/**
 * Issues a plain GET on the root path with no {@code Origin} header and verifies that the
 * node answers 200 without either CORS response header.
 *
 * <p>Both {@code Access-Control-Allow-Origin} and {@code Access-Control-Allow-Credentials}
 * must be absent, so a request that never asked for cross-origin access is not handed a grant.
 *
 * <p>NOTE(review): the node's CORS settings are configured outside this method and are not
 * visible here.
 */
public void testThatOmittingCorsHeaderDoesNotReturnAnything() throws Exception {
    final String allowOriginHeader = "Access-Control-Allow-Origin";
    final String allowCredentialsHeader = "Access-Control-Allow-Credentials";

    HttpResponse reply = httpClient().method("GET").path("/").execute();

    assertThat(reply.getStatusCode(), is(200));
    assertThat(reply.getHeaders(), not(hasKey(allowOriginHeader)));
    assertThat(reply.getHeaders(), not(hasKey(allowCredentialsHeader)));
}
/**
 * Sends a GET whose {@code Origin} is {@code http://evil-host:9200} and verifies that the
 * request is refused with 403 and that no {@code Access-Control-Allow-Origin} header is sent.
 *
 * <p>The header check matters independently of the status code: a browser exposes a
 * cross-origin response to the calling page only when that header names the page's origin.
 *
 * <p>NOTE(review): the allowed-origin pattern is configured outside this method. Only one
 * non-matching origin is exercised here; near-miss origins (the allowed host appearing as a
 * prefix or suffix of another hostname) are not covered by this test.
 */
public void testThatRegularExpressionReturnsForbiddenOnNonMatch() throws Exception {
    final String rejectedOrigin = "http://evil-host:9200";

    HttpResponse reply =
            httpClient()
                    .method("GET")
                    .path("/")
                    .addHeader("User-Agent", "Mozilla Bar")
                    .addHeader("Origin", rejectedOrigin)
                    .execute();

    // An origin that does not match is answered with 403 FORBIDDEN.
    assertThat(reply.getStatusCode(), is(403));
    assertThat(reply.getHeaders(), not(hasKey("Access-Control-Allow-Origin")));
}
/**
 * Sends a CORS pre-flight ({@code OPTIONS} with {@code Access-Control-Request-Method: GET})
 * from {@code http://localhost:9200} and verifies that it is accepted.
 *
 * <p>Acceptance means: status 200, {@code Access-Control-Allow-Origin} equal to the request
 * origin (checked by {@code assertResponseWithOriginheader}), and an
 * {@code Access-Control-Allow-Methods} header present. The value of the methods header is not
 * inspected.
 */
public void testThatPreFlightRequestWorksOnMatch() throws Exception {
    final String allowedOrigin = "http://localhost:9200";

    HttpResponse preflightReply =
            httpClient()
                    .method("OPTIONS")
                    .path("/")
                    .addHeader("User-Agent", "Mozilla Bar")
                    .addHeader("Origin", allowedOrigin)
                    .addHeader(HttpHeaders.Names.ACCESS_CONTROL_REQUEST_METHOD, "GET")
                    .execute();

    assertResponseWithOriginheader(preflightReply, allowedOrigin);
    assertThat(preflightReply.getHeaders(), hasKey("Access-Control-Allow-Methods"));
}
/**
 * Sends a CORS pre-flight ({@code OPTIONS} with {@code Access-Control-Request-Method: GET})
 * from {@code http://evil-host:9200} and verifies that it is refused.
 *
 * <p>Despite the method name, the expected outcome asserted here is a 403 status, with
 * neither {@code Access-Control-Allow-Origin} nor {@code Access-Control-Allow-Methods} in the
 * response. Without those headers a browser does not go on to send the actual cross-origin
 * request.
 *
 * <p>NOTE(review): the allowed-origin pattern is configured outside this method; only this
 * one non-matching origin is exercised.
 */
public void testThatPreFlightRequestReturnsNullOnNonMatch() throws Exception {
    final String rejectedOrigin = "http://evil-host:9200";
    final String allowOriginHeader = "Access-Control-Allow-Origin";
    final String allowMethodsHeader = "Access-Control-Allow-Methods";

    HttpResponse preflightReply =
            httpClient()
                    .method("OPTIONS")
                    .path("/")
                    .addHeader("User-Agent", "Mozilla Bar")
                    .addHeader("Origin", rejectedOrigin)
                    .addHeader(HttpHeaders.Names.ACCESS_CONTROL_REQUEST_METHOD, "GET")
                    .execute();

    // An origin that does not match is answered with 403 FORBIDDEN.
    assertThat(preflightReply.getStatusCode(), is(403));
    assertThat(preflightReply.getHeaders(), not(hasKey(allowOriginHeader)));
    assertThat(preflightReply.getHeaders(), not(hasKey(allowMethodsHeader)));
}
/**
 * Sends a GET carrying {@code Origin: http://localhost:9200} and verifies that the node
 * answers 200 but returns neither {@code Access-Control-Allow-Origin} nor
 * {@code Access-Control-Allow-Credentials}.
 *
 * <p>NOTE(review): presumably this runs against a node on which CORS has been left at its
 * default; the settings are not visible from this method - confirm against the enclosing
 * test class.
 */
public void testCorsSettingDefaultBehaviourDoesNotReturnAnything() throws Exception {
    final String requestOrigin = "http://localhost:9200";
    final String allowOriginHeader = "Access-Control-Allow-Origin";
    final String allowCredentialsHeader = "Access-Control-Allow-Credentials";

