CorsConfiguration now supports pattern based origins.

Closes gh-24763
Ruslan Akhundov
2020-05-04 09:55:30 +01:00
committed by Rossen Stoyanchev
parent a1bab14140
commit 8632118e8d
9 changed files with 308 additions and 19 deletions


@@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 the original author or authors.
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -50,6 +50,8 @@ public class CorsConfigurationTests {
assertThat(config.getAllowCredentials()).isNull();
config.setMaxAge((Long) null);
assertThat(config.getMaxAge()).isNull();
config.setAllowedOriginsPatterns(null);
assertThat(config.getAllowedOriginsPatterns()).isNull();
}
@Test
@@ -68,6 +70,8 @@ public class CorsConfigurationTests {
assertThat((boolean) config.getAllowCredentials()).isTrue();
config.setMaxAge(123L);
assertThat(config.getMaxAge()).isEqualTo(new Long(123));
config.addAllowedOriginPattern(".*\\.example\\.com");
assertThat(config.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.example\\.com"));
}
@Test
@@ -101,6 +105,7 @@ public class CorsConfigurationTests {
config.addAllowedMethod(HttpMethod.GET.name());
config.setMaxAge(123L);
config.setAllowCredentials(true);
config.setAllowedOriginsPatterns(Arrays.asList(".*\\.example\\.com"));
CorsConfiguration other = new CorsConfiguration();
config = config.combine(other);
assertThat(config.getAllowedOrigins()).isEqualTo(Arrays.asList("*"));
@@ -109,6 +114,7 @@ public class CorsConfigurationTests {
assertThat(config.getAllowedMethods()).isEqualTo(Arrays.asList(HttpMethod.GET.name()));
assertThat(config.getMaxAge()).isEqualTo(new Long(123));
assertThat((boolean) config.getAllowCredentials()).isTrue();
assertThat(config.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.example\\.com"));
}
@Test // SPR-15772
@@ -142,25 +148,60 @@ public class CorsConfigurationTests {
HttpMethod.POST.name()));
}
@Test
public void combinePatternWithDefaultPermitValues() {
CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
CorsConfiguration other = new CorsConfiguration();
other.addAllowedOriginPattern(".*\\.com");
CorsConfiguration combinedConfig = other.combine(config);
assertThat(combinedConfig.getAllowedOrigins()).isNull();
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.com"));
combinedConfig = config.combine(other);
assertThat(combinedConfig.getAllowedOrigins()).isNull();
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.com"));
}
@Test
public void combinePatternWithDefaultPermitValuesAndCustomOrigin() {
CorsConfiguration config = new CorsConfiguration().applyPermitDefaultValues();
config.setAllowedOrigins(Arrays.asList("https://domain.com"));
CorsConfiguration other = new CorsConfiguration();
other.addAllowedOriginPattern(".*\\.com");
CorsConfiguration combinedConfig = other.combine(config);
assertThat(combinedConfig.getAllowedOrigins()).isEqualTo(Arrays.asList("https://domain.com"));
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.com"));
combinedConfig = config.combine(other);
assertThat(combinedConfig.getAllowedOrigins()).isEqualTo(Arrays.asList("https://domain.com"));
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.com"));
}
@Test
public void combineWithAsteriskWildCard() {
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOrigin("*");
config.addAllowedHeader("*");
config.addAllowedMethod("*");
config.addAllowedOriginPattern(".*");
CorsConfiguration other = new CorsConfiguration();
other.addAllowedOrigin("https://domain.com");
other.addAllowedHeader("header1");
other.addExposedHeader("header2");
other.addAllowedOriginPattern(".*\\.company\\.com");
other.addAllowedMethod(HttpMethod.PUT.name());
CorsConfiguration combinedConfig = config.combine(other);
assertThat(combinedConfig.getAllowedOrigins()).isEqualTo(Arrays.asList("*"));
assertThat(combinedConfig.getAllowedHeaders()).isEqualTo(Arrays.asList("*"));
assertThat(combinedConfig.getAllowedMethods()).isEqualTo(Arrays.asList("*"));
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*"));
combinedConfig = other.combine(config);
assertThat(combinedConfig.getAllowedOrigins()).isEqualTo(Arrays.asList("*"));
assertThat(combinedConfig.getAllowedHeaders()).isEqualTo(Arrays.asList("*"));
assertThat(combinedConfig.getAllowedMethods()).isEqualTo(Arrays.asList("*"));
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*"));
}
@Test // SPR-14792
@@ -174,16 +215,20 @@ public class CorsConfigurationTests {
config.addExposedHeader("header4");
config.addAllowedMethod(HttpMethod.GET.name());
config.addAllowedMethod(HttpMethod.PUT.name());
config.addAllowedOriginPattern(".*\\.domain1\\.com");
config.addAllowedOriginPattern(".*\\.domain2\\.com");
CorsConfiguration other = new CorsConfiguration();
other.addAllowedOrigin("https://domain1.com");
other.addAllowedHeader("header1");
other.addExposedHeader("header3");
other.addAllowedMethod(HttpMethod.GET.name());
other.addAllowedOriginPattern(".*\\.domain1\\.com");
CorsConfiguration combinedConfig = config.combine(other);
assertThat(combinedConfig.getAllowedOrigins()).isEqualTo(Arrays.asList("https://domain1.com", "https://domain2.com"));
assertThat(combinedConfig.getAllowedHeaders()).isEqualTo(Arrays.asList("header1", "header2"));
assertThat(combinedConfig.getExposedHeaders()).isEqualTo(Arrays.asList("header3", "header4"));
assertThat(combinedConfig.getAllowedMethods()).isEqualTo(Arrays.asList(HttpMethod.GET.name(), HttpMethod.PUT.name()));
assertThat(combinedConfig.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.domain1\\.com", ".*\\.domain2\\.com"));
}
@Test
@@ -195,6 +240,7 @@ public class CorsConfigurationTests {
config.addAllowedMethod(HttpMethod.GET.name());
config.setMaxAge(123L);
config.setAllowCredentials(true);
config.addAllowedOriginPattern(".*\\.domain1\\.com");
CorsConfiguration other = new CorsConfiguration();
other.addAllowedOrigin("https://domain2.com");
other.addAllowedHeader("header2");
@@ -202,6 +248,7 @@ public class CorsConfigurationTests {
other.addAllowedMethod(HttpMethod.PUT.name());
other.setMaxAge(456L);
other.setAllowCredentials(false);
other.addAllowedOriginPattern(".*\\.domain2\\.com");
config = config.combine(other);
assertThat(config.getAllowedOrigins()).isEqualTo(Arrays.asList("https://domain1.com", "https://domain2.com"));
assertThat(config.getAllowedHeaders()).isEqualTo(Arrays.asList("header1", "header2"));
@@ -209,6 +256,7 @@ public class CorsConfigurationTests {
assertThat(config.getAllowedMethods()).isEqualTo(Arrays.asList(HttpMethod.GET.name(), HttpMethod.PUT.name()));
assertThat(config.getMaxAge()).isEqualTo(new Long(456));
assertThat((boolean) config.getAllowCredentials()).isFalse();
assertThat(config.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.domain1\\.com", ".*\\.domain2\\.com"));
}
@Test
@@ -237,6 +285,32 @@ public class CorsConfigurationTests {
assertThat(config.checkOrigin("https://domain.com")).isNull();
}
@Test
public void checkOriginPatternAllowed() {
CorsConfiguration config = new CorsConfiguration();
config.setAllowedOriginsPatterns(Arrays.asList(".*"));
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("*");
config.setAllowCredentials(true);
assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
config.setAllowedOriginsPatterns(Arrays.asList(".*\\.domain\\.com"));
assertThat(config.checkOrigin("https://example.domain.com")).isEqualTo("https://example.domain.com");
config.setAllowCredentials(false);
assertThat(config.checkOrigin("https://example.domain.com")).isEqualTo("https://example.domain.com");
}
@Test
public void checkOriginPatternNotAllowed() {
CorsConfiguration config = new CorsConfiguration();
assertThat(config.checkOrigin(null)).isNull();
assertThat(config.checkOrigin("https://domain.com")).isNull();
config.addAllowedOriginPattern(".*");
assertThat(config.checkOrigin(null)).isNull();
config.setAllowedOriginsPatterns(Arrays.asList(".*\\.domain1\\.com"));
assertThat(config.checkOrigin("https://domain2.com")).isNull();
config.setAllowedOriginsPatterns(new ArrayList<>());
assertThat(config.checkOrigin("https://domain.com")).isNull();
}
@Test
public void checkMethodAllowed() {
CorsConfiguration config = new CorsConfiguration();
@@ -291,4 +365,12 @@ public class CorsConfigurationTests {
assertThat(config.getAllowedMethods()).isEqualTo(Arrays.asList("GET", "HEAD", "POST", "PATCH"));
}
@Test
public void permitDefaultDoesntSetOriginWhenPatternPresent() {
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOriginPattern(".*\\.com");
config = config.applyPermitDefaultValues();
assertThat(config.getAllowedOrigins()).isNull();
assertThat(config.getAllowedOriginsPatterns()).isEqualTo(Arrays.asList(".*\\.com"));
}
}
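Review bot: checkOriginPatternNotAllowed never pins that a pattern has to match the whole Origin value: the only negative case for `".*\\.domain1\\.com"` is `https://domain2.com`, which is rejected under both full-match and substring matching. The matching code is not part of this section, so full-match semantics are assumed here; if matching ever regressed to a substring search, an origin that merely contains an allowed host name would be accepted and no test would fail. I would add `assertThat(config.checkOrigin("https://sub.domain1.com.example.org")).isNull();` right after the `https://domain2.com` assertion (the host is a constructed sample). Separately, checkOriginPatternAllowed asserts that `".*"` together with `setAllowCredentials(true)` echoes the request origin, which amounts to credentialed access for every origin; a comment on that assertion such as `// ".*" with allowCredentials reflects every request origin; not a recommended configuration` would keep the test from being read as an endorsed setup.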