public void EvaluatePolicy_PreflightRequest_HeadersRequested_NotAllHeaderMatches_ReturnsInvalidResult()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
requestContext.AccessControlRequestHeaders.Add("match");
requestContext.AccessControlRequestHeaders.Add("noMatch");
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true
};
policy.Headers.Add("match");
policy.Headers.Add("foo");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.False(result.IsValid);
Assert.Contains("The collection of headers 'match,noMatch' is not allowed.", result.ErrorMessages);
}
public void EvaluatePolicy_PreflightRequest_HeadersRequested_AllowSomeHeaders_ReturnsSubsetOfListedHeaders()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
requestContext.AccessControlRequestHeaders.Add("Content-Type");
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true
};
policy.Headers.Add("foo");
policy.Headers.Add("bar");
policy.Headers.Add("Content-Type");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Equal(1, result.AllowedHeaders.Count);
Assert.Contains("Content-Type", result.AllowedHeaders);
}
public void TryValidateHeaders_NullRequestContext_Throws()
{
CorsEngine corsEngine = new CorsEngine();
Assert.ThrowsArgumentNull(() =>
corsEngine.TryValidateHeaders(null, new CorsPolicy(), new CorsResult()),
"requestContext");
}
public void TryValidateOrigin_NullResult_Throws()
{
CorsEngine corsEngine = new CorsEngine();
Assert.ThrowsArgumentNull(() =>
corsEngine.TryValidateOrigin(new CorsRequestContext(), new CorsPolicy(), null),
"result");
}
public void EvaluatePolicy_NullPolicy_Throws()
{
CorsEngine corsEngine = new CorsEngine();
Assert.ThrowsArgumentNull(() =>
corsEngine.EvaluatePolicy(new CorsRequestContext(), null),
"policy");
}
public void EvaluatePolicy_NullPolicy_Throws()
{
CorsEngine corsEngine = new CorsEngine();
Assert.ThrowsArgumentNull(() =>
corsEngine.EvaluatePolicy(new CorsRequestContext(), null),
"policy");
}
public void EvaluatePolicy_NullRequest_Throws()
{
CorsEngine corsEngine = new CorsEngine();
Assert.ThrowsArgumentNull(() =>
corsEngine.EvaluatePolicy(null, new CorsPolicy()),
"requestContext");
}
public void TryValidateMethod_NullPolicy_Throws()
{
CorsEngine corsEngine = new CorsEngine();
Assert.ThrowsArgumentNull(() =>
corsEngine.TryValidateMethod(new CorsRequestContext(), null, new CorsResult()),
"policy");
}
public void EvaluatePolicy_NullRequest_Throws()
{
CorsEngine corsEngine = new CorsEngine();
Assert.ThrowsArgumentNull(() =>
corsEngine.EvaluatePolicy(null, new CorsPolicy()),
"requestContext");
}
public static bool EvaluateCorsPolicy(
this CorsEngine corsEngine,
CorsRequestContext context,
CorsOptions options)
{
var result = corsEngine.EvaluatePolicy(context, options.GetCorsPolicy());
return(result.IsNotNull() && result.IsValid);
}
public static IDictionary <string, string> GetCorsResponseHeaders(
this CorsEngine corsEngine,
CorsRequestContext context,
CorsOptions options)
{
return(corsEngine
.EvaluatePolicy(context, options.GetCorsPolicy())
.ToResponseHeaders() ?? new Dictionary <string, string>());
}
public void Should_set_cors_engine_instance()
{
var configuration = new CorsConfiguration();
var engine = new CorsEngine();
new CorsConfigurationDsl(configuration).WithEngine(engine);
configuration.CorsEngine.HasInstance.ShouldBeTrue();
configuration.CorsEngine.Instance.ShouldEqual(engine);
}
private static CorsBasedSecurityMessageHandler CreateSubjectUnderTest(
HttpResponseMessage response = null,
CorsEngine corsEngine = null,
CorsOptions options = null)
{
var sut = new CorsBasedSecurityMessageHandler(options ?? CorsOptions.AllowAll());
sut.InnerHandler = new TestHandler(response);
sut.SetCorsEngineFactory(() => corsEngine ?? new CorsEngine());
return(sut);
}
public void EvaluatePolicy_EmptyOriginsPolicy_ReturnsInvalidResult()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext {
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy();
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.False(result.IsValid);
Assert.Contains("The origin 'foo' is not allowed.", result.ErrorMessages);
}
public void EvaluatePolicy_NoOrigin_ReturnsInvalidResult()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
Origin = null,
HttpMethod = "GET"
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, new CorsPolicy());
Assert.False(result.IsValid);
Assert.Contains("The request does not contain the Origin header.", result.ErrorMessages);
}
public void EvaluatePolicy_NoOrigin_ReturnsInvalidResult()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
Origin = null,
HttpMethod = "GET"
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, new CorsPolicy());
Assert.False(result.IsValid);
Assert.Contains("The request does not contain the Origin header.", result.ErrorMessages);
