Add tests for CORS support (#72)

* Add tests for CORS support
* Use CSS from dockerhub image.
* Simplify tests and add higher level tests for server-cors requirement

Author: edwardsph

CHANGELOG.md

@@ -1,6 +1,7 @@
 # Solid Specification Conformance Tests
 
 ## Release 0.0.7
+* Test CORS support.
 * Change all github-related URIs to use accessible versions
 
 ## Release 0.0.6

protocol/cors/acao-vary.feature

@@ -0,0 +1,61 @@
+Feature: Server returns correct Access-Control-Allow-Origin and Vary headers
+
+  Background: Set up test container
+    * def testContainer = rootTestContainer.createContainer()
+    * def resource = testContainer.createResource('.txt', 'Hello', 'text/plain')
+
+  Scenario Outline: Access-Control-Allow-Origin header is set to correct origin for <method> on container
+    Given url testContainer.url
+    And headers clients.alice.getAuthHeaders('<method>', testContainer.url)
+    And header Origin = 'https://tester'
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match response <check>
+    Examples:
+      | method  | statuses   | check |
+      | OPTIONS | [200, 204] | == '' |
+      | GET     | [200]      | != '' |
+      | HEAD    | [200]      | == '' |
+
+  Scenario Outline: Vary header includes Origin for <method> on container
+    Given url testContainer.url
+    And headers clients.alice.getAuthHeaders('<method>', testContainer.url)
+    And header Origin = 'https://tester'
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Vary contains 'Origin'
+    And match response <check>
+    Examples:
+      | method  | statuses   | check |
+      | OPTIONS | [200, 204] | == '' |
+      | GET     | [200]      | != '' |
+      | HEAD    | [200]      | == '' |
+
+  Scenario Outline: Access-Control-Allow-Origin header is set to correct origin for <method> on resource
+    Given url resource.url
+    And headers clients.alice.getAuthHeaders('<method>', resource.url)
+    And header Origin = 'https://tester'
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match response <check>
+    Examples:
+      | method  | statuses   | check      |
+      | OPTIONS | [200, 204] | == ''      |
+      | GET     | [200]      | == 'Hello' |
+      | HEAD    | [200]      | == ''      |
+
+  Scenario Outline: Vary header includes Origin for <method> on resource
+    Given url resource.url
+    And headers clients.alice.getAuthHeaders('<method>', resource.url)
+    And header Origin = 'https://tester'
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Vary contains 'Origin'
+    And match response <check>
+    Examples:
+      | method  | statuses   | check      |
+      | OPTIONS | [200, 204] | == ''      |
+      | GET     | [200]      | == 'Hello' |
+      | HEAD    | [200]      | == ''      |

protocol/cors/accept-acah.feature

@@ -0,0 +1,47 @@
+# This only applies to pre-flight checks since that is where Access-Control-Allow-Headers is used
+Feature: Server should explicitly list Accept under Access-Control-Allow-Headers
+
+  Background: Set up test container
+    * def testContainer = rootTestContainer.createContainer()
+    * def resource = testContainer.createResource('.txt', 'Hello', 'text/plain')
+
+  Scenario: OPTIONS request doesn't return Accept in Access-Control-Allow-Headers for GET pre-flight if not requested
+    Given url testContainer.url
+    And headers clients.alice.getAuthHeaders('OPTIONS', testContainer.url)
+    And header Origin = 'https://tester'
+    And header Access-Control-Request-Method = 'GET'
+    And header Access-Control-Request-Headers = 'X-CUSTOM, Content-Type'
+    When method OPTIONS
+    Then match [200, 204] contains responseStatus
+    And match response == ''
+    And match header Access-Control-Allow-Headers !contains 'Accept'
+
+  Scenario: OPTIONS request returns Accept in Access-Control-Allow-Headers for POST pre-flight
+    Given url testContainer.url
+    And headers clients.alice.getAuthHeaders('OPTIONS', testContainer.url)
+    And header Origin = 'https://tester'
+    And header Access-Control-Request-Method = 'POST'
+    And header Access-Control-Request-Headers = 'X-CUSTOM, Content-Type, Accept'
+    When method OPTIONS
+    Then match [200, 204] contains responseStatus
+    And match response == ''
+    And match header Access-Control-Allow-Headers contains 'Accept'
+
+  Scenario: OPTIONS request returns Accept in Access-Control-Allow-Headers for GET pre-flight with long Accept
+    Given url testContainer.url
+    And headers clients.alice.getAuthHeaders('OPTIONS', testContainer.url)
+    And header Origin = 'https://tester'
+    And header Access-Control-Request-Method = 'GET'
+    And header Access-Control-Request-Headers = 'X-CUSTOM, Content-Type, Accept'
+    When method OPTIONS
+    Then match [200, 204] contains responseStatus
+    And match response == ''
+    And match header Access-Control-Allow-Headers contains 'Accept'
+
+    Given url testContainer.url
+    And headers clients.alice.getAuthHeaders('GET', testContainer.url)
+    And header Accept = 'text/turtle;q=0.9, application/rdf+xml;q=0.8, application/n-triples;q=0.8, application/n-quads;q=0.8, text/x-nquads;q=0.8, application/trig;q=0.8, text/n3;q=0.8, application/ld+json;q=0.8, application/x-binary-rdf;q=0.8, text/plain;q=0.7'
+    When method GET
+    Then status 200
+    And match response != ''
+    And match header Content-Type contains 'text/turtle'

