/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.security.http;
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.security.http.CrossOriginFilter;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.Mockito;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
public class TestCrossOriginFilter {
@Test
public void testSameOrigin() throws ServletException, IOException {
// Setup the configuration settings of the server
Map<String, String> conf = new HashMap<String, String>();
conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "");
FilterConfig filterConfig = new FilterConfigTest(conf);
// Origin is not specified for same origin requests
HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
Mockito.when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn(null);
// Objects to verify interactions based on request
HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
FilterChain mockChain = Mockito.mock(FilterChain.class);
// Object under test
CrossOriginFilter filter = new CrossOriginFilter();
filter.init(filterConfig);
filter.doFilter(mockReq, mockRes, mockChain);
Mockito.verifyZeroInteractions(mockRes);
Mockito.verify(mockChain).doFilter(mockReq, mockRes);
}
@Test
public void testAllowAllOrigins() throws ServletException, IOException {
// Setup the configuration settings of the server
Map<String, String> conf = new HashMap<String, String>();
conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "*");
FilterConfig filterConfig = new FilterConfigTest(conf);
// Object under test
CrossOriginFilter filter = new CrossOriginFilter();
filter.init(filterConfig);
Assert.assertTrue(filter.areOriginsAllowed("example.com"));
}
@Test
public void testEncodeHeaders() {
String validOrigin = "http://localhost:12345";
String encodedValidOrigin = CrossOriginFilter.encodeHeader(validOrigin);
Assert.assertEquals("Valid origin encoding should match exactly",
validOrigin, encodedValidOrigin);
String httpResponseSplitOrigin = validOrigin + " \nSecondHeader: value";
String encodedResponseSplitOrigin =
CrossOriginFilter.encodeHeader(httpResponseSplitOrigin);
Assert.assertEquals("Http response split origin should be protected against",
validOrigin, encodedResponseSplitOrigin);
// Test Origin List
String validOriginList = "http://foo.example.com:12345 http://bar.example.com:12345";
String encodedValidOriginList = CrossOriginFilter
.encodeHeader(validOriginList);
Assert.assertEquals("Valid origin list encoding should match exactly",
validOriginList, encodedValidOriginList);
}
@Test
public void testPatternMatchingOrigins() throws ServletException, IOException {
// Setup the configuration settings of the server
Map<String, String> conf = new HashMap<String, String>();
conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "*.example.com");
FilterConfig filterConfig = new FilterConfigTest(conf);
// Object under test
CrossOriginFilter filter = new CrossOriginFilter();
filter.init(filterConfig);
// match multiple sub-domains
Assert.assertFalse(filter.areOriginsAllowed("example.com"));
Assert.assertFalse(filter.areOriginsAllowed("foo:example.com"));
Assert.assertTrue(filter.areOriginsAllowed("foo.example.com"));
Assert.assertTrue(filter.areOriginsAllowed("foo.bar.example.com"));
// First origin is allowed
Assert.assertTrue(filter.areOriginsAllowed("foo.example.com foo.nomatch.com"));
// Second origin is allowed
Assert.assertTrue(filter.areOriginsAllowed("foo.nomatch.com foo.example.com"));
// No origin in list is allowed
Assert.assertFalse(filter.areOriginsAllowed("foo.nomatch1.com foo.nomatch2.com"));
}
@Test
public void testDisallowedOrigin() throws ServletException, IOException {
// Setup the configuration settings of the server
Map<String, String> conf = new HashMap<String, String>();
conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com");
FilterConfig filterConfig = new FilterConfigTest(conf);
// Origin is not specified for same origin requests
HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
Mockito.when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.org");
// Objects to verify interactions based on request
HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
FilterChain mockChain = Mockito.mock(FilterChain.class);
// Object under test
CrossOriginFilter filter = new CrossOriginFilter();
filter.init(filterConfig);
filter.doFilter(mockReq, mockRes, mockChain);
Mockito.verifyZeroInteractions(mockRes);
Mockito.verify(mockChain).doFilter(mockReq, mockRes);
}
@Test
public void testDisallowedMethod() throws ServletException, IOException {
// Setup the configuration settings of the server
Map<String, String> conf = new HashMap<String, String>();
conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com");
FilterConfig filterConfig = new FilterConfigTest(conf);
// Origin is not specified for same origin requests
HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
Mockito.when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.com");
Mockito.when(
mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_METHOD))
.thenReturn("DISALLOWED_METHOD");
// Objects to verify interactions based on request
HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
FilterChain mockChain = Mockito.mock(FilterChain.class);
// Object under test
CrossOriginFilter filter = new CrossOriginFilter();
filter.init(filterConfig);
filter.doFilter(mockReq, mockRes, mockChain);
Mockito.verifyZeroInteractions(mockRes);
Mockito.verify(mockChain).doFilter(mockReq, mockRes);
}
@Test
public void testDisallowedHeader() throws ServletException, IOException {
// Setup the configuration settings of the server
Map<String, String> conf = new HashMap<String, String>();
conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com");
FilterConfig filterConfig = new FilterConfigTest(conf);
// Origin is not specified for same origin requests
HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
Mockito.when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.com");
Mockito.when(
mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_METHOD))
.thenReturn("GET");
Mockito.when(
mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_HEADERS))
.thenReturn("Disallowed-Header");
// Objects to verify interactions based on request
HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
FilterChain mockChain = Mockito.mock(FilterChain.class);
// Object under test
CrossOriginFilter filter = new CrossOriginFilter();
filter.init(filterConfig);
filter.doFilter(mockReq, mockRes, mockChain);
Mockito.verifyZeroInteractions(mockRes);
Mockito.verify(mockChain).doFilter(mockReq, mockRes);
}
@Test
public void testCrossOriginFilter() throws ServletException, IOException {
// Setup the configuration settings of the server
Map<String, String> conf = new HashMap<String, String>();
conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com");
FilterConfig filterConfig = new FilterConfigTest(conf);
// Origin is not specified for same origin requests
HttpServletRequest mockReq = Mockito.mock(HttpServletRequest.class);
Mockito.when(mockReq.getHeader(CrossOriginFilter.ORIGIN)).thenReturn("example.com");
Mockito.when(
mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_METHOD))
.thenReturn("GET");
Mockito.when(
mockReq.getHeader(CrossOriginFilter.ACCESS_CONTROL_REQUEST_HEADERS))
.thenReturn("X-Requested-With");
// Objects to verify interactions based on request
HttpServletResponse mockRes = Mockito.mock(HttpServletResponse.class);
FilterChain mockChain = Mockito.mock(FilterChain.class);
// Object under test
CrossOriginFilter filter = new CrossOriginFilter();
filter.init(filterConfig);
filter.doFilter(mockReq, mockRes, mockChain);
Mockito.verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_ORIGIN,
"example.com");
Mockito.verify(mockRes).setHeader(
CrossOriginFilter.ACCESS_CONTROL_ALLOW_CREDENTIALS,
Boolean.TRUE.toString());
Mockito.verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_METHODS,
filter.getAllowedMethodsHeader());
Mockito.verify(mockRes).setHeader(CrossOriginFilter.ACCESS_CONTROL_ALLOW_HEADERS,
filter.getAllowedHeadersHeader());
Mockito.verify(mockChain).doFilter(mockReq, mockRes);
}
@Test
public void testCrossOriginFilterAfterRestart() throws ServletException {
// Setup the configuration settings of the server
Map<String, String> conf = new HashMap<String, String>();
conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "example.com");
conf.put(CrossOriginFilter.ALLOWED_HEADERS, "X-Requested-With,Accept");
conf.put(CrossOriginFilter.ALLOWED_METHODS, "GET,POST");
FilterConfig filterConfig = new FilterConfigTest(conf);
// Object under test
CrossOriginFilter filter = new CrossOriginFilter();
filter.init(filterConfig);
//verify filter values
Assert.assertTrue("Allowed headers do not match",
filter.getAllowedHeadersHeader()
.compareTo("X-Requested-With,Accept") == 0);
Assert.assertTrue("Allowed methods do not match",
filter.getAllowedMethodsHeader()
.compareTo("GET,POST") == 0);
Assert.assertTrue(filter.areOriginsAllowed("example.com"));
//destroy filter values and clear conf
filter.destroy();
conf.clear();
// Setup the configuration settings of the server
conf.put(CrossOriginFilter.ALLOWED_ORIGINS, "newexample.com");
conf.put(CrossOriginFilter.ALLOWED_HEADERS, "Content-Type,Origin");
conf.put(CrossOriginFilter.ALLOWED_METHODS, "GET,HEAD");
filterConfig = new FilterConfigTest(conf);
//initialize filter
filter.init(filterConfig);
//verify filter values
Assert.assertTrue("Allowed headers do not match",
filter.getAllowedHeadersHeader()
.compareTo("Content-Type,Origin") == 0);
Assert.assertTrue("Allowed methods do not match",
filter.getAllowedMethodsHeader()
.compareTo("GET,HEAD") == 0);
Assert.assertTrue(filter.areOriginsAllowed("newexample.com"));
//destroy filter values
filter.destroy();
}
private static class FilterConfigTest implements FilterConfig {
final Map<String, String> map;
FilterConfigTest(Map<String, String> map) {
this.map = map;
}
@Override
public String getFilterName() {
return "test-filter";
}
@Override
public String getInitParameter(String key) {
return map.get(key);
}
@Override
public Enumeration<String> getInitParameterNames() {
return Collections.enumeration(map.keySet());
}
@Override
public ServletContext getServletContext() {
return null;
}
}
}