@Test public void testSameOrigin() throws ServletException, IOException { // Setup the configuration settings of the server Map<String, String> conf = new HashMap<String, String>(); conf.put(CrossOriginFilter.ALLOWED_ORIGINS, ""); FilterConfig filterConfig = new FilterConfigTest(conf); // Origin is not specified for same origin requests HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class); Mockito.when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn(null); // Objects to verify interactions based on request HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class); FilterChain mockChain = Mockito.mock(FilterChain.class); // Object under test CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); filter.doFilter(mockReq, mockRes, mockChain); Mockito.verifyZeroInteractions(mockRes); Mockito.verify(mockChain).doFilter(mockReq, mockRes); }
@Test public void testEncodeHeaders() { String validOrigin = "http://localhost:12345"; String encodedValidOrigin = CrossOriginFilter.encodeHeader(validOrigin); Assert.assertEquals("Valid origin encoding should match exactly", validOrigin, encodedValidOrigin); String httpResponseSplitOrigin = validOrigin + " \nSecondHeader: value"; String encodedResponseSplitOrigin = CrossOriginFilter.encodeHeader(httpResponseSplitOrigin); Assert.assertEquals("Http response split origin should be protected against", validOrigin, encodedResponseSplitOrigin); // Test Origin List String validOriginList = "http://foo.example.com:12345 http://bar.example.com:12345"; String encodedValidOriginList = CrossOriginFilter .encodeHeader(validOriginList); Assert.assertEquals("Valid origin list encoding should match exactly", validOriginList, encodedValidOriginList); }
@Test public void testPatternMatchingOrigins() throws ServletException, IOException { // Setup the configuration settings of the server Map<String, String> conf = new HashMap<String, String>(); conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "*.example.com"); FilterConfig filterConfig = new FilterConfigTest(conf); // Object under test CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); // match multiple sub-domains Assert.assertFalse(filter.areOriginsAllowed("example.com")); Assert.assertFalse(filter.areOriginsAllowed("foo:example.com")); Assert.assertTrue(filter.areOriginsAllowed("foo.example.com")); Assert.assertTrue(filter.areOriginsAllowed("foo.bar.example.com")); // First origin is allowed Assert.assertTrue(filter.areOriginsAllowed("foo.example.com foo.nomatch.com")); // Second origin is allowed Assert.assertTrue(filter.areOriginsAllowed("foo.nomatch.com foo.example.com")); // No origin in list is allowed Assert.assertFalse(filter.areOriginsAllowed("foo.nomatch1.com foo.nomatch2.com")); }
@Test public void testDisallowedOrigin() throws ServletException, IOException { // Setup the configuration settings of the server Map<String, String> conf = new HashMap<String, String>(); conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com"); FilterConfig filterConfig = new FilterConfigTest(conf); // Origin is not specified for same origin requests HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class); Mockito.when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.org"); // Objects to verify interactions based on request HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class); FilterChain mockChain = Mockito.mock(FilterChain.class); // Object under test CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); filter.doFilter(mockReq, mockRes, mockChain); Mockito.verifyZeroInteractions(mockRes); Mockito.verify(mockChain).doFilter(mockReq, mockRes); }
@Override public void initFilter(FilterContainer container, Configuration conf) { String key = getEnabledConfigKey(); boolean enabled = conf.getBoolean(key, false); if (enabled) { container.addGlobalFilter("Cross Origin Filter", CrossOriginFilter.class.getName(), getFilterParameters(conf, getPrefix())); } else { LOG.info("CORS filter not enabled. Please set " + key + " to 'true' to enable it"); } }
@Test public void testAllowAllOrigins() throws ServletException, IOException { // Setup the configuration settings of the server Map<String, String> conf = new HashMap<String, String>(); conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "*"); FilterConfig filterConfig = new FilterConfigTest(conf); // Object under test CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); Assert.assertTrue(filter.areOriginsAllowed("example.com")); }
@Test public void testDisallowedMethod() throws ServletException, IOException { // Setup the configuration settings of the server Map<String, String> conf = new HashMap<String, String>(); conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com"); FilterConfig filterConfig = new FilterConfigTest(conf); // Origin is not specified for same origin requests HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class); Mockito.when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.com"); Mockito.when( mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_METHOD)) .thenReturn("DISALLOWED_METHOD"); // Objects to verify interactions based on request HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class); FilterChain mockChain = Mockito.mock(FilterChain.class); // Object under test CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); filter.doFilter(mockReq, mockRes, mockChain); Mockito.verifyZeroInteractions(mockRes); Mockito.verify(mockChain).doFilter(mockReq, mockRes); }
