diff test/test_liveserver.py @ 7150:72a54826ff4f

better rest Origin check; refactor CORS preflight code. A previous version allowed requests without an origin that should require it (e.g. an OPTIONS or PATCH request). Moved the origin checking logic into the main flow. It looks like this was limited to OPTIONS/PATCH requests as handle_csrf() (called later in the main flow) handles POST, PUT, DELETE verbs. Refactored CORS preflight request code into functions and call them from main flow. Also return immediately. Prior code processed the options request a second time due to falling through. Modified is_origin_header_ok to return True if origin was missing and it was a get request. Fixed tests that make OPTIONS requests to supply origin. Comment fixups.
author John Rouillard <rouilj@ieee.org>
date Tue, 21 Feb 2023 16:42:20 -0500
parents 3c4047cdc77a
children a9be849d4dd2
--- a/test/test_liveserver.py	Thu Feb 16 21:56:08 2023 -0500
+++ b/test/test_liveserver.py	Tue Feb 21 16:42:20 2023 -0500
@@ -424,6 +424,20 @@
                    'allowed to use Rest Interface." } }'
         self.assertEqual(b2s(f.content), expected)
 
+        # Test when Origin is not sent.
+        f = requests.options(self.url_base() + '/rest/data/user',
+                             headers = {'content-type': "application/json",
+                             'x-requested-with': "rest",
+                             'Access-Control-Request-Headers':
+                                 "x-requested-with",
+                             'Access-Control-Request-Method': "PUT",})
+
+        self.assertEqual(f.status_code, 400)
+
+        expected = ('{ "error": { "status": 400, "msg": "Required'
+                    ' Header Missing" } }')
+        self.assertEqual(b2s(f.content), expected)
+
 
     def test_rest_invalid_method_collection(self):
         # use basic auth for rest endpoint
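Review bot: The new no-Origin preflight case at L24-L28 asserts only the 400 status and the JSON error body; it does not assert that the rejected response carries no CORS grant, which is the property the preflight refactor is meant to protect. Adding `self.assertNotIn('Access-Control-Allow-Origin', f.headers)` and `self.assertNotIn('Access-Control-Allow-Credentials', f.headers)` after the body check would catch a regression where the handler rejects the request but still emits the allow headers. The body string also duplicates the exact server message, so a wording change in the server will break this test; comparing the parsed JSON's `status` field (or a substring) would be less brittle. The enclosing test method starts before this hunk.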
@@ -595,7 +609,8 @@
         ## test a property that doesn't exist
         f = requests.options(self.url_base() + '/rest/data/user/1/zot',
                              auth=('admin', 'sekrit'),
-                             headers = {'content-type': ""})
+                             headers = {'content-type': "",
+                                        'Origin': "http://localhost:9001",})
         print(f.status_code)
         print(f.headers)
 
@@ -936,7 +951,7 @@
                              headers = {'content-type': "",
                                         'Accept-Encoding': '%s, foo'%method,
                                         'Accept': '*/*',
-                                        'Origin': 'ZZZZ'})
+                                        'Origin': 'https://client.com'})
         print(f.status_code)
         print(f.headers)
 
@@ -944,7 +959,7 @@
         self.assertEqual(f.status_code, 400)
         expected = { 'Content-Type': 'application/json',
                      'Access-Control-Allow-Credentials': 'true',
-                     'Access-Control-Allow-Origin': 'ZZZZ',
+                     'Access-Control-Allow-Origin': 'https://client.com',
                      'Allow': 'OPTIONS, GET, POST, PUT, DELETE, PATCH',
                      'Vary': 'Origin'
         }
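Review bot: The expected headers at L55 and L57 pin a response that returns the request's Origin (`https://client.com`, set in the previous hunk at L48) as `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`; that pairing is only safe when the origin is matched against the tracker's configured allowed-origin list rather than reflected, which the commit message says the server now does but which this test does not verify. Presumably `https://client.com` is an allowed origin in the test tracker's configuration; a companion request using an origin that is not configured, asserting `self.assertNotIn('Access-Control-Allow-Origin', f.headers)` while still expecting `Vary: Origin`, would pin the negative case that the `ZZZZ` value previously exercised. The test method containing both hunks starts and ends outside them.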
