lib/controller/router/router_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package router
   6
   7 import (
   8         "bytes"
   9         "encoding/json"
  10         "io"
  11         "net/http"
  12         "net/http/httptest"
  13         "net/url"
  14         "os"
  15         "strings"
  16         "testing"
  17         "time"
  18
  19         "git.arvados.org/arvados.git/lib/controller/rpc"
  20         "git.arvados.org/arvados.git/sdk/go/arvados"
  21         "git.arvados.org/arvados.git/sdk/go/arvadostest"
  22         "github.com/gorilla/mux"
  23         check "gopkg.in/check.v1"
  24 )
  25
  26 // Gocheck boilerplate
  27 func Test(t *testing.T) {
  28         check.TestingT(t)
  29 }
  30
  31 var _ = check.Suite(&RouterSuite{})
  32
  33 type RouterSuite struct {
  34         rtr  *router
  35         stub arvadostest.APIStub
  36 }
  37
  38 func (s *RouterSuite) SetUpTest(c *check.C) {
  39         s.stub = arvadostest.APIStub{}
  40         s.rtr = &router{
  41                 mux:     mux.NewRouter(),
  42                 backend: &s.stub,
  43         }
  44         s.rtr.addRoutes()
  45 }
  46
  47 func (s *RouterSuite) TestOptions(c *check.C) {
  48         token := arvadostest.ActiveToken
  49         for _, trial := range []struct {
  50                 comment      string // unparsed -- only used to help match test failures to trials
  51                 method       string
  52                 path         string
  53                 header       http.Header
  54                 body         string
  55                 shouldStatus int // zero value means 200
  56                 shouldCall   string
  57                 withOptions  interface{}
  58         }{
  59                 {
  60                         method:      "GET",
  61                         path:        "/arvados/v1/collections/" + arvadostest.FooCollection,
  62                         shouldCall:  "CollectionGet",
  63                         withOptions: arvados.GetOptions{UUID: arvadostest.FooCollection},
  64                 },
  65                 {
  66                         method:      "PUT",
  67                         path:        "/arvados/v1/collections/" + arvadostest.FooCollection,
  68                         shouldCall:  "CollectionUpdate",
  69                         withOptions: arvados.UpdateOptions{UUID: arvadostest.FooCollection},
  70                 },
  71                 {
  72                         method:      "PATCH",
  73                         path:        "/arvados/v1/collections/" + arvadostest.FooCollection,
  74                         shouldCall:  "CollectionUpdate",
  75                         withOptions: arvados.UpdateOptions{UUID: arvadostest.FooCollection},
  76                 },
  77                 {
  78                         method:      "DELETE",
  79                         path:        "/arvados/v1/collections/" + arvadostest.FooCollection,
  80                         shouldCall:  "CollectionDelete",
  81                         withOptions: arvados.DeleteOptions{UUID: arvadostest.FooCollection},
  82                 },
  83                 {
  84                         method:      "POST",
  85                         path:        "/arvados/v1/collections",
  86                         shouldCall:  "CollectionCreate",
  87                         withOptions: arvados.CreateOptions{},
  88                 },
  89                 {
  90                         method:      "GET",
  91                         path:        "/arvados/v1/collections",
  92                         shouldCall:  "CollectionList",
  93                         withOptions: arvados.ListOptions{Limit: -1},
  94                 },
  95                 {
  96                         method:      "GET",
  97                         path:        "/arvados/v1/collections?limit=123&offset=456&include_trash=true&include_old_versions=1",
  98                         shouldCall:  "CollectionList",
  99                         withOptions: arvados.ListOptions{Limit: 123, Offset: 456, IncludeTrash: true, IncludeOldVersions: true},
 100                 },
 101                 {
 102                         method:      "POST",
 103                         path:        "/arvados/v1/collections?limit=123&_method=GET",
 104                         body:        `{"offset":456,"include_trash":true,"include_old_versions":true}`,
 105                         shouldCall:  "CollectionList",
 106                         withOptions: arvados.ListOptions{Limit: 123, Offset: 456, IncludeTrash: true, IncludeOldVersions: true},
 107                 },
 108                 {
 109                         method:      "POST",
