Merge pull request #710 from RakhithaRR/cors-it

Krishanx92 · web-flow · commit 1730742b791e · 2026-01-20T18:23:39.000+05:30
Add integration tests for CORS policy
diff --git a/gateway/it/features/cors.feature b/gateway/it/features/cors.feature
@@ -0,0 +1,122 @@
+# --------------------------------------------------------------------
+# Copyright (c) 2026, WSO2 LLC. (https://www.wso2.com).
+#
+# WSO2 LLC. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# --------------------------------------------------------------------
+
+@cors
+Feature: CORS Policy
+  As an API developer
+  I want to configure CORS policies on my API
+  So that cross-origin requests are correctly allowed and preflighted
+
+  Background:
+    Given the gateway services are running
+
+  Scenario: Preflight request allows configured origin, methods, and headers
+    Given I authenticate using basic auth as "admin"
+    When I deploy this API configuration:
+      """
+      apiVersion: gateway.api-platform.wso2.com/v1alpha1
+      kind: RestApi
+      metadata:
+        name: cors-preflight-api
+      spec:
+        displayName: CORS Preflight API
+        version: v1.0
+        context: /cors-preflight/$version
+        upstream:
+          main:
+            url: http://sample-backend:9080/api/v1
+        policies:
+          - name: cors
+            version: v0.1.0
+            params:
+              allowedOrigins:
+                - "http://example.com"
+                - '^https://[^.]+\.example\.com$'
+                - "http://localhost:5000"
+              allowedMethods:
+                - "GET"
+                - "POST"
+              allowedHeaders:
+                - "Content-Type"
+              exposedHeaders:
+                - X-Content-Type-Options
+        operations:
+          - method: GET
+            path: /{country_code}/{city}
+          - method: GET
+            path: /alerts/active
+          - method: OPTIONS
+            path: /{country_code}/{city}
+      """
+    Then the response should be successful
+    And I wait for the endpoint "http://localhost:8080/cors-preflight/v1.0/us/seattle" to be ready
+
+    When I set header "Origin" to "http://example.com"
+    And I set header "Access-Control-Request-Method" to "POST"
+    And I set header "Access-Control-Request-Headers" to "Content-Type"
+    And I send an OPTIONS request to "http://localhost:8080/cors-preflight/v1.0/us/seattle"
+    Then the response status code should be 204
+    And the response header "Access-Control-Allow-Origin" should be "http://example.com"
+    And the response header "Access-Control-Allow-Methods" should contain "GET"
+    And the response header "Access-Control-Allow-Methods" should contain "POST"
+    And the response header "Access-Control-Allow-Headers" should contain "Content-Type"
+
+  Scenario: Preflight request allows configured origin based on regex
+    When I set header "Origin" to "https://app.example.com"
+    And I set header "Access-Control-Request-Method" to "GET"
+    And I set header "Access-Control-Request-Headers" to "Content-Type"
+    And I send an OPTIONS request to "http://localhost:8080/cors-preflight/v1.0/us/seattle"
+    Then the response status code should be 204
+    And the response header "Access-Control-Allow-Origin" should be "https://app.example.com"
+    And the response header "Access-Control-Allow-Methods" should contain "GET"
+    And the response header "Access-Control-Allow-Methods" should contain "POST"
+    And the response header "Access-Control-Allow-Headers" should contain "Content-Type"
+
+  Scenario: Preflight request fails for disallowed origin
+    When I set header "Origin" to "http://evil.com"
+    And I set header "Access-Control-Request-Method" to "GET"
+    And I set header "Access-Control-Request-Headers" to "Content-Type"
+    And I send an OPTIONS request to "http://localhost:8080/cors-preflight/v1.0/us/seattle"
+    Then the response status code should be 204
+    And the response header "Access-Control-Allow-Origin" should not exist
+    And the response header "Access-Control-Allow-Methods" should not exist
+    And the response header "Access-Control-Allow-Headers" should not exist
+
+  Scenario: Preflight request fails for disallowed method
+    When I set header "Origin" to "http://example.com"
+    And I set header "Access-Control-Request-Method" to "PUT"
+    And I set header "Access-Control-Request-Headers" to "Content-Type"
+    And I send an OPTIONS request to "http://localhost:8080/cors-preflight/v1.0/us/seattle"
+    Then the response status code should be 204
+    And the response header "Access-Control-Allow-Origin" should not exist
+    And the response header "Access-Control-Allow-Methods" should not exist
+    And the response header "Access-Control-Allow-Headers" should not exist
+  
+  Scenario: Preflight request fails for disallowed header
+    When I set header "Origin" to "http://example.com"
+    And I set header "Access-Control-Request-Method" to "GET"
+    And I set header "Access-Control-Request-Headers" to "Authorization"
+    And I send an OPTIONS request to "http://localhost:8080/cors-preflight/v1.0/us/seattle"
+    Then the response status code should be 204
+    And the response header "Access-Control-Allow-Origin" should not exist
+    And the response header "Access-Control-Allow-Methods" should not exist
+    And the response header "Access-Control-Allow-Headers" should not exist
+
+    Given I authenticate using basic auth as "admin"
+    When I delete the API "cors-preflight-api"
+    Then the response should be successful
diff --git a/gateway/it/steps/http_steps.go b/gateway/it/steps/http_steps.go
@@ -67,6 +67,7 @@ func (h *HTTPSteps) Register(ctx *godog.ScenarioContext) {
 	ctx.Step(`^I send a PUT request to \"([^\"]*)\" with body:$`, h.ISendPUTRequestWithBody)
 	ctx.Step(`^I send a DELETE request to \"([^\"]*)\"$`, h.ISendDELETERequest)
 	ctx.Step(`^I send a PATCH request to \"([^\"]*)\" with body:$`, h.ISendPATCHRequestWithBody)
+	ctx.Step(`^I send an OPTIONS request to \"([^\"]*)\"$`, h.ISendOPTIONSRequest)
 	ctx.Step(`^I send (\d+) GET requests to \"([^\"]*)\"$`, h.ISendManyGETRequests)
 	ctx.Step(`^I send a GET request to \"([^\"]*)\" with header \"([^\"]*)\" value \"([^\"]*)\"$`, h.iSendGETRequestWithHeader)
 	ctx.Step(`^I send (\d+) GET requests to \"([^\"]*)\" with header \"([^\"]*)\" value \"([^\"]*)\"$`, h.iSendManyGETRequestsWithHeader)
@@ -190,6 +191,11 @@ func (h *HTTPSteps) ISendPATCHRequestWithBody(url string, body *godog.DocString)
 	return h.sendRequest(http.MethodPatch, url, []byte(body.Content))
 }
 
+// ISendOPTIONSRequest sends an OPTIONS request
+func (h *HTTPSteps) ISendOPTIONSRequest(url string) error {
+	return h.sendRequest(http.MethodOptions, url, nil)
+}
+
 // iSendManyGETRequests sends multiple GET requests
 func (h *HTTPSteps) ISendManyGETRequests(count int, url string) error {
 	log.Printf("DEBUG: Sending %d GET requests to %s", count, url)
diff --git a/gateway/it/suite_test.go b/gateway/it/suite_test.go
@@ -79,6 +79,7 @@ func TestFeatures(t *testing.T) {
 				"features/ratelimit.feature",
 				"features/basic-ratelimit.feature",
 				"features/jwt-auth.feature",
+				"features/cors.feature",
 			},
 			TestingT: t,
 		},