@Test public void testDisallowedHeader() throws ServletException, IOException { // Setup the configuration settings of the server Map<String, String> conf = new HashMap<String, String>(); conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com"); FilterConfig filterConfig = new FilterConfigTest(conf); // Origin is not specified for same origin requests HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class); Mockito.when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.com"); Mockito.when( mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_METHOD)) .thenReturn("GET"); Mockito.when( mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_HEADERS)) .thenReturn("Disallowed-Header"); // Objects to verify interactions based on request HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class); FilterChain mockChain = Mockito.mock(FilterChain.class); // Object under test CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); filter.doFilter(mockReq, mockRes, mockChain); Mockito.verifyZeroInteractions(mockRes); Mockito.verify(mockChain).doFilter(mockReq, mockRes); }
@Test public void testCrossOriginFilter() throws ServletException, IOException { // Setup the configuration settings of the server Map<String, String> conf = new HashMap<String, String>(); conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com"); FilterConfig filterConfig = new FilterConfigTest(conf); // Origin is not specified for same origin requests HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class); Mockito.when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.com"); Mockito.when( mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_METHOD)) .thenReturn("GET"); Mockito.when( mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_HEADERS)) .thenReturn("X-Requested-With"); // Objects to verify interactions based on request HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class); FilterChain mockChain = Mockito.mock(FilterChain.class); // Object under test CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); filter.doFilter(mockReq, mockRes, mockChain); Mockito.verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_ORIGIN, "example.com"); Mockito.verify(mockRes).setHeader( CrossOriginFilter.ACCESS_CONTROL_ALLOW_CREDENTIALS, Boolean.TRUE.toString()); Mockito.verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_METHODS, filter.getAllowedMethodsHeader()); Mockito.verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_HEADERS, filter.getAllowedHeadersHeader()); Mockito.verify(mockChain).doFilter(mockReq, mockRes); }
@Override public void initFilter(FilterContainer container, Configuration conf) { // setup the filter // use the keys with "yarn.timeline-service.http-cross-origin" prefix to // override the ones with the "hadoop.http.cross-origin" prefix. Map<String, String> filterParameters = getFilterParameters(conf, HttpCrossOriginFilterInitializer.PREFIX); filterParameters.putAll(getFilterParameters(conf, getPrefix())); container.addGlobalFilter("Cross Origin Filter", CrossOriginFilter.class.getName(), filterParameters); }
@Test public void testCrossOriginFilterAfterRestart() throws ServletException { // Setup the configuration settings of the server Map<String, String> conf = new HashMap<String, String>(); conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com"); conf.put(CrossOriginFilter.ALLOWED_HEADERS, "X-Requested-With,Accept"); conf.put(CrossOriginFilter.ALLOWED_METHODS, "GET,POST"); FilterConfig filterConfig = new FilterConfigTest(conf); // Object under test CrossOriginFilter filter = new CrossOriginFilter(); filter.init(filterConfig); //verify filter values Assert.assertTrue("Allowed headers do not match", filter.getAllowedHeadersHeader() .compareTo("X-Requested-With,Accept") == 0); Assert.assertTrue("Allowed methods do not match", filter.getAllowedMethodsHeader() .compareTo("GET,POST") == 0); Assert.assertTrue(filter.areOriginsAllowed("example.com")); //destroy filter values and clear conf filter.destroy(); conf.clear(); // Setup the configuration settings of the server conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "newexample.com"); conf.put(CrossOriginFilter.ALLOWED_HEADERS, "Content-Type,Origin"); conf.put(CrossOriginFilter.ALLOWED_METHODS, "GET,HEAD"); filterConfig = new FilterConfigTest(conf); //initialize filter filter.init(filterConfig); //verify filter values Assert.assertTrue("Allowed headers do not match", filter.getAllowedHeadersHeader() .compareTo("Content-Type,Origin") == 0); Assert.assertTrue("Allowed methods do not match", filter.getAllowedMethodsHeader() .compareTo("GET,HEAD") == 0); Assert.assertTrue(filter.areOriginsAllowed("newexample.com")); //destroy filter values filter.destroy(); }
