core/tests/components/http/test_cors.py

"""Test cors for the HTTP component."""
from unittest.mock import patch

from aiohttp import web
from aiohttp.hdrs import (
    ACCESS_CONTROL_ALLOW_ORIGIN,
    ACCESS_CONTROL_ALLOW_HEADERS,
    ACCESS_CONTROL_REQUEST_HEADERS,
    ACCESS_CONTROL_REQUEST_METHOD,
    AUTHORIZATION,
    ORIGIN
)
import pytest

from homeassistant.const import (
    HTTP_HEADER_HA_AUTH
)
from homeassistant.setup import async_setup_component
from homeassistant.components.http.cors import setup_cors
from homeassistant.components.http.view import HomeAssistantView


TRUSTED_ORIGIN = 'https://home-assistant.io'


async def test_cors_middleware_loaded_by_default(hass):
    """Test accessing to server from banned IP when feature is off."""
    with patch('homeassistant.components.http.setup_cors') as mock_setup:
        await async_setup_component(hass, 'http', {
            'http': {}
        })

    assert len(mock_setup.mock_calls) == 1


async def test_cors_middleware_loaded_from_config(hass):
    """Test accessing to server from banned IP when feature is off."""
    with patch('homeassistant.components.http.setup_cors') as mock_setup:
        await async_setup_component(hass, 'http', {
            'http': {
                'cors_allowed_origins': ['http://home-assistant.io']
            }
        })

    assert len(mock_setup.mock_calls) == 1


async def mock_handler(request):
    """Return if request was authenticated."""
    return web.Response(status=200)


@pytest.fixture
def client(loop, aiohttp_client):
    """Fixture to set up a web.Application."""
    app = web.Application()
    app.router.add_get('/', mock_handler)
    setup_cors(app, [TRUSTED_ORIGIN])
    return loop.run_until_complete(aiohttp_client(app))


async def test_cors_requests(client):
    """Test cross origin requests."""
    req = await client.get('/', headers={
        ORIGIN: TRUSTED_ORIGIN
    })
    assert req.status == 200
    assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \
        TRUSTED_ORIGIN

    # With password in URL
    req = await client.get('/', params={
        'api_password': 'some-pass'
    }, headers={
        ORIGIN: TRUSTED_ORIGIN
    })
    assert req.status == 200
    assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \
        TRUSTED_ORIGIN

    # With password in headers
    req = await client.get('/', headers={
        HTTP_HEADER_HA_AUTH: 'some-pass',
        ORIGIN: TRUSTED_ORIGIN
    })
    assert req.status == 200
    assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \
        TRUSTED_ORIGIN

    # With auth token in headers
    req = await client.get('/', headers={
        AUTHORIZATION: 'Bearer some-token',
        ORIGIN: TRUSTED_ORIGIN
    })
    assert req.status == 200
    assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \
        TRUSTED_ORIGIN


async def test_cors_preflight_allowed(client):
    """Test cross origin resource sharing preflight (OPTIONS) request."""
    req = await client.options('/', headers={
        ORIGIN: TRUSTED_ORIGIN,
        ACCESS_CONTROL_REQUEST_METHOD: 'GET',
        ACCESS_CONTROL_REQUEST_HEADERS: 'x-ha-access'
    })

    assert req.status == 200
    assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == TRUSTED_ORIGIN
    assert req.headers[ACCESS_CONTROL_ALLOW_HEADERS] == \
        HTTP_HEADER_HA_AUTH.upper()


async def test_cors_middleware_with_cors_allowed_view(hass):
    """Test that we can configure cors and have a cors_allowed view."""
    class MyView(HomeAssistantView):
        """Test view that allows CORS."""

        requires_auth = False
        cors_allowed = True

        def __init__(self, url, name):
            """Initialize test view."""
            self.url = url
            self.name = name

        async def get(self, request):
            """Test response."""
            return "test"

    assert await async_setup_component(hass, 'http', {
        'http': {
            'cors_allowed_origins': ['http://home-assistant.io']
        }
    })

    hass.http.register_view(MyView('/api/test', 'api:test'))
    hass.http.register_view(MyView('/api/test', 'api:test2'))
    hass.http.register_view(MyView('/api/test2', 'api:test'))

    hass.http.app._on_startup.freeze()
    await hass.http.app.startup()


async def test_cors_works_with_frontend(hass, hass_client):
    """Test CORS works with the frontend."""
    assert await async_setup_component(hass, 'frontend', {
        'http': {
            'cors_allowed_origins': ['http://home-assistant.io']
        }
    })
    client = await hass_client()
    resp = await client.get('/')
    assert resp.status == 200
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Test cors for the HTTP component."""`
			`from unittest.mock import patch`

			`from aiohttp import web`
			`from aiohttp.hdrs import (`
			`ACCESS_CONTROL_ALLOW_ORIGIN,`
			`ACCESS_CONTROL_ALLOW_HEADERS,`
			`ACCESS_CONTROL_REQUEST_HEADERS,`
			`ACCESS_CONTROL_REQUEST_METHOD,`
Fix authorization header in cors (#21662) * Fix authorization headers in cors * Use aiohttp authorization header instead of custom const 2019-03-09 18:00:10 +00:00			`AUTHORIZATION,`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`ORIGIN`
			`)`
			`import pytest`

Fix authorization header in cors (#21662) * Fix authorization headers in cors * Use aiohttp authorization header instead of custom const 2019-03-09 18:00:10 +00:00			`from homeassistant.const import (`
			`HTTP_HEADER_HA_AUTH`
			`)`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`from homeassistant.setup import async_setup_component`
			`from homeassistant.components.http.cors import setup_cors`
Fix CORS duplicate registration (#15670) 2018-07-25 09:36:44 +00:00			`from homeassistant.components.http.view import HomeAssistantView`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00