}
public void EvaluatePolicy_NoExposedHeaders_NoAllowExposedHeaders()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext {
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy {
AllowAnyOrigin = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.Empty(result.AllowedExposedHeaders);
}
public void EvaluatePolicy_EmptyOriginsPolicy_ReturnsInvalidResult()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy();
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.False(result.IsValid);
Assert.Contains("The origin 'foo' is not allowed.", result.ErrorMessages);
}
public void EvaluatePolicy_AllowAnyOrigin_DoesNotSupportCredentials_EmitsWildcardForOrigin()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext {
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
SupportsCredentials = false
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.Equal("*", result.AllowedOrigin);
}
public void EvaluatePolicy_AllowAnyOrigin_SupportsCredentials_AddsSpecificOrigin()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext {
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
SupportsCredentials = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.Equal("foo", result.AllowedOrigin);
}
public void EvaluatePolicy_SupportsCredentials_AllowCredentialsReturnsTrue()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext {
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
SupportsCredentials = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(result.SupportsCredentials);
}
public void EvaluatePolicy_OneExposedHeaders_HeadersAllowed()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext {
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy {
AllowAnyOrigin = true
};
policy.ExposedHeaders.Add("foo");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.Equal(1, result.AllowedExposedHeaders.Count);
Assert.Contains("foo", result.AllowedExposedHeaders);
}
public void TryValidateMethod_DoesCaseSensitiveComparison()
{
CorsEngine corsEngine = new CorsEngine();
CorsPolicy policy = new CorsPolicy();
policy.Methods.Add("POST");
CorsResult result = new CorsResult();
bool isValid = corsEngine.TryValidateMethod(new CorsRequestContext {
AccessControlRequestMethod = "post"
}, policy, result);
Assert.False(isValid);
Assert.Equal(1, result.ErrorMessages.Count);
Assert.Equal("The method 'post' is not allowed.", result.ErrorMessages[0]);
}
public void TryValidateOrigin_DoesCaseSensitiveComparison()
{
CorsEngine corsEngine = new CorsEngine();
CorsPolicy policy = new CorsPolicy();
policy.Origins.Add("http://Example.com");
CorsResult result = new CorsResult();
bool isValid = corsEngine.TryValidateOrigin(new CorsRequestContext {
Origin = "http://example.com"
}, policy, result);
Assert.False(isValid);
Assert.Equal(1, result.ErrorMessages.Count);
Assert.Equal("The origin 'http://example.com' is not allowed.", result.ErrorMessages[0]);
}
public void EvaluatePolicy_AllowAnyOrigin_DoesNotSupportCredentials_EmitsWildcardForOrigin()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
SupportsCredentials = false
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.Equal("*", result.AllowedOrigin);
}
public void EvaluatePolicy_PreflightRequest_AnyMethod_ReturnsRequestMethod()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "GET",
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy {
AllowAnyOrigin = true, AllowAnyMethod = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Equal(1, result.AllowedMethods.Count);
Assert.Contains("GET", result.AllowedMethods);
}
public void EvaluatePolicy_PreflightRequest_OriginAllowed_ReturnsOrigin()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy {
AllowAnyMethod = true
};
policy.Origins.Add("foo");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Equal("foo", result.AllowedOrigin);
}
public void EvaluatePolicy_PreflightRequest_NoHeadersRequested_AllowedAllHeaders_ReturnsEmptyHeaders()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo",
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true,
AllowAnyHeader = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Empty(result.AllowedHeaders);
}
public void EvaluatePolicy_PreflightRequest_MethodNotAllowed_ReturnsInvalidResult()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy {
AllowAnyOrigin = true
};
policy.Methods.Add("GET");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.False(result.IsValid);
Assert.Contains("The method 'PUT' is not allowed.", result.ErrorMessages);
}
public void EvaluatePolicy_PreflightRequest_PreflightMaxAge_PreflightMaxAgeSet()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo",
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true,
PreflightMaxAge = 10