protocol/cors/access-control-headers.feature

@@ -0,0 +1,39 @@
+# Simple requests
+# - Methods: GET, HEAD, POST
+# - Extra headers: Accept, Accept-Language, Content-Language, Content-Type (application/x-www-form-urlencoded, multipart/form-data, text/plain)
+# Pre-flight requests - handled in a separate test since it has its own requirement
+Feature: Server must respond to requests sending Origin with the appropriate Access-Control-* headers
+
+  Background: Set up test container and test data
+    * def testContainer = rootTestContainer.createContainer()
+
+  Scenario Outline: Simple request: <method> request returns access control headers
+    Given url testContainer.url
+    And header Origin = 'https://tester'
+    And headers <headers>
+    * <body>
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Credentials == 'true'
+    Examples:
+      | method | headers!                       | body            | statuses |
+      | GET    | {Accept: 'text/turtle'}        | def ignore = 1  | [401]    |
+      | HEAD   | {}                             | def ignore = 1  | [401]    |
+      | POST   | {'Content-Type': 'text/plain'} | request "Hello" | [401]    |
+
+  Scenario Outline: Requests with credentials: <method> request returns access control headers
+    Given url testContainer.url
+    And headers clients.alice.getAuthHeaders('<method>', testContainer.url)
+    And header Origin = 'https://tester'
+    And headers <headers>
+    * <body>
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Credentials == 'true'
+    Examples:
+      | method | headers!                       | body            | statuses             |
+      | GET    | {Accept: 'text/turtle'}        | def ignore = 1  | [200]                |
+      | HEAD   | {}                             | def ignore = 1  | [200]                |
+      | POST   | {'Content-Type': 'text/plain'} | request "Hello" | [200, 201, 204, 205] |

protocol/cors/enumerate-headers.feature

@@ -0,0 +1,22 @@
+Feature: Server should enumerate headers in Access-Control-Expose-Headers
+
+  Background: Set up test container (not empty)
+    * def testContainer = rootTestContainer.createContainer()
+    * def resource = testContainer.createResource('.txt', 'Hello', 'text/plain')
+
+  Scenario: Access-Control-Expose-Headers is present but not *
+    Given url testContainer.url
+    And headers clients.alice.getAuthHeaders('GET', testContainer.url)
+    And header Origin = 'https://tester'
+    And header Accept = 'text/turtle'
+    When method GET
+    Then status 200
+    And match header Access-Control-Expose-Headers != null
+    And match header Access-Control-Expose-Headers != '*'
+    And match response != ''
+
+  # To test this enumerates all headers we could split it on ', ' and compare to the set of all keys in responseHeaders
+  # The FETCH spec says
+  #   "A response will typically get its CORS-exposed header-name list set by extracting header values from the
+  #   `Access-Control-Expose-Headers` header. This list is used by a CORS filtered response to determine which headers to expose."
+  # This makes it sound as though the important thing is the intersection - it doesn't matter if headers are in one list but not the other.

