mattermost/server/channels/api4/cors_test.go

// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.

package api4

import (
	"fmt"
	"net/http"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/mattermost/mattermost/server/public/model"
	"github.com/mattermost/mattermost/server/v8/channels/store/storetest/mocks"
)

const (
	acAllowOrigin      = "Access-Control-Allow-Origin"
	acExposeHeaders    = "Access-Control-Expose-Headers"
	acMaxAge           = "Access-Control-Max-Age"
	acAllowCredentials = "Access-Control-Allow-Credentials"
	acAllowMethods     = "Access-Control-Allow-Methods"
	acAllowHeaders     = "Access-Control-Allow-Headers"
)

func TestCORSRequestHandling(t *testing.T) {
	mainHelper.Parallel(t)
	for name, testcase := range map[string]struct {
		AllowCorsFrom            string
		CorsExposedHeaders       string
		CorsAllowCredentials     bool
		ModifyRequest            func(req *http.Request)
		ExpectedAllowOrigin      string
		ExpectedExposeHeaders    string
		ExpectedAllowCredentials string
	}{
		"NoCORS": {
			"",
			"",
			false,
			func(req *http.Request) {
			},
			"",
			"",
			"",
		},
		"CORSEnabled": {
			"http://somewhere.com",
			"",
			false,
			func(req *http.Request) {
			},
			"",
			"",
			"",
		},
		"CORSEnabledStarOrigin": {
			"*",
			"",
			false,
			func(req *http.Request) {
				req.Header.Set("Origin", "http://pre-release.mattermost.com")
			},
			"*",
			"",
			"",
		},
		"CORSEnabledStarNoOrigin": { // CORS spec requires this, not a bug.
			"*",
			"",
			false,
			func(req *http.Request) {
			},
			"",
			"",
			"",
		},
		"CORSEnabledMatching": {
			"http://mattermost.com",
			"",
			false,
			func(req *http.Request) {
				req.Header.Set("Origin", "http://mattermost.com")
			},
			"http://mattermost.com",
			"",
			"",
		},
		"CORSEnabledMultiple": {
			"http://spinmint.com http://mattermost.com",
			"",
			false,
			func(req *http.Request) {
				req.Header.Set("Origin", "http://mattermost.com")
			},
			"http://mattermost.com",
			"",
			"",
		},
		"CORSEnabledWithCredentials": {
			"http://mattermost.com",
			"",
			true,
			func(req *http.Request) {
				req.Header.Set("Origin", "http://mattermost.com")
			},
			"http://mattermost.com",
			"",
			"true",
		},
		"CORSEnabledWithHeaders": {
			"http://mattermost.com",
			"x-my-special-header x-blueberry",
			true,
			func(req *http.Request) {
				req.Header.Set("Origin", "http://mattermost.com")
			},
			"http://mattermost.com",
			"X-My-Special-Header, X-Blueberry",
			"true",
		},
	} {
		t.Run(name, func(t *testing.T) {
			th := SetupConfigWithStoreMock(t, func(cfg *model.Config) {
				*cfg.ServiceSettings.AllowCorsFrom = testcase.AllowCorsFrom
				*cfg.ServiceSettings.CorsExposedHeaders = testcase.CorsExposedHeaders
				*cfg.ServiceSettings.CorsAllowCredentials = testcase.CorsAllowCredentials
			})
			licenseStore := mocks.LicenseStore{}
			licenseStore.On("Get", "").Return(&model.LicenseRecord{}, nil)
			th.App.Srv().Store().(*mocks.Store).On("License").Return(&licenseStore)

			port := th.App.Srv().ListenAddr.Port
			host := fmt.Sprintf("http://localhost:%v", port)
			url := fmt.Sprintf("%v/api/v4/system/ping", host)

			req, err := http.NewRequest("GET", url, nil)
			require.NoError(t, err)
			testcase.ModifyRequest(req)

