public async Task Invoke_HasEndpointWithEnableMetadata_HasSignificantDisableCors_ReturnsNoContentForPreflightRequest()
{
// Arrange
var corsService = Mock.Of <ICorsService>();
var policyProvider = Mock.Of <ICorsPolicyProvider>();
var loggerFactory = NullLoggerFactory.Instance;
var middleware = new CorsMiddleware(
c => { throw new Exception("Should not be called."); },
corsService,
loggerFactory,
"DefaultPolicyName");
var httpContext = new DefaultHttpContext();
httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new EnableCorsAttribute(), new DisableCorsAttribute()), "Test endpoint"));
httpContext.Request.Method = "OPTIONS";
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
httpContext.Request.Headers.Add(CorsConstants.AccessControlRequestMethod, new[] { "GET" });
// Act
await middleware.Invoke(httpContext, policyProvider);
// Assert
Assert.Equal(StatusCodes.Status204NoContent, httpContext.Response.StatusCode);
}
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(opts =>
{
var corsMw = new CorsMiddleware(opts);
corsMw.AddAllowAllOriginsPolicy();
});
services.AddMvc(
setupAction =>
{
setupAction.ReturnHttpNotAcceptable = true;
setupAction.OutputFormatters.Add(new XmlDataContractSerializerOutputFormatter());
setupAction.InputFormatters.Add(new XmlDataContractSerializerInputFormatter());
});
services.AddScoped <IUsersService>(provider => new UsersService(new DateTimeProvider(), new UsersRepository()));
services.AddScoped <IEventsService>(provider => new EventsService(new EventsRepository()));
services.AddSingleton <IActionContextAccessor, ActionContextAccessor>();
services.AddScoped <IUrlHelper, UrlHelper>(implementationFactory =>
{
var actionContext = implementationFactory.GetService <IActionContextAccessor>().ActionContext;
return(new UrlHelper(actionContext));
});
// Register the Swagger generator, defining 1 or more Swagger documents
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info {
Title = "Example API", Version = "v1"
});
c.OperationFilter <ExamplesOperationFilter>();
});
}
public async Task Invoke_HasEndpointWithMutlipleMetadata_SkipCorsBecauseOfMetadataOrder()
{
// Arrange
var corsService = Mock.Of <ICorsService>();
var mockProvider = new Mock <ICorsPolicyProvider>();
var loggerFactory = NullLoggerFactory.Instance;
mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()))
.Returns(Task.FromResult <CorsPolicy>(null))
.Verifiable();
var middleware = new CorsMiddleware(
Mock.Of <RequestDelegate>(),
corsService,
loggerFactory,
"DefaultPolicyName");
var httpContext = new DefaultHttpContext();
httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new EnableCorsAttribute("MetadataPolicyName"), new DisableCorsAttribute()), "Test endpoint"));
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
// Act
await middleware.Invoke(httpContext, mockProvider.Object);
// Assert
mockProvider.Verify(
o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()),
Times.Never);
}
public async Task Uses_PolicyProvider_AsFallback()
{
// Arrange
var corsService = Mock.Of <ICorsService>();
var mockProvider = new Mock <ICorsPolicyProvider>();
mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()))
.Returns(Task.FromResult <CorsPolicy>(null))
.Verifiable();
var middleware = new CorsMiddleware(
Mock.Of <RequestDelegate>(),
corsService,
mockProvider.Object,
policyName: null);
var httpContext = new DefaultHttpContext();
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
// Act
await middleware.Invoke(httpContext);
// Assert
mockProvider.Verify(
o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()),
Times.Once);
}
public async Task DoesNotSetHeaders_ForNoPolicy()
{
// Arrange
