Merge pull request #34693 from owncloud/stable10-corsAcceptanceTests
[stable10] test ocs endpoints with CORS headers
Showing
5 changed files
with
336 additions
and
2 deletions.
@@ -0,0 +1,123 @@ | ||
@api @TestAlsoOnExternalUserBackend | ||
Feature: CORS headers | ||
Background: | ||
Given user "user0" has been created with default attributes | ||
And a new client token for "user0" has been generated | ||
|
||
Scenario Outline: CORS headers should be returned when setting CORS domain sending Origin header | ||
Given using OCS API version "<ocs_api_version>" | ||
And user "user0" has added "https://aphno.badal" to the list of personal CORS domains | ||
When user "user0" sends HTTP method "GET" to OCS API endpoint "<endpoint>" with headers | ||
| header | value | | ||
| Origin | https://aphno.badal | | ||
Then the OCS status code should be "<ocs-code>" | ||
And the HTTP status code should be "<http-code>" | ||
Then the following headers should be set | ||
| Access-Control-Allow-Headers | OC-Checksum,OC-Total-Length,OCS-APIREQUEST,X-OC-Mtime,Accept,Authorization,Brief,Content-Length,Content-Range,Content-Type,Date,Depth,Destination,Host,If,If-Match,If-Modified-Since,If-None-Match,If-Range,If-Unmodified-Since,Location,Lock-Token,Overwrite,Prefer,Range,Schedule-Reply,Timeout,User-Agent,X-Expected-Entity-Length,Accept-Language,Access-Control-Request-Method,Access-Control-Allow-Origin,ETag,OC-Autorename,OC-CalDav-Import,OC-Chunked,OC-Etag,OC-FileId,OC-LazyOps,OC-Total-File-Length,Origin,X-Request-ID,X-Requested-With | | ||
| Access-Control-Expose-Headers | Content-Location,DAV,ETag,Link,Lock-Token,OC-ETag,OC-Checksum,OC-FileId,OC-JobStatus-Location,Vary,Webdav-Location,X-Sabre-Status | | ||
| Access-Control-Allow-Origin | https://aphno.badal | | ||
| Access-Control-Allow-Methods | GET,OPTIONS,POST,PUT,DELETE,MKCOL,PROPFIND,PATCH,PROPPATCH,REPORT | | ||
Examples: | ||
| ocs_api_version |endpoint | ocs-code | http-code | | ||
| 1 |/apps/files_external/api/v1/mounts | 100 | 200 | | ||
| 2 |/apps/files_external/api/v1/mounts | 200 | 200 | | ||
| 1 |/apps/files_sharing/api/v1/remote_shares | 100 | 200 | | ||
| 2 |/apps/files_sharing/api/v1/remote_shares | 200 | 200 | | ||
| 1 |/apps/files_sharing/api/v1/remote_shares/pending | 100 | 200 | | ||
| 2 |/apps/files_sharing/api/v1/remote_shares/pending | 200 | 200 | | ||
| 1 |/apps/files_sharing/api/v1/shares | 100 | 200 | | ||
| 2 |/apps/files_sharing/api/v1/shares | 200 | 200 | | ||
| 1 |/privatedata/getattribute | 100 | 200 | | ||
| 2 |/privatedata/getattribute | 200 | 200 | | ||
|
||
#merge into previous scenario when fixed | ||
@issue-34664 | ||
Scenario Outline: CORS headers should be returned when setting CORS domain sending Origin header | ||
Given using OCS API version "<ocs_api_version>" | ||
And user "user0" has added "https://aphno.badal" to the list of personal CORS domains | ||
When user "user0" sends HTTP method "GET" to OCS API endpoint "<endpoint>" with headers | ||
| header | value | | ||
| Origin | https://aphno.badal | | ||
Then the OCS status code should be "<ocs-code>" | ||
And the HTTP status code should be "<http-code>" | ||
Then the following headers should not be set | ||
| Access-Control-Allow-Headers | | ||
| Access-Control-Expose-Headers | | ||
| Access-Control-Allow-Origin | | ||
| Access-Control-Allow-Methods | | ||
Examples: | ||
| ocs_api_version |endpoint | ocs-code | http-code | | ||
| 1 |/config | 100 | 200 | | ||
| 2 |/config | 200 | 200 | | ||
|
||
Scenario Outline: CORS headers should be returned when setting CORS domain sending Origin header (admin only endpoints) | ||
Given using OCS API version "<ocs_api_version>" | ||
And the administrator has added "https://aphno.badal" to the list of personal CORS domains | ||
When the administrator sends HTTP method "GET" to OCS API endpoint "<endpoint>" with headers | ||
| header | value | | ||
| Origin | https://aphno.badal | | ||
Then the OCS status code should be "<ocs-code>" | ||
And the HTTP status code should be "<http-code>" | ||
Then the following headers should be set | ||
| Access-Control-Allow-Headers | OC-Checksum,OC-Total-Length,OCS-APIREQUEST,X-OC-Mtime,Accept,Authorization,Brief,Content-Length,Content-Range,Content-Type,Date,Depth,Destination,Host,If,If-Match,If-Modified-Since,If-None-Match,If-Range,If-Unmodified-Since,Location,Lock-Token,Overwrite,Prefer,Range,Schedule-Reply,Timeout,User-Agent,X-Expected-Entity-Length,Accept-Language,Access-Control-Request-Method,Access-Control-Allow-Origin,ETag,OC-Autorename,OC-CalDav-Import,OC-Chunked,OC-Etag,OC-FileId,OC-LazyOps,OC-Total-File-Length,Origin,X-Request-ID,X-Requested-With | | ||
| Access-Control-Expose-Headers | Content-Location,DAV,ETag,Link,Lock-Token,OC-ETag,OC-Checksum,OC-FileId,OC-JobStatus-Location,Vary,Webdav-Location,X-Sabre-Status | | ||
| Access-Control-Allow-Origin | https://aphno.badal | | ||
| Access-Control-Allow-Methods | GET,OPTIONS,POST,PUT,DELETE,MKCOL,PROPFIND,PATCH,PROPPATCH,REPORT | | ||
Examples: | ||
| ocs_api_version |endpoint | ocs-code | http-code | | ||
| 1 |/cloud/apps | 100 | 200 | | ||
| 2 |/cloud/apps | 200 | 200 | | ||
| 1 |/cloud/groups | 100 | 200 | | ||
| 2 |/cloud/groups | 200 | 200 | | ||
| 1 |/cloud/users | 100 | 200 | | ||
| 2 |/cloud/users | 200 | 200 | | ||
|
||
Scenario Outline: no CORS headers should be returned when CORS domain does not match Origin header | ||
Given using OCS API version "<ocs_api_version>" | ||
And user "user0" has added "https://mero.badal" to the list of personal CORS domains | ||
When user "user0" sends HTTP method "GET" to OCS API endpoint "<endpoint>" with headers | ||
| header | value | | ||
| Origin | https://aphno.badal | | ||
Then the OCS status code should be "<ocs-code>" | ||
And the HTTP status code should be "<http-code>" | ||
Then the following headers should not be set | ||
| Access-Control-Allow-Headers | | ||
| Access-Control-Expose-Headers | | ||
| Access-Control-Allow-Origin | | ||
| Access-Control-Allow-Methods | | ||
Examples: | ||
| ocs_api_version |endpoint | ocs-code | http-code | | ||
| 1 |/apps/files_external/api/v1/mounts | 100 | 200 | | ||
| 2 |/apps/files_external/api/v1/mounts | 200 | 200 | | ||
| 1 |/apps/files_sharing/api/v1/remote_shares | 100 | 200 | | ||
| 2 |/apps/files_sharing/api/v1/remote_shares | 200 | 200 | | ||
| 1 |/apps/files_sharing/api/v1/remote_shares/pending | 100 | 200 | | ||
| 2 |/apps/files_sharing/api/v1/remote_shares/pending | 200 | 200 | | ||
| 1 |/apps/files_sharing/api/v1/shares | 100 | 200 | | ||
| 2 |/apps/files_sharing/api/v1/shares | 200 | 200 | | ||
| 1 |/config | 100 | 200 | | ||
| 2 |/config | 200 | 200 | | ||
| 1 |/privatedata/getattribute | 100 | 200 | | ||
| 2 |/privatedata/getattribute | 200 | 200 | | ||
|
||
Scenario Outline: no CORS headers should be returned when CORS domain does not match Origin header (admin only endpoints) | ||
Given using OCS API version "<ocs_api_version>" | ||
And the administrator has added "https://mero.badal" to the list of personal CORS domains | ||
When the administrator sends HTTP method "GET" to OCS API endpoint "<endpoint>" with headers | ||
| header | value | | ||
| Origin | https://aphno.badal | | ||
Then the OCS status code should be "<ocs-code>" | ||
And the HTTP status code should be "<http-code>" | ||
Then the following headers should not be set | ||
| Access-Control-Allow-Headers | | ||
| Access-Control-Expose-Headers | | ||
| Access-Control-Allow-Origin | | ||
| Access-Control-Allow-Methods | | ||
Examples: | ||
| ocs_api_version |endpoint | ocs-code | http-code | | ||
| 1 |/cloud/apps | 100 | 200 | | ||
| 2 |/cloud/apps | 200 | 200 | | ||
| 1 |/cloud/groups | 100 | 200 | | ||
| 2 |/cloud/groups | 200 | 200 | | ||
| 1 |/cloud/users | 100 | 200 | | ||
| 2 |/cloud/users | 200 | 200 | |
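Review bot: The two "no CORS headers ... when CORS domain does not match" outlines only prove that a completely different domain (`https://mero.badal`) is rejected, which would still pass if the server matched origins by substring or ignored scheme and port; the origin-comparison mistakes that matter in CORS are the near-misses. Consider turning the fixed `| Origin | https://aphno.badal |` row into `| Origin | <origin> |` and adding an `origin` column with values such as `http://aphno.badal`, `https://aphno.badal:8443` and `https://aphno.badal.attacker.example` next to the configured `https://aphno.badal`, all of which should end without an `Access-Control-Allow-Origin` header. The positive outlines also assert nothing about `Access-Control-Allow-Credentials`, even though every request here is authenticated with the client token from the Background; if the server emits it, pin it, and if it does not, a `should not be set` row documents that deliberately. Finally, the `@issue-34664` outline keeps the title of the first scenario ("CORS headers should be returned ...") while asserting the opposite for `/config`, so a passing run reads as if `/config` returned headers it does not; a title like `no CORS headers are returned on /config yet (issue 34664)` says what is actually checked.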
@@ -0,0 +1,165 @@ | ||
<?php | ||
/** | ||
* ownCloud | ||
* | ||
* @author Artur Neumann <artur@jankaritech.com> | ||
* @copyright Copyright (c) 2019, ownCloud GmbH | ||
* | ||
* This code is free software: you can redistribute it and/or modify | ||
* it under the terms of the GNU Affero General Public License, | ||
* as published by the Free Software Foundation; | ||
* either version 3 of the License, or any later version. | ||
* | ||
* This program is distributed in the hope that it will be useful, | ||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
* GNU Affero General Public License for more details. | ||
* | ||
* You should have received a copy of the GNU Affero General Public License | ||
* along with this program. If not, see <http://www.gnu.org/licenses/> | ||
* | ||
*/ | ||
|
||
use Behat\Behat\Context\Context; | ||
use Behat\Behat\Hook\Scope\BeforeScenarioScope; | ||
use Behat\Behat\Hook\Scope\AfterScenarioScope; | ||
|
||
require_once 'bootstrap.php'; | ||
/** | ||
* Steps that relate to CORS tests | ||
*/ | ||
class CorsContext implements Context { | ||
/** | ||
* | ||
* @var FeatureContext | ||
*/ | ||
private $featureContext; | ||
|
||
private $originalAdminCorsDomains = null; | ||
|
||
/** | ||
* @Given user :user has added :domain to the list of personal CORS domains | ||
* | ||
* @param string $user | ||
* @param string $domain | ||
* | ||
* @return void | ||
*/ | ||
public function addDomainToPrivateCORSLists($user, $domain) { | ||
$this->featureContext->runOcc( | ||
[ | ||
'user:setting', | ||
$user, | ||
'core', | ||
'domains' | ||
] | ||
); | ||
if ($this->featureContext->getExitStatusCodeOfOccCommand() === 0) { | ||
$domainsJson = $this->featureContext->getStdOutOfOccCommand(); | ||
$domains = \json_decode($domainsJson); | ||
} else { | ||
$domainsJson = ""; | ||
$domains = []; | ||
} | ||
if ($user === $this->featureContext->getAdminUsername() | ||
&& $this->originalAdminCorsDomains === null | ||
) { | ||
$this->originalAdminCorsDomains = $domainsJson; | ||
} | ||
|
||
$domains[] = $domain; | ||
$valueString = \json_encode($domains); | ||
|
||
$this->featureContext->runOcc( | ||
[ | ||
'user:setting', | ||
$user, | ||
'core', | ||
'domains', | ||
'--value=\'' . $valueString . '\'' | ||
] | ||
); | ||
if ($this->featureContext->getExitStatusCodeOfOccCommand() !== 0) { | ||
throw new \Exception( | ||
"could not set CORS domain. " . | ||
$this->featureContext->getStdErrOfOccCommand() | ||
); | ||
} | ||
//double check if it was set | ||
$this->featureContext->runOcc( | ||
[ | ||
'user:setting', | ||
$user, | ||
'core', | ||
'domains' | ||
] | ||
); | ||
$domains = \json_decode($this->featureContext->getStdOutOfOccCommand()); | ||
PHPUnit_Framework_Assert::assertContains( | ||
$domain, $domains, "CORS domain was not added correctly" | ||
); | ||
} | ||
|
||
/** | ||
* @Given the administrator has added :domain to the list of personal CORS domains | ||
* | ||
* @param string $domain | ||
* | ||
* @return void | ||
*/ | ||
public function adminAddDomainToPrivateCORSLists($domain) { | ||
$this->addDomainToPrivateCORSLists( | ||
$this->featureContext->getAdminUsername(), $domain | ||
); | ||
} | ||
|
||
/** | ||
* This will run before EVERY scenario. | ||
* It will set the properties for this object. | ||
* | ||
* @BeforeScenario | ||
* | ||
* @param BeforeScenarioScope $scope | ||
* | ||
* @return void | ||
*/ | ||
public function before(BeforeScenarioScope $scope) { | ||
// Get the environment | ||
$environment = $scope->getEnvironment(); | ||
// Get all the contexts you need in this context | ||
$this->featureContext = $environment->getContext('FeatureContext'); | ||
} | ||
|
||
/** | ||
* @AfterScenario | ||
* | ||
* @param AfterScenarioScope $scope | ||
* | ||
* @return void | ||
*/ | ||
public function resetAdminCors(AfterScenarioScope $scope) { | ||
if ($this->originalAdminCorsDomains !== null) { | ||
if ($this->originalAdminCorsDomains !== "") { | ||
$this->featureContext->runOcc( | ||
[ | ||
'user:setting', | ||
$this->featureContext->getAdminUsername(), | ||
'core', | ||
'domains', | ||
'--value=\'' . $this->originalAdminCorsDomains . '\'' | ||
] | ||
); | ||
} else { | ||
$this->featureContext->runOcc( | ||
[ | ||
'user:setting', | ||
$this->featureContext->getAdminUsername(), | ||
'core', | ||
'domains', | ||
'--delete' | ||
] | ||
); | ||
} | ||
} | ||
} | ||
} |
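Review bot: In addDomainToPrivateCORSLists the first `user:setting` read treats any non-zero occ exit as "no domains configured yet" (the `else` branch sets `$domains = []`), so an unrelated occ failure silently starts from an empty list, and for the admin user `$this->originalAdminCorsDomains` is then recorded as `""`, which makes resetAdminCors run `--delete` at teardown and remove whatever the admin really had configured. If occ lets you tell an unset key apart from other failures (exit code or stderr text — confirm), only fall back to `[]` in that case and otherwise throw, as the write path already does. The hand-built `'--value=\'' . $valueString . '\''` suggests runOcc joins its arguments into a shell string; if so, a domain or user name containing a quote breaks out of the argument and the value should go through `escapeshellarg()` (or runOcc should do the quoting), while if runOcc passes argv directly the literal quotes end up inside the stored JSON. The verification step decodes stdout without checking for `null`, so a non-JSON reply reaches `assertContains` as `null` and fails with a type error rather than the intended "CORS domain was not added correctly" message; `\json_decode(..., true)` plus an `\is_array` check before the assert keeps that failure readable.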