graphql-engine/server/tests-py/test_cors.py

import pytest

if not pytest.config.getoption("--test-cors"):
    pytest.skip("--test-cors flag is missing, skipping tests", allow_module_level=True)


def url(hge_ctx):
    return hge_ctx.hge_url + '/v1/version'

class TestCors():
    """
    currently assumes the following is set:
    HASURA_GRAPHQL_CORS_DOMAIN="http://*.localhost, http://localhost:3000, https://*.foo.bar.com"
    """
    def assert_cors_headers(self, origin, resp):
        headers = resp.headers
        assert 'Access-Control-Allow-Origin' in headers
        assert headers['Access-Control-Allow-Origin'] == origin
        assert 'Access-Control-Allow-Credentials' in headers
        assert headers['Access-Control-Allow-Credentials'] == 'true'
        assert 'Access-Control-Allow-Methods' in headers
        assert headers['Access-Control-Allow-Methods'] == 'GET,POST,PUT,PATCH,DELETE,OPTIONS'

    def test_cors_foo_bar_top_domain(self, hge_ctx):
        origin = 'https://foo.bar.com'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        with pytest.raises(AssertionError):
            self.assert_cors_headers(origin, resp)

    def test_cors_foo_bar_sub_domain(self, hge_ctx):
        origin = 'https://app.foo.bar.com'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        self.assert_cors_headers(origin, resp)

    def test_cors_foo_bar_sub_sub_domain_fails(self, hge_ctx):
        origin = 'https://inst1.app.foo.bar.com'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        with pytest.raises(AssertionError):
            self.assert_cors_headers(origin, resp)

    def test_cors_localhost_domain_w_port(self, hge_ctx):
        origin = 'http://localhost:3000'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        self.assert_cors_headers(origin, resp)

    def test_cors_localhost_domain(self, hge_ctx):
        origin = 'http://app.localhost'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        self.assert_cors_headers(origin, resp)

    def test_cors_wrong_domain(self, hge_ctx):
        origin = 'https://example.com'
        resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})
        assert 'Access-Control-Allow-Origin' not in resp.headers
add support for multiple domains in cors config (close #1436) (#1536) Support for multiple domains (as CSV) in the `--cors-domain` flag and `HASURA_GRAPHQL_CORS_DOMAIN` env var. Following are all valid configurations (must include scheme and optional port): ```shell HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com:8080" HASURA_GRAPHQL_CORS_DOMAIN="https://.foo.bar.com, http://.localhost, https://example.com" HASURA_GRAPHQL_CORS_DOMAIN="" HASURA_GRAPHQL_CORS_DOMAIN="http://example.com, http://.localhost, http://localhost:3000, https://.foo.bar.com, https://foo.bar.com" ``` Note: top-level domains are not considered as part of wildcard domains. You have to add them separately. E.g - `https://.foo.com` doesn't include `https://foo.com`. The default (if the flag or env var is not specified) is ``. Which means CORS headers are sent for all domains. 2019-02-14 08:58:38 +03:00			`import pytest`

			`if not pytest.config.getoption("--test-cors"):`
			`pytest.skip("--test-cors flag is missing, skipping tests", allow_module_level=True)`


			`def url(hge_ctx):`
			`return hge_ctx.hge_url + '/v1/version'`

			`class TestCors():`
			`"""`
			`currently assumes the following is set:`
			`HASURA_GRAPHQL_CORS_DOMAIN="http://.localhost, http://localhost:3000, https://.foo.bar.com"`
			`"""`
			`def assert_cors_headers(self, origin, resp):`
			`headers = resp.headers`
			`assert 'Access-Control-Allow-Origin' in headers`
			`assert headers['Access-Control-Allow-Origin'] == origin`
			`assert 'Access-Control-Allow-Credentials' in headers`
			`assert headers['Access-Control-Allow-Credentials'] == 'true'`
			`assert 'Access-Control-Allow-Methods' in headers`
			`assert headers['Access-Control-Allow-Methods'] == 'GET,POST,PUT,PATCH,DELETE,OPTIONS'`

			`def test_cors_foo_bar_top_domain(self, hge_ctx):`
			`origin = 'https://foo.bar.com'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`with pytest.raises(AssertionError):`
			`self.assert_cors_headers(origin, resp)`

			`def test_cors_foo_bar_sub_domain(self, hge_ctx):`
			`origin = 'https://app.foo.bar.com'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`self.assert_cors_headers(origin, resp)`

			`def test_cors_foo_bar_sub_sub_domain_fails(self, hge_ctx):`
			`origin = 'https://inst1.app.foo.bar.com'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`with pytest.raises(AssertionError):`
			`self.assert_cors_headers(origin, resp)`

			`def test_cors_localhost_domain_w_port(self, hge_ctx):`
			`origin = 'http://localhost:3000'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`self.assert_cors_headers(origin, resp)`

			`def test_cors_localhost_domain(self, hge_ctx):`
			`origin = 'http://app.localhost'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`self.assert_cors_headers(origin, resp)`

			`def test_cors_wrong_domain(self, hge_ctx):`
			`origin = 'https://example.com'`
			`resp = hge_ctx.http.get(url(hge_ctx), headers={'Origin': origin})`
			`assert 'Access-Control-Allow-Origin' not in resp.headers`