phoenix-oss/llama-stack-mirror
0
0
Fork 1
mirror of https://github.com/meta-llama/llama-stack.git synced 2025-12-17 21:39:48 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add CORS configuration support for FastAPI server

Browse source
This commit is contained in:
skamenan7 2025-08-19 11:40:19 -04:00
parent c716c8cd03
commit 815b5c7279
3 changed files with 107 additions and 141 deletions
Download patch file Download diff file Expand all files Collapse all files

197
tests/unit/server/test_cors.py
View file

@ -6,157 +6,100 @@
import pytest
from llama_stack.core.datatypes import CORSConfig, process_cors_config
from llama_stack.core.datatypes import CORSSpec, process_cors_config
class TestCORSConfig:
"""Test basic CORS configuration."""
def test_cors_spec_defaults():
config = CORSSpec()
def test_defaults(self):
config = CORSConfig()
assert config.allow_origins == ["*"]
assert config.allow_origin_regex is None
assert config.allow_methods == ["*"]
assert config.allow_headers == ["*"]
assert config.allow_credentials is False
assert config.expose_headers == []
assert config.max_age == 600
def test_custom_values(self):
config = CORSConfig(allow_origins=["https://example.com"], allow_credentials=True, max_age=3600)
assert config.allow_origins == ["https://example.com"]
assert config.allow_credentials is True
assert config.max_age == 3600
def test_regex_field(self):
config = CORSConfig(allow_origins=[], allow_origin_regex=r"https?://localhost:\d+")
assert config.allow_origins == []
assert config.allow_origin_regex == r"https?://localhost:\d+"
def test_credentials_with_wildcard_error(self):
"""Should raise error when using credentials with wildcard origins."""
with pytest.raises(ValueError, match="CORS: allow_credentials=True requires explicit origins"):
CORSConfig(allow_origins=["*"], allow_credentials=True)
assert config.allow_origins == []
assert config.allow_origin_regex is None
assert config.allow_methods == ["OPTIONS"]
assert config.allow_headers == []
assert config.allow_credentials is False
assert config.expose_headers == []
assert config.max_age == 600
class TestProcessCORSConfig:
"""Test the process_cors_config function."""
def test_cors_spec_explicit_config():
config = CORSSpec(
allow_origins=["https://example.com"], allow_credentials=True, max_age=3600, allow_methods=["GET", "POST"]
)
def test_none_returns_none(self):
result = process_cors_config(None)
assert result is None
def test_false_returns_none(self):
result = process_cors_config(False)
assert result is None
def test_true_returns_dev_config(self):
"""Test dev mode: cors: true"""
result = process_cors_config(True)
assert isinstance(result, CORSConfig)
assert result.allow_origins == []
assert result.allow_origin_regex == r"https?://localhost:\d+"
assert result.allow_credentials is False
assert "GET" in result.allow_methods
assert "POST" in result.allow_methods
def test_cors_object_returned_as_is(self):
original = CORSConfig(allow_origins=["https://example.com"])
result = process_cors_config(original)
assert result is original
def test_invalid_type_raises_error(self):
with pytest.raises(ValueError, match="Invalid CORS configuration type"):
process_cors_config("invalid")
assert config.allow_origins == ["https://example.com"]
assert config.allow_credentials is True
assert config.max_age == 3600
assert config.allow_methods == ["GET", "POST"]
class TestCORSIntegration:
"""Test CORS with FastAPI integration."""
def test_cors_spec_regex():
config = CORSSpec(allow_origins=[], allow_origin_regex=r"https?://localhost:\d+")
def test_dev_mode_with_fastapi(self):
"""Test that dev mode config works with FastAPI middleware."""
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from fastapi.testclient import TestClient
assert config.allow_origins == []
assert config.allow_origin_regex == r"https?://localhost:\d+"
app = FastAPI()
# Use our dev mode config
cors_config = process_cors_config(True)
app.add_middleware(CORSMiddleware, **cors_config.model_dump())
def test_cors_spec_wildcard_credentials_error():