			client := &http.Client{}
			resp, err := client.Do(req)
			require.NoError(t, err)
			assert.Equal(t, http.StatusOK, resp.StatusCode)
			assert.Equal(t, testcase.ExpectedAllowOrigin, resp.Header.Get(acAllowOrigin))
			assert.Equal(t, testcase.ExpectedExposeHeaders, resp.Header.Get(acExposeHeaders))
			assert.Equal(t, "", resp.Header.Get(acMaxAge))
			assert.Equal(t, testcase.ExpectedAllowCredentials, resp.Header.Get(acAllowCredentials))
			assert.Equal(t, "", resp.Header.Get(acAllowMethods))
			assert.Equal(t, "", resp.Header.Get(acAllowHeaders))
		})
	}
}
Consistent license message for all the go files (#13235) * Consistent license message for all the go files * Fixing the last set of unconsistencies with the license headers * Addressing PR review comments * Fixing busy.go and busy_test.go license header 2019-11-29 06:59:40 -05:00			`// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.`
			`// See LICENSE.txt for license information.`

MM-11160 Adding proper CORS support. (#9152) * Adding proper CORS support. * Better CORS tests. 2018-07-26 11:31:22 -04:00			`package api4`

			`import (`
			`"fmt"`
			`"net/http"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
command_help_test, cors_test: use testify (#12941) * command_help_test, cors_test: use testify * cors_test: remove extraneous lines * command_help_test: remove extraneous lines * command_help_test: set checks to nonterminal 2019-10-28 11:52:51 -04:00			`"github.com/stretchr/testify/require"`
goimports (#16640) * format using `goimports -local github.com/mattermost/mattermost-server/v5 -w` * added goimports lint check to .golangci.yml * format using `goimports -local github.com/mattermost/mattermost-server/v5 -w` for a corner case * make app-layers, *-mocks and store-layers for ci check Co-authored-by: Mahmudul Haque <mahmudulhaque@protonmail.com> Co-authored-by: Mattermod <mattermod@users.noreply.github.com> 2021-01-07 12:12:43 -05:00
MM-53032: Fix module path after repo rename (#23689) It was a good decision in hindsight to keep the public module as 0.x because this would have been a breaking change again. https://mattermost.atlassian.net/browse/MM-53032 ```release-note Changed the Go module path from github.com/mattermost/mattermost-server/server/v8 to github.com/mattermost/mattermost/server/v8. For the public facing module, it's path is also changed from github.com/mattermost/mattermost-server/server/public to github.com/mattermost/mattermost/server/public ``` 2023-06-11 01:24:35 -04:00			`"github.com/mattermost/mattermost/server/public/model"`
			`"github.com/mattermost/mattermost/server/v8/channels/store/storetest/mocks"`
MM-11160 Adding proper CORS support. (#9152) * Adding proper CORS support. * Better CORS tests. 2018-07-26 11:31:22 -04:00			`)`

			`const (`
			`acAllowOrigin = "Access-Control-Allow-Origin"`
			`acExposeHeaders = "Access-Control-Expose-Headers"`
			`acMaxAge = "Access-Control-Max-Age"`
			`acAllowCredentials = "Access-Control-Allow-Credentials"`
			`acAllowMethods = "Access-Control-Allow-Methods"`
			`acAllowHeaders = "Access-Control-Allow-Headers"`
			`)`

