comparison test/test_liveserver.py @ 7150:72a54826ff4f
better rest Origin check; refactor CORS preflight code.
A previous version allowed requests without an origin that should
require it (e.g. an OPTIONS or PATCH request). Moved the origin
checking logic into the main flow. It looks like this was limited to
OPTIONS/PATCH requests as handle_csrf() (called later in the main
flow) handles POST, PUT, DELETE verbs.
Refactored CORS preflight request code into functions and call them
from main flow. Also return immediately. Prior code processed the
options request a second time due to falling through.
Modified is_origin_header_ok to return True if the Origin header was missing
and the request was a GET request.
Fixed tests that make OPTIONS requests to supply origin.
Comment fixups.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 21 Feb 2023 16:42:20 -0500 |
| parents | 3c4047cdc77a |
| children | a9be849d4dd2 |
| 7149:282ba72a5615 | 7150:72a54826ff4f |
|---|---|
| 422 | 422 |
| 423 expected = '{ "error": { "status": 400, "msg": "Client is not ' \ | 423 expected = '{ "error": { "status": 400, "msg": "Client is not ' \ |
| 424 'allowed to use Rest Interface." } }' | 424 'allowed to use Rest Interface." } }' |
| 425 self.assertEqual(b2s(f.content), expected) | 425 self.assertEqual(b2s(f.content), expected) |
| 426 | 426 |
| 427 # Test when Origin is not sent. | |
| 428 f = requests.options(self.url_base() + '/rest/data/user', | |
| 429 headers = {'content-type': "application/json", | |
| 430 'x-requested-with': "rest", | |
| 431 'Access-Control-Request-Headers': | |
| 432 "x-requested-with", | |
| 433 'Access-Control-Request-Method': "PUT",}) | |
| 434 | |
| 435 self.assertEqual(f.status_code, 400) | |
| 436 | |
| 437 expected = ('{ "error": { "status": 400, "msg": "Required' | |
| 438 ' Header Missing" } }') | |
| 439 self.assertEqual(b2s(f.content), expected) | |
| 440 | |
| 427 | 441 |
| 428 def test_rest_invalid_method_collection(self): | 442 def test_rest_invalid_method_collection(self): |
| 429 # use basic auth for rest endpoint | 443 # use basic auth for rest endpoint |
| 430 f = requests.put(self.url_base() + '/rest/data/user', | 444 f = requests.put(self.url_base() + '/rest/data/user', |
| 431 auth=('admin', 'sekrit'), | 445 auth=('admin', 'sekrit'), |
| 593 self.assertDictEqual({ key: value for (key, value) in f.headers.items() if key in expected }, expected1) | 607 self.assertDictEqual({ key: value for (key, value) in f.headers.items() if key in expected }, expected1) |
| 594 | 608 |
| 595 ## test a property that doesn't exist | 609 ## test a property that doesn't exist |
| 596 f = requests.options(self.url_base() + '/rest/data/user/1/zot', | 610 f = requests.options(self.url_base() + '/rest/data/user/1/zot', |
| 597 auth=('admin', 'sekrit'), | 611 auth=('admin', 'sekrit'), |
| 598 headers = {'content-type': ""}) | 612 headers = {'content-type': "", |
| 613 'Origin': "http://localhost:9001",}) | |
| 599 print(f.status_code) | 614 print(f.status_code) |
| 600 print(f.headers) | 615 print(f.headers) |
| 601 | 616 |
| 602 self.assertEqual(f.status_code, 404) | 617 self.assertEqual(f.status_code, 404) |
| 603 | 618 |
| 934 f = requests.get(self.url_base() + '/rest/data/user/1/foo', | 949 f = requests.get(self.url_base() + '/rest/data/user/1/foo', |
| 935 auth=('admin', 'sekrit'), | 950 auth=('admin', 'sekrit'), |
| 936 headers = {'content-type': "", | 951 headers = {'content-type': "", |
| 937 'Accept-Encoding': '%s, foo'%method, | 952 'Accept-Encoding': '%s, foo'%method, |
| 938 'Accept': '*/*', | 953 'Accept': '*/*', |
| 939 'Origin': 'ZZZZ'}) | 954 'Origin': 'https://client.com'}) |
| 940 print(f.status_code) | 955 print(f.status_code) |
| 941 print(f.headers) | 956 print(f.headers) |
| 942 | 957 |
| 943 # NOTE: not compressed payload too small | 958 # NOTE: not compressed payload too small |
| 944 self.assertEqual(f.status_code, 400) | 959 self.assertEqual(f.status_code, 400) |
| 945 expected = { 'Content-Type': 'application/json', | 960 expected = { 'Content-Type': 'application/json', |
| 946 'Access-Control-Allow-Credentials': 'true', | 961 'Access-Control-Allow-Credentials': 'true', |
| 947 'Access-Control-Allow-Origin': 'ZZZZ', | 962 'Access-Control-Allow-Origin': 'https://client.com', |
| 948 'Allow': 'OPTIONS, GET, POST, PUT, DELETE, PATCH', | 963 'Allow': 'OPTIONS, GET, POST, PUT, DELETE, PATCH', |
| 949 'Vary': 'Origin' | 964 'Vary': 'Origin' |
| 950 } | 965 } |
| 951 | 966 |
| 952 content = { "error": | 967 content = { "error": |