 110                         path:        "/arvados/v1/collections?limit=123",
 111                         body:        `{"offset":456,"include_trash":true,"include_old_versions":true}`,
 112                         header:      http.Header{"X-Http-Method-Override": {"GET"}, "Content-Type": {"application/json"}},
 113                         shouldCall:  "CollectionList",
 114                         withOptions: arvados.ListOptions{Limit: 123, Offset: 456, IncludeTrash: true, IncludeOldVersions: true},
 115                 },
 116                 {
 117                         method:      "POST",
 118                         path:        "/arvados/v1/collections?limit=123",
 119                         body:        "offset=456&include_trash=true&include_old_versions=1&_method=GET",
 120                         header:      http.Header{"Content-Type": {"application/x-www-form-urlencoded"}},
 121                         shouldCall:  "CollectionList",
 122                         withOptions: arvados.ListOptions{Limit: 123, Offset: 456, IncludeTrash: true, IncludeOldVersions: true},
 123                 },
 124                 {
 125                         comment:     "form-encoded expression filter in query string",
 126                         method:      "GET",
 127                         path:        "/arvados/v1/collections?filters=[%22(foo<bar)%22]",
 128                         shouldCall:  "CollectionList",
 129                         withOptions: arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"(foo<bar)", "=", true}}},
 130                 },
 131                 {
 132                         comment:     "form-encoded expression filter in POST body",
 133                         method:      "POST",
 134                         path:        "/arvados/v1/collections",
 135                         body:        "filters=[\"(foo<bar)\"]&_method=GET",
 136                         header:      http.Header{"Content-Type": {"application/x-www-form-urlencoded"}},
 137                         shouldCall:  "CollectionList",
 138                         withOptions: arvados.ListOptions{Limit: -1, Filters: []arvados.Filter{{"(foo<bar)", "=", true}}},
 139                 },
 140                 {
 141                         comment:     "json-encoded expression filter in POST body",
 142                         method:      "POST",
 143                         path:        "/arvados/v1/collections?_method=GET",
 144                         body:        `{"filters":["(foo<bar)",["bar","=","baz"]],"limit":2}`,
 145                         header:      http.Header{"Content-Type": {"application/json"}},
 146                         shouldCall:  "CollectionList",
 147                         withOptions: arvados.ListOptions{Limit: 2, Filters: []arvados.Filter{{"(foo<bar)", "=", true}, {"bar", "=", "baz"}}},
 148                 },
 149                 {
 150                         comment:     "json-encoded select param in query string",
 151                         method:      "GET",
 152                         path:        "/arvados/v1/collections/" + arvadostest.FooCollection + "?select=[%22portable_data_hash%22]",
 153                         shouldCall:  "CollectionGet",
 154                         withOptions: arvados.GetOptions{UUID: arvadostest.FooCollection, Select: []string{"portable_data_hash"}},
 155                 },
 156                 {
 157                         method:       "PATCH",
 158                         path:         "/arvados/v1/collections",
 159                         shouldStatus: http.StatusMethodNotAllowed,
 160                 },
 161                 {
 162                         method:       "PUT",
 163                         path:         "/arvados/v1/collections",
 164                         shouldStatus: http.StatusMethodNotAllowed,
 165                 },
 166                 {
 167                         method:       "DELETE",
 168                         path:         "/arvados/v1/collections",
 169                         shouldStatus: http.StatusMethodNotAllowed,
 170                 },
 171         } {
 172                 // Reset calls captured in previous trial
 173                 s.stub = arvadostest.APIStub{}
 174
 175                 c.Logf("trial: %+v", trial)
 176                 comment := check.Commentf("trial comment: %s", trial.comment)
 177
 178                 _, rr, _ := doRequest(c, s.rtr, token, trial.method, trial.path, trial.header, bytes.NewBufferString(trial.body))
 179                 if trial.shouldStatus == 0 {
 180                         c.Check(rr.Code, check.Equals, http.StatusOK, comment)
 181                 } else {
