Addign cors headers unit tests

Author: dpacheco-groupieticket

server/server-core/build.gradle.kts

@@ -16,4 +16,5 @@ dependencies {
     implementation(libs.smithy.model)
     implementation(project(":io"))
     implementation(project(":logging"))
+    implementation(libs.netty.all)
 }

server/server-core/src/main/java/software/amazon/smithy/java/server/core/CorsHeaders.java

@@ -7,61 +7,59 @@
 
 import static software.amazon.smithy.java.core.schema.TraitKey.CORS_TRAIT;
 
-import java.util.*;
-import software.amazon.smithy.java.logging.InternalLogger;
-import software.amazon.smithy.model.traits.CorsTrait;
+import io.netty.handler.codec.http.HttpHeaders;
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
 
 public final class CorsHeaders {
-    private static final InternalLogger LOGGER = InternalLogger.getLogger(CorsHeaders.class);
 
-    private CorsHeaders() {} // Prevent instantiation
+    private CorsHeaders() {}
 
-    public static Map<String, List<String>> of(HttpJob job) {
+    private static final Map<String, Iterable<?>> BASE_CORS_HEADERS = Map.of(
+            "Access-Control-Allow-Methods",
+            List.of("GET, POST, PUT, DELETE, OPTIONS"),
+            "Access-Control-Allow-Headers",
+            List.of("*,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Amz-Sdk-Invocation-Id,Amz-Sdk-Request,Authorization,Content-Length,Content-Type,X-Amz-User-Agent,X-Amzn-Trace-Id"),
+            "Access-Control-Max-Age",
+            List.of("600"));
+
+    public static void of(HttpJob job, HttpHeaders headers) {
         if (!shouldAddCorsHeaders(job)) {
-            return Map.of();
+            return;
         }
 
         String requestOrigin = job.request().headers().firstValue("origin");
-        Optional<String> configuredOrigin = getConfiguredOrigin(job);
+        String configuredOrigin = getConfiguredOrigin(job);
 
-        if (!isOriginAllowed(configuredOrigin.orElse(null), requestOrigin)) {
-            return Map.of();
+        if (!isOriginAllowed(configuredOrigin, requestOrigin)) {
+            return;
         }
 
-        Map<String, List<String>> headers = new HashMap<>();
-        headers.put("Access-Control-Allow-Origin", List.of(requestOrigin));
-        headers.put("Access-Control-Allow-Methods", List.of("GET, POST, PUT, DELETE, OPTIONS"));
-        headers.put("Access-Control-Allow-Headers",
-                List.of("*,Access-Control-Allow-Headers,Access-Control-Allow-Methods,Access-Control-Allow-Origin,Amz-Sdk-Invocation-Id,Amz-Sdk-Request,Authorization,Content-Length,Content-Type,X-Amz-User-Agent,X-Amzn-Trace-Id"));
-        headers.put("Access-Control-Max-Age", List.of("600"));
+        for (Map.Entry<String, Iterable<?>> entrySet : BASE_CORS_HEADERS.entrySet()) {
+            headers.set(entrySet.getKey(), entrySet.getValue());
+        }
 
-        return headers;
+        headers.set("Access-Control-Allow-Origin", List.of(requestOrigin));
     }
 
     private static boolean shouldAddCorsHeaders(HttpJob job) {
-        if (job == null || job.operation() == null
-                || job.operation().getApiOperation() == null
-                ||
-                job.operation().getApiOperation().service() == null
-                ||
+        if (job.operation().getApiOperation().service() == null ||
                 job.operation().getApiOperation().service().schema() == null
                 ||
                 !job.operation().getApiOperation().service().schema().hasTrait(CORS_TRAIT)) {
             return false;
         }
-
-        return job.request() != null
-                && job.request().headers() != null
-                && job.request().headers().hasHeader("origin");
+        return job.request().headers().hasHeader("origin");
     }
 
-    private static Optional<String> getConfiguredOrigin(HttpJob job) {
-        return Optional.ofNullable(job.operation()
+    private static String getConfiguredOrigin(HttpJob job) {
+        return job.operation()
                 .getApiOperation()
                 .service()
                 .schema()
-                .getTrait(CORS_TRAIT))
-                .map(CorsTrait::getOrigin);
+                .getTrait(CORS_TRAIT)
+                .getOrigin();
     }
 
     private static boolean isOriginAllowed(String configuredOrigin, String requestOrigin) {

server/server-core/src/test/java/software/amazon/smithy/java/server/core/CorsHeadersTest.java

