Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/tests/phpunit/unit/includes/Rest/CorsUtilsTest.php

326 lines
8.8 KiB
PHP
Raw Normal View History

Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
<?php
namespace MediaWiki\Tests\Rest;
use MediaWiki\Config\ServiceOptions;
unit tests: Use MainConfigNames constant to refer configs When creating ServiceOptions objects or fake HashConfigs use the constant to refer the config name Change-Id: I59a29f25b76e896c07e82156c6cc4494f98e64cc
2022-08-17 20:33:06 +00:00
use MediaWiki\MainConfigNames;
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
use MediaWiki\Rest\CorsUtils;
use MediaWiki\Rest\Handler;
use MediaWiki\Rest\RequestInterface;
use MediaWiki\Rest\Response;
use MediaWiki\Rest\ResponseFactory;
use MediaWiki\Rest\ResponseInterface;
Use UserIdentityValue in tests where possible … instead of PHPUnit mocks. The tiny value class is made for this. Change-Id: Ie04cde57126fcafabf8906f9644c6e80345d8a48
2021-04-21 10:16:42 +00:00
use MediaWiki\User\UserIdentityValue;
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
/**
* @covers \MediaWiki\Rest\CorsUtils
*/
class CorsUtilsTest extends \MediaWikiUnitTestCase {
private function createServiceOptions( array $options = [] ) {
$defaults = [
unit tests: Use MainConfigNames constant to refer configs When creating ServiceOptions objects or fake HashConfigs use the constant to refer the config name Change-Id: I59a29f25b76e896c07e82156c6cc4494f98e64cc
2022-08-17 20:33:06 +00:00
MainConfigNames::AllowedCorsHeaders => [],
MainConfigNames::AllowCrossOrigin => false,
MainConfigNames::RestAllowCrossOriginCookieAuth => false,
MainConfigNames::CanonicalServer => 'https://example.com',
MainConfigNames::CrossSiteAJAXdomains => [],
MainConfigNames::CrossSiteAJAXdomainExceptions => [],
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
];
return new ServiceOptions( CorsUtils::CONSTRUCTOR_OPTIONS, array_merge( $defaults, $options ) );
}
/**
* @dataProvider provideAuthorizeAllowOrigin
*/
public function testAuthorizeAllowOrigin( bool $isRegistered, bool $needsWriteAccess, string $origin ) {
$cors = new CorsUtils(
$this->createServiceOptions( [
unit tests: Use MainConfigNames constant to refer configs When creating ServiceOptions objects or fake HashConfigs use the constant to refer the config name Change-Id: I59a29f25b76e896c07e82156c6cc4494f98e64cc
2022-08-17 20:33:06 +00:00
MainConfigNames::CrossSiteAJAXdomains => [
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
'www.mediawiki.org',
],
] ),
$this->createNoOpMock( ResponseFactory::class ),
Fix incomplete test case in CorsUtilsTest There was never anything actually executed in this test. This patch also removes a little bit of unused code and inlines trivial test setup code. Change-Id: I7dd019cac383313913e06adbea22bb6540162280
2022-08-05 10:37:28 +00:00
new UserIdentityValue( (int)$isRegistered, __CLASS__ )
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
);
$request = $this->createMock( RequestInterface::class );
$request->method( 'hasHeader' )
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
->willReturnMap( [
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
[ 'Origin', (bool)$origin ]
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
] );
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
$request->method( 'getHeader' )
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
->willReturnMap( [
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
[ 'Origin', [ $origin ] ]
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
] );
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
$handler = $this->createMock( Handler::class );
$handler->method( 'needsWriteAccess' )
->willReturn( false );
$result = $cors->authorize(
$request,
$handler
);
$this->assertNull( $result );
}
public function provideAuthorizeAllowOrigin() {
$origin = 'https://example.com';
return [
'User is registered' => [
true,
true,
$origin,
],
