Merge pull request #33139 from owncloud/stable10-3cdbd3fc21250dfc0065…

…ba3817b0ad6e7da214d2 [stable10] Support global CORS domains for public pages
owncloud · Oct 15, 2018 · e351a40 · e351a40
2 parents 924e6e1 + 5e03ca6
commit e351a40
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 18 deletions.
diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -98,9 +98,9 @@ public function afterController($controller, $methodName, Response $response) {
 			$userId = $this->session->getUser()->getUID();
 		}
 
-		if ($this->request->getHeader("Origin") !== null &&
-			$this->reflector->hasAnnotation('CORS') && $userId !== null) {
-			$requesterDomain = $this->request->getHeader("Origin");
+		if ($this->request->getHeader('Origin') !== null &&
+			$this->reflector->hasAnnotation('CORS')) {
+			$requesterDomain = $this->request->getHeader('Origin');
 
 			$headers = \OC_Response::setCorsHeaders($userId, $requesterDomain, $this->config);
 			foreach ($headers as $key => $value) {

diff --git a/lib/private/legacy/response.php b/lib/private/legacy/response.php
@@ -289,7 +289,7 @@ public static function setCorsHeaders($userId, $domain, \OCP\IConfig $config = n
 		// first check if any of the global CORS domains matches
 		$globalAllowedDomains = $config->getSystemValue('cors.allowed-domains', []);
 		$isCorsRequest = (\is_array($globalAllowedDomains) && \in_array($domain, $globalAllowedDomains));
-		if (!$isCorsRequest) {
+		if (!$isCorsRequest && $userId !== null) {
 			// check if any of the user specific CORS domains matches
 			$allowedDomains = \json_decode($config->getUserValue($userId, 'core', 'domains'));
 			$isCorsRequest = (\is_array($allowedDomains) && \in_array($domain, $allowedDomains));

diff --git a/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php b/tests/lib/AppFramework/Middleware/Security/CORSMiddlewareTest.php
@@ -20,13 +20,28 @@
 use OCP\IConfig;
 use OCP\IUser;
 use OCP\IUserSession;
+use OCP\Security\ISecureRandom;
+use OC\User\Session;
 
 /**
  * Class CORSMiddlewareTest
  */
 class CORSMiddlewareTest extends \Test\TestCase {
+	/** @var ControllerMethodReflector */
 	private $reflector;
+	/** @var Session */
 	private $session;
+	/** @var IConfig */
+	private $config;
+	/** @var IUserSession */
+	private $fakeSession;
+
+	public function providesConfigForPublicPageTest() {
+		return [
+			'no cors domain in system config' => [false, []],
+			'cors domain in system config' => [true, ['http://www.test.com']]
+		];
+	}
 
 	protected function setUp() {
 		parent::setUp();
@@ -37,7 +52,7 @@ protected function setUp() {
 
 		$this->reflector = new ControllerMethodReflector();
 
-		$this->session = $this->getMockBuilder('\OC\User\Session')
+		$this->session = $this->getMockBuilder(Session::class)
 			->disableOriginalConstructor()
 			->getMock();
 
@@ -59,7 +74,7 @@ public function testSetCORSAPIHeader() {
 					'HTTP_ORIGIN' => 'http://www.test.com'
 				]
 			],
-			$this->createMock('\OCP\Security\ISecureRandom'),
+			$this->createMock(ISecureRandom::class),
 			$this->config
 		);
 
@@ -76,15 +91,54 @@ public function testSetCORSAPIHeader() {
 		$this->assertEquals('http://www.test.com', $headers['Access-Control-Allow-Origin']);
 	}
 
