1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
namespace JDesrosiers\Silex\Provider\Test; |
4
|
|
|
|
5
|
|
|
use JDesrosiers\Silex\Provider\CorsServiceProvider; |
6
|
|
|
use Silex\Application; |
7
|
|
|
use Symfony\Component\HttpKernel\Client; |
8
|
|
|
|
9
|
|
|
class CorsServiceProviderTest extends \PHPUnit_Framework_TestCase |
10
|
|
|
{ |
11
|
|
|
protected $app; |
12
|
|
|
|
13
|
|
|
public function setUp() |
14
|
|
|
{ |
15
|
|
|
$this->app = new Application(); |
16
|
|
|
$this->app["debug"] = true; |
17
|
|
|
$this->app->register(new CorsServiceProvider(), [ |
18
|
|
|
"cors.maxAge" => 15, |
19
|
|
|
]); |
20
|
|
|
$this->app->after($this->app["cors"]); |
21
|
|
|
} |
22
|
|
|
|
23
|
|
|
public function testCorsPreFlight() |
24
|
|
|
{ |
25
|
|
|
$this->app->get("/foo", function () { |
26
|
|
|
return "foo"; |
27
|
|
|
}); |
28
|
|
|
|
29
|
|
|
$headers = [ |
30
|
|
|
"HTTP_ORIGIN" => "http://www.foo.com", |
31
|
|
|
"HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET", |
32
|
|
|
"HTTP_ACCESS_CONTROL_REQUEST_HEADERS" => "content-type", |
33
|
|
|
]; |
34
|
|
|
$client = new Client($this->app, $headers); |
35
|
|
|
$client->request("OPTIONS", "/foo"); |
36
|
|
|
|
37
|
|
|
$response = $client->getResponse(); |
38
|
|
|
|
39
|
|
|
$this->assertEquals("204", $response->getStatusCode()); |
40
|
|
|
$this->assertEquals("GET", $response->headers->get("Allow")); |
41
|
|
|
$this->assertEquals("GET", $response->headers->get("Access-Control-Allow-Methods")); |
42
|
|
|
$this->assertEquals("http://www.foo.com", $response->headers->get("Access-Control-Allow-Origin")); |
43
|
|
|
$this->assertEquals("content-type", $response->headers->get("Access-Control-Allow-Headers")); |
44
|
|
|
$this->assertEquals("15", $response->headers->get("Access-Control-Max-Age")); |
45
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Credentials")); |
46
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Expose-Headers")); |
47
|
|
|
$this->assertFalse($response->headers->has("Content-Type")); |
48
|
|
|
$this->assertEquals("", $response->getContent()); |
49
|
|
|
} |
50
|
|
|
|
51
|
|
|
public function testCorsPreFlightFail() |
52
|
|
|
{ |
53
|
|
|
$this->app->get("/foo", function () { |
54
|
|
|
return "foo"; |
55
|
|
|
}); |
56
|
|
|
|
57
|
|
|
$headers = [ |
58
|
|
|
"HTTP_ORIGIN" => "http://www.foo.com", |
59
|
|
|
"HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "POST", |
60
|
|
|
]; |
61
|
|
|
$client = new Client($this->app, $headers); |
62
|
|
|
$client->request("OPTIONS", "/foo"); |
63
|
|
|
|
64
|
|
|
$response = $client->getResponse(); |
65
|
|
|
|
66
|
|
|
$this->assertEquals("204", $response->getStatusCode()); |
67
|
|
|
$this->assertEquals("GET", $response->headers->get("Allow")); |
68
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Methods")); |
69
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Origin")); |
70
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Headers")); |
71
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Max-Age")); |
72
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Credentials")); |
73
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Expose-Headers")); |
74
|
|
|
$this->assertFalse($response->headers->has("Content-Type")); |
75
|
|
|
$this->assertEquals("", $response->getContent()); |
76
|
|
|
} |
77
|
|
|
|
78
|
|
|
public function dataProviderAllowOrigin() |
79
|
|
|
{ |
80
|
|
|
return [ |
81
|