 182                         c.Check(rr.Code, check.Equals, trial.shouldStatus, comment)
 183                 }
 184                 calls := s.stub.Calls(nil)
 185                 if trial.shouldCall == "" {
 186                         c.Check(calls, check.HasLen, 0, comment)
 187                 } else if len(calls) != 1 {
 188                         c.Check(calls, check.HasLen, 1, comment)
 189                 } else {
 190                         c.Check(calls[0].Method, isMethodNamed, trial.shouldCall, comment)
 191                         c.Check(calls[0].Options, check.DeepEquals, trial.withOptions, comment)
 192                 }
 193         }
 194 }
 195
 196 var _ = check.Suite(&RouterIntegrationSuite{})
 197
 198 type RouterIntegrationSuite struct {
 199         rtr *router
 200 }
 201
 202 func (s *RouterIntegrationSuite) SetUpTest(c *check.C) {
 203         cluster := &arvados.Cluster{}
 204         cluster.TLS.Insecure = true
 205         arvadostest.SetServiceURL(&cluster.Services.RailsAPI, "https://"+os.Getenv("ARVADOS_TEST_API_HOST"))
 206         url, _ := url.Parse("https://" + os.Getenv("ARVADOS_TEST_API_HOST"))
 207         s.rtr = New(rpc.NewConn("zzzzz", url, true, rpc.PassthroughTokenProvider), Config{})
 208 }
 209
 210 func (s *RouterIntegrationSuite) TearDownSuite(c *check.C) {
 211         err := arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil)
 212         c.Check(err, check.IsNil)
 213 }
 214
 215 func (s *RouterIntegrationSuite) TestCollectionResponses(c *check.C) {
 216         token := arvadostest.ActiveTokenV2
 217
 218         // Check "get collection" response has "kind" key
 219         _, rr, jresp := doRequest(c, s.rtr, token, "GET", `/arvados/v1/collections`, nil, bytes.NewBufferString(`{"include_trash":true}`))
 220         c.Check(rr.Code, check.Equals, http.StatusOK)
 221         c.Check(jresp["items"], check.FitsTypeOf, []interface{}{})
 222         c.Check(jresp["kind"], check.Equals, "arvados#collectionList")
 223         c.Check(jresp["items"].([]interface{})[0].(map[string]interface{})["kind"], check.Equals, "arvados#collection")
 224
 225         // Check items in list response have a "kind" key regardless
 226         // of whether a uuid/pdh is selected.
 227         for _, selectj := range []string{
 228                 ``,
 229                 `,"select":["portable_data_hash"]`,
 230                 `,"select":["name"]`,
 231                 `,"select":["uuid"]`,
 232         } {
 233                 _, rr, jresp = doRequest(c, s.rtr, token, "GET", `/arvados/v1/collections`, nil, bytes.NewBufferString(`{"where":{"uuid":["`+arvadostest.FooCollection+`"]}`+selectj+`}`))
 234                 c.Check(rr.Code, check.Equals, http.StatusOK)
 235                 c.Check(jresp["items"], check.FitsTypeOf, []interface{}{})
 236                 c.Check(jresp["items_available"], check.FitsTypeOf, float64(0))
 237                 c.Check(jresp["kind"], check.Equals, "arvados#collectionList")
 238                 item0 := jresp["items"].([]interface{})[0].(map[string]interface{})
 239                 c.Check(item0["kind"], check.Equals, "arvados#collection")
 240                 if selectj == "" || strings.Contains(selectj, "portable_data_hash") {
 241                         c.Check(item0["portable_data_hash"], check.Equals, arvadostest.FooCollectionPDH)
 242                 } else {
 243                         c.Check(item0["portable_data_hash"], check.IsNil)
 244                 }
 245                 if selectj == "" || strings.Contains(selectj, "name") {
 246                         c.Check(item0["name"], check.FitsTypeOf, "")
 247                 } else {
 248                         c.Check(item0["name"], check.IsNil)
 249                 }
 250                 if selectj == "" || strings.Contains(selectj, "uuid") {
 251                         c.Check(item0["uuid"], check.Equals, arvadostest.FooCollection)
 252                 } else {
 253                         c.Check(item0["uuid"], check.IsNil)
 254                 }
 255         }
 256
 257         // Check "create collection" response has "kind" key
 258         _, rr, jresp = doRequest(c, s.rtr, token, "POST", `/arvados/v1/collections`, http.Header{"Content-Type": {"application/x-www-form-urlencoded"}}, bytes.NewBufferString(`ensure_unique_name=true`))
 259         c.Check(rr.Code, check.Equals, http.StatusOK)
 260         c.Check(jresp["uuid"], check.FitsTypeOf, "")
 261         c.Check(jresp["kind"], check.Equals, "arvados#collection")
 262 }
 263
 264 func (s *RouterIntegrationSuite) TestMaxRequestSize(c *check.C) {
 265         token := arvadostest.ActiveTokenV2
 266         for _, maxRequestSize := range []int{
 267                 // Ensure 5M limit is enforced.
