public void ShortCircuit()
{
CorsConfig cors = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost:8080")
.ShortCircuit().Build();
Assert.True(cors.IsShortCircuit);
}
public void Origin()
{
CorsConfig cors = CorsConfigBuilder.ForOrigin((StringCharSequence)"http://localhost:7888").Build();
Assert.Equal("http://localhost:7888", cors.Origin.ToString());
Assert.False(cors.IsAnyOriginSupported);
}
public void WildcardOrigin()
{
CorsConfig cors = CorsConfigBuilder.ForOrigin(CorsHandler.AnyOrigin).Build();
Assert.True(cors.IsAnyOriginSupported);
Assert.Equal("*", cors.Origin.ToString());
Assert.Equal(0, cors.Origins.Count);
}
public void SimpleRequestWithOrigin()
{
var origin = new AsciiString("http://localhost:8888");
IHttpResponse response = SimpleRequest(CorsConfigBuilder.ForOrigin(origin).Build(), origin.ToString());
Assert.Equal(origin, response.Headers.Get(HttpHeaderNames.AccessControlAllowOrigin, null));
Assert.Null(response.Headers.Get(HttpHeaderNames.AccessControlAllowHeaders, null));
}
public void PreflightRequestAllowCredentials()
{
var origin = new AsciiString("null");
CorsConfig config = CorsConfigBuilder.ForOrigin(origin).AllowCredentials().Build();
IHttpResponse response = PreflightRequest(config, origin.ToString(), "content-type, xheader1");
Assert.Equal("true", response.Headers.Get(HttpHeaderNames.AccessControlAllowCredentials, null));
}
public void SimpleRequestNoShortCircuit()
{
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost:8080").Build();
IHttpResponse response = SimpleRequest(config, "http://localhost:7777");
Assert.Equal(HttpResponseStatus.OK, response.Status);
Assert.Null(response.Headers.Get(HttpHeaderNames.AccessControlAllowOrigin, null));
}
public void PreflightRequestDoNotAllowCredentials()
{
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost:8888").Build();
IHttpResponse response = PreflightRequest(config, "http://localhost:8888", "");
// the only valid value for Access-Control-Allow-Credentials is true.
Assert.False(response.Headers.Contains(HttpHeaderNames.AccessControlAllowCredentials));
}
public void SimpleRequestShortCircuit()
{
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost:8080")
.ShortCircuit().Build();
IHttpResponse response = SimpleRequest(config, "http://localhost:7777");
Assert.Equal(HttpResponseStatus.Forbidden, response.Status);
Assert.Equal("0", response.Headers.Get(HttpHeaderNames.ContentLength, null).ToString());
}
public void PreflightRequestWithValueGenerator()
{
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost:8888")
.PreflightResponseHeader((AsciiString)"GenHeader", new ValueGenerator()).Build();
IHttpResponse response = PreflightRequest(config, "http://localhost:8888", "content-type, xheader1");
Assert.Equal("generatedValue", response.Headers.Get((AsciiString)"GenHeader", null).ToString());
Assert.Equal(HttpHeaderNames.Origin.ToString(), response.Headers.Get(HttpHeaderNames.Vary, null));
}
public void PreflightRequestWithUnauthorizedOrigin()
{
var origin = "http://host";
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost").Build();
var response = PreflightRequest(config, origin, "xheader1");
Assert.False(response.Headers.Contains(HttpHeaderNames.AccessControlAllowOrigin));
Assert.True(ReferenceCountUtil.Release(response));
}
public void ShortCircuitNonCorsRequest()
{
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"https://localhost")
.ShortCircuit().Build();
IHttpResponse response = SimpleRequest(config, null);
Assert.Equal(HttpResponseStatus.OK, response.Status);
Assert.Null(response.Headers.Get(HttpHeaderNames.AccessControlAllowOrigin, null));
Assert.True(ReferenceCountUtil.Release(response));
}
public void PreflightRequestWithDefaultHeaders()
{
CorsConfig config = CorsConfigBuilder.ForOrigin(new AsciiString("http://localhost:8888")).Build();
var response = PreflightRequest(config, "http://localhost:8888", "content-type, xheader1");
Assert.Equal("0", response.Headers.Get(HttpHeaderNames.ContentLength, null).ToString());
Assert.NotNull(response.Headers.Get(HttpHeaderNames.Date, null));
Assert.Equal(HttpHeaderNames.Origin.ToString(), response.Headers.Get(HttpHeaderNames.Vary, null));