'Handler does not need write access' => [
false,
false,
$origin,
],
'Missing origin' => [
false,
true,
'',
],
'Same origin' => [
false,
true,
$origin,
],
'Trusted origin' => [
false,
true,
'https://www.mediawiki.org',
],
];
}
public function testAuthorizeDisallowOrigin() {
$cors = new CorsUtils(
$this->createServiceOptions(),
$this->createMock( ResponseFactory::class ),
Fix incomplete test case in CorsUtilsTest There was never anything actually executed in this test. This patch also removes a little bit of unused code and inlines trivial test setup code. Change-Id: I7dd019cac383313913e06adbea22bb6540162280
2022-08-05 10:37:28 +00:00
new UserIdentityValue( 0, __CLASS__ )
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
);
$request = $this->createMock( RequestInterface::class );
$request->method( 'hasHeader' )
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
->willReturnMap( [
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
[ 'Origin', true ]
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
] );
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
$request->expects( $this->once() )
->method( 'getHeader' )
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
->willReturnMap( [
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
[ 'Origin', [ 'https://www.mediawiki.org' ] ]
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
] );
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
$handler = $this->createMock( Handler::class );
$handler->method( 'needsWriteAccess' )
->willReturn( true );
$result = $cors->authorize(
$request,
$handler
);
$this->assertSame( 'rest-cross-origin-anon-write', $result );
}
public function testModifyResponseNoChange() {
$cors = new CorsUtils(
$this->createServiceOptions(),
$this->createMock( ResponseFactory::class ),
Use UserIdentityValue in tests where possible … instead of PHPUnit mocks. The tiny value class is made for this. Change-Id: Ie04cde57126fcafabf8906f9644c6e80345d8a48
2021-04-21 10:16:42 +00:00
new UserIdentityValue( 0, __CLASS__ )
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
);
$response = $this->createNoOpMock( ResponseInterface::class );
Fix incomplete test case in CorsUtilsTest There was never anything actually executed in this test. This patch also removes a little bit of unused code and inlines trivial test setup code. Change-Id: I7dd019cac383313913e06adbea22bb6540162280
2022-08-05 10:37:28 +00:00
$result = $cors->modifyResponse(
$this->createMock( RequestInterface::class ),
$response
);
$this->assertSame( $response, $result );
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
}
public function testModifyResponseAllowOrigin() {
$cors = new CorsUtils(
$this->createServiceOptions( [
unit tests: Use MainConfigNames constant to refer configs When creating ServiceOptions objects or fake HashConfigs use the constant to refer the config name Change-Id: I59a29f25b76e896c07e82156c6cc4494f98e64cc
2022-08-17 20:33:06 +00:00
MainConfigNames::AllowCrossOrigin => true,
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
] ),
$this->createNoOpMock( ResponseFactory::class ),
Use UserIdentityValue in tests where possible … instead of PHPUnit mocks. The tiny value class is made for this. Change-Id: Ie04cde57126fcafabf8906f9644c6e80345d8a48
2021-04-21 10:16:42 +00:00
new UserIdentityValue( 0, __CLASS__ )
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
);
$response = new Response();
$result = $cors->modifyResponse(
$this->createMock( RequestInterface::class ),
$response
);
$this->assertSame( $response, $result );
$this->assertFalse( $result->hasHeader( 'Vary' ) );
$this->assertTrue( $result->hasHeader( 'Access-Control-Allow-Origin' ) );
$this->assertSame( [ '*' ], $result->getHeader( 'Access-Control-Allow-Origin' ) );
}
/**
* @dataProvider provideModifyResponseAllowTrustedOriginCookieAuth
* @param string $requestMethod
* @param string $isRegistered
*/
public function testModifyResponseAllowTrustedOriginCookieAuth( string $requestMethod, bool $isRegistered ) {