 268                 5000000,
 269                 // Ensure 50M limit is enforced, and that a >25M body
 270                 // is accepted even though the default Go request size
 271                 // limit is 10M.
 272                 50000000,
 273         } {
 274                 s.rtr.config.MaxRequestSize = maxRequestSize
 275                 okstr := "a"
 276                 for len(okstr) < maxRequestSize/2 {
 277                         okstr = okstr + okstr
 278                 }
 279
 280                 hdr := http.Header{"Content-Type": {"application/x-www-form-urlencoded"}}
 281
 282                 body := bytes.NewBufferString(url.Values{"foo_bar": {okstr}}.Encode())
 283                 _, rr, _ := doRequest(c, s.rtr, token, "POST", `/arvados/v1/collections`, hdr, body)
 284                 c.Check(rr.Code, check.Equals, http.StatusOK)
 285
 286                 body = bytes.NewBufferString(url.Values{"foo_bar": {okstr + okstr}}.Encode())
 287                 _, rr, _ = doRequest(c, s.rtr, token, "POST", `/arvados/v1/collections`, hdr, body)
 288                 c.Check(rr.Code, check.Equals, http.StatusRequestEntityTooLarge)
 289         }
 290 }
 291
 292 func (s *RouterIntegrationSuite) TestContainerList(c *check.C) {
 293         token := arvadostest.ActiveTokenV2
 294
 295         _, rr, jresp := doRequest(c, s.rtr, token, "GET", `/arvados/v1/containers?limit=0`, nil, nil)
 296         c.Check(rr.Code, check.Equals, http.StatusOK)
 297         c.Check(jresp["items_available"], check.FitsTypeOf, float64(0))
 298         c.Check(jresp["items_available"].(float64) > 2, check.Equals, true)
 299         c.Check(jresp["items"], check.NotNil)
 300         c.Check(jresp["items"], check.HasLen, 0)
 301
 302         _, rr, jresp = doRequest(c, s.rtr, token, "GET", `/arvados/v1/containers?filters=[["uuid","in",[]]]`, nil, nil)
 303         c.Check(rr.Code, check.Equals, http.StatusOK)
 304         c.Check(jresp["items_available"], check.Equals, float64(0))
 305         c.Check(jresp["items"], check.NotNil)
 306         c.Check(jresp["items"], check.HasLen, 0)
 307
 308         _, rr, jresp = doRequest(c, s.rtr, token, "GET", `/arvados/v1/containers?limit=2&select=["uuid","command"]`, nil, nil)
 309         c.Check(rr.Code, check.Equals, http.StatusOK)
 310         c.Check(jresp["items_available"], check.FitsTypeOf, float64(0))
 311         c.Check(jresp["items_available"].(float64) > 2, check.Equals, true)
 312         c.Check(jresp["items"], check.HasLen, 2)
 313         item0 := jresp["items"].([]interface{})[0].(map[string]interface{})
 314         c.Check(item0["uuid"], check.HasLen, 27)
 315         c.Check(item0["command"], check.FitsTypeOf, []interface{}{})
 316         c.Check(item0["command"].([]interface{})[0], check.FitsTypeOf, "")
 317         c.Check(item0["mounts"], check.IsNil)
 318
 319         _, rr, jresp = doRequest(c, s.rtr, token, "GET", `/arvados/v1/containers`, nil, nil)
 320         c.Check(rr.Code, check.Equals, http.StatusOK)
 321         c.Check(jresp["items_available"], check.FitsTypeOf, float64(0))
 322         c.Check(jresp["items_available"].(float64) > 2, check.Equals, true)
 323         avail := int(jresp["items_available"].(float64))
 324         c.Check(jresp["items"], check.HasLen, avail)
 325         item0 = jresp["items"].([]interface{})[0].(map[string]interface{})