|
|
["*"], |
82
|
|
|
["http://www.foo.com"], |
83
|
|
|
["*.foo.com"], |
84
|
|
|
["http://www.foo.com http://www.bar.com"], |
85
|
|
|
["*.foo.com http://www.bar.com"], |
86
|
|
|
["http://www.bar.com http://www.foo.com"], |
87
|
|
|
]; |
88
|
|
|
} |
89
|
|
|
|
90
|
|
|
/** |
91
|
|
|
* @dataProvider dataProviderAllowOrigin |
92
|
|
|
*/ |
93
|
|
|
public function testAllowOrigin($domain) |
94
|
|
|
{ |
95
|
|
|
$this->app["cors.allowOrigin"] = $domain; |
96
|
|
|
|
97
|
|
|
$this->app->get("/foo", function () { |
98
|
|
|
return "foo"; |
99
|
|
|
}); |
100
|
|
|
|
101
|
|
|
$headers = [ |
102
|
|
|
"HTTP_ORIGIN" => "http://www.foo.com", |
103
|
|
|
]; |
104
|
|
|
$client = new Client($this->app, $headers); |
105
|
|
|
$client->request("GET", "/foo"); |
106
|
|
|
|
107
|
|
|
$response = $client->getResponse(); |
108
|
|
|
|
109
|
|
|
$this->assertEquals("200", $response->getStatusCode()); |
110
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Methods")); |
111
|
|
|
$this->assertEquals("http://www.foo.com", $response->headers->get("Access-Control-Allow-Origin")); |
112
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Headers")); |
113
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Max-Age")); |
114
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Credentials")); |
115
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Expose-Headers")); |
116
|
|
|
$this->assertEquals("foo", $response->getContent()); |
117
|
|
|
} |
118
|
|
|
|
119
|
|
|
public function testAllowOriginFail() |
120
|
|
|
{ |
121
|
|
|
$this->app["cors.allowOrigin"] = "http://www.bar.com"; |
122
|
|
|
|
123
|
|
|
$this->app->get("/foo", function () { |
124
|
|
|
return "foo"; |
125
|
|
|
}); |
126
|
|
|
|
127
|
|
|
$headers = [ |
128
|
|
|
"HTTP_ORIGIN" => "http://www.foo.com", |
129
|
|
|
"HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET", |
130
|
|
|
]; |
131
|
|
|
$client = new Client($this->app, $headers); |
132
|
|
|
$client->request("OPTIONS", "/foo"); |
133
|
|
|
|
134
|
|
|
$response = $client->getResponse(); |
135
|
|
|
|
136
|
|
|
$this->assertEquals("204", $response->getStatusCode()); |
137
|
|
|
$this->assertEquals("GET", $response->headers->get("Allow")); |
138
|
|
|
$this->assertEquals("GET", $response->headers->get("Access-Control-Allow-Methods")); |
139
|
|
|
$this->assertEquals("null", $response->headers->get("Access-Control-Allow-Origin")); |
140
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Headers")); |
141
|
|
|
$this->assertEquals("15", $response->headers->get("Access-Control-Max-Age")); |
142
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Credentials")); |
143
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Expose-Headers")); |
144
|
|
|
$this->assertFalse($response->headers->has("Content-Type")); |
145
|
|
|
$this->assertEquals("", $response->getContent()); |
146
|
|
|
} |
147
|
|
|
|
148
|
|
|
public function testDefaultAllowMethodsWithMultipleAllow() |
149
|
|
|
{ |
150
|
|
|
$this->app->match("/foo", function () { |
151
|
|
|
return "foo"; |
152
|
|
|
})->method("GET|POST"); |
153
|
|
|
|
154
|
|
|
$headers = array( |
155
|
|
|
"HTTP_ORIGIN" => "http://www.foo.com", |
156
|
|
|
"HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET", |
157
|
|
|
); |
158
|
|
|
$client = new Client($this->app, $headers); |
159
|
|
|
$client->request("OPTIONS", "/foo"); |
160
|
|
|
|
161
|
|
|
$response = $client->getResponse(); |
162
|
|
|
|
