diff --git a/extensions/vertx-http/deployment/src/main/java/io/quarkus/devui/deployment/DevUIProcessor.java b/extensions/vertx-http/deployment/src/main/java/io/quarkus/devui/deployment/DevUIProcessor.java
index bee1adcbebb577..c995e43333b4f4 100644
--- a/extensions/vertx-http/deployment/src/main/java/io/quarkus/devui/deployment/DevUIProcessor.java
+++ b/extensions/vertx-http/deployment/src/main/java/io/quarkus/devui/deployment/DevUIProcessor.java
@@ -139,7 +139,6 @@ void registerDevUiHandlers(
 if (devUIConfig.cors.enabled) {
 routeProducer.produce(nonApplicationRootPathBuildItem.routeBuilder()
 .orderedRoute(DEVUI + SLASH_ALL, -1 * FilterBuildItem.CORS)
- //.route(DEVUI + SLASH_ALL)
 .handler(new DevConsoleCORSFilter())
 .build());
 }
diff --git a/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/devmode/console/DevConsoleProcessor.java b/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/devmode/console/DevConsoleProcessor.java
index 97efb0a0030fe8..f70d7def670250 100644
--- a/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/devmode/console/DevConsoleProcessor.java
+++ b/extensions/vertx-http/deployment/src/main/java/io/quarkus/vertx/http/deployment/devmode/console/DevConsoleProcessor.java
@@ -495,7 +495,6 @@ public void setupDevConsoleRoutes(
 if (devUIConfig.cors.enabled) {
 routeBuildItemBuildProducer.produce(nonApplicationRootPathBuildItem.routeBuilder()
 .orderedRoute("dev-v1/*", -1 * FilterBuildItem.CORS)
- //.route("dev-v1/*")
 .handler(new DevConsoleCORSFilter())
 .build());
 }
diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/devui/DevUICorsTest.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/devui/DevUICorsTest.java
new file mode 100644
index 00000000000000..f17f7e5f636c1d
--- /dev/null
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/devui/DevUICorsTest.java
@@ -0,0 +1,194 @@
+package io.quarkus.vertx.http.devui;
+
+import static org.hamcrest.Matchers.emptyOrNullString;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.nullValue;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusDevModeTest;
+import io.restassured.RestAssured;
+
+public class DevUICorsTest {
+
+ @RegisterExtension
+ static final QuarkusDevModeTest config = new QuarkusDevModeTest()
+ .withEmptyApplication();
+
+ @Test
+ public void testPreflightHttpLocalhostOrigin() {
+ String origin = "http://localhost:8080";
+ String methods = "GET,POST";
+ RestAssured.given()
+ .header("Origin", origin)
+ .header("Access-Control-Request-Method", methods)
+ .when()
+ .options("q/dev-ui/configuration-form-editor").then()
+ .statusCode(200)
+ .header("Access-Control-Allow-Origin", origin)
+ .header("Access-Control-Allow-Methods", methods)
+ .body(emptyOrNullString());
+ }
+
+ @Test
+ public void testPreflightHttpLocalhostIpOrigin() {
+ String origin = "http://127.0.0.1:8080";
+ String methods = "GET,POST";
+ RestAssured.given()
+ .header("Origin", origin)
+ .header("Access-Control-Request-Method", methods)
+ .when()
+ .options("q/dev-ui/configuration-form-editor").then()
+ .statusCode(200)
+ .header("Access-Control-Allow-Origin", origin)
+ .header("Access-Control-Allow-Methods", methods)
+ .body(emptyOrNullString());
+ }
+
+ @Test
+ public void testPreflightHttpsLocalhostOrigin() {
+ String origin = "https://localhost:8443";
+ String methods = "GET,POST";
+ RestAssured.given()
+ .header("Origin", origin)
+ .header("Access-Control-Request-Method", methods)
+ .when()
+ .options("q/dev-ui/configuration-form-editor").then()
+ .statusCode(200)
+ .header("Access-Control-Allow-Origin", origin)
+ .header("Access-Control-Allow-Methods", methods)
+ .body(emptyOrNullString());
+ }
+
+ @Test
+ public void testPreflightHttpsLocalhostIpOrigin() {
+ String origin = "https://127.0.0.1:8443";
+ String methods = "GET,POST";
+ RestAssured.given()
+ .header("Origin", origin)
+ .header("Access-Control-Request-Method", methods)
+ .when()
+ .options("q/dev-ui/configuration-form-editor").then()
+ .statusCode(200)
+ .header("Access-Control-Allow-Origin", origin)
+ .header("Access-Control-Allow-Methods", methods)
+ .body(emptyOrNullString());
+ }
+
+ @Test
+ public void testPreflightNonLocalhostOrigin() {
+ String methods = "GET,POST";
+ RestAssured.given()
+ .header("Origin", "https://quarkus.io/http://localhost")
+ .header("Access-Control-Request-Method", methods)
+ .when()
+ .options("q/dev-ui/configuration-form-editor").then()
+ .statusCode(403)
+ .header("Access-Control-Allow-Origin", nullValue())
+ .header("Access-Control-Allow-Methods", nullValue())
+ .body(emptyOrNullString());
+ }
+
+ @Test
+ public void testPreflightBadLocalhostOrigin() {
+ String methods = "GET,POST";
+ RestAssured.given()
+ .header("Origin", "http://localhost:8080/devui")
+ .header("Access-Control-Request-Method", methods)
+ .when()
+ .options("q/dev-ui/configuration-form-editor").then()
+ .statusCode(403)
+ .header("Access-Control-Allow-Origin", nullValue())
+ .body(emptyOrNullString());
+ }
+
+ @Test
+ public void testPreflightBadLocalhostIpOrigin() {
+ String methods = "GET,POST";
+ RestAssured.given()
+ .header("Origin", "http://127.0.0.1:8080/devui")
+ .header("Access-Control-Request-Method", methods)
+ .when()
+ .options("q/dev-ui/configuration-form-editor").then()
+ .statusCode(403)
+ .header("Access-Control-Allow-Origin", nullValue())
+ .body(emptyOrNullString());
+ }
+
+ @Test
+ public void testPreflightLocalhostOriginWithoutPort() {
+ String methods = "GET,POST";
+ RestAssured.given()
+ .header("Origin", "http://localhost")
+ .header("Access-Control-Request-Method", methods)
+ .when()
+ .options("q/dev-ui/configuration-form-editor").then()
+ .statusCode(403)
+ .header("Access-Control-Allow-Origin", nullValue())
+ .body(emptyOrNullString());
+ }
+
+ @Test
+ public void testSimpleRequestHttpLocalhostOrigin() {
+ String origin = "http://localhost:8080";
+ RestAssured.given()
+ .header("Origin", origin)
+ .when()
+ .get("q/dev-ui/configuration-form-editor").then()
+ .statusCode(200)
+ .header("Access-Control-Allow-Origin", origin)
+ .header("Access-Control-Allow-Methods", nullValue())
+ .body(not(emptyOrNullString()));
+ }
+
+ @Test
+ public void testSimpleRequestHttpLocalhostIpOrigin() {
+ String origin = "http://127.0.0.1:8080";
+ RestAssured.given()
+ .header("Origin", origin)
+ .when()
+ .get("q/dev-ui/configuration-form-editor").then()
+ .statusCode(200)
+ .header("Access-Control-Allow-Origin", origin)
+ .header("Access-Control-Allow-Methods", nullValue())
+ .body(not(emptyOrNullString()));
+ }
+
+ @Test
+ public void testSimpleRequestHttpsLocalhostOrigin() {
+ String origin = "https://localhost:8443";
+ RestAssured.given()
+ .header("Origin", origin)
+ .when()
+ .get("q/dev-ui/configuration-form-editor").then()
+ .statusCode(200)
+ .header("Access-Control-Allow-Origin", origin)
+ .header("Access-Control-Allow-Methods", nullValue())
+ .body(not(emptyOrNullString()));
+ }
+
+ @Test
+ public void testSimpleRequestHttpsLocalhostIpOrigin() {
+ String origin = "https://127.0.0.1:8443";
+ RestAssured.given()
+ .header("Origin", origin)
+ .when()
+ .get("q/dev-ui/configuration-form-editor").then()
+ .statusCode(200)
+ .header("Access-Control-Allow-Origin", origin)
+ .header("Access-Control-Allow-Methods", nullValue())
+ .body(not(emptyOrNullString()));
+ }
+
+ @Test
+ public void testSimpleRequestNonLocalhostOrigin() {
+ RestAssured.given()
+ .header("Origin", "https://quarkus.io/http://localhost")
+ .when()
+ .get("q/dev-ui/configuration-form-editor").then()
+ .statusCode(403)
+ .header("Access-Control-Allow-Origin", nullValue())
+ .body(emptyOrNullString());
+ }
+}
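Review bot: The rejection tests in DevUICorsTest only send origins that carry a path (`https://quarkus.io/http://localhost`, `http://localhost:8080/devui`) or omit the port, so none of them covers a well-formed origin whose host merely begins with an allowed name. DevConsoleCORSFilter is not part of this diff, so how it matches the host is not visible here, but that is the case a prefix or loose pattern match would accept and it is worth pinning in a test. I would add a preflight and a simple-request case with a constructed origin such as `.header("Origin", "http://localhost.example.com:8080")`, asserting `.statusCode(403)` and `.header("Access-Control-Allow-Origin", nullValue())`. The simple-request group also lacks the path-suffix and no-port cases that the preflight group has.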
diff --git a/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/devui/DevUIRemoteCorsTest.java b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/devui/DevUIRemoteCorsTest.java
new file mode 100644
index 00000000000000..b33d1009d119c0
--- /dev/null
+++ b/extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/devui/DevUIRemoteCorsTest.java
@@ -0,0 +1,37 @@
+package io.quarkus.vertx.http.devui;
+
+import static org.hamcrest.Matchers.emptyOrNullString;
+
+import java.net.Inet4Address;
+import java.net.UnknownHostException;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusDevModeTest;
+import io.restassured.RestAssured;
+
+public class DevUIRemoteCorsTest {
+
+ @RegisterExtension
+ static final QuarkusDevModeTest config = new QuarkusDevModeTest()
+ .setBuildSystemProperty("quarkus.http.host", "0.0.0.0")
+ .withEmptyApplication();
+
+ @Test
+ public void test() throws UnknownHostException {
+ String origin = Inet4Address.getLocalHost().toString();
+ if (origin.contains("/")) {
+ origin = "http://" + origin.split("/")[1] + ":8080";
+ }
+ String methods = "GET,POST";
+ RestAssured.given()
+ .header("Origin", origin)
+ .header("Access-Control-Request-Method", methods)
+ .when()
+ .options("q/dev-ui/configuration-form-editor").then()
+ .statusCode(403)
+ .body(emptyOrNullString());
+ }
+
+}
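Review bot: The origin sent by `test()` is parsed out of `Inet4Address.getLocalHost().toString()`, so it depends on how the build host resolves its own name; where that yields `127.0.0.1`, the origin is one that DevUICorsTest expects to be accepted and the 403 assertion would presumably fail. Building it directly with `String origin = "http://" + InetAddress.getLocalHost().getHostAddress() + ":8080";` (which needs `java.net.InetAddress` imported) removes the string split and the branch that would leave the origin without a scheme, and an `Assumptions.assumeFalse(...)` on `isLoopbackAddress()` would skip the test on hosts where the premise does not hold. The check is also weaker than the rejection tests in DevUICorsTest because it never asserts that the CORS response header is absent; `.header("Access-Control-Allow-Origin", nullValue())` would close that gap. The method name `test` could say what is being verified, for example `testPreflightNonLoopbackHostOrigin`.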