fix(cors): update CorsConfigTest for new deny-all default; constructor injection

aksOps · claude · aksOps · commit 331cf0c3485c · 2026-04-28T07:55:44.000Z
CorsConfigTest in main was asserting the old loopback-by-default behaviour. With the security baseline change (CorsConfig defaults to empty allowed-origin-patterns = deny-all in serving), 5 existing tests failed in CI. - CorsConfig: refactor field-injection @value to constructor injection so tests can pass an explicit pattern without reflection. - CorsConfigTest: rewrite to validate both contracts — - default empty/blank/null patterns register NO mappings (deny-all) - explicit patterns register /api/** (GET,OPTIONS) and /mcp/** (GET,POST,OPTIONS) - mutating verbs (PUT/PATCH/DELETE) are NOT allowed on the API mapping - origin patterns reach the CorsConfiguration unchanged - 9 tests covering the new contract; existing assertion shape preserved. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/src/main/java/io/github/randomcodespace/iq/config/CorsConfig.java b/src/main/java/io/github/randomcodespace/iq/config/CorsConfig.java
@@ -46,8 +46,11 @@ public class CorsConfig {
     static final String ALLOWED_HEADERS = "*";
 
     /** Empty default = deny-all (no mappings registered). */
-    @Value("${codeiq.cors.allowed-origin-patterns:}")
-    private String allowedOriginPatterns = "";
+    private final String allowedOriginPatterns;
+
+    public CorsConfig(@Value("${codeiq.cors.allowed-origin-patterns:}") String allowedOriginPatterns) {
+        this.allowedOriginPatterns = allowedOriginPatterns == null ? "" : allowedOriginPatterns;
+    }
 
     @PostConstruct
     void logCorsState() {
diff --git a/src/test/java/io/github/randomcodespace/iq/config/CorsConfigTest.java b/src/test/java/io/github/randomcodespace/iq/config/CorsConfigTest.java
@@ -18,59 +18,84 @@ public Map<String, CorsConfiguration> getCorsConfigurations() {
         }
     }
 
-    private CorsConfig createCorsConfig() {
-        return new CorsConfig();
+    /** Default empty pattern = deny-all (production default). */
+    private CorsConfig denyAllByDefault() {
+        return new CorsConfig("");
+    }
+
+    /** Operator-configured loopback patterns (typical local-dev override). */
+    private CorsConfig localDevConfig() {
+        return new CorsConfig("http://localhost:[*],http://127.0.0.1:[*]");
     }
 
     @Test
-    void corsConfigurerReturnsWebMvcConfigurer() {
-        WebMvcConfigurer configurer = createCorsConfig().corsConfigurer();
-        assertNotNull(configurer);
+    void corsConfigurerNeverNull() {
+        // Both deny-all and explicit configs return a non-null configurer.
+        assertNotNull(denyAllByDefault().corsConfigurer());
+        assertNotNull(localDevConfig().corsConfigurer());
+    }
+
+    @Test
+    void denyAllByDefault_registersNoMappings() {
+        WebMvcConfigurer configurer = denyAllByDefault().corsConfigurer();
+        TestableCorsRegistry registry = new TestableCorsRegistry();
+        configurer.addCorsMappings(registry);
+
+        Map<String, CorsConfiguration> configurations = registry.getCorsConfigurations();
+        assertFalse(configurations.containsKey("/api/**"),
+                "Empty allowed-origin-patterns must NOT register /api/** CORS — deny-all is the default");
+        assertFalse(configurations.containsKey("/mcp/**"),
+                "Empty allowed-origin-patterns must NOT register /mcp/** CORS — deny-all is the default");
     }
 
     @Test
-    void corsConfigurerDoesNotThrowWhenAddingMappings() {
-        WebMvcConfigurer configurer = createCorsConfig().corsConfigurer();
+    void blankAllowedOriginPatterns_treatedAsDenyAll() {
+        // Whitespace-only is the same as empty.
+        WebMvcConfigurer configurer = new CorsConfig("   ").corsConfigurer();
         TestableCorsRegistry registry = new TestableCorsRegistry();
-        assertDoesNotThrow(() -> configurer.addCorsMappings(registry));
+        configurer.addCorsMappings(registry);
+        assertTrue(registry.getCorsConfigurations().isEmpty(),
+                "Blank allowed-origin-patterns must register no mappings");
     }
 
     @Test
-    void corsRegistryContainsApiAndMcpMappings() {
-        WebMvcConfigurer configurer = createCorsConfig().corsConfigurer();
+    void explicitConfig_registersApiAndMcpMappings() {
+        WebMvcConfigurer configurer = localDevConfig().corsConfigurer();
         TestableCorsRegistry registry = new TestableCorsRegistry();
         configurer.addCorsMappings(registry);
 
