authorwxiaoguang <wxiaoguang@gmail.com>2023-12-25 21:01:24 +0800
committerGitHub <noreply@github.com>2023-12-25 21:01:24 +0800
commit7a2786ca6cd84633784a2c9986da65a9c4d79c78 (patch)
tree20ec218669592b1f4e1b0f96528499141a29b2c1 /tests
parentb2588338f0795c259ffe92236ae8341dd4f4cec5 (diff)
Refactor CORS handler (#28587) (#28611)
Backport #28587; the only conflict is the test file. The CORS code has been unmaintained for a long time, and its behavior is not correct. This PR tries to improve it. The key point is documented in a code comment. It also adds more tests. Fix #28515 Fix #27642 Fix #17098
Diffstat (limited to 'tests')
-rw-r--r--tests/integration/cors_test.go85
1 files changed, 78 insertions, 7 deletions
diff --git a/tests/integration/cors_test.go b/tests/integration/cors_test.go
index e4151d1c32..2b995e5906 100644
--- a/tests/integration/cors_test.go
+++ b/tests/integration/cors_test.go
@@ -7,17 +7,88 @@ import (
"net/http"
"testing"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/modules/test"
+ "code.gitea.io/gitea/routers"
"code.gitea.io/gitea/tests"
"github.com/stretchr/testify/assert"
)
-func TestCORSNotSet(t *testing.T) {
+func TestCORS(t *testing.T) {
defer tests.PrepareTestEnv(t)()
- req := NewRequestf(t, "GET", "/api/v1/version")
- session := loginUser(t, "user2")
- resp := session.MakeRequest(t, req, http.StatusOK)
- assert.Equal(t, resp.Code, http.StatusOK)
- corsHeader := resp.Header().Get("Access-Control-Allow-Origin")
- assert.Empty(t, corsHeader, "Access-Control-Allow-Origin: generated header should match") // header not set
+ t.Run("CORS enabled", func(t *testing.T) {
+ defer test.MockVariableValue(&setting.CORSConfig.Enabled, true)()
+ defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+ t.Run("API with CORS", func(t *testing.T) {
+ // GET api with no CORS header
+ req := NewRequest(t, "GET", "/api/v1/version")
+ resp := MakeRequest(t, req, http.StatusOK)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Contains(t, resp.Header().Values("Vary"), "Origin")
+
+ // OPTIONS api for CORS
+ req = NewRequest(t, "OPTIONS", "/api/v1/version")
+ req.Header.Set("Origin", "https://example.com")
+ req.Header.Set("Access-Control-Request-Method", "GET")
+ resp = MakeRequest(t, req, http.StatusOK)
+ assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Contains(t, resp.Header().Values("Vary"), "Origin")
+ })
+
+ t.Run("Web with CORS", func(t *testing.T) {
+ // GET userinfo with no CORS header
+ req := NewRequest(t, "GET", "/login/oauth/userinfo")
+ resp := MakeRequest(t, req, http.StatusUnauthorized)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Contains(t, resp.Header().Values("Vary"), "Origin")
+
+ // OPTIONS userinfo for CORS
+ req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")
+ req.Header.Set("Origin", "https://example.com")
+ req.Header.Set("Access-Control-Request-Method", "GET")
+ resp = MakeRequest(t, req, http.StatusOK)
+ assert.NotEmpty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Contains(t, resp.Header().Values("Vary"), "Origin")
+
+ // OPTIONS userinfo for non-CORS
+ req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")
+ resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
+ assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
+ })
+ })
+
+ t.Run("CORS disabled", func(t *testing.T) {
+ defer test.MockVariableValue(&setting.CORSConfig.Enabled, false)()
+ defer test.MockVariableValue(&testWebRoutes, routers.NormalRoutes())()
+
+ t.Run("API without CORS", func(t *testing.T) {
+ req := NewRequest(t, "GET", "/api/v1/version")
+ resp := MakeRequest(t, req, http.StatusOK)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Empty(t, resp.Header().Values("Vary"))
+
+ req = NewRequest(t, "OPTIONS", "/api/v1/version")
+ req.Header.Set("Origin", "https://example.com")
+ req.Header.Set("Access-Control-Request-Method", "GET")
+ resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.Empty(t, resp.Header().Values("Vary"))
+ })
+
+ t.Run("Web without CORS", func(t *testing.T) {
+ req := NewRequest(t, "GET", "/login/oauth/userinfo")
+ resp := MakeRequest(t, req, http.StatusUnauthorized)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
+
+ req = NewRequest(t, "OPTIONS", "/login/oauth/userinfo")
+ req.Header.Set("Origin", "https://example.com")
+ req.Header.Set("Access-Control-Request-Method", "GET")
+ resp = MakeRequest(t, req, http.StatusMethodNotAllowed)
+ assert.Empty(t, resp.Header().Get("Access-Control-Allow-Origin"))
+ assert.NotContains(t, resp.Header().Values("Vary"), "Origin")
+ })
+ })
}
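Review bot: The preflight checks in "API with CORS" and "Web with CORS" (the OPTIONS requests with `Origin: https://example.com`) only assert that `Access-Control-Allow-Origin` is non-empty, so a handler that echoed back any Origin, or that returned `*` when a specific allow list was configured, would still pass; the test should pin the expected value, e.g. `assert.Equal(t, "https://example.com", resp.Header().Get("Access-Control-Allow-Origin"))` or `"*"` depending on what `setting.CORSConfig` allows in the test environment, which is not visible here. A companion case with an Origin outside the configured allow list asserting an empty `Access-Control-Allow-Origin` would cover the negative path, and the preflight responses could also check `Access-Control-Allow-Methods` so the allowed method set is regression-tested. As a point of style, the three-line preflight setup (`NewRequest` + two `req.Header.Set` calls) is repeated four times and could be a small helper like `newPreflightRequest(t, path, origin, method)`. The `import (` block that this hunk starts in opens before the first line shown.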