groovy-core/src/test/groovy/security/SecurityTest.java - groovy - Git at Google

 package groovy.security;

 import groovy.lang.GroovyCodeSource;
 import junit.framework.Test;
 import junit.framework.TestSuite;
 import junit.textui.TestRunner;
 import org.codehaus.groovy.control.CompilationFailedException;

 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
 import java.security.Security;
 import java.util.PropertyPermission;

 /**
  * Test the effects of enabling security in Groovy.  Some tests below check for proper framework
  * behavior (e.g. ensuring that GroovyCodeSources may only be created for which proper permissions exist).
  * Other tests run .groovy scripts under a secure environment and ensure that the proper permissions
  * are required for success.
  * <p/>
  * Todo: find out why the marked tests are environment specific and why security tests are not
  * running on the build server.
  *
  * @author Steve Goetze
  */
 public class SecurityTest extends SecurityTestSupport {

     public static void main(String[] args) {
         TestRunner.run(suite());
     }

     public static Test suite() {
         return new TestSuite(SecurityTest.class);
     }

     public void testForbiddenProperty() {
         String script = "System.getProperty(\"user.home\")";
         assertExecute(script, null, new PropertyPermission("user.home", "read"));
     }

     public void testForbiddenPackage() {
         String script = "import sun.net.*; s = new NetworkClient()";
         assertExecute(script, "/groovy/security/testForbiddenPackage", new RuntimePermission("accessClassInPackage.sun.*"));
     }

     public void testForbiddenCodebase() {
         assertExecute(new File("src/test/groovy/security/forbiddenCodeBase.gvy"), new GroovyCodeSourcePermission("/groovy/security/forbiddenCodeBase"));
     }

     public void testForbiddenCodebaseWithActions() {
         assertExecute(new File("src/test/groovy/security/forbiddenCodeBase.gvy"), new GroovyCodeSourcePermission("/groovy/security/forbiddenCodeBase", "unused actions string"));
     }

     //Check that the Security package.access control works.
     public void testPackageAccess() {
         String script = "new javax.print.PrintException();";
         Security.setProperty("package.access", "javax.print");
         //This should throw an ACE because its codeBase does not allow access to javax.print
         assertExecute(script, "/groovy/security/javax/print/deny", new RuntimePermission("accessClassInPackage.javax.print"));
         //This should not throw an ACE because groovy.policy grants the codeBase access to javax.print
         assertExecute(script, "/groovy/security/javax/print/allow", null);
     }

     public void testBadScriptNameBug() {
         assertExecute(new File("src/test/groovy/bugs/BadScriptNameBug.groovy"), null);
     }

     public void testClosureListenerTest() {
         //if (System.getProperty("java.version").startsWith("1.5") && notYetImplemented()) return;
         if (System.getProperty("java.version").startsWith("1.5")) return;
         assertExecute(new File("src/test/groovy/ClosureListenerTest.groovy"), null);
     }

     public void testClosureMethodTest() {
         assertExecute(new File("src/test/groovy/ClosureMethodTest.groovy"), null);
     }

     public void testGroovyMethodsTest_FAILS() {
         if (notYetImplemented()) return;
         assertExecute(new File("src/test/groovy/GroovyMethodsTest.groovy"), null);
     }

     public void testClosureWithDefaultParamTest() {
         assertExecute(new File("src/test/groovy/ClosureWithDefaultParamTest.groovy"), null);
     }

     public void testGroovy303_Bug() {
         assertExecute(new File("src/test/groovy/bugs/Groovy303_Bug.groovy"), null);
     }

     public void testScriptTest() {
         assertExecute(new File("src/test/groovy/script/ScriptTest.groovy"), null);
     }

     //In addition to requiring several permissions, this test is an example of the case
     //where the groovy class loader is required at script invocation time as well as
     //during compilation.
     public void testSqlCompleteWithoutDataSourceTest() {
         assertExecute(new File("src/test/groovy/sql/SqlCompleteWithoutDataSourceTest.groovy"), null);
     }

     //Test to prevent scripts from invoking the groovy compiler.  This is done by restricting access
     //to the org.codehaus.groovy packages.
     public void testMetaClassTest() {
         //Security.setProperty("package.access", "org.codehaus.groovy");
         //assertExecute(new File("src/test/org/codehaus/groovy/classgen/MetaClassTest.groovy"), new RuntimePermission("accessClassInPackage.org.codehaus.groovy"));
     }

     //Mailing list post by Richard Hensley reporting a CodeSource bug.  A GroovyCodeSource created
     //with a URL was causing an NPE.
     public void testCodeSource() throws IOException, CompilationFailedException {
         URL script = loader.getResource("groovy/ArrayTest.groovy");
         try {
             new GroovyCodeSource(script);
         } catch (RuntimeException re) {
             assertEquals("Could not construct a GroovyCodeSource from a null URL", re.getMessage());
         }
     }