    HttpResponse reply =
            httpClient()
                    .method("GET")
                    .path("/")
                    .addHeader("User-Agent", "Mozilla Bar")
                    .addHeader("Origin", requestOrigin)
                    .execute();

    assertThat(reply.getStatusCode(), is(200));
    assertThat(reply.getHeaders(), not(hasKey(allowOriginHeader)));
    assertThat(reply.getHeaders(), not(hasKey(allowCredentialsHeader)));
}
/**
 * Requests the root path with {@code error_trace=true}, using the method named by
 * {@code HttpDeleteWithEntity.METHOD_NAME}, and verifies that the JSON response body embeds an
 * {@code error_trace} object whose message starts with "Validation Failed".
 *
 * <p>The request goes to the {@code HttpServerTransport} of a data node of the internal test
 * cluster.
 *
 * <p>NOTE(review): detailed error output helps debugging but also discloses internals to any
 * caller that can reach the HTTP port. This test pins the behaviour for the configuration it
 * runs under; whether and how the detail can be switched off is not shown here.
 */
@Test
public void testThatErrorTraceWorksByDefault() throws Exception {
    final String expectedTraceFragment = "\"error_trace\":{\"message\":\"Validation Failed";

    // Build and fire the HTTP request against a data node's HTTP transport.
    HttpResponse reply =
            new HttpRequestBuilder(HttpClients.createDefault())
                    .httpTransport(internalCluster().getDataNodeInstance(HttpServerTransport.class))
                    .path("/")
                    .addParam("error_trace", "true")
                    .method(HttpDeleteWithEntity.METHOD_NAME)
                    .execute();

    String contentType = reply.getHeaders().get("Content-Type");
    assertThat(contentType, containsString("application/json"));

    String body = reply.getBody();
    assertThat(body, containsString(expectedTraceFragment));
}
/**
 * Verifies that GET requests from {@code http://localhost:9200} and
 * {@code https://localhost:9200} are both accepted: each gets status 200 and an
 * {@code Access-Control-Allow-Origin} header equal to the origin that was sent.
 *
 * <p>For the {@code https} request the test additionally requires
 * {@code Access-Control-Allow-Credentials: true}. Credentialed access is therefore asserted
 * together with an exactly echoed origin.
 *
 * <p>NOTE(review): the credentials header is checked only on the second response, and the
 * allowed-origin pattern itself is configured outside this method.
 */
public void testThatRegularExpressionWorksOnMatch() throws Exception {
    final String allowCredentialsHeader = "Access-Control-Allow-Credentials";

    // First request: plain-http origin.
    final String httpOrigin = "http://localhost:9200";
    HttpResponse httpReply =
            httpClient()
                    .method("GET")
                    .path("/")
                    .addHeader("User-Agent", "Mozilla Bar")
                    .addHeader("Origin", httpOrigin)
                    .execute();
    assertResponseWithOriginheader(httpReply, httpOrigin);

    // Second request: same host and port over https.
    final String httpsOrigin = "https://localhost:9200";
    HttpResponse httpsReply =
            httpClient()
                    .method("GET")
                    .path("/")
                    .addHeader("User-Agent", "Mozilla Bar")
                    .addHeader("Origin", httpsOrigin)
                    .execute();
    assertResponseWithOriginheader(httpsReply, httpsOrigin);

    assertThat(httpsReply.getHeaders(), hasKey(allowCredentialsHeader));
    String credentialsValue = httpsReply.getHeaders().get(allowCredentialsHeader);
    assertThat(credentialsValue, is("true"));
}
/**
 * Sends a GET with a {@code User-Agent} but no {@code Origin} header and verifies that the
 * node answers 200 and does not add {@code Access-Control-Allow-Origin}.
 *
 * <p>A request that is not cross-origin should not receive a cross-origin grant.
 */
public void testThatSendingNoOriginHeaderReturnsNoAccessControlHeader() throws Exception {
    HttpResponse reply =
            httpClient()
                    .method("GET")
                    .path("/")
                    .addHeader("User-Agent", "Mozilla Bar")
                    .execute();

    assertThat(reply.getStatusCode(), is(200));
    assertThat(reply.getHeaders(), not(hasKey("Access-Control-Allow-Origin")));
}
/**
 * Asserts that a response represents an accepted CORS request: status 200 and an
 * {@code Access-Control-Allow-Origin} header whose value equals the expected origin.
 *
 * <p>The comparison is an exact match against {@code expectedCorsHeader}, so a wildcard or
 * any other origin in the header fails the assertion.
 *
 * @param response the HTTP response to inspect
 * @param expectedCorsHeader the exact value required in {@code Access-Control-Allow-Origin}
 */
protected static void assertResponseWithOriginheader(
        HttpResponse response, String expectedCorsHeader) {
    final String allowOriginHeader = "Access-Control-Allow-Origin";

    assertThat(response.getStatusCode(), is(200));
    assertThat(response.getHeaders(), hasKey(allowOriginHeader));

    String echoedOrigin = response.getHeaders().get(allowOriginHeader);
    assertThat(echoedOrigin, is(expectedCorsHeader));
}
/**
 * Sends a bare GET on the root path - neither {@code User-Agent} nor {@code Origin} is set -
 * and verifies that the node answers 200 without an {@code Access-Control-Allow-Origin}
 * header.
 *
 * <p>NOTE(review): the method name refers to the browser, but the request built here differs
 * from the matching-origin tests by omitting both headers; which omission the outcome depends
 * on cannot be told from this method alone.
 */
public void testThatRegularExpressionIsNotAppliedWithoutCorrectBrowserOnMatch() throws Exception {
    final String allowOriginHeader = "Access-Control-Allow-Origin";

    HttpResponse reply = httpClient().method("GET").path("/").execute();

    assertThat(reply.getStatusCode(), is(200));
    assertThat(reply.getHeaders(), not(hasKey(allowOriginHeader)));
}