test(gw): cors preflight with custom hearder

This cleans up old CORS tests and adds more resolution (proper origin, testing custom header behavior)
ipfs · Aug 17, 2022 · c413030 · c413030
1 parent 1236eb0
commit c413030
Showing 1 changed file with 59 additions and 18 deletions.
diff --git a/test/sharness/t0112-gateway-cors.sh b/test/sharness/t0112-gateway-cors.sh
@@ -1,14 +1,39 @@
 #!/usr/bin/env bash
-#
-# Copyright (c) 2016 Marcin Rataj
-# MIT Licensed; see the LICENSE file in this repository.
-#
 
-test_description="Test HTTP Gateway CORS Support"
+test_description="Test CORS behavior on HTTP ports (RPC API and Gateway)"
 
 . lib/test-lib.sh
 
 test_init_ipfs
+
+# Default config
+
+test_expect_success "Default API.HTTPHeaders config is empty" '
+    echo "{}" > expected &&
+    ipfs config --json API.HTTPHeaders > actual &&
+    test_cmp expected actual
+'
+
+test_expect_success "Default Gateway.HTTPHeaders config match expected values" '
+cat <<EOF > expected
+{
+  "Access-Control-Allow-Headers": [
+    "X-Requested-With",
+    "Range",
+    "User-Agent"
+  ],
+  "Access-Control-Allow-Methods": [
+    "GET"
+  ],
+  "Access-Control-Allow-Origin": [
+    "*"
+  ]
+}
+EOF
+    ipfs config --json Gateway.HTTPHeaders > actual &&
+    test_cmp expected actual
+'
+
 test_launch_ipfs_daemon
 
 thash='QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn'
@@ -34,7 +59,7 @@ test_expect_success "GET response for Gateway resource looks good" '
 
 # HTTP OPTIONS Request
 test_expect_success "OPTIONS to Gateway succeeds" '
-  curl -svX OPTIONS "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
+  curl -svX OPTIONS -H "Origin: https://example.com" "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
   cat curl_output
 '
 
@@ -51,7 +76,7 @@ test_expect_success "OPTIONS response for Gateway resource looks good" '
 
 test_kill_ipfs_daemon
 
-# Change headers
+# Test CORS safelisting of custom headers
 test_expect_success "Can configure gateway headers" '
   ipfs config --json Gateway.HTTPHeaders.Access-Control-Allow-Headers "[\"X-Custom1\"]" &&
   ipfs config --json Gateway.HTTPHeaders.Access-Control-Expose-Headers "[\"X-Custom2\"]" &&
@@ -60,12 +85,13 @@ test_expect_success "Can configure gateway headers" '
 
 test_launch_ipfs_daemon
 
-test_expect_success "OPTIONS to Gateway succeeds" '
-  curl -svX OPTIONS "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
+test_expect_success "OPTIONS to Gateway without custom headers succeeds" '
+  curl -svX OPTIONS -H "Origin: https://example.com" "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
   cat curl_output
 '
-
-test_expect_success "Access-Control-Allow-Headers extends" '
+# Range and Content-Range are safelisted by default, and keeping them makes better devexp
+# because it does not cause regressions in range requests made by JS
+test_expect_success "Access-Control-Allow-Headers extends the implicit list" '
   grep "< Access-Control-Allow-Headers: Range" curl_output &&
   grep "< Access-Control-Allow-Headers: X-Custom1" curl_output &&
   grep "< Access-Control-Expose-Headers: Content-Range" curl_output &&
@@ -75,29 +101,44 @@ test_expect_success "Access-Control-Allow-Headers extends" '
   grep "< Access-Control-Expose-Headers: X-Custom2" curl_output
 '
 
-test_expect_success "Access-Control-Allow-Origin replaces" '
+test_expect_success "OPTIONS to Gateway with a custom header succeeds" '
+  curl -svX OPTIONS -H "Origin: https://example.com" -H "Access-Control-Request-Headers: X-Unexpected-Custom" "http://127.0.0.1:$GWAY_PORT/ipfs/$thash" 2>curl_output &&
+  cat curl_output
+'
+test_expect_success "Access-Control-Allow-Headers extends the implicit list" '
+  test_expect_code 1 grep "< Access-Control-Allow-Headers: X-Unexpected-Custom" curl_output &&
+  grep "< Access-Control-Allow-Headers: Range" curl_output &&
+  grep "< Access-Control-Allow-Headers: X-Custom1" curl_output &&
+  grep "< Access-Control-Expose-Headers: Content-Range" curl_output &&
+  grep "< Access-Control-Expose-Headers: X-Custom2" curl_output
+'
+
+# Origin is sensitive security perimeter, and we assume override should remove
+# any implicit records
+test_expect_success "Access-Control-Allow-Origin replaces the implicit list" '
   grep "< Access-Control-Allow-Origin: localhost" curl_output
 '
 
-# Read-Only API (at the Gateway Port)
+# Read-Only /api/v0 RPC API (exposed on the Gateway Port)
 
 # HTTP GET Request
-test_expect_success "GET to API succeeds" '
+test_expect_success "GET to {gw}/api/v0 succeeds" '
   curl -svX GET "http://127.0.0.1:$GWAY_PORT/api/v0/cat?arg=$thash" >/dev/null 2>curl_output
 '
 # GET Response from the API should NOT contain CORS headers
 # Blacklisting: https://github.com/ipfs/go-ipfs/blob/5d9ee59908099df3f7e85679f7384c98d4ac8111/commands/http/handler.go#L71-L82
 # Rationale: https://github.com/ipfs/go-ipfs/pull/1529#issuecomment-125702347
-test_expect_success "OPTIONS response for API looks good" '
+test_expect_success "GET response from {gw}/api/v0 has no CORS headers" '
   grep -q "Access-Control-Allow-" curl_output && false || true
 '
 
 # HTTP OPTIONS Request
-test_expect_success "OPTIONS to API succeeds" '
-  curl -svX OPTIONS "http://127.0.0.1:$GWAY_PORT/api/v0/cat?arg=$thash" 2>curl_output
+test_expect_success "OPTIONS to {gw}/api/v0 succeeds" '
+  curl -svX OPTIONS -H "Origin: https://example.com" "http://127.0.0.1:$GWAY_PORT/api/v0/cat?arg=$thash" 2>curl_output
 '
 # OPTIONS Response from the API should NOT contain CORS headers
-test_expect_success "OPTIONS response for API looks good" '
+test_expect_success "OPTIONS response from {gw}/api/v0 has no CORS header" '
+  cat curl_output &&
   grep -q "Access-Control-Allow-" curl_output && false || true
 '