Added test to use specific allowed origin.

COSSAS · May 1, 2024 · 56c3119 · 56c3119
1 parent 0197c6c
commit 56c3119
Showing 1 changed file with 47 additions and 0 deletions.
diff --git a/test/integration/api/api_test.go b/test/integration/api/api_test.go
@@ -41,3 +41,50 @@ func TestCorsHeader(t *testing.T) {
 	assert.Equal(t, "*", origins)
 
 }
+
+func TestCorsHeaderFromNonAllowedOrigin(t *testing.T) {
+
+	// Set example.com as allowed origin
+	t.Setenv("SOARCA_ALLOWED_ORIGINS", "http://example.com")
+
+	// Start SOARCA in separate threat
+	go initializeSoarca(t)
+
+	// Wait for the server to be online
+	time.Sleep(400 * time.Millisecond)
+
+	client := http.Client{}
+	buffer := bytes.NewBufferString("")
+	request, err := http.NewRequest("POST", "http://localhost:8080", buffer)
+	if err != nil {
+		t.Fail()
+	}
+
+	request.Header.Add("Origin", "http://example.com")
+	response, err := client.Do(request)
+	if err != nil {
+		t.Log(err)
+		t.Fail()
+	}
+	origins := response.Header.Get("Access-Control-Allow-Origin")
+	t.Log(response)
+	assert.Equal(t, http.StatusNotFound, response.StatusCode) // We expect 404 do to the empty request body
+	assert.Equal(t, "http://example.com", origins)
+
+	client2 := http.Client{}
+	buffer2 := bytes.NewBufferString("")
+	request2, err := http.NewRequest("POST", "http://localhost:8080", buffer2)
+	if err != nil {
+		t.Fail()
+	}
+
+	request2.Header.Add("Origin", "http://example2.com")
+	response2, err := client2.Do(request2)
+	if err != nil {
+		t.Log(err)
+		t.Fail()
+	}
+	t.Log(response2)
+	assert.Equal(t, http.StatusForbidden, response2.StatusCode)
+
+}