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Equal(10, result.PreflightMaxAge);
}
public void EvaluatePolicy_PreflightRequest_SupportsCredentials_AllowCredentialsReturnsTrue()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo",
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true,
SupportsCredentials = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.True(result.SupportsCredentials);
}
public void EvaluatePolicy_PreflightRequest_MethodAllowed_ReturnsAllowMethods()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy {
AllowAnyOrigin = true
};
policy.Methods.Add("PUT");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.NotNull(result);
Assert.Contains("PUT", result.AllowedMethods);
}
public void EvaluatePolicy_PreflightRequest_ListedMethod_ReturnsSubsetOfListedMethods()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true
};
policy.Methods.Add("PUT");
policy.Methods.Add("DELETE");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Equal(1, result.AllowedMethods.Count());
Assert.Contains("PUT", result.AllowedMethods);
}
public void TryValidateOrigin_DoesCaseSensitiveComparison()
{
CorsEngine corsEngine = new CorsEngine();
CorsPolicy policy = new CorsPolicy();
policy.Origins.Add("http://Example.com");
CorsResult result = new CorsResult();
bool isValid = corsEngine.TryValidateOrigin(new CorsRequestContext { Origin = "http://example.com" }, policy, result);
Assert.False(isValid);
Assert.Equal(1, result.ErrorMessages.Count);
Assert.Equal("The origin 'http://example.com' is not allowed.", result.ErrorMessages[0]);
}
public void EvaluatePolicy_SupportsCredentials_AllowCredentialsReturnsTrue()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
SupportsCredentials = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(result.SupportsCredentials);
}
public void EvaluatePolicy_NoExposedHeaders_NoAllowExposedHeaders()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.Empty(result.AllowedExposedHeaders);
}
public void EvaluatePolicy_ManyExposedHeaders_HeadersAllowed()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true
};
policy.ExposedHeaders.Add("foo");
policy.ExposedHeaders.Add("bar");
policy.ExposedHeaders.Add("baz");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.Equal(3, result.AllowedExposedHeaders.Count());
Assert.Contains("foo", result.AllowedExposedHeaders);
Assert.Contains("bar", result.AllowedExposedHeaders);
Assert.Contains("baz", result.AllowedExposedHeaders);
}
public void EvaluatePolicy_PreflightRequest_HeadersRequested_NotAllHeaderMatches_ReturnsInvalidResult()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
requestContext.AccessControlRequestHeaders.Add("match");
requestContext.AccessControlRequestHeaders.Add("noMatch");
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true
};
policy.Headers.Add("match");
policy.Headers.Add("foo");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.False(result.IsValid);
Assert.Contains("The collection of headers 'match,noMatch' is not allowed.", result.ErrorMessages);
}
public void EvaluatePolicy_PreflightRequest_NoHeadersRequested_AllowedAllHeaders_ReturnsEmptyHeaders()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo",
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true,
AllowAnyHeader = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Empty(result.AllowedHeaders);
}
public void EvaluatePolicy_PreflightRequest_MethodAllowed_ReturnsAllowMethods()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true
};
policy.Methods.Add("PUT");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.NotNull(result);
Assert.Contains("PUT", result.AllowedMethods);
}
public void TryValidateOrigin_NullResult_Throws()
{
CorsEngine corsEngine = new CorsEngine();
Assert.ThrowsArgumentNull(() =>
corsEngine.TryValidateOrigin(new CorsRequestContext(), new CorsPolicy(), null),
"result");
}
public void TryValidateHeaders_NullRequestContext_Throws()
{
CorsEngine corsEngine = new CorsEngine();
Assert.ThrowsArgumentNull(() =>
corsEngine.TryValidateHeaders(null, new CorsPolicy(), new CorsResult()),
"requestContext");
}
public void TryValidateMethod_NullPolicy_Throws()
{
CorsEngine corsEngine = new CorsEngine();
Assert.ThrowsArgumentNull(() =>
corsEngine.TryValidateMethod(new CorsRequestContext(), null, new CorsResult()),
"policy");
}
public void EvaluatePolicy_PreflightRequest_OriginAllowed_ReturnsOrigin()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyMethod = true
};
policy.Origins.Add("foo");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Equal("foo", result.AllowedOrigin);
}
public void EvaluatePolicy_PreflightRequest_HeadersRequested_AllowSomeHeaders_ReturnsSubsetOfListedHeaders()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
requestContext.AccessControlRequestHeaders.Add("Content-Type");
