pillar/tests/test_auth/test_cors.py

from pillar.tests import AbstractPillarTest

import flask
import werkzeug.wrappers as wz_wrappers
import werkzeug.exceptions as wz_exceptions


class CorsWrapperTest(AbstractPillarTest):
    def test_noncors_request(self):
        from pillar.auth.cors import allow

        @allow()
        def wrapped(a, b):
            return f'{a} and {b}'

        with self.app.test_request_context():
            resp = wrapped('x', 'y')

        self.assertEqual('x and y', resp, 'Non-CORS request should not be modified')

    def test_string_response(self):
        from pillar.auth.cors import allow

        @allow()
        def wrapped(a, b):
            return f'{a} and {b}'

        with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):
            resp = wrapped('x', 'y')

        self.assertIsInstance(resp, wz_wrappers.Response)
        self.assertEqual(b'x and y', resp.data)
        self.assertEqual(200, resp.status_code)

        self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])
        self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])
        self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)

    def test_string_with_code_response(self):
        from pillar.auth.cors import allow

        @allow()
        def wrapped(a, b):
            return f'{a} and {b}', 403

        with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):
            resp = wrapped('x', 'y')

        self.assertIsInstance(resp, wz_wrappers.Response)
        self.assertEqual(b'x and y', resp.data)
        self.assertEqual(403, resp.status_code)

        self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])
        self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])
        self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)

    def test_flask_response_object(self):
        from pillar.auth.cors import allow

        @allow()
        def wrapped(a, b):
            return flask.Response(f'{a} and {b}', status=147, headers={'op-je': 'hoofd'})

        with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):
            resp = wrapped('x', 'y')

        self.assertIsInstance(resp, wz_wrappers.Response)
        self.assertEqual(b'x and y', resp.data)
        self.assertEqual(147, resp.status_code)
        self.assertEqual('hoofd', resp.headers['Op-Je'])

        self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])
        self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])
        self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)

    def test_wz_exception(self):
        from pillar.auth.cors import allow

        @allow()
        def wrapped(a, b):
            raise wz_exceptions.NotImplemented('nee')

        with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):
            resp = wrapped('x', 'y')

        self.assertIsInstance(resp, wz_wrappers.Response)
        self.assertIn(b'nee', resp.data)
        self.assertEqual(501, resp.status_code)

        self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])
        self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])
        self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)

    def test_flask_abort(self):
        from pillar.auth.cors import allow

        @allow()
        def wrapped(a, b):
            raise flask.abort(401)

        with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):
            resp = wrapped('x', 'y')

        self.assertIsInstance(resp, wz_wrappers.Response)
        self.assertEqual(401, resp.status_code)

        self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])
        self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])
        self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)

    def test_with_credentials(self):
        from pillar.auth.cors import allow

        @allow(allow_credentials=True)
        def wrapped(a, b):
            return f'{a} and {b}'

        with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):
            resp = wrapped('x', 'y')

        self.assertIsInstance(resp, wz_wrappers.Response)
        self.assertEqual(b'x and y', resp.data)
        self.assertEqual(200, resp.status_code)

        self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])
        self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])
        self.assertEqual('true', resp.headers['Access-Control-Allow-Credentials'])
Added pillar.auth.cors.allow() decorator Use this decorator on Flask endpoints that should respond with CORS headers. These headers are sent in a reply when the browser sends an `Origin` request header; for more info see [1]. This commit rolls back the previous commit (0ee1d0d3), as this new approach with a separate decorator is both easier to use and less error-prone. [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS 2019-03-19 10:55:15 +01:00			`from pillar.tests import AbstractPillarTest`

			`import flask`
			`import werkzeug.wrappers as wz_wrappers`
			`import werkzeug.exceptions as wz_exceptions`


			`class CorsWrapperTest(AbstractPillarTest):`
			`def test_noncors_request(self):`
			`from pillar.auth.cors import allow`

			`@allow()`
			`def wrapped(a, b):`
			`return f'{a} and {b}'`

			`with self.app.test_request_context():`
			`resp = wrapped('x', 'y')`

			`self.assertEqual('x and y', resp, 'Non-CORS request should not be modified')`

			`def test_string_response(self):`
			`from pillar.auth.cors import allow`

			`@allow()`
			`def wrapped(a, b):`
			`return f'{a} and {b}'`

			`with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):`
			`resp = wrapped('x', 'y')`

			`self.assertIsInstance(resp, wz_wrappers.Response)`
			`self.assertEqual(b'x and y', resp.data)`
			`self.assertEqual(200, resp.status_code)`

			`self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])`
			`self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])`
			`self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)`

			`def test_string_with_code_response(self):`
			`from pillar.auth.cors import allow`

			`@allow()`
			`def wrapped(a, b):`
			`return f'{a} and {b}', 403`

			`with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):`
			`resp = wrapped('x', 'y')`

			`self.assertIsInstance(resp, wz_wrappers.Response)`
			`self.assertEqual(b'x and y', resp.data)`
			`self.assertEqual(403, resp.status_code)`

			`self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])`
			`self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])`
			`self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)`

			`def test_flask_response_object(self):`
			`from pillar.auth.cors import allow`

			`@allow()`
			`def wrapped(a, b):`
			`return flask.Response(f'{a} and {b}', status=147, headers={'op-je': 'hoofd'})`

			`with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):`
			`resp = wrapped('x', 'y')`

			`self.assertIsInstance(resp, wz_wrappers.Response)`
			`self.assertEqual(b'x and y', resp.data)`
			`self.assertEqual(147, resp.status_code)`
			`self.assertEqual('hoofd', resp.headers['Op-Je'])`

			`self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])`
			`self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])`
			`self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)`

			`def test_wz_exception(self):`
			`from pillar.auth.cors import allow`

			`@allow()`
			`def wrapped(a, b):`
			`raise wz_exceptions.NotImplemented('nee')`

			`with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):`
			`resp = wrapped('x', 'y')`

			`self.assertIsInstance(resp, wz_wrappers.Response)`
			`self.assertIn(b'nee', resp.data)`
			`self.assertEqual(501, resp.status_code)`

			`self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])`
			`self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])`
			`self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)`

			`def test_flask_abort(self):`
			`from pillar.auth.cors import allow`

			`@allow()`
			`def wrapped(a, b):`
			`raise flask.abort(401)`

			`with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):`
			`resp = wrapped('x', 'y')`

			`self.assertIsInstance(resp, wz_wrappers.Response)`
			`self.assertEqual(401, resp.status_code)`

			`self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])`
			`self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])`
			`self.assertNotIn('Access-Control-Allow-Credentials', resp.headers)`

			`def test_with_credentials(self):`
			`from pillar.auth.cors import allow`

			`@allow(allow_credentials=True)`
			`def wrapped(a, b):`
			`return f'{a} and {b}'`

			`with self.app.test_request_context(headers={'Origin': 'http://jemoeder.nl:1234/'}):`
			`resp = wrapped('x', 'y')`

			`self.assertIsInstance(resp, wz_wrappers.Response)`
			`self.assertEqual(b'x and y', resp.data)`
			`self.assertEqual(200, resp.status_code)`

			`self.assertEqual('http://jemoeder.nl:1234/', resp.headers['Access-Control-Allow-Origin'])`
			`self.assertEqual('x-requested-with', resp.headers['Access-Control-Allow-Headers'])`
			`self.assertEqual('true', resp.headers['Access-Control-Allow-Credentials'])`