graphql-engine/server/tests-py/test_cors.py

import pytest
from context import PytestConf

def url(hge_ctx):
    return hge_ctx.hge_url + '/v1/version'

@pytest.mark.hge_env('HASURA_GRAPHQL_CORS_DOMAIN', 'http://*.localhost, http://localhost:3000, https://*.foo.bar.com')
class TestCors():
    def assert_cors_headers(self, origin, resp):
        headers = resp.headers
        assert 'Access-Control-Allow-Origin' in headers
        assert headers['Access-Control-Allow-Origin'] == origin
        assert 'Access-Control-Allow-Credentials' in headers
        assert headers['Access-Control-Allow-Credentials'] == 'true'
        assert 'Access-Control-Allow-Methods' in headers
        assert headers['Access-Control-Allow-Methods'] == 'GET,POST,PUT,PATCH,DELETE,OPTIONS'

    def test_cors_foo_bar_top_domain(self, hge_ctx):
        origin = 'https://foo.bar.com'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        with pytest.raises(AssertionError):
            self.assert_cors_headers(origin, resp)

    def test_cors_foo_bar_sub_domain(self, hge_ctx):
        origin = 'https://app.foo.bar.com'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        self.assert_cors_headers(origin, resp)

    def test_cors_foo_bar_sub_sub_domain_fails(self, hge_ctx):
        origin = 'https://inst1.app.foo.bar.com'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        with pytest.raises(AssertionError):
            self.assert_cors_headers(origin, resp)

    def test_cors_localhost_domain_w_port(self, hge_ctx):
        origin = 'http://localhost:3000'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        self.assert_cors_headers(origin, resp)

    def test_cors_localhost_domain(self, hge_ctx):
        origin = 'http://app.localhost'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        self.assert_cors_headers(origin, resp)

    def test_cors_wrong_domain(self, hge_ctx):
        origin = 'https://example.com'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        assert 'Access-Control-Allow-Origin' not in resp.headers
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`import pytest`
remove usage of deprecated 'pytest.config' (#3434) pytest is now at version 5.3 2019-11-29 08:14:26 +03:00			`from context import PytestConf`
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00
			`def url(hge_ctx):`
			`return hge_ctx.hge_url + '/v1/version'`

server/tests-py: Declaratively state the HGE environment variables. This has two purposes: * When running the Python integration tests against a running HGE instance, with `--hge-url`, it will check the environment variables available and actively skip the test if they aren't set. This replaces the previous ad-hoc skip behavior. * More interestingly, when running against a binary with `--hge-bin`, the environment variables are passed through, which means different tests can run with different environment variables. On top of this, the various services we use for testing now also provide their own environment variables, rather than expecting a test script to do it. In order to make this work, I also had to invert the dependency between various services and `hge_ctx`. I extracted a `pg_version` fixture to provide the PostgreSQL version, and now pass the `hge_url` and `hge_key` explicitly to `ActionsWebhookServer`. PR-URL: https://github.com/hasura/graphql-engine-mono/pull/6028 GitOrigin-RevId: 16d866741dba5887da1adf4e1ade8182ccc9d344 2022-09-28 12:19:47 +03:00			`@pytest.mark.hge_env('HASURA_GRAPHQL_CORS_DOMAIN', 'http://.localhost, http://localhost:3000, https://.foo.bar.com')`
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`class TestCors():`
			`def assert_cors_headers(self, origin, resp):`
			`headers = resp.headers`
			`assert 'Access-Control-Allow-Origin' in headers`
			`assert headers['Access-Control-Allow-Origin'] == origin`
			`assert 'Access-Control-Allow-Credentials' in headers`
			`assert headers['Access-Control-Allow-Credentials'] == 'true'`
			`assert 'Access-Control-Allow-Methods' in headers`
			`assert headers['Access-Control-Allow-Methods'] == 'GET,POST,PUT,PATCH,DELETE,OPTIONS'`

			`def test_cors_foo_bar_top_domain(self, hge_ctx):`
			`origin = 'https://foo.bar.com'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`with pytest.raises(AssertionError):`
			`self.assert_cors_headers(origin, resp)`

			`def test_cors_foo_bar_sub_domain(self, hge_ctx):`
			`origin = 'https://app.foo.bar.com'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`self.assert_cors_headers(origin, resp)`

			`def test_cors_foo_bar_sub_sub_domain_fails(self, hge_ctx):`
			`origin = 'https://inst1.app.foo.bar.com'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`with pytest.raises(AssertionError):`
			`self.assert_cors_headers(origin, resp)`

			`def test_cors_localhost_domain_w_port(self, hge_ctx):`
			`origin = 'http://localhost:3000'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`self.assert_cors_headers(origin, resp)`

			`def test_cors_localhost_domain(self, hge_ctx):`
			`origin = 'http://app.localhost'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`self.assert_cors_headers(origin, resp)`

			`def test_cors_wrong_domain(self, hge_ctx):`
			`origin = 'https://example.com'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`assert 'Access-Control-Allow-Origin' not in resp.headers`