Package groovy.security

Source Code of groovy.security.SecurityTest

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
package groovy.security;

import groovy.lang.GroovyCodeSource;
import junit.framework.Test;
import junit.framework.TestSuite;
import junit.textui.TestRunner;
import org.codehaus.groovy.control.CompilationFailedException;

import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.security.Security;
import java.util.PropertyPermission;

/**
* Test the effects of enabling security in Groovy.  Some tests below check for proper framework
* behavior (e.g. ensuring that GroovyCodeSources may only be created for which proper permissions exist).
* Other tests run .groovy scripts under a secure environment and ensure that the proper permissions
* are required for success.
* <p>
* Todo: find out why the marked tests are environment specific and why security tests are not
* running on the build server.
*
* @author Steve Goetze
*/
public class SecurityTest extends SecurityTestSupport {

    public static void main(String[] args) {
        TestRunner.run(suite());
    }

    public static Test suite() {
        return new TestSuite(SecurityTest.class);
    }

    public void testForbiddenProperty() {
        String script = "System.getProperty(\"user.home\")";
        assertExecute(script, null, new PropertyPermission("user.home", "read"));
    }

    public void testForbiddenPackage() {
        String script = "import sun.net.*; s = new NetworkClient()";
        assertExecute(script, "/groovy/security/testForbiddenPackage", new RuntimePermission("accessClassInPackage.sun.*"));
    }

    public void testForbiddenCodebase() {
        assertExecute(new File("src/test/groovy/security/forbiddenCodeBase.gvy"), new GroovyCodeSourcePermission("/groovy/security/forbiddenCodeBase"));
    }

    public void testForbiddenCodebaseWithActions() {
        assertExecute(new File("src/test/groovy/security/forbiddenCodeBase.gvy"), new GroovyCodeSourcePermission("/groovy/security/forbiddenCodeBase", "unused actions string"));
    }

    //Check that the Security package.access control works.
    public void testPackageAccess() {
        String script = "new javax.print.PrintException();";
        Security.setProperty("package.access", "javax.print");
        //This should throw an ACE because its codeBase does not allow access to javax.print
        assertExecute(script, "/groovy/security/javax/print/deny", new RuntimePermission("accessClassInPackage.javax.print"));
        //This should not throw an ACE because groovy.policy grants the codeBase access to javax.print
        assertExecute(script, "/groovy/security/javax/print/allow", null);
    }

    public void testBadScriptNameBug() {
        assertExecute(new File("src/test/groovy/bugs/BadScriptNameBug.groovy"), null);
    }

    public void testClosureListenerTest() {
        assertExecute(new File("src/test/groovy/ClosureListenerTest.groovy"), null);
    }

    public void testClosureMethodTest() {
        assertExecute(new File("src/test/groovy/ClosureMethodTest.groovy"), null);
    }

    public void testGroovyMethodsTest_FAILS() {
        if (notYetImplemented()) return;
        assertExecute(new File("src/test/groovy/GroovyMethodsTest.groovy"), null);
    }

    public void testClosureWithDefaultParamTest() {
        assertExecute(new File("src/test/groovy/ClosureWithDefaultParamTest.groovy"), null);
    }

    public void testGroovy303_Bug() {
        assertExecute(new File("src/test/groovy/bugs/Groovy303_Bug.groovy"), null);
    }

    public void testScriptTest() {
        assertExecute(new File("src/test/groovy/script/ScriptTest.groovy"), null);
    }

    //In addition to requiring several permissions, this test is an example of the case
    //where the groovy class loader is required at script invocation time as well as
    //during compilation.
    public void testSqlCompleteWithoutDataSourceTest() {
        assertExecute(new File("src/test/groovy/sql/SqlCompleteWithoutDataSourceTest.groovy"), null);
    }

    //Test to prevent scripts from invoking the groovy compiler.  This is done by restricting access
    //to the org.codehaus.groovy packages.
    public void testMetaClassTest() {
        //Security.setProperty("package.access", "org.codehaus.groovy");
        //assertExecute(new File("src/test/org/codehaus/groovy/classgen/MetaClassTest.groovy"), new RuntimePermission("accessClassInPackage.org.codehaus.groovy"));
    }

    //Mailing list post by Richard Hensley reporting a CodeSource bug.  A GroovyCodeSource created
    //with a URL was causing an NPE.
    public void testCodeSource() throws IOException, CompilationFailedException {
        URL script = loader.getResource("groovy/ArrayTest.groovy");
        try {
            new GroovyCodeSource(script);
        } catch (RuntimeException re) {
            assertEquals("Could not construct a GroovyCodeSource from a null URL", re.getMessage());
        }
    }

}
TOP

Related Classes of groovy.security.SecurityTest

  • groovy.lang.GroovyCodeSource
  • junit.framework.TestSuite
  • java.util.PropertyPermission
  • java.net.URL
  • java.io.File
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.