var corsService = Mock.Of <ICorsService>();
var mockProvider = new Mock <ICorsPolicyProvider>();
var loggerFactory = NullLoggerFactory.Instance;
mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()))
.Returns(Task.FromResult <CorsPolicy>(null))
.Verifiable();
var middleware = new CorsMiddleware(
Mock.Of <RequestDelegate>(),
corsService,
loggerFactory,
policyName: null);
var httpContext = new DefaultHttpContext();
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
// Act
await middleware.Invoke(httpContext, mockProvider.Object);
// Assert
Assert.Equal(200, httpContext.Response.StatusCode);
Assert.Empty(httpContext.Response.Headers);
mockProvider.Verify(
o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()),
Times.Once);
}
public async Task Invoke_HasEndpointWithEnableMetadata_HasSignificantDisableCors_ExecutesNextMiddleware()
{
// Arrange
var executed = false;
var corsService = Mock.Of <ICorsService>();
var policyProvider = Mock.Of <ICorsPolicyProvider>();
var loggerFactory = NullLoggerFactory.Instance;
var middleware = new CorsMiddleware(
c =>
{
executed = true;
return(Task.CompletedTask);
},
corsService,
loggerFactory,
"DefaultPolicyName");
var httpContext = new DefaultHttpContext();
httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new EnableCorsAttribute(), new DisableCorsAttribute()), "Test endpoint"));
httpContext.Request.Method = "GET";
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
httpContext.Request.Headers.Add(CorsConstants.AccessControlRequestMethod, new[] { "GET" });
// Act
await middleware.Invoke(httpContext, policyProvider);
// Assert
Assert.True(executed);
Mock.Get(policyProvider).Verify(v => v.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()), Times.Never());
Mock.Get(corsService).Verify(v => v.EvaluatePolicy(It.IsAny <HttpContext>(), It.IsAny <CorsPolicy>()), Times.Never());
}
protected override void ApplicationStartup(TinyIoCContainer container, IPipelines pipelines)
{
pipelines.AfterRequest += (ctx) => {
ctx = new CorsMiddleware().Process(ctx);
ctx = new AddHeaderMiddleware().Process(ctx, "Content-Type", "application/json");
};
pipelines.OnError += (context, exception) => HandleException(context, exception);
}
public CorsMiddleware CreateCorsMiddleware(RequestDelegate next, IOptions <HostCorsOptions> corsOptions)
{
CorsPolicy policy = _corsOptions.Value.GetPolicy(_corsOptions.Value.DefaultPolicyName);
var corsService = new CorsService(_corsOptions);
var middleware = new CorsMiddleware(next, corsService, policy, _loggerFactory);
return(middleware);
}
static void Main(string[] args)
{
HorseMvc mvc = new HorseMvc();
mvc.IsDevelopment = false;
mvc.Init(services =>
{
services.AddScoped <IScopedService, ScopedService>();
services.AddTransient <IFirstService, FirstService>();
services.AddTransient <ISecondService, SecondService>();
services.AddJwt(mvc, options =>
{
options.Key = "Very_very_secret_key";
options.Issuer = "localhost";
options.Audience = "localhost";
options.Lifetime = TimeSpan.FromHours(1);
options.ValidateAudience = false;
options.ValidateIssuer = false;
options.ValidateLifetime = true;
});
mvc.Policies.Add(Policy.RequireRole("Admin", "Admin"));
mvc.Policies.Add(Policy.RequireClaims("IT", "Database", "Cloud", "Source"));
mvc.Policies.Add(Policy.Custom("Custom", (d, c) => true));
mvc.StatusCodeResults.Add(HttpStatusCode.Unauthorized, new JsonResult(new { Message = "Access denied" }));
mvc.ErrorHandler = new MvcErrorHandler();
});
CorsMiddleware cors = new CorsMiddleware();
cors.AllowAll();
mvc.Use(app =>
{
app.UseActionRoute("/test-action", request => new StringResult("Hello, Test Action!"));
app.UseMiddleware(cors);
app.UseMiddleware <TMid>();