163
|
|
|
$this->assertEquals("204", $response->getStatusCode()); |
164
|
|
|
$this->assertEquals("GET,POST", $response->headers->get("Allow")); |
165
|
|
|
$this->assertEquals("GET,POST", $response->headers->get("Access-Control-Allow-Methods")); |
166
|
|
|
$this->assertEquals("http://www.foo.com", $response->headers->get("Access-Control-Allow-Origin")); |
167
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Headers")); |
168
|
|
|
$this->assertEquals("15", $response->headers->get("Access-Control-Max-Age")); |
169
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Credentials")); |
170
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Expose-Headers")); |
171
|
|
|
$this->assertFalse($response->headers->has("Content-Type")); |
172
|
|
|
$this->assertEquals("", $response->getContent()); |
173
|
|
|
} |
174
|
|
|
|
175
|
|
|
public function testAllowMethods() |
176
|
|
|
{ |
177
|
|
|
$this->app["cors.allowMethods"] = "GET"; |
178
|
|
|
|
179
|
|
|
$this->app->match("/foo", function () { |
180
|
|
|
return "foo"; |
181
|
|
|
})->method("GET|POST"); |
182
|
|
|
|
183
|
|
|
$headers = [ |
184
|
|
|
"HTTP_ORIGIN" => "http://www.foo.com", |
185
|
|
|
"HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET", |
186
|
|
|
]; |
187
|
|
|
$client = new Client($this->app, $headers); |
188
|
|
|
$client->request("OPTIONS", "/foo"); |
189
|
|
|
|
190
|
|
|
$response = $client->getResponse(); |
191
|
|
|
|
192
|
|
|
$this->assertEquals("204", $response->getStatusCode()); |
193
|
|
|
$this->assertEquals("GET,POST", $response->headers->get("Allow")); |
194
|
|
|
$this->assertEquals("GET", $response->headers->get("Access-Control-Allow-Methods")); |
195
|
|
|
$this->assertEquals("http://www.foo.com", $response->headers->get("Access-Control-Allow-Origin")); |
196
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Headers")); |
197
|
|
|
$this->assertEquals("15", $response->headers->get("Access-Control-Max-Age")); |
198
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Credentials")); |
199
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Expose-Headers")); |
200
|
|
|
$this->assertFalse($response->headers->has("Content-Type")); |
201
|
|
|
$this->assertEquals("", $response->getContent()); |
202
|
|
|
} |
203
|
|
|
|
204
|
|
|
public function testAllowMethodsFail() |
205
|
|
|
{ |
206
|
|
|
$this->app["cors.allowMethods"] = "GET"; |
207
|
|
|
|
208
|
|
|
$this->app->match("/foo", function () { |
209
|
|
|
return "foo"; |
210
|
|
|
})->method("GET|POST"); |
211
|
|
|
|
212
|
|
|
$headers = [ |
213
|
|
|
"HTTP_ORIGIN" => "http://www.foo.com", |
214
|
|
|
"HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "POST", |
215
|
|
|
]; |
216
|
|
|
$client = new Client($this->app, $headers); |
217
|
|
|
$client->request("OPTIONS", "/foo"); |
218
|
|
|
|
219
|
|
|
$response = $client->getResponse(); |
220
|
|
|
|
221
|
|
|
$this->assertEquals("204", $response->getStatusCode()); |
222
|
|
|
$this->assertEquals("GET,POST", $response->headers->get("Allow")); |
223
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Methods")); |
224
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Origin")); |
225
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Headers")); |
226
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Max-Age")); |
227
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Credentials")); |
228
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Expose-Headers")); |
