2019-01-17 07:01:06 -08:00
|
|
|
// Copyright 2016 The Prometheus Authors
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
package httputil
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
|
|
|
"testing"
|
2021-09-13 12:19:20 -07:00
|
|
|
|
2022-02-12 15:58:27 -08:00
|
|
|
"github.com/grafana/regexp"
|
2021-09-13 12:19:20 -07:00
|
|
|
"github.com/stretchr/testify/require"
|
2019-01-17 07:01:06 -08:00
|
|
|
)
|
|
|
|
|
|
|
|
func getCORSHandlerFunc() http.Handler {
|
|
|
|
hf := func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
reg := regexp.MustCompile(`^https://foo\.com$`)
|
|
|
|
SetCORS(w, reg, r)
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
}
|
|
|
|
return http.HandlerFunc(hf)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestCORSHandler(t *testing.T) {
|
|
|
|
tearDown := setup()
|
|
|
|
defer tearDown()
|
|
|
|
client := &http.Client{}
|
|
|
|
|
|
|
|
ch := getCORSHandlerFunc()
|
|
|
|
mux.Handle("/any_path", ch)
|
|
|
|
|
|
|
|
dummyOrigin := "https://foo.com"
|
|
|
|
|
|
|
|
// OPTIONS with legit origin
|
2024-04-08 12:26:23 -07:00
|
|
|
req, err := http.NewRequest(http.MethodOptions, server.URL+"/any_path", nil)
|
2021-09-13 12:19:20 -07:00
|
|
|
require.NoError(t, err, "could not create request")
|
2019-01-17 07:01:06 -08:00
|
|
|
|
|
|
|
req.Header.Set("Origin", dummyOrigin)
|
|
|
|
resp, err := client.Do(req)
|
2021-09-13 12:19:20 -07:00
|
|
|
require.NoError(t, err, "client get failed with unexpected error")
|
2019-01-17 07:01:06 -08:00
|
|
|
|
|
|
|
AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
|
|
|
|
|
2021-09-13 12:19:20 -07:00
|
|
|
require.Equal(t, dummyOrigin, AccessControlAllowOrigin, "expected Access-Control-Allow-Origin header")
|
2019-01-17 07:01:06 -08:00
|
|
|
|
|
|
|
// OPTIONS with bad origin
|
2024-04-08 12:26:23 -07:00
|
|
|
req, err = http.NewRequest(http.MethodOptions, server.URL+"/any_path", nil)
|
2021-09-13 12:19:20 -07:00
|
|
|
require.NoError(t, err, "could not create request")
|
2019-01-17 07:01:06 -08:00
|
|
|
|
|
|
|
req.Header.Set("Origin", "https://not-foo.com")
|
|
|
|
resp, err = client.Do(req)
|
2021-09-13 12:19:20 -07:00
|
|
|
require.NoError(t, err, "client get failed with unexpected error")
|
2019-01-17 07:01:06 -08:00
|
|
|
|
|
|
|
AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
|
2021-09-13 12:19:20 -07:00
|
|
|
require.Empty(t, AccessControlAllowOrigin, "Access-Control-Allow-Origin header should not exist but it was set")
|
2019-01-17 07:01:06 -08:00
|
|
|
}
|