protocol/cors/preflight-requests.feature

@@ -0,0 +1,67 @@
+Feature: Server must implement the CORS protocol for preflight requests
+
+  Background: Set up test container and resource
+    * def testContainer = rootTestContainer.createContainer()
+    * def resource = testContainer.createResource('.txt', 'Hello', 'text/plain')
+
+  Scenario Outline: Pre-flight CORS request for <method> request
+    Given url testContainer.url
+    And header Origin = 'https://tester'
+    And header Access-Control-Request-Method = '<method>'
+    And header Access-Control-Request-Headers = 'X-CUSTOM, Content-Type, Accept'
+    When method OPTIONS
+    Then match [200, 204] contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Methods contains '<method>'
+    And match header Access-Control-Allow-Headers contains 'X-CUSTOM'
+    And match header Access-Control-Allow-Headers contains 'Content-Type'
+    And match header Access-Control-Allow-Headers contains 'Accept'
+    And match header Access-Control-Allow-Credentials == 'true'
+    And match header Access-Control-Expose-Headers != null
+    And match response == ''
+
+    Given url testContainer.url
+    And header Origin = 'https://tester'
+    And headers clients.alice.getAuthHeaders('<method>', testContainer.url)
+    # Demonstrates the case where a long Accept header is allowed
+    And header Accept = 'text/turtle;q=0.9, application/rdf+xml;q=0.8, application/n-triples;q=0.8, application/n-quads;q=0.8, text/x-nquads;q=0.8, application/trig;q=0.8, text/n3;q=0.8, application/ld+json;q=0.8, application/x-binary-rdf;q=0.8, text/plain;q=0.7'
+    * <body>
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Credentials == 'true'
+    And match header Access-Control-Expose-Headers != null
+    And match header Access-Control-Expose-Headers != '*'
+    # Check Content-Type on GET request only
+    And <check>
+    And match header Vary contains 'Origin'
+    Examples:
+      | method | body            | statuses             | check                                            |
+      | GET    | def ignore = 1  | [200]                | match header Content-Type contains 'text/turtle' |
+      | HEAD   | def ignore = 1  | [200]                | def ignore = 1                                   |
+      | POST   | request "Hello" | [200, 201, 204, 205] | def ignore = 1                                   |
+
+  @http-redirect
+  Scenario: OPTIONS request returns headers for pre-flight check after redirect from http
+    * configure followRedirects = false
+    Given url testContainer.url.replace(/^https:/, 'http:')
+    And header Origin = 'https://tester'
+    And header Access-Control-Request-Method = 'POST'
+    And header Access-Control-Request-Headers = 'X-CUSTOM, Content-Type'
+    When method OPTIONS
+    Then match [301, 308] contains responseStatus
+    * def location = responseHeaders['Location'][0]
+
+    Given url location
+    And header Origin = 'https://tester'
+    And header Access-Control-Request-Method = 'POST'
+    And header Access-Control-Request-Headers = 'X-CUSTOM, Content-Type'
+    When method OPTIONS
+    Then match [200, 204] contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Methods contains 'POST'
+    And match header Access-Control-Allow-Headers contains 'X-CUSTOM'
+    And match header Access-Control-Allow-Headers contains 'Content-Type'
+    And match header Access-Control-Allow-Credentials == 'true'
+    And match header Access-Control-Expose-Headers != null
+    And match response == ''

protocol/cors/preflight.feature

@@ -0,0 +1,45 @@
+Feature: Server must support HTTP OPTIONS for CORS preflight requests
+
+  Background: Set up test container
+    * def testContainer = rootTestContainer.createContainer()
+
+  Scenario: OPTIONS request returns headers for pre-flight check
+    Given url testContainer.url
+    And header Origin = 'https://tester'
+    And header Access-Control-Request-Method = 'POST'
+    And header Access-Control-Request-Headers = 'X-CUSTOM, Content-Type'
+    When method OPTIONS
+    Then match [200, 204] contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Methods contains 'POST'
+    And match header Access-Control-Allow-Headers contains 'X-CUSTOM'
+    And match header Access-Control-Allow-Headers contains 'Content-Type'
+    And match header Access-Control-Allow-Credentials == 'true'
+    # We should check the list of headers exposed but what is the required list
+    And match header Access-Control-Expose-Headers != null
+    And match response == ''
+
+  @http-redirect
+  Scenario: OPTIONS request returns headers for pre-flight check after redirect from http
+    Given url testContainer.url.replace(/^https:/, 'http:')
+    And header Origin = 'https://tester'
+    And header Access-Control-Request-Method = 'POST'
+    And header Access-Control-Request-Headers = 'X-CUSTOM, Content-Type'
+    When method OPTIONS
+    Then match [301, 308] contains responseStatus
+    * def location = responseHeaders['Location'][0]
+
+    Given url location
+    And header Origin = 'https://tester'
+    And header Access-Control-Request-Method = 'POST'
+    And header Access-Control-Request-Headers = 'X-CUSTOM, Content-Type'
+    When method OPTIONS
+    Then match [200, 204] contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Methods contains 'POST'
+    And match header Access-Control-Allow-Headers contains 'X-CUSTOM'
+    And match header Access-Control-Allow-Headers contains 'Content-Type'
+    And match header Access-Control-Allow-Credentials == 'true'
+    # We should check the list of headers exposed but what is the required list
+    And match header Access-Control-Expose-Headers != null
+    And match response == ''