Assert.True(ReferenceCountUtil.Release(response));
}
public void SimpleRequestWithNullOrigin()
{
IHttpResponse response = SimpleRequest(CorsConfigBuilder.ForOrigin((AsciiString)"http://test.com")
.AllowNullOrigin()
.AllowCredentials()
.Build(), "null");
Assert.Equal("null", response.Headers.Get(HttpHeaderNames.AccessControlAllowOrigin, null).ToString());
Assert.Equal("true", response.Headers.Get(HttpHeaderNames.AccessControlAllowCredentials, null).ToString());
Assert.Null(response.Headers.Get(HttpHeaderNames.AccessControlAllowHeaders, null));
}
public void PreflightDeleteRequestWithCustomHeaders()
{
CorsConfig config = CorsConfigBuilder.ForOrigin(
new AsciiString("http://localhost:8888")).AllowedRequestMethods(HttpMethod.Get, HttpMethod.Delete).Build();
IHttpResponse response = PreflightRequest(config, "http://localhost:8888", "content-type, xheader1");
Assert.Equal("http://localhost:8888", response.Headers.Get(HttpHeaderNames.AccessControlAllowOrigin, null));
Assert.Contains("GET", response.Headers.Get(HttpHeaderNames.AccessControlAllowMethods, null).ToString());
Assert.Contains("DELETE", response.Headers.Get(HttpHeaderNames.AccessControlAllowMethods, null).ToString());
Assert.Equal(HttpHeaderNames.Origin.ToString(), response.Headers.Get(HttpHeaderNames.Vary, null));
}
public void ForbiddenShouldReleaseRequest()
{
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"https://localhost").ShortCircuit().Build();
var channel = new EmbeddedChannel(new CorsHandler(config), new EchoHandler());
IFullHttpRequest request = CreateHttpRequest(HttpMethod.Get);
request.Headers.Set(HttpHeaderNames.Origin, "http://localhost:8888");
Assert.False(channel.WriteInbound(request));
Assert.Equal(0, request.ReferenceCount);
Assert.True(ReferenceCountUtil.Release(channel.ReadOutbound()));
Assert.False(channel.Finish());
}
public void PreflightRequestWithCustomHeaders()
{
const string HeaderName = "CustomHeader";
const string Value1 = "value1";
const string Value2 = "value2";
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost:8888")
.PreflightResponseHeader((AsciiString)HeaderName, (AsciiString)Value1, (AsciiString)Value2).Build();
IHttpResponse response = PreflightRequest(config, "http://localhost:8888", "content-type, xheader1");
AssertValues(response, HeaderName, Value1, Value2);
Assert.Equal(HttpHeaderNames.Origin.ToString(), response.Headers.Get(HttpHeaderNames.Vary, null));
Assert.Equal("0", response.Headers.Get(HttpHeaderNames.ContentLength, null).ToString());
}
public void PreflightRequestShouldReleaseRequest()
{
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost:8888")
.PreflightResponseHeader((AsciiString)"CustomHeader", new List <ICharSequence> {
(AsciiString)"value1", (AsciiString)"value2"
})
.Build();
var channel = new EmbeddedChannel(new CorsHandler(config));
IFullHttpRequest request = OptionsRequest("http://localhost:8888", "content-type, xheader1", null);
Assert.False(channel.WriteInbound(request));
Assert.Equal(0, request.ReferenceCount);
Assert.True(ReferenceCountUtil.Release(channel.ReadOutbound()));
Assert.False(channel.Finish());
}
public void PreflightRequestWithConnectionCloseShouldClose()
{
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost:8888").Build();
var channel = new EmbeddedChannel(new CorsHandler(config));
IFullHttpRequest request = OptionsRequest("http://localhost:8888", "", HttpHeaderValues.Close);
Assert.False(channel.WriteInbound(request));
var response = channel.ReadOutbound <IHttpResponse>();
Assert.False(HttpUtil.IsKeepAlive(response));
Assert.False(channel.IsOpen);
Assert.Equal(HttpResponseStatus.OK, response.Status);
Assert.True(ReferenceCountUtil.Release(response));
Assert.False(channel.Finish());
}
public void PreflightRequestWithCustomHeadersIterable()
{
const string HeaderName = "CustomHeader";
const string Value1 = "value1";
const string Value2 = "value2";
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost:8888")
.PreflightResponseHeader((AsciiString)HeaderName, new List <ICharSequence> {
(AsciiString)Value1, (AsciiString)Value2
})
.Build();
IHttpResponse response = PreflightRequest(config, "http://localhost:8888", "content-type, xheader1");
