Exemplo n.º 1
0
def test_origin_policy_match():
    policy = free.copy()
    policy[
        "pol_origin"] = "http://example.com example?.com https://*.example.com"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for origin, expected in [("localhost", None),
                             ("http://example.com", "http://example.com"),
                             ("example2.com", "example2.com"),
                             ("https://www.example.com",
                              "https://www.example.com")]:
        yield preflight_check_result, corsed, "Origin", origin, expected

    ### actual request

    for origin, origin_expected, vary_expected in [
        ("localhost", None, None),
        ("http://example.com", "http://example.com", "Origin"),
        ("example2.com", "example2.com", "Origin"),
        ("https://www.example.com", "https://www.example.com", "Origin")
    ]:
        yield request_check_result, corsed, "Origin", origin, origin_expected, (
            "Vary", vary_expected)
Exemplo n.º 2
0
def testwildcard():
    corsed = mw(Response(), wildcard)
    res = deniedpreflight.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == ""
    assert res.headers.get("Access-Control-Allow-Credentials", "") == "true"
    assert res.headers.get("Access-Control-Allow-Methods", "") == "post"
    assert res.headers.get("Access-Control-Allow-Headers", "") == "*"
    assert res.headers.get("Access-Control-Max-Age", "0") == "100"
    assert "Access-Control-Expose-Headers" not in res.headers
    assert "Vary" not in res.headers

    res = allowedpreflight.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "sub.example.com"
    assert res.headers.get("Access-Control-Allow-Credentials", "") == "true"
    assert res.headers.get("Access-Control-Allow-Methods", "") == "post"
    assert res.headers.get("Access-Control-Allow-Headers", "") == "*"
    assert res.headers.get("Access-Control-Max-Age", "0") == "100"
    assert "Access-Control-Expose-Headers" not in res.headers
    assert "Vary" not in res.headers

    res = post.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "example.com"
    assert res.headers.get("Access-Control-Allow-Credentials", "") == "true"
    assert "Access-Control-Expose-Headers" not in res.headers
    assert res.headers.get("Vary", "") == "Origin"

    res = post3.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "sub.example.com"
    assert res.headers.get("Access-Control-Allow-Credentials", "") == "true"
    assert "Access-Control-Expose-Headers" not in res.headers
    assert res.headers.get("Vary", "") == "Origin"
Exemplo n.º 3
0
def test_non_preflight_are_not_answered():
    "requests that don't match preflight criteria are ignored"
    corsed = mw(Response("this is not a preflight response"), free)

    for drop_header in preflight_headers.keys():
        hdr=preflight_headers.copy()
        del hdr[drop_header]
        yield non_preflight_are_not_answered, corsed, hdr
Exemplo n.º 4
0
def test_non_preflight_are_not_answered():
    "requests that don't match preflight criteria are ignored"
    corsed = mw(Response("this is not a preflight response"), free)

    for drop_header in preflight_headers.keys():
        hdr = preflight_headers.copy()
        del hdr[drop_header]
        yield non_preflight_are_not_answered, corsed, hdr
Exemplo n.º 5
0
def test_selectPolicy_verbmatch():
    "check whether correct policy is returned"
    multi2 = verbmulti.copy()
    multi2["policy"] = "pol2,pol1"
    multi2["matchstrategy"] = "verbmatch"
    corsed = mw(Response("this is not a preflight response"), multi2)

    policyname, ret_origin = corsed.selectPolicy("ourdomain", "PUT")
    assert policyname == "pol1", "'pol1' should have been returned since it matches both origin and verb first (but result was: '%s')" % policyname

    multi2 = verbmulti.copy()
    multi2["policy"] = "pol2,pol1"
    multi2["matchstrategy"] = "verbmatch"
    multi2["pol1_methods"] = "*"
    corsed = mw(Response("this is not a preflight response"), multi2)

