary'));
- $this->assertEquals('Origin', $response->headers->get('Vary'));
- }
- /**
- * @test
- * @see http://www.w3.org/TR/cors/index.html#resource-implementation
- */
- public function it_appends_an_existing_vary_header()
- {
- $app = $this->createStackedApp(array(), array('Vary' => 'Content-Type'));
- $request = $this->createValidActualRequest();
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Vary'));
- $this->assertEquals('Content-Type, Origin', $response->headers->get('Vary'));
- }
- /**
- * @test
- */
- public function it_returns_access_control_headers_on_cors_request()
- {
- $app = $this->createStackedApp();
- $request = new Request();
- $request->headers->set('Origin', 'localhost');
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Access-Control-Allow-Origin'));
- $this->assertEquals('localhost', $response->headers->get('Access-Control-Allow-Origin'));
- }
- /**
- * @test
- */
- public function it_returns_access_control_headers_on_valid_preflight_request()
- {
- $app = $this->createStackedApp();
- $request = $this->createValidPreflightRequest();
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Access-Control-Allow-Origin'));
- $this->assertEquals('localhost', $response->headers->get('Access-Control-Allow-Origin'));
- }
- /**
- * @test
- */
- public function it_returns_403_on_valid_preflight_request_with_origin_not_allowed()
- {
- $app = $this->createStackedApp(array('allowedOrigins' => array('notlocalhost')));
- $request = $this->createValidPreflightRequest();
- $response = $app->handle($request);
- $this->assertEquals(403, $response->getStatusCode());
- }
- /**
- * @test
- */
- public function it_does_not_modify_request_with_origin_not_allowed()
- {
- $passedOptions = array(
- 'allowedOrigins' => array('notlocalhost'),
- );
- $service = new CorsService($passedOptions);
- $request = $this->createValidActualRequest();
- $response = new Response();
- $service->addActualRequestHeaders($response, $request);
- $this->assertEquals($response, new Response());
- }
- /**
- * @test
- */
- public function it_returns_405_on_valid_preflight_request_with_method_not_allowed()
- {
- $app = $this->createStackedApp(array('allowedMethods' => array('put')));
- $request = $this->createValidPreflightRequest();
- $response = $app->handle($request);
- $this->assertEquals(405, $response->getStatusCode());
- }
- /**
- * @test
- */
- public function it_allow_methods_on_valid_preflight_request()
- {
- $app = $this->createStackedApp(array('allowedMethods' => array('get', 'put')));
- $request = $this->createValidPreflightRequest();
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Access-Control-Allow-Methods'));
- // it will uppercase the methods
- $this->assertEquals('GET, PUT', $response->headers->get('Access-Control-Allow-Methods'));
- }
- /**
- * @test
- */
- public function it_returns_valid_preflight_request_with_allow_methods_all()
- {
- $app = $this->createStackedApp(array('allowedMethods' => array('*')));
- $request = $this->createValidPreflightRequest();
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Access-Control-Allow-Methods'));
- // it will return the Access-Control-Request-Method pass in the request
- $this->assertEquals('GET', $response->headers->get('Access-Control-Allow-Methods'));
- }
- /**
- * @test
- */
- public function it_returns_403_on_valid_preflight_request_with_one_of_the_requested_headers_not_allowed()
- {
- $app = $this->createStackedApp();
- $request = $this->createValidPreflightRequest();
- $request->headers->set('Access-Control-Request-Headers', 'x-not-allowed-header');
- $response = $app->handle($request);
- $this->assertEquals(403, $response->getStatusCode());
- }
- /**
- * @test
- */
- public function it_returns_ok_on_valid_preflight_request_with_requested_headers_allowed()
- {
- $app = $this->createStackedApp();
- $requestHeaders = 'X-Allowed-Header, x-other-allowed-header';
- $request = $this->createValidPreflightRequest();
- $request->headers->set('Access-Control-Request-Headers', $requestHeaders);
- $response = $app->handle($request);
- $this->assertEquals(200, $response->getStatusCode());
- $this->assertTrue($response->headers->has('Access-Control-Allow-Headers'));
- // the response will have the "allowedHeaders" value passed to Cors rather than the request one
- $this->assertEquals('x-allowed-header, x-other-allowed-header', $response->headers->get('Access-Control-Allow-Headers'));
- }
- /**
- * @test
- */
- public function it_sets_allow_credentials_header_when_flag_is_set_on_valid_preflight_request()
- {
- $app = $this->createStackedApp(array('supportsCredentials' => true));
- $request = $this->createValidPreflightRequest();
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Access-Control-Allow-Credentials'));
- $this->assertEquals('true', $response->headers->get('Access-Control-Allow-Credentials'));
- }
- /**
- * @test
- */
- public function it_does_not_set_allow_credentials_header_when_flag_is_not_set_on_valid_preflight_request()
- {
- $app = $this->createStackedApp();
- $request = $this->createValidPreflightRequest();
- $response = $app->handle($request);
- $this->assertFalse($response->headers->has('Access-Control-Allow-Credentials'));
- }
- /**
- * @test
- */
- public function it_sets_max_age_when_set()
- {
- $app = $this->createStackedApp(array('maxAge' => 42));
- $request = $this->createValidPreflightRequest();
- $response = $app->handle($request);
- $this->assertTrue($response->headers->has('Access-Control-Max-Age'));
- $this->assertEquals(42, $response->headers->get('Access-Control-Max-Age'));
- }
- private function createValidActualRequest()
- {
- $request = new Request();
- $request->headers->set('Origin', 'localhost');
- return $request;
- }
- private function createValidPreflightRequest()
- {
- $request = new Request();
- $request->headers->set('Origin', 'localhost');
- $request->headers->set('Access-Control-Request-Method', 'get');
- $request->setMethod('OPTIONS');
- return $request;
- }
- private function createStackedApp(array $options = array(), array $responseHeaders = array())
- {
- $passedOptions = array_merge(array(
- 'allowedHeaders' => array('x-allowed-header', 'x-other-allowed-header'),
- 'allowedMethods' => array('delete', 'get', 'post', 'put'),
- 'allowedOrigins' => array('localhost'),
- 'exposedHeaders' => false,
- 'maxAge' => false,
- 'supportsCredentials' => false,
- ),
- $options
- );
- return new Cors(new MockApp($responseHeaders), $passedOptions);
- }
- }
- class MockApp implements HttpKernelInterface
- {
- private $responseHeaders;
- public function __construct(array $responseHeaders)
- {
- $this->responseHeaders = $responseHeaders;
- }
- public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQUEST, $catch = true)
- {
- $response = new Response();
- $response->headers->add($this->responseHeaders);
- return $response;
- }
- }
|