			`TRUSTED_ORIGIN = 'https://home-assistant.io'`


Allow CORS requests to token endpoint (#15519) * Allow CORS requests to token endpoint * Tests * Fuck emulated hue * Clean up * Only cors existing methods 2018-07-19 06:37:00 +00:00			`async def test_cors_middleware_loaded_by_default(hass):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Test accessing to server from banned IP when feature is off."""`
			`with patch('homeassistant.components.http.setup_cors') as mock_setup:`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`await async_setup_component(hass, 'http', {`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`'http': {}`
			`})`

Allow CORS requests to token endpoint (#15519) * Allow CORS requests to token endpoint * Tests * Fuck emulated hue * Clean up * Only cors existing methods 2018-07-19 06:37:00 +00:00			`assert len(mock_setup.mock_calls) == 1`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00

Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`async def test_cors_middleware_loaded_from_config(hass):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Test accessing to server from banned IP when feature is off."""`
			`with patch('homeassistant.components.http.setup_cors') as mock_setup:`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`await async_setup_component(hass, 'http', {`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`'http': {`
			`'cors_allowed_origins': ['http://home-assistant.io']`
			`}`
			`})`

			`assert len(mock_setup.mock_calls) == 1`


Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`async def mock_handler(request):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Return if request was authenticated."""`
			`return web.Response(status=200)`


			`@pytest.fixture`
Fix aiohttp deprecation warnings (#13240) * Fix aiohttp deprecation warnings * Fix Ring deprecation warning * Lint 2018-03-15 20:49:49 +00:00			`def client(loop, aiohttp_client):`
Grammar and spelling fixes (#16065) 2018-08-19 20:29:08 +00:00			`"""Fixture to set up a web.Application."""`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`app = web.Application()`
			`app.router.add_get('/', mock_handler)`
			`setup_cors(app, [TRUSTED_ORIGIN])`
Fix aiohttp deprecation warnings (#13240) * Fix aiohttp deprecation warnings * Fix Ring deprecation warning * Lint 2018-03-15 20:49:49 +00:00			`return loop.run_until_complete(aiohttp_client(app))`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00

Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`async def test_cors_requests(client):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Test cross origin requests."""`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`req = await client.get('/', headers={`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`ORIGIN: TRUSTED_ORIGIN`
			`})`
			`assert req.status == 200`
			`assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \`
			`TRUSTED_ORIGIN`

			`# With password in URL`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`req = await client.get('/', params={`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`'api_password': 'some-pass'`
			`}, headers={`
			`ORIGIN: TRUSTED_ORIGIN`
			`})`
			`assert req.status == 200`
			`assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \`
			`TRUSTED_ORIGIN`

			`# With password in headers`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`req = await client.get('/', headers={`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`HTTP_HEADER_HA_AUTH: 'some-pass',`
			`ORIGIN: TRUSTED_ORIGIN`
			`})`
			`assert req.status == 200`
			`assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \`
			`TRUSTED_ORIGIN`

Fix authorization header in cors (#21662) * Fix authorization headers in cors * Use aiohttp authorization header instead of custom const 2019-03-09 18:00:10 +00:00			`# With auth token in headers`
			`req = await client.get('/', headers={`
			`AUTHORIZATION: 'Bearer some-token',`
			`ORIGIN: TRUSTED_ORIGIN`
			`})`
			`assert req.status == 200`
			`assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == \`
			`TRUSTED_ORIGIN`

Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`async def test_cors_preflight_allowed(client):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Test cross origin resource sharing preflight (OPTIONS) request."""`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`req = await client.options('/', headers={`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`ORIGIN: TRUSTED_ORIGIN,`
			`ACCESS_CONTROL_REQUEST_METHOD: 'GET',`
			`ACCESS_CONTROL_REQUEST_HEADERS: 'x-ha-access'`
			`})`

			`assert req.status == 200`
			`assert req.headers[ACCESS_CONTROL_ALLOW_ORIGIN] == TRUSTED_ORIGIN`
			`assert req.headers[ACCESS_CONTROL_ALLOW_HEADERS] == \`
			`HTTP_HEADER_HA_AUTH.upper()`
Fix CORS duplicate registration (#15670) 2018-07-25 09:36:44 +00:00

			`async def test_cors_middleware_with_cors_allowed_view(hass):`
			`"""Test that we can configure cors and have a cors_allowed view."""`
			`class MyView(HomeAssistantView):`
			`"""Test view that allows CORS."""`

			`requires_auth = False`
			`cors_allowed = True`

			`def __init__(self, url, name):`
			`"""Initialize test view."""`
			`self.url = url`
			`self.name = name`

			`async def get(self, request):`
			`"""Test response."""`
			`return "test"`

			`assert await async_setup_component(hass, 'http', {`
			`'http': {`
			`'cors_allowed_origins': ['http://home-assistant.io']`
			`}`
			`})`

			`hass.http.register_view(MyView('/api/test', 'api:test'))`
			`hass.http.register_view(MyView('/api/test', 'api:test2'))`
			`hass.http.register_view(MyView('/api/test2', 'api:test'))`

			`hass.http.app._on_startup.freeze()`
			`await hass.http.app.startup()`
Fix cors on the index view (#24283) 2019-06-03 18:43:13 +00:00

			`async def test_cors_works_with_frontend(hass, hass_client):`
			`"""Test CORS works with the frontend."""`
			`assert await async_setup_component(hass, 'frontend', {`
			`'http': {`
			`'cors_allowed_origins': ['http://home-assistant.io']`
			`}`
			`})`
			`client = await hass_client()`
			`resp = await client.get('/')`
			`assert resp.status == 200`