    policyname, ret_origin = corsed.selectPolicy("ourdomain", "PUT")
    assert policyname == "pol1", "'pol1' should have been returned since it matches both origin and verb first (but result was: '%s')" % policyname
Exemplo n.º 6
0
def test_selectPolicy_verbmatch():
    "check whether correct policy is returned"
    multi2 = verbmulti.copy()
    multi2["policy"] = "pol2,pol1"
    multi2["matchstrategy"] = "verbmatch"
    corsed = mw(Response("this is not a preflight response"), multi2)
    
    policyname, ret_origin = corsed.selectPolicy("ourdomain", "PUT")
    assert policyname == "pol1", "'pol1' should have been returned since it matches both origin and verb first (but result was: '%s')" % policyname

    multi2 = verbmulti.copy()
    multi2["policy"] = "pol2,pol1"
    multi2["matchstrategy"] = "verbmatch"
    multi2["pol1_methods"] = "*"
    corsed = mw(Response("this is not a preflight response"), multi2)
    
    policyname, ret_origin = corsed.selectPolicy("ourdomain", "PUT")
    assert policyname == "pol1", "'pol1' should have been returned since it matches both origin and verb first (but result was: '%s')" % policyname
Exemplo n.º 7
0
def test_selectPolicy():
    "check whether correct policy is returned"
    multi2 = multi.copy()
    multi2["policy"] = "pol2,pol1"
    corsed = mw(Response("this is not a preflight response"), multi2)

    policyname, ret_origin = corsed.selectPolicy("palim.woopy.com")
    assert policyname == "pol2", "'pol2' should have been returned since it matches first (but result was: '%s')" % policyname
    assert ret_origin == "palim.woopy.com", "'palim.woopy.com' expected since its matched by pol2 (but result was: '%s')" % ret_origin

    policyname, ret_origin = corsed.selectPolicy("palim.com")
    assert policyname == "pol1", "'pol1' should have been returned since it matches first (but result was: '%s')" % policyname
    assert ret_origin == "*", "'*' expected since its matched by pol1 (but result was: '%s')" % ret_origin

    multi2 = multi.copy()
    multi2["policy"] = "pol1,pol2"
    corsed = mw(Response("this is not a preflight response"), multi2)
    policyname, ret_origin = corsed.selectPolicy("palim.woopy.com")
    assert policyname == "pol1", "'pol1' should have been returned since it matches first (but result was: '%s')" % policyname
    assert ret_origin == "*", "'*' expectedsince its matched by pol1 (but result was: '%s')" % ret_origin
Exemplo n.º 8
0
def testdeny():
    corsed = mw(Response(), deny)
    res = preflight.get_response(corsed)
    assert "Access-Control-Allow-Origin" not in res.headers
    assert "Access-Control-Allow-Credentials" not in res.headers
    assert "Access-Control-Allow-Methods" not in res.headers
    assert "Access-Control-Allow-Headers" not in res.headers
    assert "Access-Control-Max-Age" not in res.headers

    res = post.get_response(corsed)
    assert "Access-Control-Allow-Origin" not in res.headers
    assert "Access-Control-Allow-Credentials" not in res.headers
Exemplo n.º 9
0
def testfree():
    corsed = mw(Response(), free)
    res = preflight.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "*"
    assert res.headers.get("Access-Control-Allow-Credentials", "") == "true"
    assert res.headers.get("Access-Control-Allow-Methods", "") == "post"
    assert res.headers.get("Access-Control-Allow-Headers", "") == "*"
    assert res.headers.get("Access-Control-Max-Age", "0") == "100"

    res = post.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "example.com"
    assert res.headers.get("Access-Control-Allow-Credentials", "") == "true"
Exemplo n.º 10
0
def test_selectPolicy_firstmatch():
    "check whether correct policy is returned"
    multi2 = multi.copy()
    multi2["policy"] = "pol2,pol1"
    multi2["matchstrategy"] = "firstmatch"
    corsed = mw(Response("this is not a preflight response"), multi2)
    
