

test(gw): cors preflight with custom hearder
This cleans up old CORS tests and adds more resolution
(proper origin, testing custom header behavior)
lidel committed Aug 17, 2022
1 parent 1236eb0 commit c413030
Showing 1 changed file with 59 additions and 18 deletions.
77 changes: 59 additions & 18 deletions test/sharness/t0112-gateway-cors.sh
@@ -1,14 +1,39 @@
#!/usr/bin/env bash
#
# Copyright (c) 2016 Marcin Rataj
# MIT Licensed; see the LICENSE file in this repository.
#

test_description="Test HTTP Gateway CORS Support"
test_description="Test CORS behavior on HTTP ports (RPC API and Gateway)"

. lib/test-lib.sh

test_init_ipfs

# Default config

test_expect_success "Default API.HTTPHeaders config is empty" '
echo "{}" > expected &&
ipfs config --json API.HTTPHeaders > actual &&
test_cmp expected actual
'

test_expect_success "Default Gateway.HTTPHeaders config match expected values" '
cat <<EOF > expected
{
"Access-Control-Allow-Headers": [
"X-Requested-With",
"Range",
"User-Agent"
],
"Access-Control-Allow-Methods": [
"GET"
],
"Access-Control-Allow-Origin": [
"*"
]
}
EOF
ipfs config --json Gateway.HTTPHeaders > actual &&
test_cmp expected actual
'

test_launch_ipfs_daemon

thash='QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn'
Expand All @@ -34,7 +59,7 @@ test_expect_success "GET response for Gateway resource looks good" '

# HTTP OPTIONS Request
test_expect_success "OPTIONS to Gateway succeeds" '
curl -svX OPTIONS "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
curl -svX OPTIONS -H "Origin: https://example.com" "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
cat curl_output
'

Expand All @@ -51,7 +76,7 @@ test_expect_success "OPTIONS response for Gateway resource looks good" '

test_kill_ipfs_daemon

# Change headers
# Test CORS safelisting of custom headers
test_expect_success "Can configure gateway headers" '
ipfs config --json Gateway.HTTPHeaders.Access-Control-Allow-Headers "[\"X-Custom1\"]" &&
ipfs config --json Gateway.HTTPHeaders.Access-Control-Expose-Headers "[\"X-Custom2\"]" &&
Expand All @@ -60,12 +85,13 @@ test_expect_success "Can configure gateway headers" '

test_launch_ipfs_daemon

test_expect_success "OPTIONS to Gateway succeeds" '
curl -svX OPTIONS "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
test_expect_success "OPTIONS to Gateway without custom headers succeeds" '
curl -svX OPTIONS -H "Origin: https://example.com" "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
cat curl_output
'

test_expect_success "Access-Control-Allow-Headers extends" '
# Range and Content-Range are safelisted by default, and keeping them makes better devexp
# because it does not cause regressions in range requests made by JS
test_expect_success "Access-Control-Allow-Headers extends the implicit list" '
grep "< Access-Control-Allow-Headers: Range" curl_output &&
grep "< Access-Control-Allow-Headers: X-Custom1" curl_output &&
grep "< Access-Control-Expose-Headers: Content-Range" curl_output &&
Expand All @@ -75,29 +101,44 @@ test_expect_success "Access-Control-Allow-Headers extends" '
grep "< Access-Control-Expose-Headers: X-Custom2" curl_output
'

test_expect_success "Access-Control-Allow-Origin replaces" '
test_expect_success "OPTIONS to Gateway with a custom header succeeds" '
curl -svX OPTIONS -H "Origin: https://example.com" -H "Access-Control-Request-Headers: X-Unexpected-Custom" "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
cat curl_output
'
test_expect_success "Access-Control-Allow-Headers extends the implicit list" '
test_expect_code 1 grep "< Access-Control-Allow-Headers: X-Unexpected-Custom" curl_output &&
grep "< Access-Control-Allow-Headers: Range" curl_output &&
grep "< Access-Control-Allow-Headers: X-Custom1" curl_output &&
grep "< Access-Control-Expose-Headers: Content-Range" curl_output &&
grep "< Access-Control-Expose-Headers: X-Custom2" curl_output
'

# Origin is sensitive security perimeter, and we assume override should remove
# any implicit records
test_expect_success "Access-Control-Allow-Origin replaces the implicit list" '
grep "< Access-Control-Allow-Origin: localhost" curl_output
'

# Read-Only API (at the Gateway Port)
# Read-Only /api/v0 RPC API (exposed on the Gateway Port)

# HTTP GET Request
test_expect_success "GET to API succeeds" '
test_expect_success "GET to {gw}/api/v0 succeeds" '
curl -svX GET "http://127.0.0.1:$GWAY_PORT/api/v0/cat?arg=$thash" >/dev/null 2>curl_output
'
# GET Response from the API should NOT contain CORS headers
# Blacklisting: https://github.com/ipfs/go-ipfs/blob/5d9ee59908099df3f7e85679f7384c98d4ac8111/commands/http/handler.go#L71-L82
# Rationale: https://github.com/ipfs/go-ipfs/pull/1529#issuecomment-125702347
test_expect_success "OPTIONS response for API looks good" '
test_expect_success "GET response from {gw}/api/v0 has no CORS headers" '
grep -q "Access-Control-Allow-" curl_output && false || true
'

# HTTP OPTIONS Request
test_expect_success "OPTIONS to API succeeds" '
curl -svX OPTIONS "http://127.0.0.1:$GWAY_PORT/api/v0/cat?arg=$thash" 2>curl_output
test_expect_success "OPTIONS to {gw}/api/v0 succeeds" '
curl -svX OPTIONS -H "Origin: https://example.com" "http://127.0.0.1:$GWAY_PORT/api/v0/cat?arg=$thash" 2>curl_output
'
# OPTIONS Response from the API should NOT contain CORS headers
test_expect_success "OPTIONS response for API looks good" '
test_expect_success "OPTIONS response from {gw}/api/v0 has no CORS header" '
cat curl_output &&
grep -q "Access-Control-Allow-" curl_output && false || true
'

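Review bot: The two "has no CORS headers" assertions for {gw}/api/v0 in the last hunk, `grep -q "Access-Control-Allow-" curl_output && false || true` (in both the GET and the OPTIONS test), can never fail: when grep matches, `false` runs and the trailing `|| true` rescues it, so the test passes whether or not the read-only RPC API on the gateway port emits CORS headers. These are the checks that browsers are not granted cross-origin access to the API on that port, so they should use the same form the hunk already uses for X-Unexpected-Custom: `test_expect_code 1 grep -q "Access-Control-Allow-" curl_output`. The lines are unchanged context around the renamed test titles, so the rename carries the vacuous check forward. Separately, "Access-Control-Allow-Origin replaces the implicit list" only asserts that `localhost` is present; adding `test_expect_code 1 grep "< Access-Control-Allow-Origin: \*" curl_output` would also pin that the default `*` from the earlier hunk is actually gone, which is what the title and the comment above it claim.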

