public void testThatOmittingCorsHeaderDoesNotReturnAnything() throws Exception {
HttpResponse response = httpClient().method("GET").path("/").execute();
assertThat(response.getStatusCode(), is(200));
assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Origin")));
assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Credentials")));
}
public void testThatRegularExpressionReturnsForbiddenOnNonMatch() throws Exception {
HttpResponse response =
httpClient()
.method("GET")
.path("/")
.addHeader("User-Agent", "Mozilla Bar")
.addHeader("Origin", "http://evil-host:9200")
.execute();
// a rejected origin gets a FORBIDDEN - 403
assertThat(response.getStatusCode(), is(403));
assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Origin")));
}
public void testThatPreFlightRequestWorksOnMatch() throws Exception {
String corsValue = "http://localhost:9200";
HttpResponse response =
httpClient()
.method("OPTIONS")
.path("/")
.addHeader("User-Agent", "Mozilla Bar")
.addHeader("Origin", corsValue)
.addHeader(HttpHeaders.Names.ACCESS_CONTROL_REQUEST_METHOD, "GET")
.execute();
assertResponseWithOriginheader(response, corsValue);
assertThat(response.getHeaders(), hasKey("Access-Control-Allow-Methods"));
}
public void testThatPreFlightRequestReturnsNullOnNonMatch() throws Exception {
HttpResponse response =
httpClient()
.method("OPTIONS")
.path("/")
.addHeader("User-Agent", "Mozilla Bar")
.addHeader("Origin", "http://evil-host:9200")
.addHeader(HttpHeaders.Names.ACCESS_CONTROL_REQUEST_METHOD, "GET")
.execute();
// a rejected origin gets a FORBIDDEN - 403
assertThat(response.getStatusCode(), is(403));
assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Origin")));
assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Methods")));
}
public void testCorsSettingDefaultBehaviourDoesNotReturnAnything() throws Exception {
String corsValue = "http://localhost:9200";
HttpResponse response =
httpClient()
.method("GET")
.path("/")
.addHeader("User-Agent", "Mozilla Bar")
.addHeader("Origin", corsValue)
.execute();
assertThat(response.getStatusCode(), is(200));
assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Origin")));
assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Credentials")));
}
@Test
public void testThatErrorTraceWorksByDefault() throws Exception {
// Make the HTTP request
HttpResponse response =
new HttpRequestBuilder(HttpClients.createDefault())
.httpTransport(internalCluster().getDataNodeInstance(HttpServerTransport.class))
.path("/")
.addParam("error_trace", "true")
.method(HttpDeleteWithEntity.METHOD_NAME)
.execute();
assertThat(response.getHeaders().get("Content-Type"), containsString("application/json"));
assertThat(
response.getBody(), containsString("\"error_trace\":{\"message\":\"Validation Failed"));
}
public void testThatRegularExpressionWorksOnMatch() throws Exception {
String corsValue = "http://localhost:9200";
HttpResponse response =
httpClient()
.method("GET")
.path("/")
.addHeader("User-Agent", "Mozilla Bar")
.addHeader("Origin", corsValue)
.execute();
assertResponseWithOriginheader(response, corsValue);
corsValue = "https://localhost:9200";
response =
httpClient()
.method("GET")
.path("/")
.addHeader("User-Agent", "Mozilla Bar")
.addHeader("Origin", corsValue)
.execute();
assertResponseWithOriginheader(response, corsValue);
assertThat(response.getHeaders(), hasKey("Access-Control-Allow-Credentials"));
assertThat(response.getHeaders().get("Access-Control-Allow-Credentials"), is("true"));
}
public void testThatSendingNoOriginHeaderReturnsNoAccessControlHeader() throws Exception {
HttpResponse response =
httpClient().method("GET").path("/").addHeader("User-Agent", "Mozilla Bar").execute();
assertThat(response.getStatusCode(), is(200));
assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Origin")));
}
protected static void assertResponseWithOriginheader(
HttpResponse response, String expectedCorsHeader) {
assertThat(response.getStatusCode(), is(200));
assertThat(response.getHeaders(), hasKey("Access-Control-Allow-Origin"));
assertThat(response.getHeaders().get("Access-Control-Allow-Origin"), is(expectedCorsHeader));
}
public void testThatRegularExpressionIsNotAppliedWithoutCorrectBrowserOnMatch() throws Exception {
HttpResponse response = httpClient().method("GET").path("/").execute();
assertThat(response.getStatusCode(), is(200));
assertThat(response.getHeaders(), not(hasKey("Access-Control-Allow-Origin")));
}
