164 lines
4.6 KiB
Go
164 lines
4.6 KiB
Go
|
// Copyright 2019 The go-ethereum Authors
|
||
|
// This file is part of the go-ethereum library.
|
||
|
//
|
||
|
// The go-ethereum library is free software: you can redistribute it and/or modify
|
||
|
// it under the terms of the GNU Lesser General Public License as published by
|
||
|
// the Free Software Foundation, either version 3 of the License, or
|
||
|
// (at your option) any later version.
|
||
|
//
|
||
|
// The go-ethereum library is distributed in the hope that it will be useful,
|
||
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
|
// GNU Lesser General Public License for more details.
|
||
|
//
|
||
|
// You should have received a copy of the GNU Lesser General Public License
|
||
|
// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
|
||
|
|
||
|
package explorer
|
||
|
|
||
|
import (
|
||
|
"fmt"
|
||
|
"net/http"
|
||
|
"net/http/httptest"
|
||
|
"testing"
|
||
|
|
||
|
"github.com/ethereum/go-ethereum/swarm/storage/mock/mem"
|
||
|
)
|
||
|
|
||
|
// TestHandler_CORSOrigin validates that the correct Access-Control-Allow-Origin
|
||
|
// header is served with various allowed origin settings.
|
||
|
func TestHandler_CORSOrigin(t *testing.T) {
|
||
|
notAllowedOrigin := "http://not-allowed-origin.com/"
|
||
|
|
||
|
for _, tc := range []struct {
|
||
|
name string
|
||
|
origins []string
|
||
|
}{
|
||
|
{
|
||
|
name: "no origin",
|
||
|
origins: nil,
|
||
|
},
|
||
|
{
|
||
|
name: "single origin",
|
||
|
origins: []string{"http://localhost/"},
|
||
|
},
|
||
|
{
|
||
|
name: "multiple origins",
|
||
|
origins: []string{"http://localhost/", "http://ethereum.org/"},
|
||
|
},
|
||
|
} {
|
||
|
t.Run(tc.name, func(t *testing.T) {
|
||
|
handler := NewHandler(mem.NewGlobalStore(), tc.origins)
|
||
|
|
||
|
origins := tc.origins
|
||
|
if origins == nil {
|
||
|
// handle the "no origin" test case
|
||
|
origins = []string{""}
|
||
|
}
|
||
|
|
||
|
for _, origin := range origins {
|
||
|
t.Run(fmt.Sprintf("get %q", origin), newTestCORSOrigin(handler, origin, origin))
|
||
|
t.Run(fmt.Sprintf("preflight %q", origin), newTestCORSPreflight(handler, origin, origin))
|
||
|
}
|
||
|
|
||
|
t.Run(fmt.Sprintf("get %q", notAllowedOrigin), newTestCORSOrigin(handler, notAllowedOrigin, ""))
|
||
|
t.Run(fmt.Sprintf("preflight %q", notAllowedOrigin), newTestCORSPreflight(handler, notAllowedOrigin, ""))
|
||
|
})
|
||
|
}
|
||
|
|
||
|
t.Run("wildcard", func(t *testing.T) {
|
||
|
handler := NewHandler(mem.NewGlobalStore(), []string{"*"})
|
||
|
|
||
|
for _, origin := range []string{
|
||
|
"http://example.com/",
|
||
|
"http://ethereum.org",
|
||
|
"http://localhost",
|
||
|
} {
|
||
|
t.Run(fmt.Sprintf("get %q", origin), newTestCORSOrigin(handler, origin, origin))
|
||
|
t.Run(fmt.Sprintf("preflight %q", origin), newTestCORSPreflight(handler, origin, origin))
|
||
|
}
|
||
|
})
|
||
|
}
|
||
|
|
||
|
// newTestCORSOrigin returns a test function that validates if wantOrigin CORS header is
|
||
|
// served by the handler for a GET request.
|
||
|
func newTestCORSOrigin(handler http.Handler, origin, wantOrigin string) func(t *testing.T) {
|
||
|
return func(t *testing.T) {
|
||
|
req, err := http.NewRequest(http.MethodGet, "/", nil)
|
||
|
if err != nil {
|
||
|
t.Fatal(err)
|
||
|
}
|
||
|
req.Header.Set("Origin", origin)
|
||
|
|
||
|
w := httptest.NewRecorder()
|
||
|
handler.ServeHTTP(w, req)
|
||
|
resp := w.Result()
|
||
|
|
||
|
header := resp.Header.Get("Access-Control-Allow-Origin")
|
||
|
if header != wantOrigin {
|
||
|
t.Errorf("got Access-Control-Allow-Origin header %q, want %q", header, wantOrigin)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// newTestCORSPreflight returns a test function that validates if wantOrigin CORS header is
|
||
|
// served by the handler for an OPTIONS CORS preflight request.
|
||
|
func newTestCORSPreflight(handler http.Handler, origin, wantOrigin string) func(t *testing.T) {
|
||
|
return func(t *testing.T) {
|
||
|
req, err := http.NewRequest(http.MethodOptions, "/", nil)
|
||
|
if err != nil {
|
||
|
t.Fatal(err)
|
||
|
}
|
||
|
req.Header.Set("Origin", origin)
|
||
|
req.Header.Set("Access-Control-Request-Method", "GET")
|
||
|
|
||
|
w := httptest.NewRecorder()
|
||
|
handler.ServeHTTP(w, req)
|
||
|
resp := w.Result()
|
||
|
|
||
|
header := resp.Header.Get("Access-Control-Allow-Origin")
|
||
|
if header != wantOrigin {
|
||
|
t.Errorf("got Access-Control-Allow-Origin header %q, want %q", header, wantOrigin)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// TestHandler_noCacheHeaders validates that no cache headers are server.
|
||
|
func TestHandler_noCacheHeaders(t *testing.T) {
|
||
|
handler := NewHandler(mem.NewGlobalStore(), nil)
|
||
|
|
||
|
for _, tc := range []struct {
|
||
|
url string
|
||
|
}{
|
||
|
{
|
||
|
url: "/",
|
||
|
},
|
||
|
{
|
||
|
url: "/api/nodes",
|
||
|
},
|
||
|
{
|
||
|
url: "/api/keys",
|
||
|
},
|
||
|
} {
|
||
|
req, err := http.NewRequest(http.MethodGet, tc.url, nil)
|
||
|
if err != nil {
|
||
|
t.Fatal(err)
|
||
|
}
|
||
|
|
||
|
w := httptest.NewRecorder()
|
||
|
handler.ServeHTTP(w, req)
|
||
|
resp := w.Result()
|
||
|
|
||
|
for header, want := range map[string]string{
|
||
|
"Cache-Control": "no-cache, no-store, must-revalidate",
|
||
|
"Pragma": "no-cache",
|
||
|
"Expires": "0",
|
||
|
} {
|
||
|
got := resp.Header.Get(header)
|
||
|
if got != want {
|
||
|
t.Errorf("got %q header %q for url %q, want %q", header, tc.url, got, want)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
}
|