$cors = new CorsUtils(
$this->createServiceOptions( [
unit tests: Use MainConfigNames constant to refer configs When creating ServiceOptions objects or fake HashConfigs use the constant to refer the config name Change-Id: I59a29f25b76e896c07e82156c6cc4494f98e64cc
2022-08-17 20:33:06 +00:00
MainConfigNames::AllowCrossOrigin => true,
MainConfigNames::RestAllowCrossOriginCookieAuth => true,
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
] ),
$this->createNoOpMock( ResponseFactory::class ),
Fix incomplete test case in CorsUtilsTest There was never anything actually executed in this test. This patch also removes a little bit of unused code and inlines trivial test setup code. Change-Id: I7dd019cac383313913e06adbea22bb6540162280
2022-08-05 10:37:28 +00:00
new UserIdentityValue( (int)$isRegistered, __CLASS__ )
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
);
$request = $this->createMock( RequestInterface::class );
$request->method( 'hasHeader' )
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
->willReturnMap( [
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
[ 'Origin', true ]
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
] );
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
$request->method( 'getHeader' )
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
->willReturnMap( [
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
[ 'Origin', [ 'https://example.com' ] ],
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
] );
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
$request->method( 'getMethod' )
->willReturn( $requestMethod );
$response = new Response();
$result = $cors->modifyResponse( $request, $response );
$this->assertSame( $response, $result );
$this->assertTrue( $result->hasHeader( 'Vary' ) );
$this->assertSame( [ 'Origin' ], $result->getHeader( 'Vary' ) );
$this->assertTrue( $result->hasHeader( 'Access-Control-Allow-Credentials' ) );
$this->assertSame( [ 'true' ], $result->getHeader( 'Access-Control-Allow-Credentials' ) );
$this->assertTrue( $result->hasHeader( 'Access-Control-Allow-Origin' ) );
$this->assertSame( [ 'https://example.com' ], $result->getHeader( 'Access-Control-Allow-Origin' ) );
}
public function provideModifyResponseAllowTrustedOriginCookieAuth() {
return [
'OPTIONS request' => [
'OPTIONS',
false
],
'Registered user on main request' => [
'POST',
true,
],
];
}
/**
* @dataProvider provideModifyResponseDisallowUntrustedOriginCookieAuth
*/
public function testModifyResponseDisallowUntrustedOriginCookieAuth(
string $origin,
string $requestMethod,
bool $isRegistered
) {
$cors = new CorsUtils(
$this->createServiceOptions( [
unit tests: Use MainConfigNames constant to refer configs When creating ServiceOptions objects or fake HashConfigs use the constant to refer the config name Change-Id: I59a29f25b76e896c07e82156c6cc4494f98e64cc
2022-08-17 20:33:06 +00:00
MainConfigNames::AllowCrossOrigin => true,
MainConfigNames::RestAllowCrossOriginCookieAuth => true,
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
] ),
$this->createNoOpMock( ResponseFactory::class ),
Fix incomplete test case in CorsUtilsTest There was never anything actually executed in this test. This patch also removes a little bit of unused code and inlines trivial test setup code. Change-Id: I7dd019cac383313913e06adbea22bb6540162280
2022-08-05 10:37:28 +00:00
new UserIdentityValue( (int)$isRegistered, __CLASS__ )
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
);
$request = $this->createMock( RequestInterface::class );
$request->method( 'hasHeader' )
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
->willReturnMap( [
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
[ 'Origin', (bool)$origin ]
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
] );
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
$request->method( 'getHeader' )
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
->willReturnMap( [
