1   /*
2    * MIT License
3    *
4    * Copyright (c) 2010-2020 The Waffle Project Contributors: https://github.com/Waffle/waffle/graphs/contributors
5    *
6    * Permission is hereby granted, free of charge, to any person obtaining a copy
7    * of this software and associated documentation files (the "Software"), to deal
8    * in the Software without restriction, including without limitation the rights
9    * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10   * copies of the Software, and to permit persons to whom the Software is
11   * furnished to do so, subject to the following conditions:
12   *
13   * The above copyright notice and this permission notice shall be included in all
14   * copies or substantial portions of the Software.
15   *
16   * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17   * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18   * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19   * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20   * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21   * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22   * SOFTWARE.
23   */
24  package waffle.util;
25  
26  import jakarta.servlet.http.HttpServletRequest;
27  
28  import mockit.Expectations;
29  import mockit.Mocked;
30  import mockit.Verifications;
31  
32  import org.junit.jupiter.api.Assertions;
33  import org.junit.jupiter.api.Test;
34  
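/**
 * Unit tests for {@code CorsPreFlightCheck.isPreflight}.
 * <p>
 * Each test records method and header values on a JMockit-mocked {@link HttpServletRequest}, asserts how
 * {@code isPreflight} classifies the request, and then verifies how often each recorded accessor was read.
 * <p>
 * NOTE(review): the negative cases are the important ones if callers let preflight requests through before
 * authentication (not visible in this file; confirm against the code that calls {@code isPreflight}). A request
 * wrongly classified as preflight would then skip that check.
 */
class CorsPreFlightCheckTest {

    /** Request carrying OPTIONS, Access-Control-Request-Method, Access-Control-Request-Headers and Origin. */
    @Mocked
    HttpServletRequest preflightRequest;

    /** Request whose Origin header is recorded as {@code null}. */
    @Mocked
    HttpServletRequest noOriginPreflightRequest;

    /**
     * Request with only the HTTP method and Access-Control-Request-Method recorded.
     * NOTE(review): the name suggests a missing Access-Control-Request-Method, but the test records a value for it.
     */
    @Mocked
    HttpServletRequest noCorsMethodPreflightRequest;

    /** Request whose Access-Control-Request-Headers header is recorded as {@code null}. */
    @Mocked
    HttpServletRequest noCorsHeadersPreflightHeaderRequest;

    /**
     * An OPTIONS request that carries all three CORS preflight headers is classified as preflight, and each
     * accessor is read exactly once.
     */
    @Test
    void testExpectedCorsPreflightHeadersPresent() {

        new Expectations() {
            {
                CorsPreFlightCheckTest.this.preflightRequest.getMethod();
                this.result = "OPTIONS";
                CorsPreFlightCheckTest.this.preflightRequest.getHeader("Access-Control-Request-Method");
                this.result = "LOGIN";
                CorsPreFlightCheckTest.this.preflightRequest.getHeader("Access-Control-Request-Headers");
                this.result = "X-Request-For";
                CorsPreFlightCheckTest.this.preflightRequest.getHeader("Origin");
                this.result = "https://theorigin.localhost";
            }
        };

        Assertions.assertTrue(CorsPreFlightCheck.isPreflight(this.preflightRequest));

        new Verifications() {
            {
                CorsPreFlightCheckTest.this.preflightRequest.getMethod();
                this.times = 1;
                CorsPreFlightCheckTest.this.preflightRequest.getHeader("Access-Control-Request-Method");
                this.times = 1;
                CorsPreFlightCheckTest.this.preflightRequest.getHeader("Access-Control-Request-Headers");
                this.times = 1;
                CorsPreFlightCheckTest.this.preflightRequest.getHeader("Origin");
                this.times = 1;
            }
        };
    }

    /**
     * An OPTIONS request with both Access-Control-Request-* headers but no Origin header is not classified as
     * preflight.
     */
    @Test
    void testNoCorsPreflightOriginPresent() {
        new Expectations() {
            {
                CorsPreFlightCheckTest.this.noOriginPreflightRequest.getMethod();
                this.result = "OPTIONS";
                CorsPreFlightCheckTest.this.noOriginPreflightRequest.getHeader("Access-Control-Request-Method");
                this.result = "LOGIN";
                CorsPreFlightCheckTest.this.noOriginPreflightRequest.getHeader("Access-Control-Request-Headers");
                this.result = "X-Request-For";
                // Origin MUST be present with Method and Headers to be a valid CORS request.
                CorsPreFlightCheckTest.this.noOriginPreflightRequest.getHeader("Origin");
                this.result = null;
            }
        };

        Assertions.assertFalse(CorsPreFlightCheck.isPreflight(this.noOriginPreflightRequest));

        new Verifications() {
            {
                CorsPreFlightCheckTest.this.noOriginPreflightRequest.getMethod();
                this.times = 1;
                CorsPreFlightCheckTest.this.noOriginPreflightRequest.getHeader("Access-Control-Request-Method");
                this.times = 1;
                CorsPreFlightCheckTest.this.noOriginPreflightRequest.getHeader("Access-Control-Request-Headers");
                this.times = 1;
                CorsPreFlightCheckTest.this.noOriginPreflightRequest.getHeader("Origin");
                this.times = 1;
            }
        };

    }

    /**
     * An OPTIONS request with only Access-Control-Request-Method recorded is not classified as preflight.
     * <p>
     * NOTE(review): Access-Control-Request-Method is recorded as "LOGIN" here, while Access-Control-Request-Headers
     * and Origin are left unrecorded. The {@code false} result therefore presumably comes from an unrecorded header
     * (the mock's default return value), not from a missing Access-Control-Request-Method. A case in which
     * Access-Control-Request-Method itself is {@code null} appears to be missing; confirm and add it.
     */
    @Test
    void testCorsMethodPreflightHeadersPresent() {
        new Expectations() {
            {
                CorsPreFlightCheckTest.this.noCorsMethodPreflightRequest.getMethod();
                this.result = "OPTIONS";
                CorsPreFlightCheckTest.this.noCorsMethodPreflightRequest.getHeader("Access-Control-Request-Method");
                this.result = "LOGIN";
            }
        };

        Assertions.assertFalse(CorsPreFlightCheck.isPreflight(this.noCorsMethodPreflightRequest));

        new Verifications() {
            {
                CorsPreFlightCheckTest.this.noCorsMethodPreflightRequest.getMethod();
                this.times = 1;
                CorsPreFlightCheckTest.this.noCorsMethodPreflightRequest.getHeader("Access-Control-Request-Method");
                this.times = 1;
            }
        };

    }

    /**
     * An OPTIONS request with Access-Control-Request-Method but no Access-Control-Request-Headers is not classified
     * as preflight.
     * <p>
     * Origin is neither recorded nor verified here; presumably {@code isPreflight} stops at the first missing
     * header (confirm against the implementation).
     */
    @Test
    void testNoCorsHeadersPreflightHeaderPresent() {

        new Expectations() {
            {
                CorsPreFlightCheckTest.this.noCorsHeadersPreflightHeaderRequest.getMethod();
                this.result = "OPTIONS";
                CorsPreFlightCheckTest.this.noCorsHeadersPreflightHeaderRequest
                        .getHeader("Access-Control-Request-Method");
                this.result = "LOGIN";
                CorsPreFlightCheckTest.this.noCorsHeadersPreflightHeaderRequest
                        .getHeader("Access-Control-Request-Headers");
                // Record exactly one result. A second assignment here would be queued as the return value for a
                // second read of this same header, not attached to Origin.
                this.result = null;
            }
        };

        Assertions.assertFalse(CorsPreFlightCheck.isPreflight(this.noCorsHeadersPreflightHeaderRequest));

        new Verifications() {
            {
                CorsPreFlightCheckTest.this.noCorsHeadersPreflightHeaderRequest.getMethod();
                this.times = 1;
                CorsPreFlightCheckTest.this.noCorsHeadersPreflightHeaderRequest
                        .getHeader("Access-Control-Request-Method");
                this.times = 1;
                CorsPreFlightCheckTest.this.noCorsHeadersPreflightHeaderRequest
                        .getHeader("Access-Control-Request-Headers");
                this.times = 1;
            }
        };
    }

}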