Mercurial > hg > isophonics-drupal-site

comparison core/tests/Drupal/FunctionalTests/HttpKernel/CorsIntegrationTest.php @ 0:4c8ae668cc8c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Initial import (non-working)
author Chris Cannam
date Wed, 29 Nov 2017 16:09:58 +0000
parents
children 129ea1e6d783
comparison
equal deleted inserted replaced
-1:000000000000 0:4c8ae668cc8c
1 <?php
2
3 namespace Drupal\FunctionalTests\HttpKernel;
4
5 use Drupal\Core\Url;
6 use Drupal\Tests\BrowserTestBase;
7
8 /**
9 * Tests CORS provided by Drupal.
10 *
11 * @see sites/default/default.services.yml
12 * @see \Asm89\Stack\Cors
13 * @see \Asm89\Stack\CorsService
14 *
15 * @group Http
16 */
17 class CorsIntegrationTest extends BrowserTestBase {
18
19 /**
20 * {@inheritdoc}
21 */
22 public static $modules = ['system', 'test_page_test', 'page_cache'];
23
24 public function testCrossSiteRequest() {
25 // Test default parameters.
26 $cors_config = $this->container->getParameter('cors.config');
27 $this->assertSame(FALSE, $cors_config['enabled']);
28 $this->assertSame([], $cors_config['allowedHeaders']);
29 $this->assertSame([], $cors_config['allowedMethods']);
30 $this->assertSame(['*'], $cors_config['allowedOrigins']);
31
32 $this->assertSame(FALSE, $cors_config['exposedHeaders']);
33 $this->assertSame(FALSE, $cors_config['maxAge']);
34 $this->assertSame(FALSE, $cors_config['supportsCredentials']);
35
36 // Enable CORS with the default options.
37 $cors_config['enabled'] = TRUE;
38
39 $this->setContainerParameter('cors.config', $cors_config);
40 $this->rebuildContainer();
41
42 // Fire off a request.
43 $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
44 $this->assertSession()->statusCodeEquals(200);
45 $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'MISS');
46 $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
47
48 // Fire the same exact request. This time it should be cached.
49 $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
50 $this->assertSession()->statusCodeEquals(200);
51 $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT');
52 $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
53
54 // Fire a request for a different origin. Verify the CORS header.
55 $this->drupalGet('/test-page', [], ['Origin' => 'http://example.org']);
56 $this->assertSession()->statusCodeEquals(200);
57 $this->assertSession()->responseHeaderEquals('X-Drupal-Cache', 'HIT');
58 $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.org');
59
60 // Configure the CORS stack to allow a specific set of origins.
61 $cors_config['allowedOrigins'] = ['http://example.com'];
62
63 $this->setContainerParameter('cors.config', $cors_config);
64 $this->rebuildContainer();
65
66 // Fire a request from an origin that isn't allowed.
67 /** @var \Symfony\Component\HttpFoundation\Response $response */
68 $this->drupalGet('/test-page', [], ['Origin' => 'http://non-valid.com']);
69 $this->assertSession()->statusCodeEquals(403);
70 $this->assertSession()->pageTextContains('Not allowed.');
71
72 // Specify a valid origin.
73 $this->drupalGet('/test-page', [], ['Origin' => 'http://example.com']);
74 $this->assertSession()->statusCodeEquals(200);
75 $this->assertSession()->responseHeaderEquals('Access-Control-Allow-Origin', 'http://example.com');
76
77 // Verify POST still functions with 'Origin' header set to site's domain.
78 $origin = \Drupal::request()->getSchemeAndHttpHost();
79
80 /** @var \GuzzleHttp\ClientInterface $httpClient */
81 $httpClient = $this->getSession()->getDriver()->getClient()->getClient();
82 $url = Url::fromUri('base:/test-page');
83 $response = $httpClient->request('POST', $url->setAbsolute()->toString(), [
84 'headers' => [
85 'Origin' => $origin,
86 ]
87 ]);
88 $this->assertEquals(200, $response->getStatusCode());
89 }
90
91 }