229
|
|
|
$this->assertFalse($response->headers->has("Content-Type")); |
230
|
|
|
$this->assertEquals("", $response->getContent()); |
231
|
|
|
} |
232
|
|
|
|
233
|
|
|
public function testMultipleAllowMethods() |
234
|
|
|
{ |
235
|
|
|
$this->app["cors.allowMethods"] = "GET,POST"; |
236
|
|
|
|
237
|
|
|
$this->app->match("/foo", function () { |
238
|
|
|
return "foo"; |
239
|
|
|
})->method("GET|POST|DELETE"); |
240
|
|
|
|
241
|
|
|
$headers = array( |
242
|
|
|
"HTTP_ORIGIN" => "http://www.foo.com", |
243
|
|
|
"HTTP_ACCESS_CONTROL_REQUEST_METHOD" => "GET", |
244
|
|
|
); |
245
|
|
|
$client = new Client($this->app, $headers); |
246
|
|
|
$client->request("OPTIONS", "/foo"); |
247
|
|
|
|
248
|
|
|
$response = $client->getResponse(); |
249
|
|
|
|
250
|
|
|
$this->assertEquals("204", $response->getStatusCode()); |
251
|
|
|
$this->assertEquals("GET,POST,DELETE", $response->headers->get("Allow")); |
252
|
|
|
$this->assertEquals("GET,POST", $response->headers->get("Access-Control-Allow-Methods")); |
253
|
|
|
$this->assertEquals("http://www.foo.com", $response->headers->get("Access-Control-Allow-Origin")); |
254
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Headers")); |
255
|
|
|
$this->assertEquals("15", $response->headers->get("Access-Control-Max-Age")); |
256
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Credentials")); |
257
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Expose-Headers")); |
258
|
|
|
$this->assertFalse($response->headers->has("Content-Type")); |
259
|
|
|
$this->assertEquals("", $response->getContent()); |
260
|
|
|
} |
261
|
|
|
|
262
|
|
|
public function testAllowCredentialsAndExposeHeaders() |
263
|
|
|
{ |
264
|
|
|
$this->app["cors.allowCredentials"] = true; |
265
|
|
|
$this->app["cors.exposeHeaders"] = "Foo-Bar Baz"; |
266
|
|
|
|
267
|
|
|
$this->app->get("/foo", function () { |
268
|
|
|
return "foo"; |
269
|
|
|
}); |
270
|
|
|
|
271
|
|
|
$headers = [ |
272
|
|
|
"HTTP_ORIGIN" => "http://www.foo.com", |
273
|
|
|
]; |
274
|
|
|
$client = new Client($this->app, $headers); |
275
|
|
|
$client->request("GET", "/foo"); |
276
|
|
|
|
277
|
|
|
$response = $client->getResponse(); |
278
|
|
|
|
279
|
|
|
$this->assertEquals("200", $response->getStatusCode()); |
280
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Methods")); |
281
|
|
|
$this->assertEquals("http://www.foo.com", $response->headers->get("Access-Control-Allow-Origin")); |
282
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Allow-Headers")); |
283
|
|
|
$this->assertFalse($response->headers->has("Access-Control-Max-Age")); |
284
|
|
|
$this->assertEquals("true", $response->headers->get("Access-Control-Allow-Credentials")); |
285
|
|
|
$this->assertEquals("Foo-Bar Baz", $response->headers->get("Access-Control-Expose-Headers")); |
286
|
|
|
$this->assertEquals("foo", $response->getContent()); |
287
|
|
|
} |
288
|
|
|
|
289
|
|
|
public function testNotEnabledMethod() |
290
|
|
|
{ |
291
|
|
|
$this->app->post("/foo", function () { |
292
|
|
|
return "foo"; |
293
|
|
|
}); |
294
|
|
|
|
295
|
|
|
$client = new Client($this->app); |
296
|
|
|
$client->request("GET", "/foo"); |
297
|
|
|
|
298
|
|
|
$response = $client->getResponse(); |
299
|
|
|
|
300
|
|
|
$this->assertEquals("405", $response->getStatusCode()); |
301
|
|
|
$this->assertEquals("POST, OPTIONS", $response->headers->get("Allow")); |
302
|
|
|
} |
303
|
|
|
} |
304
|
|
|
|