prometheus/util/httputil/cors_test.go

66 lines
2.1 KiB
Go
Raw Normal View History

// Copyright 2016 The Prometheus Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package httputil
import (
"net/http"
"testing"
"github.com/grafana/regexp"
"github.com/stretchr/testify/require"
)
func getCORSHandlerFunc() http.Handler {
hf := func(w http.ResponseWriter, r *http.Request) {
reg := regexp.MustCompile(`^https://foo\.com$`)
SetCORS(w, reg, r)
w.WriteHeader(http.StatusOK)
}
return http.HandlerFunc(hf)
}
func TestCORSHandler(t *testing.T) {
tearDown := setup()
defer tearDown()
client := &http.Client{}
ch := getCORSHandlerFunc()
mux.Handle("/any_path", ch)
dummyOrigin := "https://foo.com"
// OPTIONS with legit origin
req, err := http.NewRequest(http.MethodOptions, server.URL+"/any_path", nil)
require.NoError(t, err, "could not create request")
req.Header.Set("Origin", dummyOrigin)
resp, err := client.Do(req)
require.NoError(t, err, "client get failed with unexpected error")
AccessControlAllowOrigin := resp.Header.Get("Access-Control-Allow-Origin")
require.Equal(t, dummyOrigin, AccessControlAllowOrigin, "expected Access-Control-Allow-Origin header")
// OPTIONS with bad origin
req, err = http.NewRequest(http.MethodOptions, server.URL+"/any_path", nil)
require.NoError(t, err, "could not create request")
req.Header.Set("Origin", "https://not-foo.com")
resp, err = client.Do(req)
require.NoError(t, err, "client get failed with unexpected error")
AccessControlAllowOrigin = resp.Header.Get("Access-Control-Allow-Origin")
require.Empty(t, AccessControlAllowOrigin, "Access-Control-Allow-Origin header should not exist but it was set")
}