AssertValues(response, HeaderName, Value1, Value2);
Assert.Equal(HttpHeaderNames.Origin.ToString(), response.Headers.Get(HttpHeaderNames.Vary, null));
Assert.True(ReferenceCountUtil.Release(response));
}
public void PreflightGetRequestWithCustomHeaders()
{
CorsConfig config = CorsConfigBuilder.ForOrigin(new AsciiString("http://localhost:8888"))
.AllowedRequestMethods(HttpMethod.Options, HttpMethod.Get, HttpMethod.Delete)
.AllowedRequestHeaders((AsciiString)"content-type", (AsciiString)"xheader1")
.Build();
var response = PreflightRequest(config, "http://localhost:8888", "content-type, xheader1");
Assert.Equal("http://localhost:8888", response.Headers.Get(HttpHeaderNames.AccessControlAllowOrigin, null));
Assert.Contains("OPTIONS", response.Headers.Get(HttpHeaderNames.AccessControlAllowMethods, null).ToString());
Assert.Contains("GET", response.Headers.Get(HttpHeaderNames.AccessControlAllowMethods, null).ToString());
Assert.Contains("content-type", response.Headers.Get(HttpHeaderNames.AccessControlAllowHeaders, null).ToString());
Assert.Contains("xheader1", response.Headers.Get(HttpHeaderNames.AccessControlAllowHeaders, null).ToString());
Assert.Equal(HttpHeaderNames.Origin.ToString(), response.Headers.Get(HttpHeaderNames.Vary, null));
Assert.True(ReferenceCountUtil.Release(response));
}
public void ShortCircuitWithoutConnectionShouldStayOpen()
{
CorsConfig config = CorsConfigBuilder.ForOrigin((AsciiString)"http://localhost:8080")
.ShortCircuit().Build();
var channel = new EmbeddedChannel(new CorsHandler(config));
IFullHttpRequest request = CreateHttpRequest(HttpMethod.Get);
request.Headers.Set(HttpHeaderNames.Origin, (AsciiString)"http://localhost:8888");
Assert.False(channel.WriteInbound(request));
var response = channel.ReadOutbound <IHttpResponse>();
Assert.True(HttpUtil.IsKeepAlive(response));
Assert.True(channel.IsOpen);
Assert.Equal(HttpResponseStatus.Forbidden, response.Status);
Assert.True(ReferenceCountUtil.Release(response));
Assert.False(channel.Finish());
}
public void DifferentConfigsPerOrigin()
{
var host1 = "http://host1:80";
var host2 = "http://host2";
CorsConfig rule1 = CorsConfigBuilder.ForOrigin((AsciiString)host1).AllowedRequestMethods(HttpMethod.Get).Build();
CorsConfig rule2 = CorsConfigBuilder.ForOrigin((AsciiString)host2).AllowedRequestMethods(HttpMethod.Get, HttpMethod.Post)
.AllowCredentials().Build();
List <CorsConfig> corsConfigs = new List <CorsConfig>(new[] { rule1, rule2 });
var preFlightHost1 = PreflightRequest(corsConfigs, host1, "", false);
Assert.Equal("GET", preFlightHost1.Headers.Get(HttpHeaderNames.AccessControlAllowMethods, null).ToString());
Assert.Null(preFlightHost1.Headers.GetAsString(HttpHeaderNames.AccessControlAllowCredentials));
var preFlightHost2 = PreflightRequest(corsConfigs, host2, "", false);
AssertValues(preFlightHost2, HttpHeaderNames.AccessControlAllowMethods.ToString(), "GET", "POST");
Assert.Equal("true", preFlightHost2.Headers.GetAsString(HttpHeaderNames.AccessControlAllowCredentials));
}
public void SpecificConfigPrecedenceOverGeneric()
{
var host1 = "http://host1";
var host2 = "http://host2";
CorsConfig forHost1 = CorsConfigBuilder.ForOrigin((AsciiString)host1).AllowedRequestMethods(HttpMethod.Get).MaxAge(3600L).Build();
CorsConfig allowAll = CorsConfigBuilder.ForAnyOrigin().AllowedRequestMethods(HttpMethod.Post, HttpMethod.Get, HttpMethod.Options)
.MaxAge(1800).Build();
List <CorsConfig> rules = new List <CorsConfig>(new[] { forHost1, allowAll });
var host1Response = PreflightRequest(rules, host1, "", false);
Assert.Equal("GET", host1Response.Headers.Get(HttpHeaderNames.AccessControlAllowMethods, null).ToString());
Assert.Equal("3600", host1Response.Headers.GetAsString(HttpHeaderNames.AccessControlMaxAge));
var host2Response = PreflightRequest(rules, host2, "", false);
AssertValues(host2Response, HttpHeaderNames.AccessControlAllowMethods.ToString(), "POST", "GET", "OPTIONS");
Assert.Equal("*", host2Response.Headers.GetAsString(HttpHeaderNames.AccessControlAllowOrigin));
Assert.Equal("1800", host2Response.Headers.GetAsString(HttpHeaderNames.AccessControlMaxAge));
}