X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6c0bf267d795a3ca49c3258c9490714c9e18d333..fe45b1b66c730f2546d78a7899375707c0816518:/services/keep-web/handler_test.go diff --git a/services/keep-web/handler_test.go b/services/keep-web/handler_test.go index b3e17e8b61..57ac2190c4 100644 --- a/services/keep-web/handler_test.go +++ b/services/keep-web/handler_test.go @@ -18,6 +18,66 @@ var _ = check.Suite(&UnitSuite{}) type UnitSuite struct{} +func (s *UnitSuite) TestCORSPreflight(c *check.C) { + h := handler{Config: &Config{}} + u, _ := url.Parse("http://keep-web.example/c=" + arvadostest.FooCollection + "/foo") + req := &http.Request{ + Method: "OPTIONS", + Host: u.Host, + URL: u, + RequestURI: u.RequestURI(), + Header: http.Header{ + "Origin": {"https://workbench.example"}, + "Access-Control-Request-Method": {"POST"}, + }, + } + + // Check preflight for an allowed request + resp := httptest.NewRecorder() + h.ServeHTTP(resp, req) + c.Check(resp.Code, check.Equals, http.StatusOK) + c.Check(resp.Body.String(), check.Equals, "") + c.Check(resp.Header().Get("Access-Control-Allow-Origin"), check.Equals, "*") + c.Check(resp.Header().Get("Access-Control-Allow-Methods"), check.Equals, "GET, POST") + c.Check(resp.Header().Get("Access-Control-Allow-Headers"), check.Equals, "Range") + + // Check preflight for a disallowed request + resp = httptest.NewRecorder() + req.Header.Set("Access-Control-Request-Method", "DELETE") + h.ServeHTTP(resp, req) + c.Check(resp.Body.String(), check.Equals, "") + c.Check(resp.Code, check.Equals, http.StatusMethodNotAllowed) +} + +func (s *UnitSuite) TestInvalidUUID(c *check.C) { + bogusID := strings.Replace(arvadostest.FooPdh, "+", "-", 1) + "-" + token := arvadostest.ActiveToken + for _, trial := range []string{ + "http://keep-web/c=" + bogusID + "/foo", + "http://keep-web/c=" + bogusID + "/t=" + token + "/foo", + "http://keep-web/collections/download/" + bogusID + "/" + token + "/foo", + "http://keep-web/collections/" + bogusID + "/foo", + "http://" + bogusID + ".keep-web/" + bogusID + "/foo", + "http://" + bogusID + ".keep-web/t=" + token + "/" + bogusID + "/foo", + } { + c.Log(trial) + u, err := url.Parse(trial) + c.Assert(err, check.IsNil) + req := &http.Request{ + Method: "GET", + Host: u.Host, + URL: u, + RequestURI: u.RequestURI(), + } + resp := httptest.NewRecorder() + h := handler{Config: &Config{ + AnonymousTokens: []string{arvadostest.AnonymousToken}, + }} + h.ServeHTTP(resp, req) + c.Check(resp.Code, check.Equals, http.StatusNotFound) + } +} + func mustParseURL(s string) *url.URL { r, err := url.Parse(s) if err != nil { @@ -350,49 +410,6 @@ func (s *IntegrationSuite) TestAnonymousTokenError(c *check.C) { ) } -func (s *IntegrationSuite) TestRange(c *check.C) { - s.testServer.Config.AnonymousTokens = []string{arvadostest.AnonymousToken} - u, _ := url.Parse("http://example.com/c=" + arvadostest.HelloWorldCollection + "/Hello%20world.txt") - req := &http.Request{ - Method: "GET", - Host: u.Host, - URL: u, - RequestURI: u.RequestURI(), - Header: http.Header{"Range": {"bytes=0-4"}}, - } - resp := httptest.NewRecorder() - s.testServer.Handler.ServeHTTP(resp, req) - c.Check(resp.Code, check.Equals, http.StatusPartialContent) - c.Check(resp.Body.String(), check.Equals, "Hello") - c.Check(resp.Header().Get("Content-Length"), check.Equals, "5") - c.Check(resp.Header().Get("Content-Range"), check.Equals, "bytes 0-4/12") - - req.Header.Set("Range", "bytes=0-") - resp = httptest.NewRecorder() - s.testServer.Handler.ServeHTTP(resp, req) - // 200 and 206 are both correct: - c.Check(resp.Code, check.Equals, http.StatusOK) - c.Check(resp.Body.String(), check.Equals, "Hello world\n") - c.Check(resp.Header().Get("Content-Length"), check.Equals, "12") - - // Unsupported ranges are ignored - for _, hdr := range []string{ - "bytes=5-5", // non-zero start byte - "bytes=-5", // last 5 bytes - "cubits=0-5", // unsupported unit - "bytes=0-340282366920938463463374607431768211456", // 2^128 - } { - req.Header.Set("Range", hdr) - resp = httptest.NewRecorder() - s.testServer.Handler.ServeHTTP(resp, req) - c.Check(resp.Code, check.Equals, http.StatusOK) - c.Check(resp.Body.String(), check.Equals, "Hello world\n") - c.Check(resp.Header().Get("Content-Length"), check.Equals, "12") - c.Check(resp.Header().Get("Content-Range"), check.Equals, "") - c.Check(resp.Header().Get("Accept-Ranges"), check.Equals, "bytes") - } -} - // XHRs can't follow redirect-with-cookie so they rely on method=POST // and disposition=attachment (telling us it's acceptable to respond // with content instead of a redirect) and an Origin header that gets