app.UseFiles("/download", "/home/mehmet/files");
});
HorseServer server = new HorseServer();
var opt = HttpOptions.CreateDefault();
opt.HttpConnectionTimeMax = 0;
server.UseMvc(mvc, opt);
server.Run(4410);
}
static void Main(string[] args)
{
using TwinoMvc mvc = new TwinoMvc();
mvc.IsDevelopment = false;
mvc.Init(twino =>
{
twino.Services.AddScoped <IScopedService, ScopedService>();
twino.Services.AddTransient <IFirstService, FirstService>();
twino.Services.AddTransient <ISecondService, SecondService>();
twino.AddJwt(options =>
{
options.Key = "Very_very_secret_key";
options.Issuer = "localhost";
options.Audience = "localhost";
options.Lifetime = TimeSpan.FromHours(1);
options.ValidateAudience = false;
options.ValidateIssuer = false;
options.ValidateLifetime = true;
});
twino.Policies.Add(Policy.RequireRole("Admin", "Admin"));
twino.Policies.Add(Policy.RequireClaims("IT", "Database", "Cloud", "Source"));
twino.Policies.Add(Policy.Custom("Custom", (d, c) => true));
twino.Services.AddHttpClient();
twino.StatusCodeResults.Add(HttpStatusCode.Unauthorized, new JsonResult(new { Message = "Access denied" }));
});
CorsMiddleware cors = new CorsMiddleware();
cors.AllowAll();
mvc.Use(app =>
{
app.UseMiddleware(cors);
app.UseMiddleware <TMid>();
app.UseFiles("/download", "/home/mehmet/files");
});
TwinoServer server = new TwinoServer();
var opt = HttpOptions.CreateDefault();
opt.HttpConnectionTimeMax = 0;
server.UseMvc(mvc, opt);
server.Start(441);
server.BlockWhileRunning();
}
public async Task Invoke_WithCustomPolicyProviderThatReturnsAsynchronously_Works()
{
// Arrange
var corsService = new CorsService(Options.Create(new CorsOptions()), NullLoggerFactory.Instance);
var mockProvider = new Mock <ICorsPolicyProvider>();
var loggerFactory = NullLoggerFactory.Instance;
var policy = new CorsPolicyBuilder()
.WithOrigins(OriginUrl)
.WithHeaders("AllowedHeader")
.Build();
mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()))
.ReturnsAsync(policy, TimeSpan.FromMilliseconds(10));
var middleware = new CorsMiddleware(
Mock.Of <RequestDelegate>(),
corsService,
loggerFactory,
"DefaultPolicyName");
var httpContext = new DefaultHttpContext();
httpContext.Request.Method = "OPTIONS";
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { OriginUrl });
httpContext.Request.Headers.Add(CorsConstants.AccessControlRequestMethod, new[] { "PUT" });
// Act
await middleware.Invoke(httpContext, mockProvider.Object);
// Assert
var response = httpContext.Response;
Assert.Collection(
response.Headers.OrderBy(o => o.Key),
kvp =>
{
Assert.Equal(CorsConstants.AccessControlAllowHeaders, kvp.Key);
Assert.Equal("AllowedHeader", Assert.Single(kvp.Value));
},
kvp =>
{
Assert.Equal(CorsConstants.AccessControlAllowOrigin, kvp.Key);
Assert.Equal(OriginUrl, Assert.Single(kvp.Value));
});
}
public async Task TestSkipsOnOptions(string method, bool shouldBeCalled)
{
var middleware = new CorsMiddleware(_loggerFactory);
var context = new DefaultHttpContext();
var called = false;
context.Request.Method = method;
context.Response.Body = new MemoryStream();
await middleware.InvokeAsync(context, (ctx) =>
{
called = true;
return(Task.CompletedTask);
});
Assert.Equal(shouldBeCalled, called);
}
public async Task TestCorsHeadersAreSet()
{
var middleware = new CorsMiddleware(_loggerFactory);
var context = new DefaultHttpContext();
context.Response.Body = new MemoryStream();
await middleware.InvokeAsync(context, (ctx) =>
{
var headers = new string[] { "Authorization", "Content-Type", "Accept" };
Assert.Equal("*", GetFirstHeaderValue(ctx.Response.Headers, "Access-Control-Allow-Origin"));
Assert.Equal(headers, GetHeaderValues(ctx.Response.Headers, "Access-Control-Allow-Headers"));