 326         c.Check(item0["uuid"], check.HasLen, 27)
 327         c.Check(item0["command"], check.FitsTypeOf, []interface{}{})
 328         c.Check(item0["command"].([]interface{})[0], check.FitsTypeOf, "")
 329         c.Check(item0["mounts"], check.NotNil)
 330 }
 331
 332 func (s *RouterIntegrationSuite) TestContainerLock(c *check.C) {
 333         uuid := arvadostest.QueuedContainerUUID
 334         token := arvadostest.AdminToken
 335         _, rr, jresp := doRequest(c, s.rtr, token, "POST", "/arvados/v1/containers/"+uuid+"/lock", nil, nil)
 336         c.Check(rr.Code, check.Equals, http.StatusOK)
 337         c.Check(jresp["uuid"], check.HasLen, 27)
 338         c.Check(jresp["state"], check.Equals, "Locked")
 339         _, rr, _ = doRequest(c, s.rtr, token, "POST", "/arvados/v1/containers/"+uuid+"/lock", nil, nil)
 340         c.Check(rr.Code, check.Equals, http.StatusUnprocessableEntity)
 341         c.Check(rr.Body.String(), check.Not(check.Matches), `.*"uuid":.*`)
 342         _, rr, jresp = doRequest(c, s.rtr, token, "POST", "/arvados/v1/containers/"+uuid+"/unlock", nil, nil)
 343         c.Check(rr.Code, check.Equals, http.StatusOK)
 344         c.Check(jresp["uuid"], check.HasLen, 27)
 345         c.Check(jresp["state"], check.Equals, "Queued")
 346         c.Check(jresp["environment"], check.IsNil)
 347         _, rr, jresp = doRequest(c, s.rtr, token, "POST", "/arvados/v1/containers/"+uuid+"/unlock", nil, nil)
 348         c.Check(rr.Code, check.Equals, http.StatusUnprocessableEntity)
 349         c.Check(jresp["uuid"], check.IsNil)
 350 }
 351
 352 func (s *RouterIntegrationSuite) TestWritableBy(c *check.C) {
 353         _, rr, jresp := doRequest(c, s.rtr, arvadostest.ActiveTokenV2, "GET", `/arvados/v1/users/`+arvadostest.ActiveUserUUID, nil, nil)
 354         c.Check(rr.Code, check.Equals, http.StatusOK)
 355         c.Check(jresp["writable_by"], check.DeepEquals, []interface{}{"zzzzz-tpzed-000000000000000", "zzzzz-tpzed-xurymjxw79nv3jz", "zzzzz-j7d0g-48foin4vonvc2at"})
 356 }
 357
 358 func (s *RouterIntegrationSuite) TestFullTimestampsInResponse(c *check.C) {
 359         uuid := arvadostest.CollectionReplicationDesired2Confirmed2UUID
 360         token := arvadostest.ActiveTokenV2
 361
 362         _, rr, jresp := doRequest(c, s.rtr, token, "GET", `/arvados/v1/collections/`+uuid, nil, nil)
 363         c.Check(rr.Code, check.Equals, http.StatusOK)
 364         c.Check(jresp["uuid"], check.Equals, uuid)
 365         expectNS := map[string]int{
 366                 "created_at":  596506000, // fixture says 596506247, but truncated by postgresql
 367                 "modified_at": 596338000, // fixture says 596338465, but truncated by postgresql
 368         }
 369         for key, ns := range expectNS {
 370                 mt, ok := jresp[key].(string)
 371                 c.Logf("jresp[%q] == %q", key, mt)
 372                 c.Assert(ok, check.Equals, true)
 373                 t, err := time.Parse(time.RFC3339Nano, mt)
 374                 c.Check(err, check.IsNil)
 375                 c.Check(t.Nanosecond(), check.Equals, ns)
 376         }
 377 }
 378
 379 func (s *RouterIntegrationSuite) TestSelectParam(c *check.C) {
 380         uuid := arvadostest.QueuedContainerUUID
 381         token := arvadostest.ActiveTokenV2
 382         // GET
 383         for _, sel := range [][]string{