with pytest.raises(ValueError, match="CORS: allow_credentials=True requires explicit origins"):
CORSSpec(allow_origins=["*"], allow_credentials=True)
@app.get("/test")
def test_endpoint():
return {"message": "hello"}
with pytest.raises(ValueError, match="CORS: allow_credentials=True requires explicit origins"):
CORSSpec(allow_origins=["https://example.com", "*"], allow_credentials=True)
client = TestClient(app)
# Test localhost origins work
response = client.get("/test", headers={"Origin": "http://localhost:3000"})
assert response.status_code == 200
assert response.headers.get("Access-Control-Allow-Origin") == "http://localhost:3000"
def test_process_cors_config_false():
result = process_cors_config(False)
assert result is None
# Test non-localhost doesn't get CORS headers
response = client.get("/test", headers={"Origin": "https://evil.com"})
assert response.status_code == 200
assert "Access-Control-Allow-Origin" not in response.headers
def test_production_mode_with_fastapi(self):
"""Test explicit origins configuration."""
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from fastapi.testclient import TestClient
def test_process_cors_config_true():
result = process_cors_config(True)
app = FastAPI()
assert isinstance(result, CORSSpec)
assert result.allow_origins == []
assert result.allow_origin_regex == r"https?://localhost:\d+"
assert result.allow_credentials is False
assert "GET" in result.allow_methods
assert "POST" in result.allow_methods
assert "OPTIONS" in result.allow_methods
# Production config
cors_config = CORSConfig(allow_origins=["https://myapp.com"], allow_credentials=True)
app.add_middleware(CORSMiddleware, **cors_config.model_dump())
@app.get("/test")
def test_endpoint():
return {"message": "hello"}
def test_process_cors_config_passthrough():
original = CORSSpec(allow_origins=["https://example.com"], allow_methods=["GET"])
result = process_cors_config(original)
client = TestClient(app)
assert result is original
# Test allowed origin works
response = client.get("/test", headers={"Origin": "https://myapp.com"})
assert response.status_code == 200
assert response.headers.get("Access-Control-Allow-Origin") == "https://myapp.com"
assert response.headers.get("Access-Control-Allow-Credentials") == "true"
# Test disallowed origin
response = client.get("/test", headers={"Origin": "https://evil.com"})
assert response.status_code == 200
assert "Access-Control-Allow-Origin" not in response.headers
def test_process_cors_config_invalid_type():
with pytest.raises(ValueError, match="Invalid CORS configuration type"):
process_cors_config("invalid")
def test_preflight_request(self):
"""Test CORS preflight OPTIONS request."""
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from fastapi.testclient import TestClient
app = FastAPI()
def test_cors_spec_model_dump():
cors_spec = CORSSpec(
allow_origins=["https://example.com"],
allow_methods=["GET", "POST"],
allow_headers=["Content-Type"],
allow_credentials=True,
max_age=3600,
)
cors_config = process_cors_config(True)
app.add_middleware(CORSMiddleware, **cors_config.model_dump())
config_dict = cors_spec.model_dump()
@app.get("/test")
def test_endpoint():
return {"message": "hello"}
assert config_dict["allow_origins"] == ["https://example.com"]
assert config_dict["allow_methods"] == ["GET", "POST"]
assert config_dict["allow_headers"] == ["Content-Type"]
assert config_dict["allow_credentials"] is True
assert config_dict["max_age"] == 3600
client = TestClient(app)
# Preflight request
response = client.options(
"/test", headers={"Origin": "http://localhost:3000", "Access-Control-Request-Method": "GET"}
)
assert response.status_code == 200
assert response.headers.get("Access-Control-Allow-Origin") == "http://localhost:3000"
assert "GET" in response.headers.get("Access-Control-Allow-Methods", "")
expected_keys = {
"allow_origins",
"allow_origin_regex",
"allow_methods",
"allow_headers",
"allow_credentials",
"expose_headers",
"max_age",
}
assert set(config_dict.keys()) == expected_keys