def test_is_valid_header_when_url_has_dash_is_authorized_in_subdomain(): # Given header_origin = 'https://my-poc.passculture.app' endpoint = 'list_offers' # When is_valid_header = check_origin_header_validity(header_origin, endpoint, '/') # Then assert is_valid_header
def test_is_valid_header_when_header_not_in_whitelist_for_exception_endpoint(): # Given header_origin = 'http://random.url.com' endpoint = 'patch_booking_by_token' # When is_valid_header = check_origin_header_validity(header_origin, endpoint, '/') # Then assert is_valid_header
def test_is_invalid_header_when_malicious_url_is_used(): # Given header_origin = 'https://my.malicious.website.com?origin=poc.passculture.app' endpoint = 'list_offers' # When is_valid_header = check_origin_header_validity(header_origin, endpoint, '/') # Then assert not is_valid_header
def test_is_invalid_header_when_url_is_not_known(): # Given header_origin = 'https://poc.fr' endpoint = 'list_offers' # When is_valid_header = check_origin_header_validity(header_origin, endpoint, '/') # Then assert not is_valid_header
def test_any_origin_header_is_valid_on_endpoint_validate_venue(): # Given header_origin = 'http://random.url.fr' endpoint = 'validate_venue' # When is_valid_header = check_origin_header_validity(header_origin, endpoint, '/') # Then assert is_valid_header
def test_is_valid_header_when_is_staging_and_header_is_app_passculture_staging_for_normal_endpoint( ): # Given header_origin = 'http://app.passculture-staging.beta.gouv.fr' endpoint = 'list_offers' # When is_valid_header = check_origin_header_validity(header_origin, endpoint, '/') # Then assert is_valid_header
def test_is_valid_header_when_is_dev_and_header_is_local_host_for_normal_endpoint( ): # Given header_origin = 'http://localhost:3000' endpoint = 'list_offers' # When is_valid_header = check_origin_header_validity(header_origin, endpoint, '/') # Then assert is_valid_header
def test_is_valid_header_when_not_staging_not_dev_and_header_is_pro_passculture_for_exception_endpoint( ): # Given header_origin = 'http://random.url.frv' endpoint = 'patch_booking_by_token' # When is_valid_header = check_origin_header_validity(header_origin, endpoint, '/') # Then assert is_valid_header
def test_not_valid_header_when_not_staging_not_dev_and_header_is_pro_passculture_for_normal_endpoint( ): # Given header_origin = 'http://pro.passculture.beta.gouv.fr' endpoint = 'list_offers' # When is_valid_header = check_origin_header_validity(header_origin, endpoint, '/') # Then assert is_valid_header
def check_valid_origin_header(): header = request.headers.get('origin') endpoint = request.endpoint if not check_origin_header_validity(header, endpoint, request.path): raise InvalidOriginHeader