def test_get_response_headers_preflight_with_cache(self):
cors = CORSMiddleware(self.app, ['GET', 'PUT'], ['Accept'], 86400)
assert_equal(cors.get_response_headers(preflight=True),
[('Access-Control-Allow-Origin', '*'),
('Access-Control-Allow-Methods', 'GET, PUT'),
('Access-Control-Allow-Headers', 'accept'),
('Access-Control-Max-Age', '86400')])
def test_get_response_headers_preflight_with_cache(self):
cors = CORSMiddleware(self.app, ['GET', 'PUT'], ['Accept'], 86400)
assert_equal(cors.get_response_headers(preflight=True),
[('Access-Control-Allow-Origin', '*'),
('Access-Control-Allow-Methods', 'GET, PUT'),
('Access-Control-Allow-Headers', 'accept'),
('Access-Control-Max-Age', '86400')])
class TestCORSMiddleware(object):
def setUp(self):
self.app = MagicMock()
self.allowed_methods = ['GET', 'POST', 'DELETE']
self.allowed_headers = ['Authorization', 'Accept']
self.cors = CORSMiddleware(self.app, self.allowed_methods,
self.allowed_headers)
def test_init(self):
cors = CORSMiddleware(self.app, ['get', 'post'], ['Some-Header'])
assert_equal(cors.app, self.app)
assert_equal(cors.allowed_methods, ['GET', 'POST'])
assert_equal(cors.allowed_headers, set(['some-header']))
def test_call_not_api_request(self):
callback = MagicMock()
env = {'PATH_INFO': '/p/test/'}
self.cors(env, callback)
self.app.assert_called_once_with(env, callback)
def test_call_invalid_cors(self):
callback = MagicMock()
env = {'PATH_INFO': '/rest/p/test/'}
self.cors(env, callback)
self.app.assert_called_once_with(env, callback)
def test_handle_call_simple_request(self):
callback = MagicMock()
env = {
'PATH_INFO': '/rest/p/test/',
'HTTP_ORIGIN': 'my.site.com',
'REQUEST_METHOD': 'GET'
}
self.cors(env, callback)
assert_equal(self.app.call_count, 1)
assert_equal(self.app.call_args_list[0][0][0], env)
assert_not_equal(self.app.call_args_list[0][0][1], callback)
@patch('allura.lib.custom_middleware.exc', autospec=True)
def test_handle_call_preflight_request(self, exc):
callback = MagicMock()
env = {
'PATH_INFO': '/rest/p/test/',
'HTTP_ORIGIN': 'my.site.com',
'REQUEST_METHOD': 'OPTIONS',
'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'POST'
}
self.cors(env, callback)
assert_equal(self.app.call_count, 0)
exc.HTTPOk.assert_called_once_with(headers=[(
'Access-Control-Allow-Origin',
'*'), ('Access-Control-Allow-Methods', 'GET, POST, DELETE'
), ('Access-Control-Allow-Headers',
'accept, authorization')])
exc.HTTPOk.return_value.assert_called_once_with(env, callback)
def test_get_response_headers_simple(self):
# Allow-Origin: * is crucial for security, since that prevents browsers from exposing results fetched withCredentials: true (aka cookies)
assert_equal(self.cors.get_response_headers(),
[('Access-Control-Allow-Origin', '*')])
assert_equal(self.cors.get_response_headers(preflight=False),
[('Access-Control-Allow-Origin', '*')])
def test_get_response_headers_preflight(self):
assert_equal(
self.cors.get_response_headers(preflight=True),
[('Access-Control-Allow-Origin', '*'),
('Access-Control-Allow-Methods', 'GET, POST, DELETE'),
('Access-Control-Allow-Headers', 'accept, authorization')])
def test_get_response_headers_preflight_with_cache(self):
cors = CORSMiddleware(self.app, ['GET', 'PUT'], ['Accept'], 86400)
assert_equal(cors.get_response_headers(preflight=True),
[('Access-Control-Allow-Origin', '*'),
('Access-Control-Allow-Methods', 'GET, PUT'),
('Access-Control-Allow-Headers', 'accept'),
