From 1fb73c6462951b2205838ea565b3d15a4a703160 Mon Sep 17 00:00:00 2001
From: John Grimes
Date: Wed, 22 May 2024 10:13:52 +1000
Subject: [PATCH] Add test to verify CORS behaviour when authentication is disabled
---
 .../integration/CapabilityStatementTest.java | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/fhir-server/src/test/java/au/csiro/pathling/test/integration/CapabilityStatementTest.java b/fhir-server/src/test/java/au/csiro/pathling/test/integration/CapabilityStatementTest.java
index eecd0f23c6..551e4c8b88 100644
--- a/fhir-server/src/test/java/au/csiro/pathling/test/integration/CapabilityStatementTest.java
+++ b/fhir-server/src/test/java/au/csiro/pathling/test/integration/CapabilityStatementTest.java
@@ -18,7 +18,10 @@
 package au.csiro.pathling.test.integration;
 import static au.csiro.pathling.test.TestResources.assertJson;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import java.util.Arrays;
+import java.util.Collections;
 import org.json.JSONException;
 import org.junit.jupiter.api.Tag;
 import org.junit.jupiter.api.Test;
@@ -29,11 +32,19 @@
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.TestPropertySource;
 /**
  * @author John Grimes
  */
+@TestPropertySource(properties = {
+ "pathling.cors.maxAge=800",
+ "pathling.cors.allowedMethods=GET,POST",
+ "pathling.cors.allowedOrigins=http://foo.bar,http://boo.bar",
+ "pathling.cors.allowedHeaders=X-Mine,X-Other"
+})
 @Tag("Tranche2")
 class CapabilityStatementTest extends IntegrationTest {
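Review bot: The added `@TestPropertySource` list pins the four `pathling.cors.*` values but not the authentication state, although the commit subject says the test is about CORS "when authentication is disabled". As written, the test appears to rely on a default or on `IntegrationTest` (neither visible in this hunk) to keep authentication off, so a change there would silently turn it into a test of a different configuration. Consider adding the project's authentication switch to the same property list, with a comment such as `// CORS preflight must succeed without authentication configured`. The annotation is class-level, so these CORS settings also apply to every other test in `CapabilityStatementTest`, whose body continues outside the hunk.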
@@ -56,12 +67,20 @@ void cors() throws JSONException {
 final HttpHeaders corsHeaders = new HttpHeaders();
 corsHeaders.setOrigin("http://foo.bar");
 corsHeaders.setAccessControlRequestMethod(HttpMethod.GET);
+ corsHeaders.setAccessControlRequestHeaders(Arrays.asList("X-Mine", "X-Skip"));
 final ResponseEntity response = restTemplate.exchange( "http://localhost:" + port + "/fhir/metadata", HttpMethod.OPTIONS, new HttpEntity(corsHeaders), String.class);
- System.out.println(response);
+ final HttpHeaders responseHeaders = response.getHeaders();
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertEquals("http://foo.bar", responseHeaders.getAccessControlAllowOrigin());
+ assertEquals(Arrays.asList(HttpMethod.GET, HttpMethod.POST),
+ responseHeaders.getAccessControlAllowMethods());
+ assertEquals(800L, responseHeaders.getAccessControlMaxAge());
+ assertEquals(Collections.singletonList("X-Mine"),
+ responseHeaders.getAccessControlAllowHeaders());
 }
 }
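Review bot: The new assertions in `cors()` cover only a permitted origin and a permitted method, so the test would still pass if the server echoed back any `Origin` it was sent. The header check already has a negative case (`X-Skip` is expected to be dropped); the origin deserves the same. A second preflight could use `corsHeaders.setOrigin("http://not-allowed.example");` (a constructed value outside `pathling.cors.allowedOrigins`) and check `assertNull(response.getHeaders().getAccessControlAllowOrigin());`. The status code to expect for a rejected preflight depends on the CORS implementation, which is not visible here. The method's signature appears only in the hunk header, so its `@Test` annotation and anything before `corsHeaders` lie outside the hunk.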