@@ -0,0 +1,127 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package software.amazon.smithy.java.server.core;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import io.netty.handler.codec.http.DefaultHttpHeaders;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Stream;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+import software.amazon.smithy.java.core.schema.ApiService;
+import software.amazon.smithy.java.core.schema.Schema;
+import software.amazon.smithy.java.http.api.HttpHeaders;
+import software.amazon.smithy.java.server.Operation;
+import software.amazon.smithy.model.traits.CorsTrait;
+
+public class CorsHeadersTest {
+
+    record TestCase(
+            String name,
+            String configuredOrigin,
+            String requestOrigin,
+            boolean shouldHaveHeaders,
+            String expectedAllowOrigin) {}
+
+    private static Stream<TestCase> corsTestCases() {
+        return Stream.of(
+                new TestCase(
+                        "No request origin header",
+                        "http://allowed-origin.com",
+                        null,
+                        false,
+                        null),
+                new TestCase(
+                        "Not allowed origin",
+                        "http://allowed-origin.com",
+                        "http://not-allowed-origin.com",
+                        false,
+                        null),
+                new TestCase(
+                        "Multiple allowed origins",
+                        "http://allowed-origin.com,http://other-allowed-origin.com",
+                        "http://allowed-origin.com",
+                        true,
+                        "http://allowed-origin.com"),
+                new TestCase(
+                        "Wildcard origin",
+                        "*",
+                        "http://any-origin.com",
+                        true,
+                        "http://any-origin.com"),
+                new TestCase(
+                        "Exact match origin",
+                        "http://allowed-origin.com",
+                        "http://allowed-origin.com",
+                        true,
+                        "http://allowed-origin.com"));
+    }
+
+    @ParameterizedTest(name = "{0}")
+    @MethodSource("corsTestCases")
+    void testCorsHeaders(TestCase testCase) throws URISyntaxException {
+        // Create operation with configured CORS origin
+        Operation testOperation = Operation.of(
+                "TestOperation",
+                (input, context) -> new TestStructs.TestOutput(),
+                new TestStructs.TestApiOperation(new ApiService() {
+                    @Override
+                    public Schema schema() {
+                        return Schema.structureBuilder(
+                                CorsTrait.ID,
+                                CorsTrait.builder().origin(testCase.configuredOrigin).build()).build();
+                    }
+                }),
+                new TestStructs.TestService());
+
+        // Create request headers
+        Map<String, List<String>> headerMap =
+                testCase.requestOrigin != null ? Map.of("Origin", List.of(testCase.requestOrigin)) : Map.of();
+        HttpHeaders requestHeaders = HttpHeaders.of(headerMap);
+
+        // Create request
+        HttpRequest request = new HttpRequest(
+                requestHeaders,
+                new URI("http://test.com"),
+                "GET");
+
+        // Create response and job
+        HttpResponse response = new HttpResponse(new TestStructs.TestModifiableHttpHeaders());
+        ServerProtocol protocol = new TestStructs.TestServerProtocol(List.of());
+        HttpJob job = new HttpJob(testOperation, protocol, request, response);
+
+        // Apply CORS headers
+        var responseHeaders = new DefaultHttpHeaders();
+        CorsHeaders.of(job, responseHeaders);
+
+        // Verify headers
+        if (testCase.shouldHaveHeaders) {
+            assertContainsHeader(responseHeaders, testCase.expectedAllowOrigin);
+        } else {
+            assertDoNotContainsHeader(responseHeaders);
+        }
+    }
+
+    private void assertContainsHeader(io.netty.handler.codec.http.HttpHeaders responseHeaders, String allowedOrigin) {
+        assertTrue(responseHeaders.contains("Access-Control-Allow-Methods"));
+        assertTrue(responseHeaders.contains("Access-Control-Allow-Headers"));
+        assertTrue(responseHeaders.contains("Access-Control-Max-Age"));
+        assertTrue(responseHeaders.contains("Access-Control-Allow-Origin"));
+        assertTrue(responseHeaders.get("Access-Control-Allow-Origin").contains(allowedOrigin));
+    }
+
+    private void assertDoNotContainsHeader(io.netty.handler.codec.http.HttpHeaders responseHeaders) {
+        assertFalse(responseHeaders.contains("Access-Control-Allow-Methods"));
+        assertFalse(responseHeaders.contains("Access-Control-Allow-Headers"));
+        assertFalse(responseHeaders.contains("Access-Control-Max-Age"));
+        assertFalse(responseHeaders.contains("Access-Control-Allow-Origin"));
+    }
+}