Fix CORS auth, additional tests

rogerdahl · rogerdahl · commit 7575d59efa80 · 2018-11-19T20:39:47.000-07:00
diff --git a/gmn/src/d1_gmn/app/middleware/request_handler.py b/gmn/src/d1_gmn/app/middleware/request_handler.py
@@ -54,7 +54,7 @@ def __call__(self, request):
         hasattr(request, 'allowed_method_list')
     ):
       d1_gmn.app.views.headers.add_cors_headers_to_response(
-        response, request.allowed_method_list
+        response, request
       )
 
     return response
diff --git a/gmn/src/d1_gmn/app/middleware/view_handler.py b/gmn/src/d1_gmn/app/middleware/view_handler.py
@@ -143,6 +143,6 @@ def pem_in_http_header_to_pem_in_string(self, header_str):
   def create_cors_options_response(self, request):
     response = django.http.HttpResponse(b'Header response to OPTIONS request')
     d1_gmn.app.views.headers.add_cors_headers_to_response(
-      response, request.allowed_method_list
+      response, request
     )
     return response
diff --git a/gmn/src/d1_gmn/app/views/headers.py b/gmn/src/d1_gmn/app/views/headers.py
@@ -78,15 +78,15 @@ def add_http_date_header_to_response(response, date_time=None):
   )
 
 
-def add_cors_headers_to_response(response, method_list):
+def add_cors_headers_to_response(response, request):
   """Add Cross-Origin Resource Sharing (CORS) headers to response
   - {method_list} is a list of HTTP methods that are allowed for the endpoint
   that was called. It should not include "OPTIONS", which is included
   automatically since it's allowed for all endpoints.
   """
-  opt_method_list = ','.join(method_list + ['OPTIONS'])
+  opt_method_list = ','.join(request.allowed_method_list + ['OPTIONS'])
   response['Allow'] = opt_method_list
   response['Access-Control-Allow-Methods'] = opt_method_list
-  response['Access-Control-Allow-Origin'] = '*'
+  response['Access-Control-Allow-Origin'] = request.META.get('Origin', '*')
   response['Access-Control-Allow-Headers'] = 'Authorization'
   response['Access-Control-Allow-Credentials'] = 'true'
diff --git a/gmn/src/d1_gmn/tests/test_cors.py b/gmn/src/d1_gmn/tests/test_cors.py
@@ -19,17 +19,19 @@
 # limitations under the License.
 """Test Cross-Origin Resource Sharing (CORS) Headers
 """
+import d1_common
 import freezegun
 import responses
 
 import d1_gmn.tests.gmn_mock
 import d1_gmn.tests.gmn_test_case
 
 import d1_test.d1_test_case
+import d1_common.const
 
 
 @d1_test.d1_test_case.reproducible_random_decorator('TestCors')
-@freezegun.freeze_time('1961-01-02')
+@freezegun.freeze_time('1981-01-02')
 class TestCors(d1_gmn.tests.gmn_test_case.GMNTestCase):
   @responses.activate
   def test_1000(self, gmn_client_v1_v2):
@@ -81,6 +83,16 @@ def test_1050(self, gmn_client_v1_v2):
       response = gmn_client_v1_v2.OPTIONS(['object', pid])
     self.sample.assert_equals(response, 'get_options', gmn_client_v1_v2)
 
+
+  @responses.activate
+  def test_1051(self, gmn_client_v2):
+    """getPackage(): OPTIONS request returns expected headers"""
+    pid_list = self.create_multiple_objects(gmn_client_v2, object_count=2)
+    ore_pid = self.create_resource_map(gmn_client_v2, pid_list)
+    response = gmn_client_v2.OPTIONS(['packages', d1_common.const.DEFAULT_DATA_PACKAGE_FORMAT_ID, ore_pid])
+    self.sample.assert_equals(response, 'get_package_options', gmn_client_v2)
+
+
   @responses.activate
   def test_1060(self, gmn_client_v1_v2):
     """Invalid method against endpoint raises 405 Method Not Allowed and returns
@@ -89,3 +101,26 @@ def test_1060(self, gmn_client_v1_v2):
     with d1_gmn.tests.gmn_mock.disable_auth():
       response = gmn_client_v1_v2.PUT(['object'])
     self.sample.assert_equals(response, 'put_object_list', gmn_client_v1_v2)
+
+
+  @responses.activate
+  def test_1061(self, gmn_client_v1_v2):
+    """get(): WITHOUT Origin header sets Access-Control-Allow-Origin to wildcard
+    """
+    pid, sid, sciobj_bytes, sysmeta_pyxb = self.create_obj(gmn_client_v1_v2)
+    with d1_gmn.tests.gmn_mock.disable_auth():
+      response = gmn_client_v1_v2.get(pid)
+    self.sample.assert_equals(response.headers, 'get_without_origin', gmn_client_v1_v2)
+    assert response.headers['Access-Control-Allow-Origin'] == '*'
+
+
+  @responses.activate
+  def test_1062(self, gmn_client_v1_v2):
+    """get(): WITH Origin header sets Access-Control-Allow-Origin to the Origin
+    """
+    pid, sid, sciobj_bytes, sysmeta_pyxb = self.create_obj(gmn_client_v1_v2)
+    origin_url = 'https://somewhere.com'
+    with d1_gmn.tests.gmn_mock.disable_auth():
+      response = gmn_client_v1_v2.get(pid, vendorSpecific={'Origin': origin_url})
+    self.sample.assert_equals(response.headers, 'get_with_origin', gmn_client_v1_v2)
+    assert response.headers['Access-Control-Allow-Origin'] == origin_url

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ def __call__(self, request):`
`54`	`54`	`hasattr(request, 'allowed_method_list')`
`55`	`55`	`):`
`56`	`56`	`d1_gmn.app.views.headers.add_cors_headers_to_response(`
`57`		`- response, request.allowed_method_list`
	`57`	`+ response, request`
`58`	`58`	`)`
`59`	`59`
`60`	`60`	`return response`
Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,6 @@ def pem_in_http_header_to_pem_in_string(self, header_str):`
`143`	`143`	`def create_cors_options_response(self, request):`
`144`	`144`	`response = django.http.HttpResponse(b'Header response to OPTIONS request')`
`145`	`145`	`d1_gmn.app.views.headers.add_cors_headers_to_response(`
`146`		`- response, request.allowed_method_list`
	`146`	`+ response, request`
`147`	`147`	`)`
`148`	`148`	`return response`