protocol/cors/simple-requests.feature

@@ -0,0 +1,80 @@
+# Simple requests
+# - Methods: GET, HEAD, POST
+# - Safe headers: Accept, Accept-Language, Content-Language, Content-Type (application/x-www-form-urlencoded, multipart/form-data, text/plain)
+Feature: Server must implement the CORS protocol for simple requests
+
+  Background: Set up test container and test data
+    * def testContainer = rootTestContainer.createContainer()
+    * def resource = testContainer.createResource('.txt', 'Hello', 'text/plain')
+
+  Scenario Outline: Simple container request: <method> request returns access control headers
+    Given url testContainer.url
+    And header Origin = 'https://tester'
+    And headers <headers>
+    * <body>
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Credentials == 'true'
+    And match header Access-Control-Expose-Headers != null
+    And match header Access-Control-Expose-Headers != '*'
+    And match header Vary contains 'Origin'
+    Examples:
+      | method | headers!                       | body            | statuses |
+      | GET    | {Accept: 'text/turtle'}        | def ignore = 1  | [401]    |
+      | HEAD   | {}                             | def ignore = 1  | [401]    |
+      | POST   | {'Content-Type': 'text/plain'} | request "Hello" | [401]    |
+
+  Scenario Outline: Simple resource request: <method> request returns access control headers
+    Given url resource.url
+    And header Origin = 'https://tester'
+    And headers <headers>
+    * <body>
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Credentials == 'true'
+    And match header Access-Control-Expose-Headers != null
+    And match header Access-Control-Expose-Headers != '*'
+    And match header Vary contains 'Origin'
+    Examples:
+      | method | headers!                       | body            | statuses |
+      | GET    | {Accept: 'text/plain'}         | def ignore = 1  | [401]    |
+      | HEAD   | {}                             | def ignore = 1  | [401]    |
+
+  Scenario Outline: Requests container with credentials: <method> request returns access control headers
+    Given url testContainer.url
+    And headers clients.alice.getAuthHeaders('<method>', testContainer.url)
+    And header Origin = 'https://tester'
+    And headers <headers>
+    * <body>
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Credentials == 'true'
+    And match header Access-Control-Expose-Headers != null
+    And match header Access-Control-Expose-Headers != '*'
+    And match header Vary contains 'Origin'
+    Examples:
+      | method | headers!                       | body            | statuses             |
+      | GET    | {Accept: 'text/turtle'}        | def ignore = 1  | [200]                |
+      | HEAD   | {}                             | def ignore = 1  | [200]                |
+      | POST   | {'Content-Type': 'text/plain'} | request "Hello" | [200, 201, 204, 205] |
+
+  Scenario Outline: Requests resource with credentials: <method> request returns access control headers
+    Given url resource.url
+    And headers clients.alice.getAuthHeaders('<method>', resource.url)
+    And header Origin = 'https://tester'
+    And headers <headers>
+    * <body>
+    When method <method>
+    Then match <statuses> contains responseStatus
+    And match header Access-Control-Allow-Origin == 'https://tester'
+    And match header Access-Control-Allow-Credentials == 'true'
+    And match header Access-Control-Expose-Headers != null
+    And match header Access-Control-Expose-Headers != '*'
+    And match header Vary contains 'Origin'
+    Examples:
+      | method | headers!                       | body            | statuses             |
+      | GET    | {Accept: 'text/plain'}         | def ignore = 1  | [200]                |
+      | HEAD   | {}                             | def ignore = 1  | [200]                |