    policyname, ret_origin = corsed.selectPolicy("palim.woopy.com")
    assert policyname == "pol2", "'pol2' should have been returned since it matches first (but result was: '%s')" % policyname
    assert ret_origin == "palim.woopy.com", "'palim.woopy.com' expected since its matched by pol2 (but result was: '%s')" % ret_origin

    policyname, ret_origin = corsed.selectPolicy("palim.com")
    assert policyname == "pol1", "'pol1' should have been returned since it matches first (but result was: '%s')" % policyname
    assert ret_origin == "*", "'*' expected since its matched by pol1 (but result was: '%s')" % ret_origin

    multi2 = multi.copy()
    multi2["policy"] = "pol1,pol2"
    corsed = mw(Response("this is not a preflight response"), multi2)
    policyname, ret_origin = corsed.selectPolicy("palim.woopy.com")
    assert policyname == "pol1", "'pol1' should have been returned since it matches first (but result was: '%s')" % policyname
    assert ret_origin == "*", "'*' expectedsince its matched by pol1 (but result was: '%s')" % ret_origin
Exemplo n.º 11
0
def testdeny():
    "Denied policy"
    corsed = mw(Response("non preflight"), deny)
    preflight = prepRequest(preflight_headers)
    res = preflight.get_response(corsed)
    assert res.body.decode("utf-8") == "", "Body must be empty but was:%s" % res.body
    assert "Access-Control-Allow-Origin" not in res.headers, "Header should not be in repsonse"
    assert "Access-Control-Allow-Credentials" not in res.headers, "Header should not be in repsonse"
    assert "Access-Control-Allow-Methods" not in res.headers, "Header should not be in repsonse"
    assert "Access-Control-Allow-Headers" not in res.headers, "Header should not be in repsonse"
    assert "Access-Control-Max-Age" not in res.headers, "Header should not be in repsonse"
    assert "Access-Control-Expose-Headers" not in res.headers, "Header should not be in repsonse"
    assert "Vary" not in res.headers, "Header should not be in repsonse"
Exemplo n.º 12
0
def testverbatim():

    corsed = mw(Response(), verbatim)
    res = preflight.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "example.com"
    assert res.headers.get("Access-Control-Allow-Credentials", "") == "true"
    assert res.headers.get("Access-Control-Allow-Methods", "") == "put,delete"
    assert res.headers.get("Access-Control-Allow-Headers", "") == "header1,header2"
    assert res.headers.get("Access-Control-Max-Age", "0") == "100"

    res = post.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "example.com"
    assert res.headers.get("Access-Control-Allow-Credentials", "") == "true"
Exemplo n.º 13
0
def testdeny():
    "Denied policy"
    corsed = mw(Response("non preflight"), deny)
    preflight = prepRequest(preflight_headers)
    res = preflight.get_response(corsed)
    assert res.body.decode(
        "utf-8") == "", "Body must be empty but was:%s" % res.body
    assert "Access-Control-Allow-Origin" not in res.headers, "Header should not be in repsonse"
    assert "Access-Control-Allow-Credentials" not in res.headers, "Header should not be in repsonse"
    assert "Access-Control-Allow-Methods" not in res.headers, "Header should not be in repsonse"
    assert "Access-Control-Allow-Headers" not in res.headers, "Header should not be in repsonse"
    assert "Access-Control-Max-Age" not in res.headers, "Header should not be in repsonse"
    assert "Access-Control-Expose-Headers" not in res.headers, "Header should not be in repsonse"
    assert "Vary" not in res.headers, "Header should not be in repsonse"
Exemplo n.º 14
0
def test_req_origin_no_match():
    "sending a post from a disallowed host => no allow headers will be returned"

    corsed = mw(Response(), verbatim)
    res = preflight.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "example.com"
    assert res.headers.get("Access-Control-Allow-Credentials", "") == "true"
    assert res.headers.get("Access-Control-Allow-Methods", "") == "put,delete"
    assert res.headers.get("Access-Control-Allow-Headers", "") == "header1,header2"
    assert res.headers.get("Access-Control-Max-Age", "0") == "100"

    res = post2.get_response(corsed)
    assert "Access-Control-Allow-Origin" not in res.headers
    assert "Access-Control-Allow-Credentials" not in res.headers
Exemplo n.º 15
0
def test_method_policy_fixed():
    policy = free.copy()
    policy["pol_methods"] = "PUT, GET"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "PUT, GET")]:
        yield preflight_check_result, corsed, "Method", requested, expected