+	/**
+	 * @dataProvider providesConfigForPublicPageTest
+	 * @CORS
+	 */
+	public function testCorsOnPublicPage($expected, $systemConfig) {
+		/** @var IUserSession $userSession */
+		$userSession = $this->createMock(IUserSession::class);
+		$config = $this->createMock(IConfig::class);
+		$config->method('getUserValue')->willReturn('');
+		$config->method('getSystemValue')->willReturn($systemConfig);
+
+		$request = new Request(
+			[
+				'server' => [
+					'HTTP_ORIGIN' => 'http://www.test.com'
+				]
+			],
+			$this->createMock(ISecureRandom::class),
+			$config
+		);
+
+		$this->reflector->reflect($this, __FUNCTION__);
+		$middleware = new CORSMiddleware(
+			$request,
+			$this->reflector,
+			$userSession,
+			$config
+		);
+
+		$response = $middleware->afterController($this, __FUNCTION__, new Response());
+		$headers = $response->getHeaders();
+		if ($expected) {
+			self::assertArrayHasKey('Access-Control-Allow-Origin', $headers);
+			self::assertEquals('http://www.test.com', $headers['Access-Control-Allow-Origin']);
+		} else {
+			self::assertArrayNotHasKey('Access-Control-Allow-Origin', $headers);
+		}
+	}
+
 	public function testNoAnnotationNoCORSHEADER() {
 		$request = new Request(
 			[
 				'server' => [
 					'HTTP_ORIGIN' => 'test'
 				]
 			],
-			$this->createMock('\OCP\Security\ISecureRandom'),
-			$this->createMock('\OCP\IConfig')
+			$this->createMock(ISecureRandom::class),
+			$this->createMock(IConfig::class)
 		);
 		$middleware = new CORSMiddleware(
 			$request,
@@ -104,8 +158,8 @@ public function testNoAnnotationNoCORSHEADER() {
 	public function testNoOriginHeaderNoCORSHEADER() {
 		$request = new Request(
 			[],
-			$this->createMock('\OCP\Security\ISecureRandom'),
-			$this->createMock('\OCP\IConfig')
+			$this->createMock(ISecureRandom::class),
+			$this->createMock(IConfig::class)
 		);
 		$this->reflector->reflect($this, __FUNCTION__);
 		$middleware = new CORSMiddleware(
@@ -131,8 +185,8 @@ public function testCorsIgnoredIfWithCredentialsHeaderPresent() {
 					'HTTP_ORIGIN' => 'http://www.test.com',
 				]
 			],
-			$this->createMock('\OCP\Security\ISecureRandom'),
-			$this->createMock('\OCP\IConfig')
+			$this->createMock(ISecureRandom::class),
+			$this->createMock(IConfig::class)
 		);
 		$this->reflector->reflect($this, __FUNCTION__);
 		$middleware = new CORSMiddleware(
@@ -153,8 +207,8 @@ public function testAfterExceptionWithSecurityExceptionNoStatus() {
 				'PHP_AUTH_USER' => 'user',
 				'PHP_AUTH_PW' => 'pass'
 			]],
-			$this->createMock('\OCP\Security\ISecureRandom'),
-			$this->createMock('\OCP\IConfig')
+			$this->createMock(ISecureRandom::class),
+			$this->createMock(IConfig::class)
 		);
 		$middleware = new CORSMiddleware(
 			$request,
@@ -174,8 +228,8 @@ public function testAfterExceptionWithSecurityExceptionWithStatus() {
 				'PHP_AUTH_USER' => 'user',
 				'PHP_AUTH_PW' => 'pass'
 			]],
-			$this->createMock('\OCP\Security\ISecureRandom'),
-			$this->createMock('\OCP\IConfig')
+			$this->createMock(ISecureRandom::class),
+			$this->createMock(IConfig::class)
 		);
 		$middleware = new CORSMiddleware(
 			$request,
@@ -199,8 +253,8 @@ public function testAfterExceptionWithRegularException() {
 				'PHP_AUTH_USER' => 'user',
 				'PHP_AUTH_PW' => 'pass'
 			]],
-			$this->createMock('\OCP\Security\ISecureRandom'),
-			$this->createMock('\OCP\IConfig')
+			$this->createMock(ISecureRandom::class),
+			$this->createMock(IConfig::class)
 		);
 		$middleware = new CORSMiddleware(
 			$request,