2014-05-08 09:47:18 +00:00
|
|
|
<?php
|
|
|
|
/**
|
|
|
|
* ownCloud - App Framework
|
|
|
|
*
|
|
|
|
* This file is licensed under the Affero General Public License version 3 or
|
|
|
|
* later. See the COPYING file.
|
|
|
|
*
|
|
|
|
* @author Bernhard Posselt <dev@bernhard-posselt.com>
|
|
|
|
* @copyright Bernhard Posselt 2014
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
namespace OC\AppFramework\Middleware\Security;
|
|
|
|
|
|
|
|
use OC\AppFramework\Http\Request;
|
2014-05-11 15:55:59 +00:00
|
|
|
use OC\AppFramework\Utility\ControllerMethodReflector;
|
|
|
|
|
2014-05-08 09:47:18 +00:00
|
|
|
use OCP\AppFramework\Http\Response;
|
|
|
|
|
|
|
|
|
2014-11-10 22:30:38 +00:00
|
|
|
class CORSMiddlewareTest extends \Test\TestCase {
|
2014-05-08 09:47:18 +00:00
|
|
|
|
2014-05-11 15:55:59 +00:00
|
|
|
private $reflector;
|
|
|
|
|
|
|
|
protected function setUp() {
|
2014-11-10 22:30:38 +00:00
|
|
|
parent::setUp();
|
2014-05-11 15:55:59 +00:00
|
|
|
$this->reflector = new ControllerMethodReflector();
|
|
|
|
}
|
|
|
|
|
2014-05-08 09:47:18 +00:00
|
|
|
/**
|
|
|
|
* @CORS
|
|
|
|
*/
|
|
|
|
public function testSetCORSAPIHeader() {
|
|
|
|
$request = new Request(
|
2015-02-09 10:41:48 +00:00
|
|
|
[
|
|
|
|
'server' => [
|
|
|
|
'HTTP_ORIGIN' => 'test'
|
|
|
|
]
|
|
|
|
],
|
2015-02-10 12:02:48 +00:00
|
|
|
$this->getMock('\OCP\Security\ISecureRandom'),
|
|
|
|
$this->getMock('\OCP\IConfig')
|
2014-05-08 09:47:18 +00:00
|
|
|
);
|
2014-05-11 15:55:59 +00:00
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector);
|
2014-05-08 09:47:18 +00:00
|
|
|
|
|
|
|
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
|
|
|
$headers = $response->getHeaders();
|
|
|
|
$this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public function testNoAnnotationNoCORSHEADER() {
|
|
|
|
$request = new Request(
|
2015-02-09 10:41:48 +00:00
|
|
|
[
|
|
|
|
'server' => [
|
|
|
|
'HTTP_ORIGIN' => 'test'
|
|
|
|
]
|
|
|
|
],
|
2015-02-10 12:02:48 +00:00
|
|
|
$this->getMock('\OCP\Security\ISecureRandom'),
|
|
|
|
$this->getMock('\OCP\IConfig')
|
2014-05-08 09:47:18 +00:00
|
|
|
);
|
2014-05-11 15:55:59 +00:00
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector);
|
2014-05-08 09:47:18 +00:00
|
|
|
|
|
|
|
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
|
|
|
$headers = $response->getHeaders();
|
|
|
|
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @CORS
|
|
|
|
*/
|
|
|
|
public function testNoOriginHeaderNoCORSHEADER() {
|
2015-02-10 12:02:48 +00:00
|
|
|
$request = new Request(
|
|
|
|
[],
|
|
|
|
$this->getMock('\OCP\Security\ISecureRandom'),
|
|
|
|
$this->getMock('\OCP\IConfig')
|
|
|
|
);
|
2014-05-11 15:55:59 +00:00
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector);
|
2014-05-08 09:47:18 +00:00
|
|
|
|
|
|
|
$response = $middleware->afterController($this, __FUNCTION__, new Response());
|
|
|
|
$headers = $response->getHeaders();
|
|
|
|
$this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @CORS
|
|
|
|
* @expectedException \OC\AppFramework\Middleware\Security\SecurityException
|
|
|
|
*/
|
|
|
|
public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
|
|
|
|
$request = new Request(
|
2015-02-09 10:41:48 +00:00
|
|
|
[
|
|
|
|
'server' => [
|
|
|
|
'HTTP_ORIGIN' => 'test'
|
|
|
|
]
|
|
|
|
],
|
2015-02-10 12:02:48 +00:00
|
|
|
$this->getMock('\OCP\Security\ISecureRandom'),
|
|
|
|
$this->getMock('\OCP\IConfig')
|
2014-05-08 09:47:18 +00:00
|
|
|
);
|
2014-05-11 15:55:59 +00:00
|
|
|
$this->reflector->reflect($this, __FUNCTION__);
|
|
|
|
$middleware = new CORSMiddleware($request, $this->reflector);
|
2014-05-08 09:47:18 +00:00
|
|
|
|
|
|
|
$response = new Response();
|
|
|
|
$response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
|
2015-02-10 12:02:48 +00:00
|
|
|
$middleware->afterController($this, __FUNCTION__, $response);
|
2014-05-08 09:47:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
}
|