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
[ 'Origin', [ $origin ] ],
Tests: Cleanup some unnecessary nested function calls Replace ->will( ->return with ->willReturn( Change-Id: Ia2dfafa03cac8169d86d6fa5a30b73bfad1fe9fa
2022-06-05 23:39:02 +00:00
] );
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
$request->method( 'getMethod' )
->willReturn( $requestMethod );
$response = new Response();
$result = $cors->modifyResponse( $request, $response );
$this->assertSame( $response, $result );
$this->assertTrue( $result->hasHeader( 'Vary' ) );
$this->assertSame( [ 'Origin' ], $result->getHeader( 'Vary' ) );
$this->assertFalse( $result->hasHeader( 'Access-Control-Allow-Credentials' ) );
$this->assertTrue( $result->hasHeader( 'Access-Control-Allow-Origin' ) );
$this->assertSame( [ '*' ], $result->getHeader( 'Access-Control-Allow-Origin' ) );
}
public function provideModifyResponseDisallowUntrustedOriginCookieAuth() {
return [
'Missing Origin' => [
'',
'GET',
true,
],
'Untrusted Origin' => [
'www.mediawiki.org',
'GET',
true
],
'Trusted Origin, anon user' => [
'example.com',
'POST',
false
],
];
}
public function testCreatePreflightResponse() {
$responseFactory = $this->createMock( ResponseFactory::class );
$responseFactory->method( 'createNoContent' )
->willReturn( new Response() );
$cors = new CorsUtils(
$this->createServiceOptions(),
$responseFactory,
Use UserIdentityValue in tests where possible … instead of PHPUnit mocks. The tiny value class is made for this. Change-Id: Ie04cde57126fcafabf8906f9644c6e80345d8a48
2021-04-21 10:16:42 +00:00
new UserIdentityValue( 0, __CLASS__ )
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
);
$methods = [ 'POST' ];
$response = $cors->createPreflightResponse( $methods );
$this->assertInstanceOf( ResponseInterface::class, $response );
$this->assertTrue( $response->hasHeader( 'Access-Control-Allow-Headers' ) );
$this->assertTrue( $response->hasHeader( 'Access-Control-Allow-Methods' ) );
$this->assertSame( $methods, $response->getHeader( 'Access-Control-Allow-Methods' ) );
}
Make REST CORS allowed headers respect site configuration. Bug: T268791 Change-Id: I4f10e508730baf5ce276bb71dc354554eed3cfb0
2021-05-22 00:32:58 +00:00
public function testCreatePreflightResponse_allow_headers() {
$responseFactory = $this->createMock( ResponseFactory::class );
$responseFactory->method( 'createNoContent' )
->willReturn( new Response() );
$cors = new CorsUtils(
$this->createServiceOptions( [
unit tests: Use MainConfigNames constant to refer configs When creating ServiceOptions objects or fake HashConfigs use the constant to refer the config name Change-Id: I59a29f25b76e896c07e82156c6cc4494f98e64cc
2022-08-17 20:33:06 +00:00
MainConfigNames::AllowedCorsHeaders => [ 'Authorization', 'BlaHeader', ],
Make REST CORS allowed headers respect site configuration. Bug: T268791 Change-Id: I4f10e508730baf5ce276bb71dc354554eed3cfb0
2021-05-22 00:32:58 +00:00
] ),
$responseFactory,
new UserIdentityValue( 0, __CLASS__ )
);
$methods = [ 'POST' ];
$response = $cors->createPreflightResponse( $methods );
$this->assertTrue( $response->hasHeader( 'Access-Control-Allow-Headers' ) );
$header = $response->getHeader( 'Access-Control-Allow-Headers' );
$this->assertContains( 'Authorization', $header );
$this->assertContains( 'Content-Type', $header );
$this->assertSame( count( $header ), count( array_unique( $header ) ) );
}
Handle CORS preflight request and prevent anon users from unsafe methods Creates an OPTIONS handler that handles any OPTIONS requests that are not already handled by a handler. CORS has no mechanism to ensure the user is authenticated, so the Router will reject cross-origin requests from anon users. This change allows authenticated users to make cross-origin requests if they authenticate with OAuth or if $wgRestAllowCrossOriginCookieAuth is enabled. Bug: T232176 Bug: T262712 Change-Id: I128b4bdbec4f6bea35142153c951fd7b79617106
2020-08-22 19:26:19 +00:00
}
Reference in a new issue Copy permalink