author | Valerij Fredriksen <valerijf@yahooinc.com> | 2023-06-06 15:52:41 +0200 |
---|---|---|
committer | Valerij Fredriksen <valerijf@yahooinc.com> | 2023-06-06 15:52:41 +0200 |
commit | a5c36c88fe03eb16908e7066df2be7fc08fef7ce (patch) | |
tree | e5732e52acca99978e1fd3bb0c3f803bfd8d8863 /jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors | |
parent | 212a1934ff38662183609827ac91a67a34179eb0 (diff) |
Allow subdomains in CORS filters
Diffstat (limited to 'jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors')
2 files changed, 46 insertions, 0 deletions
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogicTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogicTest.java
new file mode 100644
index 00000000000..60b5edde97d
--- /dev/null
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogicTest.java
@@ -0,0 +1,40 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.jdisc.http.filter.security.cors;
+
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+/**
+ * @author freva
+ */
+class CorsLogicTest {
+
+ @Test
+ void wildcard_matches_everything() {
+ CorsLogic logic = CorsLogic.forAllowedOrigins(List.of("*"));
+ assertMatches(logic, true, "http://any.origin", "https://any.origin", "http://any.origin:8080");
+ }
+
+ @Test
+ void matches_verbatim_and_pattern() {
+ CorsLogic logic = CorsLogic.forAllowedOrigins(List.of("http://my.origin", "http://*.domain.origin", "*://do.main", "*.tld"));
+ assertMatches(logic, true,
+ "http://my.origin", // Matches verbatim
+ "http://any.domain.origin", // Matches first pattern
+ "http://any.sub.domain.origin", // Matches first pattern
+ "http://do.main", "https://do.main", // Matches second pattern
+ "https://any.thing.tld"); // Matches third pattern
+ assertMatches(logic, false,
+ "https://my.origin", // Different scheme from verbatim
+ "http://domain.origin", // Missing subdomain to match the first pattern
+ "https://sub.do.main"); // Second pattern, but with subdomain
+ }
+
+ private static void assertMatches(CorsLogic logic, boolean expected, String... origins) {
+ for (String origin : origins)
+ assertEquals(expected, logic.originMatches(origin), origin);
+ }
+}
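Review bot: The `assertMatches(logic, false, ...)` list in `matches_verbatim_and_pattern` has no look-alike origins, so a matcher that treats the `.` in `http://*.domain.origin` as "any character", or that is not anchored at the end of the origin, would still pass every assertion here. The existing `"http://domain.origin"` case is rejected under either behaviour, so it does not pin this down. Two further negative cases with constructed sample values would cover it: `"http://anyXdomain.origin", // '.' before the domain must be literal` and `"http://any.domain.origin.other.example", // pattern must be anchored at the end`. The `CorsLogic` implementation is not part of this page (the diffstat is limited to the test directory), so whether it already anchors and escapes correctly cannot be confirmed from here. The new `matches_subdomains` test in `CorsResponseFilterTest` is positive-only in the same way and would benefit from a matching rejected-origin assertion.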
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilterTest.java
index 7762fde1a72..1fded811eed 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsResponseFilterTest.java
@@ -54,6 +54,12 @@ public class CorsResponseFilterTest {
 assertEquals("http://any.origin", headers.get(ALLOW_ORIGIN_HEADER));
 }
 
+ @Test
+ void matches_subdomains() {
+ Map<String, String> headers = doFilterRequest(newResponseFilter("http://*.domain.origin"), "http://any.domain.origin");
+ assertEquals("http://any.domain.origin", headers.get(ALLOW_ORIGIN_HEADER));
+ }
+
 private static Map<String, String> doFilterRequest(SecurityResponseFilter filter, String originUrl) {
 TestResponse response = new TestResponse();
 filter.filter(response, newRequestView(originUrl));
|