@@ -33,7 +33,7 @@ func init() {
3333
3434var HTTPRouteCORS = suite.ConformanceTest {
3535 ShortName : "HTTPRouteCORS" ,
36- Description : "An HTTPRoute with CORS filter" ,
36+ Description : "An HTTPRoute with CORS filter should allow CORS requests from specified origins " ,
3737 Manifests : []string {"tests/httproute-cors.yaml" },
3838 Features : []features.FeatureName {
3939 features .SupportGateway ,
@@ -49,6 +49,7 @@ var HTTPRouteCORS = suite.ConformanceTest{
4949
5050 testCases := []http.ExpectedResponse {
5151 {
52+ TestCaseName : "CORS preflight request from an exact mactching origin should be allowed" ,
5253 Request : http.Request {
5354 Path : "/" ,
5455 Method : "OPTIONS" ,
@@ -74,10 +75,132 @@ var HTTPRouteCORS = suite.ConformanceTest{
7475 Response : http.Response {
7576 StatusCode : 200 ,
7677 Headers : map [string ]string {
77- "access-control-allow-origin" : "https://www.foo.com" ,
78- "access-control-allow-methods" : "GET, POST, PUT, PATCH, DELETE, OPTIONS" ,
79- "access-control-allow-headers" : "x-header-1, x-header-2" ,
80- "access-control-expose-headers" : "x-header-3, x-header-4" ,
78+ "access-control-allow-origin" : "https://www.foo.com" ,
79+ "access-control-allow-methods" : "GET, POST, PUT, PATCH, OPTIONS" ,
80+ "access-control-allow-headers" : "x-header-1, x-header-2" ,
81+ "access-control-expose-headers" : "x-header-3, x-header-4" ,
82+ "access-control-max-age" : "3600" ,
83+ "access-control-allow-credentials" : "true" ,
84+ },
85+ },
86+ },
87+ {
88+ TestCaseName : "CORS preflight request from a wildcard matching origin should be allowed" ,
89+ Request : http.Request {
90+ Path : "/" ,
91+ Method : "OPTIONS" ,
92+ Headers : map [string ]string {
93+ "Origin" : "https://www.bar.com" ,
94+ "access-control-request-method" : "GET" ,
95+ "access-control-request-headers" : "x-header-1, x-header-2" ,
96+ },
97+ },
98+ // Set the expected request properties and namespace to empty strings.
99+ // This is a workaround to avoid the test failure.
100+ // The response body is empty because the request is a preflight request,
101+ // so we can't get the request properties from the echoserver.
102+ ExpectedRequest : & http.ExpectedRequest {
103+ Request : http.Request {
104+ Host : "" ,
105+ Method : "OPTIONS" ,
106+ Path : "" ,
107+ Headers : nil ,
108+ },
109+ },
110+ Namespace : "" ,
111+ Response : http.Response {
112+ StatusCode : 200 ,
113+ Headers : map [string ]string {
114+ "access-control-allow-origin" : "https://www.bar.com" ,
115+ "access-control-allow-methods" : "GET, POST, PUT, PATCH, OPTIONS" ,
116+ "access-control-allow-headers" : "x-header-1, x-header-2" ,
117+ "access-control-expose-headers" : "x-header-3, x-header-4" ,
118+ "access-control-max-age" : "3600" ,
119+ "access-control-allow-credentials" : "true" ,
120+ },
121+ },
122+ },
123+ {
124+ TestCaseName : "CORS preflight request from a non-matching origin should not be allowed" ,
125+ Request : http.Request {
126+ Path : "/" ,
127+ Method : "OPTIONS" ,
128+ Headers : map [string ]string {
129+ "Origin" : "https://foobar.com" ,
130+ "access-control-request-method" : "GET" ,
131+ },
132+ },
133+ // Set the expected request properties and namespace to empty strings.
134+ // This is a workaround to avoid the test failure.
135+ // The response body is empty because the request is a preflight request,
136+ // so we can't get the request properties from the echoserver.
137+ ExpectedRequest : & http.ExpectedRequest {
138+ Request : http.Request {
139+ Host : "" ,
140+ Method : "OPTIONS" ,
141+ Path : "" ,
142+ Headers : nil ,
143+ },
144+ },
145+ Namespace : "" ,
146+ Response : http.Response {
147+ AbsentHeaders : []string {
148+ "access-control-allow-origin" ,
149+ },
150+ },
151+ },
152+ {
153+ TestCaseName : "Simple request from an exact mactching origin should be allowed" ,
154+ Namespace : ns ,
155+ Request : http.Request {
156+ Path : "/" ,
157+ Method : "GET" ,
158+ Headers : map [string ]string {
159+ "Origin" : "https://www.foo.com" ,
160+ "access-control-request-method" : "GET" ,
161+ "access-control-request-headers" : "x-header-1, x-header-2" ,
162+ },
163+ },
164+ Response : http.Response {
165+ StatusCode : 200 ,
166+ Headers : map [string ]string {
167+ "access-control-allow-origin" : "https://www.foo.com" ,
168+ },
169+ },
170+ },
171+ {
172+ TestCaseName : "Simple request from a wildcard matching origin should be allowed" ,
173+ Namespace : ns ,
174+ Request : http.Request {
175+ Path : "/" ,
176+ Method : "GET" ,
177+ Headers : map [string ]string {
178+ "Origin" : "https://www.bar.com" ,
179+ "access-control-request-method" : "GET" ,
180+ "access-control-request-headers" : "x-header-1, x-header-2" ,
181+ },
182+ },
183+ Response : http.Response {
184+ StatusCode : 200 ,
185+ Headers : map [string ]string {
186+ "access-control-allow-origin" : "https://www.bar.com" ,
187+ },
188+ },
189+ },
190+ {
191+ TestCaseName : "Simple request from a non-matching origin should not be allowed" ,
192+ Namespace : ns ,
193+ Request : http.Request {
194+ Path : "/" ,
195+ Method : "GET" ,
196+ Headers : map [string ]string {
197+ "Origin" : "https://foobar.com" ,
198+ "access-control-request-method" : "GET" ,
199+ },
200+ },
201+ Response : http.Response {
202+ AbsentHeaders : []string {
203+ "access-control-allow-origin" ,
81204 },
82205 },
83206 },
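Review bot: The two non-matching-origin cases (new lines 123-151 and 190-204) assert only that `access-control-allow-origin` is absent, although the matching cases now expect `access-control-allow-credentials: true`. Since the policy is credentialed, the negative cases should pin at least that header as well: `AbsentHeaders: []string{"access-control-allow-origin", "access-control-allow-credentials"},`. The only rejected origin is `https://foobar.com`, and the wildcard pattern lives in `tests/httproute-cors.yaml`, which this diff does not show. A further negative case would catch overly loose wildcard matching, for instance an origin that merely embeds an allowed host (constructed example: `https://www.bar.com.example.org`) or one that differs only by scheme. Separately, `mactching` in the `TestCaseName` strings at new lines 52 and 153 should read `matching`, and the new `Description` at line 36 ends with a stray space; the `HTTPRouteCORS` literal continues outside these hunks.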