 384                 {"uuid", "command"},
 385                 {"uuid", "command", "uuid"},
 386         } {
 387                 j, err := json.Marshal(sel)
 388                 c.Assert(err, check.IsNil)
 389                 _, rr, resp := doRequest(c, s.rtr, token, "GET", "/arvados/v1/containers/"+uuid+"?select="+string(j), nil, nil)
 390                 c.Check(rr.Code, check.Equals, http.StatusOK)
 391
 392                 c.Check(resp["kind"], check.Equals, "arvados#container")
 393                 c.Check(resp["uuid"], check.HasLen, 27)
 394                 c.Check(resp["command"], check.HasLen, 2)
 395                 c.Check(resp["mounts"], check.IsNil)
 396                 _, hasMounts := resp["mounts"]
 397                 c.Check(hasMounts, check.Equals, false)
 398         }
 399         // POST & PUT
 400         uuid = arvadostest.FooCollection
 401         j, err := json.Marshal([]string{"uuid", "description"})
 402         c.Assert(err, check.IsNil)
 403         for _, method := range []string{"PUT", "POST"} {
 404                 desc := "Today is " + time.Now().String()
 405                 reqBody := "{\"description\":\"" + desc + "\"}"
 406                 var resp map[string]interface{}
 407                 var rr *httptest.ResponseRecorder
 408                 if method == "PUT" {
 409                         _, rr, resp = doRequest(c, s.rtr, token, method, "/arvados/v1/collections/"+uuid+"?select="+string(j), nil, bytes.NewReader([]byte(reqBody)))
 410                 } else {
 411                         _, rr, resp = doRequest(c, s.rtr, token, method, "/arvados/v1/collections?select="+string(j), nil, bytes.NewReader([]byte(reqBody)))
 412                 }
 413                 c.Check(rr.Code, check.Equals, http.StatusOK)
 414                 c.Check(resp["kind"], check.Equals, "arvados#collection")
 415                 c.Check(resp["uuid"], check.HasLen, 27)
 416                 c.Check(resp["description"], check.Equals, desc)
 417                 c.Check(resp["manifest_text"], check.IsNil)
 418         }
 419 }
 420
 421 func (s *RouterIntegrationSuite) TestHEAD(c *check.C) {
 422         _, rr, _ := doRequest(c, s.rtr, arvadostest.ActiveTokenV2, "HEAD", "/arvados/v1/containers/"+arvadostest.QueuedContainerUUID, nil, nil)
 423         c.Check(rr.Code, check.Equals, http.StatusOK)
 424 }
 425
 426 func (s *RouterIntegrationSuite) TestRouteNotFound(c *check.C) {
 427         token := arvadostest.ActiveTokenV2
 428         req := (&testReq{
 429                 method: "POST",
 430                 path:   "arvados/v1/collections/" + arvadostest.FooCollection + "/error404pls",
 431                 token:  token,
 432         }).Request()
 433         rr := httptest.NewRecorder()
 434         s.rtr.ServeHTTP(rr, req)
 435         c.Check(rr.Code, check.Equals, http.StatusNotFound)
 436         c.Logf("body: %q", rr.Body.String())
 437         var j map[string]interface{}
 438         err := json.Unmarshal(rr.Body.Bytes(), &j)
 439         c.Check(err, check.IsNil)
 440         c.Logf("decoded: %v", j)
 441         c.Assert(j["errors"], check.FitsTypeOf, []interface{}{})
 442         c.Check(j["errors"].([]interface{})[0], check.Equals, "API endpoint not found")
 443 }
 444
 445 func (s *RouterIntegrationSuite) TestCORS(c *check.C) {
 446         token := arvadostest.ActiveTokenV2
 447         req := (&testReq{
