author | Bernhard Posselt <Raydiation@users.noreply.github.com> | 2014-05-11 16:54:34 +0200 |
---|---|---|
committer | Bernhard Posselt <Raydiation@users.noreply.github.com> | 2014-05-11 16:54:34 +0200 |
commit | a252f59cd436d2c005755955bc93ab44544df766 (patch) | |
tree | 75e0e94cf98c70e9941d8856520e8ac63b670230 /tests | |
parent | b6d76e9985105a245daf63f60b47e82df283019d (diff) | |
parent | e05192a23d11867a9860ac6e38e372e21919a861 (diff) | |
download | nextcloud-server-a252f59cd436d2c005755955bc93ab44544df766.tar.gz nextcloud-server-a252f59cd436d2c005755955bc93ab44544df766.zip |
Merge pull request #8504 from owncloud/cors-middleware
Add cors middleware
Diffstat (limited to 'tests')
4 files changed, 135 insertions, 3 deletions
diff --git a/tests/lib/appframework/controller/ApiControllerTest.php b/tests/lib/appframework/controller/ApiControllerTest.php
new file mode 100644
index 00000000000..b772f540ce8
--- /dev/null
+++ b/tests/lib/appframework/controller/ApiControllerTest.php
@@ -0,0 +1,55 @@
+<?php
+
+/**
+ * ownCloud - App Framework
+ *
+ * @author Bernhard Posselt
+ * @copyright 2012 Bernhard Posselt nukeawhale@gmail.com
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+
+namespace OCP\AppFramework;
+
+use OC\AppFramework\Http\Request;
+use OCP\AppFramework\Http\TemplateResponse;
+
+
+class ChildApiController extends ApiController {};
+
+
+class ApiControllerTest extends \PHPUnit_Framework_TestCase {
+
+
+ public function testCors() {
+ $request = new Request(
+ array('server' => array('HTTP_ORIGIN' => 'test'))
+ );
+ $this->controller = new ChildApiController('app', $request, 'verbs',
+ 'headers', 100);
+
+ $response = $this->controller->preflightedCors();
+
+ $headers = $response->getHeaders();
+
+ $this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
+ $this->assertEquals('verbs', $headers['Access-Control-Allow-Methods']);
+ $this->assertEquals('headers', $headers['Access-Control-Allow-Headers']);
+ $this->assertEquals('false', $headers['Access-Control-Allow-Credentials']);
+ $this->assertEquals(100, $headers['Access-Control-Max-Age']);
+ }
+
+}
diff --git a/tests/lib/appframework/controller/ControllerTest.php b/tests/lib/appframework/controller/ControllerTest.php
index f17d5f24aa5..b6c83125da1 100644
--- a/tests/lib/appframework/controller/ControllerTest.php
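Review bot: testCors in ApiControllerTest covers only a request that carries an Origin header, so what preflightedCors() emits when HTTP_ORIGIN is missing is left unpinned; a second case built with `new Request()` would document whether Access-Control-Allow-Origin is omitted or given a fallback. The assertion that Access-Control-Allow-Credentials is 'false' is what makes echoing the caller-supplied origin acceptable, and a comment above it such as `// origin is reflected verbatim, so credentials must stay 'false'` would keep a later edit from dropping it. `assertSame` instead of `assertEquals` would also pin the header types, since `assertEquals(100, ...)` passes for the string '100' as well. preflightedCors() itself is not part of this diff, so its behaviour without an Origin header cannot be judged from here.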
+++ b/tests/lib/appframework/controller/ControllerTest.php @@ -22,10 +22,9 @@ */ -namespace Test\AppFramework\Controller; +namespace OCP\AppFramework; use OC\AppFramework\Http\Request; -use OCP\AppFramework\Controller; use OCP\AppFramework\Http\TemplateResponse; @@ -129,4 +128,5 @@ class ControllerTest extends \PHPUnit_Framework_TestCase { $this->assertEquals('daheim', $this->controller->env('PATH')); } + } diff --git a/tests/lib/appframework/http/ResponseTest.php b/tests/lib/appframework/http/ResponseTest.php index 27350725d79..4b8d3ae50ef 100644 --- a/tests/lib/appframework/http/ResponseTest.php +++ b/tests/lib/appframework/http/ResponseTest.php @@ -42,7 +42,7 @@ class ResponseTest extends \PHPUnit_Framework_TestCase { public function testAddHeader(){ - $this->childResponse->addHeader('hello', 'world'); + $this->childResponse->addHeader(' hello ', 'world'); $headers = $this->childResponse->getHeaders(); $this->assertEquals('world', $headers['hello']); } diff --git a/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php b/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php new file mode 100644 index 00000000000..8224e9b4aa6 --- /dev/null +++ b/tests/lib/appframework/middleware/security/CORSMiddlewareTest.php 
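Review bot: In ResponseTest::testAddHeader the padded name `' hello '` replaces the plain one, so the test now checks header-name trimming under a method name that does not say so. A short comment such as `// addHeader() is expected to trim whitespace around the header name`, or a dedicated test method, would make the intent visible. The hunk shows nothing about how Response treats header-name case; if lookups are meant to be case-insensitive (the CORS middleware test in this commit adds a mixed-case credentials header), that deserves its own assertion here. The rest of the class lies outside the hunk.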
@@ -0,0 +1,77 @@
+<?php
+/**
+ * ownCloud - App Framework
+ *
+ * This file is licensed under the Affero General Public License version 3 or
+ * later. See the COPYING file.
+ *
+ * @author Bernhard Posselt <dev@bernhard-posselt.com>
+ * @copyright Bernhard Posselt 2014
+ */
+
+
+namespace OC\AppFramework\Middleware\Security;
+
+use OC\AppFramework\Http\Request;
+use OCP\AppFramework\Http\Response;
+
+
+class CORSMiddlewareTest extends \PHPUnit_Framework_TestCase {
+
+ /**
+ * @CORS
+ */
+ public function testSetCORSAPIHeader() {
+ $request = new Request(
+ array('server' => array('HTTP_ORIGIN' => 'test'))
+ );
+
+ $middleware = new CORSMiddleware($request);
+ $response = $middleware->afterController($this, __FUNCTION__, new Response());
+ $headers = $response->getHeaders();
+
+ $this->assertEquals('test', $headers['Access-Control-Allow-Origin']);
+ }
+
+
+ public function testNoAnnotationNoCORSHEADER() {
+ $request = new Request(
+ array('server' => array('HTTP_ORIGIN' => 'test'))
+ );
+ $middleware = new CORSMiddleware($request);
+
+ $response = $middleware->afterController($this, __FUNCTION__, new Response());
+ $headers = $response->getHeaders();
+ $this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
+ }
+
+
+ /**
+ * @CORS
+ */
+ public function testNoOriginHeaderNoCORSHEADER() {
+ $request = new Request();
+
+ $middleware = new CORSMiddleware($request);
+ $response = $middleware->afterController($this, __FUNCTION__, new Response());
+ $headers = $response->getHeaders();
+ $this->assertFalse(array_key_exists('Access-Control-Allow-Origin', $headers));
+ }
+
+
+ /**
+ * @CORS
+ * @expectedException \OC\AppFramework\Middleware\Security\SecurityException
+ */
+ public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
+ $request = new Request(
+ array('server' => array('HTTP_ORIGIN' => 'test'))
+ );
+ $middleware = new CORSMiddleware($request);
+
+ $response = new Response();
+ $response->addHeader('AcCess-control-Allow-Credentials ', 'TRUE');
+ $response = $middleware->afterController($this, __FUNCTION__, $response);
+ }
+
+} |
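Review bot: In testCorsIgnoredIfWithCredentialsHeaderPresent the `@expectedException` annotation covers the whole method, so a SecurityException thrown while constructing the Request or the CORSMiddleware would satisfy it as well; calling `$this->setExpectedException('\OC\AppFramework\Middleware\Security\SecurityException');` directly before `afterController()` narrows the expectation to the call under test. The method name says the CORS header is ignored while the test expects an exception, so a name such as `testCorsWithCredentialsHeaderThrows` would match the asserted behaviour, and the unused `$response =` assignment on the final call can be dropped. The `@CORS` docblocks appear to be load-bearing, because each test passes itself as the controller with `__FUNCTION__` as the method name; a one-line comment stating that the middleware presumably reads the annotation from the test method would stop someone from tidying it away.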