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true
};
policy.Headers.Add("foo");
policy.Headers.Add("bar");
policy.Headers.Add("Content-Type");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Equal(1, result.AllowedHeaders.Count);
Assert.Contains("Content-Type", result.AllowedHeaders);
}
public void EvaluatePolicy_AllowAnyOrigin_SupportsCredentials_AddsSpecificOrigin()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
SupportsCredentials = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.Equal("foo", result.AllowedOrigin);
}
public void EvaluatePolicy_PreflightRequest_MethodNotAllowed_ReturnsInvalidResult()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true
};
policy.Methods.Add("GET");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.False(result.IsValid);
Assert.Contains("The method 'PUT' is not allowed.", result.ErrorMessages);
}
public void EvaluatePolicy_PreflightRequest_PreflightMaxAge_PreflightMaxAgeSet()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo",
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true,
PreflightMaxAge = 10
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Equal(10, result.PreflightMaxAge);
}
public void EvaluatePolicy_PreflightRequest_SupportsCredentials_AllowCredentialsReturnsTrue()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo",
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true,
SupportsCredentials = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.True(result.SupportsCredentials);
}
public void EvaluatePolicy_PreflightRequest_AnyMethod_ReturnsRequestMethod()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "GET",
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true,
AllowAnyMethod = true
};
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Equal(1, result.AllowedMethods.Count);
Assert.Contains("GET", result.AllowedMethods);
}
public void EvaluatePolicy_PreflightRequest_ListedMethod_ReturnsSubsetOfListedMethods()
{
CorsEngine corsEngine = new CorsEngine();
CorsRequestContext requestContext = new CorsRequestContext
{
HttpMethod = "OPTIONS",
AccessControlRequestMethod = "PUT",
Origin = "foo"
};
CorsPolicy policy = new CorsPolicy
{
AllowAnyOrigin = true
};
policy.Methods.Add("PUT");
policy.Methods.Add("DELETE");
CorsResult result = corsEngine.EvaluatePolicy(requestContext, policy);
Assert.True(requestContext.IsPreflight);
Assert.Equal(1, result.AllowedMethods.Count());
Assert.Contains("PUT", result.AllowedMethods);
}
private void ProcessCors(OAuthValidateTokenRequestContext context)
{
var accessControlRequestMethodHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod);
var originHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.Origin);
var accessControlRequestHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod);
var corsRequest = new CorsRequestContext
{
Host = context.Request.Host.Value,
HttpMethod = context.Request.Method,
Origin = originHeaders?.FirstOrDefault(),
RequestUri = context.Request.Uri,
AccessControlRequestMethod = accessControlRequestMethodHeaders?.FirstOrDefault()
};
if (accessControlRequestHeaders != null)
{
foreach (var header in context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod))
{
corsRequest.AccessControlRequestHeaders.Add(header);
}
}
var engine = new CorsEngine();
if (corsRequest.IsPreflight)
{
try
{
// Make sure Access-Control-Request-Method is valid.
var test = new HttpMethod(corsRequest.AccessControlRequestMethod);
}
catch (ArgumentException)
{
context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
context.SetError("Access Control Request Method Cannot Be Null Or Empty");
//context.RequestCompleted();
return;
}
catch (FormatException)
{
context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
context.SetError("Invalid Access Control Request Method");
//context.RequestCompleted();
return;
}
var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy);
if (!result.IsValid)
{
context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
context.SetError(string.Join(" | ", result.ErrorMessages));
//context.RequestCompleted();
return;
}
WriteCorsHeaders(result, context);
}
else
{
var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy);
if (result.IsValid)
{
WriteCorsHeaders(result, context);
}
}
}
public void TryValidateMethod_DoesCaseSensitiveComparison()
{
CorsEngine corsEngine = new CorsEngine();
CorsPolicy policy = new CorsPolicy();
policy.Methods.Add("POST");
CorsResult result = new CorsResult();
bool isValid = corsEngine.TryValidateMethod(new CorsRequestContext { AccessControlRequestMethod = "post" }, policy, result);
Assert.False(isValid);
Assert.Equal(1, result.ErrorMessages.Count);
Assert.Equal("The method 'post' is not allowed.", result.ErrorMessages[0]);
}