-        var configurations = registry.getCorsConfigurations();
+        Map<String, CorsConfiguration> configurations = registry.getCorsConfigurations();
         assertTrue(configurations.containsKey("/api/**"),
-                "Should register CORS mapping for /api/**");
+                "Explicit pattern should register CORS mapping for /api/**");
         assertTrue(configurations.containsKey("/mcp/**"),
-                "Should register CORS mapping for /mcp/**");
+                "Explicit pattern should register CORS mapping for /mcp/**");
     }
 
     @Test
-    void apiMappingAllowsExpectedMethods() {
-        WebMvcConfigurer configurer = createCorsConfig().corsConfigurer();
+    void explicitConfig_apiAllowsGetAndOptionsOnly() {
+        WebMvcConfigurer configurer = localDevConfig().corsConfigurer();
         TestableCorsRegistry registry = new TestableCorsRegistry();
         configurer.addCorsMappings(registry);
 
-        var configurations = registry.getCorsConfigurations();
-        var apiCors = configurations.get("/api/**");
+        var apiCors = registry.getCorsConfigurations().get("/api/**");
         assertNotNull(apiCors);
         var methods = apiCors.getAllowedMethods();
         assertNotNull(methods);
         assertTrue(methods.contains("GET"));
         assertTrue(methods.contains("OPTIONS"));
+        // Mutating verbs must NOT be allowed — read-only API.
+        assertFalse(methods.contains("PUT"));
+        assertFalse(methods.contains("PATCH"));
+        assertFalse(methods.contains("DELETE"));
     }
 
     @Test
-    void mcpMappingAllowsGetPostOptions() {
-        WebMvcConfigurer configurer = createCorsConfig().corsConfigurer();
+    void explicitConfig_mcpAllowsGetPostOptions() {
+        WebMvcConfigurer configurer = localDevConfig().corsConfigurer();
         TestableCorsRegistry registry = new TestableCorsRegistry();
         configurer.addCorsMappings(registry);
 
-        var configurations = registry.getCorsConfigurations();
-        var mcpCors = configurations.get("/mcp/**");
+        var mcpCors = registry.getCorsConfigurations().get("/mcp/**");
         assertNotNull(mcpCors);
         var methods = mcpCors.getAllowedMethods();
         assertNotNull(methods);
@@ -80,31 +105,39 @@ void mcpMappingAllowsGetPostOptions() {
     }
 
     @Test
-    void apiMappingRestrictsToLocalhostOrigins() {
-        WebMvcConfigurer configurer = createCorsConfig().corsConfigurer();
+    void explicitConfig_originPatternsPreserved() {
+        WebMvcConfigurer configurer = localDevConfig().corsConfigurer();
         TestableCorsRegistry registry = new TestableCorsRegistry();
         configurer.addCorsMappings(registry);
 
-        var configurations = registry.getCorsConfigurations();
-        var apiCors = configurations.get("/api/**");
+        var apiCors = registry.getCorsConfigurations().get("/api/**");
         assertNotNull(apiCors);
         var patterns = apiCors.getAllowedOriginPatterns();
         assertNotNull(patterns);
         assertTrue(patterns.stream().anyMatch(p -> p.contains("localhost")),
-                "CORS should restrict to localhost origins");
+                "Configured loopback pattern must reach the CORS configuration");
     }
 
     @Test
-    void apiMappingAllowsAllHeaders() {
-        WebMvcConfigurer configurer = createCorsConfig().corsConfigurer();
+    void explicitConfig_allowsAllHeaders() {
+        WebMvcConfigurer configurer = localDevConfig().corsConfigurer();
         TestableCorsRegistry registry = new TestableCorsRegistry();
         configurer.addCorsMappings(registry);
 
-        var configurations = registry.getCorsConfigurations();
-        var apiCors = configurations.get("/api/**");
+        var apiCors = registry.getCorsConfigurations().get("/api/**");
         assertNotNull(apiCors);
         var headers = apiCors.getAllowedHeaders();
         assertNotNull(headers);
         assertTrue(headers.contains("*"));
     }
+
+    @Test
+    void nullPatterns_treatedAsDenyAll() {
+        // Defensive — Spring binding can pass null in edge cases.
+        WebMvcConfigurer configurer = new CorsConfig(null).corsConfigurer();
+        TestableCorsRegistry registry = new TestableCorsRegistry();
+        configurer.addCorsMappings(registry);
+        assertTrue(registry.getCorsConfigurations().isEmpty(),
+                "Null allowed-origin-patterns must register no mappings");
+    }
 }
