1   package groovy.security;
2   
3   import groovy.lang.GroovyCodeSource;
4   
5   import java.io.File;
6   import java.io.IOException;
7   import java.net.URL;
8   import java.security.Security;
9   import java.util.PropertyPermission;
10  
11  import org.codehaus.groovy.control.CompilationFailedException;
12  
13  import junit.framework.Test;
14  import junit.framework.TestSuite;
15  import junit.textui.TestRunner;
16  
17  /***
18   * Test the effects of enabling security in Groovy.  Some tests below check for proper framework
19   * behavior (e.g. ensuring that GroovyCodeSources may only be created for which proper permissions exist).
20   * Other tests run .groovy scripts under a secure environment and ensure that the proper permissions
21   * are required for success.
22   *
23   * Todo: find out why the marked tests are environment specific and why security tests are not
24   * running on the build server.
25   * 
26   * @author Steve Goetze
27   */
28  public class SecurityTest extends SecurityTestSupport {
29  
30  	public static void main(String[] args) {
31          TestRunner.run( suite() );
32      }
33     
34      public static Test suite() {
35      	return new TestSuite(SecurityTest.class);
36      }
37  
38      public void testForbiddenProperty() {
39  		String script = "System.getProperty(\"user.home\")";
40  		assertExecute(script, null, new PropertyPermission("user.home", "read"));
41  	}
42  
43  	public void testForbiddenPackage() {
44  		String script = "import sun.net.*; s = new NetworkClient()";
45  		assertExecute(script, "/groovy/security/testForbiddenPackage", new RuntimePermission("accessClassInPackage.sun.*"));
46  	}
47  
48      public void testForbiddenCodebase() { 
49  		assertExecute(new File("src/test/groovy/security/forbiddenCodeBase.gvy"), new GroovyCodeSourcePermission("/groovy/security/forbiddenCodeBase"));
50  	}
51  	
52  	//Check that the Security package.access control works.
53  	public void testPackageAccess() {
54  		String script = "new javax.print.PrintException();";
55          Security.setProperty("package.access", "javax.print");
56          //This should throw an ACE because its codeBase does not allow access to javax.print
57  		assertExecute(script, "/groovy/security/javax/print/deny", new RuntimePermission("accessClassInPackage.javax.print"));
58  		//This should not throw an ACE because groovy.policy grants the codeBase access to javax.print
59  		assertExecute(script, "/groovy/security/javax/print/allow", null);
60  	}
61  
62      public void testBadScriptNameBug() { 
63  		assertExecute(new File("src/test/groovy/bugs/BadScriptNameBug.groovy"), null);
64  	}
65  
66      public void testClosureListenerTest() {
67          //if (System.getProperty("java.version").startsWith("1.5") && notYetImplemented()) return;
68          if (System.getProperty("java.version").startsWith("1.5")) return;
69          assertExecute(new File("src/test/groovy/ClosureListenerTest.groovy"), null);
70  	}
71  
72  	public void testClosureMethodTest() {
73  		assertExecute(new File("src/test/groovy/ClosureMethodTest.groovy"), null);
74  	}
75  
76  	public void testGroovyMethodsTest_FAILS() {
77  		if (notYetImplemented()) return;
78  		assertExecute(new File("src/test/groovy/GroovyMethodsTest.groovy"), null);
79  	}
80  
81  	public void testClosureWithDefaultParamTest() {
82  		assertExecute(new File("src/test/groovy/ClosureWithDefaultParamTest.groovy"), null);
83  	}
84  
85  	public void testGroovy303_Bug() {
86  		assertExecute(new File("src/test/groovy/bugs/Groovy303_Bug.groovy"), null);
87  	}
88  
89      public void testScriptTest() {
90  		assertExecute(new File("src/test/groovy/script/ScriptTest.groovy"), null);
91  	}
92  	
93  	//In addition to requiring several permissions, this test is an example of the case
94  	//where the groovy class loader is required at script invocation time as well as
95  	//during compilation.
96  	public void testSqlCompleteWithoutDataSourceTest() {
97  		assertExecute(new File("src/test/groovy/sql/SqlCompleteWithoutDataSourceTest.groovy"), null);
98  	}
99  	
100 	//Test to prevent scripts from invoking the groovy compiler.  This is done by restricting access
101 	//to the org.codehaus.groovy packages.
102 	public void testMetaClassTest() {
103         Security.setProperty("package.access", "org.codehaus.groovy");
104 		assertExecute(new File("src/test/org/codehaus/groovy/classgen/MetaClassTest.groovy"), new RuntimePermission("accessClassInPackage.org.codehaus.groovy"));
105 	}
106 	
107 	//Mailing list post by Richard Hensley reporting a CodeSource bug.  A GroovyCodeSource created
108 	//with a URL was causing an NPE.
109 	public void testCodeSource() throws IOException, CompilationFailedException {
110 		URL script = loader.getResource("groovy/ArrayTest.groovy");
111 		GroovyCodeSource gcs = new GroovyCodeSource(script);
112 		Class result = loader.parseClass(gcs);
113 	}
114 	
115 }