Merge branch 'master' into 12018-sync-groups-tool

[arvados.git] / services / arv-git-httpd / auth_handler_test.go

// Copyright (C) The Arvados Authors. All rights reserved.
//
// SPDX-License-Identifier: AGPL-3.0

package main

import (
        "net/http"
        "net/http/httptest"
        "net/url"

        check "gopkg.in/check.v1"
)

var _ = check.Suite(&AuthHandlerSuite{})

type AuthHandlerSuite struct{}

func (s *AuthHandlerSuite) TestCORS(c *check.C) {
        h := &authHandler{}

        // CORS preflight
        resp := httptest.NewRecorder()
        req := &http.Request{
                Method: "OPTIONS",
                Header: http.Header{
                        "Origin":                        {"*"},
                        "Access-Control-Request-Method": {"GET"},
                },
        }
        h.ServeHTTP(resp, req)
        c.Check(resp.Code, check.Equals, http.StatusOK)
        c.Check(resp.Header().Get("Access-Control-Allow-Methods"), check.Equals, "GET, POST")
        c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Authorization, Content-Type")
        c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
        c.Check(resp.Body.String(), check.Equals, "")

        // CORS actual request. Bogus token and path ensure
        // authHandler responds 4xx without calling our wrapped (nil)
        // handler.
        u, err := url.Parse("git.zzzzz.arvadosapi.com/test")
        c.Assert(err, check.Equals, nil)
        resp = httptest.NewRecorder()
        req = &http.Request{
                Method: "GET",
                URL:    u,
                Header: http.Header{
                        "Origin":        {"*"},
                        "Authorization": {"OAuth2 foobar"},
                },
        }
        h.ServeHTTP(resp, req)
        c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*")
}