			`func TestCORSRequestHandling(t *testing.T) {`
[MM-62408] Server Code Coverage with Fully Parallel Tests (#30078) * TestPool * Store infra * Store tests updates * Bump maximum concurrent postgres connections * More infra * channels/jobs * channels/app * channels/api4 * Protect i18n from concurrent access * Replace some use of os.Setenv * Remove debug * Lint fixes * Fix more linting * Fix test * Remove use of Setenv in drafts tests * Fix flaky TestWebHubCloseConnOnDBFail * Fix merge * [MM-62408] Add CI job to generate test coverage (#30284) * Add CI job to generate test coverage * Remove use of Setenv in drafts tests * Fix flaky TestWebHubCloseConnOnDBFail * Fix more Setenv usage * Fix more potential flakyness * Remove parallelism from flaky test * Remove conflicting env var * Fix * Disable parallelism * Test atomic covermode * Disable parallelism * Enable parallelism * Add upload coverage step * Fix codecov.yml * Add codecov.yml * Remove redundant workspace field * Add Parallel() util methods and refactor * Fix formatting * More formatting fixes * Fix reporting 2025-05-30 07:58:26 -04:00			`mainHelper.Parallel(t)`
MM-11160 Adding proper CORS support. (#9152) * Adding proper CORS support. * Better CORS tests. 2018-07-26 11:31:22 -04:00			`for name, testcase := range map[string]struct {`
			`AllowCorsFrom string`
			`CorsExposedHeaders string`
			`CorsAllowCredentials bool`
			`ModifyRequest func(req *http.Request)`
			`ExpectedAllowOrigin string`
			`ExpectedExposeHeaders string`
			`ExpectedAllowCredentials string`
			`}{`
			`"NoCORS": {`
			`"",`
			`"",`
			`false,`
			`func(req *http.Request) {`
			`},`
			`"",`
			`"",`
			`"",`
			`},`
			`"CORSEnabled": {`
			`"http://somewhere.com",`
			`"",`
			`false,`
			`func(req *http.Request) {`
			`},`
			`"",`
			`"",`
			`"",`
			`},`
			`"CORSEnabledStarOrigin": {`
			`"*",`
			`"",`
			`false,`
			`func(req *http.Request) {`
			`req.Header.Set("Origin", "http://pre-release.mattermost.com")`
			`},`
			`"*",`
			`"",`
			`"",`
			`},`
			`"CORSEnabledStarNoOrigin": { // CORS spec requires this, not a bug.`
			`"*",`
			`"",`
			`false,`
			`func(req *http.Request) {`
			`},`
			`"",`
			`"",`
			`"",`
			`},`
			`"CORSEnabledMatching": {`
			`"http://mattermost.com",`
			`"",`
			`false,`
			`func(req *http.Request) {`
			`req.Header.Set("Origin", "http://mattermost.com")`
			`},`
			`"http://mattermost.com",`
			`"",`
			`"",`
			`},`
			`"CORSEnabledMultiple": {`
			`"http://spinmint.com http://mattermost.com",`
			`"",`
			`false,`
			`func(req *http.Request) {`
			`req.Header.Set("Origin", "http://mattermost.com")`
			`},`
			`"http://mattermost.com",`
			`"",`
			`"",`
			`},`
			`"CORSEnabledWithCredentials": {`
			`"http://mattermost.com",`
			`"",`
			`true,`
			`func(req *http.Request) {`
			`req.Header.Set("Origin", "http://mattermost.com")`
			`},`
			`"http://mattermost.com",`
			`"",`
			`"true",`
			`},`
			`"CORSEnabledWithHeaders": {`
			`"http://mattermost.com",`
			`"x-my-special-header x-blueberry",`
			`true,`
			`func(req *http.Request) {`
			`req.Header.Set("Origin", "http://mattermost.com")`
			`},`
			`"http://mattermost.com",`
			`"X-My-Special-Header, X-Blueberry",`
			`"true",`
			`},`
			`} {`
			`t.Run(name, func(t *testing.T) {`
Adding changes to separate unit tests and integration tests (#13670) * Introducing unit (not integration) tests for the app layer * Initial support for unit tests at the API * Adding unit tests support to the store layer * Add unit tests support in commands * Adding last tests needed for run unit tests properly * Fixing govet * Removing some duplication * Fixing tests * Fixing tests * Not compiling test helpers with the main module for api * Revert "Not compiling test helpers with the main module for api" This reverts commit 36a199bbe0f7503f665f5d6c7b41c53aabc2e54f. * Fixing tests * Fixing unit tests * More consistency between api4/apiteslib.go and app/helper_test.go * Renaming things to make more obvious the new Setup functions purpose * Reverting change in go.sum * Start with empty mock for app layer * Start with empty mock for api layer * Start with empty mock for web layer * Renaming SetupWithStoreMockConfig to SetupConfigWithStoreMock * Fixing tests on web package * Removing unnecesary function 2020-03-02 11:13:39 -05:00			`th := SetupConfigWithStoreMock(t, func(cfg *model.Config) {`
MM-11160 Adding proper CORS support. (#9152) * Adding proper CORS support. * Better CORS tests. 2018-07-26 11:31:22 -04:00			`*cfg.ServiceSettings.AllowCorsFrom = testcase.AllowCorsFrom`
			`*cfg.ServiceSettings.CorsExposedHeaders = testcase.CorsExposedHeaders`
			`*cfg.ServiceSettings.CorsAllowCredentials = testcase.CorsAllowCredentials`
			`})`
Removing all FakeApp usages (#14174) * Removing some other fake apps * More FakeApp removed * Removing entirely FakeApp * Fixing some tests * Fixing get Cluster id from get plugin status * Fixing failing tests * Fixing tests * Fixing test initialization for web * Fixing InitServer for server tests * Fixing InitServer for server tests * Reverting go.sum and go.mod * Removing unneded HTMLTemplates function in App layer * Moving back some functions to its old place to easy the review * Moving back some functions to its old place to easy the review * Using the last struct2interface version * Generating store layers * Fixing merge problems * Addressing PR comments * Small fix * Fixing app tests build * Fixing tests * fixing tests * Fix tests * Fixing tests * Fixing tests * Fixing tests * Moving license to server struct * Adding some fixes to the test compilation * Fixing cluster and some jobs initialization * Fixing some license tests compilation problems * Fixing recursive cache invalidation * Regenerating app layers * Fix test compilation Co-authored-by: mattermod <mattermod@users.noreply.github.com> 2020-06-12 07:43:50 -04:00			`licenseStore := mocks.LicenseStore{}`
			`licenseStore.On("Get", "").Return(&model.LicenseRecord{}, nil)`
Move cluster, webhub and store out of Server (#20899) 2022-10-06 04:04:21 -04:00			`th.App.Srv().Store().(*mocks.Store).On("License").Return(&licenseStore)`
MM-11160 Adding proper CORS support. (#9152) * Adding proper CORS support. * Better CORS tests. 2018-07-26 11:31:22 -04:00
MM-21898 - Part 1: Generate and use an interface instead of A… (#13840) Generate and use an interface instead of *App 2020-02-13 07:26:58 -05:00			`port := th.App.Srv().ListenAddr.Port`
MM-11160 Adding proper CORS support. (#9152) * Adding proper CORS support. * Better CORS tests. 2018-07-26 11:31:22 -04:00			`host := fmt.Sprintf("http://localhost:%v", port)`
			`url := fmt.Sprintf("%v/api/v4/system/ping", host)`