Assert.Equal("POST", GetFirstHeaderValue(ctx.Response.Headers, "Access-Control-Allow-Methods"));
return(Task.CompletedTask);
});
}
public async Task Invoke_HasEndpointRequireCorsMetadata_MiddlewareHasPolicy_RunsCorsWithPolicyName()
{
// Arrange
var defaultPolicy = new CorsPolicyBuilder().Build();
var metadataPolicy = new CorsPolicyBuilder().Build();
var mockCorsService = new Mock <ICorsService>();
var mockProvider = new Mock <ICorsPolicyProvider>();
var loggerFactory = NullLoggerFactory.Instance;
mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()))
.Returns(Task.FromResult <CorsPolicy>(null))
.Verifiable();
mockCorsService.Setup(o => o.EvaluatePolicy(It.IsAny <HttpContext>(), It.IsAny <CorsPolicy>()))
.Returns(new CorsResult())
.Verifiable();
var middleware = new CorsMiddleware(
Mock.Of <RequestDelegate>(),
mockCorsService.Object,
defaultPolicy,
loggerFactory);
var httpContext = new DefaultHttpContext();
httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new CorsPolicyMetadata(metadataPolicy)), "Test endpoint"));
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
// Act
await middleware.Invoke(httpContext, mockProvider.Object);
// Assert
mockProvider.Verify(
o => o.GetPolicyAsync(It.IsAny <HttpContext>(), It.IsAny <string>()),
Times.Never);
mockCorsService.Verify(
o => o.EvaluatePolicy(It.IsAny <HttpContext>(), metadataPolicy),
Times.Once);
}
public async Task Invoke_WithoutOrigin_InvokeFlagSet()
{
// Arrange
var corsService = Mock.Of <ICorsService>();
var mockProvider = Mock.Of <ICorsPolicyProvider>();
var loggerFactory = NullLoggerFactory.Instance;
var middleware = new CorsMiddleware(
Mock.Of <RequestDelegate>(),
corsService,
loggerFactory,
"DefaultPolicyName");
var httpContext = new DefaultHttpContext();
httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new EnableCorsAttribute("MetadataPolicyName"), new DisableCorsAttribute()), "Test endpoint"));
// Act
await middleware.Invoke(httpContext, mockProvider);
// Assert
Assert.Contains(httpContext.Items, item => string.Equals(item.Key as string, "__CorsMiddlewareWithEndpointInvoked"));
}
public async Task Invoke_WithoutEndpoint_InvokeFlagSet()
{
// Arrange
var corsService = Mock.Of <ICorsService>();
var mockProvider = Mock.Of <ICorsPolicyProvider>();
var loggerFactory = NullLoggerFactory.Instance;
var middleware = new CorsMiddleware(
Mock.Of <RequestDelegate>(),
corsService,
loggerFactory,
"DefaultPolicyName");
var httpContext = new DefaultHttpContext();
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
// Act
await middleware.Invoke(httpContext, mockProvider);
// Assert
Assert.DoesNotContain(httpContext.Items, item => string.Equals(item.Key as string, "__CorsMiddlewareWithEndpointInvoked"));
}
public async Task DoesNotSetHeaders_ForNoPolicy()
{
// Arrange
var corsService = Mock.Of<ICorsService>();
var mockProvider = new Mock<ICorsPolicyProvider>();
mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()))
.Returns(Task.FromResult<CorsPolicy>(null))
.Verifiable();
var middleware = new CorsMiddleware(
Mock.Of<RequestDelegate>(),
corsService,
mockProvider.Object,
policyName: null);
var httpContext = new DefaultHttpContext();
httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
// Act
await middleware.Invoke(httpContext);
// Assert
Assert.Equal(200, httpContext.Response.StatusCode);
Assert.Empty(httpContext.Response.Headers);
mockProvider.Verify(
o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()),
Times.Once);
}
public JobHostCorsMiddleware(IOptions <HostCorsOptions> hostCorsOptions, ICorsMiddlewareFactory middlewareFactory)
{
_corsMiddleware = middlewareFactory.CreateCorsMiddleware(InvokeNext, hostCorsOptions);
}