    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Method", requested, expected
Exemplo n.º 16
0
def test_headers_policy_fixed():
    policy = free.copy()
    policy["pol_headers"] = "Wooble"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "Wooble")]:
        yield preflight_check_result, corsed, "Headers", requested, expected

    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected
Exemplo n.º 17
0
def test_method_policy_fixed():
    policy = free.copy()
    policy["pol_methods"] = "PUT, GET"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "PUT, GET")]:
        yield preflight_check_result, corsed, "Method", requested, expected


    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Method", requested, expected
Exemplo n.º 18
0
def test_headers_policy_fixed():
    policy = free.copy()
    policy["pol_headers"] = "Wooble"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "Wooble")]:
        yield preflight_check_result, corsed, "Headers", requested, expected


    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected
Exemplo n.º 19
0
def test_origin_policy_all():
    policy = free.copy()
    policy["pol_origin"] = "*"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for origin, expected in [("localhost", "*")]:
        yield preflight_check_result, corsed, "Origin", origin, expected


    ### actual request

    for origin, origin_expected, vary_expected in [("localhost", "localhost", None)]:
        yield request_check_result, corsed, "Origin", origin, origin_expected, ("Vary", vary_expected)
Exemplo n.º 20
0
def testfree_nocred():
    """
    similar to free, but the actual request will be answered 
    with a '*' for allowed origin
    """

    corsed = mw(Response(), free_nocred)
    res = preflight.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "*"
    assert res.headers.get("Access-Control-Allow-Credentials", None) == None
    assert res.headers.get("Access-Control-Allow-Methods", "") == "post"
    assert res.headers.get("Access-Control-Allow-Headers", "") == "*"
    assert res.headers.get("Access-Control-Max-Age", "0") == "100"

    res = post.get_response(corsed)
    assert res.headers.get("Access-Control-Allow-Origin", "") == "*"
    assert res.headers.get("Access-Control-Allow-Credentials", None) == None
Exemplo n.º 21
0
def test_expose_header_policy_unset():
    "No Expose-Headers in actual request if not given"
    policy = free.copy()
    del policy["pol_expose_headers"]

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "woopy")]:
        yield preflight_check_result, corsed, "Headers", requested, expected, ("Access-Control-Expose-Headers", None)


    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected, ("Access-Control-Expose-Headers", None)
Exemplo n.º 22
0
def test_expose_header_policy_set():
    "Add Expose-Headers in actual request if policy says so"
    policy = free.copy()
    policy["pol_expose_headers"] = "exposed"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "woopy")]:
        yield preflight_check_result, corsed, "Headers", requested, expected, ("Access-Control-Expose-Headers", None)


    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected, ("Access-Control-Expose-Headers", "exposed")
Exemplo n.º 23
0
def test_age_policy_unset():
    "Add Max-Age not in preflight response"
    policy = free.copy()
    del policy["pol_maxage"]

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "woopy")]:
        yield preflight_check_result, corsed, "Headers", requested, expected, ("Access-Control-Max-Age", None)


    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected, ("Access-Control-Max-Age", None)
Exemplo n.º 24
0
def test_credentials_policy_none():
    "Allow-Credentials should not be present"
    policy = free.copy()
    del policy["pol_credentials"]

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "woopy")]:
        yield preflight_check_result, corsed, "Headers", requested, expected, ("Access-Control-Allow-Credentials", None)