			`req, err := http.NewRequest("GET", url, nil)`
command_help_test, cors_test: use testify (#12941) * command_help_test, cors_test: use testify * cors_test: remove extraneous lines * command_help_test: remove extraneous lines * command_help_test: set checks to nonterminal 2019-10-28 11:52:51 -04:00			`require.NoError(t, err)`
MM-11160 Adding proper CORS support. (#9152) * Adding proper CORS support. * Better CORS tests. 2018-07-26 11:31:22 -04:00			`testcase.ModifyRequest(req)`

			`client := &http.Client{}`
			`resp, err := client.Do(req)`
command_help_test, cors_test: use testify (#12941) * command_help_test, cors_test: use testify * cors_test: remove extraneous lines * command_help_test: remove extraneous lines * command_help_test: set checks to nonterminal 2019-10-28 11:52:51 -04:00			`require.NoError(t, err)`
MM-11160 Adding proper CORS support. (#9152) * Adding proper CORS support. * Better CORS tests. 2018-07-26 11:31:22 -04:00			`assert.Equal(t, http.StatusOK, resp.StatusCode)`
			`assert.Equal(t, testcase.ExpectedAllowOrigin, resp.Header.Get(acAllowOrigin))`
			`assert.Equal(t, testcase.ExpectedExposeHeaders, resp.Header.Get(acExposeHeaders))`
			`assert.Equal(t, "", resp.Header.Get(acMaxAge))`
			`assert.Equal(t, testcase.ExpectedAllowCredentials, resp.Header.Get(acAllowCredentials))`
			`assert.Equal(t, "", resp.Header.Get(acAllowMethods))`
			`assert.Equal(t, "", resp.Header.Get(acAllowHeaders))`
			`})`
			`}`
			`}`