 }
	package groovy.security;

	import groovy.lang.GroovyCodeSource;
	import junit.framework.Test;
	import junit.framework.TestSuite;
	import junit.textui.TestRunner;
	import org.codehaus.groovy.control.CompilationFailedException;

	import java.io.File;
	import java.io.IOException;
	import java.net.URL;
	import java.security.Security;
	import java.util.PropertyPermission;

	/**
	* Test the effects of enabling security in Groovy. Some tests below check for proper framework
	* behavior (e.g. ensuring that GroovyCodeSources may only be created for which proper permissions exist).
	* Other tests run .groovy scripts under a secure environment and ensure that the proper permissions
	* are required for success.
	* <p/>
	* Todo: find out why the marked tests are environment specific and why security tests are not
	* running on the build server.
	*
	* @author Steve Goetze
	*/
	public class SecurityTest extends SecurityTestSupport {

	public static void main(String[] args) {
	TestRunner.run(suite());
	}

	public static Test suite() {
	return new TestSuite(SecurityTest.class);
	}

	public void testForbiddenProperty() {
	String script = "System.getProperty(\"user.home\")";
	assertExecute(script, null, new PropertyPermission("user.home", "read"));
	}

	public void testForbiddenPackage() {
	String script = "import sun.net.*; s = new NetworkClient()";
	assertExecute(script, "/groovy/security/testForbiddenPackage", new RuntimePermission("accessClassInPackage.sun.*"));
	}

	public void testForbiddenCodebase() {
	assertExecute(new File("src/test/groovy/security/forbiddenCodeBase.gvy"), new GroovyCodeSourcePermission("/groovy/security/forbiddenCodeBase"));
	}

	public void testForbiddenCodebaseWithActions() {
	assertExecute(new File("src/test/groovy/security/forbiddenCodeBase.gvy"), new GroovyCodeSourcePermission("/groovy/security/forbiddenCodeBase", "unused actions string"));
	}

	//Check that the Security package.access control works.
	public void testPackageAccess() {
	String script = "new javax.print.PrintException();";
	Security.setProperty("package.access", "javax.print");
	//This should throw an ACE because its codeBase does not allow access to javax.print
	assertExecute(script, "/groovy/security/javax/print/deny", new RuntimePermission("accessClassInPackage.javax.print"));
	//This should not throw an ACE because groovy.policy grants the codeBase access to javax.print
	assertExecute(script, "/groovy/security/javax/print/allow", null);
	}

	public void testBadScriptNameBug() {
	assertExecute(new File("src/test/groovy/bugs/BadScriptNameBug.groovy"), null);
	}

	public void testClosureListenerTest() {
	//if (System.getProperty("java.version").startsWith("1.5") && notYetImplemented()) return;
	if (System.getProperty("java.version").startsWith("1.5")) return;
	assertExecute(new File("src/test/groovy/ClosureListenerTest.groovy"), null);
	}

	public void testClosureMethodTest() {
	assertExecute(new File("src/test/groovy/ClosureMethodTest.groovy"), null);
	}

	public void testGroovyMethodsTest_FAILS() {
	if (notYetImplemented()) return;
	assertExecute(new File("src/test/groovy/GroovyMethodsTest.groovy"), null);
	}

	public void testClosureWithDefaultParamTest() {
	assertExecute(new File("src/test/groovy/ClosureWithDefaultParamTest.groovy"), null);
	}

	public void testGroovy303_Bug() {
	assertExecute(new File("src/test/groovy/bugs/Groovy303_Bug.groovy"), null);
	}

	public void testScriptTest() {
	assertExecute(new File("src/test/groovy/script/ScriptTest.groovy"), null);
	}

	//In addition to requiring several permissions, this test is an example of the case
	//where the groovy class loader is required at script invocation time as well as
	//during compilation.
	public void testSqlCompleteWithoutDataSourceTest() {
	assertExecute(new File("src/test/groovy/sql/SqlCompleteWithoutDataSourceTest.groovy"), null);
	}

	//Test to prevent scripts from invoking the groovy compiler. This is done by restricting access
	//to the org.codehaus.groovy packages.
	public void testMetaClassTest() {
	//Security.setProperty("package.access", "org.codehaus.groovy");
	//assertExecute(new File("src/test/org/codehaus/groovy/classgen/MetaClassTest.groovy"), new RuntimePermission("accessClassInPackage.org.codehaus.groovy"));
	}

	//Mailing list post by Richard Hensley reporting a CodeSource bug. A GroovyCodeSource created
	//with a URL was causing an NPE.
	public void testCodeSource() throws IOException, CompilationFailedException {
	URL script = loader.getResource("groovy/ArrayTest.groovy");
	try {
	new GroovyCodeSource(script);
	} catch (RuntimeException re) {
	assertEquals("Could not construct a GroovyCodeSource from a null URL", re.getMessage());
	}
	}

	}