('Access-Control-Max-Age', '86400')])
def test_get_access_control_request_headers(self):
key = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'
f = self.cors.get_access_control_request_headers
assert_equal(f({}), set())
assert_equal(f({key: ''}), set())
assert_equal(f({key: 'Authorization, Accept'}),
set(['authorization', 'accept']))
class TestCORSMiddleware(object):
def setUp(self):
self.app = MagicMock()
self.allowed_methods = ['GET', 'POST', 'DELETE']
self.allowed_headers = ['Authorization', 'Accept']
self.cors = CORSMiddleware(
self.app,
self.allowed_methods,
self.allowed_headers)
def test_init(self):
cors = CORSMiddleware(self.app, ['get', 'post'], ['Some-Header'])
assert_equal(cors.app, self.app)
assert_equal(cors.allowed_methods, ['GET', 'POST'])
assert_equal(cors.allowed_headers, set(['some-header']))
def test_call_not_api_request(self):
callback = MagicMock()
env = {'PATH_INFO': '/p/test/'}
self.cors(env, callback)
self.app.assert_called_once_with(env, callback)
def test_call_invalid_cors(self):
callback = MagicMock()
env = {'PATH_INFO': '/rest/p/test/'}
self.cors(env, callback)
self.app.assert_called_once_with(env, callback)
def test_handle_call_simple_request(self):
callback = MagicMock()
env = {'PATH_INFO': '/rest/p/test/',
'HTTP_ORIGIN': 'my.site.com',
'REQUEST_METHOD': 'GET'}
self.cors(env, callback)
assert_equal(self.app.call_count, 1)
assert_equal(self.app.call_args_list[0][0][0], env)
assert_not_equal(self.app.call_args_list[0][0][1], callback)
@patch('allura.lib.custom_middleware.exc', autospec=True)
def test_handle_call_preflight_request(self, exc):
callback = MagicMock()
env = {'PATH_INFO': '/rest/p/test/',
'HTTP_ORIGIN': 'my.site.com',
'REQUEST_METHOD': 'OPTIONS',
'HTTP_ACCESS_CONTROL_REQUEST_METHOD': 'POST'}
self.cors(env, callback)
assert_equal(self.app.call_count, 0)
exc.HTTPOk.assert_called_once_with(headers=[
('Access-Control-Allow-Origin', '*'),
('Access-Control-Allow-Methods', 'GET, POST, DELETE'),
('Access-Control-Allow-Headers', 'accept, authorization')
])
exc.HTTPOk.return_value.assert_called_once_with(env, callback)
def test_get_response_headers_simple(self):
# Allow-Origin: * is crucial for security, since that prevents browsers from exposing results fetched withCredentials: true (aka cookies)
assert_equal(self.cors.get_response_headers(),
[('Access-Control-Allow-Origin', '*')])
assert_equal(self.cors.get_response_headers(preflight=False),
[('Access-Control-Allow-Origin', '*')])
def test_get_response_headers_preflight(self):
assert_equal(
self.cors.get_response_headers(preflight=True),
[('Access-Control-Allow-Origin', '*'),
('Access-Control-Allow-Methods', 'GET, POST, DELETE'),
('Access-Control-Allow-Headers', 'accept, authorization')])
def test_get_response_headers_preflight_with_cache(self):
cors = CORSMiddleware(self.app, ['GET', 'PUT'], ['Accept'], 86400)
assert_equal(cors.get_response_headers(preflight=True),
[('Access-Control-Allow-Origin', '*'),
('Access-Control-Allow-Methods', 'GET, PUT'),
('Access-Control-Allow-Headers', 'accept'),
('Access-Control-Max-Age', '86400')])
def test_get_access_control_request_headers(self):
key = 'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'
f = self.cors.get_access_control_request_headers
assert_equal(f({}), set())
assert_equal(f({key: ''}), set())
assert_equal(f({key: 'Authorization, Accept'}),
set(['authorization', 'accept']))
