From 8a58cc2c5932fbd60d68b2c92b0495f747179b4b Mon Sep 17 00:00:00 2001
From: NeilShadrach
Date: Fri, 12 Jul 2024 15:16:37 +0100
Subject: [PATCH] SEC-54 Additional test
---
 .../DisqualifiedOfficerControllerTest.java | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/src/test/java/uk/gov/companieshouse/disqualifiedofficersdataapi/api/controller/DisqualifiedOfficerControllerTest.java b/src/test/java/uk/gov/companieshouse/disqualifiedofficersdataapi/api/controller/DisqualifiedOfficerControllerTest.java
index f86e057..a45366e 100644
--- a/src/test/java/uk/gov/companieshouse/disqualifiedofficersdataapi/api/controller/DisqualifiedOfficerControllerTest.java
+++ b/src/test/java/uk/gov/companieshouse/disqualifiedofficersdataapi/api/controller/DisqualifiedOfficerControllerTest.java
@@ -46,6 +46,7 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 @ExtendWith(SpringExtension.class)
 @WebMvcTest(controllers = DisqualifiedOfficerController.class)
@@ -431,6 +432,24 @@ void callDisqualifiedOfficerGetRequestCORS() throws Exception {
 assertEquals(data, objectMapper.readValue(result.getResponse().getContentAsString(), NaturalDisqualificationApi.class));
 }
+ @Test
+ @DisplayName("Forbidden Disqualified Officer GET request - CORS")
+ void getCompanyExemptionsForbiddenCORS() throws Exception {
+
+ MvcResult result = mockMvc.perform(get(NATURAL_GET_URL)
+ .contentType(APPLICATION_JSON)
+ .header("Origin", "")
+ .header("ERIC-Allowed-Origin", "")
+ .header("x-request-id", "5342342")
+ .header("ERIC-Identity", "Test-Identity")
+ .header("ERIC-Identity-Type", "oauth2"))
+ .andExpect(status().isForbidden())
+ .andExpect(header().exists(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS))
+ .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, containsString("GET")))
+ .andExpect(content().string(""))
+ .andReturn();
+ }
+
 @Test
 @DisplayName("Disqualified Officer PUT request - CORS")
 void callDisqualifiedOfficerPutRequestCORS() throws Exception {
@@ -453,6 +472,7 @@ void callDisqualifiedOfficerPutRequestCORS() throws Exception {
 .andExpect(status().isForbidden())
 .andExpect(header().exists(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS))
 .andExpect(header().string(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, containsString("GET")))
+ .andExpect(content().string(""))
 .andReturn();
 }
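Review bot: `getCompanyExemptionsForbiddenCORS` sends an empty `Origin` together with an empty `ERIC-Allowed-Origin`, so the 403 is pinned only for a blank origin; the case the CORS check matters for, a non-empty `Origin` that was not allowed, is not exercised in this hunk. A sibling case with a constructed value such as `.header("Origin", "https://not-allowed.example")` would cover it, and if the filter is meant to withhold the header on rejection, `.andExpect(header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN))` would pin that a refused request is never echoed an allowed origin. The method name looks carried over from a company-exemptions test; a name in line with its neighbours, e.g. `callDisqualifiedOfficerGetRequestForbiddenCORS`, reads better, and the unused `MvcResult result` local can go.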
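Review bot: The added `content().string("")` check in `callDisqualifiedOfficerPutRequestCORS` shows the 403 carries no body, but an empty body does not show that the PUT was stopped before any write. Since the request is a state-changing one, a Mockito check on the mocked service after the `perform` chain, e.g. `verifyNoInteractions(<mocked service field>);` with the field name taken from the test class, would pin that. The test method starts above this hunk, so the mock set-up and the request headers are not visible here.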