156 lines
5.4 KiB
Lua
156 lines
5.4 KiB
Lua
local helpers = require "spec.helpers"
|
|
|
|
describe("Admin API - CORS -", function()
|
|
for _, admin_gui_url in ipairs({ "", "http://admin.api:9100", "http://admin.api:9100/path/to/any/way" }) do
|
|
describe('when |admin_gui_url| is "' .. admin_gui_url .. '",', function ()
|
|
|
|
local client
|
|
|
|
lazy_setup(function()
|
|
assert(helpers.start_kong({
|
|
database = "off",
|
|
admin_gui_listen = "127.0.0.1:9002",
|
|
admin_gui_url = admin_gui_url,
|
|
}))
|
|
|
|
client = helpers.admin_client()
|
|
end)
|
|
|
|
teardown(function()
|
|
if client then
|
|
client:close()
|
|
end
|
|
helpers.stop_kong()
|
|
end)
|
|
|
|
describe("Pre-flight request", function ()
|
|
it("should return different allow-methods for specific route", function ()
|
|
local res
|
|
|
|
res = assert(client:send {
|
|
method = "OPTIONS",
|
|
path = "/"
|
|
})
|
|
|
|
assert.res_status(204, res)
|
|
assert.equal("GET, HEAD, OPTIONS", res.headers["Allow"])
|
|
assert.equal("GET, HEAD, OPTIONS", res.headers["Access-Control-Allow-Methods"])
|
|
|
|
res = assert(client:send {
|
|
method = "OPTIONS",
|
|
path = "/routes"
|
|
})
|
|
|
|
assert.res_status(204, res)
|
|
assert.equal("GET, HEAD, OPTIONS, POST", res.headers["Allow"])
|
|
assert.equal("GET, HEAD, OPTIONS, POST", res.headers["Access-Control-Allow-Methods"])
|
|
|
|
res = assert(client:send {
|
|
method = "OPTIONS",
|
|
path = "/routes/test"
|
|
})
|
|
|
|
assert.res_status(204, res)
|
|
assert.equal("DELETE, GET, HEAD, OPTIONS, PATCH, PUT", res.headers["Allow"])
|
|
assert.equal("DELETE, GET, HEAD, OPTIONS, PATCH, PUT", res.headers["Access-Control-Allow-Methods"])
|
|
end)
|
|
|
|
it("should allow headers from the request", function ()
|
|
local res, err = client:send({
|
|
path = "/",
|
|
method = "OPTIONS",
|
|
headers = {}
|
|
})
|
|
assert.is_nil(err)
|
|
assert.res_status(204, res)
|
|
assert.equal("Content-Type", res.headers["Access-Control-Allow-Headers"])
|
|
|
|
local res, err = client:send({
|
|
path = "/",
|
|
method = "OPTIONS",
|
|
headers = {
|
|
["Access-Control-Request-Headers"] = "X-Header-1,X-Header-2",
|
|
}
|
|
})
|
|
assert.is_nil(err)
|
|
assert.res_status(204, res)
|
|
assert.equal("X-Header-1,X-Header-2", res.headers["Access-Control-Allow-Headers"])
|
|
end)
|
|
|
|
it("should return the correct |AC-Allow-Origin| header when \"Origin\" is present in request headers", function ()
|
|
local res, err = client:send({
|
|
path = "/",
|
|
method = "OPTIONS",
|
|
headers = {
|
|
["Origin"] = "http://example.com",
|
|
}
|
|
})
|
|
local expected_allow_origin = admin_gui_url ~= "" and "http://admin.api:9100" or "http://example.com"
|
|
|
|
assert.is_nil(err)
|
|
assert.res_status(204, res)
|
|
assert.equal(expected_allow_origin, res.headers["Access-Control-Allow-Origin"])
|
|
end)
|
|
|
|
it("should return the correct |AC-Allow-Origin| header when \"Origin\" is absent in request headers", function ()
|
|
local res, err = client:send({
|
|
path = "/",
|
|
method = "OPTIONS",
|
|
headers = {}
|
|
})
|
|
local expected_allow_origin = admin_gui_url ~= "" and "http://admin.api:9100" or "*"
|
|
|
|
assert.is_nil(err)
|
|
assert.res_status(204, res)
|
|
assert.equal(expected_allow_origin, res.headers["Access-Control-Allow-Origin"])
|
|
end)
|
|
end)
|
|
|
|
describe("Main request", function ()
|
|
it("should not respond to |AC-Request-Method| or |AC-Request-Headers| headers", function ()
|
|
local res, err = client:send({
|
|
path = "/",
|
|
method = "GET",
|
|
headers = {
|
|
["Access-Control-Request-Method"] = "PATCH",
|
|
["Access-Control-Request-Headers"] = "X-Header-1,X-Header-2",
|
|
}
|
|
})
|
|
assert.is_nil(err)
|
|
assert.res_status(200, res)
|
|
assert.equal(nil, res.headers["Access-Control-Allow-Methods"])
|
|
assert.equal(nil, res.headers["Access-Control-Allow-Headers"])
|
|
end)
|
|
|
|
it("should return the correct |AC-Allow-Origin| header when \"Origin\" is present in request headers", function ()
|
|
local res, err = client:send({
|
|
path = "/",
|
|
method = "GET",
|
|
headers = {
|
|
["Origin"] = "http://example.com",
|
|
}
|
|
})
|
|
local expected_allow_origin = admin_gui_url ~= "" and "http://admin.api:9100" or "http://example.com"
|
|
|
|
assert.is_nil(err)
|
|
assert.res_status(200, res)
|
|
assert.equal(expected_allow_origin, res.headers["Access-Control-Allow-Origin"])
|
|
end)
|
|
|
|
it("should return the correct |AC-Allow-Origin| header when \"Origin\" is absent in request headers", function ()
|
|
local res, err = client:send({
|
|
path = "/",
|
|
method = "GET",
|
|
headers = {}
|
|
})
|
|
local expected_allow_origin = admin_gui_url ~= "" and "http://admin.api:9100" or "*"
|
|
|
|
assert.is_nil(err)
|
|
assert.res_status(200, res)
|
|
assert.equal(expected_allow_origin, res.headers["Access-Control-Allow-Origin"])
|
|
end)
|
|
end)
|
|
end)
|
|
end
|
|
end)
|