    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected, ("Access-Control-Allow-Credentials", None)
Exemplo n.º 25
0
def test_credentials_policy_no():
    "Allow-Credentials should not be present, if policy is different from 'yes'"
    policy = free.copy()
    policy["pol_credentials"] = "no" # something different from "yes"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "woopy")]:
        yield preflight_check_result, corsed, "Headers", requested, expected, ("Access-Control-Allow-Credentials", None)


    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected, ("Access-Control-Allow-Credentials", None)
Exemplo n.º 26
0
def test_origin_policy_all():
    policy = free.copy()
    policy["pol_origin"] = "*"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for origin, expected in [("localhost", "*")]:
        yield preflight_check_result, corsed, "Origin", origin, expected

    ### actual request

    for origin, origin_expected, vary_expected in [("localhost", "localhost",
                                                    None)]:
        yield request_check_result, corsed, "Origin", origin, origin_expected, (
            "Vary", vary_expected)
Exemplo n.º 27
0
def test_credentials_policy_none():
    "Allow-Credentials should not be present"
    policy = free.copy()
    del policy["pol_credentials"]

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "woopy")]:
        yield preflight_check_result, corsed, "Headers", requested, expected, (
            "Access-Control-Allow-Credentials", None)

    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected, (
            "Access-Control-Allow-Credentials", None)
Exemplo n.º 28
0
def test_age_policy_unset():
    "Add Max-Age not in preflight response"
    policy = free.copy()
    del policy["pol_maxage"]

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "woopy")]:
        yield preflight_check_result, corsed, "Headers", requested, expected, (
            "Access-Control-Max-Age", None)

    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected, (
            "Access-Control-Max-Age", None)
Exemplo n.º 29
0
def test_credentials_policy_no():
    "Allow-Credentials should not be present, if policy is different from 'yes'"
    policy = free.copy()
    policy["pol_credentials"] = "no"  # something different from "yes"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "woopy")]:
        yield preflight_check_result, corsed, "Headers", requested, expected, (
            "Access-Control-Allow-Credentials", None)

    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected, (
            "Access-Control-Allow-Credentials", None)
Exemplo n.º 30
0
def test_expose_header_policy_set():
    "Add Expose-Headers in actual request if policy says so"
    policy = free.copy()
    policy["pol_expose_headers"] = "exposed"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "woopy")]:
        yield preflight_check_result, corsed, "Headers", requested, expected, (
            "Access-Control-Expose-Headers", None)

    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected, (
            "Access-Control-Expose-Headers", "exposed")
Exemplo n.º 31
0
def test_expose_header_policy_unset():
    "No Expose-Headers in actual request if not given"
    policy = free.copy()
    del policy["pol_expose_headers"]

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for requested, expected in [("woopy", "woopy")]:
        yield preflight_check_result, corsed, "Headers", requested, expected, (
            "Access-Control-Expose-Headers", None)

    ### actual request

    for requested, expected in [("woopy", None)]:
        yield request_check_result, corsed, "Headers", requested, expected, (
            "Access-Control-Expose-Headers", None)
Exemplo n.º 32
0
def test_origin_policy_match():
    policy = free.copy()
    policy["pol_origin"] = "http://example.com example?.com https://*.example.com"

    corsed = mw(Response("non preflight response"), policy)

    ### preflight request

    for origin, expected in [("localhost", None), 
                             ("http://example.com", "http://example.com"), 
                             ("example2.com", "example2.com"), 
                             ("https://www.example.com", "https://www.example.com")]:
        yield preflight_check_result, corsed, "Origin", origin, expected


    ### actual request

    for origin, origin_expected, vary_expected in [("localhost", None, None), 
                                                   ("http://example.com", "http://example.com", "Origin"), 
                                                   ("example2.com", "example2.com", "Origin"), 
                                                   ("https://www.example.com", "https://www.example.com", "Origin")]:
        yield request_check_result, corsed, "Origin", origin, origin_expected, ("Vary", vary_expected)