 448                 method: "OPTIONS",
 449                 path:   "arvados/v1/collections/" + arvadostest.FooCollection,
 450                 header: http.Header{"Origin": {"https://example.com"}},
 451                 token:  token,
 452         }).Request()
 453         rr := httptest.NewRecorder()
 454         s.rtr.ServeHTTP(rr, req)
 455         c.Check(rr.Code, check.Equals, http.StatusOK)
 456         c.Check(rr.Body.String(), check.HasLen, 0)
 457         c.Check(rr.Result().Header.Get("Access-Control-Allow-Origin"), check.Equals, "*")
 458         for _, hdr := range []string{"Authorization", "Content-Type"} {
 459                 c.Check(rr.Result().Header.Get("Access-Control-Allow-Headers"), check.Matches, ".*"+hdr+".*")
 460         }
 461         for _, method := range []string{"GET", "HEAD", "PUT", "POST", "PATCH", "DELETE"} {
 462                 c.Check(rr.Result().Header.Get("Access-Control-Allow-Methods"), check.Matches, ".*"+method+".*")
 463         }
 464
 465         for _, unsafe := range []string{"login", "logout", "auth", "auth/foo", "login/?blah"} {
 466                 req := (&testReq{
 467                         method: "OPTIONS",
 468                         path:   unsafe,
 469                         header: http.Header{"Origin": {"https://example.com"}},
 470                         token:  token,
 471                 }).Request()
 472                 rr := httptest.NewRecorder()
 473                 s.rtr.ServeHTTP(rr, req)
 474                 c.Check(rr.Code, check.Equals, http.StatusOK)
 475                 c.Check(rr.Body.String(), check.HasLen, 0)
 476                 c.Check(rr.Result().Header.Get("Access-Control-Allow-Origin"), check.Equals, "")
 477                 c.Check(rr.Result().Header.Get("Access-Control-Allow-Methods"), check.Equals, "")
 478                 c.Check(rr.Result().Header.Get("Access-Control-Allow-Headers"), check.Equals, "")
 479
 480                 req = (&testReq{
 481                         method: "POST",
 482                         path:   unsafe,
 483                         header: http.Header{"Origin": {"https://example.com"}},
 484                         token:  token,
 485                 }).Request()
 486                 rr = httptest.NewRecorder()
 487                 s.rtr.ServeHTTP(rr, req)
 488                 c.Check(rr.Result().Header.Get("Access-Control-Allow-Origin"), check.Equals, "")
 489                 c.Check(rr.Result().Header.Get("Access-Control-Allow-Methods"), check.Equals, "")
 490                 c.Check(rr.Result().Header.Get("Access-Control-Allow-Headers"), check.Equals, "")
 491         }
 492 }
 493
 494 func doRequest(c *check.C, rtr http.Handler, token, method, path string, hdrs http.Header, body io.Reader) (*http.Request, *httptest.ResponseRecorder, map[string]interface{}) {
 495         req := httptest.NewRequest(method, path, body)
 496         for k, v := range hdrs {
 497                 req.Header[k] = v
 498         }
 499         req.Header.Set("Authorization", "Bearer "+token)
 500         rr := httptest.NewRecorder()
 501         rtr.ServeHTTP(rr, req)
 502         c.Logf("response body: %s", rr.Body.String())
 503         var jresp map[string]interface{}
 504         err := json.Unmarshal(rr.Body.Bytes(), &jresp)
 505         c.Check(err, check.IsNil)
 506         return req, rr, jresp
 507 }